Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)

S
Sounil Yu
SESSION  ID: #RSAC Sounil  Yu Understanding  the  Security   Vendor  Landscape  Using  the   Cyber  Defense  Matrix PDIL-­‐W02F @sounilyu
#RSAC Disclaimers 2 The  views,  opinions,  and  positions  expressed  in  this  presentation   are  solely  my  own It  does  not  necessarily  represent  the  views  and  opinions  of  my   employer  and  does  not  constitute  or  imply  any  endorsement   from  or  usage  by  my  employer All  models  are  wrong,  but  some  are  useful -­‐ George  E.  P.  Box @sounilyu
#RSAC Our  industry  is  full  of  jargon  terms  that  make it  difficult  to  understand  what  we  are  buying   3 To  accelerate  the  maturity  of  our  practice,  we  need  a  common  language @sounilyu
#RSAC Our  common  language  can  be  bounded  by  five  asset   classes  and  the  NIST  Cybersecurity  Framework 4 Operational  FunctionsAsset  Classes DEVICES Workstations,  servers,  VoIP  phones,   tablets,  IoT,  storage,  network   devices,  infrastructure,  etc. The  software,  interactions,  and   application  flows  on  the  devices The  connections  and  traffic  flowing   among  devices  and  applications The  information  residing on,  traveling  through,  or  processed   by  the  resources  above The  people  using  the  resources   listed  above APPS NETWORKS 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DATA USERS IDENTIFY PROTECT DETECT RESPOND RECOVER Inventorying  assets  and  vulns,   measuring  attack  surface,  baselining normal,  risk  profiling Preventing  or  limiting  impact,   patching,  containing,  isolating,   hardening,  managing  access,  vuln remediation Discovering  events,  triggering  on   anomalies,  hunting  for  intrusions,   security  analytics Acting  on  events,  eradicating  intrusion   footholds,  assessing  damage,   coordinating,  reconstructing  events   forensically Returning  to  normal  operations,   restoring  services,  documenting   lessons  learned @sounilyu
#RSAC Introducing  the  “Cyber  Defense  Matrix” 5 Devices Applications Networks Data Users Degree  of Dependency Identify Protect Detect Respond Recover Technology People Process @sounilyu
#RSAC Left  and  Right  of  “Boom” 6 Identify Protect Detect Respond Recover Technology People Process Pre-­‐Event Structural  Awareness Post-­‐Event Situational  Awareness Devices Applications Networks Data Users Degree  of Dependency @sounilyu
#RSAC Enterprise  Security  Market  Segments 7 Identify Protect Detect Respond Recover Technology People Process IAM Endpoint  Visibility  and  Control  / Endpoint  Threat  Detection &  Response Configuration and  Systems Management Data Labeling App  Sec (SAST,  DAST, IAST,  RASP), WAFs Phishing Simulations DDoS Mitigation Insider  Threat  / Behavioral Analytics Network Security (FW,  IPS) DRM Data Encryption, DLP IDS Netflow Full  PCAP AV,  HIPS Deep  Web, Brian  Krebs, FBI Backup Phishing Awareness Devices Applications Networks Data Users Degree  of Dependency @sounilyu
#RSAC We  care  about  more  than  just  the  assets  that   are  owned  and  controlled  by  the  enterprise 8 Threat  Actors Vendors Customers Employees Enterprise  Assets • Devices  -­ user  workstations,  servers,   phones,  tablets,  IoT,  peripherals,  storage,   network  devices,  web  cameras,   infrastructure  devices,  etc. • Applications -­ The  software,  interactions,   and  application  flows  on  the  devices • Network -­ The  connections  and  traffic   flowing  among  devices  and  applications • Data -­ The  information  residing on,  traveling  through,  or  processed  by  the   resources  listed  above • Users  – The  people  using  the  resources   listed  above 01001101010110101001 10110101010101101010 Operational  Functions • Identify  – inventorying  assets  and   vulnerabilities,  measuring  attack  surface,   baselining normal,  risk  profiling • Protect – preventing  or  limiting  impact,   patching,  containing,  isolating,  hardening,   managing  access,  vuln remediation • Detect – discovering  events,  triggering  on   anomalies,  hunting  for  intrusions,  security   analytics • Respond – acting  on  events,  eradicating   intrusion  footholds,  assessing  damage,   coordinating  response,  forensics • Recover – returning  to  normal  operations,   restoring  services,  documenting  lessons   learned @sounilyu
#RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Identify Protect Detect Respond R Market  Segments  – Other  Environments 9 Threat Actor Assets Threat Data Intrusion Deception Malware Sandboxes Vendor Assets Cloud  Access Security  Brokers Vendor  Risk Assessments Customer Assets Endpoint  Fraud Detection Device Finger-­‐ printing Device Finger-­‐ printing Web  Fraud Detection Employee Assets BYOD MAM BYOD MDM @sounilyu
#RSAC 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DEVICES Workstations,  servers,  VoIP   phones,  tablets,  IoT,  storage,   network  devices,  infrastructure,  etc. The  software,  interactions,  and   application  flows  on  the  devices The  connections  and  traffic  flowing   among  devices  and  applications The  information  residing  on,   traveling  through,  or  processed by  the  resources  above The  people  using  the resourceslisted  above APPS NETWORKS DATA USERS Security  Technologies  Mapped  by  Asset  Class 10 Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. @sounilyu
#RSAC IDENTIFY PROTECT DETECT RESPOND RECOVER Inventorying  assets,   measuring  attack   surface,  baselining normal,  risk  profiling Preventing  or  limiting   impact,  containing,   hardening,  managing   access Discovering  events,   triggering  on   anomalies,  hunting   for  intrusions Acting  on  events,   eradicating  intrusion   footholds,  assessing   damage,   coordinating,   reconstructing   events  forensically Returning  to  normal   operations,  restoring   services,   documenting  lessons   learned Security  Technologies  Mapped  by  Operational   Functions 11 MSSPs  /  IR Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. @sounilyu
#RSAC Security  Technologies  by  Asset  Classes  &   Operational  Functions 12 Identify Protect Detect Respond Recover Technology People Process Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. Devices Applications Networks Data Users Degree  of Dependency @sounilyu
#RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Use  Case  1:  Understand  how  products  in  one   area  support  the  capabilities  of  another  area 13 Threat Actor Assets Devices Applications Networks Data Users Identify Protect Detect Respond Recover Enterprise Assets Threat  data  providers  fall   into  this  category… …  and  threat  integration  platforms  consume,   integrate,  and  drive  action  on  threat  data   through  other  products  that  are  in  these   categories @sounilyu
#RSAC Use  Case  2:  Define  Security  Design  Patterns (a.k.a.  Security  Bingo  Card) 14 Identify Protect Detect Respond Recover Technology People Process O O O O O O O O O O O O O O O O O O O O O O O O O Devices Applications Networks Data Users Degree  of Dependency @sounilyu
#RSAC Use  Case  3:  Maximizing  Your  Available   Deployment  Footprint  (What  vs  Where) 15 Devices Applications Networks Data Users Protect RASP WAF Secure Coding What:  Application  Security Anti Malware Malware Sandbox Phishing Awareness Protect What:  Endpoint  Protection Devices Applications Networks Data Users Where Where @sounilyu
#RSAC Use  Case  4:  The  (network)  perimeter  is  dead.   Long  live  (other)  perimeters 16 Devices Applications Networks Data Users Devices Applications Networks Data Users TO FROM Devices Apps Networks Data Users Devices • SSH   Certificates • Client-­‐sideSSL   Cert • Geofencing • Fingerprinting • NAC • Encryption   keys • ? Apps • Server-­‐Side   SSL Cert • API  Key • ? • Encryption   keys • Enhanced SSL   Certificates Networks • 802.1X   Certificate • ? • Firewall  Rules • ? • ? Data • Hashes  /   Checksums • Hashes  /   Checksums • ? • ? • Hashes  /   Checksums Users • User Creds • Biometrics • 2FA • User Creds • Biometrics • 2FA • User Creds • 2FA • User Creds • 2FA • Photo  ID • Handshake FROM TO Reduce/Eliminate  these  perimeters to  make  security  more  usable PROTECT @sounilyu
#RSAC Use  Case  5:  Calculate  Defense-­‐in-­‐Depth 17 Identify Protect Detect Respond Recover 0.25 0.40 0.20 0.64 0.20 0.10 0.10 0.15 0.45 0.15 0.10 0.20 0.39 0.05 0.10 0.20 0.32 0.30 0.10 0.37 0.52 0.36 0.51 0.35 0.46 44 Devices Applications Networks Data Users Defense  in Depth  Score D-­‐in-­‐D  Score (sumof columns and row *100) @sounilyu
#RSAC Use  Case  6:  Understand  how  to  balance your  portfolio  without  breaking  the  bank 18 Identify Protect Detect Respond Recover $50 $100 $50 $200 $50 $100 $50 $100 $300 $100 $100 $50 $250 $50 $50 $50 $150 $50 $50 $100 $200 $200 $250 $150 $200 $1000 Devices Applications Networks Data Users Total Total @sounilyu
#RSAC Use  Case  7:  Anticipate  the  “Effective  Half  Life”   of  People  Skills,  Processes,  and  Technologies 19 Identify Protect Detect Respond Recover Technology People Process 55 3 42 3 53 3 53 3 54 2 55 4 33 3 35 4 33 4 55 1 45 5 21 3 22 3 32 3 45 4 25 5 24 2 25 3 22 2 35 3 55 5 35 4 23 3 43 4 55 5 New  detection  technologies   may  need  to  be  rolled  out   EVERY  TWO  YEARS to  maintain   efficacy  at  50%  or  higher Staff  need  training   EVERY  YEAR to   maintain  efficacy  at   50%  or  higher Devices Applications Networks Data Users Degree  of Dependency @sounilyu
#RSAC Use  Case  8:  Disintermediate  Components  for   Easier  Orchestration 20 010010101001011010 010010100100110111010010010100010110110111 010010100111010101101010100 0100101001011010101010010100101010100100011101 0100101101100100100110010110010 010010101011010 0100101001011011010100101110 010101001011010 100010110110111 010101101010100 010100100011101 100110010110010 010010101011010 Common Message Fabric Vendor   Application   Protection 1011010100101110 Enterprise   Network   Detection Enterprise   Device Response Customer Device Protection Threat  Actor Application Identification Enterprise Network Identification Customer Device Identification Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. @sounilyu
#RSAC Devices Applications Networks Data Users Degree  of Dependency Use  Case  9:  Differentiate  between  a platform  and  a  product 21 Identify Protect Detect Respond Recover Technology People Process Product Platform What  makes  a  technology  a  “platform”? 1. Enables  enterprises  to  operate  as   mechanics  and  not  just  chauffeurs 2. Exposes  all  its  functions  through  APIs   for  easier  integration  with  other   technologies  and  capabilities 3. Leverages  data  exchange  standards   that  enable  interchangeable   components @sounilyu
#RSAC Usually  Fighting Against Technology Usually  Fighting Against People Devices Applications Networks Data Users Degree  of Dependency Identify Protect Detect Respond Recover Technology People Process Use  Case  10:  Identifying  Opportunities  to  Accelerate   the  People>Process>Technology  Lifecycle 22 Codified  Into Playbooks  &  Checklists New   Discoveries and War  Stories! Embedded Into Technology @sounilyu
#RSAC ✔✔ ✔✔✔ ✔✔✔✔ ✔✔✔✔ ✔✔ ✔ ✔✔ ✔✔ ✔✔✔ ✔ ✔ ✔✔✔ ✔✔✔ ✔✔✔ ✔✔ Use  Case  11:  Identify  technology  gaps  or   overreliance  in  your  technology  portfolio 23 Identify Protect Detect Respond Recover Technology People Process Devices Applications Networks Data Users Degree  of Dependency @sounilyu
#RSAC Model  Shortfalls:    Where  is  analytics?    GRC?     Orchestration? This  framework  supports  the  higher  level  functions  of  orchestration,  analytics,  and   governance/risk/compliance,   but  they  are  represented  on  a  different  dimension GRC Analytics Orchestration 24@sounilyu
#RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Comparison  of  Models:  Gartner’s  Five  Styles of  Advanced  Threat  Defense 25 Source:  Gartner Time Where  to  Look Real  Time/ Near  Real  Time Post  Compromise (Days/Weeks) Network Payload Endpoint Network  Traffic Analysis Network Forensics Payload Analysis Endpoint  Behavior Analysis Endpoint Forensics Style  2Style  1 Style  5Style  4 Style  3 Enterprise Assets Style  4 Style  1 Style  5 Style  2 Threat Actor Assets Style  3 @sounilyu
#RSAC Applying  the  Cyber  Defense  Matrix 26 This  week Use  the  matrix  to  categorize  vendors  that  you  encounter  in  the  Expo  Hall Ask  them  where  they  fit  and  don’t  allow  them  to  be  in  multiple  shopping   aisles In  the  first  three  months  following  this  presentation  you  should: Send  me  feedback  on  how  you  have  mapped  vendors  to  it Organize  your  portfolio   of  technologies   to  see  where  you  might  have  gaps Identify  vendors  that  may  round  out  your  portfolio   based  on  your  security   design  pattern  (a.k.a.  security  bingo   card) Within  six  months  you  should: Send  me  feedback  on  how  you  used  the  Cyber  Defense  Matrix  and  improved  it @sounilyu
#RSAC Sounil  Yu @sounilyu
1 of 27

Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)

Download to read offline
Technology

The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission. See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions

S
Sounil Yu

Recommended

Cyber Defense Matrix: Revolutions by
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
1.4K views35 slides
Cyber Defense Matrix: Reloaded by
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
14.5K views35 slides
New Paradigms for the Next Era of Security by
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
1.5K views20 slides
Threat Hunting with Cyber Kill Chain by
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
419 views50 slides
MITRE ATT&CK framework by
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
832 views30 slides
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security by
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
7.9K views17 slides

More Related Content

What's hot

How I Learned to Stop Information Sharing and Love the DIKW by
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
1.3K views8 slides
Security Operation Center Fundamental by
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
3.5K views79 slides
MITRE ATT&CK Framework by
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
3.3K views31 slides
DTS Solution - Building a SOC (Security Operations Center) by
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
46.7K views97 slides
Lessons Learned in Automated Decision Making / How to Delay Building Skynet by
Lessons Learned in Automated Decision Making / How to Delay Building SkynetLessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building SkynetSounil Yu
1.6K views26 slides
Critical Capabilities for MDR Services - What to Know Before You Buy by
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
835 views25 slides

What's hot(20)

How I Learned to Stop Information Sharing and Love the DIKW by Sounil Yu
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
Sounil Yu1.3K views
Security Operation Center Fundamental by Amir Hossein Zargaran
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran3.5K views
MITRE ATT&CK Framework by n|u - The Open Security Community
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community3.3K views
DTS Solution - Building a SOC (Security Operations Center) by Shah Sheikh
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh46.7K views
Lessons Learned in Automated Decision Making / How to Delay Building Skynet by Sounil Yu
Lessons Learned in Automated Decision Making / How to Delay Building SkynetLessons Learned in Automated Decision Making / How to Delay Building Skynet
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
Sounil Yu1.6K views
Critical Capabilities for MDR Services - What to Know Before You Buy by Fidelis Cybersecurity
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
Fidelis Cybersecurity835 views
When and How to Set up a Security Operations Center by Komand
When and How to Set up a Security Operations CenterWhen and How to Set up a Security Operations Center
When and How to Set up a Security Operations Center
Komand3.5K views
Security operations center-SOC Presentation-مرکز عملیات امنیت by ReZa AdineH
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH6.2K views
Security Operations Center (SOC) Essentials for the SME by AlienVault
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault9.9K views
An introduction to SOC (Security Operation Center) by Ahmad Haghighi
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi22.5K views
Understanding the Cyber Security Vendor Landscape by Sounil Yu
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
Sounil Yu8.6K views
SOC Architecture - Building the NextGen SOC by Priyanka Aash
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
Priyanka Aash4.6K views
Threat Hunting - Moving from the ad hoc to the formal by Priyanka Aash
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash1K views
Identifying Effective Endpoint Detection and Response Platforms (EDRP) by Enterprise Management Associates
Identifying Effective Endpoint Detection and Response Platforms (EDRP)Identifying Effective Endpoint Detection and Response Platforms (EDRP)
Identifying Effective Endpoint Detection and Response Platforms (EDRP)
Enterprise Management Associates1.4K views
SOC presentation- Building a Security Operations Center by Michael Nickle
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle49.3K views
Planning and Deploying an Effective Vulnerability Management Program by Sasha Nunke
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke2.5K views
Next-Gen security operation center by Muhammad Sahputra
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra1.3K views
Optimizing Security Operations: 5 Keys to Success by Sirius
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius3.3K views
Bulding Soc In Changing Threat Landscapefinal by Mahmoud Yassin
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin1.1K views
Basics of Cyber Security by Nikunj Thakkar
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber Security
Nikunj Thakkar1.6K views

Similar to Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)

Insecure magazine - 52 by
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52Felipe Prado
40 views66 slides
Mobile phone as Trusted identity assistant by
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantVladimir Jirasek
1.5K views18 slides
Anatomy of a cyber attack by
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
7.3K views21 slides
Top 5 Ways You Can Protect Your Privacy On Web by
Top 5 Ways You Can Protect Your Privacy On WebTop 5 Ways You Can Protect Your Privacy On Web
Top 5 Ways You Can Protect Your Privacy On WebSheila Guy
2 views79 slides
Unicom Conference - Mobile Application Security by
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
115 views21 slides
IDS+Honeypots Making Security Simple by
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
2.8K views62 slides

Similar to Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)(20)

Insecure magazine - 52 by Felipe Prado
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
Felipe Prado40 views
Mobile phone as Trusted identity assistant by Vladimir Jirasek
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
Vladimir Jirasek1.5K views
Anatomy of a cyber attack by Mark Silver
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
Mark Silver7.3K views
Top 5 Ways You Can Protect Your Privacy On Web by Sheila Guy
Top 5 Ways You Can Protect Your Privacy On WebTop 5 Ways You Can Protect Your Privacy On Web
Top 5 Ways You Can Protect Your Privacy On Web
Sheila Guy2 views
Unicom Conference - Mobile Application Security by Subho Halder
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
Subho Halder115 views
IDS+Honeypots Making Security Simple by Gregory Hanis
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
Gregory Hanis2.8K views
Summer internship - Cybersecurity by AbhilashYadav14
Summer internship - CybersecuritySummer internship - Cybersecurity
Summer internship - Cybersecurity
AbhilashYadav141.5K views
Sholove cyren web security - technical datasheet2 by SHOLOVE INTERNATIONAL LLC
Sholove cyren web security - technical datasheet2Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2
SHOLOVE INTERNATIONAL LLC445 views
ISACA CACS 2012 - Mobile Device Security and Privacy by Michael Davis
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis964 views
Information Security Risk Management by ipspat
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
ipspat956 views
Web Application Security by sudip pudasaini
Web Application SecurityWeb Application Security
Web Application Security
sudip pudasaini279 views
Information Security 201 by Null Bhubaneswar
Information Security 201Information Security 201
Information Security 201
Null Bhubaneswar 26 views
2 20613 qualys_top_10_reports_vm by azfayel
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
azfayel379 views
Cyber Security: A Hands on review by MiltonBiswas8
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
MiltonBiswas8165 views
Безопасность данных мобильных приложений. Мифы и реальность. by Advanced monitoring
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
Advanced monitoring721 views
Marlabs cyber threat management by Rajendra Menon
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
Rajendra Menon306 views
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks. by Scalar Decisions
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Scalar Decisions2.4K views
Aujas incident management webinar deck 08162016 by Karl Kispert
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
Karl Kispert612 views
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений by SECON
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON593 views
Securing Mobile Apps - Appfest Version by Subho Halder
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
Subho Halder367 views

Recently uploaded

Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ by
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericConfidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericShapeBlue
88 views9 slides
The Role of Patterns in the Era of Large Language Models by
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language ModelsYunyao Li
80 views65 slides
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...ShapeBlue
85 views10 slides
Ransomware is Knocking your Door_Final.pdf by
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfSecurity Bootcamp
90 views46 slides
CryptoBotsAI by
CryptoBotsAICryptoBotsAI
CryptoBotsAIchandureddyvadala199
40 views5 slides
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates by
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesShapeBlue
210 views15 slides

Recently uploaded(20)

Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ by ShapeBlue
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericConfidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
ShapeBlue88 views
The Role of Patterns in the Era of Large Language Models by Yunyao Li
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language Models
Yunyao Li80 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue85 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp90 views
CryptoBotsAI by chandureddyvadala199
CryptoBotsAICryptoBotsAI
CryptoBotsAI
chandureddyvadala19940 views
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates by ShapeBlue
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates
ShapeBlue210 views
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue94 views
Initiating and Advancing Your Strategic GIS Governance Strategy by Safe Software
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance Strategy
Safe Software140 views
The Power of Heat Decarbonisation Plans in the Built Environment by IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE69 views
Qualifying SaaS, IaaS.pptx by Sachin Bhandari
Qualifying SaaS, IaaS.pptxQualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptx
Sachin Bhandari897 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue123 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue181 views
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue63 views
Future of AR - Facebook Presentation by Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty62 views
Cencora Executive Symposium by marketingcommunicati21
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposium
marketingcommunicati21139 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue179 views
Generative AI: Shifting the AI Landscape by Deakin University
Generative AI: Shifting the AI LandscapeGenerative AI: Shifting the AI Landscape
Generative AI: Shifting the AI Landscape
Deakin University43 views
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T by ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue112 views
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ... by ShapeBlue
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
ShapeBlue79 views
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue by ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue93 views

Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)

  • 1. SESSION  ID: #RSAC Sounil  Yu Understanding  the  Security   Vendor  Landscape  Using  the   Cyber  Defense  Matrix PDIL-­‐W02F @sounilyu
  • 2. #RSAC Disclaimers 2 The  views,  opinions,  and  positions  expressed  in  this  presentation   are  solely  my  own It  does  not  necessarily  represent  the  views  and  opinions  of  my   employer  and  does  not  constitute  or  imply  any  endorsement   from  or  usage  by  my  employer All  models  are  wrong,  but  some  are  useful -­‐ George  E.  P.  Box @sounilyu
  • 3. #RSAC Our  industry  is  full  of  jargon  terms  that  make it  difficult  to  understand  what  we  are  buying   3 To  accelerate  the  maturity  of  our  practice,  we  need  a  common  language @sounilyu
  • 4. #RSAC Our  common  language  can  be  bounded  by  five  asset   classes  and  the  NIST  Cybersecurity  Framework 4 Operational  FunctionsAsset  Classes DEVICES Workstations,  servers,  VoIP  phones,   tablets,  IoT,  storage,  network   devices,  infrastructure,  etc. The  software,  interactions,  and   application  flows  on  the  devices The  connections  and  traffic  flowing   among  devices  and  applications The  information  residing on,  traveling  through,  or  processed   by  the  resources  above The  people  using  the  resources   listed  above APPS NETWORKS 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DATA USERS IDENTIFY PROTECT DETECT RESPOND RECOVER Inventorying  assets  and  vulns,   measuring  attack  surface,  baselining normal,  risk  profiling Preventing  or  limiting  impact,   patching,  containing,  isolating,   hardening,  managing  access,  vuln remediation Discovering  events,  triggering  on   anomalies,  hunting  for  intrusions,   security  analytics Acting  on  events,  eradicating  intrusion   footholds,  assessing  damage,   coordinating,  reconstructing  events   forensically Returning  to  normal  operations,   restoring  services,  documenting   lessons  learned @sounilyu
  • 5. #RSAC Introducing  the  “Cyber  Defense  Matrix” 5 Devices Applications Networks Data Users Degree  of Dependency Identify Protect Detect Respond Recover Technology People Process @sounilyu
  • 6. #RSAC Left  and  Right  of  “Boom” 6 Identify Protect Detect Respond Recover Technology People Process Pre-­‐Event Structural  Awareness Post-­‐Event Situational  Awareness Devices Applications Networks Data Users Degree  of Dependency @sounilyu
  • 7. #RSAC Enterprise  Security  Market  Segments 7 Identify Protect Detect Respond Recover Technology People Process IAM Endpoint  Visibility  and  Control  / Endpoint  Threat  Detection &  Response Configuration and  Systems Management Data Labeling App  Sec (SAST,  DAST, IAST,  RASP), WAFs Phishing Simulations DDoS Mitigation Insider  Threat  / Behavioral Analytics Network Security (FW,  IPS) DRM Data Encryption, DLP IDS Netflow Full  PCAP AV,  HIPS Deep  Web, Brian  Krebs, FBI Backup Phishing Awareness Devices Applications Networks Data Users Degree  of Dependency @sounilyu
  • 8. #RSAC We  care  about  more  than  just  the  assets  that   are  owned  and  controlled  by  the  enterprise 8 Threat  Actors Vendors Customers Employees Enterprise  Assets • Devices  -­ user  workstations,  servers,   phones,  tablets,  IoT,  peripherals,  storage,   network  devices,  web  cameras,   infrastructure  devices,  etc. • Applications -­ The  software,  interactions,   and  application  flows  on  the  devices • Network -­ The  connections  and  traffic   flowing  among  devices  and  applications • Data -­ The  information  residing on,  traveling  through,  or  processed  by  the   resources  listed  above • Users  – The  people  using  the  resources   listed  above 01001101010110101001 10110101010101101010 Operational  Functions • Identify  – inventorying  assets  and   vulnerabilities,  measuring  attack  surface,   baselining normal,  risk  profiling • Protect – preventing  or  limiting  impact,   patching,  containing,  isolating,  hardening,   managing  access,  vuln remediation • Detect – discovering  events,  triggering  on   anomalies,  hunting  for  intrusions,  security   analytics • Respond – acting  on  events,  eradicating   intrusion  footholds,  assessing  damage,   coordinating  response,  forensics • Recover – returning  to  normal  operations,   restoring  services,  documenting  lessons   learned @sounilyu
  • 9. #RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Identify Protect Detect Respond R Market  Segments  – Other  Environments 9 Threat Actor Assets Threat Data Intrusion Deception Malware Sandboxes Vendor Assets Cloud  Access Security  Brokers Vendor  Risk Assessments Customer Assets Endpoint  Fraud Detection Device Finger-­‐ printing Device Finger-­‐ printing Web  Fraud Detection Employee Assets BYOD MAM BYOD MDM @sounilyu
  • 10. #RSAC 10011101010101010010 01001101010110101001 11010101101011010100 10110101010101101010 DEVICES Workstations,  servers,  VoIP   phones,  tablets,  IoT,  storage,   network  devices,  infrastructure,  etc. The  software,  interactions,  and   application  flows  on  the  devices The  connections  and  traffic  flowing   among  devices  and  applications The  information  residing  on,   traveling  through,  or  processed by  the  resources  above The  people  using  the resourceslisted  above APPS NETWORKS DATA USERS Security  Technologies  Mapped  by  Asset  Class 10 Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. @sounilyu
  • 11. #RSAC IDENTIFY PROTECT DETECT RESPOND RECOVER Inventorying  assets,   measuring  attack   surface,  baselining normal,  risk  profiling Preventing  or  limiting   impact,  containing,   hardening,  managing   access Discovering  events,   triggering  on   anomalies,  hunting   for  intrusions Acting  on  events,   eradicating  intrusion   footholds,  assessing   damage,   coordinating,   reconstructing   events  forensically Returning  to  normal   operations,  restoring   services,   documenting  lessons   learned Security  Technologies  Mapped  by  Operational   Functions 11 MSSPs  /  IR Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. @sounilyu
  • 12. #RSAC Security  Technologies  by  Asset  Classes  &   Operational  Functions 12 Identify Protect Detect Respond Recover Technology People Process Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. Devices Applications Networks Data Users Degree  of Dependency @sounilyu
  • 13. #RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Use  Case  1:  Understand  how  products  in  one   area  support  the  capabilities  of  another  area 13 Threat Actor Assets Devices Applications Networks Data Users Identify Protect Detect Respond Recover Enterprise Assets Threat  data  providers  fall   into  this  category… …  and  threat  integration  platforms  consume,   integrate,  and  drive  action  on  threat  data   through  other  products  that  are  in  these   categories @sounilyu
  • 14. #RSAC Use  Case  2:  Define  Security  Design  Patterns (a.k.a.  Security  Bingo  Card) 14 Identify Protect Detect Respond Recover Technology People Process O O O O O O O O O O O O O O O O O O O O O O O O O Devices Applications Networks Data Users Degree  of Dependency @sounilyu
  • 15. #RSAC Use  Case  3:  Maximizing  Your  Available   Deployment  Footprint  (What  vs  Where) 15 Devices Applications Networks Data Users Protect RASP WAF Secure Coding What:  Application  Security Anti Malware Malware Sandbox Phishing Awareness Protect What:  Endpoint  Protection Devices Applications Networks Data Users Where Where @sounilyu
  • 16. #RSAC Use  Case  4:  The  (network)  perimeter  is  dead.   Long  live  (other)  perimeters 16 Devices Applications Networks Data Users Devices Applications Networks Data Users TO FROM Devices Apps Networks Data Users Devices • SSH   Certificates • Client-­‐sideSSL   Cert • Geofencing • Fingerprinting • NAC • Encryption   keys • ? Apps • Server-­‐Side   SSL Cert • API  Key • ? • Encryption   keys • Enhanced SSL   Certificates Networks • 802.1X   Certificate • ? • Firewall  Rules • ? • ? Data • Hashes  /   Checksums • Hashes  /   Checksums • ? • ? • Hashes  /   Checksums Users • User Creds • Biometrics • 2FA • User Creds • Biometrics • 2FA • User Creds • 2FA • User Creds • 2FA • Photo  ID • Handshake FROM TO Reduce/Eliminate  these  perimeters to  make  security  more  usable PROTECT @sounilyu
  • 17. #RSAC Use  Case  5:  Calculate  Defense-­‐in-­‐Depth 17 Identify Protect Detect Respond Recover 0.25 0.40 0.20 0.64 0.20 0.10 0.10 0.15 0.45 0.15 0.10 0.20 0.39 0.05 0.10 0.20 0.32 0.30 0.10 0.37 0.52 0.36 0.51 0.35 0.46 44 Devices Applications Networks Data Users Defense  in Depth  Score D-­‐in-­‐D  Score (sumof columns and row *100) @sounilyu
  • 18. #RSAC Use  Case  6:  Understand  how  to  balance your  portfolio  without  breaking  the  bank 18 Identify Protect Detect Respond Recover $50 $100 $50 $200 $50 $100 $50 $100 $300 $100 $100 $50 $250 $50 $50 $50 $150 $50 $50 $100 $200 $200 $250 $150 $200 $1000 Devices Applications Networks Data Users Total Total @sounilyu
  • 19. #RSAC Use  Case  7:  Anticipate  the  “Effective  Half  Life”   of  People  Skills,  Processes,  and  Technologies 19 Identify Protect Detect Respond Recover Technology People Process 55 3 42 3 53 3 53 3 54 2 55 4 33 3 35 4 33 4 55 1 45 5 21 3 22 3 32 3 45 4 25 5 24 2 25 3 22 2 35 3 55 5 35 4 23 3 43 4 55 5 New  detection  technologies   may  need  to  be  rolled  out   EVERY  TWO  YEARS to  maintain   efficacy  at  50%  or  higher Staff  need  training   EVERY  YEAR to   maintain  efficacy  at   50%  or  higher Devices Applications Networks Data Users Degree  of Dependency @sounilyu
  • 20. #RSAC Use  Case  8:  Disintermediate  Components  for   Easier  Orchestration 20 010010101001011010 010010100100110111010010010100010110110111 010010100111010101101010100 0100101001011010101010010100101010100100011101 0100101101100100100110010110010 010010101011010 0100101001011011010100101110 010101001011010 100010110110111 010101101010100 010100100011101 100110010110010 010010101011010 Common Message Fabric Vendor   Application   Protection 1011010100101110 Enterprise   Network   Detection Enterprise   Device Response Customer Device Protection Threat  Actor Application Identification Enterprise Network Identification Customer Device Identification Disclaimer:  Vendors  shown  are   representative  only.  No  usage  or   endorsement   should   be  construed   because   they  are  shown  here. @sounilyu
  • 21. #RSAC Devices Applications Networks Data Users Degree  of Dependency Use  Case  9:  Differentiate  between  a platform  and  a  product 21 Identify Protect Detect Respond Recover Technology People Process Product Platform What  makes  a  technology  a  “platform”? 1. Enables  enterprises  to  operate  as   mechanics  and  not  just  chauffeurs 2. Exposes  all  its  functions  through  APIs   for  easier  integration  with  other   technologies  and  capabilities 3. Leverages  data  exchange  standards   that  enable  interchangeable   components @sounilyu
  • 22. #RSAC Usually  Fighting Against Technology Usually  Fighting Against People Devices Applications Networks Data Users Degree  of Dependency Identify Protect Detect Respond Recover Technology People Process Use  Case  10:  Identifying  Opportunities  to  Accelerate   the  People>Process>Technology  Lifecycle 22 Codified  Into Playbooks  &  Checklists New   Discoveries and War  Stories! Embedded Into Technology @sounilyu
  • 23. #RSAC ✔✔ ✔✔✔ ✔✔✔✔ ✔✔✔✔ ✔✔ ✔ ✔✔ ✔✔ ✔✔✔ ✔ ✔ ✔✔✔ ✔✔✔ ✔✔✔ ✔✔ Use  Case  11:  Identify  technology  gaps  or   overreliance  in  your  technology  portfolio 23 Identify Protect Detect Respond Recover Technology People Process Devices Applications Networks Data Users Degree  of Dependency @sounilyu
  • 24. #RSAC Model  Shortfalls:    Where  is  analytics?    GRC?     Orchestration? This  framework  supports  the  higher  level  functions  of  orchestration,  analytics,  and   governance/risk/compliance,   but  they  are  represented  on  a  different  dimension GRC Analytics Orchestration 24@sounilyu
  • 25. #RSAC Devices Applications Networks Data Users Identify Protect Detect Respond Recover Devices Applications Networks Data Users Identify Protect Detect Respond Recover Comparison  of  Models:  Gartner’s  Five  Styles of  Advanced  Threat  Defense 25 Source:  Gartner Time Where  to  Look Real  Time/ Near  Real  Time Post  Compromise (Days/Weeks) Network Payload Endpoint Network  Traffic Analysis Network Forensics Payload Analysis Endpoint  Behavior Analysis Endpoint Forensics Style  2Style  1 Style  5Style  4 Style  3 Enterprise Assets Style  4 Style  1 Style  5 Style  2 Threat Actor Assets Style  3 @sounilyu
  • 26. #RSAC Applying  the  Cyber  Defense  Matrix 26 This  week Use  the  matrix  to  categorize  vendors  that  you  encounter  in  the  Expo  Hall Ask  them  where  they  fit  and  don’t  allow  them  to  be  in  multiple  shopping   aisles In  the  first  three  months  following  this  presentation  you  should: Send  me  feedback  on  how  you  have  mapped  vendors  to  it Organize  your  portfolio   of  technologies   to  see  where  you  might  have  gaps Identify  vendors  that  may  round  out  your  portfolio   based  on  your  security   design  pattern  (a.k.a.  security  bingo   card) Within  six  months  you  should: Send  me  feedback  on  how  you  used  the  Cyber  Defense  Matrix  and  improved  it @sounilyu

Editor's Notes

  1. Approaching this from a practitioner’s view. If the market is a representation of our needs, then what are we actually seeing in the market and how does that fit into any models that we have? Common language = Klingon 101. Think of this as Klingon 201 or 301. Mention that this is intended to be shareable, you can take pictures, you can reference me, but you can’t reference Bank of America
  2. Mention the difficulties of distinguishing between - Identify and Detect - What is protected vs where that protection is applied.
  3. Our understanding of Threat Actor assets enables our ability to protect our internal assets and detect intrusions
  4. Are there inefficiencies when what it does isn’t where it does it? Can we make tradeoffs to optimize our footprint and not overwhelm one part of it (e.g., endpoint)
  5. Talk about functional decomposition