Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (RSA Conference 2016)


The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.


1. SESSION ID: PDIL-W02F. Understanding the Security Vendor Landscape Using the Cyber Defense Matrix. Sounil Yu, @sounilyu. #RSAC
2. Disclaimers. The views, opinions, and positions expressed in this presentation are solely my own. They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement from or usage by my employer. "All models are wrong, but some are useful." (George E. P. Box)
3. Our industry is full of jargon terms that make it difficult to understand what we are buying. To accelerate the maturity of our practice, we need a common language.
4. Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework.
   Asset Classes:
   • Devices: workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
   • Apps: the software, interactions, and application flows on the devices
   • Networks: the connections and traffic flowing among devices and applications
   • Data: the information residing on, traveling through, or processed by the resources above
   • Users: the people using the resources listed above
   Operational Functions:
   • Identify: inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
   • Protect: preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
   • Detect: discovering events, triggering on anomalies, hunting for intrusions, security analytics
   • Respond: acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
   • Recover: returning to normal operations, restoring services, documenting lessons learned
5. Introducing the "Cyber Defense Matrix". The asset classes (Devices, Applications, Networks, Data, Users) form one axis and the operational functions (Identify, Protect, Detect, Respond, Recover) the other, with a Degree of Dependency scale (Technology, People, Process) shown beneath the functions.
6. Left and Right of "Boom". On the same matrix, the pre-event functions (Identify, Protect) provide structural awareness, and the post-event functions (Detect, Respond, Recover) provide situational awareness.
7. Enterprise Security Market Segments, placed on the matrix: IAM; Endpoint Visibility and Control / Endpoint Threat Detection & Response; Configuration and Systems Management; Data Labeling; App Sec (SAST, DAST, IAST, RASP), WAFs; Phishing Simulations; DDoS Mitigation; Insider Threat / Behavioral Analytics; Network Security (FW, IPS); DRM; Data Encryption, DLP; IDS; Netflow; Full PCAP; AV, HIPS; Deep Web, Brian Krebs, FBI; Backup; Phishing Awareness.
8. We care about more than just the assets that are owned and controlled by the enterprise: Threat Actors, Vendors, Customers, Employees, and Enterprise Assets.
   Enterprise Assets:
   • Devices - user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
   • Applications - the software, interactions, and application flows on the devices
   • Network - the connections and traffic flowing among devices and applications
   • Data - the information residing on, traveling through, or processed by the resources listed above
   • Users - the people using the resources listed above
   Operational Functions:
   • Identify - inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
   • Protect - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
   • Detect - discovering events, triggering on anomalies, hunting for intrusions, security analytics
   • Respond - acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
   • Recover - returning to normal operations, restoring services, documenting lessons learned
9. Market Segments - Other Environments (the matrix repeated once per environment):
   • Threat Actor Assets: Threat Data; Intrusion Deception; Malware Sandboxes
   • Vendor Assets: Cloud Access Security Brokers; Vendor Risk Assessments
   • Customer Assets: Endpoint Fraud Detection; Device Fingerprinting (two cells); Web Fraud Detection
   • Employee Assets: BYOD MAM; BYOD MDM
10. Security Technologies Mapped by Asset Class, using the asset class definitions from slide 4 (Devices, Apps, Networks, Data, Users). Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
11. Security Technologies Mapped by Operational Functions.
   • Identify: inventorying assets, measuring attack surface, baselining normal, risk profiling
   • Protect: preventing or limiting impact, containing, hardening, managing access
   • Detect: discovering events, triggering on anomalies, hunting for intrusions
   • Respond: acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
   • Recover: returning to normal operations, restoring services, documenting lessons learned
   Also marked: MSSPs / IR. Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
12. Security Technologies by Asset Classes & Operational Functions: the full matrix (asset class rows, operational function columns, Degree of Dependency scale) with vendors placed in its cells. Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
13. Use Case 1: Understand how products in one area support the capabilities of another area. Two matrices are shown, one for Threat Actor Assets and one for Enterprise Assets. Threat data providers fall into this category (a cell on the Threat Actor Assets matrix)... and threat integration platforms consume, integrate, and drive action on threat data through other products that are in these categories (cells on the Enterprise Assets matrix).
14. Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card). The matrix is shown with a marker in each of its 25 cells.
15. Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where). Within the Protect column, the "what" is a capability and the "where" is the asset class it is deployed against. What: Application Security - RASP, WAF, Secure Coding. What: Endpoint Protection - Anti-Malware, Malware Sandbox, Phishing Awareness.
16. Use Case 4: The (network) perimeter is dead. Long live (other) perimeters. In the Protect column, each asset class authenticates to each other asset class (FROM rows, TO columns); "?" marks a pairing the slide leaves open. Reduce/eliminate these perimeters to make security more usable.
   FROM Devices: to Devices - SSH certificates; to Apps - client-side SSL cert; to Networks - geofencing, fingerprinting, NAC; to Data - encryption keys; to Users - ?
   FROM Apps: to Devices - server-side SSL cert; to Apps - API key; to Networks - ?; to Data - encryption keys; to Users - enhanced SSL certificates
   FROM Networks: to Devices - 802.1X certificate; to Apps - ?; to Networks - firewall rules; to Data - ?; to Users - ?
   FROM Data: to Devices - hashes / checksums; to Apps - hashes / checksums; to Networks - ?; to Data - ?; to Users - hashes / checksums
   FROM Users: to Devices - user creds, biometrics, 2FA; to Apps - user creds, biometrics, 2FA; to Networks - user creds, 2FA; to Data - user creds, 2FA; to Users - photo ID, handshake
17. Use Case 5: Calculate Defense-in-Depth. Each populated cell carries a score, and a Defense in Depth Score is derived per row, per column, and for the whole matrix ("D-in-D Score: sum of columns and row *100"). Cell scores read in slide row order (Devices through Users): 0.25, 0.40, 0.20 (row score 0.64); 0.20, 0.10, 0.10, 0.15 (row score 0.45); 0.15, 0.10, 0.20 (row score 0.39); 0.05, 0.10, 0.20 (row score 0.32); 0.30, 0.10 (row score 0.37). Column scores (Identify through Recover): 0.52, 0.36, 0.51, 0.35, 0.46. Overall D-in-D Score: 44.
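The slide's row scores are not plain sums of their cells (0.25 + 0.40 + 0.20 is 0.85, not 0.64); they are reproduced exactly by combining the cells as 1 - (1 - s1)(1 - s2)..., the probability that at least one independent control holds, and the overall 44 is the mean of the five column scores times 100. The following is an added example, not code from the deck, that implements that reading; the combination rule and the grid helper are assumptions stated in the comments, and the cell values are the ones extracted from slide 17.

```python
# Added example, not code from the slides: scores a Cyber Defense Matrix for
# defense in depth (Use Case 5). Assumption: a row or column score combines its
# cell scores as 1 - prod(1 - s), the probability that at least one independent
# control holds; this reproduces the slide's printed row scores, which a plain
# sum of the cells would not. The overall score is read as the mean of the
# column scores times 100, which reproduces the slide's 44.
from typing import Dict, Iterable, Optional

ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]


def combine(scores: Iterable[float]) -> float:
    """Combine independent per-cell scores in [0, 1] into one coverage score."""
    survive = 1.0  # probability that every control in the set fails
    seen = False
    for s in scores:
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"cell score out of range: {s}")
        survive *= 1.0 - s
        seen = True
    return 1.0 - survive if seen else 0.0  # an empty cell set is no coverage


# Cell scores as extracted from slide 17, grouped by row in slide order.
# Which column each cell sat in did not survive extraction, so rows are kept
# as plain lists and the slide's own column scores are reused further down.
SLIDE_ROW_CELLS: Dict[str, list] = {
    "Devices":      [0.25, 0.40, 0.20],
    "Applications": [0.20, 0.10, 0.10, 0.15],
    "Networks":     [0.15, 0.10, 0.20],
    "Data":         [0.05, 0.10, 0.20],
    "Users":        [0.30, 0.10],
}
SLIDE_COLUMN_SCORES = {"Identify": 0.52, "Protect": 0.36, "Detect": 0.51,
                       "Respond": 0.35, "Recover": 0.46}


def row_scores(rows: Dict[str, list]) -> Dict[str, float]:
    """Per-asset-class score, rounded to two places like the slide."""
    return {name: round(combine(cells), 2) for name, cells in rows.items()}


def overall_score(column_scores: Dict[str, float]) -> int:
    """Whole-matrix D-in-D score: mean of the column scores, times 100."""
    return round(100 * sum(column_scores.values()) / len(column_scores))


Grid = Dict[str, Dict[str, Optional[float]]]  # grid[asset][function] -> score


def _cell(grid: Grid, asset: str, function: str) -> Optional[float]:
    return grid.get(asset, {}).get(function)


def score_grid(grid: Grid) -> Dict[str, object]:
    """Row, column and overall scores for a matrix whose cells are placed.

    Missing cells (absent key or None) count as no control at all, so an
    empty row or column scores 0.0.
    """
    rows = {a: round(combine(s for s in grid.get(a, {}).values() if s is not None), 2)
            for a in ASSETS}
    cols = {f: round(combine(_cell(grid, a, f) for a in ASSETS
                              if _cell(grid, a, f) is not None), 2)
            for f in FUNCTIONS}
    return {"rows": rows, "columns": cols, "overall": overall_score(cols)}


if __name__ == "__main__":
    for asset, score in row_scores(SLIDE_ROW_CELLS).items():
        print(f"{asset:13s} {score:.2f}")
    print("overall D-in-D score:", overall_score(SLIDE_COLUMN_SCORES))
```

Running the block prints the five row scores from the slide and the overall 44. `score_grid` takes a fully placed grid so that column scores are computed rather than copied; because the 1 - prod(1 - s) rule rewards spreading controls across cells more than stacking them in one, it also surfaces the overreliance that Use Case 11 is concerned with.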
18. Use Case 6: Understand how to balance your portfolio without breaking the bank. Spend per cell, read in slide row order (Devices through Users): $50, $100, $50 (row total $200); $50, $100, $50, $100 (row total $300); $100, $100, $50 (row total $250); $50, $50, $50 (row total $150); $50, $50 (row total $100). Column totals (Identify through Recover): $200, $200, $250, $150, $200. Grand total: $1000.
19. Use Case 7: Anticipate the "Effective Half Life" of People Skills, Processes, and Technologies. Each cell carries values for its Technology, People, and Process dependency (cell values as extracted: 55 3 42 3 53 3 53 3 54 2 55 4 33 3 35 4 33 4 55 1 45 5 21 3 22 3 32 3 45 4 25 5 24 2 25 3 22 2 35 3 55 5 35 4 23 3 43 4 55 5). Callouts: new detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher; staff need training EVERY YEAR to maintain efficacy at 50% or higher.
20. Use Case 8: Disintermediate Components for Easier Orchestration. A Common Message Fabric links components drawn from different environments and cells: Vendor Application Protection, Enterprise Network Detection, Enterprise Device Response, Customer Device Protection, Threat Actor Application Identification, Enterprise Network Identification, Customer Device Identification. Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
21. Use Case 9: Differentiate between a platform and a product. What makes a technology a "platform"?
   1. Enables enterprises to operate as mechanics and not just chauffeurs
   2. Exposes all its functions through APIs for easier integration with other technologies and capabilities
   3. Leverages data exchange standards that enable interchangeable components
22. Use Case 10: Identifying Opportunities to Accelerate the People > Process > Technology Lifecycle. New discoveries and war stories get codified into playbooks and checklists, which in turn get embedded into technology. The matrix is annotated "Usually Fighting Against Technology" on one side and "Usually Fighting Against People" on the other.
23. Use Case 11: Identify technology gaps or overreliance in your technology portfolio. Each cell is marked with one check per technology deployed there (as extracted: ✔✔ ✔✔✔ ✔✔✔✔ ✔✔✔✔ ✔✔ ✔ ✔✔ ✔✔ ✔✔✔ ✔ ✔ ✔✔✔ ✔✔✔ ✔✔✔ ✔✔); unmarked cells are gaps, and heavily marked cells show overreliance.
24. Model Shortfalls: Where is analytics? GRC? Orchestration? This framework supports the higher-level functions of orchestration, analytics, and governance/risk/compliance (GRC), but they are represented on a different dimension.
25. Comparison of Models: Gartner's Five Styles of Advanced Threat Defense (source: Gartner). Gartner arranges its styles by Time (Real Time / Near Real Time versus Post Compromise (Days/Weeks)) and Where to Look (Network, Payload, Endpoint): Network Traffic Analysis, Network Forensics, Payload Analysis, Endpoint Behavior Analysis, Endpoint Forensics. Mapped onto the Cyber Defense Matrix, Styles 1, 2, 4, and 5 land on Enterprise Assets and Style 3 on Threat Actor Assets.
26. Applying the Cyber Defense Matrix.
   This week:
   • Use the matrix to categorize vendors that you encounter in the Expo Hall
   • Ask them where they fit and don't allow them to be in multiple shopping aisles
   In the first three months following this presentation you should:
   • Send me feedback on how you have mapped vendors to it
   • Organize your portfolio of technologies to see where you might have gaps
   • Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card)
   Within six months you should:
   • Send me feedback on how you used the Cyber Defense Matrix and improved it
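Use Case 2 (the bingo card), Use Case 11 (gaps and overreliance) and the Expo Hall advice above (one shopping aisle per vendor) all reduce to bookkeeping over the 25 cells. The following is an added example, not code from the deck, that models a portfolio on the matrix and runs those three checks; every product name in it is constructed for illustration and is not a vendor placement taken from the slides, and the overreliance threshold of three products per cell is an assumption.

```python
# Added example, not code from the deck: a Cyber Defense Matrix portfolio
# model for Use Case 2 (design pattern / bingo card), Use Case 11 (gaps and
# overreliance) and the Expo Hall rule that a vendor belongs in one aisle.
# Every product name below is constructed for illustration, not a vendor
# placement taken from the slides.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
Cell = Tuple[str, str]  # (asset class, operational function)

# A design pattern ("bingo card") is just the set of cells it requires.
FULL_BINGO_CARD: Set[Cell] = {(a, f) for a in ASSETS for f in FUNCTIONS}


class Portfolio:
    def __init__(self) -> None:
        self.cells: Dict[Cell, Set[str]] = defaultdict(set)
        self.aisle: Dict[str, Cell] = {}  # product -> the one cell it claims

    def place(self, product: str, asset: str, function: str) -> None:
        """Put a product in one cell; a second, different cell is refused."""
        cell = (asset, function)
        if asset not in ASSETS or function not in FUNCTIONS:
            raise ValueError(f"not a matrix cell: {cell}")
        prior = self.aisle.get(product)
        if prior is not None and prior != cell:
            raise ValueError(f"{product} already sits in {prior}; one aisle per product")
        self.aisle[product] = cell
        self.cells[cell].add(product)

    def gaps(self, pattern: Iterable[Cell]) -> List[Cell]:
        """Cells the design pattern requires that nothing in the portfolio fills."""
        return sorted(c for c in pattern if not self.cells.get(c))

    def overreliance(self, threshold: int = 3) -> List[Cell]:
        """Cells carrying at least `threshold` products (assumed cut-off)."""
        return sorted(c for c, prods in self.cells.items() if len(prods) >= threshold)

    def render(self) -> str:
        """Text grid of product counts per cell, in the matrix's row/column order."""
        head = f"{'':13}" + "".join(f"{f:>9}" for f in FUNCTIONS)
        body = [f"{a:13}" + "".join(f"{len(self.cells.get((a, f), ())):>9}" for f in FUNCTIONS)
                for a in ASSETS]
        return "\n".join([head] + body)


def sample_portfolio() -> Portfolio:
    """Constructed portfolio: heavy on device protection, thin right of boom."""
    p = Portfolio()
    for product, asset, function in [
        ("asset-inventory", "Devices", "Identify"),
        ("endpoint-av", "Devices", "Protect"),
        ("host-ips", "Devices", "Protect"),
        ("config-mgmt", "Devices", "Protect"),
        ("edr-agent", "Devices", "Detect"),
        ("sast-scanner", "Applications", "Identify"),
        ("waf", "Applications", "Protect"),
        ("ngfw", "Networks", "Protect"),
        ("ids-sensor", "Networks", "Detect"),
        ("netflow-collector", "Networks", "Detect"),
        ("dlp", "Data", "Protect"),
        ("backup", "Data", "Recover"),
        ("iam", "Users", "Protect"),
    ]:
        p.place(product, asset, function)
    return p


def second_aisle_refused(p: Portfolio, product: str, asset: str, function: str) -> bool:
    """True if placing `product` in another cell is rejected by the one-aisle rule."""
    try:
        p.place(product, asset, function)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    p = sample_portfolio()
    print(p.render())
    print("gaps:", p.gaps(FULL_BINGO_CARD))
    print("overreliance:", p.overreliance())
    refused = second_aisle_refused(p, "edr-agent", "Devices", "Respond")
    print("edr-agent also in Respond?", "refused" if refused else "accepted")
```

With the constructed portfolio, the full bingo card leaves fifteen empty cells (the entire Respond column among them), Devices/Protect is flagged for carrying three products, and an attempt to file the same product under a second cell is refused, which is the Expo Hall rule enforced in data rather than in conversation.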
27. Sounil Yu, @sounilyu
