SESSION ID: PDIL-W02F

Understanding the Security Vendor Landscape Using the Cyber Defense Matrix

Sounil Yu
sounil@gmail.com
@sounilyu
#RSAC

Disclaimers

The views, opinions, and positions expressed in this presentation are solely my own. They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement from or usage by my employer.

"All models are wrong, but some are useful" - George E. P. Box
Our industry is full of jargon terms that make it difficult to understand what we are buying

To accelerate the maturity of our practice, we need a common language
Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework

Asset Classes
  DEVICES: Workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
  APPS: The software, interactions, and application flows on the devices
  NETWORKS: The connections and traffic flowing among devices and applications
  DATA: The information residing on, traveling through, or processed by the resources above
  USERS: The people using the resources listed above

Operational Functions
  IDENTIFY: Inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
  PROTECT: Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
  DETECT: Discovering events, triggering on anomalies, hunting for intrusions, security analytics
  RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
  RECOVER: Returning to normal operations, restoring services, documenting lessons learned
Introducing the "Cyber Defense Matrix"

Columns (operational functions): Identify | Protect | Detect | Respond | Recover
Rows (asset classes): Devices, Applications, Networks, Data, Users
Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Left and Right of "Boom"

Columns: Identify | Protect | Detect | Respond | Recover
Rows: Devices, Applications, Networks, Data, Users
Left of boom (Identify, Protect): Pre-Event Structural Awareness
Right of boom (Detect, Respond, Recover): Post-Event Situational Awareness
Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Enterprise Security Market Segments

Columns: Identify | Protect | Detect | Respond | Recover

Devices
  Identify: Endpoint Visibility and Control / Configuration and Systems Management (shared with Applications)
  Protect: IAM; AV, HIPS
  Detect and Respond: Endpoint Threat Detection & Response

Applications
  Identify: Configuration and Systems Management (shared with Devices)
  Protect: App Sec (SAST, DAST, IAST, RASP), WAFs

Networks
  Identify: Netflow
  Protect: Network Security (FW, IPS), DDoS Mitigation
  Detect: IDS
  Respond: Full PCAP

Data
  Identify: Data Labeling
  Protect: Data Encryption, DRM, DLP
  Detect: Deep Web, Brian Krebs, FBI
  Recover: Backup

Users
  Identify: Phishing Simulations
  Protect: Phishing Awareness
  Detect: Insider Threat / Behavioral Analytics

Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
We care about more than just the assets that are owned and controlled by the enterprise

Asset owners beyond the enterprise: Threat Actors, Vendors, Customers, Employees

Enterprise Assets
• Devices - user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
• Applications - The software, interactions, and application flows on the devices
• Network - The connections and traffic flowing among devices and applications
• Data - The information residing on, traveling through, or processed by the resources listed above
• Users – The people using the resources listed above

Operational Functions
• Identify – inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
• Protect – preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• Detect – discovering events, triggering on anomalies, hunting for intrusions, security analytics
• Respond – acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
• Recover – returning to normal operations, restoring services, documenting lessons learned
Market Segments – Other Environments

Threat Actor Assets: Intrusion Deception; Malware Sandboxes
Vendor Assets: Vendor Risk Assessments; Cloud Access Security Brokers
Customer Assets: Endpoint Threat Data; Fraud Detection; Device Fingerprinting; Web Fraud Detection
Employee Assets: BYOD MDM; Device Fingerprinting; BYOD MAM
Security Technologies Mapped by Asset Class

Vendors shown grouped by asset class:
  DEVICES: Workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
  APPS: The software, interactions, and application flows on the devices
  NETWORKS: The connections and traffic flowing among devices and applications
  DATA: The information residing on, traveling through, or processed by the resources above
  USERS: The people using the resources listed above

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Security Technologies Mapped by Operational Functions

Vendors shown grouped by operational function:
  IDENTIFY: Inventorying assets, measuring attack surface, baselining normal, risk profiling
  PROTECT: Preventing or limiting impact, containing, hardening, managing access
  DETECT: Discovering events, triggering on anomalies, hunting for intrusions
  RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically (MSSPs / IR)
  RECOVER: Returning to normal operations, restoring services, documenting lessons learned

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Security Technologies by Asset Classes & Operational Functions

Vendors shown placed in the full matrix:
Columns: Identify | Protect | Detect | Respond | Recover
Rows: Devices, Applications, Networks, Data, Users
Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Use Case 1: Understand how products in one area support the capabilities of another area

Threat data providers fall into the Threat Actor Assets category, and threat integration platforms consume, integrate, and drive action on threat data through other products that are in the Enterprise Assets categories.
Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card)

Columns: Identify | Protect | Detect | Respond | Recover
Rows: Devices, Applications, Networks, Data, Users
The slide marks cells of the matrix to form the design pattern.
Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where)

What: Application Security (Protect column)
Where: RASP, WAF, and Secure Coding, spread across the asset-class rows (Devices, Applications, Networks, Data, Users)

What: Endpoint Protection (Protect column)
Where: Anti-Malware, Malware Sandbox, and Phishing Awareness, spread across the asset-class rows (Devices, Applications, Networks, Data, Users)
Use Case 4: The (network) perimeter is dead. Long live (other) perimeters

PROTECT: perimeters between asset classes, FROM (row) TO (column)

FROM Devices
  TO Devices: SSH Certificates; Geofencing
  TO Apps: Client-side SSL Cert
  TO Networks: NAC
  TO Data: Encryption keys
  TO Users: ?
FROM Apps
  TO Devices: Fingerprinting; Server-Side SSL Cert
  TO Apps: API Key
  TO Networks: ?
  TO Data: Encryption keys
  TO Users: Enhanced SSL Certificates
FROM Networks
  TO Devices: 802.1X Certificate
  TO Apps: ?
  TO Networks: Firewall Rules
  TO Data: ?
  TO Users: ?
FROM Data
  TO Devices: Hashes / Checksums
  TO Apps: Hashes / Checksums
  TO Networks: ?
  TO Data: ?
  TO Users: Hashes / Checksums
FROM Users
  TO Devices: User Creds; Biometrics; 2FA
  TO Apps: User Creds; Biometrics; 2FA
  TO Networks: User Creds; 2FA
  TO Data: User Creds; 2FA
  TO Users: Photo ID; Handshake

Reduce/Eliminate these perimeters to make security more usable
Use Case 5: Calculate Defense-in-Depth

Columns: Identify | Protect | Detect | Respond | Recover | D-in-D Score
Cell values as printed on the slide, row by row (empty cells omitted), followed by each row's D-in-D score:
  Devices:      0.25, 0.40, 0.20 -> 0.64
  Applications: 0.20, 0.10, 0.10, 0.15 -> 0.45
  Networks:     0.15, 0.10, 0.20 -> 0.39
  Data:         0.05, 0.10, 0.20 -> 0.32
  Users:        0.30, 0.10 -> 0.37
Column scores: Identify 0.52, Protect 0.36, Detect 0.51, Respond 0.35, Recover 0.46
Defense in Depth Score: 44 (sum of columns and row * 100)
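An added example, not part of the slide deck: a small Python sketch of the row score. The printed row scores are reproduced when each cell in a row is treated as an independent layer, i.e. 1 - prod(1 - c); that reading is an inference from the slide's numbers (0.25, 0.40, 0.20 gives 0.64), not something the slide states, and the cell values are transcribed from the slide without their column positions.

```python
"""Defense-in-depth row scoring over the Cyber Defense Matrix.

Each cell holds an estimated coverage value in [0, 1] for one asset class
under one operational function. Treating the cells of a row as independent
layers (a threat gets past the row only if it slips past every layer):
    row_score = 1 - prod(1 - c_i)
This formula is an inference from the slide's numbers, not a statement
on the slide. Column placement of the values was lost, so each row below
carries its values in the order printed on the slide.
"""
from functools import reduce
from typing import Dict, Iterable, Sequence

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Cell values transcribed from the Use Case 5 slide, per asset-class row.
# Empty cells contribute no layer and are simply absent from the row.
MATRIX_ROWS: Dict[str, Sequence[float]] = {
    "Devices":      (0.25, 0.40, 0.20),
    "Applications": (0.20, 0.10, 0.10, 0.15),
    "Networks":     (0.15, 0.10, 0.20),
    "Data":         (0.05, 0.10, 0.20),
    "Users":        (0.30, 0.10),
}


def layered_score(coverages: Iterable[float]) -> float:
    """Combine per-layer coverages as independent layers: 1 - prod(1 - c)."""
    vals = list(coverages)
    for c in vals:
        if not 0.0 <= c <= 1.0:
            raise ValueError(f"coverage {c} is outside [0, 1]")
    missed = reduce(lambda acc, c: acc * (1.0 - c), vals, 1.0)
    return 1.0 - missed


def row_scores(rows: Dict[str, Sequence[float]] = MATRIX_ROWS, ndigits: int = 2) -> Dict[str, float]:
    """Per-row D-in-D score, rounded as printed on the slide."""
    return {asset: round(layered_score(cells), ndigits) for asset, cells in rows.items()}


def naive_sum_scores(rows: Dict[str, Sequence[float]] = MATRIX_ROWS, ndigits: int = 2) -> Dict[str, float]:
    """A plain sum of the cells, for contrast: it double-counts overlapping
    layers and can exceed 1 (Devices sums to 0.85, versus 0.64 layered)."""
    return {asset: round(sum(cells), ndigits) for asset, cells in rows.items()}


if __name__ == "__main__":
    naive = naive_sum_scores()
    for asset, score in row_scores().items():
        print(f"{asset:13s} layered {score:.2f}   naive sum {naive[asset]:.2f}")
```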
Use Case 6: Understand how to balance your portfolio without breaking the bank

Columns: Identify | Protect | Detect | Respond | Recover | Total
Spend as printed on the slide, row by row (empty cells omitted), followed by each row's total:
  Devices:      $50, $100, $50 -> $200
  Applications: $50, $100, $50, $100 -> $300
  Networks:     $100, $100, $50 -> $250
  Data:         $50, $50, $50 -> $150
  Users:        $50, $50 -> $100
Column totals: Identify $200, Protect $200, Detect $250, Respond $150, Recover $200
Grand total: $1000
Use Case 7: Anticipate the "Effective Half Life" of People Skills, Processes, and Technologies

Columns: Identify | Protect | Detect | Respond | Recover
Each cell carries three half-life values, one each for the people, process, and technology components of that cell. Values as printed, row by row, grouped per function:
  Devices:      5 4 3 | 4 2 2 | 1 3 2 | 3 3 3 | 2 3 4
  Applications: 3 3 2 | 5 3 2 | 2 3 2 | 5 4 3 | 3 3 5
  Networks:     3 4 4 | 2 2 2 | 2 3 3 | 3 4 3 | 3 3 5
  Data:         5 5 5 | 5 3 3 | 5 4 4 | 5 1 5 | 4 2 5
  Users:        5 5 5 | 5 5 2 | 5 5 4 | 5 4 5 | 5 3 5

Callouts on the slide:
  Staff need training EVERY YEAR to maintain efficacy at 50% or higher
  New detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher

Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Use Case 8: Disintermediate Components for Easier Orchestration

Components, each named by asset owner, asset class, and operational function, exchange data through a Common Message Fabric:
  Vendor Application Protection
  Enterprise Network Detection
  Enterprise Device Response
  Customer Device Identification
  Customer Device Protection
  Threat Actor Application Identification
  Enterprise Network Identification

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Use Case 9: Differentiate between a platform and a product

Columns: Identify | Protect | Detect | Respond | Recover
Rows: Devices, Applications, Networks, Data, Users
A product covers a single cell; a platform spans multiple cells of the matrix.

What makes a technology a "platform"?
1. Enables enterprises to operate as mechanics and not just chauffeurs
2. Exposes all its functions through APIs for easier integration with other technologies and capabilities
3. Leverages data exchange standards that enable interchangeable components

Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Use Case 10: Identifying Opportunities to Accelerate the People>Process>Technology Lifecycle

Columns: Identify | Protect | Detect | Respond | Recover
Rows: Devices, Applications, Networks, Data, Users

Lifecycle stages laid across the matrix, from right to left:
  New Discoveries and War Stories! (usually fighting against people)
  Codified Into Playbooks & Checklists
  Embedded Into Technology (usually fighting against technology)

Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Use Case 11: Identify technology gaps or overreliance in your technology portfolio

Columns: Identify | Protect | Detect | Respond | Recover
Rows: Devices, Applications, Networks, Data, Users
The slide places markers for the portfolio's products in the matrix cells; cells left empty show gaps, and cells crowded with markers show overreliance.
Degree of Dependency (bottom axis): Technology at the left, Process in the middle, People at the right
Model Shortfalls: Where is analytics? GRC? Orchestration?

This framework supports the higher level functions of orchestration, analytics, and governance/risk/compliance, but they are represented on a different dimension:
  Orchestration
  Analytics
  GRC
Comparison of Models: Gartner's Five Styles of Advanced Threat Defense

Gartner's model arranges the styles by Where to Look (Network, Payload, Endpoint) against Time (Real Time / Near Real Time versus Post Compromise, Days/Weeks):
  Network: Style 1 Network Traffic Analysis (real time); Style 2 Network Forensics (post compromise)
  Payload: Style 3 Payload Analysis
  Endpoint: Style 4 Endpoint Behavior Analysis (real time); Style 5 Endpoint Forensics (post compromise)

Mapped onto the Cyber Defense Matrix: Styles 4 and 5 land in the Devices row and Styles 1 and 2 in the Networks row of Enterprise Assets, while Style 3 lands under Threat Actor Assets.

Source: Gartner
Applying the Cyber Defense Matrix

This week:
  Use the matrix to categorize vendors that you encounter in the Expo Hall
  Ask them where they fit and don't allow them to be in multiple shopping aisles

In the first three months following this presentation you should:
  Send me feedback on how you have mapped vendors to it
  Organize your portfolio of technologies to see where you might have gaps
  Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card)

Within six months you should:
  Send me feedback on how you used the Cyber Defense Matrix and improved it
Sounil Yu
sounil@gmail.com