The Cyber Defense Matrix, Reloaded - RSA Conference 2019 (slide transcript, 35 slides)

  • Slide 1: The Cyber Defense Matrix, Reloaded (#RSAC)

    Sounil Yu, @sounilyu

    Session ID: STR-T09

  • Slide 3: Disclaimers (@sounilyu 3)

    Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.

    Opinions are my own and do not represent those of my employer.

    "All models are wrong, but some are useful." - George E. P. Box

    "…and some models are measurably more useful." - Doug Hubbard

  • Slide 4: Background on the Cyber Defense Matrix (@sounilyu 4)

  • Slide 5: Background on the Cyber Defense Matrix (@sounilyu 5)

    Operational Functions (the columns of the matrix):

    • IDENTIFY - inventorying assets and vulns, measuring attack surface, prioritizing, baselining normal, threat modeling, risk assessment
    • PROTECT - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
    • DETECT - discovering events, triggering on anomalies, hunting for intrusions, security analytics
    • RESPOND - acting on events, eradicating intrusion, assessing damage, forensic reconstruction
    • RECOVER - returning to normal operations, restoring services, documenting lessons learned, resiliency

    Asset Classes (the rows of the matrix):

    • DEVICES - workstations, servers, phones, tablets, storage, network devices, IoT infrastructure, etc.
    • APPS - software, interactions, and application flows on the devices
    • NETWORKS - connections and traffic flowing among devices and apps
    • DATA - information at rest, in transit, or in use by the resources above
    • USERS - the people using the resources listed above

  • Slide 6: The Cyber Defense Matrix (@sounilyu 6)

    The same five operational functions (Identify, Protect, Detect, Respond, Recover) and five asset classes (Devices, Applications, Networks, Data, Users) drawn as a 5x5 grid, with one addition beneath the columns: the Degree of Dependency bar, running from Technology on the left (Identify, Protect) through Process to People on the right (Respond, Recover).

  • Slide 7: Background on the Cyber Defense Matrix (@sounilyu 7)

    The 5x5 grid again (Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover) with the Technology / Process / People Degree of Dependency bar.

  • Slide 8: Enterprise Security Market Segments (@sounilyu 8)

    The 5x5 grid (Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover, with the Technology / Process / People Degree of Dependency bar) populated with enterprise security market segments. Segments shown on the slide (cell placement is not preserved in this transcript):

    • Config Mgt, Vuln Scanner
    • AV, HIPS
    • Endpoint Detection & Response
    • EP Forensics
    • SAST, DAST, SW Asset Mgt, Fuzzers
    • RASP, WAF
    • Netflow, Network Vuln Scanner
    • Network Security (FW, IPS/IDS)
    • DDoS Mitigation
    • NW Forensics
    • Data Audit, Discovery, Classification
    • Encryption, Tokenization, DLP, DRM
    • Backup
    • IAM
    • Phishing Simulations
    • Phishing & Security Awareness
    • Insider Threat / Behavioral Analytics
    • Deep Web, Brian Krebs, FBI

  • Slide 9: We care about more than just the assets that are owned and controlled by the enterprise (@sounilyu 9)

    Environments: Threat Actors, Vendors, Customers, Employees, Enterprise Assets

    Enterprise Assets

    • Devices - workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure, etc.
    • Applications - the software, interactions, and application flows on the devices
    • Network - the connections and traffic flowing among devices and applications
    • Data - the information residing on, traveling through, or processed by the resources listed above
    • Users - the people using the resources listed above

    Operational Functions

    • Identify - inventorying assets and vulns, prioritizing, measuring attack surface, baselining, threat modeling, risk assessment
    • Protect - preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
    • Detect - discovering events, triggering on anomalies, hunting for intrusions, security analytics
    • Respond - acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
    • Recover - returning to normal operations, restoring services, documenting lessons learned

  • Slide 10: Market Segments - Other Environments (@sounilyu 10)

    Four further 5x5 matrices, each with the same rows (Devices, Applications, Networks, Data, Users) and columns (Identify, Protect, Detect, Respond, Recover) as the enterprise matrix, one per environment:

    • Threat Actor Assets: Threat Intel; Intrusion Deception; Malware Sandboxes
    • Vendor Assets: Cloud Access Security Brokers; Vendor Risk Assessments
    • Customer Assets: Endpoint Fraud Detection; Device Fingerprinting; Digital Biometrics; Web Fraud Detection
    • Employee Assets: BYOD MAM; BYOD MDM
    • Also shown: PCI-DSS, GDPR

  • Slide 11: Recap from 2016 Briefing (@sounilyu 11)

    Primary Use Case: Vendor Mapping

    Other Use Cases:

    • Differentiating Primary & Supporting Capabilities
    • Defining Security Design Patterns
    • Maximizing Deployment Footprint
    • Understanding the New Perimeter
    • Calculating Defense-in-Depth
    • Balancing Your Portfolio Budget
    • Planning for Obsolescence
    • Disintermediating Security Components
    • Comparing Point Products vs Platforms
    • Finding Opportunities for Automation
    • Identifying Gaps in People, Process, Tech

    https://bit.ly/cdm-rsa2016

  • Slide 12: Early Stage Expo and Sandbox Vendors (@sounilyu 12)

    The enterprise 5x5 matrix (Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover, with the Technology / People / Process Degree of Dependency bar) populated with Early Stage Expo and Sandbox vendor logos. Vendor name legible in the transcript: SecurePlus Data.

    Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.

  • Slide 13: Early Stage Expo and Sandbox Vendors (@sounilyu 13)

    The same vendor mapping for the four other environments, each on its own 5x5 matrix (Devices, Applications, Networks, Data, Users by Identify, Protect, Detect, Respond, Recover):

    • Threat Actor Assets
    • Vendor Assets
    • Customer Assets
    • Employee Assets

  • Slide 14: Use Case 12: Optimal Resource Allocation Ratios (@sounilyu 14)

    Relative allocation of Technology, People, and Process across the five functions (values as shown on the slide):

                        Identify  Protect  Detect  Respond  Recover
    Technology             90       70       50      30       10
    People                 10       30       50      70       90
    Process                50       50       50      50       50
    Tech:People Ratio    ~10:1     ~2:1     1:1     ~1:2    ~1:10

    The left-hand functions correspond to a risk-averse posture, the right-hand functions to a risk-taking posture.

  • Slide 15: Use Case 13: Understanding Handoffs and Responsibilities (@sounilyu 15)

    Identify Protect Detect Respond Recover

    Endpoint Services CERT Endpoin