Understanding the Security Vendor Landscape Using the Cyber Defense Matrix


Transcription:

SESSION ID: PDIL-W02F
Understanding the Security Vendor Landscape Using the Cyber Defense Matrix
Sounil Yu, sounil@gmail.com, @sounilyu

Disclaimers
The views, opinions, and positions expressed in this presentation are solely my own. They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement from or usage by my employer.
"All models are wrong, but some are useful." - George E. P. Box

Our industry is full of jargon terms that make it difficult to understand what we are buying. To accelerate the maturity of our practice, we need a common language.

Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework

Asset Classes:
- DEVICES: Workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
- APPS: The software, interactions, and application flows on the devices
- NETWORKS: The connections and traffic flowing among devices and applications
- DATA: The information residing on, traveling through, or processed by the resources above
- USERS: The people using the resources listed above

Operational Functions (NIST Cybersecurity Framework):
- IDENTIFY: Inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
- PROTECT: Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
- DETECT: Discovering events, triggering on anomalies, hunting for intrusions, security analytics
- RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
- RECOVER: Returning to normal operations, restoring services, documenting lessons learned

Introducing the Cyber Defense Matrix
(Slide: the five asset classes as rows against Identify, Protect, Detect, Respond, Recover as columns; a Degree of Dependency axis runs from Technology through Process to People.)

Left and Right of Boom
Identify and Protect are pre-event: Structural Awareness. Detect, Respond, and Recover are post-event: Situational Awareness. (Degree of Dependency axis: Technology / Process / People.)

Enterprise Security Market Segments
Segments placed on the matrix (columns Identify, Protect, Detect, Respond, Recover; Degree of Dependency axis Technology / Process / People):
- IAM
- AV, HIPS
- Endpoint Visibility and Control / Endpoint Threat Detection & Response
- Configuration and Systems Management
- App Sec (SAST, DAST, IAST, RASP), WAFs
- Netflow
- Network Security (FW, IPS)
- IDS
- DDoS Mitigation
- Full PCAP
- Labeling
- Encryption, DLP
- Deep Web, Brian Krebs, FBI
- DRM
- Backup
- Phishing Simulations
- Phishing Awareness
- Insider Threat / Behavioral Analytics

We care about more than just the assets that are owned and controlled by the enterprise
(Slide: the matrix extended to assets owned by Threat Actors, Vendors, Customers, and Employees as well as the Enterprise.)

Assets:
- Devices: user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
- Apps: the software, interactions, and application flows on the devices
- Network: the connections and traffic flowing among devices and applications
- Data: the information residing on, traveling through, or processed by the resources listed above
- Users: the people using the resources listed above

Operational Functions:
- Identify: inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
- Protect: preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
- Detect: discovering events, triggering on anomalies, hunting for intrusions, security analytics
- Respond: acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
- Recover: returning to normal operations, restoring services, documenting lessons learned

Market Segments: Other Environments
- Threat Actor Assets: Intrusion Deception; Malware Sandboxes
- Vendor Assets: Vendor Risk Assessments; Cloud Access Security Brokers
- Customer Assets: Threat Device Fingerprinting; Endpoint Fraud Detection; Web Fraud Detection
- Employee Assets: Device Fingerprinting; BYOD MDM; BYOD MAM

Security Technologies Mapped by Asset Class
(Slide: vendor logos grouped under DEVICES, APPS, NETWORKS, DATA, and USERS, using the asset class definitions from the common-language slide.)
Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.

Security Technologies Mapped by Operational Functions
(Slide: vendor logos grouped under the five functions; MSSPs / IR are shown spanning the response side.)
- IDENTIFY: Inventorying assets, measuring attack surface, baselining normal, risk profiling
- PROTECT: Preventing or limiting impact, containing, hardening, managing access
- DETECT: Discovering events, triggering on anomalies, hunting for intrusions
- RESPOND: Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
- RECOVER: Returning to normal operations, restoring services, documenting lessons learned

Security Technologies by Asset Classes & Operational Functions
(Slide: vendor logos placed in the full matrix, Identify through Recover; Degree of Dependency axis Technology / Process / People.)

Use Case 1: Understand how products in one area support the capabilities of another area
- Threat Actor Assets: threat data providers fall into this category
- Enterprise Assets: threat integration platforms consume, integrate, and drive action on threat data through other products that are in these categories

Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card)
(Slide: the matrix, Identify through Recover, with the Degree of Dependency axis Technology / Process / People.)

Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where)
- What: Application Security. Where: Protect. Examples: RASP, WAF, Secure Coding
- What: Endpoint Protection. Where: Protect. Examples: Anti Malware, Malware Sandbox, Phishing Awareness

Use Case 4: The (network) perimeter is dead. Long live (other) perimeters
(Slide: a FROM/TO grid between the asset classes, including Apps to Apps, listing the authentication and trust mechanisms that act as a perimeter at each boundary; the question marks are the slide's own.)
- SSH Certificates
- Server-Side SSL Cert
- 802.1X Certificate
- Hashes / Checksums
- User Creds
- Biometrics
- 2FA
- Client-side SSL Cert
- Geofencing
- Fingerprinting
- NAC
- Encryption keys
- API Key?
- Firewall Rules??
- Enhanced SSL Certificates??
- Photo ID
- Handshake
Reduce/Eliminate these perimeters to make security more usable

Use Case 5: Calculate Defense-in-Depth
(Slide: a Defense in Depth Score table with columns Identify, Protect, Detect, Respond, Recover and a D-in-D Score column.)
Cell values as transcribed, per row: 0.25 0.40 0.20 | 0.20 0.10 0.10 0.15 | 0.15 0.10 0.20 | 0.05 0.10 0.20 | 0.30 0.10
Row D-in-D scores: 0.64, 0.45, 0.39, 0.32, 0.37
Column scores: 0.52, 0.36, 0.51, 0.35, 0.46
Overall: 44 (sum of columns and row * 100)
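The slide shows the scores but not how each cell feeds into them. The following is an added example, not code from the presentation: it models the matrix as rows of coverage values, combines each row and column with 1 - product(1 - p) (an assumption: each cell value read as the probability that the controls in that cell stop or catch an attack, layers failing independently; this happens to reproduce the five row scores printed on the slide), and reports empty cells as gaps. The column placement of the transcribed values and the overall aggregation (mean of row and column scores times 100) are also assumptions, since the transcript does not preserve them.

```python
"""Defense-in-depth scoring over a Cyber Defense Matrix (added example)."""
from math import prod

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSETS = ("Devices", "Apps", "Networks", "Data", "Users")

# Constructed sample matrix. The numbers are the cell values transcribed
# from the slide, but which column each one belongs to is not recoverable
# from the transcript, so the placement below (left to right, in
# transcript order) is an assumption. None marks a cell with no coverage.
SAMPLE = {
    "Devices":  (0.25, 0.40, 0.20, None, None),
    "Apps":     (0.20, 0.10, 0.10, 0.15, None),
    "Networks": (0.15, 0.10, 0.20, None, None),
    "Data":     (0.05, 0.10, 0.20, None, None),
    "Users":    (0.30, 0.10, None, None, None),
}


def depth_score(cells):
    """Combine the coverage values of one row or one column into a score.

    Assumed model: a cell value is the probability that the controls in
    that cell stop or catch an attack, and layers fail independently, so
    the chance that at least one layer works is 1 - product(1 - p).
    Empty cells (None) contribute nothing. Rounded to two decimals, the
    way the slide shows its scores.
    """
    present = [p for p in cells if p is not None]
    for p in present:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"coverage must be between 0 and 1, got {p}")
    if not present:
        return 0.0
    return round(1.0 - prod(1.0 - p for p in present), 2)


def row_scores(matrix):
    """Depth score per asset class (one row of the matrix)."""
    return {asset: depth_score(matrix[asset]) for asset in ASSETS}


def column_scores(matrix):
    """Depth score per operational function (one column of the matrix)."""
    return {
        fn: depth_score([matrix[asset][i] for asset in ASSETS])
        for i, fn in enumerate(FUNCTIONS)
    }


def overall_score(matrix):
    """Single 0-100 portfolio number.

    Assumption: the mean of the five row scores and five column scores,
    times 100. The slide labels its total only as "sum of columns and
    row * 100" and does not show the exact formula.
    """
    scores = [*row_scores(matrix).values(), *column_scores(matrix).values()]
    return round(100 * sum(scores) / len(scores))


def gaps(matrix):
    """Cells with no coverage at all, as (asset class, function) pairs."""
    return [
        (asset, fn)
        for asset in ASSETS
        for fn, p in zip(FUNCTIONS, matrix[asset])
        if p is None
    ]


if __name__ == "__main__":
    for asset, score in row_scores(SAMPLE).items():
        print(f"{asset:<9} D-in-D score {score:.2f}")
    for fn, score in column_scores(SAMPLE).items():
        print(f"{fn:<9} column score {score:.2f}")
    print("overall:", overall_score(SAMPLE))
    print("uncovered cells:", gaps(SAMPLE))
```

With the sample matrix the row scores come out as 0.64, 0.45, 0.39, 0.32 and 0.37, matching the slide; the column scores differ from the slide's because the column placement is guessed. The practical point of the model is that stacking several weak layers in one row raises that row's score quickly, while a row or column with no entries at all stays at zero no matter how strong the rest of the portfolio is, which is the gap view the matrix is meant to expose.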

Use Case 6: Understand how to balance your portfolio without breaking the bank
(Slide: spend per matrix cell with row and column totals; columns Identify, Protect, Detect, Respond, Recover, Total.)
Rows as transcribed:
- $50, $100, $50 (total $200)
- $50, $100, $50, $100 (total $300)
- $100, $100, $50 (total $250)
- $50, $50, $50 (total $150)
- $50, $50, $100 (total $200)
Column totals as transcribed: $200, $250, $150, $200; grand total $1000

Use Case 7: Anticipate the Effective Half Life of People Skills, Processes, and Technologies
(Slide: the matrix, Identify through Recover, filled with an estimated half life in years (values from 1 to 5) for each cell across the People, Process, and Technology layers; Degree of Dependency axis Technology / Process / People.)
- Staff need training EVERY YEAR to maintain efficacy at 50% or higher
- New detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher

Use Case 8: Disintermediate Components for Easier Orchestration
(Slide: components from different owners and asset classes connected through a Common Message Fabric:)
- Vendor Application Protection
- Enterprise Network Detection
- Enterprise Device Response
- Customer Device Identification
- Customer Device Protection
- Threat Actor Application Identification
- Enterprise Network Identification
- Common Message Fabric

Use Case 9: Differentiate between a platform and a product
(Slide: Product versus Platform shown on the matrix, Identify through Recover; Degree of Dependency axis Technology / Process / People.)
What makes a technology a platform?
1. Enables enterprises to operate as mechanics and not just chauffeurs
2. Exposes all its functions through APIs for easier integration with other technologies and capabilities
3. Leverages data exchange standards that enable interchangeable components

Use Case 10: Identifying Opportunities to Accelerate the People > Process > Technology Lifecycle
(Slide: the matrix, Identify through Recover, with the Degree of Dependency axis Technology / Process / People.)
Lifecycle stages:
- People: New Discoveries and War Stories!
- Process: Codified Into Playbooks & Checklists
- Technology: Embedded Into Technology
Axis annotations: at the Technology end, "Usually Fighting Against Technology"; at the People end, "Usually Fighting Against People".

Use Case 11: Identify technology gaps or overreliance in your technology portfolio
(Slide: the matrix, Identify through Recover, with the Degree of Dependency axis Technology / Process / People.)

Model Shortfalls: Where is analytics? GRC? Orchestration?
This framework supports the higher-level functions of orchestration, analytics, and governance/risk/compliance, but they are represented on a different dimension (Orchestration, Analytics, GRC).

Comparison of Models: Gartner's Five Styles of Advanced Threat Defense
(Slide: Gartner's five styles placed against two axes, Time (Real Time / Near Real Time versus Post Compromise (Days/Weeks)) and Where to Look (Network, Payload, Endpoint), overlaid on the Enterprise Assets and Threat Actor Assets rows of the matrix.)
- Style 1: Network Traffic Analysis (real time / near real time; network)
- Style 2: Network Forensics (post compromise; network)
- Style 3: Payload Analysis (real time / near real time; payload)
- Style 4: Endpoint Behavior Analysis (real time / near real time; endpoint)
- Style 5: Endpoint Forensics (post compromise; endpoint)
Source: Gartner

Applying the Cyber Defense Matrix
This week:
- Use the matrix to categorize vendors that you encounter in the Expo Hall
- Ask them where they fit and don't allow them to be in multiple shopping aisles
In the first three months following this presentation you should:
- Send me feedback on how you have mapped vendors to it
- Organize your portfolio of technologies to see where you might have gaps
- Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card)
Within six months you should:
- Send me feedback on how you used the Cyber Defense Matrix and improved it

Sounil Yu sounil@gmail.com