Understanding the Security Vendor Landscape Using the Cyber Defense Matrix
Sounil Yu
SESSION ID: PDIL-W02F
sounil@gmail.com   @sounilyu
#RSAC
Disclaimers

The views, opinions, and positions expressed in this presentation are solely my own.
They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement from or usage by my employer.

“All models are wrong, but some are useful.” – George E. P. Box
Our industry is full of jargon terms that make it difficult to understand what we are buying

To accelerate the maturity of our practice, we need a common language.
Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework

Asset Classes
• DEVICES – Workstations, servers, VoIP phones, tablets, IoT, storage, network devices, infrastructure, etc.
• APPS – The software, interactions, and application flows on the devices
• NETWORKS – The connections and traffic flowing among devices and applications
• DATA – The information residing on, traveling through, or processed by the resources above
• USERS – The people using the resources listed above

Operational Functions
• IDENTIFY – Inventorying assets and vulns, measuring attack surface, baselining normal, risk profiling
• PROTECT – Preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• DETECT – Discovering events, triggering on anomalies, hunting for intrusions, security analytics
• RESPOND – Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
• RECOVER – Returning to normal operations, restoring services, documenting lessons learned
Introducing the “Cyber Defense Matrix”

Rows (asset classes): Devices, Applications, Networks, Data, Users
Columns (operational functions): Identify, Protect, Detect, Respond, Recover
Bottom axis (Degree of Dependency): Technology / People / Process
Left and Right of “Boom”

Identify and Protect: Pre-Event, Structural Awareness
Detect, Respond, and Recover: Post-Event, Situational Awareness
Enterprise Security Market Segments

Market segments placed on the Cyber Defense Matrix (listed as they appear on the slide):
• IAM
• Endpoint Visibility and Control / Endpoint Threat Detection & Response
• Configuration and Systems Management
• Data Labeling
• App Sec (SAST, DAST, IAST, RASP), WAFs
• Phishing Simulations
• DDoS Mitigation
• Insider Threat / Behavioral Analytics
• Network Security (FW, IPS)
• DRM, Data Encryption, DLP
• IDS, Netflow, Full PCAP
• AV, HIPS
• Deep Web, Brian Krebs, FBI
• Backup
• Phishing Awareness
We care about more than just the assets that are owned and controlled by the enterprise

Other environments around the enterprise: Threat Actors, Vendors, Customers, Employees.

Enterprise Assets
• Devices – user workstations, servers, phones, tablets, IoT, peripherals, storage, network devices, web cameras, infrastructure devices, etc.
• Applications – The software, interactions, and application flows on the devices
• Network – The connections and traffic flowing among devices and applications
• Data – The information residing on, traveling through, or processed by the resources listed above
• Users – The people using the resources listed above

Operational Functions
• Identify – inventorying assets and vulnerabilities, measuring attack surface, baselining normal, risk profiling
• Protect – preventing or limiting impact, patching, containing, isolating, hardening, managing access, vuln remediation
• Detect – discovering events, triggering on anomalies, hunting for intrusions, security analytics
• Respond – acting on events, eradicating intrusion footholds, assessing damage, coordinating response, forensics
• Recover – returning to normal operations, restoring services, documenting lessons learned
Market Segments – Other Environments

Threat Actor Assets
• Threat Data
• Intrusion Deception
• Malware Sandboxes

Vendor Assets
• Cloud Access Security Brokers
• Vendor Risk Assessments

Customer Assets
• Endpoint Fraud Detection
• Device Fingerprinting (appears in two cells)
• Web Fraud Detection

Employee Assets
• BYOD MAM
• BYOD MDM
Security Technologies Mapped by Asset Class

(Vendor logos arranged by the asset classes defined above.)

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Security Technologies Mapped by Operational Functions

• IDENTIFY – Inventorying assets, measuring attack surface, baselining normal, risk profiling
• PROTECT – Preventing or limiting impact, containing, hardening, managing access
• DETECT – Discovering events, triggering on anomalies, hunting for intrusions
• RESPOND – Acting on events, eradicating intrusion footholds, assessing damage, coordinating, reconstructing events forensically
• RECOVER – Returning to normal operations, restoring services, documenting lessons learned
• MSSPs / IR

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Security Technologies by Asset Classes & Operational Functions

(Vendor logos placed on the full Cyber Defense Matrix grid: asset classes by operational functions.)

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Use Case 1: Understand how products in one area support the capabilities of another area

Threat data providers fall into the Threat Actor Assets category…
… and threat integration platforms consume, integrate, and drive action on threat data through other products that are in the Enterprise Assets categories.
Use Case 2: Define Security Design Patterns (a.k.a. Security Bingo Card)

(The desired pattern of capabilities is marked out on the Cyber Defense Matrix grid.)
Use Case 3: Maximizing Your Available Deployment Footprint (What vs Where)

“What” names the capability being bought (its Protect column); “Where” is the asset class row on which each component is deployed.

What: Application Security (Protect)
• RASP
• WAF
• Secure Coding

What: Endpoint Protection (Protect)
• Anti-Malware
• Malware Sandbox
• Phishing Awareness
Use Case 4: The (network) perimeter is dead. Long live (other) perimeters

PROTECT: the perimeter controls that sit between each pair of asset classes (FROM a row, TO a column):

FROM \ TO   Devices                        Apps                           Networks                         Data              Users
Devices     SSH Certificates               Client-side SSL Cert           Geofencing, Fingerprinting, NAC  Encryption keys   ?
Apps        Server-Side SSL Cert           API Key                        ?                                Encryption keys   Enhanced SSL Certificates
Networks    802.1X Certificate             ?                              Firewall Rules                   ?                 ?
Data        Hashes / Checksums             Hashes / Checksums             ?                                ?                 Hashes / Checksums
Users       User Creds, Biometrics, 2FA    User Creds, Biometrics, 2FA    User Creds, 2FA                  User Creds, 2FA   Photo ID, Handshake

Reduce/eliminate these perimeters to make security more usable.
Use Case 5: Calculate Defense-in-Depth

Each cell holds a value between 0 and 1; each row and column is rolled up into a Defense in Depth Score.

                Cell values (in slide order)   Row score
Devices         0.25  0.40  0.20               0.64
Applications    0.20  0.10  0.10  0.15         0.45
Networks        0.15  0.10  0.20               0.39
Data            0.05  0.10  0.20               0.32
Users           0.30  0.10                     0.37

Column scores:  Identify 0.52   Protect 0.36   Detect 0.51   Respond 0.35   Recover 0.46
D-in-D Score: 44 (sum of columns and row *100)
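As an added example (not from the slides), the roll-up can be computed by treating each cell value as the probability that the controls in that cell work and combining a row or column as 1 - prod(1 - p): the slide's row scores (0.64 from 0.25, 0.40 and 0.20; 0.45 from 0.20, 0.10, 0.10 and 0.15; and so on) match this rule. Which column each value sits in, and the overall score being the mean of the column scores, are assumptions made here; the gaps() helper also serves Use Case 11 below.

```python
from math import prod

ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Constructed sample matrix. The slide gives each row's values but not their
# columns, so the placement below is an assumption; empty cells are absent.
# Each value is read as the probability that the cell's controls work.
SAMPLE = {
    "Devices":      {"Identify": 0.25, "Protect": 0.40, "Detect": 0.20},
    "Applications": {"Identify": 0.20, "Protect": 0.10, "Detect": 0.10, "Respond": 0.15},
    "Networks":     {"Identify": 0.15, "Protect": 0.10, "Detect": 0.20},
    "Data":         {"Identify": 0.05, "Protect": 0.10, "Recover": 0.20},
    "Users":        {"Identify": 0.30, "Protect": 0.10},
}

def combined(probabilities):
    """Chance that at least one of several independent controls works:
    1 - product of (1 - p). An empty group scores 0.0."""
    return 1.0 - prod(1.0 - p for p in probabilities)

def score_matrix(cells):
    """Roll a {asset: {function: p}} matrix up into per-row and per-column
    scores plus an overall 0-100 figure. The overall figure is taken as the
    mean of the column scores (assumption; the slide only says
    "sum of columns and row *100")."""
    rows = {a: combined(cells.get(a, {}).values()) for a in ASSETS}
    cols = {f: combined(cells[a][f] for a in ASSETS if f in cells.get(a, {}))
            for f in FUNCTIONS}
    overall = round(100 * sum(cols.values()) / len(FUNCTIONS))
    return rows, cols, overall

def gaps(cells, threshold=0.25):
    """Cells below the threshold, empty cells included: the portfolio gaps
    that Use Case 11 asks you to look for."""
    return [(a, f) for a in ASSETS for f in FUNCTIONS
            if cells.get(a, {}).get(f, 0.0) < threshold]

if __name__ == "__main__":
    rows, cols, overall = score_matrix(SAMPLE)
    for asset in ASSETS:
        print(f"{asset:13} {rows[asset]:.2f}")
    print("columns:", {f: round(v, 2) for f, v in cols.items()})
    print("D-in-D score:", overall)
    print("gaps:", gaps(SAMPLE))
```

With the assumed placement the column scores differ from the slide's (the rows do not), which is exactly why the placement matters when you fill in your own matrix.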
Use Case 6: Understand how to balance your portfolio without breaking the bank

                Spend per cell (in slide order)   Total
Devices         $50   $100  $50                   $200
Applications    $50   $100  $50   $100            $300
Networks        $100  $100  $50                   $250
Data            $50   $50   $50                   $150
Users           $50   $50                         $100

Column totals:  Identify $200   Protect $200   Detect $250   Respond $150   Recover $200
Total: $1000
Use Case 7: Anticipate the “Effective Half Life” of People Skills, Processes, and Technologies

Three values per cell, as they appear on the slide:

                Identify   Protect   Detect    Respond   Recover
Devices         5 5 3      4 2 3     5 3 3     5 3 3     5 4 2
Applications    5 5 4      3 3 3     3 5 4     3 3 4     5 5 1
Networks        4 5 5      2 1 3     2 2 3     3 2 3     4 5 4
Data            2 5 5      2 4 2     2 5 3     2 2 2     3 5 3
Users           5 5 5      3 5 4     2 3 3     4 3 4     5 5 5

New detection technologies may need to be rolled out EVERY TWO YEARS to maintain efficacy at 50% or higher.
Staff need training EVERY YEAR to maintain efficacy at 50% or higher.
Use Case 8: Disintermediate Components for Easier Orchestration

Components exchanging messages over a Common Message Fabric:
• Vendor Application Protection
• Enterprise Network Detection
• Enterprise Device Response
• Customer Device Protection
• Threat Actor Application Identification
• Enterprise Network Identification
• Customer Device Identification

Disclaimer: Vendors shown are representative only. No usage or endorsement should be construed because they are shown here.
Use Case 9: Differentiate between a platform and a product

(Product and Platform are each outlined on the Cyber Defense Matrix grid.)

What makes a technology a “platform”?
1. Enables enterprises to operate as mechanics and not just chauffeurs
2. Exposes all its functions through APIs for easier integration with other technologies and capabilities
3. Leverages data exchange standards that enable interchangeable components
Use Case 10: Identifying Opportunities to Accelerate the People > Process > Technology Lifecycle

Usually Fighting Against Technology / Usually Fighting Against People

New Discoveries and War Stories! → Codified Into Playbooks & Checklists → Embedded Into Technology
Use Case 11: Identify technology gaps or overreliance in your technology portfolio

(Your deployed technologies plotted on the Cyber Defense Matrix grid, so empty and crowded cells stand out.)
Model Shortfalls: Where is analytics? GRC? Orchestration?

This framework supports the higher level functions of orchestration, analytics, and governance/risk/compliance (GRC), but they are represented on a different dimension.
Comparison of Models: Gartner’s Five Styles of Advanced Threat Defense

Source: Gartner

Where to Look   Time: Real Time / Near Real Time       Time: Post Compromise (Days/Weeks)
Network         Style 1: Network Traffic Analysis      Style 2: Network Forensics
Payload         Style 3: Payload Analysis
Endpoint        Style 4: Endpoint Behavior Analysis    Style 5: Endpoint Forensics

On the Cyber Defense Matrix: Styles 1, 2, 4, and 5 fall on Enterprise Assets; Style 3 falls on Threat Actor Assets.
Applying the Cyber Defense Matrix

This week:
• Use the matrix to categorize vendors that you encounter in the Expo Hall
• Ask them where they fit and don’t allow them to be in multiple shopping aisles

In the first three months following this presentation you should:
• Send me feedback on how you have mapped vendors to it
• Organize your portfolio of technologies to see where you might have gaps
• Identify vendors that may round out your portfolio based on your security design pattern (a.k.a. security bingo card)

Within six months you should:
• Send me feedback on how you used the Cyber Defense Matrix and improved it
Sounil Yu
sounil@gmail.com