Augmenting the Cyber Defense Matrix
John C. Checco, D.Sc.
Information Security Executive ∴ Innovator ∴ Firefighter ∴ Speaker
Most of you by now have heard about the Cyber Defense Matrix, a security model envisioned by Sounil Yu (a former manager of mine) that coalesces the operational areas of the NIST CSF - Identify, Protect, Detect, Respond and Recover - with a set of commonly accepted asset classes - Devices, Applications, Networks, Data and Users.
The novelty that Sounil brings to this chessboard is the myriad of ways it can be used to map, measure and justify the security defense posture of any organization. Sounil is a "regular" at RSAC, having given multiple talks and workshops on the CDM. (One of my favorite talks is actually an early one given at ACoD.)
Is Improvement Sacrilegious?
As I look at the complexity of security - zero-day exploits, multi-stage attacks and the long-game approach - I ask myself "can we improve upon the current CDM work?" i.e., can we improve the CDM mapping capabilities by augmenting the operational defense axis? (FYI, I am in no position, nor of a mindset, to actually augment the NIST CSF ... yet.)
Operational Security - PREEMPT
I would be so bold as to add PREEMPT as a column in the operational areas of the matrix. So ... what is meant by PREEMPT?
PREEMPT is the fundamental removal of the threat, vulnerability and/or attack surface from the environment.
Example #1: If you are familiar with threat modeling, this should be quite easily explainable. For any application threat model, have you ever listed "inability to access pen and paper" as a potential vulnerability? No, because the application is electronic, and items such as pen and paper are not part of that environment. The migration of a business process from pen and paper (circa 1970) to an application (1990+) has made the pen and paper obsolete - or, in other words, preempted the pen and paper availability issue.
Example #2: For all you dog and cat people out there, what makes macOS better than Windows, or vice versa? (It really doesn't matter, but ...) if you wanted to PREEMPT the issue of ActiveX threats, then you could change all your systems to macOS. Or moving to Chromebooks would PREEMPT an entire set of OS and local storage issues.
Example #3: Okay, if the first two examples didn't convince you (as they were a bit trite), then the best relevant example I can present is the migration to passwordless MFA. Getting rid of passwords as an authentication model preempts an entire class of threats: from brute-force and rainbow-table attacks to credential spraying.
The use case for PREEMPT is to look for solutions that are not bolt-ons to existing infrastructure, but holistic replacements for existing threat-laden technologies/processes.
Asset Security - TRANSACTION
My second alteration would be at the asset level, and (if I could) I would ask that TRANSACTIONS be added as a viable asset to any protection model.
TRANSACTION defines the life-cycle and purpose of any piece of data from end to end, regardless of the number of steps, processes or organizations it must cross.
Actually, the Forrester Research concept of Zero Trust does talk about WORKLOAD protection, but I feel that "workload" is too narrow in that it only encompasses a single step in a transaction - i.e., the one within your operational control - rather than the end-to-end life of a transaction.
Example #1: The next time you order and eat a burger, think about the safety precautions and cleanliness steps taken (or not) from the kitchen that cooked your burger, back to the facility that ground that burger, back to the butcher that portioned the meat, back to the slaughterhouse that processed the animal, back to the farm that raised the animal, back to the companies that make the grain (and antibiotics) that are needed for the animal. We must have a lot of trust in the process, because if any part of this goes sideways we can get very, very ill.
Example #2: Execution of a stock trade is an example of a transaction that needs to be protected from end to end. The data itself is useless unless it can move from initiation to routing to validation to matching to confirmation to enrichment to verification to clearing to settlement to reconciliation. This process touches many people, systems and organizations - all of which need to have protection in concert.
Example #3: Distributed Ledger (aka Blockchain) is a technology purpose-built around protecting a transaction. It covers the end-to-end sanctity of the transaction, including audit. (As a side note, DL is now being used to track meat processing from cow to plate.)
The use case for TRANSACTIONS is to allow an asset to be defined, treated and protected as a living entity - as opposed to a cog in a larger machine in which we ignore the connecting cogs. (SWIFT should take this to heart.)
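To make the "workload vs. transaction" distinction concrete, here is an added example (not part of the original article) that carries the stock-trade stages named above through a hash-chained audit trail: each stage commits to every stage before it, so a single organization checking only its own step (the workload view) can pass while the end-to-end check (the transaction view) fails at the tampered stage. It assumes one HMAC key shared by all parties for simplicity; in practice each organization would sign its own link. The trade data is constructed.

```python
import hashlib
import hmac
import json
# Trade lifecycle stages named in the article, in the order they must occur.
STAGES = ["initiation", "routing", "validation", "matching", "confirmation",
          "enrichment", "verification", "clearing", "settlement", "reconciliation"]
GENESIS = "0" * 64

def _link_hash(key: bytes, prev: str, stage: str, payload: dict) -> str:
    """HMAC-SHA256 over the previous link, the stage name and a canonical payload."""
    msg = prev.encode() + stage.encode() + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def record_stage(chain: list, key: bytes, stage: str, payload: dict) -> list:
    """Append one stage; each link commits to every link before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"stage": stage, "payload": payload, "prev": prev,
                  "hash": _link_hash(key, prev, stage, payload)})
    return chain

def verify_stage(link: dict, key: bytes) -> bool:
    """'Workload' view: one organization checks only the integrity of its own step."""
    return hmac.compare_digest(
        link["hash"], _link_hash(key, link["prev"], link["stage"], link["payload"]))

def verify_transaction(chain: list, key: bytes) -> tuple:
    """'Transaction' view: order, linkage and every HMAC; returns (ok, first failing stage)."""
    if [link["stage"] for link in chain] != STAGES:
        return False, "incomplete-or-misordered"
    prev = GENESIS
    for link in chain:
        if link["prev"] != prev or not verify_stage(link, key):
            return False, link["stage"]
        prev = link["hash"]
    return True, None

def build_trade(key: bytes, order: dict) -> list:
    """Constructed sample: one order carried through all ten stages."""
    chain = []
    for step, stage in enumerate(STAGES):
        record_stage(chain, key, stage, {**order, "step": step})
    return chain

def tamper(chain: list, stage: str, field: str, value) -> list:
    """Simulate an unauthorized change made inside one stage's own system."""
    for link in chain:
        if link["stage"] == stage:
            link["payload"][field] = value
    return chain
```

Changing the quantity at the "matching" stage leaves the settlement link's own check passing, while the end-to-end check reports "matching" as the first broken step.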
Summary
In assessing your organization's security posture, there needs to be a balance between too much simplicity and too much granularity - both of which lead to broad misclassification of gray areas, which can then lead to making the wrong assumptions or decisions about where to focus security effort.
The Cyber Defense Matrix is a great tool, and I believe the additions of "operational PREEMPTing" and "TRANSACTIONS as an asset" make your security mapping clearer without adding confusion.
(BTW, I have discussed these additions with Sounil in the past and, although we do not agree, his views on this are equally interesting; I suggest reaching out to him to find out more.)
Let me know your thoughts.
Engineering & Product Leadership | Entrepreneurship | Software Architecture | AI & Cyber-security Expert
2 years ago
Great perspective and thanks for the effort to make this model more useful! My quick thoughts: 1. I do agree we need a better focus on activities mentioned under PREEMPT like Threat Modeling and others, but I also recognize that we can model it under the existing PROTECT column, to keep the matrix simpler and easier to use. 2. Modeling a Transaction as an Asset Type doesn't sound right, as unlike other asset types, it only exists at a point in time - when the transaction is being executed and not yet finalized. But considering how critical crypto assets have become today, I do think it is worth considering adding Digital Assets as an additional row, like crypto wallets and smart contracts, as an Asset Type. The opposite argument can be that we can include it under Users for Wallets or under Applications for Smart Contracts, but a Digital Assets row sounds a better approach, IMO. Would love to hear how Sounil Yu and others see it.
Cybersecurity Scientist | US Navy Cryptology Community Veteran | VFW Member | Autistic | LGBTQ | INTJ-Mastermind
4 years ago
Preempt is one of the 'EFFECTS' defined in NIST 800-160 vol 2 in Appendix H page 156. It's one of just over a dozen different effects the defender can have on adversary behavior that in turn has an effect on the defender's risk. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2.pdf
NetVPro | Help People. Solve Problems. Add Value. | Cybersecurity and Protection | Trail Riding | Passionate Adventurer
4 years ago
Improvement should never be thought of as sacrilegious; I found this writing relevant and thought provoking. I've seen and read some of Sounil Yu's work and am a HUGE supporter of the DIE model of data retention. The blockchain people don't seem to have the Ephemeral part included, which, to me, speaks of app developers who never thought about security. To your point in this article though, what do you make of Prevention Without Detection by using AppGuard as a zero-trust endpoint protection technology?
Freewheel, at Comcast Advertising
5 years ago
Would be good to see more practical examples. The concepts seem a bit theoretical. But I get it that we need to begin to look at security as a built-in process, not a bolt-on.