CyberSecurity Portfolio Management: Approaches
Bikash Barai, Ravi Mishra
What problems are we trying to discuss here?
• What Security Products Do We Really Need & Don’t?
• How do we Identify Gaps & Overlaps in Portfolio?
• How do we define our Security Products Strategy?
• What security products can be replaced or dropped?
• How do we understand & categorize security vendors using a standardized approach?
• How do we make the optimal use of our existing cybersecurity products portfolio?
Current State of Security Spending
• Mostly Ad-hoc / Unplanned spending
• Overinvested in Some Areas
• Underinvested in Some Areas
• Sub-optimal choices
• How many security technologies do you need to start a security program?
• As per 451 Research (expert view): anywhere from 4 to 31
• Generally, PCI is taken as the baseline
Shelfware – What’s Most Likely to End up there?
Source: Javvad Malik, 451 Research
And Why?
Source: Javvad Malik, 451 Research
CyberSecurity Tech Spending : Approaches
• Compliance Driven – What’s the minimum required to stay compliant? (e.g.: PCI-DSS)
• Frameworks Based – What does NIST CSF / ISO 27001 etc. require?
• What are Others / Peers Doing?
• As a Vendor, what Customer Commitments do we have?
• Budget Driven – How can we have 100% utilization of our FY budget?
• Based on Structured Portfolio Analysis – OUR FOCUS FOR TODAY
• What’s required for a balanced portfolio?
• Do we have enough / right controls based on our threat model?
Frameworks for Structured Portfolio Analysis
• OWASP - Cyber Defense Matrix (Sounil Yu)
• CyberARM – UNCC
• Gartner – Security Posture Assessment
• Security Architecture using Threat Modeling
• US-CCU Cyber-Security Matrix
OWASP Cyber Defense Matrix
https://www.owasp.org/index.php/OWASP_Cyber_Defense_Matrix
OWASP - Cyber Defense Matrix
• Common Language Based on 5 Asset Classes & NIST CSF
Source: Sounil Yu, RSAC 2016 Presentation
Sample View – Based on Mapping Tech
Source: Sounil Yu, RSAC 2016 Presentation
Identify Gaps & Overlaps
(Figure: the matrix view marks cells with no product as possible gaps and cells covered by several products as possible overlaps.)
Source: FireCompass.com
Views Across Asset Owners – Not Just Org
Source: Sounil Yu, RSAC 2016 Presentation
Classify the Products you’re Evaluating
Source: Sounil Yu, RSAC 2016 Presentation
Use Cases Summary
1. Identify Gaps & Overlaps (Design Patterns)
2. Understand the Security Posture of Others (Vendors, Employee etc.)
3. Understand where Vendor’s Offerings Fit
4. How Solutions in One Area Support Others (e.g.: TI)
5. Identify Orchestration Patterns
6. Decide on Platform vs Product Approach
CyberARM
Gartner
US CCU
CyberARM: Enhancement of CDM
• The phases of the kill-chain have been introduced as the 3rd dimension of CDM.
• Each class of security controls now has three attributes: Kill-Chain Phase, Enforcement Level, Security Function (SF).
(Figure: the three axes of the CyberARM cube)
• KC Phase: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
• Security Function: Identify, Protect, Detect, Respond, Recover
• Enforcement level: People, Network, Device, Application, Data
Source: http://www.ccaa-nsf.org/cyber-defense-matrix.html
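To make the gap-and-overlap analysis from the Cyber Defense Matrix slides and the CyberARM kill-chain dimension concrete, here is an added worked example (not code from the deck, from Sounil Yu, or from the CyberARM project). It assumes the five CDM asset classes and five NIST CSF functions as axes, tags each product with the cells it covers plus a kill-chain phase, and computes empty cells (gaps), multiply-covered cells (overlaps) and a per-phase view. The portfolio below is a constructed sample; the product names and their cell assignments are illustrative assumptions, not a recommendation.

```python
"""Cyber Defense Matrix style portfolio analysis (added example, not from the deck).

Rows are the five asset classes, columns the five NIST CSF functions.
Each product in the constructed portfolio is tagged with the cells it
covers; gaps are empty cells, overlaps are cells covered by more than one
product. The kill-chain phase tag follows the CyberARM idea of a third
dimension and is used only for the per-phase view.
"""
from collections import defaultdict
from itertools import product as cartesian

ASSET_CLASSES = ("Devices", "Applications", "Networks", "Data", "Users")
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed sample portfolio (assumption): product -> [(asset, function, kill-chain phase)]
PORTFOLIO = {
    "Vuln scanner": [("Devices", "Identify", "Recon"), ("Applications", "Identify", "Recon")],
    "EDR": [("Devices", "Detect", "Exploit"), ("Devices", "Respond", "Execute")],
    "AV": [("Devices", "Protect", "Deliver"), ("Devices", "Detect", "Exploit")],
    "NGFW": [("Networks", "Protect", "Deliver")],
    "IDS": [("Networks", "Detect", "Control")],
    "SIEM": [("Networks", "Detect", "Control"), ("Devices", "Detect", "Exploit")],
    "Awareness training": [("Users", "Protect", "Deliver")],
    "Backups": [("Data", "Recover", "Execute")],
}


def coverage(portfolio):
    """Return {(asset, function): set(products)} for every cell of the 5x5 matrix."""
    cells = {cell: set() for cell in cartesian(ASSET_CLASSES, CSF_FUNCTIONS)}
    for name, tags in portfolio.items():
        for asset, func, _phase in tags:
            if (asset, func) not in cells:
                raise ValueError(f"{name}: unknown cell {(asset, func)}")
            cells[(asset, func)].add(name)
    return cells


def gaps(portfolio):
    """Cells with no product at all, in row-major (asset, function) order."""
    return [cell for cell, names in coverage(portfolio).items() if not names]


def overlaps(portfolio, threshold=2):
    """Cells covered by `threshold` or more products: candidates for consolidation."""
    return {cell: sorted(names)
            for cell, names in coverage(portfolio).items() if len(names) >= threshold}


def coverage_by_function(portfolio):
    """Fraction of asset classes covered for each CSF function (0.0 .. 1.0)."""
    cov = coverage(portfolio)
    return {f: sum(1 for a in ASSET_CLASSES if cov[(a, f)]) / len(ASSET_CLASSES)
            for f in CSF_FUNCTIONS}


def phase_view(portfolio):
    """CyberARM-style third dimension: kill-chain phase -> products touching it."""
    view = defaultdict(set)
    for name, tags in portfolio.items():
        for _asset, _func, phase in tags:
            view[phase].add(name)
    return {phase: sorted(names) for phase, names in view.items()}


if __name__ == "__main__":
    print("Gaps:", len(gaps(PORTFOLIO)), "of", len(ASSET_CLASSES) * len(CSF_FUNCTIONS), "cells")
    for cell, names in overlaps(PORTFOLIO).items():
        print("Overlap", cell, "->", names)
    for func, frac in coverage_by_function(PORTFOLIO).items():
        print(f"{func:9s} {frac:.0%} of asset classes covered")
    for phase, names in sorted(phase_view(PORTFOLIO).items()):
        print(f"{phase:9s} {names}")
```

On this sample the script reports 16 empty cells (Recover is covered only for Data, Respond only for Devices) and two overlapping cells, Devices/Detect with three products and Networks/Detect with two; the overlap list is where the "Products vs Platforms" replacement question on the later slide would start.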
CyberARM
Source: http://www.ccaa-nsf.org/cyber-defense-matrix.html
Gartner: All Frameworks Are Rewordings of the Same Stuff
Source: Gartner
Gartner: Security Posture Assessment
Source: Gartner
Gartner : Sample View for SaaS
Source: Gartner
Gartner: Five Styles of Advanced Threat Defense
Source: Gartner
US-CCU Cyber-Security Matrix
By U.S. Cyber Consequences Unit (US-CCU) - www.usccu.us
Can ALSO use the Matrix to Evaluate Defenses
• A method for assessing the collective effectiveness of accumulated defensive measures
• A way of comparing and evaluating defensive products and services
• A basis for quantifying Vulnerability in a way that can be utilized in a rigorous risk analysis
*Automation ~ IoT Devices
Other Approaches – Nigel Wilson
Source: https://nigesecurityguy.wordpress.com/
Using Threat Modeling
Threat Modeling
(Table: each column is an independent list of options; the columns have different lengths, so the rows are not linked to one another.)
Attacker | Tradecraft | Vulnerability | Action | Target | Result | Objective
Nation State - high motive; high capability | Advertise wrong BGP routes | Excessive/improper access | Spoof | Ports | Theft | Financial Gain
Nation State - high motive; low capability | Cable physically severed | User behavior | ReRoute | People | Data loss | Intellectual property
Nation State - low motive; low capability | DNS cache poisoning | Zero day | Copy | IP addresses | Control | Strategic advantage
Hacktivist - Anonymous | SYN floods (denial of service) | Privilege escalation | Read | Big data | Destroy | Mayhem
Hacktivist - Lawsuit | Data subpoenaed | User manipulation | Probe | Classified Information | Reputational damage | Bragging Rights
Traditional attention seeking hacker | Targeted phishing | Unpatched systems | Bypass | Customer data | Monetary loss | Damage economy
Opportunist | SQL Injection | Posting personal data | Flood | Contacts | Deny | Industrial espionage
Malicious insider | Cross-site scripting | Insecure application development | Deny | Keys | Shareholder action
Non-malicious insider (accident) | Password cracking | Known worm/virus | Identity Fraud | Credentials | Regulatory investigation
Malicious privileged user (administrator) | Malware | Masquerade
| Physical theft | Gain trust
| Physical attack (guns/bullets) | Infiltrate
| Social engineering
Source: Michael J. Lewis, Chevron
Current Control Set Versus a Threat
Source: Michael J. Lewis, Chevron
Putting it all together – Addressing the Threat
Maintain | Maintain & Improve | Implement
Patching, AV, Email Security | Awareness Training | Virtualized browser
Hardened build | Incident Response (Crisis Management) | Specialized threat detection / APT Sec
IPS (Intrusion Prevention System) | SIEM
Source: Michael J. Lewis, Chevron
Magnificent 7
• Encryption
• SIEM
• Vulnerability Management
• IDS/IPS
• AV
• Firewalls / NGFWs
• Monitoring (General)
Source: 451 Research
Other Recommended Solutions:
• Email Security Gateways
• Phishing Simulation & Awareness
• Web Security Gateways
• Application Security Testing
How Do we Make the Best use of Existing Investments?
1. Identify Control Overlaps – Which technologies protect the same thing with similar capabilities?
2. Integrations – Which products would benefit greatly from getting data from others?
3. Orchestration – Reduce analyst workloads by automating workflows
4. Replacement – Which products can replace multiple products and help us save time & cost? Products vs Platforms
5. Configuration Optimizations – Are we using the recommended settings?
6. Deployment Footprint – Can security tech in one area be extended to another? Can it be tweaked to do more than it does now? (e.g.: DLP)
7. People – Do we have enough trained people, and are they using the tools correctly?
Are we Securing the right things?
• Crown Jewels
• Users
• Data – PII, PHI, Financial, IP, Employee, Vendors etc.
• Employee Assets
• Cloud Infra – SaaS, PaaS, IaaS? (and email if applicable)
• Shadow IT
• Applications, Networks, Endpoints
• IoT
• Vendor Access to Systems / Networks / Data
Thank You!
Editor's Notes

  • #21 Source: https://pbs.twimg.com/media/C0jiwf9WgAA5pdX.jpg
  • #22 http://www.gartner.com/newsroom/id/2595015