How (and why) to visualize breaches with The Cyber Defense Matrix

by Sarah Hartland

This February, sixty security practitioners met in Dallas for the first annual Cyber Defense Matrix conference, an intimate day of workshops and talks focused on making the most of Sounil Yu’s popular framework. 

Adrian Sanabria, a practitioner with more than 20 years of experience and a repeat presenter at RSA, shared his use case for the Matrix: visualizing breaches and incidents.

He told the audience in Dallas, “This is a use case that occurred to me back when I started to do research on breaches. I wanted to understand why companies failed, why breaches happened, and I started collecting all this data. But it's kind of tough to zoom out to the big picture. So when I came across Sounil's Cyber Defense Matrix, I immediately knew the use case I wanted to use it for.”

Why conduct breach post-mortems?

“A failure is a terrible thing to waste,” was written across Adrian’s presentation slides. His stance on breach post-mortems is simple: the industry won’t provide them for you, but the learnings from thinking through reported breaches are critical for improving your own security controls. 

“If you look at other industries and how they handle failures generally, it's pretty common to have a public report of what happened so that others can learn from your mistakes and improve. Not so much the case in cybersecurity.” 

Instead, most breaches are reported in the media hours or days after the incident, with very little analysis of how they happened.

“These headlines tend to boil it down to something simple. Somebody didn't patch something, somebody got phished. But ultimately, the breaches are a lot more complex and … there's a ton to learn from diving into the details.”

Why visualize breaches?

Some teams may briefly talk through incidents and breaches reported in the news, but Adrian advocates for a more systematic, visual approach. The reasons are simple:

  • Visualizations make patterns visible.
  • Patterns answer questions or inspire new ones.
  • We can see things that are invisible when looking at raw data.

The Cyber Defense Matrix provides a simple framework any person or team can use to visualize breaches in the same way, in order to recognize patterns over time and prioritize controls that can prevent similar incidents from affecting their organization. 

How to visualize incidents and breaches with The Cyber Defense Matrix

  1. Using the information you’ve gathered about a breach (articles, threat intelligence reports, official post-incident reports, etc.), identify and list every control failure you notice. 
  2. Color code each failure: red for technology control failures, blue for people-oriented control failures, and green for process failures. 
  3. Map each failure to the Cyber Defense Matrix cell that best matches it. The matrix’s columns are the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover) and its rows are the five asset classes (Devices, Applications, Networks, Data, Users), so each failure lands on one function and one asset class. 
  4. Discuss with your peers. The mapping is a judgement call, so comparing notes, and looking at your own analysis across multiple breaches, is useful. 

Example 1: Code Spaces

The story of Code Spaces, a small, scrappy 2010s company of just five engineers, is a sad one, but it offers many useful lessons. Out of only 23 companies to ever be “killed by a breach,” Code Spaces is the only cloud-first organization on the list, says Adrian. So what went so horribly wrong? It’s easy to see when the failures are mapped onto The Cyber Defense Matrix.

In the Code Spaces breach, an attacker gained access to their AWS account and was DDoSing them while demanding a ransom. Code Spaces refused to pay, and when they tried to wrestle control back, the attacker deleted everything and wiped them out.

Adrian listed nine control failures in the Code Spaces breach:

  1. Root AWS account had full access/control
  2. Nothing segmented across IAM, AWS accounts, or VPCs
  3. Product and corporate/back office infrastructure all in one place
  4. Insufficient backups outside AWS to recover customer or business data
  5. Failed to detect the attacker gaining access to the environment
  6. Failed to detect the attacker creating additional IAM identities
  7. Skipped the containment step of incident response
  8. Attempted eradication before containment
  9. No Incident Response Plan

When color coded and mapped onto The Cyber Defense Matrix, the lesson becomes clear: process is itself a security control, and a poor one leaves you badly exposed.

[Figure: Example 1, Code Spaces failures mapped onto The Cyber Defense Matrix]
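The four-step procedure above, applied to the nine Code Spaces failures, as an added example in Python that is not from the article or from Adrian’s talk. It maps each failure to a matrix cell, tallies failures by type (the article’s red/blue/green code) and renders the grid. The matrix layout, five functions across and five asset classes down, is Sounil Yu’s; which cell and which type each Code Spaces failure is given here is this example’s own assumption, since the article does not reproduce Adrian’s mapping. The same harness takes the 30 Equifax failures from the next section unchanged.

```python
"""Map breach control failures onto the Cyber Defense Matrix and tally them.

Added example: the matrix layout is Sounil Yu's; the per-failure cell and type
assignments below are this example's assumptions, not Adrian Sanabria's.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSET_CLASSES = ("Devices", "Applications", "Networks", "Data", "Users")
# Colour code from the article: red = technology, blue = people, green = process.
FAILURE_TYPES = {"technology": "red", "people": "blue", "process": "green"}


@dataclass(frozen=True)
class Failure:
    description: str
    failure_type: str  # "technology", "people" or "process"
    function: str      # column of the matrix
    asset_class: str   # row of the matrix

    def __post_init__(self):
        # Reject anything that does not land on a real cell, so a typo in the
        # analysis does not silently vanish from the picture.
        if self.failure_type not in FAILURE_TYPES:
            raise ValueError(f"unknown failure type: {self.failure_type!r}")
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown function: {self.function!r}")
        if self.asset_class not in ASSET_CLASSES:
            raise ValueError(f"unknown asset class: {self.asset_class!r}")


# Constructed input: the nine Code Spaces failures listed in the article.
# The type and cell given to each one are assumptions made for this example.
CODE_SPACES = [
    Failure("Root AWS account had full access/control", "technology", "Protect", "Users"),
    Failure("Nothing segmented across IAM, AWS accounts, or VPCs", "technology", "Protect", "Networks"),
    Failure("Product and corporate infrastructure all in one place", "technology", "Protect", "Networks"),
    Failure("Insufficient backups outside AWS", "technology", "Recover", "Data"),
    Failure("Failed to detect attacker gaining access", "technology", "Detect", "Users"),
    Failure("Failed to detect creation of additional IAM identities", "technology", "Detect", "Users"),
    Failure("Skipped the containment step of incident response", "process", "Respond", "Applications"),
    Failure("Attempted eradication before containment", "process", "Respond", "Applications"),
    Failure("No incident response plan", "process", "Respond", "Users"),
]


def build_matrix(failures):
    """Group failures by (function, asset_class) cell; empty cells are absent."""
    cells = defaultdict(list)
    for f in failures:
        cells[(f.function, f.asset_class)].append(f)
    return dict(cells)


def tally_by_type(failures):
    """How many red, blue and green failures the post-mortem found."""
    return Counter(f.failure_type for f in failures)


def tally_by_function(failures):
    return Counter(f.function for f in failures)


def columns_ranked(failures):
    """Columns ordered by failure count, ties kept in matrix order."""
    counts = tally_by_function(failures)
    return sorted(((fn, counts[fn]) for fn in FUNCTIONS), key=lambda x: -x[1])


def render(failures, width=14):
    """ASCII grid: each cell shows counts per type, e.g. '2T' or '1Pr'."""
    cells = build_matrix(failures)
    abbrev = {"technology": "T", "people": "Pe", "process": "Pr"}
    lines = ["".ljust(width) + "".join(fn.ljust(width) for fn in FUNCTIONS)]
    for asset in ASSET_CLASSES:
        row = [asset.ljust(width)]
        for fn in FUNCTIONS:
            counts = Counter(f.failure_type for f in cells.get((fn, asset), []))
            text = " ".join(f"{n}{abbrev[t]}" for t, n in sorted(counts.items())) or "."
            row.append(text.ljust(width))
        lines.append("".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CODE_SPACES))
    print()
    by_type = tally_by_type(CODE_SPACES)
    for ftype, colour in FAILURE_TYPES.items():
        print(f"{ftype:<10} ({colour}): {by_type[ftype]}")
    print("columns ranked:", columns_ranked(CODE_SPACES))
```

Replacing `CODE_SPACES` with a second list (the Equifax failures, or one of your own incidents) and diffing the two grids is the "recognize patterns over time" step; a column that stays hot across several breaches is the one to budget for.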

Example 2: Equifax

A post-mortem on a large breach like the infamous 2017 Equifax breach is easier but lengthier, given how much more information is released to the public. Adrian identified 30 failed controls in this breach, and visually represented the size of their impact in his Matrix post-mortem.

  1. No asset inventory 
  2. No software inventory 
  3. No file integrity monitoring
  4. No network segmentation
  5. Neglected SSL Visibility (SSLV) appliance
  6. Neglected SSLV failed open 
  7. SSLV lacked certs for key systems
  8. SAST failed to find Struts due to user error
  9. No anomaly detection on web servers
  10. Custom Snort rule didn’t work
  11. Custom Snort rule wasn’t tested
  12. Network scanner didn’t find Struts
  13. Failed to detect webshells
  14. Failed to detect interactive activity
  15. Admins stored cleartext creds in open shares
  16. Least privilege principles not followed for database access
  17. Ad Hoc DB queries not restricted
  18. No DB anomaly monitoring
  19. No field-level encryption in DBs
  20. No data exfiltration detection 
  21. DAST scanning failed to detect vulns
  22. Ineffective IR plan/procedures
  23. No owners assigned to apps or DBs
  24. Comms issues due to corp structure
  25. Lack of accountability processes
  26. No followup on patching status/results
  27. Old audit findings were not addressed
  28. Insecure NFS configs
  29. Logs retained for less than 30 days
  30. Nonexistent or ineffective IR testing

[Figure: Example 2, Equifax failures mapped onto The Cyber Defense Matrix]

Watch Adrian Sanabria’s full Cyber Defense Matrix Conference talk 

About The Cyber Defense Matrix book and conference

Created by Sounil Yu, former Chief Security Scientist at Bank of America and current CISO and Head of Research at JupiterOne, the Cyber Defense Matrix brings order and organization to the cybersecurity landscape.

Simple in form, easy to grasp, and highly versatile, the matrix is already helping organizations from the Fortune 500 to top government agencies strengthen protection against rising cybersecurity threats.

In 2023, the first annual Cyber Defense Matrix conference was hosted in Dallas, TX. Download a copy of the book from JupiterOne, and stay up to date on future conferences and workshops. 

Sarah Hartland

Sarah is the Director of Demand Generation at JupiterOne. She has been a content creator and curator since 2012, with experience in the media, adtech, and cybersecurity industries. Sarah is passionate about making technical concepts accessible for all.
