Security has never been more complex than it is now. At the same time, it will never be this simple again.
When we sit down to analyze our security posture, the controls we have in place, our procedures and processes, vulnerabilities, threats, and many, many other factors, where do we start? How do we know if we’re seeing everything? What exactly is this notion of navigating security and how do we go about doing that?
Like many of us, Sounil Yu, CISO and Head of Research at JupiterOne, had these same questions. Shortly after, circa 2014, the Cyber Defense Matrix was born. Last month, JupiterOne sponsored the inaugural Cyber Defense Matrix conference – here’s what we learned.
Navigating the Cyber Defense Matrix
The Cyber Defense Matrix is built on the NIST Cybersecurity Framework and maps:
- The five asset classes: devices, applications, networks, data, users
- The five operational functions: identify, protect, detect, respond, recover
- The degree of dependency on people, technology, and process.
From left to right, the identify and protect columns speak to structural awareness. Situational awareness takes over in the detect, respond, and recover columns.
As we move from left to right, the degree of dependency on technology is inversely related to the degree of dependency on people. Our dependency on process, however, remains constant throughout all five functions. This continuum helps us pinpoint where we rely on which resources.
The Cyber Defense Matrix is like an onion
While this Matrix is broad in what it covers, it only covers the assets owned and controlled by the enterprise. Rather than creating additional rows and columns to accommodate the complexity of what we do in cybersecurity, Sounil added ‘layers’ to illustrate further intricacies.
For example, IP addresses might sit in the Identify/Network cell. But are we identifying our own IP addresses or the threat actor’s IP addresses? These layers can extend to third-party or vendor assets, customer assets, threat actor assets, and more.
Organization: The first step to communicating risk
At its core, the Cyber Defense Matrix is about organization. It’s a way to standardize your security data so that all relevant parties can look at and analyze the same information together, in a form that is useful to each of them.
“All models are wrong, but some are useful.” – George Box
The Cyber Defense Matrix can be adapted to a variety of use cases, but Sounil states that understanding the distinctions of your audience, the words they use, and the functions they care about is crucial. Some of the use cases Sounil identifies in the Cyber Defense Matrix book include:
- Mapping security technologies & categories
- Security measurements and metrics
- Developing a technological roadmap for security programs
- Understanding security handoffs between teams
- Investigating and rationalizing new technologies
For example, although a globe can help us understand the scale of the world we live in and its geography, it isn’t the right tool to use when you’re lost in a building and searching for a specific room. Similarly, how we communicate risk at a strategic, high level is vastly different from how we communicate risk at an operational level. The translation layer is critical.
Let’s face it – cybersecurity gaps exist
The reality of today’s security landscape is that there are gaps everywhere – in your tech stack, in your compliance controls, and in your security team’s skill sets. The Cyber Defense Matrix can help you map your gaps for each operational function and asset class; the degree to which each cell is filled, however, depends on your organization’s size and maturity.
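As an added example (not from this post, and not JupiterOne’s or Sounil’s tooling), the 5×5 grid, its layers, and the people/technology continuum can be modelled so that an inventory of controls is mapped onto cells and the empty cells reported per layer. The control names, the layer names, and the people/technology weights below are constructed for illustration only.

```python
# Added example (not from the original post or JupiterOne): a small model of the
# Cyber Defense Matrix used to find empty cells in an inventory of controls.
from collections import defaultdict

ASSET_CLASSES = ["devices", "applications", "networks", "data", "users"]
FUNCTIONS = ["identify", "protect", "detect", "respond", "recover"]

def dependency_profile(function):
    """Rough people/technology weighting for a column, following the post's
    continuum: technology dominates on the left, people on the right, process
    stays constant. The weights are illustrative assumptions, not from the book."""
    i = FUNCTIONS.index(function)
    tech = 1.0 - i / (len(FUNCTIONS) - 1)
    return {"technology": round(tech, 2), "people": round(1 - tech, 2), "process": 1.0}

def build_matrix(controls):
    """Map each control onto its (function, asset class) cell, grouped by layer.
    An unknown function or asset class is rejected so a typo cannot hide a gap."""
    matrix = defaultdict(lambda: defaultdict(list))
    for c in controls:
        if c["function"] not in FUNCTIONS or c["asset"] not in ASSET_CLASSES:
            raise ValueError(f"control {c['name']!r} has an unmapped cell")
        matrix[c.get("layer", "enterprise")][(c["function"], c["asset"])].append(c["name"])
    return matrix

def gaps(matrix, layer="enterprise"):
    """Return the cells in one layer that no control covers."""
    covered = matrix.get(layer, {})
    return [(f, a) for f in FUNCTIONS for a in ASSET_CLASSES if not covered.get((f, a))]

# Constructed sample inventory; the names and the "threat actor" layer are illustrative.
CONTROLS = [
    {"name": "asset inventory", "function": "identify", "asset": "devices"},
    {"name": "SBOM scanning", "function": "identify", "asset": "applications"},
    {"name": "EDR", "function": "detect", "asset": "devices"},
    {"name": "EDR", "function": "respond", "asset": "devices"},
    {"name": "DLP", "function": "protect", "asset": "data"},
    {"name": "threat intel feed", "function": "identify", "asset": "networks", "layer": "threat actor"},
]

if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    for cell in gaps(m):  # enterprise layer: Identify/Network is still a gap
        print("gap:", cell)
```

Note that the Identify/Network cell is covered only in the "threat actor" layer, so it still shows as a gap for the enterprise’s own assets, which is exactly the distinction the layers are meant to surface.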
The Cyber Defense Matrix can be adapted for a variety of audiences from practitioners to investors, and can help organize information in a consumable, actionable way. It can stretch to inform and identify gaps in multiple areas of your security program – including measurements and metrics, resource allocation, tech investment roadmaps, business constraints, and organizational handoffs.
To learn more about the Cyber Defense Matrix, check out Sounil’s eBook here.