The Cyber Defense Matrix
Published 02/11/2022
This blog was originally published by JupiterOne here.
Written by Sounil Yu, CISO & Head of Research, JupiterOne.
In a world where cybersecurity threats evolve and proliferate at dizzying speed, a confusing and disordered cybersecurity landscape makes it all too difficult to ensure that our assets are defended from harm. The Cyber Defense Matrix is my attempt to organize the many activities that we perform within this landscape into a clear, coherent, and comprehensive scheme to guide the work of security professionals, solution providers, investors, and others in the field.
Over the years, I’ve discussed the Cyber Defense Matrix with hundreds of workshop attendees at RSA, brainstormed on its use cases with colleagues, advised organizations from the Fortune 500 to top government agencies on its usage, and continued to iterate on its nuances. However, these types of conversations do not scale well and demand more and more of my time.
To enable greater scale in sharing the lessons that I’ve learned in using the Cyber Defense Matrix, I’m excited to announce the availability of the Cyber Defense Matrix in book form.
The book is available as a complimentary download from JupiterOne. Join me in upcoming discussions on the book on the next episode of Cyber Therapy on Tues., Feb. 15, and a JupiterOne webinar on Wed., Feb. 23. I’ll also sign copies at this year’s RSA Conference, where I’ll elaborate on new use cases in my sessions, Cyber Defense Matrix: Revolutions and Cyber Defense Matrix Learning Lab. I hope you’ll join me there!
The road to the Cyber Defense Matrix
The Cyber Defense Matrix has been evolving over many years of thought, discussion, and practical application in my work as a cybersecurity professional. Its genesis was a desperate need I faced as the Chief Security Scientist at Bank of America.
Chartered to define the company’s long-term security technology strategy, I met with hundreds of cybersecurity startups to determine what capabilities they offered and how they might fit into our portfolio. I found the world highly confusing to say the least. Each vendor had its own way of talking about the space, its own jargon and marketecture, making hard to understand what each one actually did, how they related to each other, and how these solutions matched up with the needs we had. I needed to create a common framework encompassing the full spectrum of requirements across our environment, with a consistent way to define and map each solution into this structure.
Simple in form, easy to grasp and memorize, the Cyber Defense Matrix is also rich in angles and viewpoints to deepen one’s understanding of the cybersecurity landscape. The matrix plots the five distinct functions of the NIST Cybersecurity Framework (IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER) against the five classes of assets in need of defense (DEVICES, NETWORKS, APPLICATIONS, DATA, and USERS) to provide a high-level overview of the entire cybersecurity environment. There’s nothing terribly novel about these two dimensions, but by cross-mapping them, we can extend this familiarity in new ways to bring insight to a space that badly needed it.
This two-dimensional view reveals patterns and sequences that make gaps easier to perceive. For example, if we’re maintaining an inventory (a subfunction of the IDENTIFY function) across devices, applications, networks, and users, the Cyber Defense Matrix will immediately highlight the fact that we’re not doing so for data. Why not? Should we be? Is there a solution to do so?
The Cyber Defense Matrix also includes a gradient of dependencies on technology and on people across specific functions. On the left side of the scale, we find functions better executed by technology, such as an inventory that can be completed more quickly, completely, and accurately by automation than by a staffer with a clipboard. On the right side, we find areas where human expertise becomes more critical, such as an understanding of the psychology and motivations of insider threats, or the intricacies of response and recovery operations. This gradient can help us think about whether we’re relying too much on one or the other for a given function—a common factor in processes where outcomes aren’t living up to expectations.
Putting the Cyber Defense Matrix to work for cybersecurity professionals, investors, and vendors
While the Cyber Defense Matrix has proved highly useful for mapping security vendors, this is only one of many use cases where it offers value. For cybersecurity professionals, the matrix can help identify gaps in security controls, prioritize investments, develop a roadmap, understand organizational responsibilities and handoffs, and inform conversations with executive leadership. For solution providers, it can highlight promising areas for new product development. For investors, it offers a way to discover problems that have yet to be addressed through a commercial product, and to understand a prospective company’s market opportunity and potential—a use case I myself have embraced in my work as the CISO-in-Residence at YL Ventures.
Imagine going through life always knowing exactly where to put things—which pocket or shelf or drawer is the right place for each item you come across. As a hopelessly untidy person that would mortify Marie Kondo, this kind of organized mindset has always eluded me in mundane personal matters, but the Cyber Defense Matrix has brought exactly this kind of order to my work in cybersecurity. And there’s no end to the ways this mental model can be applied. It’s not just about organizing vendors—it’s achieving a new understanding of how different elements of the entire cybersecurity ecosystem fit together, helping us explore and navigate a space that had typically been so challenging to comprehend.
One of my favorite things about the Cyber Defense Matrix is its living, breathing nature. While its structure remains constant, new use cases continue to emerge as people find novel ways to leverage it. Over the past few years, I’ve invited other practitioners to join me at my sessions at RSA to present their own experiences and use cases with the matrix, and I always come away newly inspired and eager to discover the next hidden gem within the Cyber Defense Matrix. If you discover a new use case, I would love to hear from you!
Download a complimentary copy of the book from JupiterOne.
Related Articles:
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024
9 Tips to Simplify and Improve Unstructured Data Security
Published: 11/18/2024