As the former chief security scientist at Bank of America, Sounil Yu was in charge of vetting and recommending new cybersecurity technologies for adoption but constantly found himself drowning in a sea of vendor offerings and market confusion. "I was staring at this mess of buzzwords that don't really make any sense and trying to decipher what we actually needed," he said.
Yu -- now CISO and head of research at JupiterOne and a fellow at the National Security Institute -- wanted a systematic way to determine what problem a given product solves and where it would fall within Bank of America's broader security strategy. So, in 2015, he developed the Cyber Defense Matrix, a framework to help beleaguered security leaders sort through the plethora of technologies vying for their attention in a chaotic market landscape. According to Yu, hundreds of major organizations around the world use the matrix to map products and services to their security programs, inform their purchasing decisions and create technology roadmaps, as well as identify strategic imbalances in how they budget and allocate resources in their security programs.
What is the Cyber Defense Matrix?
On its x-axis, the Cyber Defense Matrix captures the NIST Cybersecurity Framework's five operational functions: identify, protect, detect, respond and recover. On the y-axis, it shows the five classes of assets an enterprise can secure: users, data, networks, applications and devices. Security awareness training, for example, would sit at the intersection of users and protect, while cloud backup would be at data and recover. The construct aims to contextualize new tools and technologies within an organization's existing security portfolio, illustrating how they might -- or might not -- add value.
"It made it easier for me to turn 'buzzword soup' into something a lot more coherent. I could organize information, put it in the right buckets and then make decisions," Yu said.
Beneath the Cyber Defense Matrix's five-by-five grid, a horizontal continuum illustrates how people, process and technology requirements change depending on the NIST function. On the left side of the matrix, for example, identification and protection rely heavily on technology, while detection depends equally on technology and people. Recovery, on the far right, is difficult to automate and requires a high degree of human intervention. Process, meanwhile, remains equally important across all functions.
How does the Cyber Defense Matrix work?
To explain how the Cyber Defense Matrix works in practice, Yu used an extended food analogy: Today's crowded, confusing cybersecurity market is like a grocery store with all its items piled in a big, disorganized heap on the floor. Product labels use inconsistent and even misleading terminology and jargon, leaving customers confused about what they need and how to find it, he said.
To use the Cyber Defense Matrix, an organization should first identify what it already has in its "pantry," or current environment, and map those resources onto the grid. At this point, the matrix will likely look like a bingo card, with some grid squares occupied by existing products, projects and people, and others empty, highlighting security program gaps.
The company should then consider its attack surfaces, threat environment and risk appetite, all of which inform its unique "nutritional needs," as well as its business and technical constraints, or "dietary restrictions." Imagine someone who aims to consume more plant-based protein, for example, but also has a severe nut allergy -- that person would be ill-advised to start eating almonds, despite their nutritional goals. Similarly, Yu said a CISO in a high-speed trading environment needs to mitigate risk but can't do so at the cost of fast connectivity. "If I introduce latency through security controls, then I might as well close shop because I won't be able to make any money," he said, adding that he would capture that constraint by mapping it onto the relevant area of the matrix.
Another enterprise -- for example, one with few technical constraints and the ability to deploy almost any security control without undermining business goals -- might aim for "blackout bingo," with mechanisms in place across each of the 25 matrix squares. If a company has a higher tolerance for risk, on the other hand, executives could decide to strategically limit security spending and leave some areas of the grid empty.
"We just want to be able to understand our tradeoffs and reassess our assumptions," Yu said. "Then, it becomes a business discussion: Are we willing to suffer a certain amount of loss from a security incident relative to the loss we'll face if we implement a certain set of security controls?" In this way, the matrix also helps organizations align security with business objectives.
Yu added that a typical enterprise's needs and constraints vary from department to department. By applying the Cyber Defense Matrix to individual business units, large organizations can coherently capture internal differences to tailor security strategies to lines of business and identify which controls make sense companywide.
"It's like a restaurant that must serve vegans, celiacs, vegetarians, omnivores and other people with different dietary needs and tastes," Yu said. "It's not one size fits all."
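The mapping exercise described above, sketched as an added example (not code from Yu or from the article): each business unit's inventory is placed on the five-by-five grid, empty squares are split into open gaps and squares blocked by a business constraint, and controls present in every unit are listed as companywide candidates. The unit names, the two network controls and the cell chosen for the latency constraint are constructed assumptions; only the placements of security awareness training and cloud backup come from the article.

```python
FUNCTIONS = ["identify", "protect", "detect", "respond", "recover"]   # x-axis
ASSETS = ["users", "data", "networks", "applications", "devices"]     # y-axis

def build_matrix(inventory):
    """Map (control, asset, function) entries onto the 5x5 grid."""
    grid = {(a, f): [] for a in ASSETS for f in FUNCTIONS}
    for control, asset, function in inventory:
        if (asset, function) not in grid:
            raise ValueError(f"{control!r}: no such cell {asset}/{function}")
        grid[(asset, function)].append(control)
    return grid

def assess(inventory, constraints=None):
    """Split empty cells into open gaps and cells blocked by a constraint."""
    constraints = constraints or {}
    grid = build_matrix(inventory)
    empty = [cell for cell, controls in grid.items() if not controls]
    return {
        "covered": len(grid) - len(empty),
        "gaps": [c for c in empty if c not in constraints],
        "constrained": {c: constraints[c] for c in empty if c in constraints},
    }

def companywide(unit_inventories):
    """Controls mapped to the same cell in every business unit."""
    sets = [set(inv) for inv in unit_inventories.values()]
    return sorted(set.intersection(*sets)) if sets else []

def render(grid):
    """Bingo-card view: number of controls per cell, '.' for an empty cell."""
    rows = [" " * 13 + " ".join(f"{f:>8}" for f in FUNCTIONS)]
    for a in ASSETS:
        cells = (len(grid[(a, f)]) or "." for f in FUNCTIONS)
        rows.append(f"{a:<13}" + " ".join(f"{str(c):>8}" for c in cells))
    return "\n".join(rows)

# Constructed sample data; only the two SHARED placements are from the article.
SHARED = [("security awareness training", "users", "protect"),
          ("cloud backup", "data", "recover")]
UNITS = {
    "retail": SHARED + [("inline traffic inspection", "networks", "protect")],
    "trading": SHARED + [("passive network monitoring", "networks", "detect")],
}
# Assumed cell for the trading unit's latency constraint.
TRADING_CONSTRAINTS = {("networks", "protect"): "no added latency"}

if __name__ == "__main__":
    print(render(build_matrix(UNITS["trading"])))
    print(assess(UNITS["trading"], TRADING_CONSTRAINTS))
    print(companywide(UNITS))
```

An empty square that carries a constraint is reported separately from an open gap, so a deliberate tradeoff is not mistaken for an oversight when the grid is reviewed.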
What are the Cyber Defense Matrix use cases?
According to Yu, the Cyber Defense Matrix's use cases have continued to emerge and evolve since he first developed the framework to vet cybersecurity vendor offerings. These include the following:
- aligning security initiatives with business objectives;
- allocating resources;
- assessing new technology, such as zero trust;
- assessing security portfolio gaps;
- capturing business constraints;
- creating cybersecurity roadmaps;
- measuring ROI;
- understanding internal responsibilities and handoffs;
- understanding why some available tools don't get used internally; and
- visualizing attack surfaces.
Yu will lead an interactive learning lab session at RSA Conference on Tuesday, May 18, 2021, in which participants can learn more about the Cyber Defense Matrix, explore existing and emerging use cases, and discuss how to apply the framework to their organizations.