
Welcome everybody. Uh my name is Steve Dyson. I'll introduce myself here in a minute. Um but the talk that we're going to have today is around the Cyber Defense Matrix and how it can help with uh compliance readiness. And as we were discussing a little bit before, kind of the pain point especially on more of the security team, the defensive side of you know, great, cool, we're compliant, but what does that actually mean for me?
Uh who am I? Uh my name is Steve Dyson. I'm a cybersecurity director at Echelon Risk and Cyber. I work in our risk advisory practice. Uh been in uh true cybersecurity now for a little over 11 years. Uh started out in the incident response side of the house as an IR consultant. Built out the security operations team for a mid-size regional healthcare system in the Philadelphia area. Uh prior to joining Echelon Risk and Cyber, I was with Palo Alto Networks Unit 42 for a little over 4 years. Uh and prior to coming into cyber, I worked in law enforcement and uh the military. Um big kind of where I have a passion especially when we're talking
compliance. Uh graduated law school uh 2 years ago. Um really just wanted to be more effective with communicating with lawyers especially in the consulting space. Um and again kind of bridge that gap between, you know, the true urgency on the defensive side with the more of the compliance, the checkbox side, and the uh kind of shielding of of incident response uh within the the lawyering. So, what are what are the problems that we're really trying to talk about today? Um too many tools, not enough clarity. Um many cyber security programs uh have 50, 100, 200 different tools, uh different security controls. And there isn't really a good understanding of how they actually integrate together and how
they actually build a a integrated full defense. Uh you know, often times there's pressure from leadership. Um Shawn Thomas had a great talk yesterday uh afternoon and you know, one of the questions was around metrics. Metrics are great. Metrics are a great way of communicating things, but what matter to the defender doesn't necessarily matter to leadership and vice versa. And it's really hard to bridge that gap of what actually matters to the other. Uh often times as well on the leadership side, the the problem of I didn't have any incidents this month or I had minimal alerts. They see that as why am I spending money on this? We see it as things are working well. A good security
program is going to result in a lot of zeros. That's a good thing. That's not a bad thing. That means that the spend is working. But on the leadership side, they see a bunch of zeros and they think, well, why am I paying for this or why am I paying you? Uh what we're going to talk about here today is is hopefully going to help kind of bridge that gap as well. Uh tool sprawl uh usually results in a lot of redundancy, um a lot of things looking at the same either asset class, uh same type of information or reporting on the same things. And you know, occasionally you can have conflicting information from those as well.
Um so, you know, the CDM here isn't necessarily just about visibility into what are my defenses look like and where are their gaps. It can also be, hey, I have 20 things that are looking at this exact same thing. Do I really need all 20 things? Um and then finally, regulatory pressure. Um you know, there's been a number of new regulations, a number of new frameworks over the last you know, five plus years. And interestingly, a lot of them are actually putting more pressure on the defenses, which is a good thing. It means that, you know, people are listening that, you know, regulations are actually putting in things into uh stuff that matters, not just trying to
get away from kind of the check marks exercise. But it also puts a lot of pressure into the answers. Um Um, you know, how are we actually doing this? What are we doing with this? How are we making sure that it isn't just a check marks exercise? So, to that end, um, we run into the compliance trap. So, um, over the last two-ish years, uh, 83% of breached organizations were complying at the time of breach. Uh, you know, what does that mean? Well, compliance doesn't necessarily mean I have good defenses or I'm going to be resilient in the face of a breach or I'm you know, nothing bad is going to happen. Some of that is just the inevitability
of breaches are going to happen, attacks are going to happen, things are like bad things are going to happen. There is no truly pure defense. But, the other side of the coin is just because I passed that audit or just because I say I'm compliant doesn't mean that I'm going to be resilient. Big box there. Uh, zero compliance certifications prevent breach. So, again, just because I have a SOC 2, just because I passed ISO 27001, just because I have any of the other litany of either frameworks compliance, uh, standards, again, doesn't mean that I'm actually going to prevent anything bad from happening. I need to have the strong underlying defenses. So, you know, really, if you think about
compliance, compliance is more of a backward-looking exercise. So, over the last year, over the last X amount of time, this is how compliant I am. This is how I complied with either uh, the requirements or the controls of the associated framework, um, or regulation. Uh, security is more forward-looking. How are we preparing for what comes next? I'm more worried about next week than I am about last week. Um, so, with that in mind, um, who here is familiar with the cyber defense matrix? Couple hands, awesome. You guys are ahead of the game. Uh, so, what is the cyber defense matrix? Uh, Suno Yu uh, created the original CDM back in 2014. Um, it is a powerful tool for
understanding your defenses and building a better path towards cyber security maturity. Um, if you think about it as a matrix here, the top are going to be functional areas. Um, so really, you know, the different stages of either, you know, detection, life cycle, whatever you want to call it. The original CDM aligned to NIST CSF 1.0. Um, so we have identify, protect, detect, respond, and recover. And then the rows are asset classes. So, what am I actually looking at? What are the things that I'm looking at? Um, we'll get into a little bit more in uh, later in the the presentation, but the asset classes are also flexible. So, you can shift them, you can change the
terminology to really align to your organization or the priority, or if we're talking a specific compliance framework, what is the urgency in that compliance framework? You know, what are the assets that really fall into that? Terminology here, you know, we say assets often times assets means something a little bit different to, depending on who you're talking to. Really, when we're talking about asset classes here, you can think about it as types of things that we're protecting. Most programs focus on the first two, endpoint and networks. Often times there's a little bit of a trade-off for the others. Um, you know, some programs are more robust and have better coverage, some are not. Um, but again, if you just think about it as
it's the multi-layered approach to all the different things that are important to my organization. The exercise that you then do for the CDM is the cross mapping. So, for this function and this asset class, what do I have in place from a security control or tool perspective to actually protect this? Um, an area where often times people lack are they're not true with what's the maturity of this thing. Like, just because I have a tool doesn't mean that it's working well. Um, you know, often times with the technology question, it's technology is up here and everything else is down over here. As As as I have the technology, it's robust. Not looking at is there anybody looking
at it? Is it tuned? Can I actually see what's going on? Do I have alerting? Is anybody actioning those alerts? Do they sit there for a month? You know, that's not an effective tool. Um so again, you know, when you're filling out the CDM, you need to be true with yourself and you need to be true with the capability of the control that you're looking at. Um you know, again, you'll see governance is missing. Um so the govern function from the CSF 2.0. We'll touch on that here in a little bit, but you know, govern is important and govern doesn't just simply mean being papered to death here. It's really, you know, if I have a tool, is there a person? Is
there a process? Is there a way of using this either with the rest of my program um or even independently by itself to actually get something out of it. Um again, a tool that's there, um you know, we kind of live in a a field now where the technology people are, "Hey, you have this, you are forever protected." Or my favorite uh when I was with Palo Alto Networks was, "Hey, if you use XIM, you're going to be SEC compliant." Fantastic. The SEC doesn't require you to have a SIM. It requires you to understand what's happening. Uh you know, do your breach notification, you know, again, take action, but it doesn't require you to have a SIM. So how is
your SIM making you SEC compliant? It's not. So, you know, often times we're you know, we're hearing all this fluff, but leadership is getting it even worse. And all they're hearing is all you need is this tool and all of your compliance problems are out the window. You know, that's not true. Um and again, a CDM is a really good way of showing them, "Great. Cool, you have this tool. It satisfies this cell. It satisfies this cell. We're missing all of this." So, the CDM and compliance itself, um you know, what are some compliance problems? Uh life in balance or I'm sorry, life cycle in balance. Uh security budgets are often focused more on identify and protect. Um
and it and again, that's not necessarily a bad thing. The earlier you can catch something, the earlier you can identify, the less I have to worry about the other functions. But, you can't also just ignore those other functions because hey, I'm going to identify it quickly or I'm protected. You know, I did it doesn't matter if I can't detect it. You need to have a well-balanced program. Um it's always going to shy kind of one way or the other. And I would say if you're going to shy one way or the other, shy more towards the left towards identifying protect. Um but, you know, again, you want that full coverage. Uh oftentimes for most programs, 70 to
80% of the spend actually goes into identify and protect. Um and oftentimes there as well, that's that spend is focused more on network and endpoint, you know, kind of ignoring the other asset classes. Uh paper controls, the audit uh artifact problem. Uh controls are designed to satisfy auditors. So, my program is set up that I pass the audit or you know, I have the evidence that I need to pass the audit. I don't really care if it's working. I don't care if I have continuous monitoring. I don't care if it's going to work next week. Right now, I have what is needed to pass that audit. Um and it's kind of hell or high water, I'm
passing that audit. Um you know, the CDM works to operationalize that compliance. So, um you know, you can't just point to a tool or a process or a team that fills the cell. It's it's robust. It's meant to be full. Um as well as you're you're as you're do it truthfully, you're going to see some cells that are empty. And and those are really the ones that hey, does this actually matter to my organization? Do I actually need to have something here? Or is that okay? Um you know, you don't have to fill in every cell and not every cell needs to be the most mature. Um but again, you need to make sure that you
have that answer of is this actually important to the organization? Is this going to cause a problem by by the gap being there? And then finally, the the main value proposition here for, you know, using the CDM hand in hand with compliance is uh you know, the compliance is a checklist. The CDM here is meant to be a coverage map. So, by joining those together, I I'm doing both. I'm passing that audit, but I'm also seeing my my compliance across the board. Like, I'm seeing it as an effective cybersecurity program. So, this is of the frameworks that we're going to discuss here in a second, this is really the synthesis of all of them combined. So, kind of the average that
you see based on the requirements of the frameworks. And you'll see right side, a lot of red and a lot of yellow. So, with respond and recover, most of the frameworks don't have robust coverage there. They might have, "Hey, you need a DRP. You need to have an incident response plan." You know, it's very basic. You know, if you think of NIST CSF, it really kind of trails off with respond and recover. You know, there's controls there, there's subcategories, but they're not the most robust and they're kind of basic. You know, do I communicate if there's an incident? Do I have roles and responsibilities defined? All those are well and good, but like what all can go into that from a a
security control and technology perspective? Um, you know, oftentimes it's just kind of these are people problems. I have a plan, I have people, that's all I need. Um, or they're farmed out to a third party. Um, which again is fine, but how am I answering what our program can do or what our organization can do to actually answer these? Um, so again, you know, you kind of see that trail off and you also see a trail off as you move down with the asset classes. So, specifically around detect, where oftentimes there's robust detections for endpoint and uh, I would say users are kind of hit or miss depending on the program, but usually network and endpoint, we got a
lot of robust controls, a lot of visibility, and then we kind of trail off as we go into the other asset classes. So, the crosswalking the frameworks itself. And and really don't think about this as how how the CDM is going to make me compliant, think about this as, "Hey, we want compliance in this. How is the CDM, especially for the boots on the ground, the people that are doing the work, how is this going to make me sleep better the the that we say that we're compliant?" Um, you know, again, for most, you know, when I was in SecOps, a lot of time, okay, cool. Like, I worked in healthcare. Great, we're HIPAA. Yay.
Like, what does that actually mean for me? Um, you know, how is this going to make life any better? Or like, just because we have that, does it actually work? The CDM is answering that. So, this is really more of the assurance on on your side, hey, the program is working, as well as that answer and the ability to go to leadership and say, hey, like, you say we're compliant, we passed the audit, that's all well and good, but we have this glaring gap. Like, we do need more spend. We do need more uh, value in this area. So, with that in mind, mapping to NIST CSF [snorts] uh, 2.0, first glaring gap with the the current CDM, govern. Govern
isn't there. Um, so, you know, that is an area if you're looking to align to NIST CSF 2.0, make sure that you're including govern in that that consideration. Uh, govern, you can really think of as overarching across the other five functions. Um, so, it may you can make it a stand-alone column, or you can make it just kind of as the overarching column, um, uh, across all of the the other five. Um, you know, generally speaking, the the govern function is also looking to shift the accountability up to the board level. So, governance across the entire organization. Um, really taking ownership up to that that leadership position. And again, the CDM can help clarify to them, hey, this is what we
currently have, this is what we're actually doing, versus again, just the results of an audit. Um, you know, when you when you think about this as well, is um, you know, the NIST CSF 2.0 is typically going to be your starting point. So, most organizations, this isn't the sole uh, either framework or regulation or compliance function that they're looking to to map to. This is just a good way of either translating that from a control perspective, um, or again, just as a starting point of, hey, I want to get a base CDM built, this is a really good starting point. Other ones that commonly come into play, especially from a starting point, ISO 27001 and the CIS controls. Uh for ISO
27001, uh typically here we're going to be thinking Annex A. Uh Annex A has uh 93 controls. So, you know, again, if we're talking from a function perspective here, we got a lot of controls and they pretty much all fall into identify and protect. So, you know, again, great. ISO 27001, my left side of my CDM is packed full, my right side is a little lacking at this point from a visibility standpoint. So, again, just making sure that you're getting that that full visibility. Um CIS controls are somewhat dependent on which implementation group you're talking about. So, if we're talking IG1, we're again focused on identify and protect. As we introduce IG2 and IG3, we're starting to fill that out a little
bit more. Um so, again, just from a visibility standpoint, you know, the CDM is going to give you better visibility. Um Often times with the just kind of as an assessment on the CIS front, if if you have an organization that's looking to either implement CIS um or is already using it, I I personally like to go with the halves. So, you do a one and a half or two and a half. Uh what that's going to do is it's going to allow you to have a little bit more robust coverage um for across, you know, the 18 controls versus just the 15. So, making sure that you have a little bit more visibility. Um
you know, while the CIS controls don't specifically map one-to-one with the the functional areas within CDM, you know, the CIS is a little bit more tailored toward that toward that technology side. So, again, it's going to be a little bit better with a hey, I have this, you know, the answers to that that assessment or that that self-assessment is going to be a little bit easier to map within the CDM itself. Um and again, it gives you more strength in either those observations or if there are gaps identified, you can either come back and say, "Hey, the gap doesn't exist because we have this control." or great, that gap doesn't exist. Here's that corresponding gap in our security
controls. What do you propose that we do about it? So, you know, again, you know, have uh more evidence for that leadership discussion. Um and then finally, um you know, moving into more of kind of the regulated side of things. First is is DORA. Um you know, I'd say this is one that isn't necessarily as relevant to a lot of US-based organizations, um but uh you know, based more on uh EU-specific, um but if you're operating out of the EU, definitely something to keep account of. Um what's interesting with DORA is it almost maps one-to-one with the the areas that the CDM is looking at. It's it's almost the purest translation of a CDM into a regulation. Um
you know, generally speaking, that means say they're probably thinking along the same lines here. You know, we're looking at resilience as part of DORA, so it's going to be more of the recover focus. Uh in fact, it's probably the only one that I'm aware of that is that heavily focused on the recover side. So, really, the stronger side on this one is actually the right side versus the left side. Um one area though with the CDM, um you know, from an asset class perspective is DORA is very focused on supply chain and third-party risk management. So, this is one of those areas where you may want to add an asset class or shift your asset classes to
include that view into a third-party risk management or supply chain. So, you know, again, keep in mind the CDM is is flexible. You know, make sure that it fits your organization and what you're looking at from a regulatory or framework perspective. Uh within recover, um you know, most frameworks, most regulations treat that as aspirational. DORA doesn't. It's a mandatory requirement. Um so, again, you know, having that visibility, having that ability to fill that in with a robust uh view. Um the other thing that DORA requires is threat-led penetration testing. Um again, an area where a lot of organizations aren't necessarily doing it internally. They're typically farming that out to a third party. Um, but there
are specific requirements and there is a way to uh, really map what you're doing within that that penetration testing within the CDM, you know, across the different asset classes and making sure that you're covering all the required areas.
Okay. Uh, CMMC, um, you know, becoming kind of an urgent thing for many organizations that either didn't realize they were part of the defense industrial base or were really hoping that it didn't actually come into play. Um, similar to Dora, where's the focus area um, that, you know, the asset classes are are really missing? Third party risk management, supply chain. Um, you know, the cascading effect of from defense industrial base organization down the line in supply chain, you know, that's an area that you also need to look at uh, as you're building out a CDM or as you're looking at CMMC compliance. Uh, somewhat dependent here, especially from a CDM perspective, if we're going level
one, level two, or level three. So, with level two and level three, you know, kind of the the mandatory function here, the fact that it has teeth versus the self-assessment, still important to do that CDM, but obviously it's more important there, especially from a continuous monitoring perspective, you know, what do I actually have in place? Like, what is the evidence that I have, you know, especially from an assurance perspective internally? How am I making sure that what I'm saying on paper is actually in place? Um, you know, that's kind of the the quickest way for a lot of organizations have gotten themselves in trouble with CMMC is by either over promising um, within their their audit or their
assessment or again, assuming that things are in place and not really having that view into what actually is in place. Um, data here is going to be that that primary asset class um, related to controlled unclassified information. So, CUI is really the driving force of CMMC. So, if you're looking to comply with CMMC and you're doing your CDM, data is really should be you know, big box around it. This is the area that I need to have the most robust controls in. It will fawn out into the other asset classes um because obviously it follows the data, but keep in mind it follows the data. So the data is going to be the driving force here of either the enclave
that I need to make sure that I have those robust security controls in or, you know, at least that's starting point. So if I start with controls on the data and then work my way out, I'm going to be in pretty good shape here. Um you know, if you're leading up into say level two or level three, um you know, a good kind of pause here would be to actually do that CDM. So, you know, especially if you're not part of that direct audit, do your CDM, be able to have those answers um and that's a really good time again to have that leadership discussion of hey, you we want CMMC, these three things are
going to prevent us from actually obtaining it or prevent us from maintaining it and not potentially getting a fine. Um you know, this is the time to spend on it. Similarly FedRAMP, um so, you know, again government focused. Uh this maps a little bit better with the CDM because the baseline is 853. Um you know, control perspective really depends on if we're talking moderate or high, um which is really going to be driven by, you know, the intended use there within the cloud. Um but again, really focused on app, so application for asset classes and data. Again, I did a little bit easier to to uh kind of map to the the true CDM without a lot of movement there. Um but
you know, as you're doing this, really focus on on obviously the cloud. So that's the other thing with the CDM is, you know, focus on the area that the the requirements are pushing you towards. FedRAMP isn't a requirement across your entire program. You know, it is per se, but really we're talking about the cloud specifically here in the application. Um if that doesn't come into play for the your entire enterprise, then you know, that's not something that I necessarily need to look at with the CDM. So in theory, you could have multiple CDMs you know, across the different frameworks or or compliance needs of your organization. You [sighs] know, here continuous monitoring so specifically the detect
function is a requirement similar to the CMMC front. So you know, you saw kind of that tail off with the example you know, the crosswalk where as a moving out of end point and networks you know, kind of tails off on the detection side. You need to make sure that you have robust detections here. You know, especially cloud specific detections if we're talking FedRAMP. SEC cybersecurity rule not going to lie. This is probably my favorite. It probably scared the bejesus out of most organizations and most people when it first came out of how like how am I going to report this within four business days or what am I actually going to say? Why I like it is it is one of the few
regulations that kind of takes the burden off the security team and puts it on leadership. You know, leadership tries to funnel it down. We had some organizations where you know, we're building an incident response plan with them and they're like, "Hey, leadership needs me to make the materiality decision." Hell no. If leadership is asking you to make a materiality decision, 100% push back. If you need to call me, I would gladly yell at them because materiality should be with the business not with the security team. Security team can provide evidence. They can provide information on what's occurring but the materiality of the business needs to be with the business not with the security team. This is one area where the CDM doesn't
really satisfy the requirements here of the SEC cybersecurity rule but it does provide more evidence into this is why we can't comply or this is why we can't give you that answer of what's occurring. The other thing is it gives you the assurance of the program is working. So, I can actually give leadership those answers to be able to be compliant here. This also gives you a lot of evidence where again, if you're lacking on that respond and recover side, hey, we will fail at this. Um, you know, we will not be able to comply. We are likely going to get a fine. We're likely going to get pushback from the SEC if we file our 8K um, or
10K and, you know, that's a problem. Um, so again, this can be a nice quiver in your arrow in your quiver um, to to really get either that spend or, you know, push on this is why we need, you know, X, Y, and Z. Um, you know, again, detect function here is probably going to be your most important cuz obviously the sooner we can detect something, the sooner I can actually say something bad has happened and then we can file our uh, you know, notification of incident um, you know, within that that four business day timeline. Uh, PCI DSS um, you know, payment card specific. Uh, you know, a lot of PCI DSS is really
going to be that protect function. So, tokenization, encryption, HS HSMS, key management, uh, protect column is going to be very dense. Um, and again, often times that's going to be that first three asset classes, network, endpoint, and data. Um, and then kind of a fall off from a a user perspective. Um, you know, again, for for most programs here. Um, you know, where things start to to kind of fall off are in the respond where often times for most payment card organizations, the notification that a breach occurred is MasterCard or Visa reaches out. Often times there there isn't necessarily that same visibility into uh, their CDE into, hey, you know, something happened, something was moved
out or I don't have an answer of how large it was. Like I know something happened, I don't quite know what happened or what cards were impacted or maybe I just put my head in the sand and say like it was impacted but I didn't see any data leaving, so nothing bad happened. And then Visa or MasterCard reach out. So, you know, again, it's a nice practical exercise to to make sure that, hey, you know, are the defenses where they should be and and do I have an answer if something bad happens? Woah.
Uh HIPAA, um HIPAA security rule is going to be the the best, uh you know, kind of mapping here of the CDM. Privacy Omnibus, um you know, privacy especially, there isn't much of an overlap if we're talking, you know, cyber defenses, more so just can I detect a breach has occurred and can I give the answer of how many records were were impacted. So, really, you know, focus here on the the security rule. We have three safeguard categories with the caveat of HIPAA 2.0 might be changing some of this, so this is active as of right now. Subject to change, but the safeguard categories administrative, physical, and technical. Technical is obviously going to be the
best mapping here if we talk if we're talking the CDM. But again, it's not a true one-to-one. So, similar to PCI DSS, it's not going to be a great like, hey, this is specifically the functional areas that I'm looking at, but more so it's going to give you again that assurance that I can detect something has happened, I can respond to it. You know, I'm not necessarily as specifically tied to identify and protect. really where most health care lives is identify and protect. You know, they're very reactive, they're prone to not having a good answer into kind of the record side. And you'll see that a lot with with, you know, again, the the privacy notifications where
the public statement is, hey, a million records were breached here or a million records were impacted. And then a week later they do further investigation, and it's really only 150. Nobody cares about the second conversation. They care about, hey, a million records were were breached here. You know, nobody really looks at that that first or the second number there. So again, you know, the better you can have a handle on the detect and respond, the better clarity you can give for these conversations and put leadership in a better light. So, what are some things to kind of keep in mind here as you're looking at, you know, compliance in the CDM? As an inventory, so the asset class rows
are configurable. You should align them to your organization. You should align them to your industry or the framework that you're specifically wanting to look at. And again, some of this is going to translate between frameworks, some of it will not. And it's fine here to have a couple of different CDMs across a couple different frameworks here if that's what your organization is using. You know, making sure that you know, if you're financial services specifically looking for CMMC, a recommendation would be to add in an additional asset class for third-party risk management or supply chain. You know, again, making sure that you have that visibility. We were talking AI before. If you're an AI organization, you know, some of your assets may change
there from an asset class perspective as well. So again, you may want to add different ones. We'll actually touch on a different framework here for AI here shortly. Current state honesty. The The more honest you can be about what's going in there, the better results you can get. Like the CDM is not the time to be wishy-washy. The CDM is the time to be, you know, take the rose-colored glasses off and be as transparent as you can into the effectiveness. You know, the intent of the CDM is to be a view into the actual defenses, but also using it for the conversation that you need to have of why. Why do I need something? Cuz again, typically leadership is why
do you need that? We haven't had an incident in 6 months. Well, we haven't had an incident in 6 months because we got lucky because if you look here, respond is completely empty. You know, we don't have anything that falls into there. Um so, it's really giving you that that pushback. Um oftentimes with the CDM and sometimes this is difficult for organizations, you probably want to do it with at least two people to have point counterpoint. Um you know, again, doing it by yourself is perfectly fine, but if you can have another person that either disagrees with you or you know, hey, play devil's advocate. Uh I hate to say this, but you could even
use if you're by yourself, use a chatbot or AI to just hey, play the role of counterpoint. Argue with me. Oops. You know, tell me why this might not fit into this cell. Um you know, I'd be a little careful of what information you're providing, but again, if you need someone to push back on you, just make sure that there's somebody on the other side so that you're actually coming to that true point. Uh compliance overlay. Uh multiple frameworks uh are really where the CDM plays dividends in audit preparation. So, when your CISO is asking you, are you compliant? You can really answer that, you know, to the affirmative or to the negative in a
visual manner with the CDM. So, again, it isn't just hey, yeah yes, we're going to pass the audit, but here's the counterpoint. This is where we failed from a defensive program perspective. Uh gap reading. So, prioritization here really is an art. Um you know, again, like I said, you're you're going to have multiple gaps and you're going to have multiple strengths. Not everything needs to be in the green. Not everything needs to be the most mature. Make sure you're strategizing your gaps based on actual need um either from a compliance perspective or again, just from a program perspective. Uh we'll touch on how you can help kind of get some visibility into those gaps here
in a second. Um but mine that I usually like to align to if we're having these conversations are look at your threat landscape. Look at your threat profile. Where are there areas that actually might be used against me? Um and where are there ones where hey, we have such robust controls uh say on the protect side that like the likelihood of this occurring is pretty small. There might not be the need to spend a lot on the respond for that asset class, but I might have better spend elsewhere. And then finally reporting. Really the matrix itself is is generally speaking board ready. You know, you are going to have to explain probably you know, what what do
I mean by asset class here? What are the functions mean? So there's definitely some preparatory work that needs to go into explaining it. But generally speaking you have a heat map that you can show and they're going to see a bunch of red or gaps and their immediate response is going to be how do we close those? So it is really a nice way of kind of translating a fairly easy exercise into generally speaking a board ready presentation obviously with some cleanup. So you know, great. We understand the CDM. What are some things that I can do with the CDM or expanding upon the CDM to again better answer some of those questions? What I came up with was the cyber
posture map. You know, generally speaking you know, I sort of a CDM 2.0. Really additional function here of govern. So really looking at govern across the board and then providing sub information for within the cells. So you know, if we're talking you know, identify across network what things or what types of technology would generally fall into those areas. What it allows you to do is actually kind of plug and play multiple items across cells. But then also get better visibility into you know, the program doesn't necessarily built in a way where we're mapping network to identify, but we might be looking at threat intelligence or we might be looking at asset inventory. You know, getting a better visibility
into you know, what we commonly would call things into where they would generally fit within the cyber defense matrix. Also provide here maturity scoring. So again, you know, when I'm doing these with either an organization or on my own, I also like to provide kind of multi-layered maturity. So not necessarily just is it in place, is it not in place. We do want to look at the quality of that. Uh, you know, we say quality in most SecOps is going to go to it does is the tool good? I'm less concerned about that when when I'm talking, you know, maturity here and it's more do I have a tool? Is there a person that can look at it? Do I have
detections? You know, again, the quality of the tool itself. You can overlay the actual does this tool work well? Um, you know, especially if you're doing this in your own organization of hey, I have this this tool that you dumped on me and it's awful. This is a good way of kind of counterbalancing that point. The other one that I've been working on is an AI CDM matrix. Um, I will caveat with this with this is a 100% a work in progress. This is not the final state. Um, but again, kind of remapping those asset classes into what would usually go into, um, you know, a typical AI usage. Uh, the intent of this is is again, this
isn't meant to be a full program view into your full enterprise, but it's more specific to AI, what is my program doing? Similar functions, you know, identify, protect, respond, and recover with govern over top. Um, and again, you'll see here for most organizations we're really left heavy. Um, you know, especially for I mean, I would say they're left heavy, but again, there's a lot of gaps on the left-hand side as well. Um, you know, again, it's just kind of trying to rethink what, um, you know, what defenses, what things can go into, um, you know, kind of your your AI security. A driving force for this, I would say is more into the types of
attacks and less so the threat actor themselves. Um, you know, yes, there are novel approaches and yes, there are different techniques that are used by different threat actor groups if we're talking targeting AI, but generally speaking, you know, pick something like OWASP top 10, you know, um, MITRE ATLAS. Uh, again, align more to the techniques when you're providing those answers versus kind of the true threat actor at this moment in time. Um and again, caveat, work in progress. If you see anything that you think would be great to add, please let me know uh cuz 100% want to make this better. Uh and then finally, um you know, as I said, uh not to shout out Sean Thomas
again, but great talk yesterday uh you know, for the uh threat detection life cycle. Uh that's another way of really adding in another layer to the CDM. So, if we think about it from compliance to CDM, what comes after that? So, compliance again, the checkbox. Uh rearward looking, how did I do over the last X period of time? Security CDM forward looking, what can I do in the future? Attack uh detect and defend. So, the kind of the MITRE suite is is a way of kind of layering on the the extra there. Um So, attack, you know, the offensive lens, what are the likely threats facing my organization? What are the TTPs that are going to be used? Uh defend, uh more
of the defensive counterpart. Um Structure vocabulary for the defensive side. So, you know, kind of the counterpoint to attack. Uh and my personal favorite, which is detect, which is the operational bridge. So, I'm looking at the quality of my log sources. I'm looking at my custom learning use cases and providing that answer of from an attack standpoint, what is likely going to be used against me? From a defend perspective, what do I have in place and what can I do to to kind of counterpoint those uh those TTPs? And then from a detect perspective, where are there potentially gaps within the underlying logic behind those defenses uh to provide those those answers. Um so again, you know, if I'm
doing something like this, you know, this is where you're really getting the effectiveness of the tool. So again, I might have a SIM and it might be the best SIM in the entire world, but I don't have any data sources. So, I can't actually detect anything and I can't alert on anything, so it's not that good. Um you know, detect and defend are really going to help provide those uh those answers. And again, that extra layer here. Um Um I like to use this back in my sock days of a way of just kind of a thought exercise for especially more junior people. Get to know our tools. Get to know what we can do and what we can't do.
And again, take that CDM and kind of translate that into what we can actually see and what we can actually do. This can help form a prioritization standpoint as well as just an overall quality perspective. Um So, you know, if you think about it as your CDM is your strategic posture map, attack is your threat model, defend is your countermeasure library, and detect is your operational scorecard. So finally uh [sighs] you know, as noted, when you're doing your CDM, be as specific and actionable as you can. Uh don't just say, you know, go use the CDM. You know, if you're going to do it, make sure that you're aligning to a framework. Um make sure that's a
priority for your organization with the framework. Make sure that you're looking at the specific controls. You know, be honest with yourself with your security controls. If there is a gap, you know, treat this as a way of really providing evidence of why that gap needs to be closed. So, if you think about compliance frameworks tell you what is required, the CDM tells you where you stand with those requirements from a security control perspective. Uh you know, generally speaking, the the universal blind spots are going to be detect, respond, and recover. Uh and specifically for most frameworks, detect and recover. Um Usually, those are going to be very underpopulated and also an area where most of the
frameworks don't have a lot of good controls around you know, kind of answering how robust those defenses are. Uh then finally, the the matrix can serve as a shared language between security teams, executives, and auditors. Again, translating those requirements into a common language and putting actual security controls behind it versus just simply wishy-washy. I have something maybe and I'm checking that box. So, uh any questions that anyone has? Yes.
So, you know, the question is, you know, how to kind of bridge the gap beyond just is there something in place with the CDM and is it actually effective? Uh specifically with the CDM, no. Um oftentimes we recommend or we will do as an exercise like a purple team or something like that after this as a way of again taking that next step. So, you know, if we did a step after, you know, attack, defend, and and detect, it would be like a purple team or red team. So, I have this exercise, you know, from a compliance perspective. I understand what I need. I'm checking to see if I have security controls to fill that need. I'm then
making sure that on paper they work and they align to the threats that I'm facing. And then it would be an actual exercise. Um and you could even do something like Atomic Red Team, you know, something internally where it's just uh you know, hypothesis ship and threat hunting, you know, something of you know, validating that these controls are actually working. So, not specifically in the CDM, but that is a great exercise to do afterward. And I would say generally that's kind of where you're going to split from the compliance side. You know, compliance team doesn't really care as long as it's there, you have that common language. The security team is I need to make sure
it's actually working and doing what it should be. So, great question. Any other questions? Yes. >> You covered the ran spread five. I'm curious if you spent any time >> They are moving really fast. I would say generally speaking, if we're talking CDM here, there isn't much of a difference between, you know, building out the CDM if it's 20X or rev five. Um, you know, again, I would say it's somewhat based on the priority there for the organization of kind of which way you're going. And then you would just kind of want to reorganize the thought process in what you're putting in to make sure that you're again either not going too far or not going far enough
to make sure that you're kind of answering those questions. Yeah. Oh, sorry. And the question there was what is the you know, why I had rev five there and not necessarily 20X is there really a difference there? Sorry. Any other questions? Yes.
No. So, the question around was the defend taxonomy. So, defend is a project from Mitre. So, it is an existing taxonomy. And really kind of the easiest way to think about it is it's the inverse of attack. So, you're still using the attack matrix and it's more of if I have this tool or this defense, what can I detect against? Um, but defend is a is a project from Mitre. Yes. Yeah. Uh, if you're familiar with the center for threat informed defense, you know, that's some of what they do as well when they're doing their evaluations or actually looking at the defense as well. Yeah. Any other questions? Yes.
Uh, by my So, where did the universal blind spot of detect uh, respond and recover come from? Doing these over many, many years. And these are kind of the common areas as well as looking at uh the requirements of the different frameworks. Generally speaking, they are light on those functions. So, this isn't to say that all programs have gaps here. It's more of when we're talking frameworks, generally speaking, they're more aligned to identify and protect. Any other questions? >> Yes.
>> So, the the question was around, you know, we talked today about CDMs for specific frameworks, but you know, uh a question around CDMs for specific areas. Uh yes, I mean, that's the flexibility of CDM here is, you know, again, I would say I wouldn't go crazy and do like a million CDMs because, you know, it gets to a point where it's somewhat conflicting information, what is the source of truth? But yeah, I mean, if you're talking like, "Hey, I'm talking to the DevOps team." You could build one that's app-specific and kind of aligned to DevSecOps. You know, you could build one for your cloud team. You know, you can really use this as a thought exercise to A, understand
what other teams are doing, um cuz they might actually play a role in your your defenses that you don't necessarily realize or that you do realize and you want to put on paper. So, yeah, I mean, the flexibility here is you can adapt to either different teams, um again, the different asset classes, you know, the rows are really very flexible. The one area that I would say is the columns, I would try to stick to a common column as much as you can just to allow the translation of the information. Um you know, if you have a bunch of different columns that we're talking different functional areas, you start to lose some of that transparency
between, like, the interoperability. Um but again, the asset classes are are really you can kind of move them wherever. But yeah, like a great exercise to you know, kind of show your defenses across multiple different teams and areas. Any other questions? Yes.
Mhm.
Yes.
Mhm.
Yes. Mhm.
I agree. I mean, more of a statement and I'm not really going to be able to summarize all that for the the recording, but uh all all great points. I mean, uh you know, there some of the conversation yesterday was around, you know, the fact of, you know, the the compromising the updates, the NPMs, you know, there there's a different transit for a lot of attacks here that isn't necessarily falling into what traditional security controls are looking at. So, some of it is a paradigm shift, some of it is different techniques. Um you know, again, that's why I like to really layer in the you know, attack, defend, detect because, you know, again, it isn't necessarily about just the CDM.
It isn't just about what tools are in place for security controls. Sometimes it's the extra things that we're doing that, you know, we want to make sure that we're getting credit for. Um yes, you know, the the common uh I have a tool and now it's not working anymore or the company has gone bankrupt. Again, the hope would be here that by layering in um you know some of that redundancy or the question of everybody sitting there we have all the answers. We're breaking for the day and then that one guy raises his hand. What about this tool that we used 20 years ago that's still here? Okay, where does that fit in there and
how do we rip that out? Um And you know again, you know the the overarching on any security program is is budgeting. Um you know that is the the boogeyman that again you can have a perfect security system I wouldn't be able to do anything so the business won't be able to operate and then on the inverse it's going to cost a lot of money. Nobody wants to pay for it. The hope with exercises like this is spread the spend out and and actually be true with yourself if these are the things that I actually need. I don't need you know the A class you know the A 4 pluses tool in this area cuz it isn't
really a priority for organization and yes great you went to a demo and they showed it to you and it was awesome and now you're really pushing for it. We already have 20 things that cover that. Um we don't need that. We could spend this a lot better elsewhere. So 100% across the board from everything you said. Um and really you know I hope kind of the main takeaway here is is again the goal here is to put more uh ammo into your hands to have these conversations versus just being truly driven by that check mark um that's required for the audit. Um and I know we're almost at time so one last question. Okay. Well, thank you all for your time.
Appreciate you spending a little bit of time this Sunday with me. Thank you. >> [applause]