This February, sixty security practitioners met in Dallas for the first annual Cyber Defense Matrix conference, an intimate day of workshops and talks focused on making the most of Sounil Yu’s popular framework.
Adrian Sanabria, a practitioner with more than 20 years of experience and repeat presenter at RSA, shared his use case for the Matrix - visualizing breaches and incidents.
He told the audience in Dallas, “This is a use case that occurred to me back when I started to do research on breaches. I wanted to understand why companies failed, why breaches happened, and I started collecting all this data. But it's kind of tough to zoom out to the big picture. So when I came across Sounil's Cyber Defense Matrix, I immediately knew the use case I wanted to use it for.”
Why conduct breach post-mortems?
“A failure is a terrible thing to waste,” was written across Adrian’s presentation slides. His stance on breach post-mortems is simple: the industry won’t provide them for you, but the lessons from thinking through reported breaches are critical for improving your own security controls.
“If you look at other industries and how they handle failures generally, it's pretty common to have a public report of what happened so that others can learn from your mistakes and improve. Not so much the case in cybersecurity.”
Instead, most cyber breaches are reported in the media hours or days after the incident, with very little analysis of how they happened.
“These headlines tend to boil it down to something simple. Somebody didn't patch something, somebody got phished. But ultimately, the breaches are a lot more complex and … there's a ton to learn from diving into the details.”
Why visualize breaches?
Some teams may briefly talk through incidents and breaches reported in the news, but Adrian advocates for a more systematic, visual approach. The reasons are simple:
- Visualizations make patterns visible.
- Patterns answer questions or inspire new ones.
- We can see things that are invisible when looking at raw data.
The Cyber Defense Matrix provides a simple framework any person or team can use to visualize breaches in the same way, in order to recognize patterns over time and prioritize controls that can prevent similar incidents from affecting their organization.
How to visualize incidents and breaches with The Cyber Defense Matrix
- Using the information you’ve gathered about a breach (articles, threat intelligence reports, etc.), identify and list all of the control failures you notice.
- Color-code each failure: red for technology control failures, blue for people-oriented control failures, and green for process failures.
- Map each failure to the Cyber Defense Matrix category that best matches it.
- Discuss with your peers - this analysis is a matter of judgment, so comparing your own analysis across multiple breaches is useful.
Example 1: Code Spaces
The story of Code Spaces, a small, scrappy 2010s company of just five engineers, is a sad one, but it offers many useful lessons. Out of only 23 companies to ever be “killed by a breach,” Code Spaces is the only cloud-first organization on the list, says Adrian. So what went so horribly wrong? It’s easy to see when the failures are mapped onto The Cyber Defense Matrix.
In the Code Spaces breach, an attacker gained access to their AWS environment and launched a DDoS attack while demanding a ransom. Code Spaces refused to pay, and when they tried to wrest control back, the attacker deleted everything and wiped them out.
Adrian listed nine control failures in the Code Spaces breach:
- Root AWS account had full access/control
- Nothing segmented across IAM, AWS accounts, or VPCs
- Product and corporate/back office infrastructure all in one place
- Insufficient backups outside AWS to recover customer or business data
- Failed to detect the attacker gaining access to the environment
- Failed to detect the attacker creating additional IAM identities
- Skipped the containment step of incident response
- Attempted eradication before containment
- No Incident Response Plan
When color-coded and mapped to the Cyber Defense Matrix, the critical lesson becomes clear: process is a critical security control, and a poor one leaves you incredibly vulnerable.
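The four-step procedure above, applied to Adrian’s nine Code Spaces failures, as an added Python example that is not part of the article or the talk: the kind (colour) and Matrix cell assigned to each failure are this example’s own judgment calls, and the text grid stands in for the coloured slide by printing one colour initial per failure in each cell.

```python
from collections import Counter

# Matrix axes: operational functions across, asset classes down.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSETS = ("Devices", "Applications", "Networks", "Data", "Users")
KINDS = {"tech": "red", "people": "blue", "process": "green"}  # colour per failure kind

# Adrian's nine Code Spaces failures. The kind and cell chosen for each row is
# this example's own judgment call; the talk stresses the mapping is subjective.
CODE_SPACES = [
    ("Root AWS account had full access/control", "tech", "Protect", "Users"),
    ("Nothing segmented across IAM, accounts, or VPCs", "tech", "Protect", "Networks"),
    ("Product and back-office infrastructure in one place", "tech", "Protect", "Networks"),
    ("Insufficient backups outside AWS", "process", "Recover", "Data"),
    ("Failed to detect attacker gaining access", "tech", "Detect", "Users"),
    ("Failed to detect creation of extra IAM identities", "tech", "Detect", "Users"),
    ("Skipped the containment step of IR", "process", "Respond", "Devices"),
    ("Attempted eradication before containment", "process", "Respond", "Devices"),
    ("No Incident Response Plan", "process", "Respond", "Users"),
]

def validate(failures):
    """Reject rows outside the Matrix vocabulary so a typo cannot silently drop a failure."""
    for desc, kind, func, asset in failures:
        if kind not in KINDS or func not in FUNCTIONS or asset not in ASSETS:
            raise ValueError(f"bad mapping for {desc!r}: {kind}/{func}/{asset}")
    return True

def build_matrix(failures):
    """Return {(function, asset): Counter(kind)} with all 25 cells present."""
    validate(failures)
    grid = {(f, a): Counter() for f in FUNCTIONS for a in ASSETS}
    for _, kind, func, asset in failures:
        grid[(func, asset)][kind] += 1
    return grid

def by_axis(failures, index):
    """Totals along one field of the rows: 1 = kind, 2 = function, 3 = asset."""
    return Counter(row[index] for row in failures)

def render(failures, width=14):
    """Text grid; each cell shows one colour initial per failure (RR = two red/tech)."""
    grid = build_matrix(failures)
    lines = ["".ljust(width) + "".join(f.ljust(width) for f in FUNCTIONS)]
    for asset in ASSETS:
        cells = ["".join(KINDS[k][0].upper() * n for k, n in sorted(grid[(f, asset)].items()))
                 or "-" for f in FUNCTIONS]
        lines.append(asset.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)
```

Calling `print(render(CODE_SPACES))` shows the Respond column carrying three green (process) failures, and `by_axis(CODE_SPACES, 2)` gives the per-function totals that make that pattern countable across many breaches.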
Example 2: Equifax
A post-mortem on a large breach like the infamous 2017 Equifax breach is easier but lengthier, given the greater amount of information released to the public. Adrian identified 30 failed controls in this breach, and visually represented the size of their impact in his Matrix post-mortem.
- No asset inventory
- No software inventory
- No file integrity monitoring
- No network segmentation
- Neglected SSL Inspection (SSLV) Appliance
- Neglected SSLV failed open
- SSLV lacked certs for key systems
- SAST failed to find Struts due to user error
- No anomaly detection on web servers
- Custom snort rule didn’t work
- Custom snort rule wasn’t tested
- Network scanner didn’t find Struts
- Failed to detect webshells
- Failed to detect interactive activity
- Admins stored cleartext creds in open shares
- Least privilege principles not followed for database access
- Ad Hoc DB queries not restricted
- No DB anomaly monitoring
- No field-level encryption in DBs
- No data exfiltration detection
- DAST scanning failed to detect vulns
- Ineffective IR plan/procedures
- No owners assigned to apps or DBs
- Comms issues due to corp structure
- Lack of accountability processes
- No follow-up on patching status/results
- Old audit findings were not addressed
- Insecure NFS configs
- Logs retained for less than 30 days
- Nonexistent or ineffective IR testing
Watch Adrian Sanabria’s full Cyber Defense Matrix Conference talk
About The Cyber Defense Matrix book and conference
Created by Sounil Yu, former Chief Security Scientist at Bank of America and current CISO and Head of Research at JupiterOne, the Cyber Defense Matrix brings order and organization to the cybersecurity landscape.
Simple in form, easy to grasp, and highly versatile, the matrix is already helping organizations from the Fortune 500 to top government agencies strengthen protection against rising cybersecurity threats.
In 2023, the first annual Cyber Defense Matrix conference was hosted in Dallas, TX. Download a copy of the book from JupiterOne, and stay up to date on future conferences and workshops.