The cyber defense matrix is an organizational tool designed by Sounil Yu to assist security teams with inventorying current security measures, identifying gaps in current tools, and planning future security investments. Enterprise secrets management solutions fit many spaces of the matrix and integrate with services that fit others.
Operational function | Purpose |
---|---|
Identify | Inventory assets and their vulnerabilities, measure the platform’s attack surface, establish baseline activity, model threats, and otherwise assess risk. |
Protect | Prevent or limit impact, patch known vulnerabilities, manage access, and establish more robust security practices. |
Detect | Discovering anomalous events, identifying intrusions, and analyzing security analytics. |
Respond | Acting on detected events by securing the platform, rotating secrets, and assessing impact. |
Recover | Resuming normal operations, restoring services in case of outage, documenting learned lessons, and demonstrating resiliency. |
The NIST operational functions of the Cyber Defense Matrix represent the phases of a cybersecurity incident. Identifying and protecting assets are structural security functions that should always occur before an incident. As vulnerabilities are discovered through detection functions, teams respond and recover with security measures during and after the incident.
The Y-axis categorizes various company assets by class. These are:
Asset class | Examples |
---|---|
Devices | This includes workstations, servers, phones, tablets, storage, network devices, infrastructure, and more. |
Apps | These are software interactions and application flows on devices. |
Networks | Connections and traffic between devices, applications, and both physical and digital communication channels. |
Data | Content at rest, in transit, or in use by devices, apps, or networks. |
Users | The people using any other assets, including developers, customers, and third parties. |
Together, these axes form the Cyber Defense Matrix. By filling out this matrix, security leaders can evaluate where protections are strong or weak. The matrix also helps guide decisions on future investments. For instance, in the cross-section of Network and Identify, a security team might identify that their hybrid work environment is unsecured when employees access their work environment from home or cafe wifi. In Network and Protect, a plan mandating a VPN with multi-factor authentication would then be formed.
Secrets management touches many parts of the matrix. Sensitive credentials, such as API keys, service tokens, and database passwords, span multiple asset classes and operational functions.
Some teams add Secrets as a distinct row in their version of the matrix to give this area explicit focus.
We’ll go through a few examples of secrets management within the cyber defense matrix framework, with an emphasis on how features of an enterprise secrets management solution might solve security issues.
Because many secrets managers don’t identify loose secrets in repositories, enterprise solutions integrate with secrets detection services that do. These services work in tandem to locate vulnerable or exposed secrets and revoke their privileged access before hackers exploit them.
Additional note: When choosing third-party services or cloud hosting architecture, do your research! Add secrets management into your team’s search criteria, and only choose third-party integrations that demonstrate a commitment to security.
Secrets management solutions fall primarily into this category. Here are a few features that enterprise solutions should have.
1. Secure, encrypted, centralized storage replaces less secure locations, preventing secrets sprawl and its associated security vulnerabilities and development inefficiencies.
2. Customizable access permissions facilitate the implementation of the principle of least privilege. Access controls also help securely onboard and offboard employees.
3. Automated, platform-wide synchronization enables the many security benefits of routine secrets rotation without the development inefficiencies that plague manual secrets management. Regularly scheduled rotations protect the platform from old or forgotten secrets.
Enterprise secrets management solutions should include audit and activity logs for every action related to secrets use. This enables a security team to quickly identify suspicious activity and locate the compromised credentials or accounts.
Automated revocation and rotation practices enable security and development teams to quickly change the value of a secret, regaining administrative control over compromised credentials.
Enterprise secrets management features like secret versioning allow teams to roll back a secret’s value to prior versions in the event of a mistake or a leak.
Filling in the cyber defense framework for the secrets asset class might look something like the table below, though your team should use the framework however makes most sense for your organizational needs.
Operational function | Enterprise features |
---|---|
Identify | Integrate with detection services to limit secrets sprawl |
Protect | 1. Secure, encrypted, centralized storage 2. Customizable access controls with IAM integration 3. Automated, platform-wide synchronization without downtime |
Detect | Audit and activity logs for secrets use and access |
Respond | Automated secrets rotation of compromised credentials to regain administrative control and limit the scope of a breach |
Recover | Secret versioning, enabling rollback to prior values |
While security should always remain at the forefront of executive decisions, revenue-generating initiatives and development efficiency are also very important! Most teams are looking for a solution that integrates with existing systems to strengthen their security posture without inhibiting the workflow. An enterprise secrets management solution should integrate with a host of other services to ensure smooth operation. Here are a few important examples of integrations:
1. Secrets detection services help identify the scope of secrets spraw
2. Identity access and management services with SSO and SAML authentication make access to secrets more secure.
3. Integration with cloud providers and cloud-native secrets managers reduces the risk of duplicate secrets and secrets sprawl, particularly in multi-cloud environments.
It is a cybersecurity framework that maps five functions (Identify, Protect, Detect, Respond, Recover) across asset types such as devices, apps, networks, data, and users.
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.