The Cyber Defense Matrix is a strategic framework for organizing cybersecurity practices across your organization. It helps security teams identify gaps, align tools with operational functions, and create a more resilient security posture. This guide explains how the Cyber Defense Matrix works and how teams can implement it.
The intention behind the matrix is to support more intentional and conscious decisions by categorizing assets, actions, vulnerabilities, and other security considerations into a clear, communicable format.
The Cyber Defense Matrix is a strategic framework rather than an operational one. A holistic cybersecurity approach spans several organizational levels, each with its own strategies, software services, and analytical frameworks. For example, analyzing customer usage metrics or implementing identity and access management services are operational cybersecurity approaches: they directly affect day-to-day operations. Identifying and communicating a company-wide cybersecurity plan through a strategic framework is a strategic cybersecurity approach. The two operate in tandem, one setting the direction of security implementation, the other executing that guidance in real time.
Figure: the Cyber Defense Matrix as shown by Sounil Yu in his presentation “The Limits and Potential of the Cyber Defense Matrix” at the Cyber Defense Matrix Conference in 2023.
Developed by Sounil Yu over more than eight years, the Cyber Defense Matrix begins with the five operational functions of the NIST Cybersecurity Framework:
| Function | Description |
|---|---|
| Identify | Inventory assets and their vulnerabilities, measure the platform’s attack surface, establish baseline activity, model threats, and otherwise assess risk. |
| Protect | Prevent or limit impact, patch known vulnerabilities, manage access, and establish more robust security practices. |
| Detect | Discover anomalous events, identify intrusions, and analyze security telemetry. |
| Respond | Act on detected events by securing the platform, rotating secrets, and assessing impact. |
| Recover | Resume normal operations, restore services after an outage, document lessons learned, and demonstrate resiliency. |
The NIST operational functions mark the X-axis of Yu’s matrix and represent the passage of time during a cybersecurity incident. Identifying and protecting assets are structural security functions that should always be underway within the organization. As vulnerabilities are discovered, whether through an internal scan or a zero-day vulnerability in a third-party platform, security teams must move quickly before threat actors take advantage of them.
The final three operational functions, detect, respond, and recover, represent security measures in the event of a cybersecurity incident. These are situational security functions that occur under very specific circumstances. While detection processes should be a routine part of cybersecurity, detecting an anomalous event must trigger the appropriate security inspections.
The Y-axis of the Cyber Defense Matrix categorizes various company assets by asset class. These classes are:
| Class | Description |
|---|---|
| Devices | Workstations, servers, phones, tablets, storage, network devices, infrastructure, and more. |
| Apps | Software interactions and application flows on devices. |
| Networks | Connections and traffic flow among devices and apps, as well as physical and digital communication paths. |
| Data | Content at rest, in transit, or in use by devices, apps, or networks. |
| Users | The people using any other assets, including developers, customers, and third parties. |
Together, these axes form the primary grid of the Cyber Defense Matrix. Each cell holds the organization's plan for the security measures at that intersection. For instance, in the Networks and Identify cell, a security team might find their hybrid work environment unsecured because employees sign in to their work environment from home or café Wi-Fi. In the Networks and Protect cell, they might then plan to mandate a VPN with multi-factor authentication.
The matrix does not solve cybersecurity weaknesses; instead, it provides a structure for discussing strategic actions.
The final element of the standard Cyber Defense Matrix grid is the Degree of Dependency measure at the bottom of the matrix. It shows how much each operational function depends on preventative software systems versus direct human control and intervention.
Generally speaking, preventative operational functions, like those in the Identify and Protect categories, rely on a systemic approach to security. This means implementing secure systems to prevent a breach in the first place. Situational elements, like those in a cybersecurity incident's Detect, Respond, and Recover phases, will require a more hands-on approach from security teams.
In Yu’s diagram, the green Process/Govern bar runs at a constant height across all operational functions to represent the importance of premeditated cybersecurity protocols. All cybersecurity processes should be well established before they become a necessity. The worst experience in cybersecurity is encountering a crisis you aren’t prepared for.
The role of the Cyber Defense Matrix is twofold. It serves as both a review of current cybersecurity protocols and a roadmap for future ones. For the review, your security team should identify the systems and software currently in operation for each box, asking questions like, “How often are we checking our devices for malware?” or “What systems are in place for recovering data in the event of a breach?”
After thoroughly examining your current cybersecurity capacity, the Cyber Defense Matrix becomes a roadmap for future implementation. What sections are missing? Which protocols are missing or unclear, and how can we shore them up? The Cyber Defense Matrix won’t protect you from data breaches, but it can show you the security considerations your team might be missing.
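The review-and-roadmap pass described above is easy to lose track of in a spreadsheet, so here is an added example (not code from the article or from Sounil Yu's own materials) that models the 5×5 grid in Python, records the controls a team has for each cell, and reports the empty cells as the roadmap. The inventory entries are constructed sample data, and the `kind` tag on each control ("technology" for systemic, "people" for hands-on) is an assumption introduced here to approximate the Degree of Dependency measure, not part of the matrix as published.

```python
"""Gap review over a Cyber Defense Matrix grid (hypothetical helper, not Yu's tooling)."""
from dataclasses import dataclass
from itertools import product

# The two axes exactly as the article describes them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSET_CLASSES = ("Devices", "Apps", "Networks", "Data", "Users")
KINDS = ("technology", "people")  # assumed tagging for the dependency measure


@dataclass(frozen=True)
class Control:
    name: str
    kind: str  # "technology" (systemic, preventative) or "people" (hands-on)


class CyberDefenseMatrix:
    def __init__(self):
        # One list of controls per (asset class, function) cell; empty means a gap.
        self.cells = {(a, f): [] for a, f in product(ASSET_CLASSES, FUNCTIONS)}

    def add(self, asset, function, name, kind="technology"):
        """Record a control in one cell; reject unknown axes or kinds early."""
        if (asset, function) not in self.cells:
            raise ValueError(f"unknown cell {asset}/{function}")
        if kind not in KINDS:
            raise ValueError(f"kind must be one of {KINDS}, got {kind!r}")
        self.cells[(asset, function)].append(Control(name, kind))

    def gaps(self):
        """Cells with no recorded control: the roadmap items."""
        return sorted(cell for cell, controls in self.cells.items() if not controls)

    def coverage(self, function):
        """Fraction of asset classes with at least one control for a function."""
        covered = sum(1 for a in ASSET_CLASSES if self.cells[(a, function)])
        return covered / len(ASSET_CLASSES)

    def people_share(self, function):
        """Share of a function's controls that depend on hands-on work, or None if empty."""
        controls = [c for a in ASSET_CLASSES for c in self.cells[(a, function)]]
        if not controls:
            return None
        return sum(c.kind == "people" for c in controls) / len(controls)

    def render(self):
        """Plain-text grid: control count per cell, '-' for a gap."""
        header = "{:<9}".format("") + "".join(f"{f:>10}" for f in FUNCTIONS)
        rows = [header]
        for a in ASSET_CLASSES:
            marks = [str(len(self.cells[(a, f)])) or "-" for f in FUNCTIONS]
            marks = [m if m != "0" else "-" for m in marks]
            rows.append(f"{a:<9}" + "".join(f"{m:>10}" for m in marks))
        return "\n".join(rows)


def build_sample_matrix():
    """Constructed inventory for a small team; the two Networks entries echo the article."""
    m = CyberDefenseMatrix()
    m.add("Networks", "Identify", "Inventory of remote-access paths (home/cafe Wi-Fi)")
    m.add("Networks", "Protect", "Mandatory VPN with MFA")
    m.add("Networks", "Respond", "On-call network engineer rotation", kind="people")
    m.add("Devices", "Identify", "Endpoint asset inventory")
    m.add("Devices", "Protect", "Patch management")
    m.add("Devices", "Detect", "EDR alerting")
    m.add("Devices", "Respond", "Incident handler isolates host", kind="people")
    m.add("Apps", "Detect", "Application log anomaly alerts")
    m.add("Data", "Protect", "Encryption at rest")
    m.add("Data", "Respond", "Secret rotation procedure", kind="people")
    m.add("Data", "Recover", "Tested backup restore runbook", kind="people")
    m.add("Users", "Identify", "HR-driven account inventory")
    m.add("Users", "Protect", "SSO with MFA")
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(matrix.render())
    print("\nGaps (asset class, function):")
    for asset, function in matrix.gaps():
        print(f"  {asset}/{function}")
    for f in FUNCTIONS:
        print(f"{f}: coverage={matrix.coverage(f):.0%}, people_share={matrix.people_share(f)}")
```

Running it prints the grid, then the twelve empty cells as a to-do list, and a per-function summary in which the later functions lean on people while the earlier ones lean on technology, which is the shape the Degree of Dependency bar describes. Swapping the constructed inventory for your own is the whole exercise; the point of the script is that an empty cell is visible rather than forgotten.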
In his talk at the 2023 Cyber Defense Matrix Conference, Sounil Yu added further layers to the Cyber Defense Matrix by introducing a third, vertical dimension. This third dimension acts as an additional lens applied to the original matrix, shifting the perspective from which the grid is read.
Yu asks questions about applying his matrix to threat actors and customers. What devices are hackers connected to? What software are they using to identify and exploit vulnerabilities? What devices do customers most access the software from? What about third-party services?
Layering different perspectives of the Cyber Defense Matrix together helps paint a more holistic picture of your company’s cybersecurity landscape.
In short, the Cyber Defense Matrix is a strategic framework for mapping security functions (Identify, Protect, Detect, Respond, Recover) against asset classes (Devices, Apps, Networks, Data, Users).