The NIST Cybersecurity Framework (CSF) identifies five primary and essential domains of security activity: identify, prevent, detect, respond, and recover. Security monitoring and threat detection solutions align most closely with the detect and respond domains. With such a dense market, it’s important to have a clear means of identifying which solutions will work for you and your organization. Having a repeatable way to reason about the right answer matters more than finding the right answer for one organization and carrying it from place to place.
Cyber Defense Matrix
The cyber defense matrix is a model put together by Sounil Yu. It can be used in a variety of ways; one I’m personally a big fan of is vendor evaluation and portfolio management.
Mapping out a particular use case or class of technologies on the matrix is a useful way to identify coverage opportunities and gaps relative to the level of investment. One thing I like to do with the defense matrix is to expand each asset class into more granular categories that better represent the environment I’m working in.
For example, breaking devices down into:
- Devices – Workstations
- Devices – Mobile Devices (Corp-Issued)
- Devices – Mobile Devices (BYOD)
- Devices – On-Premise Servers
- Devices – Cloud-Based Servers
Another example is applications:
- Applications – Custom-Built Applications
- Applications – SaaS/PaaS
- Applications – Self-Hosted COTS
Depending on your security monitoring needs, coverage can matter a great deal, and particular asset classes may need better coverage than others.
The cyber defense matrix can also be used alongside a traditional decision matrix that maps out various features and cost elements.
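As an added example (not from the post or from Sounil Yu’s matrix materials), the following Python sketch scores a constructed, hypothetical tool portfolio against the expanded asset classes above for the detect and respond functions, and contrasts that with the coarse “Devices”/“Applications” view to show the gaps the expansion surfaces. Tool names and their coverage claims are constructed assumptions.

```python
from collections import defaultdict

# Rows of the matrix: the expanded asset classes from the post.
ASSET_CLASSES = (
    "Devices – Workstations",
    "Devices – Mobile Devices (Corp-Issued)",
    "Devices – Mobile Devices (BYOD)",
    "Devices – On-Premise Servers",
    "Devices – Cloud-Based Servers",
    "Applications – Custom-Built Applications",
    "Applications – SaaS/PaaS",
    "Applications – Self-Hosted COTS",
)

# Constructed sample portfolio (hypothetical tool names): tool -> (asset class, function) cells it covers.
PORTFOLIO = {
    "endpoint-agent": {(a, f) for a in ("Devices – Workstations", "Devices – On-Premise Servers")
                       for f in ("detect", "respond")},
    "mdm": {("Devices – Mobile Devices (Corp-Issued)", "detect"),
            ("Devices – Mobile Devices (Corp-Issued)", "respond")},
    "waf-logs": {("Applications – Custom-Built Applications", "detect")},
    "saas-audit-ingest": {("Applications – SaaS/PaaS", "detect")},
}

def cell_coverage(portfolio):
    """Map each (asset class, function) cell to the set of tools covering it."""
    cells = defaultdict(set)
    for tool, claims in portfolio.items():
        for cell in claims:
            cells[cell].add(tool)
    return dict(cells)

def gaps(portfolio, functions=("detect", "respond")):
    """Expanded view: per asset class, the monitoring-relevant functions no tool covers."""
    cells = cell_coverage(portfolio)
    return {a: [f for f in functions if not cells.get((a, f))] for a in ASSET_CLASSES}

def collapsed_gaps(portfolio, functions=("detect", "respond")):
    """Coarse view ('Devices', 'Applications'): a function counts as covered if any sub-class is."""
    cells = cell_coverage(portfolio)
    coarse = sorted({a.split(" – ")[0] for a in ASSET_CLASSES})
    return {c: [f for f in functions
                if not any(cells.get((a, f)) for a in ASSET_CLASSES if a.startswith(c))]
            for c in coarse}

if __name__ == "__main__":
    print("collapsed view hides:", collapsed_gaps(PORTFOLIO))  # {'Applications': ['respond'], 'Devices': []}
    for asset, missing in gaps(PORTFOLIO).items():
        if missing:
            print(f"{asset}: no tool for {', '.join(missing)}")
```

The coarse view reports Devices as fully covered, while the expanded view shows BYOD mobile devices and cloud-based servers have no detect or respond coverage at all.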
Relation to Existing Cybersecurity Technology Portfolio
In this day and age, integrations are critical to an effective portfolio. Technology solutions need to be able to work effectively alongside other solutions to get the most value out of them. Otherwise, your team (or extended team) will be spending valuable time and resources analyzing and pulling context out of one solution and making it work in another.
A specific example of this is connecting a monitoring and alerting solution to a case management solution, where details and incidents are tracked. Ideally, the various monitoring, detection, and alerting solutions automatically push details and context into the case management solution for analysts to consume and to aid reporting.
Whenever evaluating a new cybersecurity technology, it’s important to consider it alongside your existing portfolio. Unless other parts of your portfolio are also going to change alongside the new solution, it has to be evaluated together with what is already in place. Specific things to look for include, but are not limited to:
- An accessible and well-documented API
- Purpose-built integrations for the tools you use
- A team that is willing to hear you out and build integrations upon request (prioritized accordingly)
- Connectors between the new solution and any SOAR tools you use
Operations and Maintenance
Tools today come with a wide range of deployment models, each of which affects the cost and the amount of work involved. The team resources available to you should be an influencing factor in the decision. That said, this needs to be considered alongside the security posture you’re comfortable with, features, integration opportunities, cost, and coverage.
SaaS-based delivery models will often let you deploy and get started with the most speed and stability: there is no installation process and no setup of servers and network resources. Conversely, self-hosted deployment models may require more initial setup time. However, they give you more control over the overall technology stack and its security, and they may let you scale more cost-effectively.
Because security monitoring is just one part of an overall effective security strategy, it cannot be the sole focus of your entire team. Your team’s bandwidth to manage, operate, and administer solutions must be considered. If you use a managed security solutions provider (MSSP), operating the solution may be more feasible after the initial setup.