Hi, I'm Sounil Yu, and I'm the creator of the Cyber Defense Matrix. The Cyber Defense Matrix is a model that I created to help navigate the cybersecurity landscape, and I think it has some applicability for some of the challenges that we see in healthcare. A little bit about me before we get started. So I'm currently the CISO and head of research at JupiterOne. JupiterOne is a startup that is building a cloud-native cyber-asset management and governance solution. Before JupiterOne, I was the Chief Security Scientist at Bank of America. And while there, I had the opportunity to serve in a couple different roles. One of them was to be a mad scientist where I had a chance to build a lot of interesting and new crazy capabilities. Aside from building capabilities, I also was the main person that was in charge of looking at new startups and testing those capabilities to see whether or not all the claims that they make actually work. And then lastly, I had a chance to be a red team lead where I got a chance to break a lot of things. Now, in my role as a product evaluator of a lot of different startups, I faced an immediate challenge, which was just trying to dissect through all the buzzwords that they throw at me to understand, one, what they do, and two, to see whether or not it actually meets the need that I have. Well, one of the responsibilities I had as the Chief Security Scientist was to develop the technology roadmap for the organization. Well, to be able to do that, you have to understand where you have gaps, right? But when you just stare at a bunch of buzzwords like you see here, it's hard to find a gap because what you see is all there is. If I were to ask you what's missing out of here, you would have a hard time just because it requires you to have to dissect every word here and understand what might be missing. So I needed a better, more structured approach.
And in my attempt to come up with a more structured approach, I came up with, again, something I call the cyber defense matrix. The cyber defense matrix at its core consists of two dimensions. On one dimension, it's the things that I care about, these five asset classes, devices, applications, networks, data, and users. On the other dimension, it's the five functions of the NIST cybersecurity framework, identify, protect, detect, respond, and recover. When we bring these two dimensions into a five by five grid, we get what I call the cyber defense matrix. And the cyber defense matrix provides a 50,000 foot strategic view of the entire cybersecurity landscape. It provides a view that helps us understand where we might have gaps in our program, where we need to go, where our capabilities fall, all the things that we need to do to run a mature and robust cybersecurity program. What you also see on the bottom is something that I've conjectured or asserted depicts the degree of dependency that we have on people, process, and technology as we go across the five functions of the NIST cybersecurity framework. So when it comes to the functions of identify and protect, we should largely rely upon technology to do the work there. As we move to detect, respond, and recover, what I have found is that despite whatever technologies that come our way, we are still very heavily dependent upon people to do a lot of the work on the right side of boom. Boom, by the way, is between protect and detect. And on the right side of boom, it tends to be that we need people to do a lot of the work there. Throughout all five functions, we have an equal amount of dependence on process, meaning we always have a need for process throughout all five functions. It's not something that we should disregard.
So to be able to test the cyber defense matrix then, I would want to take all those buzzwords that we saw previously and see whether or not I can find a home for each one of these buzzwords, right? And for the most part, I was able to do that. I was able to take a lot of those buzzwords and fit them in. And in doing so, I can see, for example, what the buzzwords mean in relation to the function and the asset class where it's trying to perform some security function. It also allows me to see adjacencies. It lets me see gaps as well, potentially in the marketplace. Now, just because there's a word in one of these boxes, doesn't necessarily mean that all the individual functions within the five functions of the NIST cybersecurity framework are actually being performed. So, again, it's a 50,000-foot view. And as you get lower into the 25,000 and 10,000 and 5,000-foot view, as you see more granularity and start seeing a more tactical view of the landscape, we'll see more gaps emerge just because there's only so much you can see at this sort of scale. Now, the cyber defense matrix, I wanted to find an easy way to put it into practice or help people put it into practice. So, I came up with an approach that I call the stack. And the stack is, I use a food analogy when describing the stack because, well, we all have to eat foods so hopefully it's something that everyone can relate to. The stack uses the cyber defense matrix as a foundation and then what we are going to do is to map various layers. And these layers consist of different parts of how we make food. So, the first layer is a recipe. These are proven practices. These are frameworks. These are architectures that we have to abide by. And this represents the things that we have to do, the kind of requirements that we have to meet to have a robust cyber security environment. The next layer is our pantry. Basically, what do you have today in your existing portfolio capabilities that can help secure your environment?
The third layer is the market. So, what can you find in a grocery store? What's available from vendors to help you fulfill the recipe that you're trying to make? Now, not everyone can eat every kind of food. Likewise, within a business, not everyone can adhere to all the security controls that we want to implement. So, we have to somehow capture business constraints and exceptions and things that will cause impact to the business. And so, these allergies are something that we also want to capture in the matrix as well. And then lastly, we want to capture nutritional needs. And this represents the risks that we see in our environment. The attack surfaces, the threats, the vulnerabilities that can potentially harm us. And the combination of these then is what I call the stack. What we're going to do is to map each of these different layers to the cyber defense matrix, and I'll show you how we might go about doing that. In doing so, we should be able to answer these three questions. How secure are we? And to answer that question, we would look at our existing capabilities. Next, how secure should we be? And here, we're looking at proven practices plus the risks that we have to address. And then lastly, how do we get there? And for this, we're going to look at what's available in the market plus be mindful of the constraints that we have to deal with. And my hope is that we can take this approach. I've used this approach for enterprise security, but my hope is that we can use a similar type of approach to help us address some of the challenges that we see in healthcare. So first, let's look at our pantry. Now, if you're trying to do enterprise security, there's a lot of capabilities that are at our disposal. Unfortunately though, I think when it comes to healthcare, many of those capabilities don't exist. And so we have to be mindful that our pantry may be a little bit more thin for healthcare.
And also just understanding what's available for the enterprise security market gives us a template, if you will, to say, hey, why don't we have some of these capabilities for healthcare? Let's find investment to be able to build some of these capabilities out. So capturing the existing capabilities, that's representation of how secure we are. Let's now move to the proven practices. One of the ways that proven practices are articulated is through the CIS controls. As of version 7, actually, they already map directly to the cyber defense matrix. So if you look at version 7 and the more recently released version 8, you'll see that there's actually already a mapping to the cyber defense matrix. I'm not a healthcare expert and I haven't worked in healthcare before, but I'm not sure to what degree the CIS controls can apply to healthcare environments. But I suspect that a good amount of it can overlap or can be applied in those environments. But nonetheless, I think it's important to recognize that not everything is going to fit exactly. But the CIS controls are at least a starting point to be able to say, here are controls that we can implement, but not only that, here's a set of controls that we can implement in a certain priority order. So we should do number one first before we do number two, number two before we do number three, and so on and so forth. So anyway, the CIS controls provide an example of how we take this notion of recipes and map it directly to the cyber defense matrix. Again, the CIS has already mapped it to the matrix, so the work's already been done for you. And this gives you a sense of the controls that you would need to implement for each of these boxes, as well as the priority order that you would follow. So we've captured existing capabilities, we've captured proven practices, and to be able to answer the rest of the question on how secure we should be, let's also look at risks.
And to that end, the cyber defense matrix provides a way that we can actually visualize our risk and attack surfaces and vulnerabilities and so on and so forth. So here's an example of how we can look at attack surfaces. If I look at a traditional three tier web application, there's a lot that I need to secure. I need to secure the server, I need to secure the application, I need to secure the network, I still need to secure the data. And when we consider all that I need to secure and the attack surfaces associated with it, we can see that there's a lot of controls that are needed. Compare that to let's say a serverless function where I can remove much of my attack surface or at least transition the risks associated with that to the provider that's providing the serverless function. But ultimately, it gives me a visual depiction of a path that I want to encourage others to take, which is I want to move from this traditional three-tiered architecture to one that actually has a reduced attack surface. And the reduced attack surface is something that gives us an opportunity to be more secure because we're building on more defensible infrastructure that has fewer attack surfaces. Just being able to visualize this I think is a powerful way to help our partners and stakeholders move to more defensible infrastructure overall. And it allows us to understand again what controls may be needed to be able to address some of the risks that we see. Another mapping, or another mechanism, another tool that I'm sure many of you are familiar with is the MITRE ATT&CK framework that characterizes a lot of the TTPs that we see attackers following. And if we look closely at the MITRE ATT&CK framework, you'll see that there's also specific asset classes that are represented in the TTPs.
So not everything or many of the TTPs that you see in the MITRE ATT&CK framework tend to be device-oriented, attacking things like your workstation and Windows and so on and so forth. But there are other TTPs in the ATT&CK framework that map to an attack against an application or an attack against a network or data or users. Within each of the TTPs, there's also additional information in terms of how would you find these attacks? How would you know that an attack occurred or one of these TTPs was used? And so it captures information like what data sources you need. It also captures information on what protective mitigations you might want to put in place. And if you're not familiar with the Cyber Analytics Repository, or CAR (car.mitre.org), it also provides the analytic approach or method, the logic to be able to look for these attacks within one's environment. And what I've done here is to be able to just map each of those different types of information to the different asset classes that are within the cyber defense matrix. So that maps the attack surfaces and the risks that we see in our environment and to be able to characterize how secure we should be. Lastly, we want to understand how do we get there. And to that end, let's look at market capabilities. So what sort of vendors are out there? Now, I tried to do my best here to find vendors that are specialized towards the healthcare market. And it seems to be relatively small. Now, again, I don't know the mid-market as well. And so if I make a mistake here or if I left somebody out, please forgive me. I'm not endorsing any of these vendors. In fact, the ones that you see here are really based on how easily I could find their logo. So I'm sure I'm missing plenty of vendors out there. And the mapping itself again, it's based on what I could dissect in the marketing language that I see in the vendor website. But nonetheless, I think overall you can still see that there's interesting concentrations and gaps as well.
Interesting concentrations in that there's a lot of companies that are helping to identify the presence of medical devices. But a lot of the other places are a bit weaker in terms of being able to perform the various functions that you see in the cyber defense matrix. By the way, also there's plenty of vendors who will come to me and say, hey, no, I do X, Y and Z. There's a distinction that I want to make between I do something versus I support something. So there are capabilities where a particular vendor will definitively do something associated with, let's say, identifying devices. But oftentimes they may not necessarily protect them. Rather, they will enable something else to protect that device. And so it requires a bit of synthesizing or just dissecting the wording of the marketing details. But that's an important facet of understanding how to use this matrix rapidly. To understand the primary function of a particular vendor product and a secondary one, the secondary one or a second order function tends to require another first order capability to be in place. And that's something that the cyber defense matrix also helps us understand and navigate as well. So that's the market capabilities. And then lastly, we want to understand constraints. And to that end, if we had our own way, if security folks could have our own way, we might want to actually implement, I think we may want to implement all these controls that we have available to us. But that may not necessarily be the most wise or cost efficient. A lot of people look at the cyber defense matrix as a bingo card. You can see why that's the case. But our goal in security isn't always to play blackout. We don't necessarily need to check all the boxes on here. What we want to be able to do is to be able to declare bingo by filling in just enough boxes that satisfies our risk tolerance for the environment. 
And oftentimes, some of these boxes we may not be able to check because they create some sort of business impact. There's some sort of allergy associated with implementing a certain control here or there. To be able to capture that systematically, the cyber defense matrix again provides a great organizing framework to be able to see what controls we have, but also where we need to consider the business impact that may come from implementing a certain set of controls. In certain environments, we may have no constraints at all. So for example, in a call center, we can implement whatever controls we want. But again, like I said, we may not want to because it's expensive. And for the particular environment that we're dealing with, we may be willing to accept some degree of risk and not have to implement every possible control that even if we could implement every possible control, it just may not be cost effective based on the risk exposure that we might have. In other cases, we may not be able to implement a sufficient amount of security controls because it creates some degree of business impact. And ultimately, what we want to be able to do is to have a systematic mechanism where we can capture those conflicts, those trade-offs, those risk management trade-offs where we're saying we're willing to forego a certain set of security controls even though we want to implement them or need to implement them because it's going to create some business impact. Or alternatively, when we implement a certain set of security controls that does create business impact, at least we're doing it knowing that it's going to create some business impact. And we've negotiated that and discussed that with other stakeholders where they're willing to accept that business impact as well. An example of this in the financial services environment would be something like high-speed trading. 
So high-speed trading, if you put a firewall in there, you might as well close business because it's all predicated on dealing with again information very quickly. And so we may have a security requirement to put a firewall in place, but we know that that's going to create some significant business impact and so we forego the use of the firewall. But there may be other compensating controls or other mitigating controls. What we want to be able to do systematically as a community is to be able to capture these constraints for these different types of user environments or different types of business environments and be able to say, okay, consider there are alternative design patterns that help us still increase the security posture or address the security challenges that we might have for that particular environment without creating business impact. I'm sure that in pretty much every organization you have some sort of sales and marketing team where you have some set of developers or analysts. We oftentimes are recreating the wheel every time as we learn how to work within these environments by creating a set of controls without creating a business impact. This understanding and these design patterns that we come up with, what I'm hoping we can do with the cyber defense matrix is to find a way to consistently capture these design patterns and these things that we learn so that we don't have to always keep recreating it and also be able to improve upon it over time as well. So now I've mapped each of these layers to the cyber defense matrix and in doing so we can now see how each of these layers can help us answer the question of how secure should we be and how do we get there. And what we want to do is to then combine these five layers and in doing so we can actually understand our overall decision space and the range of risk management options that we have in front of us.
So in combining these we can then say there are a couple of areas for example right here where it may be just table stakes, just do it sort of opportunity. So in this particular situation right here we have a proven practice that we know we should implement. There are commercial capabilities available. There's an active risk issue that's here but we just don't have any existing capabilities and there's no business constraints that limit our ability to implement a control. So that will be a situation where we could just do it. There's nothing really stopping us. Conversely, let's look at this situation over here where it's a similar sort of circumstance with a proven practice with commercial capabilities available with an active risk here as well but there is a mission constraint or some business constraint. And so in those situations what we want to be able to do is to recognize that there is some business impact that may occur if we implement some control. But ultimately it's a discussion that we need to have with the business to say do we want to address this issue? Do we want to forego it and accept the risk associated with it? There are other opportunities to mitigate that control by putting in controls elsewhere. All right. Now what I've shown you, these five layers, is a starting point for how I look at using the cyber defense matrix but we can go beyond even in capturing additional information that helps us further develop and mature our security program. Think of the initial five things that we talked about before as creating the food, right? Now it's a question of how good does it taste or how cost effective is it? And so what we want to be able to do is capture measurements here. As I mentioned earlier the cyber defense matrix is a great organizing construct and we can organize lots of interesting information into the matrix here.
And so here's an example of how we can organize, for example, the metrics and measurements that we have associated with our program as well as how much we're spending associated with each of the different buckets or each of the different capabilities that we see in the cyber defense matrix. What I'm showing here is just a range of different things that we could potentially capture and organize into the cyber defense matrix. Measurement is a really hard challenge for many of us and I would offer there's a couple of different levels of measurement that we can use to understand our security program and then subsequently be able to capture it. Some of the measurements are easier, some of them are harder. Easier ones are going to be just do we even have the capability at all? Do we have a firewall, for example? It's like saying that we have a vaccine. The next level is the firewall turned on. Have we actually opened the vaccine vial? The next one would be are we actually turning on the features associated with the firewall? So number two can be yes, we have a firewall, but it just doesn't have any rules. Number three would be we've actually put in specific ACLs into the firewall. And then number four is well, okay, great, you have a firewall, you have some product, you have some capability. How well does that actually work in dealing with the threats that we see? And then lastly is cost, which is ultimately how cost effective is it relative to the security benefit that we're getting. For each of these, there are, again, different levels of difficulty in getting these values. And I don't expect any organization to have all these values. But we oftentimes have some of these values, but don't really have a great home for it.
And what I will propose is that the cyber defense matrix at least provides us a place to organize this information, put it in a place where we can see it relative to other bits of information, and just be able to methodically improve upon what we already have today once it's organized in this fashion. Now the cyber defense matrix, I've just shown you really just a small handful of use cases. My original use case, as I mentioned, was just to map vendors. But back in 2016, I showed a whole bunch of other use cases, which I'm not really presenting here. But if you wanted to dig further into some of these, feel free to look at the link here and you'll see some of the use cases that I presented then. And in 2019, I gave an update to that as well with a ton of other use cases. At this point in time, I have roughly about 50 some use cases, which will take me too long to go through in this session. But nonetheless, it's a very interesting framework that we can use to understand our space better and be able to find ways that we can improve the security posture of our environment. As I mentioned, I used this at Bank of America. I've used it since then to be able to understand the space better and to create new use cases. I think it has a lot of applicability for healthcare, especially since some of the problems that we're seeing in healthcare we've already addressed in the enterprise security space. The enterprise security space, in fact, provides a template for what the healthcare side needs to also address as well. So why not use what we learned and the structures and the approaches and understand how that can be used to help guide investment and areas for investigation. And with that, if you have any additional questions or want to get additional information about the Cyber Defense Matrix, here's how to contact me. And I hope that you find the Cyber Defense Matrix useful.
If you have any use cases that you come up with or you wanted to offer any feedback on what you saw, please feel free to reach out. And thank you very much.
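The five-layer combination the talk describes (recipe, pantry, market, allergies, nutritional needs, each reduced to a flag per cell of the five-by-five grid), modelled in Python as an added illustration that is not part of the talk or of the Cyber Defense Matrix project. The two decision outcomes from the talk ("just do it" and a business discussion) are derived from the flags; the remaining categories, the `Layers`/`classify`/`decision_space` names and the sample cell data are assumptions made here.

```python
"""Decision space of a Cyber Defense Matrix 'stack' (recipe, pantry, market,
allergies, nutritional needs) over the 5x5 asset-class x NIST-function grid.
All cell data below is constructed for illustration, not any real program's."""
from dataclasses import dataclass
from itertools import product

ASSETS = ("devices", "applications", "networks", "data", "users")
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")


@dataclass(frozen=True)
class Layers:
    """The five stack layers for one matrix cell, each reduced to a flag."""
    recipe: bool = False   # proven practice (e.g. a CIS control) says do this
    pantry: bool = False   # we already have a capability in this cell
    market: bool = False   # a commercial capability is available to buy
    allergy: bool = False  # business constraint / impact if we implement it
    need: bool = False     # active risk: attack surface, threat or vulnerability


def classify(cell: Layers) -> str:
    """Map one cell's layer flags to a decision category.

    'just do it' and 'business discussion' are the two cases described in
    the talk. The other categories are an assumption added here so that
    every combination lands somewhere; adjust them to your risk tolerance.
    """
    if cell.pantry:
        return "covered"            # capability exists: go measure it instead
    if cell.recipe and cell.need and cell.market:
        return "business discussion" if cell.allergy else "just do it"
    if cell.recipe and cell.need:
        return "market gap"         # should do it, nothing to buy: build or wait
    if not cell.recipe and not cell.need:
        return "not required"       # no practice asks for it, no risk drives it
    return "review"                 # only one of practice/risk present: analyse


def decision_space(stack: dict) -> dict:
    """Classify every (asset, function) cell; cells absent from the stack are
    treated as having no layer information at all."""
    return {
        (asset, func): classify(stack.get((asset, func), Layers()))
        for asset, func in product(ASSETS, FUNCTIONS)
    }


def render(space: dict) -> str:
    """Text grid: assets down the side, NIST functions across the top."""
    width = 20
    rows = ["".ljust(13) + "".join(f.ljust(width) for f in FUNCTIONS)]
    for asset in ASSETS:
        rows.append(asset.ljust(13) + "".join(
            space[(asset, f)].ljust(width) for f in FUNCTIONS))
    return "\n".join(rows)


# Constructed sample stack: a handful of cells with their layer flags set.
SAMPLE_STACK = {
    ("devices", "identify"): Layers(recipe=True, market=True, need=True),
    ("networks", "protect"): Layers(recipe=True, market=True, need=True,
                                    allergy=True),  # cf. the trading-floor firewall
    ("data", "recover"): Layers(recipe=True, need=True, pantry=True),
    ("applications", "detect"): Layers(recipe=True, need=True),
    ("users", "respond"): Layers(need=True),
}

if __name__ == "__main__":
    print(render(decision_space(SAMPLE_STACK)))
```

Filling in real flags per cell (for instance from the CIS-to-matrix mapping for `recipe` and an asset inventory for `pantry`) turns the grid into the bingo card the talk mentions, with the categories showing which boxes are worth filling first.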