Cyber defense matrix - A new model for optimal composition of cybersecurity controls to construct resilient risk mitigation

Ashutosh Dutta, Ehab Al-Shaer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Most enterprises aiming to deploy a cost-effective security configuration follow information security standards and guidelines, such as the CIS Critical Security Controls (CIS CSC) [2], to adopt cybersecurity controls. With increasing dependence on cyber systems, the landscape of cyber attacks is escalating quickly, and as a consequence hundreds of cybersecurity controls have to be delineated to implement the NIST Cybersecurity Framework (i.e., identify, protect, detect, respond and recover) [6]. The security configuration comprising the appropriate set of security controls must not only be optimized for Return on Investment (RoI) but also be resilient to failures under diversified cyber attacks. However, composing such an optimal and resilient cybersecurity portfolio (security configuration) is a highly complex and error-prone task, because the large number of security controls, threats, resource constraints and usability constraints yields an exponential number of candidate portfolios. The objective of this research is to develop a novel, automated approach to compose optimal and resilient risk mitigation plans by selecting the most critical security controls (CSC) subject to an affordable residual risk (risk appetite), budget, resiliency and enterprise-oriented usability constraints. We developed a model named "Cyber Defense Matrix (CDM)" that represents the deployed cyber defense strategy. The CDM has three dimensions, Security Function (what), Enforcement Level (where) and Kill Chain Phase (why), and this structure enables the composition of multi-layer and multi-stage resilient defense configurations.
Our approach leverages CDM to determine which security controls are needed for "what" security function (Identify, Protect, Detect, Respond and Recover), "where" each security control should be enforced in the cyber systems (Network, Device, People, Application and Data), and "why" they are effective (i.e., against which attack and at which phase of the kill chain). We formulate the computation of the resilient cybersecurity plan as a CDM expressed in SMT constraints.
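The following Python is an added, constructed illustration of the portfolio-composition problem the abstract describes; it is not the authors' code and does not reproduce their SMT model. Each control is placed on the three CDM axes (function = what, enforcement level = where, and the attack and kill-chain phase it acts on = why), and a portfolio is accepted only if it stays within budget, brings the residual risk under the risk appetite, and is resilient in the multi-layer, multi-stage sense: every attack must be mitigated at two or more distinct kill-chain phases by controls at two or more distinct enforcement levels. Cost is minimized as a stand-in for RoI. All control names, costs, effectiveness fractions and base risk figures are invented for the example, and the exhaustive enumeration over all 2^n subsets is the exponential search that the paper replaces with an SMT solver.

```python
"""Added example: choosing a CDM-style control portfolio under budget, risk-appetite
and resilience constraints. Catalogue, costs and risk numbers are constructed."""
from dataclasses import dataclass
from itertools import combinations

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
LAYERS = ("Network", "Device", "People", "Application", "Data")


@dataclass(frozen=True)
class Control:
    name: str
    cost: int
    function: str   # "what"  (one of FUNCTIONS)
    layer: str      # "where" (one of LAYERS)
    # "why": (attack, kill-chain phase where the control acts,
    #         fraction of that attack's remaining risk it removes, 0..1)
    mitigates: tuple


# Constructed catalogue; effectiveness numbers are illustrative only.
CONTROLS = (
    Control("email-filter",       3, "Protect",  "Network", (("phishing", "Delivery", 0.6),)),
    Control("awareness-training", 2, "Protect",  "People",  (("phishing", "Delivery", 0.4),)),
    Control("edr",                5, "Detect",   "Device",  (("phishing", "Installation", 0.7),
                                                             ("ransomware", "Installation", 0.7))),
    Control("app-allowlisting",   4, "Protect",  "Device",  (("ransomware", "Exploitation", 0.8),)),
    Control("offline-backups",    3, "Recover",  "Data",    (("ransomware", "Actions", 0.9),)),
    Control("egress-filtering",   2, "Detect",   "Network", (("phishing", "C2", 0.5),
                                                             ("ransomware", "C2", 0.4))),
    Control("ir-playbook",        1, "Respond",  "People",  (("phishing", "Actions", 0.3),
                                                             ("ransomware", "Actions", 0.3))),
    Control("asset-inventory",    2, "Identify", "Device",  (("ransomware", "Recon", 0.2),)),
)

# Constructed loss expectancy per attack before any control is applied.
BASE_RISK = {"phishing": 100.0, "ransomware": 150.0}


def residual_risk(portfolio, base_risk=BASE_RISK):
    """Independent-effectiveness model: each mitigation removes its fraction of
    whatever risk the earlier controls left for that attack."""
    remaining = dict(base_risk)
    for c in portfolio:
        for attack, _phase, eff in c.mitigates:
            remaining[attack] *= (1.0 - eff)
    return sum(remaining.values())


def is_resilient(portfolio, attacks, min_phases=2, min_layers=2):
    """Multi-stage and multi-layer: every attack must be mitigated at >= min_phases
    distinct kill-chain phases by controls at >= min_layers distinct layers, so a
    single failed control never leaves the attack unmitigated."""
    for attack in attacks:
        phases = {p for c in portfolio for a, p, _ in c.mitigates if a == attack}
        layers = {c.layer for c in portfolio if any(a == attack for a, _, _ in c.mitigates)}
        if len(phases) < min_phases or len(layers) < min_layers:
            return False
    return True


def plan(controls=CONTROLS, budget=12, risk_appetite=40.0, base_risk=BASE_RISK):
    """Enumerate all 2**n portfolios and return the cheapest one that is within
    budget, within risk appetite and resilient (ties broken by lower residual
    risk). Returns None when the constraints cannot be met together."""
    best = None
    for k in range(len(controls) + 1):
        for portfolio in combinations(controls, k):
            cost = sum(c.cost for c in portfolio)
            if cost > budget:
                continue
            risk = residual_risk(portfolio, base_risk)
            if risk > risk_appetite or not is_resilient(portfolio, base_risk):
                continue
            key = (cost, risk)
            if best is None or key < best[0]:
                best = (key, portfolio)
    if best is None:
        return None
    return {"controls": tuple(c.name for c in best[1]),
            "cost": best[0][0],
            "residual_risk": round(best[0][1], 2)}


def matrix_view(portfolio_names, controls=CONTROLS):
    """Project the chosen controls onto the function x layer grid of the CDM."""
    grid = {(f, l): [] for f in FUNCTIONS for l in LAYERS}
    for c in controls:
        if c.name in portfolio_names:
            grid[(c.function, c.layer)].append(c.name)
    return {cell: names for cell, names in grid.items() if names}


if __name__ == "__main__":
    result = plan()
    print(result)
    for cell, names in sorted(matrix_view(result["controls"]).items()):
        print(f"{cell[0]:>8} / {cell[1]:<11} {', '.join(names)}")
    print("budget 6:", plan(budget=6))
```

With the constructed numbers the cheapest feasible portfolio costs 7 and pairs awareness training with egress filtering against phishing and offline backups with egress filtering against ransomware, landing at a residual risk of 39; shrinking the budget to 6 leaves no portfolio that is both resilient and under the risk appetite, which is the kind of infeasibility an SMT formulation reports directly instead of after enumerating every subset.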

Original language: English
Title of host publication: Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security, HotSoS 2019
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450371476
DOIs
State: Published - 1 Apr 2019
Externally published: Yes
Event: 6th Annual Symposium on Hot Topics in the Science of Security, HotSoS 2019 - Nashville, United States
Duration: 1 Apr 2019 - 3 Apr 2019

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 6th Annual Symposium on Hot Topics in the Science of Security, HotSoS 2019
Country/Territory: United States
City: Nashville
Period: 1/04/19 - 3/04/19

Bibliographical note

Publisher Copyright:
© 2019 Copyright held by the owner/author(s).

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
