July 14, 2025 • 25 mins
Join G Mark Hardy in this special episode of CISO Tradecraft as he interviews Ross Young, the creator of the OWASP Threat and Safeguard Matrix (TaSM). Ross shares his extensive cybersecurity background and discusses the development and utility of the TaSM, including its applications in threat modeling and risk management. Additionally, Ross introduces his upcoming book, 'Cybersecurity's Dirty Secret: How Most Budgets Are Wasted,' and provides insights on maximizing cybersecurity budgets. Don't miss this episode for essential knowledge on enhancing your cybersecurity leadership and strategies.
OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
Transcripts - https://docs.google.com/document/d/1anGewI3XccGnXoV3oE2h7BfelY5QxiSL/
Chapters
00:00 Introduction to the Threat and Safeguard Matrix
00:30 Meet Ross Young: Cybersecurity Expert
01:08 Ross Young's Career Journey
01:59 The Upcoming Book: Cybersecurity's Dirty Secret
03:04 Introduction to the Threat and Safeguard Matrix (TaSM)
03:48 Understanding the TaSM Framework
07:10 Applying the TaSM to Real-World Scenarios
19:32 Using TaSM for Threat Modeling and Risk Committees
21:58 Extending TaSM Beyond Cybersecurity
23:52 AI Risks and the TaSM
24:43 Conclusion and Final Thoughts
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, have you ever wondered aboutthe threat and safeguard matrix
(00:02):
that's on OWASP and how useful it is?
I got a special episode comingup where we're gonna talk to the
creator of that right after this.
(00:22):
Hello, and welcome to another episodeof CISO Tradecraft, the podcast that
provides you with the information,knowledge, and wisdom to be a more
effective cybersecurity leader.
I'm your host, G Mark Hardy, andtoday we're gonna be talking with Ross
Young, the author of the Threat andSafeguard Matrix from OWASP, who also
does a lot of, other amazing things.
Ross, welcome to the show.
(00:43):
Hey, thank you G Mark.
So back, so good to be here.
So we've known each other for a number ofyears, and you have done a lot of work.
I remember when I first metyou, you were working as a CISO
for a financial corporation.
you've been a CISO foran investment group.
you've got a background that includes CIA.
(01:03):
why don't you just tell everybody alittle bit about you, because I think
they'll just find your story fascinating.
Thanks.
I started my career inthe federal government.
I always knew I wanted to dooffensive cybersecurity, so
I, did my internship at NSA.
I spent, 10 and a half years at theCentral Intelligence Agency, five
years on the offensive side, andthen also did a lot of DevOps and,
(01:26):
really helped secure the applicationsthat our folks were building.
And then I did, cloud securityat Capital One for two years.
Got to be there during the large CapitalOne data breach and spent four years
as the CISO a Caterpillar Financial.
And, most currently I've been the CISOin residence at Team8, which is one
of the largest Israeli venture capitalfirms that focuses on cybersecurity.
(01:49):
And you did this all before youturned 65, so that's pretty good.
So yeah, so you got an extensivebackground on things and one
of the things I love about youis you do a lot of writing.
you've actually got a bookcoming out as well as I recall.
You ready to talk about that yet?
Or is it still just in those, stealth
I've actually already posted just alittle bit of about it on LinkedIn.
(02:10):
So if you go to Ross Young on LinkedIn,you'll see that I'm writing a book called
Cybersecurity's Dirty Secret (02:14):
how Most Budgets Are Wasted because I found.
there's so much more wecan do with our budgets.
How do we make sure wemaximize every dollar?
How do we get, better, spending and,looking through broken processes
and fixing all of those things?
So currently I'm talking to lotsof CISOs to get some of their
(02:34):
stories to include in the book.
I've written over a hundred pages andit should be coming out, fairly soon.
So I haven't made any dates.
So please don't say, isit coming out in August or
Soon as a safe bet because no one'sgonna say, wait a minute, where is it?
It's not on, it's not here.
But yeah, I've, had a chance,full disclosure to do some
pre-publication review, and I lovewhat he's got to write on there.
(02:55):
It's, very valuable when it does come out.
It's gonna be something that I think.
Is gonna make the list of essential booksfor Chief Information Security officers
and for those who wanna become a CISO.
But one of the things you developed alittle while back is that I think has
really been very influential, has been thethreat and safeguard matrix or the TASM
and I. I'd love the logo that you came upwith a little Tasmanian Devil with a cape.
(03:18):
But for those who wanna follow along withus, if you're at your computer, it's the
OWASP Threat and Safeguard Matrix TaSM
. You can just go to owasp.org and look forTaSM or just Google it and pull it up.
And I'm gonna do that right now.
So I've got that on myscreen in front of you.
But Ross, tell me a little bit about,what is the TaSM, where'd it come
(03:39):
from, and really how do people use it?
And then maybe we'll walk througha couple scenarios of how it
could be incredibly useful.
Yeah, of course.
So I spent a lot of time researching otherfolks' models and frameworks and figuring
out what would help me, especially as Iwas stepping into my first true CISO role
as the CISO at Caterpillar Financial.
(04:00):
And one of the models that really stuckout to me is the Cyber Defense Matrix
by Sounil Yu and what he does on theleft hand side and the rows, he puts,
application data network, the traditionaltech layers that we see, and on the
NIST five functions on the, in, onthe vertical slices above, identify,
(04:21):
protect, detect, respond, recover.
And so the idea being that, how doeshe go to a place like RSA or Black Hat
and be able to quickly say, oh, you'rea DLP vendor, so I'm gonna put you in
the data column and I'm gonna put youunder the protect, let's say matrix.
Quadrant here, and it's really helpfulfor figuring out where things play at.
(04:42):
And I studied that model and Ithought, that's really helpful.
It helps me understand a lot of things.
But when I talk to my organizationalleaders, the chief financial officer, the
chief audit officer, data privacy, they'renot technical, I can't really have,
application layer discussions with them.
So I, I decided to transform that andinstead of putting the tech layers
(05:05):
on the side, I said, why don't we put
material threats to our company?
And so now you can say, how wouldwe identify, protect, detect,
and respond to a phishing attack?
Or how would I identify, protect,detect, respond, and recover
to a web application attack?
And now suddenly, when you thinkabout this, it allows us to quickly
(05:28):
build a defense in depth matrix.
Of how we're going to safeguard ourcompany against these material threats,
and I think that is the core of whatwe have to be able to do as a CISO.
That's fascinating.
So really what we did, and of courseSounil Yu has been on our show
more than once, and so for those.
Were not familiar with his work.
Go back and take a look, so rememberSounil Yu in terms of his model.
(05:52):
We had five columns and it included.
Identify and protectthat was left of boom.
And then detect, respond,recover, right of boom.
But here in this particular case,instead of looking at people and
technology and things, you'relooking at specific threats.
Now, the thing I like about the TaSMmodel is it's highly customizable
based upon your own perceptionof what your threats might be.
(06:14):
And so for those of us who are CISOsand security leaders, we should be
paying attention to threat intelligence,knowing what it is that we're most.
Worried about, for example, you could beworried about something like, a scenario
of, bring your own device issues or CEOimpersonation or there's a number of
'em that you offer up on your website.
But if we were to go ahead andthen be very specific about that,
(06:38):
we could say, okay, what are theelements that would allow us to
identify this particular threat?
And then in advance, how do we protectagainst it and should it materialize?
What are the things that we cando, detect, respond, and recover.
Now, unlike Sounil's Matrix where you'redropping products, descriptions, or
vendor names in here, what are you puttingin each of these little boxes instead?
(07:01):
Yeah, so we're using the term safeguardsand a safeguard could be a tool, it
could be a process, or it could be ahuman, perhaps doing human oversight.
And so just think of the examplehere of maybe your developers are
releasing a new AI model, right?
You could have a tool that scansthat AI model and says, oh,
doesn't comply with whatever.
(07:22):
You could have a human.
Maybe a second person whoreviews the lines of code before
it gets merged in a GitHub.
or maybe you have a process, right?
Where, different things haveto happen, in an organization.
So maybe you have to, verifythat things get changed once
a year or something like that.
(07:42):
so these are the different ways that theycan be applied out as safeguards and,
just to maybe call out on the threats.
one of the things I wouldhighly recommend is looking at.
The most common threats for the last year.
So think about, maybe you startwith the Verizon data breach
report and you say, I'm worriedabout, credentials being stolen.
I'm worried about phishing happening.
(08:03):
I'm worried about, just unpatchedvulnerabilities that are exploited.
You would wanna make sureyou go through those.
'cause those are just socommon and likely to happen.
But then there's gonna be thingsthat are unique to your business.
And I actually put a list of about 25different common examples of threats.
maybe you're really worried about yourcompany's CEO being deep faked, and that's
(08:27):
different for other companies than yours,but you're focused, your company is, Tesla
and Elon Musk is all over the board wherehe can easily be recorded and deep faked.
So things like that, I think is whereit's helpful to look at this and
then run that through the matrix.
Got it.
And so what you had mentioned thoughis that you're looking at safeguards.
(08:48):
So we're gonna populate our matrix,not with necessarily products or
tools, but safeguards, which couldinclude things such as user training.
being able to go ahead anddo non-technical measures
and things like that.
so what it sounds like is that we canuse, as you'd said, common sources.
(09:08):
what's bad this year?
If we go ahead and look atVerizon data breach report, we
could take a look at something.
For example, red Canary comes outwith a monthly report that says
these are the biggest things.
SOC coolish is now up at number oneor number five or whatever, and this
thing has changed and the like, and.
Click fix is, what I'm seeing is inmy environments where attackers are
(09:31):
convincing users who are perhapsnot familiar with Windows machines.
Oh yeah.
Just go ahead and do a WindowsR, a Control V and an Enter, and
that proves that you're a human.
Instead of counting the number ofmotorcycles or something like that,
which in fact it's just copying thebuffer into a command window running
it, which then will probably kick off aPowerShell script, which will download
(09:52):
some malware, which is then gonna go aheadand say, oops, your files are encrypted.
But your average user who does notunderstand what's going on under the hood.
So using that as an example, if wetalk about our threat and safeguard
matrix, and we're gonna populate a row,and I just pick this one because it's
something that I've been dealing with.
Lately in our scenarios, what wouldwe, for example, put down there in the
(10:13):
identified box when we're looking atClick Fix as being the potential threat?
Yeah, so I, I think you wouldwanna say, where could this happen?
How do we identify sources?
maybe it's on the end pointswhere users can input, new
applications or new scripts to run.
Maybe it's on the server side.
(10:34):
Do we think it's onnetwork or applications?
start to put that.
Then talk about, howwould we inventory that?
How would we know all theapplications or all the, laptops?
Do we have something that says, okay,here is our system inventory, or
CMDB or something like that we have.
Now, once we've identified those,another thing that actually falls under
(10:56):
this identify is how would we know?
Where there's some vulnerabilitiesaround these things, right?
So let's just say we know thatdevelopers have the ability to write
custom PowerShell scripts on our boxes.
That's probably a vulnerability if anybad actor can phish one of your developers
(11:16):
and then instantly run PowerShellscripts on their Windows laptops.
So it's, identify all of the assets,plus identify how vulnerable they are.
And then when you go into the protectphase, in that box, you would start
to say, what could I do that wouldactually prevent scripts from happening?
And you just think of maybe there'ssomething like an allow listing software
(11:43):
like a threat locker that would say youcan't run these scripts only, this, let's
call it Windows program has the ability.
And that goes through a process whereyou're actually gonna say, this has
been reviewed, this script has beenauthorized, and now it can be run.
And if it doesn't have that hashof that script, it's not gonna run.
(12:04):
So that allow, listing softwareis a great protect example of what
you could put in this example here.
all left to boom here.
Exactly.
So these are things that we can put intoplace today before we ever encounter
the actual threat in our environment.
exactly.
Yeah.
I.
And then if we keep continue andwe go, let's say we go write a
(12:26):
boom and then we go on detect.
So how do we detect that?
What would be things we would put in such?
For example, I'm wondering to see is auser trying to run a PowerShell script?
'cause your average userdoesn't run PowerShell scripts.
perhaps is somebody going toan unusual website like a .xyz?
Are they trying to download an executablefile, things like that, that we could
(12:48):
pick up with all of our tool sets.
So those are things that I wouldput into the detect box as well.
Yeah.
So things that would identifyan attack has happened, right?
an example is maybe someone is usingCrowdStrike or Windows Defender and it
gets some, threat detection and it says,Hey, this script ran, and you now have
(13:10):
that telemetry in your SIEM, right?
So those, EDRs, those SIEMswould have some of that data.
perhaps some of the Windows loggingfeatures, or different application server
logs, could also contain that informationof here's what was run in the bash shell.
History, type commands, right?
So any of those things wouldbe good examples of detect.
(13:33):
And then once you have those detects,then you could, start to move into
the respond and recover phases.
As I'm thinking on the Protect, I'mactually, going through and building
out this matrix is that another thingon the Protect is to be able to,
say, Hey, can I block people tryingto go to odd top level domains?
For example, I have not yet seen one ofthese click fixes that goes to a .com.
(13:57):
A normal domain, so to speak.
it's gonna go to some unusual extensionthat probably is not well regulated.
There's often some weird stuff out there.
So using a tool like an umbrella orthe like, or Z scale or something,
you can say, Hey, you just can'tget there from here, number one.
So that's protecting you.
And the other thought is thatfrom that perspective is maybe
(14:18):
you block brand new domains.
'cause a lot of these things, they'llspin up a domain to do this attack.
If they don't have any intention ofpaying for it, so after 72 hours, the
registrar says, Hey, you didn't pay.
We're shutting down your domain.
But hey, they've alreadyrun the ransomware campaign.
It's all about cost management.
Protect, detect.
Now in the respond phase, we wouldsay, okay, if this thing actually
(14:39):
materialized and something hit the fan,we would put the response in there.
And then for people trying to understandthe difference between respond and
recover, looking at the the cybersecuritymatrix and things like that, how would
you help people get them in the rightboxes between respond and recover?
Yeah, so responses tendto be temporary, right?
(14:59):
We're spinning up the incidentresponse team to do certain actions,
so maybe when we don't know how badthese PowerShell scripts are, we just
turn 'em off for the entire companybecause we don't want this to continue
just spreading and causing more harm.
But ultimately we're going tohave some PowerShell scripts.
(15:21):
We want to, let's say, turn backon because it's probably part of
the new laptop deployment scriptsby the help desk team, right?
So in the response phase,maybe we turn it off.
We actually say, oh my goodness,let's review the roles.
How many people have access to this?
Is it hundreds of developers, oris it only the three admins who
(15:44):
are on this help desk team, andwe kinda rightsize those things.
And then once, once we get that to aplace to where we feel it's safe, recover
is all about resuming operations, right?
So here we're gonna turn backthose, PowerShell scripts
back on, maybe one by one.
We have to review which ones we're gonnaturn on and others we're just gonna leave
off, or we've changed the roles around it.
(16:06):
Another example where recover isreally different also tends to be
on the DevOps side of the house.
So let's just say something had encryptedand stolen the data, we'd probably just
blow that server away and then just deploya brand new server versus trying to risk.
Let's say resuming an old server that weknow previously had malware that maybe
(16:27):
we removed it, but we didn't get all ofit, and then it still has malware on it.
So in that example, recover is, Hey, we'regonna roll out a new server, make sure
it's all patched, make sure there's noway the root cause of how the bad actors
got in is still accessible and now youhave something that's fully deployed.
Now with the structure and bybeing able to look at something
(16:47):
like a TaSM, that's also somethingthat I can share with others.
That is to say, I can go ahead and goto, let's say, if I'm trying to get
some budget for something to say, hereis a threat that we have identified.
I. It may or may not have landed onus yet, but we can all agree that
we are concerned about it becauseit's being targeted against us.
And then looking at these different steps,I could pick a couple of things that I
(17:10):
can say, these are measurable results.
And the things that you go ahead and youcan measure them, you can get them done.
And as you point out what gets done.
What needs to get doneis gonna get funded.
So after we've populated this TaSM,it's more than just being aware of the
actions to take, but your structurecould then be used to help drive a
(17:32):
push toward obtaining the tool setsor the capabilities that we need to
in fact improve our security, correct?
That's right.
So if you start reading on the page,you'll actually see I, I introduce a
cyber report card and, I just give anexample of what it could look like.
And when I was in my role, I wasstarting to say, what are the
(17:53):
things I'm most worried about?
I'm worried about, internetfacing vulnerabilities being
exploited by bad actors.
Okay, I should probably have ametric in there that says how fast
are we going to patch internet,facing servers or internal servers.
You probably have an SLA within yourorganization, and how do you show that?
And so month to month you show a status.
(18:14):
Where am I right now?
And then just because I'm at 15or 30 days, is that a good number?
I don't know on itself.
What I actually need to do is Ineed to do a trend analysis and
show where I was the month before.
Because if I was at, let's say 10days patching and now I'm at 50
days patching, that's a kind ofa bad trend for an organization.
(18:34):
And someone's gonna go and say, WTF,we need to actually go figure this out.
Why are we so much worse?
But if I was, at 50 days and now I'mat patching at 10 days, hey, let's go
celebrate, take everybody out to lunch.
'cause that's a really good improvement.
So that trend analysis really good.
And then the other thing I think youalso need is some type of goal or a
(18:55):
key, SLA that you're targeting.
maybe I have a policy that says weshall always patch within 30 days.
That's the generally acceptedSLA this organization has.
So when I'm measuring these things,I can look and say, oh, I'm, right
around that number, or I'm below it.
And when I'm not, are these things that Ibring up, to my executive risk committees?
(19:19):
Do I bring it up to the CIO inmonthly meetings just to show that
we are exceeding our organizationalrisk tolerance, if you will.
Wow.
So there's real utility there.
And another thing that I found thatas I'm looking at the way you've
described this is you could also useit TaSM for enhancing threat modeling.
(19:39):
And I'm thinking like, okay, fine.
If we're looking at applicationthreat models and discussions
and things like that.
This sounds like an interesting idea.
How would we use this TaSM structure thatyou developed to enhance threat modeling?
Yeah, so one of the things I findabout threat models, it feels like
everybody has their own differentway of doing a threat model.
And so if I did, a hundred threat modelsin one organization, I have a hundred
(20:02):
different standards, then it's really hardfor me to do a trend analysis that says
Hey, out of the a hundred threatmodels we did, 80 of 'em suffered
the same problem that maybe shouldbe an enterprise activity to fix.
And so what I like to dois look at two things.
One, create a simple data flowdiagram of whatever system it is
(20:23):
that you're trying to protect.
And then the second thing, let's justlook through the most common threats
that we typically see to applications.
And you can just think of the Strideacronym, spoofing, tampering, repudiation.
Information disclosure, denial of serviceand, elevation of privilege, right?
And you go in and say, howcould this app be spoofed?
(20:44):
How would we identify wherein the app that would happen?
And then how would weprotect that from happening?
And you go in and you work through that.
And now when you do that, you havea consistent way where you can go.
And actually talk to all the differentpeople and say, Hey, this is what we're
finding across all of our applications ina very consistent way, and we think this
(21:06):
is gonna be really helpful next year whenwe're planning our budget of what things
we need to tackle on an enterprise level.
And you can look for commonalities thatway too, because again, you benefit from
having a structured approach and you mightbe able to say that, Hey, a lot of our
applications, have these same findings.
If you go into the architecture.
Actual review boards, and you'relike, yeah, we should really focus on
(21:28):
that because we seem to be repeatingthis mistake over and over again.
You might miss that by looking atevery single thing individually,
but by being able to look atit in a comprehensive manner.
We do better.
So that's awesome.
how about for risk committees?
If you're trying to thinkabout more than that.
'cause we've been focusing pretty muchjust on, on cyber threats, but when
you're dealing with risk committees,they're not just interested in cyber.
(21:50):
They've got financial, legal, regulatorycompliance, hr, stuff like that.
Does, can that work over here as well?
So this is probably my favorite part ofthe model is it's one of the only models
that's just bigger than cyber, right?
you think of the CIA triad, you can'treally take confidentiality, integrity,
availability and apply that to anti-moneylaundering or how we're gonna handle
(22:14):
COVID risks and things like that.
But what you can do here is you can say,let's put all of the threats from the
company that are material in nature.
Then start ranking them so we can go aheadand say, finance is really worried about
changing interest rates because all thesecrazy tariffs that are going on right now.
Interesting.
Okay.
HR is really worried about all the NorthKorean employees coming into our company.
(22:38):
Gotcha.
Cyber, we're really worriedabout phishing, and now when I
start to rank all of these thingsas to how big, the risk is.
It allows cyber not just to be theone begging for money every year,
but now you have legal and HR andfinance actually saying, you know what?
Cyber is really the top number two andthree risks in our company and we think
(22:59):
we should really be spending more money.
And so you've built this coalition offorces, so supporting how you're going
to tackle material threats and moreimportantly, you're actually teaching the
NIST five functions now six, two, your.
Risk committee counterparts, people in HRhave never thought about how do I detect,
respond, and recover to certain things.
(23:22):
That's a cyber mentality.
So when we start bringing this knowledge,this Tradecraft to them, I feel like
we're helping them be more securewith the threats that are native to
financial, to hr, to legal, and givingsome of this, acumen from cyber.
And we are earning that C in CISOas a chief officer by being able to
(23:42):
bring new ways of thinking, betterapproaches toward solving business
problems, not just technical problems.
So yes, absolutely it extends beyond that.
And one last thought here.
What about ai?
Can this have any impacton our input of ai?
Absolutely, and, I won't spoil it andgo into all the details, but I put in
(24:02):
top seven AI risks that I saw acrossour organization and multiple companies,
after talking to hundreds of CISOs.
So you'll see there's sevenAI risks that I think are very
important to take a look at.
And then you can actually startplotting them through the matrix.
And here's the thing, the way you solve.
Sensitive data leaks is verydifferent than the way you
(24:24):
solve hallucination problems.
So making sure you understand how theyplay out in this matrix is really,
important because you're probablygonna have to buy very different tools,
put in very different processes, andimplement very different safeguards.
So take a look on the website and I thinkyou'll find some really helpful things you
could take back to your leadership team.
great.
we're gonna make this a shorterepisode because I think we wanted
(24:46):
to be, hit hard and hit fast.
But OWASP TaSM, if you can'tfind the website, we're gonna
put a link in our show notes.
But you can also Google OWASP TaSM.
First link will come right up,I think with any search engine.
Our guest has been Ross Young, theauthor of the OWASP TaSM, also a
person who's contributed significantlyto the cybersecurity community.
And I expect you'll see a lot more fromthis person, particularly 'cause he
(25:08):
is working on his book about how ourbudgets are wasted and things like that.
If you like our show, pleasego ahead and follow us on
LinkedIn if you're not doing it.
So already we have alot more than podcasts.
We also have a Substack newsletter.
We'll put out a steady stream of highsignal, low noise information that
you can get on our LinkedIn feed.
If you're following us on apodcast channel and you haven't
already given us a rating, giveus a five star or a thumbs up.
(25:30):
Why not?
'cause we're grade grubbing, butit improves our ranking so that
other people can find us as wellto help improve their Tradecraft
as well in the CISO environment.
We hope you've enjoyed the showand you find it very useful.
Drop us a note, touch us over onLinkedIn or something like that.
Would love to hear back from you here.
It's CISO Tradecraft, so thisis your host, G Mark Hardy.
Until next time, stay safe out there.
Hey, have you ever wondered aboutthe threat and safeguard matrix
(00:02):
that's on OWASP and how useful it is?
I got a special episode comingup where we're gonna talk to the
creator of that right after this.
(00:22):
Hello, and welcome to another episodeof CISO Tradecraft, the podcast that
provides you with the information,knowledge, and wisdom to be a more
effective cybersecurity leader.
I'm your host, G Mark Hardy, andtoday we're gonna be talking with Ross
Young, the author of the Threat andSafeguard Matrix from OWASP, who also
does a lot of, other amazing things.
Ross, welcome to the show.
(00:43):
Hey, thank you G Mark.
So back, so good to be here.
So we've known each other for a number ofyears, and you have done a lot of work.
I remember when I first metyou, you were working as a CISO
for a financial corporation.
you've been a CISO foran investment group.
you've got a background that includes CIA.
(01:03):
why don't you just tell everybody alittle bit about you, because I think
they'll just find your story fascinating.
Thanks.
I started my career inthe federal government.
I always knew I wanted to dooffensive cybersecurity, so
I, did my internship at NSA.
I spent, 10 and a half years at theCentral Intelligence Agency, five
years on the offensive side, andthen also did a lot of DevOps and,
(01:26):
really helped secure the applicationsthat our folks were building.
And then I did, cloud securityat Capital One for two years.
Got to be there during the large CapitalOne data breach and spent four years
as the CISO a Caterpillar Financial.
And, most currently I've been the CISOin residence at Team8, which is one
of the largest Israeli venture capitalfirms that focuses on cybersecurity.
(01:49):
And you did this all before youturned 65, so that's pretty good.
So yeah, so you got an extensivebackground on things and one
of the things I love about youis you do a lot of writing.
you've actually got a bookcoming out as well as I recall.
You ready to talk about that yet?
Or is it still just in those, stealth
I've actually already posted just alittle bit of about it on LinkedIn.
(02:10):
So if you go to Ross Young on LinkedIn,you'll see that I'm writing a book called
Cybersecurity's Dirty Secret (02:14):
how Most Budgets Are Wasted because I found.
there's so much more wecan do with our budgets.
How do we make sure wemaximize every dollar?
How do we get, better, spending and,looking through broken processes
and fixing all of those things?
So currently I'm talking to lotsof CISOs to get some of their
(02:34):
stories to include in the book.
I've written over a hundred pages andit should be coming out, fairly soon.
So I haven't made any dates.
So please don't say, isit coming out in August or
Soon as a safe bet because no one'sgonna say, wait a minute, where is it?
It's not on, it's not here.
But yeah, I've, had a chance,full disclosure to do some
pre-publication review, and I lovewhat he's got to write on there.
(02:55):
It's, very valuable when it does come out.
It's gonna be something that I think.
Is gonna make the list of essential booksfor Chief Information Security officers
and for those who wanna become a CISO.
But one of the things you developed alittle while back is that I think has
really been very influential, has been thethreat and safeguard matrix or the TASM
and I. I'd love the logo that you came upwith a little Tasmanian Devil with a cape.
(03:18):
But for those who wanna follow along withus, if you're at your computer, it's the
OWASP Threat and Safeguard Matrix TaSM
. You can just go to owasp.org and look forTaSM or just Google it and pull it up.
And I'm gonna do that right now.
So I've got that on myscreen in front of you.
But Ross, tell me a little bit about,what is the TaSM, where'd it come
(03:39):
from, and really how do people use it?
And then maybe we'll walk througha couple scenarios of how it
could be incredibly useful.
Yeah, of course.
So I spent a lot of time researching otherfolks' models and frameworks and figuring
out what would help me, especially as Iwas stepping into my first true CISO role
as the CISO at Caterpillar Financial.
(04:00):
And one of the models that really stuckout to me is the Cyber Defense Matrix
by Sounil Yu and what he does on theleft hand side and the rows, he puts,
application data network, the traditionaltech layers that we see, and on the
NIST five functions on the, in, onthe vertical slices above, identify,
(04:21):
protect, detect, respond, recover.
And so the idea being that, how doeshe go to a place like RSA or Black Hat
and be able to quickly say, oh, you'rea DLP vendor, so I'm gonna put you in
the data column and I'm gonna put youunder the protect, let's say matrix.
Quadrant here, and it's really helpfulfor figuring out where things play at.
(04:42):
And I studied that model and Ithought, that's really helpful.
It helps me understand a lot of things.
But when I talk to my organizationalleaders, the chief financial officer, the
chief audit officer, data privacy, they'renot technical, I can't really have,
application layer discussions with them.
So I, I decided to transform that andinstead of putting the tech layers
(05:05):
on the side, I said, why don't we put
material threats to our company?
And so now you can say, how wouldwe identify, protect, detect,
and respond to a phishing attack?
Or how would I identify, protect,detect, respond, and recover
to a web application attack?
And now suddenly, when you thinkabout this, it allows us to quickly
(05:28):
build a defense in depth matrix.
Of how we're going to safeguard ourcompany against these material threats,
and I think that is the core of whatwe have to be able to do as a CISO.
That's fascinating.
So really what we did, and of courseSounil Yu has been on our show
more than once, and so for those.
Were not familiar with his work.
Go back and take a look, so rememberSounil Yu in terms of his model.
(05:52):
We had five columns and it included.
Identify and protectthat was left of boom.
And then detect, respond,recover, right of boom.
But here in this particular case,instead of looking at people and
technology and things, you'relooking at specific threats.
Now, the thing I like about the TaSMmodel is it's highly customizable
based upon your own perceptionof what your threats might be.
(06:14):
And so for those of us who are CISOsand security leaders, we should be
paying attention to threat intelligence,knowing what it is that we're most.
Worried about, for example, you could beworried about something like, a scenario
of, bring your own device issues or CEOimpersonation or there's a number of
'em that you offer up on your website.
But if we were to go ahead andthen be very specific about that,
(06:38):
we could say, okay, what are theelements that would allow us to
identify this particular threat?
And then in advance, how do we protectagainst it and should it materialize?
What are the things that we cando, detect, respond, and recover.
Now, unlike Sounil's Matrix where you'redropping products, descriptions, or
vendor names in here, what are you puttingin each of these little boxes instead?
(07:01):
Yeah, so we're using the term safeguardsand a safeguard could be a tool, it
could be a process, or it could be ahuman, perhaps doing human oversight.
And so just think of the examplehere of maybe your developers are
releasing a new AI model, right?
You could have a tool that scansthat AI model and says, oh,
doesn't comply with whatever.
(07:22):
You could have a human.
Maybe a second person whoreviews the lines of code before
it gets merged in a GitHub.
or maybe you have a process, right?
Where, different things haveto happen, in an organization.
So maybe you have to, verifythat things get changed once
a year or something like that.
(07:42):
so these are the different ways that theycan be applied out as safeguards and,
just to maybe call out on the threats.
one of the things I wouldhighly recommend is looking at.
The most common threats for the last year.
So think about, maybe you startwith the Verizon data breach
report and you say, I'm worriedabout, credentials being stolen.
I'm worried about phishing happening.
(08:03):
I'm worried about, just unpatchedvulnerabilities that are exploited.
You would wanna make sureyou go through those.
'cause those are just socommon and likely to happen.
But then there's gonna be thingsthat are unique to your business.
And I actually put a list of about 25different common examples of threats.
maybe you're really worried about yourcompany's CEO being deep faked, and that's
(08:27):
different for other companies than yours,but you're focused, your company is, Tesla
and Elon Musk is all over the board wherehe can easily be recorded and deep faked.
So things like that, I think is whereit's helpful to look at this and
then run that through the matrix.
Got it.
And so what you had mentioned thoughis that you're looking at safeguards.
(08:48):
So we're gonna populate our matrix,not with necessarily products or
tools, but safeguards, which couldinclude things such as user training.
being able to go ahead anddo non-technical measures
and things like that.
so what it sounds like is that we canuse, as you'd said, common sources.
(09:08):
what's bad this year?
If we go ahead and look atVerizon data breach report, we
could take a look at something.
For example, red Canary comes outwith a monthly report that says
these are the biggest things.
SOC coolish is now up at number oneor number five or whatever, and this
thing has changed and the like, and.
Click fix is, what I'm seeing is inmy environments where attackers are
(09:31):
convincing users who are perhapsnot familiar with Windows machines.
Oh yeah.
Just go ahead and do a WindowsR, a Control V and an Enter, and
that proves that you're a human.
Instead of counting the number ofmotorcycles or something like that,
which in fact it's just copying thebuffer into a command window running
it, which then will probably kick off aPowerShell script, which will download
(09:52):
some malware, which is then gonna go aheadand say, oops, your files are encrypted.
But your average user who does notunderstand what's going on under the hood.
So using that as an example, if wetalk about our threat and safeguard
matrix, and we're gonna populate a row,and I just pick this one because it's
something that I've been dealing with.
Lately in our scenarios, what wouldwe, for example, put down there in the
(10:13):
identified box when we're looking atClick Fix as being the potential threat?
Yeah, so I, I think you wouldwanna say, where could this happen?
How do we identify sources?
maybe it's on the end pointswhere users can input, new
applications or new scripts to run.
Maybe it's on the server side.
(10:34):
Do we think it's onnetwork or applications?
start to put that.
Then talk about, howwould we inventory that?
How would we know all theapplications or all the, laptops?
Do we have something that says, okay,here is our system inventory, or
CMDB or something like that we have.
Now, once we've identified those,another thing that actually falls under
(10:56):
this identify is how would we know?
Where there's some vulnerabilitiesaround these things, right?
So let's just say we know thatdevelopers have the ability to write
custom PowerShell scripts on our boxes.
That's probably a vulnerability if anybad actor can phish one of your developers
(11:16):
and then instantly run PowerShellscripts on their Windows laptops.
So it's, identify all of the assets,plus identify how vulnerable they are.
And then when you go into the protectphase, in that box, you would start
to say, what could I do that wouldactually prevent scripts from happening?
And you just think of maybe there'ssomething like an allow listing software
(11:43):
like a threat locker that would say youcan't run these scripts only, this, let's
call it Windows program has the ability.
And that goes through a process whereyou're actually gonna say, this has
been reviewed, this script has beenauthorized, and now it can be run.
And if it doesn't have that hashof that script, it's not gonna run.
(12:04):
So that allow, listing softwareis a great protect example of what
you could put in this example here.
all left to boom here.
Exactly.
So these are things that we can put intoplace today before we ever encounter
the actual threat in our environment.
exactly.
Yeah.
I.
And then if we keep continue andwe go, let's say we go write a
(12:26):
boom and then we go on detect.
So how do we detect that?
What would be things we would put in such?
For example, I'm wondering to see is auser trying to run a PowerShell script?
'cause your average userdoesn't run PowerShell scripts.
perhaps is somebody going toan unusual website like a .xyz?
Are they trying to download an executablefile, things like that, that we could
(12:48):
pick up with all of our tool sets.
So those are things that I wouldput into the detect box as well.
Yeah.
So things that would identifyan attack has happened, right?
an example is maybe someone is usingCrowdStrike or Windows Defender and it
gets some, threat detection and it says,Hey, this script ran, and you now have
(13:10):
that telemetry in your SIEM, right?
So those, EDRs, those SIEMswould have some of that data.
perhaps some of the Windows loggingfeatures, or different application server
logs, could also contain that informationof here's what was run in the bash shell.
History, type commands, right?
So any of those things wouldbe good examples of detect.
(13:33):
And then once you have those detects,then you could, start to move into
the respond and recover phases.
As I'm thinking on the Protect, I'mactually, going through and building
out this matrix is that another thingon the Protect is to be able to,
say, Hey, can I block people tryingto go to odd top level domains?
For example, I have not yet seen one ofthese click fixes that goes to a .com.
(13:57):
A normal domain, so to speak.
it's gonna go to some unusual extensionthat probably is not well regulated.
There's often some weird stuff out there.
So using a tool like an umbrella orthe like, or Z scale or something,
you can say, Hey, you just can'tget there from here, number one.
So that's protecting you.
And the other thought is thatfrom that perspective is maybe
(14:18):
you block brand new domains.
'cause a lot of these things, they'llspin up a domain to do this attack.
If they don't have any intention ofpaying for it, so after 72 hours, the
registrar says, Hey, you didn't pay.
We're shutting down your domain.
But hey, they've alreadyrun the ransomware campaign.
It's all about cost management.
Protect, detect.
Now in the respond phase, we wouldsay, okay, if this thing actually
(14:39):
materialized and something hit the fan,we would put the response in there.
And then for people trying to understandthe difference between respond and
recover, looking at the the cybersecuritymatrix and things like that, how would
you help people get them in the rightboxes between respond and recover?
Yeah, so responses tendto be temporary, right?
(14:59):
We're spinning up the incidentresponse team to do certain actions,
so maybe when we don't know how badthese PowerShell scripts are, we just
turn 'em off for the entire companybecause we don't want this to continue
just spreading and causing more harm.
But ultimately we're going tohave some PowerShell scripts.
(15:21):
We want to, let's say, turn backon because it's probably part of
the new laptop deployment scriptsby the help desk team, right?
So in the response phase,maybe we turn it off.
We actually say, oh my goodness,let's review the roles.
How many people have access to this?
Is it hundreds of developers, oris it only the three admins who
(15:44):
are on this help desk team, andwe kinda rightsize those things.
And then once, once we get that to aplace to where we feel it's safe, recover
is all about resuming operations, right?
So here we're gonna turn backthose, PowerShell scripts
back on, maybe one by one.
We have to review which ones we're gonnaturn on and others we're just gonna leave
off, or we've changed the roles around it.
(16:06):
Another example where recover isreally different also tends to be
on the DevOps side of the house.
So let's just say something had encryptedand stolen the data, we'd probably just
blow that server away and then just deploya brand new server versus trying to risk.
Let's say resuming an old server that weknow previously had malware that maybe
(16:27):
we removed it, but we didn't get all ofit, and then it still has malware on it.
So in that example, recover is, Hey, we'regonna roll out a new server, make sure
it's all patched, make sure there's noway the root cause of how the bad actors
got in is still accessible and now youhave something that's fully deployed.
Now with the structure and bybeing able to look at something
(16:47):
like a TaSM, that's also somethingthat I can share with others.
That is to say, I can go ahead and goto, let's say, if I'm trying to get
some budget for something to say, hereis a threat that we have identified.
I. It may or may not have landed onus yet, but we can all agree that
we are concerned about it becauseit's being targeted against us.
And then looking at these different steps,I could pick a couple of things that I
(17:10):
can say, these are measurable results.
And the things that you go ahead and youcan measure them, you can get them done.
And as you point out what gets done.
What needs to get doneis gonna get funded.
So after we've populated this TaSM,it's more than just being aware of the
actions to take, but your structurecould then be used to help drive a
(17:32):
push toward obtaining the tool setsor the capabilities that we need to
in fact improve our security, correct?
That's right.
So if you start reading on the page,you'll actually see I, I introduce a
cyber report card and, I just give anexample of what it could look like.
And when I was in my role, I wasstarting to say, what are the
(17:53):
things I'm most worried about?
I'm worried about, internetfacing vulnerabilities being
exploited by bad actors.
Okay, I should probably have ametric in there that says how fast
are we going to patch internet,facing servers or internal servers.
You probably have an SLA within yourorganization, and how do you show that?
And so month to month you show a status.
(18:14):
Where am I right now?
And then just because I'm at 15or 30 days, is that a good number?
I don't know on itself.
What I actually need to do is Ineed to do a trend analysis and
show where I was the month before.
Because if I was at, let's say 10days patching and now I'm at 50
days patching, that's a kind ofa bad trend for an organization.
(18:34):
And someone's gonna go and say, WTF,we need to actually go figure this out.
Why are we so much worse?
But if I was, at 50 days and now I'mat patching at 10 days, hey, let's go
celebrate, take everybody out to lunch.
'cause that's a really good improvement.
So that trend analysis really good.
And then the other thing I think youalso need is some type of goal or a
(18:55):
key, SLA that you're targeting.
maybe I have a policy that says weshall always patch within 30 days.
That's the generally acceptedSLA this organization has.
So when I'm measuring these things,I can look and say, oh, I'm, right
around that number, or I'm below it.
And when I'm not, are these things that Ibring up, to my executive risk committees?
(19:19):
Do I bring it up to the CIO inmonthly meetings just to show that
we are exceeding our organizationalrisk tolerance, if you will.
Wow.
So there's real utility there.
And another thing that I found thatas I'm looking at the way you've
described this is you could also useit TaSM for enhancing threat modeling.
(19:39):
And I'm thinking like, okay, fine.
If we're looking at applicationthreat models and discussions
and things like that.
This sounds like an interesting idea.
How would we use this TaSM structure thatyou developed to enhance threat modeling?
Yeah, so one of the things I findabout threat models, it feels like
everybody has their own differentway of doing a threat model.
And so if I did, a hundred threat modelsin one organization, I have a hundred
(20:02):
different standards, then it's really hardfor me to do a trend analysis that says
Hey, out of the a hundred threatmodels we did, 80 of 'em suffered
the same problem that maybe shouldbe an enterprise activity to fix.
And so what I like to dois look at two things.
One, create a simple data flowdiagram of whatever system it is
(20:23):
that you're trying to protect.
And then the second thing, let's justlook through the most common threats
that we typically see to applications.
And you can just think of the Strideacronym, spoofing, tampering, repudiation.
Information disclosure, denial of serviceand, elevation of privilege, right?
And you go in and say, howcould this app be spoofed?
(20:44):
How would we identify wherein the app that would happen?
And then how would weprotect that from happening?
And you go in and you work through that.
And now when you do that, you havea consistent way where you can go.
And actually talk to all the differentpeople and say, Hey, this is what we're
finding across all of our applications ina very consistent way, and we think this
(21:06):
is gonna be really helpful next year whenwe're planning our budget of what things
we need to tackle on an enterprise level.
And you can look for commonalities thatway too, because again, you benefit from
having a structured approach and you mightbe able to say that, Hey, a lot of our
applications, have these same findings.
If you go into the architecture.
Actual review boards, and you'relike, yeah, we should really focus on
(21:28):
that because we seem to be repeatingthis mistake over and over again.
You might miss that by looking atevery single thing individually,
but by being able to look atit in a comprehensive manner.
We do better.
So that's awesome.
how about for risk committees?
If you're trying to thinkabout more than that.
'cause we've been focusing pretty muchjust on, on cyber threats, but when
you're dealing with risk committees,they're not just interested in cyber.
(21:50):
They've got financial, legal, regulatorycompliance, hr, stuff like that.
Does, can that work over here as well?
So this is probably my favorite part ofthe model is it's one of the only models
that's just bigger than cyber, right?
you think of the CIA triad, you can'treally take confidentiality, integrity,
availability and apply that to anti-moneylaundering or how we're gonna handle
(22:14):
COVID risks and things like that.
But what you can do here is you can say,let's put all of the threats from the
company that are material in nature.
Then start ranking them so we can go aheadand say, finance is really worried about
changing interest rates because all thesecrazy tariffs that are going on right now.
Interesting.
Okay.
HR is really worried about all the NorthKorean employees coming into our company.
(22:38):
Gotcha.
Cyber, we're really worriedabout phishing, and now when I
start to rank all of these thingsas to how big, the risk is.
It allows cyber not just to be theone begging for money every year,
but now you have legal and HR andfinance actually saying, you know what?
Cyber is really the top number two andthree risks in our company and we think
(22:59):
we should really be spending more money.
And so you've built this coalition offorces, so supporting how you're going
to tackle material threats and moreimportantly, you're actually teaching the
NIST five functions now six, two, your.
Risk committee counterparts, people in HRhave never thought about how do I detect,
respond, and recover to certain things.
(23:22):
That's a cyber mentality.
So when we start bringing this knowledge,this Tradecraft to them, I feel like
we're helping them be more securewith the threats that are native to
financial, to hr, to legal, and givingsome of this, acumen from cyber.
And we are earning that C in CISOas a chief officer by being able to
(23:42):
bring new ways of thinking, betterapproaches toward solving business
problems, not just technical problems.
So yes, absolutely it extends beyond that.
And one last thought here.
What about ai?
Can this have any impacton our input of ai?
Absolutely, and, I won't spoil it andgo into all the details, but I put in
(24:02):
top seven AI risks that I saw acrossour organization and multiple companies,
after talking to hundreds of CISOs.
So you'll see there's sevenAI risks that I think are very
important to take a look at.
And then you can actually startplotting them through the matrix.
And here's the thing, the way you solve.
Sensitive data leaks is verydifferent than the way you
(24:24):
solve hallucination problems.
So making sure you understand how theyplay out in this matrix is really,
important because you're probablygonna have to buy very different tools,
put in very different processes, andimplement very different safeguards.
So take a look on the website and I thinkyou'll find some really helpful things you
could take back to your leadership team.
great.
we're gonna make this a shorterepisode because I think we wanted
(24:46):
to be, hit hard and hit fast.
But OWASP TaSM, if you can'tfind the website, we're gonna
put a link in our show notes.
But you can also Google OWASP TaSM.
First link will come right up,I think with any search engine.
Our guest has been Ross Young, theauthor of the OWASP TaSM, also a
person who's contributed significantlyto the cybersecurity community.
And I expect you'll see a lot more fromthis person, particularly 'cause he
(25:08):
is working on his book about how ourbudgets are wasted and things like that.
If you like our show, pleasego ahead and follow us on
LinkedIn if you're not doing it.
So already we have alot more than podcasts.
We also have a Substack newsletter.
We'll put out a steady stream of highsignal, low noise information that
you can get on our LinkedIn feed.
If you're following us on apodcast channel and you haven't
already given us a rating, giveus a five star or a thumbs up.
(25:30):
Why not?
'cause we're grade grubbing, butit improves our ranking so that
other people can find us as wellto help improve their Tradecraft
as well in the CISO environment.
We hope you've enjoyed the showand you find it very useful.
Drop us a note, touch us over onLinkedIn or something like that.
Would love to hear back from you here.
It's CISO Tradecraft, so thisis your host, G Mark Hardy.
Until next time, stay safe out there.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.