Defense Measures Mapping
From Overview to Action
A reference chapter only has value when teams can use it directly to plan, design, and deliver.
In Defense Measures Mapping, the goal is to document choices that teams can execute consistently and repeatably.
This keeps the chapter from being mere theory and makes it a usable compass for consistent execution.
Immediate actions (15 minutes)
Why this matters
The core of Defense Measures Mapping is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.
Web Security
| Measure category | Concrete implementation | See |
|---|---|---|
| Input security | Parameterized queries, strict validation, safe templating | Web 01, Web 02, Web 03, Web 04, Web 05, Web 12 |
| Parser and protocol hardening | Safe XML parser configuration, SSRF controls, deserialization restrictions | Web 06, Web 07, Web 08 |
| Browser security | CSRF protection, CORS policy, clickjacking mitigation, headers baseline | Web 09, Web 11 |
| Access & sessions | MFA, session security, password and login policy | Web 10, Web 11, Web 16 |
| API governance | Object-level authorization, schema validation, rate limiting | Web 14 |
| Safe file processing | Upload allowlist, content validation, isolated storage | Web 15 |
| Transport security | TLS 1.2+, HSTS, safe cipher configuration | Web 13 |
| Structural assurance | Security in SDLC, quality gates, periodic review | Web 17 |
Network & AD Hardening
| Measure category | Concrete implementation | See |
|---|---|---|
| Access security | MFA, initial access policy, phishing resilience | Network 01, Network 13, Network 21 |
| Endpoint and OS hardening | Baselines, script and application control, least privilege | Network 02, Network 03, Network 11, Network 12 |
| Identity and directory security | AD hardening, Kerberos hardening, credential protection | Network 04, Network 05, Network 07, Network 08 |
| Segmentation and lateral movement reduction | Network segmentation, management zones, strict firewalling | Network 06, Network 15, Network 19 |
| Monitoring and detection | Centralized logging, SIEM use cases, persistence control | Network 09, Network 16, Network 18 |
| Traffic control | Tunneling restrictions, DNS and mail security, wireless controls | Network 10, Network 13, Network 20 |
| Availability and recovery | Backup strategy, recovery tests, continuity measures | Network 17 |
| Data platform hardening | SQL Server configuration, feature restriction, auditing | Network 14 |
Cloud Hardening
| Measure category | Concrete implementation | See |
|---|---|---|
| Platform baseline | Provider hardening, account/project structure, policy guardrails | Cloud 01, Cloud 02, Cloud 03, Cloud 04 |
| Workload security | Container and Kubernetes hardening, serverless controls | Cloud 05, Cloud 07, Cloud 11 |
| Supply chain security | CI/CD hardening, artifact trust, IaC policy controls | Cloud 06, Cloud 12 |
| Identity and secrets | Least privilege IAM, secret manager, key rotation | Cloud 03, Cloud 13 |
| Segmentation and data flows | Isolation between accounts/networks, controlled egress | Cloud 08, Cloud 09 |
| Detection and governance | Audit logging, detection rules, drift control | Cloud 09, Cloud 10, Cloud 12 |
Measure priorities (30-60-90)
| Phase | Focus | Minimum outcome |
|---|---|---|
| 0-30 days | Access + visibility | MFA, centralized logging, critical hardening baselines |
| 31-60 days | Segmentation + secrets | Least privilege IAM, secret manager, network segmentation |
| 61-90 days | Assurance + review | CI/CD gates, recovery tests, metrics reported at board level |
Quick selection by organization type
| Organization type | Implement first | Then |
|---|---|---|
| Web-intensive | Web 01, Web 10, Web 11, Web 14 | Web 15, Web 17 |
| On-prem AD-heavy | Network 04, Network 05, Network 06, Network 07 | Network 16, Network 17 |
| Cloud-native | Cloud 02, Cloud 06, Cloud 11, Cloud 13 | Cloud 10, Cloud 12 |
| Hybrid | Network 15, Cloud 08, Cloud 13 | Network 19, Cloud 10 |
How to use this page
- Start with your domain (web, network, cloud).
- Select the first two measure categories per domain that are not yet in place.
- Open the linked chapters and turn them into concrete implementation tickets.
- Repeat monthly with demonstrable evidence (config, logs, tests, KPI/KRI).
Summary
This mapping is a measures compass: you use it to quickly choose what you need to implement, in what order, and which chapters to follow up on for technical execution.
Further reading in the knowledge base
These articles in the portal give you more background and practical context:
- Incident Response -- when things go wrong
- Compliance -- following rules without losing your mind
- Least Privilege -- give people only what they need
- Patch management -- the most boring thing that can save your life
- Backups -- the most boring topic that can save your life
Related security measures
These articles provide additional context and depth: