Case Study 1: Mapping Meridian's Defenses — A Control Framework from a Single Near-Miss
"We didn't get lucky. A control did its job. My problem is that I can't yet tell you which of our other doors are unlocked — so we're going to build a map." — Dana Okafor, CISO, Meridian Regional Bank (constructed)
Executive Summary
The phishing attack that opened this book failed because one control — a phishing-resistant security key — held. That outcome was a success, but it left CISO Dana Okafor with an uncomfortable question she could not answer: which of Meridian's other defenses would hold, and which would not? Knowing that one door was locked tells you nothing about the rest of the building. This case study follows security architect Sam Whitfield and junior analyst Theo Brandt as they take the single, well-understood near-miss and use it to bootstrap Meridian's control framework — a structured map of every defensive control, classified on the two axes from §3.3 (function × nature), used to find the gaps before an attacker does.
This is an analysis exercise, not a build. You will watch the chapter's principles stop being definitions and become a working diagnostic: classifying real controls, running a gap analysis, and discovering — as nearly every organization does — that the defense is lopsided toward prevention and nearly blind on detection. The scenario, the inventory, and all figures are constructed for teaching (Tier 3).
Skills applied: control classification (function × nature); gap analysis using the control matrix; reading a defense in depth and identifying which layer held; distinguishing preventive from detective from corrective controls in a live incident; translating a technical map into a board-legible risk story; connecting principle to program.
Background
Two weeks after the near-miss, Meridian's security program is, in maturity terms, exactly where most mid-size organizations live: it has controls, but it does not have a framework. Over fifteen years the bank accumulated a firewall here, antivirus there, a password policy, a locked data center, a VPN for remote staff, and — most recently and most consequentially — FIDO2 security keys for high-risk users, the control that had just proven its worth. Each was bought to solve a specific problem at a specific time. No one had ever laid them all out together and asked the structural questions: Where are we strong? Where are we blind? If this control fails, what catches the attacker next?
Dana frames the assignment to Sam in the language she will later use with the board. "We have a pile of controls and no picture of how they fit. I want a control framework: every control we own, labeled so I can see at a glance what kind it is and what it protects. Start from the one incident we understand completely — the phishing near-miss — and build outward. By the time you're done I want to be able to point at our defense and say, honestly, here is where we're covered and here is where we're not."
Sam recognizes this as the §3.3 matrix made operational, and he recognizes the deeper point. A control framework is not bureaucracy; it is the difference between having controls and knowing your security posture. It is also, looking ahead, the structure that compliance frameworks (Chapter 28) and the board metrics pack (Chapter 36) will plug into. He pulls Theo in, because the fastest way to learn how defenses fit together is to classify them one by one.
The Analysis
Phase 1 — Anatomy of the near-miss: which control actually held?
Before building a map of everything, Sam has Theo do something deceptively simple: take the one incident the team understands completely and classify every control that touched it. This grounds the abstract matrix in a real event and surfaces the first lesson.
Theo lays out the chain of the phishing attempt as a sequence of layers, classifying each control on both axes and recording whether it held:
Attack: phishing email -> credential-harvesting page -> attempted SSO login
Layer Control Function Nature Held?
----- ------------------------------ ------------ -------------- ----------------------
1 Secure email gateway preventive technical NO (clean new domain,
link-only payload)
2 Security-awareness training preventive administrative PARTLY (9 ignored,
1 reported, 1 clicked)
3 FIDO2 phishing-resistant MFA preventive technical YES (password alone
was useless)
4 SOC log review / reported- detective technical/ YES (Theo found the
email triage administrative failed logins)
🛡️ Defender's Lens: Read down the "Held?" column and the structure of real defense appears. The first two preventive layers failed or partly failed — which is normal, not a scandal; §3.5 told you every preventive control eventually fails. The bank was fine because an independent third preventive layer (the FIDO2 key) held and a detective layer made the event visible. This is defense in depth behaving exactly as designed: an attack plus a human mistake did not equal a breach. The classification is not paperwork — it is what lets Sam say precisely why the outcome was a near-miss and not a headline.
Sam draws out the two findings that this single classified incident already yields. First, the win was architectural, not lucky: the outcome depended on a preventive layer the attacker could not bypass (the cryptographic binding of the FIDO2 key to the real site) backed by a detective layer. Second — and this is the seed of the whole engagement — the detective row is thin. The only detection in the entire chain was a human reporting a suspicious email and an analyst manually pulling logs. There was no automated alert when one user's machine visited a freshly registered look-alike domain, and no automated alert on the burst of failed logins. The bank detected this incident because an employee happened to report it. That is a fragile way to detect things.
⚠️ Common Pitfall: Declaring victory after a near-miss and moving on. Many organizations treat a control that held as proof the program is fine. Sam treats it as a sample: if the detective layer was this thin in the one incident we caught, how many incidents are we not catching because no one happens to report them? A near-miss is the cheapest possible data about your real posture. Mine it.
Phase 2 — Inventorying and classifying the bank's controls
With the method proven on one incident, Sam and Theo extend it to Meridian's whole control set. They walk the environment and the documentation and list every control they can find, then classify each on the function × nature matrix. They deliberately do not yet judge quality — the first goal is simply to place every control so the shape of the defense becomes visible.
A representative slice of their inventory:
| Control | Function | Nature | Serves (CIA) |
|---|---|---|---|
| Perimeter firewall (default-deny inbound) | Preventive | Technical | C, I, A |
| FIDO2 security keys (high-risk users) | Preventive | Technical | C, I |
| Endpoint antivirus / anti-malware | Preventive | Technical | C, I |
| Full-disk encryption on laptops | Preventive | Technical | C |
| Password policy (length, complexity) | Preventive | Administrative | C, I |
| Security-awareness training (annual) | Preventive | Administrative | C, I |
| Locked data center + badge readers | Preventive | Physical | C, I, A |
| Background checks for new hires | Preventive | Administrative | C, I |
| Manual SOC review of reported emails | Detective | Administrative | C, I |
| Antivirus quarantine alerts | Detective | Technical | C, I |
| Nightly database backups (untested restore) | Corrective | Technical | A, I |
| Documented (but un-drilled) IR notes | Corrective | Administrative | A, C, I |
🔗 Connection: Notice that the "Serves (CIA)" column ties this chapter's two big ideas together — the triad (§3.1) and the control taxonomy (§3.3). Every control protects some leg(s) of the triad and occupies some cell of the matrix. A truly mature framework lets you slice either way: "show me all our availability controls" (and discover they are mostly untested backups) or "show me all our detective controls" (and discover there are almost none). Meridian cannot yet do that fluently, which is the point of building the framework.
Phase 3 — The gap analysis: plotting controls on the matrix
Now the payoff. Sam plots the inventory onto the function × nature grid — the same grid from Figure 3.2 — and the imbalance becomes impossible to miss:
│ ADMINISTRATIVE │ TECHNICAL │ PHYSICAL
────────────────┼────────────────────────┼─────────────────────────┼──────────────────────
PREVENTIVE │ awareness training, │ firewall, FIDO2 MFA, │ locked data center,
│ password policy, │ antivirus, full-disk │ badge readers
│ background checks │ encryption, VPN │
│ ●●● │ ●●●●● │ ●●
────────────────┼────────────────────────┼─────────────────────────┼──────────────────────
DETECTIVE │ reported-email review │ AV quarantine alerts │ (none — no cameras
│ (manual) │ │ inventoried,
│ ● │ ● │ no door alarms)
│ │ │ (empty)
────────────────┼────────────────────────┼─────────────────────────┼──────────────────────
CORRECTIVE │ IR notes (un-drilled) │ backups (untested), │ (none inventoried)
│ ◐ │ no failover │
│ │ ◐ │ (empty)
────────────────┼────────────────────────┼─────────────────────────┼──────────────────────
COMPENSATING │ (none formal) │ (none formal) │ (none formal)
│ (empty) │ (empty) │ (empty)
● = present and reasonably mature ◐ = present but weak/untested (empty) = gap
Figure CS1.1 — Meridian's controls plotted on the function × nature matrix. The top-left-to-middle region (preventive) is dense; the detective and corrective rows are nearly empty, and the entire compensating row is unused. This is the classic shape of an immature program: heavily armored against getting in, nearly blind once an attacker is inside, and unrehearsed at recovering.
Sam talks Theo through what the picture says, because learning to read this grid is the whole skill:
- The preventive row is dense and the detective row is nearly empty. Meridian has invested almost entirely in keeping attackers out and almost nothing in seeing the ones who get through. By §3.5, some attackers always get through — so this is not a minor gap; it is the gap most likely to turn a future intrusion into a long, unobserved dwell. The near-miss was caught by a human, not a system.
- The corrective row is present but weak. Backups exist but have never been restore-tested (so their real value is unknown), and the incident-response notes have never been drilled. Corrective controls that have not been exercised are, in practice, hopes rather than capabilities — a point Chapter 24 makes central.
- The compensating row is entirely empty. This is not necessarily bad on its own — you only need compensating controls where a primary control is infeasible — but it flags that the legacy core-banking system (which cannot be fully patched or modernized) has no formally designed alternative protection. That is a latent risk waiting to be named.
- Physical detective and corrective cells are empty. No one had inventoried cameras, door alarms, or facility recovery. For a bank with 120 branches and a data center, that is a real blind spot, not a rounding error.
🚪 Threshold Concept: A control framework's power is not in the controls it lists but in the empty cells it makes visible. Before this exercise, Meridian's leaders would have described the bank as "well secured" — and pointed at the firewall, the antivirus, the encryption, the new security keys, all genuinely good controls. The matrix reframes the question from "do we have good controls?" (yes) to "do we have the right kinds of controls in the right places?" (no — we are blind and unrehearsed). Once you can see a defense as a grid with holes in it, you cannot unsee it, and you will never again mistake a pile of preventive tools for a complete defense.
Phase 4 — From map to priorities (and a board story)
A gap analysis that does not change what the team does next is just a diagram. Sam turns the picture into a short, prioritized set of recommendations, each tied directly to an empty or weak cell — and, crucially, each phrased so Dana can defend it to the board in the language of risk (Chapter 1) rather than the language of tools.
Priority Gap (matrix cell) Recommendation Serves
-------- ------------------------------ ------------------------------------ --------
1 Detective / technical (thin) Centralized logging + alerting detect
(seed the SIEM, Ch.21): auto-alert intrusions
on impossible-travel logins, failed- we now miss
login bursts, new-domain visits
2 Corrective / technical (weak) Restore-test the backups; build and survive a
drill an IR plan (Ch.24) ransomware
3 Compensating (empty) for the Design a compensating package for protect the
legacy core-banking system the unpatchable core: isolation + un-patchable
monitoring + tightened access crown jewel
4 Detective / physical (empty) Inventory and integrate facility close the
cameras/alarms into monitoring physical blind spot
🛡️ Defender's Lens: Look at priority 1. The single highest-value move is not another preventive control — Meridian already has plenty — but the detective capability it almost entirely lacks. This is the most common and most important finding in real maturity assessments: organizations are over-invested in prevention and under-invested in detection, precisely because prevention is what vendors sell and what feels like "real security." The matrix is what makes the under-investment undeniable. Note too that every recommendation names what it serves in plain terms — "detect intrusions we now miss," "survive a ransomware" — because that is how a control gap becomes a funded project.
When Dana presents this to the board, she does not show them the grid. She tells them the story the grid revealed: "Two weeks ago a control we invested in stopped a real attack — that worked exactly as designed. But mapping our full defense showed me that we are very good at keeping attackers out and nearly blind to the ones who get in, and we have never tested whether we could recover from ransomware. We caught the last attack because an employee reported an email. I don't want our detection to depend on luck. Here are the three investments that fix the biggest gaps, in priority order." That is the control framework doing its real job: turning a pile of controls and a single near-miss into a defensible, prioritized, board-legible plan — which is the program increment this chapter contributes.
🔄 Check Your Understanding: Meridian's backups occupy the corrective / technical cell, so the matrix shows that cell as "present." Yet Sam rates the backups a weak ◐ rather than a full ●. What is the difference between a control being present and a control being effective, and why does an untested backup illustrate it perfectly? (Hint: think about when you discover whether a backup actually works.)
Discussion Questions
- Sam insisted on starting from the one incident the team understood completely (the near-miss) before inventorying everything. What are the advantages of bootstrapping a control framework from a single, well-understood event rather than starting with a blank comprehensive checklist?
- The gap analysis revealed that Meridian's defense was lopsided toward preventive controls. Why do organizations so reliably over-invest in prevention and under-invest in detection? Name at least two forces (technical, commercial, or psychological) that push budgets toward the preventive row.
- The compensating-control row was entirely empty, which Sam flagged as a latent risk for the legacy core-banking system. Is an empty compensating row always a problem? When is it fine, and when is it a warning sign?
- Dana chose not to show the board the matrix itself, presenting the story it told instead. Was that the right call? What is gained and what is lost when a technical artifact is translated into a narrative for executives?
- Every control in the inventory was tagged with the CIA leg(s) it serves. Pick one control that serves multiple legs and one that serves only one, and explain how that affects its priority if budgets are tight.
Your Turn
Take an organization you know well (your school, employer, or a small business you can reason about) and reproduce Sam and Theo's process at small scale:
- List eight to twelve security controls the organization actually has (ask, or reason from what you can observe — locks, logins, cameras, backups, training, antivirus, and so on).
- Classify each on both axes (function: preventive / detective / corrective / compensating; nature: administrative / technical / physical) and note which CIA leg(s) it serves.
- Plot them on the function × nature grid and identify the two emptiest cells.
- Write three prioritized recommendations tied to specific gaps, each phrased in one sentence a non-technical leader could act on (say what it protects, not what tool to buy).
Keep it to one page. If you cannot decide a control's classification, that ambiguity is itself useful — note it, because some controls genuinely span functions (a control that both detects and responds), and recognizing that is part of the skill.
Key Takeaways
- A control framework is the difference between having controls and knowing your security posture; its value is the structured map, not the list.
- Classifying the controls in a single well-understood incident (the phishing near-miss) is a cheap, powerful way to bootstrap the framework and reveals immediately why the outcome was a near-miss: a preventive layer held and a detective layer made it visible.
- Plotting controls on the function × nature matrix turns gap analysis from opinion into a picture; the empty cells are the finding.
- Meridian's defense showed the classic immature shape: dense preventive controls, nearly empty detective and corrective rows, an entirely unused compensating row — well armored against getting in, blind once an attacker is inside, and unrehearsed at recovering.
- A control being present is not the same as a control being effective: untested backups and un-drilled IR plans occupy their cells but cannot be trusted until exercised.
- The highest-value next investment was detection, not more prevention — the single most common finding in real maturity assessments, and one the matrix makes undeniable.
- The framework's ultimate output is a prioritized, board-legible plan: each gap becomes a recommendation phrased in terms of the risk it reduces and the asset it protects — the program increment this chapter contributes to Meridian.