CISO on CISO Perspectives
The expanding attack surface, increasingly sophisticated cyber threats and network security complexity create challenges for organizations in virtually every industry. A cybersecurity mesh architecture is an approach that is designed to create a collaborative ecosystem of security tools operating across the digital infrastructure. The primary objective is to place security everywhere it’s needed, anywhere in the network, even as users, devices, and applications multiply and become more mobile.
Cybersecurity Experts Discuss Cybersecurity Mesh Architecture
Mesh architectures offer a wealth of benefits to businesses, but they require cybersecurity professionals to completely rethink their approach to security. That’s why Fortinet Field CISOs Alain Sanchez, Joe Robertson, and Courtney Radke joined us to discuss the approach and what it means for CISOs.
What does a cybersecurity mesh architecture approach mean for CISOs?
Alain: With the explosion of edge devices, the complexity of the architectures, and the paramount importance of securing our hyperconnected world, the old-school approach of using security point solutions that aren’t natively integrated doesn’t make sense anymore. In the past, some level of security could be reached by wrapping a layer of interconnectivity around security technologies. But these days are gone. Integrated, automated platforms that provide visibility and trigger superfast defense mechanisms are being adopted even as we speak.
Joe: In fact, Gartner® has done a good job of succinctly describing how to streamline threat defenses with its Cybersecurity Mesh Architecture (CSMA) in its report, Top Strategic Technology Trends for 2022: Cybersecurity Mesh.[1]
Because cybersecurity is so complex, streamlining cannot be done by simply removing devices. If anything, organizations will need more tools to detect ever subtler tactics and techniques in the future. To reduce complexity, devices need to share threat information and shrink the gaps that attackers slip through. Many executives I meet with are looking to consolidate vendors down from 40 to 50 to a more manageable 5 to 10. But to simplify without losing security coverage requires interoperation and communication among devices.
Courtney: The timing of this discussion couldn’t be more appropriate. We’ve seen the number of security vendors increase significantly and become more pervasive. With that said, CIOs have been looking at the consolidation of technology and functions for some time now. Almost every tech leader I speak with has expressed a desire to decrease sprawl, reduce unnecessary singular-use products and widgets, and move into a more cohesive platform approach.
What are the key attributes of this new security architecture?
Alain: A cybersecurity mesh architecture is how advanced security strategies are designed as we speak. The explosion of edges is already a reality, and mobility and work-from-anywhere are now second nature for a large percentage of the connected population over the last 24 months.
The pandemic accelerated the trend toward a mesh architecture, but many organizations were headed that way already with the focus on platforms and integration. For example, securing the OT environment requires seeing, monitoring, and acting on a scale that is broader than the typical IT inventory. This visibility needs to go beyond the company boundaries and deeper into packets. At the same time, corporations of all sizes are seeing the need for a native and direct integration of concepts like zero-trust network access (ZTNA) and endpoint detection and response (EDR) as part of their strategies. And because the human brain is not fast enough to correlate and evaluate the damage of events happening in different locations, automation is a must these days.
Broad reach, native integration, and advanced, artificial intelligence-based automation are the key attributes of this mesh approach. They are precisely the core attributes of the Fortinet Security Fabric, which was introduced in 2016.
Joe: The key ideas behind a cybersecurity mesh architecture are:
1. A wide variety of security devices, tools, and applications are needed to identify, block, and quarantine attacks.
2. The devices should share threat intelligence by communicating with each other directly, preferably using standardized formats rather than through a SIEM or SOAR intermediary.
3. The devices in the mesh should be able to take on board threat intelligence from a variety of external sources, such as the Cyber Threat Alliance, MITRE, CISA, and vendors.
4. The mesh should be able to incorporate scripts, playbooks, artificial intelligence, and machine learning to correlate, analyze, and respond to threats, attacks, and unusual behavior in real time.
Courtney: Like other industries, a technology explosion has been occurring in retail. They want to learn more about their consumers, create more tailored and consistent experiences, and hopefully gain more loyalty and wallet share. As we know, adding technology often comes at a cost to security. Many times, there is a lack of focus on protecting the whole environment cohesively in favor of the individual pieces. I see the security challenges manifest in three ways:
1. You cannot protect what you can’t see. Do you have the tools and services in place to detect advanced threats, even in encrypted traffic?
2. You cannot see where you aren’t looking. Does your visibility extend across your entire digital landscape?
3. When you see something, can you identify it? What intelligence sharing exists between teams, tools, and partners to better mitigate risk and reduce dwell time?
A cybersecurity mesh architecture aims to consolidate visibility, policy management, identity, and intelligence into a single consumable platform that stretches throughout the entire attack surface, reducing security gaps and blind spots more effectively and affordably than performing these roles separately.
What should organizations consider going forward?
Alain: If I judge by the massive adoption of our Fortinet Security Fabric, I’d say the cybersecurity mesh architecture approach has already been adopted for a while, in reality. As we understand it, Gartner gave it a name and a fundamental approach, but corporations have been adopting mesh architectures for a while now.
Joe: Keep in mind that the CSMA doesn’t have to happen all at once. Organizations can add pieces to the architecture a few bricks at a time. As they choose new security tools, they can select those that adhere to an intercommunication philosophy. Our Fortinet Security Fabric mesh architecture has been available for a number of years now, and over time, customers keep adding to it. Perhaps they start with a next-generation firewall, then add intrusion protection, then endpoint detection and response, and so on.
Courtney: The CSMA is a strategy that provides alignment for organizations that want to embrace the concept quickly. The Fortinet Security Fabric is the most mature and well-defined mesh architecture example to date. Still, organizations may feel like they have to make sweeping changes before seeing any results. Luckily, the shift doesn’t have to occur all at once. While big changes may help set the foundation, an iterative approach can still provide significant benefits and opportunities for greater integrations on the journey to a more complete mesh architecture.
What do you think are key pillars of a cybersecurity mesh architecture approach?
Alain: We believe that approaching the network side and the security side together is a paramount condition for a successful mesh strategy. We call this concept Security-driven Networking. Organizations shouldn’t have to compromise between network performance and superior security. Today, we’re witnessing the ability for advanced security to enable levels of innovation we’ve never seen before. Organizations can consider innovations, collaborative applications, and real-time delivery of advanced services that were inconceivable before. In addition to security-driven networking, zero-trust network access, adaptive cloud security, and open architectures are other fundamental building blocks of a mesh design.
Joe: Any mesh architecture must be built around a next-generation firewall, identity and access management, the network, and integrated management, analysis, and response tools. All of these solutions need to have versions appropriate for data centers, clouds, branches, and remote. Other tools, devices, and applications can and should be added on, but these are the most important items. Much of the “smarts” for security is in the NGFW, with its capacity for deep-packet inspection and L7 analysis. In addition to security intelligence, it is also crucial to know who and what is in your environment, hence the identity and access pillar, which includes remote access, branch interconnectivity, identity management, and zero trust. I include the network as one of the fundamental pillars because all threats traverse the network at some time, so the network is the logical place to intercept, identify, block, and quarantine them. The network should be an integral part of the security architecture. And finally, the management of all of this must be simple and understandable for the network and security staff to use. Due to the sheer volume of traffic, events, and threats, much of the correlation and supervision must be automated with tools that incorporate machine learning and artificial intelligence.
Courtney: The success of a CSMA approach relies on the convergence of network and security everywhere. A mesh architecture needs to protect people, devices, and data on any network regardless of the edges they cross. The firewall is at the core of the approach, providing high levels of security and robust inspection for the edge at the edge to increase the speed and effectiveness of detecting threats in real time. Zero-trust methodologies must also be part of the approach because establishing identity and assessing posture is critical, and it’s more decentralized with multiple sources feeding in. Protection of the endpoint using EDR and XDR will also be necessary as the need to support increasingly connected experiences rises. A unified policy management and orchestration engine with supporting APIs must allow for many native and third-party integrations as well as meaningful automation and valuable intelligence for everything to come together. Without this unification, many organizations are unlikely to adopt CSMA and instead maintain the status quo until a compelling event forces a change.
[1] Gartner, Top Strategic Technology Trends for 2022: Cybersecurity Mesh, 18 October 2021, by Felix Gaehtgens, James Hoover, et al.
Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.