
CSMA is More Than XDR — Introduction to Cybersecurity Mesh Architecture

Is it Just Another Buzzword? Or a Building Block of CloudSec And Zero Trust?

By Z3n Ch4n · Published 2 years ago · 7 min read
Photo by Uriel SC on Unsplash

Not surprisingly, during recent meetings, customers often asked me how to manage all of their cybersecurity tools. According to the Gartner Top Security Technology Trends for 2022, I am not alone. Many CISOs have concluded that a consolidated yet distributed security architecture is essential to weather the perfect storm of cyberattacks brought on by multi-cloud and remote work.

"Consolidated yet distributed" sounds contradictory at every layer, but it is not. Let’s consider the following service-based application as an example:

  • AWS Lambda and Azure Functions serve content pages, alongside containers running on other cloud providers, including Google Cloud Run;
  • Cloudflare is being used as a CDN (Content Delivery Network);
  • Developers use Okta as an Identity services provider.

This is what customers are actually running nowadays. Just consider how many service providers and service models are in the picture. And what’s more, this is only part of the bigger picture. Protecting anything under these conditions stresses the existing cybersecurity architecture.

Therefore, it is time for a new and better approach — Cybersecurity Mesh Architecture (CSMA), which aims to remove the dependency on any one specific computing environment.

Everything is Decentralized (Workforce, Perimeter, Information, and More…)

Because of COVID, companies accelerated their digital transformation initiatives to get ahead of the curve in a battle for existence. As a result, many companies have adopted the latest technologies to enable and encourage remote working trends.

With the work-from-anywhere scenario and remote working being the “new normal,” organizations have their assets, employees, partners, and customer base globally distributed in different locations. Thus, critical data and assets are exposed outside the traditional security perimeters, making it challenging to rely on legacy controls to protect them against advanced cyber threats.

The traditional technology stack is breaking down because more teams build on microservices. They are also using blockchain and other trust models to adopt an information-centric security model that works with distributed services (key to cloud security, web3, and DevOps).

A recent Gartner report states that new attack surfaces have opened up due to the pandemic-inspired shift to remote work. Remote workers, cloud adoption, DevSecOps, IoT, and other parts of digital transformation require flexible and scalable cybersecurity strategies. The answer to this problem is a scalable, integrated, and automated cybersecurity mesh architecture.

What is Cybersecurity Mesh Architecture (CSMA)?

Gartner has identified a growing gap in interoperability between security tools. Moreover, there is wasteful overlap between multiple devices or software products, each paid for through its own licensing.

Under CSMA, each device is introduced into the infrastructure as an integrated, carefully designed part of a consolidated security posture. Gartner defines the cybersecurity mesh as a distributed architectural approach to flexible, scalable, and reliable cybersecurity control.

According to the report: “Top Security Technology Trends for 2022: Cybersecurity Mesh”, below are the four fundamental layers of a CSMA:

  1. security analytics and intelligence
  2. consolidated dashboards
  3. distributed identity fabric
  4. consolidated policy and posture management

Using key management as an example, storing a secret key in Microsoft Azure is different from doing so in AWS or Google; the options include:

  • Azure Key Vault;
  • AWS CloudHSM;
  • Google Cloud Key;
  • On-prem HSM appliance.

While each application or service is distinct, technically and operationally, they are all used to meet a similar policy goal: keeping the key or secret from being exposed or accessed without authorization. As a result, the same consolidated policy and posture management translates into different configurations and deployments in various form factors, i.e., distributed security controls.

In other words, consolidated policy and posture management translates abstract policy objectives into specific configurations on individual providers that benefit the overall security posture. For example, developers often re-use keys to access different resources and forget to keep development keys separate from production ones.

A cloud security posture management platform, for instance, can help ensure that all encryption key accesses are monitored and comply with corporate policy or security standards. It can also align configurations across different providers.
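As an added illustration (not from the article), here is one consolidated key-management policy evaluated against simplified configuration snapshots from Azure Key Vault, AWS KMS and Google Cloud KMS. The snapshot field names, the `usedBy` environment lists and the inventory are constructed assumptions that only mimic each provider's API; the point is that one policy becomes three different checks.

```python
POLICY = {
    "max_rotation_days": 365,        # keys must rotate at least yearly
    "require_access_logging": True,  # every key access must be logged
    "single_environment": True,      # a key serves dev OR prod, never both
}

def from_azure_key_vault(k):
    """Normalise an Azure Key Vault key snapshot (constructed shape)."""
    return {"id": f"azure:{k['name']}", "rotation_days": k.get("rotationDays"),
            "logging": k["diagnostics"]["auditEvent"],
            "environments": set(k["usedBy"])}

def from_aws_kms(k):
    """Normalise an AWS KMS key snapshot; rotation assumed yearly when enabled."""
    return {"id": f"aws:{k['KeyId']}",
            "rotation_days": 365 if k["KeyRotationEnabled"] else None,
            "logging": k["CloudTrailDataEvents"],
            "environments": set(k["UsedBy"])}

def from_gcp_kms(k):
    """Normalise a Cloud KMS CryptoKey; rotationPeriod looks like '7776000s'."""
    period = k.get("rotationPeriod")
    days = int(period.rstrip("s")) // 86400 if period else None
    return {"id": f"gcp:{k['name']}", "rotation_days": days,
            "logging": k["dataAccessAuditLogs"], "environments": set(k["usedBy"])}

def evaluate(key, policy=POLICY):
    """Return the consolidated-policy objectives a normalised key violates."""
    findings = []
    if key["rotation_days"] is None or key["rotation_days"] > policy["max_rotation_days"]:
        findings.append("rotation")
    if policy["require_access_logging"] and not key["logging"]:
        findings.append("access-logging")
    if policy["single_environment"] and len(key["environments"]) > 1:
        findings.append("dev-prod-reuse")
    return findings

# Constructed inventory: one policy, three provider form factors.
INVENTORY = [
    from_azure_key_vault({"name": "pay-signing", "rotationDays": 90,
                          "diagnostics": {"auditEvent": True}, "usedBy": ["prod"]}),
    from_aws_kms({"KeyId": "1234abcd", "KeyRotationEnabled": False,
                  "CloudTrailDataEvents": True, "UsedBy": ["prod", "dev"]}),
    from_gcp_kms({"name": "app-cmek", "rotationPeriod": "63072000s",
                  "dataAccessAuditLogs": False, "usedBy": ["dev"]}),
]

def posture_report(inventory=INVENTORY):
    """Map key id -> violated objectives (empty list means compliant)."""
    return {k["id"]: evaluate(k) for k in inventory}
```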

Common Languages in Cybersecurity Space

For better integration, and for all the tools to work together, they need to “talk” to each other. For example, we are familiar with the “IOC” (Indicator of Compromise) in threat intelligence sharing. Such sharing would not be possible if every vendor used its own set of indicators without standardization.

As a result, CSMA also needs common languages, such as open standards and common APIs, to support the integration of different vendors. Below are some examples of existing common standards:

  • IOC — STIX/TAXII, Sigma
  • Threat Intelligence — OpenDXL (McAfee), SCAP v2 (NIST)
  • Network — NetFlow, IPFIX
  • Authentication — SAML, OAuth, FIDO2
  • Framework — MITRE ATT&CK and D3FEND, CVSS, OWASP Top 10
  • Threat Hunting — YARA, Snort, Zeek

Suppose we need CSMA to work in a SOC environment where cybersecurity professionals are serious about security monitoring. We need a standard process to collect and correlate events and logs. To turn threat data into meaningful analytics and intelligence, we need to combine information about threats with information about assets. Therefore, not just the data exported from security devices but also other data sources, like identity and asset context information, should be standardized.

Lastly, integration is needed at every stage of the data flow for tools to work seamlessly together. As security professionals, we need to keep doing what we are doing in the short term; we can do our job using any number of products that help accomplish the four layers of CSMA described above.

As a result, organizations can align their multi-cloud and work-from-anywhere strategies while decoupling policy from its enforcement points. Adopting CSMA also helps eliminate silos in the security stack, and we will see less and less “perimeter-based” security at the later stages.

How to Do It? Think of How Zero Trust Began

Photo by Andrea De Santis on Unsplash

Just as with the adoption of Zero Trust, practitioners who understand the advantages of the CSMA model can be on the lookout for security products that support it. The endorsement of Zero Trust as a plausible architectural model has changed how cybersecurity practitioners assess and audit cloud-native companies.

Consider where the Zero Trust journey began and what it has become today. The concepts supporting Zero Trust are not new:

  • Stephen Paul Marsh coined the term “Zero Trust” in April 1994 in his doctoral thesis on computational security at the University of Stirling.
  • The complications of determining the perimeter of an organization’s IT infrastructure were highlighted by the Jericho Forum in 2003, discussing the trend that was later coined “De-Perimeterisation.”
  • In 2009, Google implemented a Zero Trust architecture referred to as BeyondCorp.
  • John Kindervag, an industry analyst at Forrester Research Inc, popularized the term “Zero Trust Network” in 2010.

Now, companies and vendors have formed around the Zero Trust architecture. It has also driven new features and innovation in existing vendors’ product portfolios and, as a result, initiatives in end-user technology organizations.

Likewise, acceptance of CSMA as a feasible architectural strategy can potentially simplify architectural discussions around multi-cloud, hybrid cloud, container security, and security orchestration and response.

Final Words

The concept of the cybersecurity mesh assumes that truly composable security services are widely available. Accordingly, these solutions feature an architecture built to scale agilely through an API-first approach. CSMA also names common frameworks for everything — from contextual and threat analytics to threat intelligence (TI), and security controls integrated via APIs.

According to Gartner’s predictions,

“By 2024, organizations adopting a CSMA will reduce the financial impact of security incidents by an average of 90%.”

A practical cybersecurity mesh architecture will demand stronger, consolidated policy management and governance. For example, it’ll be crucial to orchestrate more suitable “least-privilege” access policies, which organizations can accomplish using a centralized policy management engine with distributed enforcement.

Yet we still need some glue to stick all the available tools together. Luckily, following the recommendations in Gartner’s CSMA report, integration becomes possible through common cybersecurity languages (APIs and open standards) that carefully put the whole existing security stack into play.

---

Thank you for reading. May InfoSec be with you🖖.


About the Creator

Z3n Ch4n

Interested in Infosec & Biohacking. Security Consultant. Love reading and running.

hackernoon.com/u/z3nch4n
