“By 2024, organizations that adopt a cybersecurity mesh architecture to integrate security tools, so that they work together as an ecosystem, will reduce the financial impact of individual security incidents by 90%, on average.” – Gartner
In 2017, Equifax, one of the largest credit reporting agencies in the United States, suffered a massive data breach that exposed the personal information of nearly 147 million consumers. The breach resulted in estimated financial losses of over $1.4 billion, including legal settlements, regulatory fines, and remediation costs.
One of the critical factors that contributed to the Equifax breach was the lack of integration and coordination between the company’s disparate security tools. The attackers exploited a known vulnerability in the Apache Struts web application framework, which Equifax had failed to patch. Despite having multiple security tools in place, including intrusion detection systems, web application firewalls, and vulnerability scanners, the company was unable to detect or prevent the breach.
The lack of integration and communication between these security tools led to several missed opportunities to identify and remediate the vulnerability. The vulnerability scanner, for instance, did not have an up-to-date version of the Apache Struts component, which led to the vulnerability being overlooked during scans. Additionally, the intrusion detection system failed to flag the suspicious activity due to misconfigurations and a lack of proper monitoring.
If Equifax had implemented a cybersecurity mesh architecture, as recommended by Gartner, the various security tools would have been integrated into a cohesive ecosystem, working together to identify and respond to threats more effectively. This would have increased the likelihood of detecting the vulnerability and the subsequent intrusion, potentially preventing the breach and saving the company from the significant financial and reputational damage it suffered.
What is Cybersecurity Mesh Architecture?
So, what exactly is cybersecurity mesh architecture (CSMA)? It is a flexible approach to cybersecurity that combats challenging trends in the modern security environment like the growing attack surface, the end of the traditional network perimeter, and the proliferation of siloed security tools.
According to Gartner, CSMA provides four layers that enable interoperability and collaboration across an organization:
- Security analytics and intelligence
- Distributed identity fabric
- Consolidated policy and posture management
- Consolidated dashboards
These layers help take security tools and data out of silos and make them more effective as part of a cohesive security posture. In practice this means centralized policy management and orchestration, but also applying cross-domain intelligence to new contexts, such as taking risk scores from one tool and using them to assess an event detected by a different tool.
How MSSPs Can Achieve Consolidation
A good CSMA will mitigate the following risks:
- Missing relevant information because data is spread out between tools
- Missing patterns because alert structure is not standardized between tools
- Missing steps in an investigation process because SOPs are not defined
Consolidating your tools to create a mesh architecture can be achieved in a couple of different ways. One is to simply purchase an “all-in-one” suite of tools from a single vendor. These suites might comprise network, endpoint, identity, email security, and more.
Because they are made by the same vendor, they are likely to work effectively in concert. But for MSSPs, this is not always feasible. Your customers will expect you to be able to work with the best-in-class tools they prefer, not to force them into a specific toolset.
That’s why, for MSSPs, a better way to achieve consolidation and reap the benefits of mesh architecture is to deploy a vendor-agnostic solution that offers holistic automation capabilities.
In our experience, security teams that deploy a CSMA rely on five capabilities:
- A consolidated alert queue, including comprehensive case management.
- A normalized data structure to enable cross-tool data analysis.
- Flexible automations that can handle the enterprise’s use cases.
- Integrations that fill the gaps between tools.
- Environment-wide reporting, analytics, and monitoring.
With a tool that can deliver on all five, MSSPs can transform siloed security tools into a unified ecosystem that works together to mitigate the impact of individual incidents. In our work with MSSPs and enterprises, we have found that security orchestration, automation, and response (SOAR) is uniquely positioned to meet these criteria and consolidate tools that don’t have natural compatibility.
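An added example, not code from the original post or from any vendor, of the normalized data structure and cross-tool scoring described above: two constructed alert formats from hypothetical tools (an IDS and a vulnerability scanner) are mapped to one schema, and the scanner's risk score on an asset is used to re-rank the IDS event that hit that asset. Tool output shapes, severity scales and sample values are all assumptions.

```python
# Normalize alerts from two differently shaped tools into one schema, then use
# one tool's risk data to reprioritize another tool's event (CSMA-style
# cross-domain intelligence). All inputs below are constructed sample data.
from dataclasses import dataclass

# Constructed IDS alerts (hypothetical tool shape; severity 1 = high, 3 = low).
IDS_ALERTS = [
    {"dest_ip": "10.0.0.5", "src_ip": "203.0.113.9",
     "alert": {"signature": "Apache Struts exploit attempt", "severity": 2}},
    {"dest_ip": "10.0.0.7", "src_ip": "198.51.100.4",
     "alert": {"signature": "SSH brute-force attempt", "severity": 1}},
]
# Constructed vulnerability scanner findings (hypothetical tool shape).
VULN_FINDINGS = [
    {"host": "10.0.0.5", "plugin": "Apache Struts remote code execution",
     "cvss": 10.0, "patched": False},
    {"host": "10.0.0.7", "plugin": "Weak SSH cipher", "cvss": 4.3, "patched": True},
]

@dataclass
class Alert:
    source: str
    asset: str
    title: str
    score: float  # normalized 0-10 so tools are comparable

def normalize_ids(a: dict) -> Alert:
    sev_map = {1: 9.0, 2: 6.0, 3: 3.0}  # IDS 1-3 scale -> common 0-10 scale
    return Alert("ids", a["dest_ip"], a["alert"]["signature"],
                 sev_map.get(a["alert"]["severity"], 3.0))

def normalize_vuln(f: dict) -> Alert:
    return Alert("vuln_scanner", f["host"], f["plugin"], float(f["cvss"]))

def prioritize(ids_alerts: list, vuln_findings: list) -> list:
    """Build one queue of IDS events, boosting those that hit an asset with an
    unpatched scanner finding (the risk score crosses the tool boundary)."""
    open_vulns = {}
    for f in vuln_findings:
        if not f["patched"]:  # patched findings add no risk to the asset
            open_vulns.setdefault(f["host"], []).append(normalize_vuln(f))
    queue = []
    for a in ids_alerts:
        n = normalize_ids(a)
        related = open_vulns.get(n.asset, [])
        if related:
            n.score = max(n.score, max(v.score for v in related))
            n.title += " [unpatched on asset: " + "; ".join(v.title for v in related) + "]"
        queue.append(n)
    return sorted(queue, key=lambda x: x.score, reverse=True)
```

Run on the sample data, the medium-severity Struts alert outranks the high-severity brute-force alert because only its target carries an unpatched finding; in a single-tool view the ordering would have been reversed.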
SOAR platforms that Gartner refers to as “open-compatibility SOAR” don’t come with the risk of vendor lock-in that is found with other options like XDR or suite-based SOAR.