KaaS Technical Expert Series: Cyber Security Mesh Architecture (CSMA)
Welcome to our next broadcast of the Knowledge as a Service series, where we provide technical experts to our customers and discuss interesting topics and emerging technologies that might help your organization, and that maybe you were curious about. I'm Director of Technology for Mobius Partners, and I've been working on technology solutions with clients for over 20 years, primarily with a focus on networking and security. I'm also joined by my colleague Kyle.

Hi everybody. I also am kind of an old-school techie. I've been in the industry for getting close to 30 years now, and I have worked in the majority of roles, or a plurality of roles: I've been a customer, a vendor and a partner. I think I enjoy the partner aspect the most.

I agree. I like how we get to go out and see and work in a lot of different environments, and get exposed to a lot of different approaches and technologies as part of that, which is one of the things that I think makes Mobius Partners valuable to our customers. For those of you new to Mobius Partners, we are a local solution provider in your backyard, but we have a global reach, helping our clients with their journey across the ever-changing landscape of IT. Today we're here to talk with you about Cyber Security Mesh Architecture, or CSMA as we'll call it to make it brief and add to our acronym soup in technology.

Gartner expects CSMA to be a focus of successful digital enterprises in the next 2-3 years. The cost of security breaches is real and tangible now. Before, being hacked was seen more as a possible threat that was manageable with some investment, like an insurance equation: you spend enough to protect enough. But the use of ransomware and automated hacking tools to monetize those hacking efforts has really changed the equation. Hacking used to be just for the prestige of that bad actor, so they could go back to their other online friends and say, "Look what I did, I wrote my name across somebody's website." That was enough motivation for them, but now they can make money selling data on the dark web. They can make money extorting your company not to release your data, or they can make money by making you pay to get access back to your own data. So this profit motive that has monetized security attacks really has changed the economics of security. To put it in numbers, they're expecting that organizations that adopt a CSMA approach will reduce the financial impact of security incidents by 90%, and the average cost of a security incident is measured starting at seven digits. So these are significant dollars that affect your company's bottom line, and obviously it's the reason why all of us have jobs in the IT industry.

But IT organizations tend to view their environment as silos that need protecting: networking, servers, databases, storage, identity management, etc. Hackers don't think this way, and they don't care about how your company has created your teams. They see one big shiny attack surface, and they only need one way in, and they don't care which way it is. So what are those forces that are pushing us to change our approach to security? Obviously, top of the list is going to be the advent of private, public, hybrid and multi-cloud strategies. Everybody is using cloud services to some extent; just think about the adoption of Office 365 or Salesforce, those are all out there being used. Kyle, you're obviously focused on cloud technologies for the customers that you work with. Describe what their cloud strategies are like these days.
Cloud strategies are ever evolving as more people kind of understand, or get a common understanding of, what cloud is, because everybody still sort of has their own idea of what a cloud is. Really what it boils down to is not really caring where the application resides. At the end of the day, your end users don't care as long as it's running. So whether you're building a cloud on-prem or you're using the public cloud for financial reasons, what do you want to do, OpEx as opposed to CapEx? A lot of people are actually saying that hybrid is probably the best approach, because the stuff that's in-house needs to stay in-house, whether it's for security reasons or performance reasons, but we could save some money by shifting other workloads to the cloud, or even using software as a service, where they're not even owning the infrastructure, whether it's on-prem or in the public cloud. So there is quite a shift in how people are seeing it, going from cloud first to cloud only to cloud smart, and everybody has their own way of doing things. But I think you make an extremely valuable point, which is that we all have heard about how you kind of do security when you own this stuff, but how are we going to do security now? Do we just trust that they're doing the right things out there, or are there tools that we can use to verify that? So I do have a question. You talk about ransomware, and that is a huge thing, right? Tons of money is shifting hands right now because of ransomware. But is that strictly what CSMA is for, and is that the problem that it solves?

Well, that is certainly a big one. I would say ransomware is in the headlines a lot these days, and it's one of the biggest forces in the new economics of security, but it's not just ransomware. There are all sorts of what we call persistent threats, right, existing in environments. Obviously there are still things like social engineering and phishing going on to get into enterprises and take advantage of them. So for sure ransomware is top of mind for everybody these days, but it obviously includes so much more than that, and the list isn't getting shorter; unfortunately, the list is getting longer. Another one of those forces that are pushing us to change our approach to security with CSMA is BYOD, which you don't really hear people talking about much anymore. Why did it go away? Obviously it didn't go away; it's because it's become the norm. It's not even its own topic anymore. How many people do you know who are not getting their email on a cell phone that they went and picked out themselves, that they purchased, and that they pay the monthly service for? And you also have that same thing with laptops. So a major percentage of work is getting done on devices not even owned by the organization, and maybe not even managed by the organization. Kyle, how many different devices do you use to work in some capacity? I know for me it's at least three that I'm using on a regular basis.

Three, sometimes four.
Yes, so that proliferation of devices not owned and managed by the company has definitely been a big change. Remote access has always been a factor, but work-from-home initiatives that were thought to be temporary responses to the pandemic have really taken hold and stayed with us. So our mode of working is different and has changed pretty significantly and quickly over the last two or three years. That has definitely been a big difference, and what that has taught us is that there is no edge to your network. The edge has become blurry and very hard to define. Really, the edge of your network is wherever your data sits, and it's also where your employees are sitting accessing that data, whether they're at home or sitting at a coffee shop somewhere. That is now the edge of your network.

Then there's also been a shift in philosophy for DevOps, right: shift left, to have security start early in the process and be integrated as part of the development process itself, because obviously a lot of hacks come through software defects and bugs. That has also been a key trigger for the need for automation and integration of security tools. So what CSMA really is is a change in strategy and philosophy for how you accomplish data security. It isn't a new technology that you go out and buy, like a network sensor or a security application. Security started with a focus on endpoints and the network edge, but it needs to shift to centralized administration of data with decentralized policy enforcement. Ultimately, your data needs the protection, not the devices themselves. This means refocusing attention on identity and context.

The reality is that the assumption now is that you will have a security breach, right? The question isn't if, it is when, and more importantly the question is how long it will take for you to detect the breach and contain it. In security we refer to that as dwell time, and while the numbers vary from source to source, the average time to detect a security incident is in the range of 200+ days. That's 6-9 months before an organization discovers the incident and begins responding to try to contain it and lock out the malevolent actors that have gotten in, and then also trying to figure out what happened while they were there and what they lost, and that takes a lot of additional time and cost to deal with. We've seen this many times with headline-grabbing incidents like Yahoo, Home Depot, Target and Colonial Pipeline. Some of these folks were exposed for months and months and months without knowing it while exfiltration of data was going on, and sometimes having their operations shut down, like in the case of Colonial Pipeline. So it is a real impact to businesses.

So I have a question for you, Shannon.
In the security space there are many different pillars that you have to watch out for, whether it's physical security, end-user knowledge (what they need to know so they can avoid being susceptible to phishing attacks, and training, and all that stuff), and at the same time there are all the firewalls, intrusion detection and the like. But this sounds more like it's a way of doing security, not a specific piece of technology. Or is it just trying to build a better SIEM that handles context better?

Okay, so a SIEM is definitely an important tool in the portfolio that a customer has to have, but it is not about buying any of those individual pieces and parts to bolt on. What CSMA is really about is that it gives us five tenets to work with, that we in IT can use to respond to this new reality of security. The very first of those, and arguably the most important, is that everything that you're putting in now must be API driven to allow for integration. That is key to making it all happen. This allows your ecosystem of technologies to communicate and integrate, which allows your IT staff to interact with fewer tools, and this goes back to our discussion about public, private, hybrid and multi-cloud.
These are all different areas, all with different services and applications, and you need tools and services that are API driven to allow this integration of things to happen. The second tenet, going back to the SIEM, is that you need strong analytics and intelligence. If you aren't collecting the data and analyzing it, then you're almost doing nothing. Of course SIEM tools are all about that, that's what they can provide, but it's so much more than that: everything is a potential source of security information, especially what we like to call indicators of compromise. It's applying the approach of big data to security. Next we have distributed identity management, because it's no longer just about having Microsoft Active Directory running in your data center, right? We have federation, we have single sign-on, multi-factor authentication, and cloud strategies have rendered it nearly impossible to have a single approach to authentication. Another one is consolidated policy management. While we need security across multiple tools and environments, the policies controlling access shouldn't change or be different, so you need a way to bring them all together into a single policy management system to make them available across the different tools that you're going to be utilizing in your environment. And then finally there are enriched dashboards. If you don't have analytics feeding dashboards that can be reviewed across your IT organization, then you don't really have a chance to respond to security incidents in a timely manner, and as we talked about with the numbers earlier, it obviously isn't happening in a timely manner, even with organizations that have brought a lot of resources to bear on that problem.

The major technology manufacturers have responded with offerings to address this need, and this approach does not mean you have to choose a single solution provider for your, let's call it, enterprise security fabric. There definitely are some benefits in doing so, but again, with a focus on API-enabled tools, it isn't required, and probably more importantly, there isn't a single manufacturer or provider that can do everything the best. They're all going to have gaps that you need to fill, and that's why it's so important to have those API-enabled tools to make that all happen.

This is probably triggering a lot of questions for our listeners that might have you thinking, but what do I do, where do I start? I'm suggesting that your approach should probably be to think about your security operations center, your SOC as we call it. Most larger organizations have an actual security operations center, although the maturity and effectiveness varies a lot, but smaller companies do not, which is primarily based on differences in scale and size of staffing; for them it's not realistic. So if you think about a SOC: how do I get alerts? How does my organization respond to those alerts? This gets you to start thinking about tooling and integration, and that's why it can be a very effective way to start approaching this concept of CSMA. I know a lot of our listeners may be thinking, but I don't have a SOC. Not everybody can just go out and hire seven people to sit in a SOC and respond to indicators of compromise, because on average you need seven people to cover a 24x7 shift when you include things like clock time, vacation, sick days, training, all that stuff.

Well, and we're all interconnected now globally, so your time zone doesn't matter to hackers. Security is not a daytime, business-hours function; it is 24x7. It has to be diligent and it has to be always ongoing.

But an organization can get a SOC capability without building it internally. Managed services aren't anything new to us; perhaps the MSP you work with can already provide that to you additionally, so you can be talking to them about providing that to you in some way. Also, SOC as a service is an actual thing now, so you could look into that for your organization, and if your MSP isn't able or willing to interact with your need for a SOC, you probably should be looking for one that will. And of course, we're here to help. You need a technology collaborator like Mobius Partners to help you establish a strategy and to execute on it and make that transition. So it's important not to try to take everything on yourself, and to find those trusted advisors that can help you navigate these troubled waters that we're steering through these days.

Okay, so thanks for your time. I hope you heard some useful information today. I'll wrap things up here and open up for any questions that you have. You can also reach out to us at firstname.lastname@example.org, and you'll also get an invitation to our next Knowledge as a Service podcast, where we'll talk about passwordless authentication, and yes, that's a real thing now, passwordless authentication. And also thanks to Kyle for joining. Do we have any questions sitting out there?

There is one question. I think you did touch on it pretty well, but maybe we can kind of give a specific example. If you can give any organization one call to action on where to get started...

That focus on your SOC (security operations center), which again doesn't mean you have a building with a room that looks like the Defcon war rooms that we see on TV, which actually is that way for some of the large organizations who have very security-sensitive environments. I worked for some.

Yeah, and some were pretty impressive.
I've worked for one and I've done tours of them, and they're certainly impressive, but the reality is that not everyone's going to get that kind of SOC. But SOC as a service allows someone else to build that, and you just start paying for a slice of it economically, in a way. But a SOC is also, in and of itself, a methodology and philosophy, so it's not just about a guy sitting in a chair staring at a screen. So if you haven't had discussions in your IT organization and with your executive management about how you accomplish a SOC, that's definitely a big missing part of the conversation equation. And again, once you start thinking about that, that's when you start looking at how your tools are bringing those things together, and to do that right, it has to be API driven. So those tenets that we were talking about for a cyber security mesh architecture all start to flow one after the other. To me, that one call to action would be to reach out to us or your trusted security professionals to have discussions around where you might have some gaps in this space, whether this is the right path for you, and how you can get started, because everybody is going to be slightly different.

Yeah, and it's always important to have trusted partners to work with, because the reality is that technology and security is so wide now, it touches everything. You just can't have an expert in everything, right? As much as we would all like our teams and organizations to be built that way, to have an expert in everything, it's just not realistic that you're going to be able to accomplish that. So you probably have gaps in skills also, which has been a challenge for organizations in the past five years, in that there just aren't enough people in the security realm to hire and fill these positions. And even when you work internal to an organization, your exposure to different things going on becomes more limited, and to some extent maybe you operate a little bit with blinders on. So that is one of the values that working with technology partners provides: we are seeing what other people are doing, we've seen what works, and we've seen what doesn't work, which is different for every organization. So that is always a strong recommendation, to make sure that you have a trusted technology partner to help you through these things.

Indeed. I don't see any other questions out there, so I think it's probably safe to wrap up. Thank you everybody for joining. We will make sure that this gets posted to our podcast, on LinkedIn, etc. Thank you for joining us today, and I hope you join us for our next one on passwordless authentication for the Knowledge as a Service (KaaS) podcast. And of course, again, reach out to us at email@example.com if you want more, and with that we will bring it to a close. Thanks, and we appreciate your time in joining us.