KaaS Technical Expert Series: Cyber Security Mesh Architecture (CSMA)

welcome to our next broadcast of  knowledge as a service series where we provide   technical experts to our customers and discuss  interesting topics and emerging technologies   that might help the organization and maybe that  you were curious about. I'm  Director of Technology for Mobius Partners and  I've been working on Technology Solutions with   clients for over 20 years primarily with a focus  and networking and security but I'm also joined   by my colleague Kyle. Hi everybody.  I also am kind of an old school techie I've been in the industry for getting close to   30 years now but I have worked in the majority of  roles in or a plurality of roles where I've been a customer, vendor and partner. I think  I enjoy the partner aspects the most. I agree. I like the how we get to go out and see/work in a lot of different environments

and get exposed to lot of different approaches and technologies as part of that   which is one of the things that I think  makes Mobius Partners valuable to our customers   For those of you new to Mobius Partners, we are local solution provider in your backyard but   we have a global reach helping our clients with  their journey across the ever changing landscape  of IT and today we're here to talk with you about Cyber Security Mesh Architecture or CSMA   as we'll call it to make it brief and add to our acronym soup in technology   Gartner expects CSMA to be a focus of successful digital enterprises in the next 2-3    years the cost of security breaches is real & tangible now before being hacked was seen more as   a possible threat that was manageable with some investment like a an insurance  equation. You spend enough to protect enough  but the use of ransomware and automated hacking   tools to monetize those hacking efforts has really changed the equation. Hacking used to be just for Prestige of that bad actor so they could go back to their other online friends   "look what I did and I wrote my name across somebody's website." that was  

enough motivation for them but now they can make money selling data on the dark web. They can   make money extorting your company to not release your data or if they can make money by making new   pages to get access back to your own data so this  profit motive that has monetized security attacks   really has changed the economics of security  and to put it to numbers they're expecting   that organizations that adopt a CSMA approach will  reduce the financial impact of security incidents   by 90 and the average cost of a security incident  it's measured starting with seven digits so these   are significant dollars that affect your company's  bottom line and obviously it's the reason   why all of us have jobs in the IT industry but IT organizations tend to view their environment as   silos that need protecting you know networking  servers databases storage identity management   Etc but hackers they don't think this way and they  don't care about how your company has created your   teams they see one big shiny attack surface and  they only need one way and they don't care which   way it is to get in so what are those forces that  are pushing us to change our approach in security   obviously top of list is going to be the Advent  of private public hybrid and multi-cloud strategy   everybody is using cloud services to some extent  so just think about the adoption of Office 365 or   Salesforce you know those are all out there being  used you know Kyle you you're obviously focused   in cloudy technologies for your customers that  you work with you know describe what their cloud  their cloud strategies are like these days . cloud strategies is are ever evolving   as more people kind of understand or or get a common understanding of what cloud   is because everybody still sort of has their  own idea of what a cloud is really what   it boils down to not really caring where  the application resides at the end of the day   your end users don't care as long as it's running  so whether you're building a cloud on-prem   or you're using the public Cloud for financial reasons, what do you want to do   OpEx as opposed to CapEx and a lot of people are  actually saying that hey hybrid is probably the   best approach because the stuff that's in-house needs to stay in-house for whether it's   security reasons or performance reasons but  we could save some money by shifting other   workloads to the cloud or even using software  as a service where they're not even owning the   infrastructure whether it's on-prem or in the in  the public Cloud so there is a quite a shift in  how people are seeing it going from cloud first to  cloud only to cloud smart and everybody  has their own way of doing things but I think  you make a an extremely valuable point is that   we all have heard about this is how you  kind of do security when you own this stuff but   how are we going to do security do we just trust  that they're doing the right things out there or   are there tools that we can do to verify that so  I do have a question. You talk  

about ransomware and that is a huge thing right  tons of money is shifting hands right now because   of ransomware but is is that strictly what CSMA is for and is that the problem that it solves?   well that is certainly a big one I would say  ransomware is in the headlines a lot these days   and that it's one of the biggest forces  in the new the economics of security but if it's   not just ransomware. There are all sorts of  what we call persistent threats rights existing   in environments obviously there's still things  like social engineering and phishing that are going   on to get into Enterprises and take advantage of  them so for sure ransomware is you know top of   mind for everybody these days but it obviously includes so much more than that and   the list isn't getting shorter unfortunately  the list is getting longer another one   of those forces that are you know pushing us the change in approach to security for CSMA is BYOD which you don't really hear people talking  about much anymore why did it go away no obviously   it didn't go away so because it's become the norm  right so people don't even it's not even its own   topic anymore how many people do you know  not getting their email on their cell phone that   they went and picked out themselves they purchased  it they pay for the monthly service and   so you also have that same thing with laptops so a major percentage of work is getting done   on devices not even owned by the organization  and maybe not even managed by the organization   Kyle, how many different devices to use to work in some capacity? I know for me it's at least   three that I'm using on a regular basis. Three sometimes four. yes, so that for proliferation   of devices and not owned and managed by  the company has definitely been a big change   and remote access has always been a factor but  work from home initiatives that were thought to   be temporary responses to the pandemic have really taken hold and stayed with us so our   mode of working is different and has changed  pretty significantly and quickly over the last   two or three years so that has definitely been  a big difference and what that has taught us is   that there is no edge to your network The edge has  become blurry and very hard to define really the   edge of your network is wherever your data sits  and it's also where your employees are sitting   accessing that data whether they're at home  or sitting at a coffee shop somewhere so that   is now the edge of your network and then there's  also been a shift in Philosophy for DevOps right   shift left to have security starting early on in  the process and to be integrated as part of the   development process itself because obviously a lot  of hacks come through software defects and bugs   so that has also been a key trigger for the need  for Automation and integration of security tools   and so what CSMA really is is a change in strategy  and philosophy to how you accomplish data security   it isn't a new technology that you go out  and buy like a network sensor or a Security   application Security started with a focus on  endpoints and the network edge but   needs to shift to centralized administration of  data but with decentralized policy enforcement   so ultimately your data needs the protection  not the devices themselves this means refocusing   attention on identity and context. The reality is the assumption now is that you will have  

a security breach right the question isn't if it  is when and more importantly the question is how   long will it take for you to detect the breach in contain it. In security we refer   to that as dwell time and while the numbers  vary from source to source the average time   to detect a security incident is in the range of  200+ days that's 6-9 months   before an organization discovers the incident and  begins responding to try to contain it and a lock   out their some malevolent actors that have gotten in and then also trying to figure out what happened while they were there, what did they lose and that takes a lot of additional time   and cost to deal with that and we've seen this  many times with headline grabbing incidents   like Yahoo, Home Depot, Target and  Colonial Pipeline. So some of these folks   were exposed for months and months  and months without knowing it while there was   exfiltration of data going on and sometimes you  know having their operations shut down like in   the case of a Colonial Pipeline. So it is a real impact to businesses so I have a question for   you Shannon. So in the security space there are  many different pillars that have to watch out for   whether it's physical security end  user knowledge that they need to know so they can   prevent being susceptible to  phishing attacks and and training and and all   that stuff at the same time there's all the firewalls intrusion detections and and the like but this sounds more like it's a  way of doing security but not a specific piece of   technology or is it just trying to build  a better SIM that handles context better   okay so it SIM is definitely an important  tool and the portfolio that a customer has to have   but it is not about buying any of those individual  pieces and parts to both on what   CSMA is really about is it gives us five tenants  to work with that we can respond with NIT to this   new reality of security and the very first of  those and arguably the most important is that   everything that you're putting in now must be  API driven to allow for integration so that is   key to making it all happen this allows your  ecosystem of technologies to communicate and   integrate which allows your IT staff to interact  with fewer tools and this goes   back through our discussion about you know the public, private, hybrid multi-cloud.   These are all different areas all with different  services and applications and you need tools   and services that are API driven to allow  this integration over things to happen   and the the second tenant and going back to the SIM you need strong analytics and intelligence   if you aren't collecting the data and analyzing  it then you're almost doing nothing and of course   SIM tools are all about that that's what they can  provide but it's so much more than that everything   is a potential source of security information  especially what we like to call indicators   of compromise it's applying the approach of big  data to security and next also we have distributed   identity management because it's no longer about  just having Microsoft Active Directory running in   your data center right we have Federation, we have  single sign-on, multi-backdrop indication and cloud   strategies have rendered that nearly impossible  to have a single approach to Authentication   another one is Consolidated policy management so  while we need security across multiple tools and   environments the policies controlling access  shouldn't change or be different so you need   a way to bring them all together into a  single policy management system to make   those available across the different tools that  you're going to be utilizing in your environment   the and then also finally is enriched dashboards  if you don't have analytics feeding dashboards   that can be reviewable across your it organization  then you don't really have a chance to respond   to security incidents in a timely manner and as  we talked about the numbers earlier it   obviously isn't happening in a timely manner even with organizations that have brought a   lot of resources to bear to that problem  and the major technology manufacturers    have responded with offerings to address this  need and this approach it does not mean you have   to choose a single solution provider for your  let's call it enterprise security fabric there   definitely are some benefits in doing so but  again with a focus on API enabled tools it isn't   required and and probably more importantly there isn't a single manufacturer   provider that can do everything the best they're  all going to have gaps that you need to fill and   that's why it's so important to have those  API enabled tools to make that all happen   so this is probably making our listeners trigger a lot of questions that might have   you thinking but what do I do what do where do I start? I'm suggesting that your   approach should probably be thinking about your security operations center, your SOC as we   call it and most larger organizations have  an actual security operations center although   the maturity and effectiveness varies a lot  but smaller companies do not which primarily based on differences in scale and size  of staffing for them it's not realistic   so if you think about a SOC how do I  get alerts? How do I how does my organization   respond to those alerts? This gets you to  start thinking about tooling and integration   and that's why it can be a very effective  way to start approaching this concept of CSMA and I know a lot of our listeners may be thinking  but I don't have a SOC not everybody can just go   out and hire seven people to sit in a SOC and  respond to indicators of compromise because on   average you need seven people to cover a 24x7  shift when you include things like clock time   vacation sick days, training, all that  stuff well and we're all interconnected now   globally and so your time at your time zone  doesn't matter to hackers. Security is not a  

daytime business hours functioning it is 24x7 it  has to be diligent and it has to be always ongoing   but an organization can get a SOC capability  without building it internally so managed   services isn't anything new to us perhaps  the MSP you work with can already provide that   additionally to you so you can be talking to  them about providing that to you in in some way   Also SOC as a service is an actual  thing now so you could look into that   for your organization and if your MSP isn't able  or willing to interact with your need for a SOC and you probably should be looking for one that will, and of course, we're here to help. You need technology collaborator  like Mobius Partners to help you establish   strategy and to execute on that and make that  transition so that's uh it's important to to not try to take everything on yourself and find those trusted advisors that can   help you navigate these troubled  waters that we're now steering these days   Okay so thanks for your time I I hope  you heard some useful information today I'll   wrap things up here and open up for any questions that you have you can also reach   out to us at info@mobiuspartners.com and you'll also get an invitation to our next knowledge as   a service podcast where we'll talk about passwordless authentication and yes that's   a real thing now passwordless authentication  and also thanks to Kyle for joining   Do we have any questions sitting out there?  There there is one question   I think you you did touch on it pretty well, but maybe we can kind of give a specific example. If you can give any organization one call to action on where to get started... That focus on your  SOC (security operations center) which again doesn't mean you have a building with a room that looks like the  Defcon War rooms that we we see on TV which actually is that  way for some of the large organizations   who have very security sensitive environments  I worked for some yeah and some were pretty   impressive. I've worked for one and  I've done tours of them and and they're they're  

certainly impressive but that's  the reality is that not everyone's   going to get that kind of SOC but the SOC as a service allows someone else   to build that and you just start paying for a  slice of it economically in a way but   it's you know soccer is also you know it  is in of itself a a methodology and philosophy   so it's not just about a guy sitting in a chair  staring at this screen so if you haven't had   discussions in your it organization and with your  executive management about how you accomplish   soft and you know that's definitely a big missing  part of the conversation equation and again once   you start thinking about that that's when you  start looking at how my tools are bringing those   things together and to do that right then it  has to be API driven so like now those tenants   that we were talking about for a cyber security  architecture you know all those things start to   flow on one after the other and to  me, that's the one call to action would be to   reach out to us or your trusted  Security Professionals to have discussions around   where you might have some some lacking in this space and if this is   the right path for you and how you can get started because everybody is going to be slightly different advisor yeah and it's always  important to have trusted partners to   work with because the reality is  technology and security is so wide now   it touches everything - you just can't have  an expert in everything right as much as we would   all like you know our teams and organizations to  be built that way to have an expert everything   it's just it's not realistic um that you're going  be able to accomplish that so you probably have   gaps and skills also you know which has been a  challenge for organizations in the past you   know five years is that there just aren't enough  people in the security realm two to hire and   fill these positions and even when  you work internal to an organization right here   your exposure to different things  going on becomes more limited right and to some extent maybe you operate a little  bit with blinders on and so that is one of the   values that working with technology partners provides is they we are seeing what   other people are doing we've seen what works we've seen what doesn't work which  is different for every organization so that is  always a strong recommendation is to make sure   that you will have a trusted technology  partner to help you through these things indeed I don't see any other questions  out there so I think it's probably safe   to wrap up thank you everybody for for  joining we will make sure that    this gets posted to our podcast, on LinkedIn, etc  Thank you for joining us today and I hope you join us for our next one on passwordless authentication for Knowledge as a Service (KaaS) podcasts and of course again reach out to us at info@mobiuspartners.com if you want more   and with that we will bring it to a close. Thanks and we appreciate your time for joining us.

2023-02-18 14:48

Other news