A Guide to Cybersecurity Mesh Architecture (CSMA) Whitepaper

July 12, 2022

The founders of appNovi have created an educational whitepaper to help cybersecurity professionals understand cybersecurity mesh architecture (CSMA) and the benefits of implementing across the enterprise.

You can access the full whitepaper here, or read the unformatted document below.

What is Cybersecurity Mesh Architecture?

Networks always change. Whether that be through the adoption of new technologies, or in response to economic trends. The impact of COVID pushed the enterprise to an increasingly edgeless digital infrastructure that constantly changes and expands their attack surface. Enterprises responded by employing new technologies or expanding existing products across their growing infrastructure. Between work from home employees, traditional office infrastructure, and on premise and multi-cloud datacenters, the complexity of securing the attack surface through tools managed by several teams has increased.

Gartner increased its visibility and discussion on Cybersecurity Mesh Architecture (CSMA) which is expected to continue given continued sociological and technological trends. According to Gartner CSMA is “a modern conceptual approach to security architecture that enables the distributed enterprise to deploy and extend security where it is most needed.” 

Why Cybersecurity Mesh Architecture? 

Enterprises historically took the approach of selecting best-of-breed solutions for the appropriate security control implementation. EDR, Firewalls, NAC, IPS/IDS, SIEM, and more now make up the network and security tech stack. While these tools were architected to ensure a simple deployment, they are limited in interoperability with other security and networking tools which impedes effective data and alert management due to the reliance on manual data aggregation and analysis. Organizations that rely on a single large vendor’s portfolio of tools still employ a number of best-of-breed tools or niche solutions. The utilization of a diversity of tools is typical to overcome technology gaps in the large vendor tool portfolios (e.g. operational technology, IOT). The result is:

  • Increases to operational overhead (+cost)
  • Incompleteness of attack surface mapping (+risk)
  • Limited context in decision-making (+risk)
  • Longer MTTR on incidents and vulnerability response (+cost and +risk)

While separation of teams, tools, and data represent a strength in specialization, they often result in operational silos. Silos are able to focus on a particular domain of cybersecurity to identify and resolve specific types of risks and threats. Security teams span several specialized domains and must collaborate with other teams including infrastructure, networking, threat, applications, and non-technical stakeholders including leadership. When specialized teams respond to a threat, the lack of cross domain intelligence (CDI) across teams impedes efficient analysis of threats and inhibits effective communication of risk aligned to each team’s perspectives. CSMA enables CDI by abstracting complex security specializations into a commonly accessible depiction to understand all aspects of risk across infrastructure, security, identity, applications, and business importance.

CSMA also enables organizations with siloed security teams to drive greater ROI from each team’s existing investments, effectively prioritize risk based on business impact, and enable efficient non-disruptive incident response through cross domain intelligence. Meshing network and security services makes security accessible to those without specialized or technical experience, and ensures effective comprehension of risk and threats across teams and stakeholders.

The Four Common Outcomes of Not Implementing Cybersecurity Mesh Architecture 

Increased Operational Overhead

Silos of data and expertise pose a challenge. When there is nothing in place to aggregate each of these silos into a central repository (e.g. SIEM, data lake), enterprises require more personnel to analyze security events and threats. Oftentimes organizations hire less experienced analysts, each of whom must gain their own experience, and employ a volume-based approach to resolving alerts and security incidents while trying to retain existing personnel.

Without CSMA security teams must pivot between consoles and databases, remember each tool’s proprietary query language, and manually compile and analyze the data of each cyber asset to understand its connections and validate security control implementation. For security analysts this is a repetitive, tedious, and complicated process that displaces value-add risk reduction activities while disproportionately investing in simple auditing. Consider the simple effort of logging into the vulnerability management console and other cyber asset inventory management systems to retrieve data. Data sets must be merged and analyzed to identify gaps between inventories to identify unmonitored assets. Each individual data point (e.g. EDR agent deployment) adds another layer of data retrieval and analysis. Each unmonitored asset requires a ticket for remediation which includes creation and submission. Simple tasks like this create a significant challenge when the volume of security control gaps surpass remediation capabilities, meaning prioritization is then another layer of analysis.

The analyst’s only requirement of security control gap identification is to conduct a data match between all security tools’ data. One of the oldest adages in IT is if you need to do something more than once, you should automate it. Without the ability to practically implement consistent automated security gap control identification, organizations continue to expand head count and reassign highly valuable analysts to low-value add manual exercises. The most beneficial solution to this problem is providing the ability to construct predefined searches across the contextually aggregated data set automatically, and trigger appropriate outcomes to address identified security control gaps. As an added benefit, when this data is centralized and accessible, it also results in the ability to easily gain asset intelligence for security teams to reduce MTTR and mean time to containment (MTTC) of an incident. CSMA provides the ability to mesh your network and security services to automate the asset analysis and integrate outcomes with your existing remediation solution.

Broader Attack Surface and Increased Security Risk

When organizations grew beyond the perimeters of the office, each cyber asset became a potential ingress or more easily exploitable pivot point for a breach. Without a centralized repository to understand all the cyber assets on the network, the software on those assets, the vulnerabilities of each cyber asset, and how they communicate, understanding the attack surface is time consuming and often unachievable. This is a complex challenge for siloed security and network teams, as the result of approaching risk in a vacuum inhibits the ability to see the forest for the trees.

Understanding your attack surface without data convergence requires manual correlation across massive independent data sets. Beyond analysis time, significant manual analysis efforts only represent a point of time, and fall out of relevance quickly. CSMA converges your network, security, identity, application, and cyber asset data to identify and map your attack surface automatically, which results in easily identifiable changes to the network without any significant effort by analysts. When this data is converged, it means specialized teams can easily understand other perspectives on risk, such as anomalous user behavior, or network access relevant to exploitation.

Limited Context in Decision Making

When siloed teams rely on their own tools data set without the context achieved by meshing security and network services, decisions are made without business context. For example, a vulnerability management team may focus on targeting the medium and higher severity vulnerabilities while using a predictive threat intelligence tool to prioritize those that are being exploited in the wild. Enterprises with hundreds of thousands of cyber assets have millions of vulnerabilities, and will never be able to resolve all risks. Often this means that teams rely on vendor-provided risk scores, or an aggregate calculation that includes other values. Without including context across the business and network, pursuing a non-contextually relevant risk score results in ineffective risk prioritization and uncertain business impact. 

Consider the example of a critical risk vulnerability on Server A and a medium risk vulnerability on Server B. Server A’s critical vulnerability is being actively exploited by attackers, and becomes a priority based on this intelligence. Server B’s medium-risk vulnerability is more complex to exploit, is less frequently seen targeted by attackers for this reason, and is deemed less important for remediation/mitigation. Yet ask any penetration tester and they’ll tell you they target what they identify during reconnaissance, and if Server B is accessible and vulnerable it becomes an eligible target, whereas Server A may not be connected through the access necessary for exploitation and is unseen/mitigated based on network access controls. Then consider that although these two servers are objectively both vulnerable, Server A hosts the menu offering for the employee cafeteria and Server B processes payments for consumers across the northeastern US seaboard. With this context it becomes immediately clear Server B is a priority to reduce risk based on business impact. Without this type of asset intelligence and business intelligence achieved through CSMA, enterprises struggle to achieve effective risk prioritization and reduction.

The impact across teams are:

  • Vulnerability management teams decide on cyber asset priority and patches without broader business or network context
  • Security operations teams make decisions within the context of their own SOC technology stack and not the business
  • Networking teams make decisions based on routing and ambiguous IP addresses

The results are actions that have to be either rolled back due to disrupting the network or an extended time for implementation because other teams must be engaged, educated, and convinced before implementation takes place, or inaction due to uncertainty of disruption. 

One of the benefits of CSMA is the ability to share Cross Domain Intelligence or “CDI,” a term increasingly used by the US Department of Defense and Gartner. CDI allows the convergence of different knowledge and data silos to enrich each team’s processes and decision making. When network and security services are meshed, vulnerability management teams quickly identify which vulnerable assets are part of crown jewels applications and are receiving traffic that is a requirement for a specific CVE’s exploitation. This level of analysis requires domain experience across networking, vulnerability analysis, and penetration testing, but CSMA automates the data aggregation, analysis, and abstracts the results into a visual and interactive format that simplifies the complex. The outcome of implementing a CSMA is making security accessible to all, overcoming siloed specializations, and making well informed vulnerability management decisions.

Extended Mean Time To Respond (MTTR)

As a result of limited context in decision making, core tasks to the business result in exaggerated MTTR. Unexpected disruptions occur when quarantine or service suspension implications are not understood, or inaction is the only option when outcomes of changes are uncertain. Security operations that lack awareness of business critical services and applications hesitate to respond due to risks of impacting the business. The result is increased dwell time of attacks, higher probability of ransomware attacks, and unpredictable disruptions across enterprise environments.

CSMA automates security data aggregation and analysis, and enables CDI to provide an informed picture of risks and threats. Analysts reduce MTTR when they immediately identify a vulnerable server’s owner, the users of the server based on login activity, the connections of the cyber asset to other cyber assets (and which of those assets are application components), and the security events impacting the server. When cyber asset and application dependencies are understood, response actions are refined to those that will not disrupt the network.

Why use a Cybersecurity Mesh Architecture?

CSMA has benefits for every enterprise that extend to more teams than cyber security. It enables infrastructure and applications teams to be more agile and reactive as they architect and deploy new applications for the business. CSMA helps the network team maintain consistent network visibility and context regardless of changes made in the environment. Meanwhile CSMA helps the security team maintain a centralized security posture management and analytics layer. 

When CSMA is implemented, enterprise IT gains a way to:

  1. Increase agility – Reduce deployment times and accelerate digital transformation
  2. Increase resiliency – Understand interdependencies by achieving cross domain context for better uptime and recovery
  3. Increase efficiency – Allocate experienced personnel to higher-value tasks
  4. Reduce risk – Implement business-specific risk reduction programs that are unique to your network

Modern challenges necessitate Cybersecurity Mesh Architecture

With the acceleration of remote work, adoption of public and private cloud, IoT intermeshment with traditional IT, the proliferation of ransomware, and lower barrier entry for startups to challenge large enterprises, there has never been a more critical need to adopt a CSMA. The network no longer has an edge, trust is at zero, assets are proliferating and managed by different teams, and visibility is partitioned to siloed teams. Without a centralized place to assess if appropriate layers of security controls are properly implemented across the network, enterprises face a more complicated challenge in identifying and managing their attack surface than ever before.

The centralization of security control assessment enables enterprises to save operational overhead and prioritize business-impactful risk. With a centralized platform for CSMA, smaller teams achieve more, larger teams communicate and coordinate more effectively, and siloed teams leverage one another’s tools to align to risk reduction based on business impact and not by irrelevant risk scores.

Benefits of a Cybersecurity Mesh Architecture

Enablement of Cross Domain Intelligence

CDI allows teams to mesh their data together so that each team has embedded domain intelligence in their decision making processes. When CDI is enabled, security makes informed non-disruptive decisions when responding to an incident. The result of immediate accessibility and analysis of network and security services provides:

  • Cyber asset intelligence
  • Security control gap identification
  • Network connections and dependencies
  • Business and application impact of quarantine or network changes
  • Ownership of the asset for coordinated response
  • Identification of insider threats

As silos of data converge, security teams benefit from embedded intelligence to progressively provide answers to questions in the most contextual way possible. 

Accelerated Incident Response and Risk Reduction

As CDI enables maturation in the security processes, security operations are increasingly more efficient. Prior to leveraging a CSMA approach, incident response teams would have to manually correlate large data sets to answer core questions around asset intelligence, extending MTTR and Mean Time to Containment (MTTC). Consider most alerts may only have an IP address, a hostname, an interface, or in the case of an insider threat even a username. Incident cases and alerts often have very limited context and require manual enrichment. Analysts then query multiple data sources to answer questions such as:

  • What device is tied to that IP address?
  • Is the device part of a core business function or service?
  • Does the device store sensitive data?
  • Will containment lead to any business down time?
  • What devices has an affected user recently logged into?

Security teams that leverage CSMA query security data in a cohesive manner to gain immediate answers to these questions and can communicate findings effectively through visualization. The result for incident response is the reduction of analysis down to minutes from hours. Vulnerability management teams are able to prioritize assets based on business and network context, quickly identify asset owners and clearly communicate risk, and understand which vulnerabilities are the most prevalent based on network context or most important based on business applications. Scheduled cyber asset queries are meshed with specific remediation outcomes such as SOAR playbooks or ITSM tickets to eliminate manual security gap control analysis and remediation.

As a significant ROI consideration, your SIEM’s aggregated data becomes immediately usable across security teams for proactive risk reduction in addition to the more common application of reactive security. When logs are contextually converged through CSMA, it results in business-specific risk analysis, which results in prioritization of the most contextually exposed assets, and integrated or manual remediation results in reduced breach probability. Beyond a quantifiable and qualifiable risk reduction method, the general accessibility of data across teams results with technical people communicating effectively with non-technical people, and non-technical people able to communicate technical subjects with their teams.

More Agile and Flexible Infrastructure 

Leveraging CSMA ensures that your security and infrastructure tool data converges in a cohesive and structured manner for universal consumption. The result is consistent validation and enforcement of security policies. This allows for new application and infrastructure deployments to be done repeatedly and quickly at scale, while any deviations are regularly identified and automatically submitted for remediation. CSMA increases the return on investment of existing security and networking technologies by increasing the utility of the data sets without obligating analysts to manually engage with them. In sum, each monitoring and alerting solution is interwoven with one another to provide a navigable mesh of your network and security data.

How to get started with adopting CSMA?

Establish an asset inventory

The first step to achieving a CSMA is to establish a method for cyber asset management. Organizations may purchase a tool that integrates with existing tools (e.g. CAASM), build their own, or utilize a CSMA platform that provides integration capabilities. The core capability of these tools is aggregating all your cyber asset data to construct repeatable queries to identify those with gaps in security controls. Constructing a cyber asset database provides the repository of assets and attributes to have effective automated analysis of assets and their properties for attack surface identification.

Understand asset connections

Organizations maintain network traffic monitoring tools but often underutilize them due to manual analysis and difficulty to correlate them. However their traffic data becomes immediately useful without any manual intervention when converged with your cyber asset inventory to construct attack surface mapping. This enables you to identify direct and indirect dependencies of assets and their importance to business applications.

Contextualize Risk

Vulnerabilities retrieved from a SIEM, NDR, CNPP, EDR, scanner, or other tool provide the ability to automatically analyze the attack surface for the contextual exposure necessary for exploitation of assets to direct proactive risk mitigation and remediation efforts. Including security event data provides the ability to embed events in security data visualization and understand what happened, where, ingress, blast radius, and impact to business applications.

Understand ownership and application relevance

Enterprises with identity-based security controls augment their cybersecurity mesh with the context of cyber asset ownership to fully construct an understanding of network, security, application, and identity data to fully contextualize a risk. Including identity also provides security teams with the ability to identify insider threats, targeted individuals, or gaps in security controls such as domain access without MFA enabled.

How does appNovi enable CSMA?

appNovi is a Cybersecurity Mesh Architecture platform that leverages your existing infrastructure and security technology stack to accelerate your CSMA adoption. appNovi connects your existing siloes into a centralized database for easy access and usage without requiring specialization in security or proprietary query languages. A single source of truth is created by converging all your network, security, infrastructure, business, application, and identity data to provide centralized security data analytics, consolidated posture management, and dashboards of risk across all tools. 

appNovi provides major benefits for enterprises:

  1. Significant reduction in manual analysis of security data
  2. Consolidated analytics and posture management 
  3. Accelerated incident response and risk reduction
  4. Increased visibility and security accessibility through visualization
  5. Reduction in hiring and turnover costs through ease of use and CDI

About appNovi

appNovi provides cybersecurity mesh architecture by integrating with your existing network and security services. appNovi customers mesh and visualize their data for network-wide attack surface mapping, vulnerability prioritization based on business risk, and enable efficient non-disruptive incident response.