appNovi co-founder Ethan Smart on NYSI Meetup Podcast

July 14, 2022

Ethan Smart, appNovi’s Co-Founder and Chief Solutions Architect, joined David Raviv of New York State Information Security Meetup’s podcast to discuss the recently released Guide to Understanding Cybersecurity Mesh Architecture and the impact the novel strategy has on how enterprises identify security control gaps, prioritize vulnerabilities, and enable efficient non-disruptive incident response.

The transcript is below.

David Raviv

Welcome to another episode of the New York Information Security Meetup. And I have the great pleasure to introduce Ethan Smart, who’s a co-founder and chief architect for appNovi. Right? Is that correct? 

Ethan Smart

Right, that is right. Chief security architect, solutions architect. But sometimes just dishwashing officer, just an architect. 

David Raviv

Hey, so the reason why I wanted to chat with you today, and we’re doing this completely impromptu, is that I came across a great article, a whitepaper that you just released about cybersecurity mesh architecture. And let me ask you this one question. Why does it say that, you know, reading time is 15 minutes, and it took you about at least 45 to go through it? Was that speed reading? 

Ethan Smart

Either you’re just really fast or LinkedIn’s reading algorithm is just really bad. So I’m curious as to which one it is. 

David Raviv

Yeah, and especially when, you know, it’s technical, you know, technical papers, and you need to take time and digest. Yeah, and I think this is why I wanted to get on a quick call and discuss, and to allow people who don’t have the time to review and actually read the article, which I highly recommend people do, but just to give the net of it and then allow people to consume it while, you know, whether you’re shopping at Target or on the lawnmower or picking up the kids from the daily camp activities. So why don’t we just jump right into it? Ethan, talk to me about, so the article itself is specifically about cybersecurity mesh architecture, CSMA for short, that’s right. 

Ethan Smart

So we, we did not come up with CSMA, but we are big believers in it. So CSMA really is a product of Gartner. So it’s something that both Gartner has been picking up on, but the industry as a whole really has been focusing on it. And it’s because, I think about this every time I go to RSA or Black Hat, if you look out on the floor, the vendor floor, the Expo hall, there are so many vendors, and you can extend that to every enterprise and even down to insurance providers, hospitals, banks; everyone who has a cybersecurity program has too many tools. Right, and there’s been a lot of different attempts to try to consolidate all the different reporting, whether it’s in the cloud or on-prem; a lot of these tools need to be integrated in a meaningful way by maybe some of the large vendors. But even with the large vendors, sometimes there’s a best-of-breed solution that you throw in there. So you might not always go to one provider to try to solve the problem of too many tools, a lot of consoles, and a lot to manage. Centralizing reporting on posture management is hard, and up until today, what everyone has tried to do is push reporting centrally of all these tools into something like a SIEM, right? But that’s kind of inefficient because there’s only so much event and log data, you know, that you can do reporting on centrally. And so what CSMA is all about is tying all of your different security tools, regardless of vendor – regardless of the ecosystem they live in – into a single place. So that you can do posture management, whether it’s apps, cloud, on-prem, IoT, all in a single place and fully understand everything at once: what it is that your posture looks like, how well your controls are implemented, and then using that data, really centralizing that data, to enable the business. Right, let app teams move faster, get out of the way of digital transformation. Become an enabler of those things. 

David Raviv

And it’s super interesting, and I think now is the time. Maybe, I came across the Gartner official definition and even that is not simple. So let me just do that here. Gartner defines cybersecurity mesh architecture as a composable and scalable approach to extending security controls, even to widely distributed assets. Its flexibility is especially suitable for an increasingly modular approach consistent with hybrid multi-cloud architecture. CSMA enables a more composable, flexible, and resilient security ecosystem rather than every security tool running in a silo. And this is something you’re familiar with, silos. A cybersecurity mesh enables tools to interoperate through several supportive layers, such as consolidated policy management, security intelligence, and identity fabric. Should I just, you know, should I? 

Ethan Smart

Yeah, I think, I think we almost need, like, 10 seconds of silence after this one. Yeah, yeah. Let’s all just bow our heads and take a moment for the grand notion. No, really, at its core, there’s an ever-expanding attack surface. This isn’t new to any practitioners. Cloud or on-prem, it’s ever-expanding. And as you have an attack surface that expands, you have security controls across all of those things that expand. And because you have so much attack surface and so many consoles with which you’re trying to protect that attack surface, that leads to a couple of things. When it’s not centralized in a meaningful way, it’s a lot of overhead to manage. You know, how many tools do you have to upgrade if they’re on-prem, even if they’re SaaS? How many logins are you managing? How do you ensure everything’s deployed properly? So it’s a lot to manage. It’s hard to actually know what your attack surface looks like because it’s multiple controls across multiple attack surfaces and not always correlated. Without CSMA you have limited context in decision-making. So I’ll take this as an example. Let’s say you’re a US environment, like your cloud is connected with on-prem, right. And there’s an attacker that’s spreading across both of those. Teams without CSMA are looking at two different consoles thinking it’s two different incidents when it’s one. So you lack context without CSMA, and you also might not know if it’s a critical app with business data or if it’s just the cafeteria server menu there’s an incident on, right? So a lot of overhead – it’s hard to know what your attack surface is, limited context in decision making, and the number one thing is incidents take longer and vulnerabilities take longer to respond to; that’s without CSMA. And so with CSMA, you could just flip that on its head. It’s trying to do the opposite: centralize it so that you’re more agile. 
It’s easier to report and you need fewer resources, which, with the great resignation and, and all this talent gap in security, I think implementing solutions that require fewer resources is a fundamental decision-making process that CISOs are going through right now. 

David Raviv

Yeah, absolutely. And where are we collectively in this industry, in the cybersecurity industry, in terms of adopting this type of technology? You know, there’s always this maturity curve, right? So some companies have not turned on MFA yet, and then some companies have all the tools and have already figured it out. So in your view as a practitioner, where are we, kind of, in the adoption cycle of this? 

Ethan Smart

It’s a good question, right, because often when there are new things that come out, like new methodologies, new architectures, you know, you look back and people are like, well, I still haven’t enabled MFA, like, right, I’m still trying to see those are like I’m trying to convince my infrastructure team to stop using telnet, right? And so I think what is fundamentally different about CSMA that’s great is that it’s, it’s actually just a better approach on even trying to solve some of the simpler things, like centralizing your data and understanding things in context is not a heavy AI or ML use case, right? It’s a data ingestion problem and a data visualization problem. And so the barrier to embracing cybersecurity mesh architecture is a lot, lot, lot lower than if you think about something like zero trust, which requires segmentation, which as a methodology overall requires a lot more buy-in and culture change, where CSMA is just, hey, you should centralize all your data points for, for analytics, right? Like you should just know how everything works together, and posture management should be centralized. That’s a lot easier of a barrier to cross, or chasm to cross, excuse me, as opposed to something like zero trust, which is important as well. And so I think as an industry, because it’s newer, right? There’s a long way to go. We’re trying to accelerate that at appNovi by making a cybersecurity platform where it’s more plug-and-play to adopt a system-type architecture. But I know there are others that are big proponents of cybersecurity mesh architecture that are pushing it. And so I would say we’re early in the journey, but the sooner that people start adopting it and moving towards a cybersecurity mesh architecture, I think a lot of other things will start to fall into place. Even some of the basic things will fall into place faster. 

David Raviv

So let’s say I listened to this podcast and say, OK, it makes total sense. Where do I get started? Like, what kind of considerations do I need to have in terms of implementing a platform like appNovi or others? To basically get the most out of having visibility and control over the, as you mentioned, the cybersecurity mesh architecture. 

Ethan Smart

Yeah, that’s a great question. So I would say the thing that people are already doing today, regardless of technology, is most CISOs are doing a good job, when they pick any solution, regardless of whether it’s appNovi or not, of selecting solutions that are very focused on integration. Right, selecting solutions that, you know, will interoperate, share data with other solutions regardless of whether it’s under the same vendor umbrella or not. So I think that’s very important. If you’re not doing that today as a security architect, if you’re not doing that today as a CISO, someone who’s more technology-oriented, ensure that when you’re making technology decisions, your technology is very focused on interoperability with the rest of your solution stack. What I would say is an easy button is important when you are adopting a solution like appNovi, because it’s all about interoperability of what you already own. We’re not a new scanner, we’re not a new agent. It’s collecting what you already own via API, via streaming. We’re making it more meaningful, creating what we call cross-domain intelligence. So sharing what each of your tools say together, even if they’re not a security tool. Like networking data and security data, combining those things for more meaningful outcomes and more centralized posture management. And as you mentioned, the data: most of the data has been collected already by various different tools. It’s just making sense of it. And a distributed scale is the issue, right, with the various different platforms. 

David Raviv

So how do you specifically overcome that? I’m assuming that a lot of these tools spit out the data in, kind of, different, various types of formats, timing, I mean, you name it. I can’t even begin to fathom what would be the lifting associated with trying to integrate all those different data sources into one and, even further than that, making sense of it all. So how did you overcome that? 

Ethan Smart

So what you know about myself and my co-founder Joe is we’re ex-practitioners and we’re actually ex-engineers, right? So we’ve, we’ve gone through it and we’ve been developers too. So we’ve gone firsthand through the experience of our customers because we used to be them. My data in an incident is in so many formats, in so many places. A SIEM is really good at telemetry, right. But it might not necessarily have all the agent metadata from my SentinelOne or my CrowdStrike agent. Right, it’s sitting in a JSON store somewhere else. And if I want to know right away on an incident how critical it is to the business, I’ve got to go look in ServiceNow or Azure. And all of these things across XML, JSON, CSV, Kafka, and data lakes. Right, I could probably throw something in there like data marsh or something like that as well, data swamp. But it’s in a lot of places and a lot of formats, so we had appNovi really focused on including and leveraging in-product ID and other mechanisms where we can take data from anywhere in any format and then centralize it in a meaningful way. So if you have an agent, if you have a vulnerability management scan or multiple vulnerability management scanners, all those things might have data about a device having a specific CVE, and app is the only tool that will centralize that and say, by the way, all three of these tools are saying the same thing and maybe this fourth is not right. And so we’re focused on centralizing whatever types of data you have anywhere, no matter what form, being able to bring it into appNovi. And we mean anything. When we talk with our customers, we mean anything. If it’s a device, if it’s a user, if it’s a switch, if it’s a mainframe. We’ve talked to some customers about bringing in file management systems from like the 80s or early 90s, which is insane to think about. Listen, I love the 80s. Yeah, it was the best. Yeah, the best night. 
Like just insane, insanely dated dinosaur data that we’re still taking in and able to ingest and put in a correlated, meaningful way. 

David Raviv

So what does a typical deployment look like? Where do you start again? It’s all about getting the most impact in the shortest amount of time, and showing the proof of value associated with acquired technology. What does your process look like and where do you start? What are the typical applications that you onboard? 

Ethan Smart

First, it’s a good question. So I’ve heard this many, many times, from many, many vendors, but it is still so true. You cannot protect what you can’t see. And so we think a very critical piece of getting started in the journey is adding your infrastructure data. So, adding: if you have VMware, add VMware; if you have Nutanix, add Nutanix; if you’re in the cloud, add your cloud infrastructure. And then if you work back from infrastructure, you think, like, your agent, right? Usually, it’s centralized into a security agent, right. So your EDR, AV platforms, right. Adding those, and then we want to get into how those things are related. Right, so add your networking data, your flow data, add anything else that you can think of that you think is relevant, right? Security vulnerability scanners. But the core is to add what you know you have, which is infrastructure, add your security metadata, agents and scanners, and then our customers add anything else. We have some of our customers add their org charts into appNovi – we’re able to ingest that. A lot of them are adding their identity platforms, if it’s ID logging, if it’s SailPoint, if it’s any of the other vendors like Okta. Adding anything you could think of. Because of all of those things, when you’re trying to centralize reporting, centralized posture management requires fundamental pieces to be able to support that. 

David Raviv

It’s super interesting, and the problem, I think, with a lot of the aggregation of alerts is that it’s always post facto, you know, like SIEMs; it’s like something happened. You see it after it already happened. Is there something you can do with this type of mesh architecture visibility to allow the company to be proactive in terms of risk associated with the infrastructure? 

Ethan Smart

Yeah, definitely. Because it’s not just about the retrospective, right, and digging into what’s already happened. That’s certainly a piece of what we do. And SIEMs in general, it’s a problem that they were supposed to solve. But from a risk perspective, it’s certain that once you combine all your different pieces of information together and achieve what’s cross-domain intelligence, sharing networking with security, security with app teams, when you correlate those things, there are a lot of very meaningful findings that CISOs and security teams find that they did not realize that they had. And so I’ll take this as an example. We worked with a customer where they added their security data in. And so the first question they were able to answer was what devices they had that were vulnerable. And then when they added in their networking data, they realized now they know what devices are critically vulnerable that are also exposed to the internet. Right, so that just changed the way they prioritize their vulnerability management. And then they added their CMDB or system of record – I’m trying to remember which one it was exactly, probably ServiceNow. And once they added that ServiceNow data, they realized not only do we know what has a critical vulnerability, what’s exposed to the internet, but now I know which of those are crown jewel applications or storing sensitive data. So when you are combining this data in a meaningful way outside of just a log management solution, there are a lot of very meaningful, proactive risk findings you can find that you would have otherwise never been able to. 

It’s super interesting. So people buy for two reasons. One is to get closer to pleasure or get away from pain. 

David Raviv

Yeah, which one? Which category is this? 

Ethan Smart

While I would love to be a Ferrari or a Lamborghini, appNovi is really more like maybe a Honda Civic, I could say maybe like just a really economy version of Tesla, right? And so what we’re doing is solving a pain specifically, right? I would love to be like the fun thing and for pleasure and try to build the UX certainly for analysts to enjoy. But at the end of the day, these are problems that I dealt with, that Joe dealt with, in our days as practitioners. And we really wanted to solve this problem once and for all, which is understanding your data in a meaningful way, correlating in a meaningful way, and make all the decision-making far more practical and context-oriented than before. 

David Raviv

How does the CISO or the head of security justify the cost or investment associated with purchasing a platform such as appNovi? There’s a certain budget, and they already spent the money on all the various different tools, and coming back to the same well asking for more requires some magic. So can you maybe just give me an insight into how that works? 

Ethan Smart

Yeah, it’s a great question. So there are a couple of different things. When we talk about ROI with our customers, and I’ll start with the true security-oriented ones, we have noticed when we’ve worked with our customers and they have all their data combined in a single place, it’s very easy to query, and when centralized in one place we’ve cut MTTR down. Right, mean time to respond down by, by over 85% with a number of our customers. These are large telcos, large insurance providers, down to midsize, who have all shared a reduction of over 85% in response. So if you think about that in times of an incident, $1 lost per minute in a critical incident, cutting down that time by 85% is significant. So they can do the math on the ROI of 80%, 85% in an incident. The other thing is how much manual time and effort is spent on doing things like security control validation, like how many hours per week does a security engineer spend validating all his controls are in place? How much does he make hourly? And appNovi automates that. So that’s how much savings you’re going to have per week. So those are two easy ROI calculations that we talk a lot about. 

Another thing is when you combine security’s data with application teams’ data and networking teams’ data, there is also an ROI on the security team becoming an enabler of digital transformation. Because if you’re migrating to the cloud, if you’re spinning up a new application, if an application team needs to know what their network dependencies are, if a new firewall is going in, today to get all of that data, it’s spread across multiple places. If you can get to it, it’s stored in inefficient methods like tables that you have to dig through rows and rows and rows of. But appNovi is a solution that combines all those things in a meaningful way and can tell you, yeah, you can move that app to the cloud because I know exactly how many controls are implemented on-prem, how many controls will be implemented there. I can model what the risk of that will look like. I can tell you exactly what its network dependencies are because we’ve centralized that data, can visualize that data. And so security, using cybersecurity mesh architecture in general as a framework, can do that with ease and drive digital transformation as the CISO, and then certainly appNovi as a solution is aimed at doing that as well. 

David Raviv

And what about making the most out of your existing investments? You most likely already purchased the tools and are paying for them, and you’re only getting a fraction just due to the fact that it shows you the data in silos. Would you get more out of your existing investment as well?

Ethan Smart

Absolutely. So, David, you and I were having a conversation recently with a CISO. Right, and what did he say about projects? They always come in late and over budget, which results in delays and more budget. And so when you have spent a lot of money as a CISO on all your different solutions, there are two things that end up being the greatest time suck and end up turning into a loss for that expensive solution, one of which is the time to actually implement. So if you have just bought the new agent right off the shelf, it’s, it’s bright, it’s shiny, it’s amazing. It has machine learning and AI, but finding all the assets that you actually have to deploy them on and finding all the assets that are still reporting into your legacy system is a huge, huge, huge time-saving. And the second thing is, once they’re actually fully implemented across the environment, how are you continuously validating that they’re up to date, working, reporting, you know, not turned off, right, which is another huge time sink. And so what appNovi really helps you do is ensure that you have complete coverage of your tools, help accelerate the implementation of new tools with the same posture management reporting as you had before, because that abstracts, no matter what tool you’re using. I can just tell you, here’s how many assets are protected or not protected, right? So ensuring that things get implemented faster and that once they actually are implemented, you’re getting the most out of them. 

David Raviv

So how do I get smart on this cybersecurity mesh architecture? If I wanted to reach out to you or find the whitepaper on the website, what’s the easiest way to do so? And what’s the easiest way for people to reach out to you, to know more? 

Ethan Smart

So you can check out www.appnovi.com. We’ll probably link it somewhere. You can go to my LinkedIn profile. You can talk to me. It doesn’t have to be a new conversation. We can have a cybersecurity mesh architecture framework conversation. I’m happy to talk about it, not just at a solution level, but at a framework level, because it’s something I’m very passionate about. So you can certainly find me on LinkedIn and find out. appNovi is on LinkedIn; go to our website and find the white paper on cybersecurity mesh architecture. But there are other resources out there too, like cybersecurity mesh architecture is something that is going to be fundamentally important to any CISO. Someone who wants to be a difference maker or a disruptive disruptor in an organization should learn about it. And I would look at Gartner, I would look at the other tools out there other than just AV, because this isn’t just an app sales pitch, right? This framework really can enable a lot of amazing things for your organization. 

David Raviv

Thanks so much, Ethan, for spending the time with me today and enlightening us about the cybersecurity mesh architecture. Sounds like a real thought, not one of those buzzwords that are being put upon us by Gartner as an analyst. It sounds like it really can be beneficial to organizations, and putting a stop, you know, a stopgap solution for the longer term for risk posture management and making the most out of your existing tools. So until then, thank you very much all for joining us, and looking forward to seeing you at the next one. Listen up and be well. Thank you.