Watch our latest fireside chat with Doug Cahill: Cybersecurity Integrations: The ROI Black Hole

Why vendors need to enable customers’ cybersecurity mesh architecture

Cybersecurity Mesh

For anyone who lived through the late 1900s, the word “mesh” conjures an image of brightly (sometimes painfully so) colored stretchy tops that resemble a net. In the fashion world, mesh is a loosely woven fabric with a pattern of holes that makes it flexible. 

As with many things, the technology world has adopted the term “mesh” to refer to a network design with interconnecting, non-hierarchical nodes to promote flexibility and redundancy. In parallel, the cybersecurity world has adopted the phrase Cybersecurity Mesh Architecture (CSMA) to describe a unified system that integrates diverse security tools and methodologies. 

To differentiate themselves in a crowded market, security vendors must embrace the cybersecurity mesh architecture and build integrations to support their customers’ journeys. 

What Is a Mesh Architecture?

A mesh architecture is a network design in which each node, such as devices, servers, or systems, connects directly to others rather than relying on a central hub. To extend the textile to technology analogy: 

  • A mesh in fashion has holes where a mesh technology has nodes.
  • A mesh in fashion connects the holes with threads while a mesh technology connects the nodes with networks. 

A mesh architecture typically promotes:

  • Decentralized communication: Nodes can communicate directly with other nodes or through intermediate nodes. 
  • Resilience: If one connection or node fails, traffic takes alternative paths. 
  • Scalability: Adding new nodes does not disrupt the existing network. 

What is a cybersecurity mesh architecture (CSMA)?

A CSMA starts with the premise of decentralized communication, emphasizing interoperability among diverse cybersecurity tools to build a scalable framework that integrates security controls. The decentralized security architecture integrates controls across various network components, creating a modular architecture that responds to complex environments, including hybrid and multi-cloud infrastructures. 

By focusing on integrations across security products, this approach streamlines operations, reduces tool sprawl, and improves an organization’s security posture. With this vendor-agnostic architecture, security teams can create a tailored security response by combining various products and technologies. 

At a high level, a CSMA supports securing digitally transformed business models by:

  • Decentralizing security controls: Integrations across various network elements and security tools enable adaptability. 
  • Promoting integrations: Focusing on interoperability enables security teams to leverage analytics models for improved threat detection and incident response. 
  • Vendor-agnostic security management: Eliminating vendor lock-in enables a customized cybersecurity technology stack.
  • Monitoring security in real-time: Integrated tools generate real-time data across various security vectors to build resilience and ensure continuous insights. 

What Are the Five Layers of a Cybersecurity Mesh?

The CSMA framework redefines the traditional security perimeter to ensure adaptability by breaking down conventional security data silos. Each of the five integrated layers makes connecting security tools easier while emphasizing a context-aware approach for continuous monitoring. 

  1. Security Analytics Intelligence Layer (SAIL)

These technologies ingest data to enable organizations to adopt quantitative risk scoring. By leveraging data analytics, organizations gain a greater understanding of cybersecurity risk and can use it to make decisions about their programs. At this security intelligence layer, organizations should have the ability to:

  • Use native integrations to normalize data ingested from other components. 
  • Classify data to trace it back to the original source. 
  • Calculate risk scores for behaviors, activity, history, and criticality with machine learning (ML) models. 
  • Identify likely threat actor targets using data about tactics, techniques, and procedures. 
  • Suggest response actions based on available integrations. 
  • Quantify the threat landscape to reduce threat exposures. 
  • Simulate attacks against the environment using data from threat intelligence and dark web monitoring. 
  • Provide safety assurance around artificial intelligence (AI) models. 
  • Model risk across development, test, preproduction, and production environments. 
  • Incorporate third-party risk management data to drive analytical risk models. 
  1. Infrastructure Management Layer

A CSMA must have two-way communications across security, identity, and IT technology stacks. Essentially, this layer consists of application programming interfaces (APIs) that share data across the various tools for data analytics and automated response capabilities, thereby improving the organization’s security posture. 

This layer facilitates these interactions to enable:

  • Visibility and observability across all digital assets to ensure appropriate protections. 
  • Data collection to build accurate asset inventories and baseline behaviors. 
  • Direct change orchestration for faster incident response, containment, and eradication. 
  1. Distributed Identity Fabric Layer

In a digitally transformed business world, identity has become the perimeter. However, as organizations onboard more users and machines, their identity and access management (IAM) needs to grow, too. CSMA accounts for organizations’ current IAM needs and challenges while preparing for future use cases and requirements. While tool consolidation at the layer may be appealing, organizations need the flexibility that a CSMA provides as they manage emerging identities, like machine identities. 

Often, they need multiple tools to address the diverse identity and access control needs related to zero trust architectures, like:

  • Identity lifecycle management: onboarding, recovering, provisioning, and microcertifying users.
  • Authentication hubs: validating user identity and issuing access tokens. 
  • Identity threat detection and response (ITDR): protecting the infrastructure’s identity. 
  • Existing standards: including JSON Web Tokens (JWT), OAuth, and Fast IDentity Online (FIDO)
  1. Consolidated Policy, Posture, and Playbook Management Layer (PPPM)

Even the smartest technologies require directions. The PPPM layer is the centralization location for building security policies and posture configurations that drive the automations and workflows. Orchestrating configurations and translating security policies across diverse toolsets becomes even more critical as organizations integrate point products into their CSMA using APIs. 

At this layer, security teams select their policy standard framework then compare internal and external standards and frameworks to:

  • Identify the necessary policies and postures across security tools. 
  • Create playbooks. 
  • Orchestrate configurations and postures. 
  • Inform the intelligence layer about configurations and postures. 
  • Monitor security tools to ensure compliance. 
  1. Consolidated Dashboard for Operations

Ultimately, the first four layers exist to generate the dashboard layer that provides security teams with data-driven insights. Increasingly, consolidated, intelligent dashboards across various technologies offer real-time visibility by ingesting security data from various sources and applying analytics models. This layer should provide:

  • Customization for reporting. 
  • Centralized correlation across the different layers and their days. 
  • Audio and other new ways to view attacks in real-time. 
  • Map behavioral changes to known attack chains and patterns. 
  • Recommend automated response and containment activities to prevent attackers from achieving objectives. 

Why Must CSMA Be Vendor-Agnostic?

CSMA responds to a very specific customer need: the ability to choose the right technology for the organization’s use case. Increasingly, customers manage anywhere from 70 to 130 discrete tools to manage security, yet they still struggle to gain insights. CSAM’s focus on integration allows customers to choose the products that best suit their unique needs. 

Often, security teams find themselves forced to choose between the point product that solves their problem and the tools that integrate into their current vendor landscape. However, CSMA provides the way through with the ability to integrate technologies and enabling interoperability across the diverse spectrum of security controls, including:

  • Alerting and event management
  • Incident response communications
  • Vulnerability management 
  • Data storage
  • Identity and access management
  • Network security 
  • Asset management
  • Endpoint security 
  • Cloud security
  • Email security

To achieve this objective, CSMA must be vendor-agnostic as no single security vendor can provide the best-in-breed technology across all these categories. 

Why Security Vendors Struggle To Effectively Enable CSMA

Unlike traditional product categories, CSMA requires customers to integrate disparate technologies. While vendors claim their products are interoperable, many provide limited out-of-the-box integrations. 

Instead of offering vendor-agonistic options, they provide customers with a vendor-limited approach. 

Cost

The reality is that building native integrations across every security tool is overwhelmingly expensive. When organizations build the APIs internally, they have to reallocate internal developers, meaning they spend less time enhancing the core product, ultimately creating an operational cost. Simultaneously, the costs of outsourcing API integration development and the necessary ongoing maintenance have longer-term financial impacts that many organizations forget to take into account.

Technical skill

Security APIs present unique challenges that business APIs do not. Security APIs require experience with a wider array of data formats and schemas. Formats could be any of the following:

  •     Syslog
  •     JSON
  •     XML
  •     Vendor specific formats, like Palo Alto, Cisco, Microsoft Windows Event logs

Meanwhile, each schema comes with its own:

  •     Field names
  •     Structures
  •     Nesting

Instability

While any API outage is a problem, a security API that breaks can lead to customers failing to detect a potential incident. Security APIs are more fragile than business-level integrations because they are dynamic. In security, APIs often undergo updates to respond to new threats or use cases, which means they can break any time the vendor:

  • Adds new fields
  • Changes field names
  • Updates the entire log structure

Synqly: The CSMA Infrastructure Management Solution that Connects Security Tools, Securely and Cost-Effectively

The Synqly Mesh Integration Platform makes it easy for security vendors to integrate with a wide array of partners, empowering vendors to deliver the most comprehensive and effective cybersecurity solutions and elevate the collective strength of our cybersecurity ecosystem.

Synqly, built by security veterans specifically for security vendors, understands how to build and maintain security tool APIs. Our unified security API extends the value of security tools’ capabilities by aggregating multiple APIs into a single, standardized endpoint, enabling easier integration across diverse tools. 

Designed around the premise that APIs should be core to a security solution’s product, Synqly enables vendors to offer out-of-the-box integrations across any number of other security tools. As customers increasingly seek to implement CSMA across their security stack, vendors can differentiate themselves by leveraging Synqly’s platform as the infrastructure management layer that connects their solutions to other nodes across the mesh architecture. 

With our simple, secure, and scalable integrations, organizations can rapidly meet customer needs without incurring the high costs, in both time and money, associated with building integrations. 

https://www.synqly.com

Richard brings over 15 years of experience in cybersecurity product strategy, threat intelligence, and marketing to Synqly. Drawing on his extensive background, he writes about market trends, enterprise attack surfaces, and the value of seamless security ecosystems. At Synqly, Richard is focused on eliminating "integration debt" and helping vendors effectively communicate the power of a faster, more secure approach to integrations.