Cybersecurity Mesh: Overcoming Data Security Overload

A significant cybersecurity challenge arises from managing the immense volume of data generated by numerous IT security tools, leading organizations into a reactive rather than proactive approach.

Gartner projects that organizations worldwide will invest $208.7 billion in IT security and risk management tools this year alone. However, despite this significant investment, Accenture reports that 74 percent of CEOs lack confidence in their organization’s cybersecurity posture. Contrary to the longstanding belief that deploying more security solutions will inevitably enhance protection against threats, the reality can often be quite different. In fact, a significant cybersecurity challenge arises from managing the immense volume of data generated by numerous IT security tools, leading organizations into a reactive rather than proactive approach.

The expanding attack surface and mushrooming regulations (e.g., PCI DSS 4.0, NIST, FISMA, etc.) necessitate more frequent security posture assessments, resulting in the deployment of a myriad of security tools, each focused on individual attack surfaces and vectors. However, these solutions are often siloed, making it difficult for security practitioners to report on exploitability posture, identify critical business areas, and demonstrate the effectiveness of security initiatives and controls. Breaking down these silos frequently requires manual efforts to aggregate and correlate data, leading to critical issues not being addressed in a timely fashion. According to IBM’s 2023 Cost of a Data Breach Report, 67% of breaches were discovered by third parties rather than internal resources. Ultimately, the goal is to shorten the window attackers have to exploit software or network configuration flaws. While big data sets can assist in putting specific behavior into context, there are significant technological challenges to overcome.

Limitations of Today’s Security Data ETL

While security monitoring generates big data, in its raw form, it remains only a means to an end. Information security decision-making should be based on prioritized, actionable insights derived from the data. To achieve this, big security data needs to be correlated with its business criticality or risk to the organization.

Specific integrations exist between different products, often driven by vendors or occasionally by support for standards. However, a more common approach to integrating products is through Security Information and Event Management (SIEM) solutions, where a SIEM solution collects events from these products. Security Orchestration, Automation, and Response (SOAR) platforms can then orchestrate responses based on the analysis of these events. Nonetheless, not all data can be ingested by these tools, and the data that is leveraged is often stateful. Issues with attribute mapping and contextualization often lead to data quality problems, raising concerns about reliability and fidelity.

Unlocking the Power of a Cybersecurity Mesh

This is where a cybersecurity mesh architecture (CSMA) comes into play. It enables security practitioners to establish more connections between tools, allowing them to collaborate indirectly through the cybersecurity mesh, influencing each other’s functionalities. Security postures can span across different security products, and security intelligence becomes more effective and predictive. According to Gartner, organizations that adopt a cybersecurity mesh architecture to integrate security tools into a cooperative ecosystem can reduce the financial impact of individual security incidents by an average of 90%.

But how can you implement a cybersecurity mesh without incurring exorbitant costs or requiring a complete overhaul of your existing infrastructure?

Recognizing that many organizations struggle to operationalize their security tools, a new breed of technology vendors (e.g., Dassana, Avalor, Cribl, Leen, Monad, Tarsal) has emerged that offer a solution that normalizes data, adds organizational context, and attributes data to its rightful owners. This allows organizations to extract vital insights to expedite time-to-remediation, enhance the productivity of security teams, and ultimately bolster the effectiveness of security controls.

When assessing these vendors that promise to unlock the power of a cybersecurity mesh architecture, decision makers should consider the following core selection criteria:

  • Domain Expertise: As this is an emerging technology category that will attract many vendors to jump onto the bandwagon, conduct your due diligence focused on the domain expertise of the founding team members and associated subject matter experts. Align with those that encountered the challenge of managing diverse data streams from disparate security tools in the past and set out to reimagine the security data ETL (Extract, Transform, Load) process.
  • Security Data ETL Approach: To unlock the power of a cybersecurity mesh, you have to overcome the limitations of traditional data ingestion, normalization, and correlation processes. Check if the vendor is consolidating all data into a single data lake. Once the data is consolidated, a single API should suffice, simplifying maintenance considerably. Following this approach, the platform can now ingest all raw data into the data lake, offering numerous advantages and enabling deeper insights. The true innovation to look out for is in the approach to the normalization process, treating it as a content problem rather than a mapping one.
  • Time-to-Value: You don’t want to end up with yet another SIEM-like tool that simply aggregates and leaves the rest of the heavy lifting to you. Thus, assess whether the vendor provides contextualized output that delivers immediate value. You should be able to leverage either self-service analysis to query any dataset or, even more valuable, native apps that address specific use cases (e.g., risk-based vulnerability and attack surface management, security KPIs and resource planning, security control effectiveness management).
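As an added illustration of the normalize, contextualize and attribute-to-owner steps from the vendor discussion above and of the single-record-shape ETL approach in the selection criteria, here is a minimal mapping-based pipeline. It is example code written for this edit, not from the article or any vendor it names; the two tool schemas, the asset inventory and the risk weighting are constructed assumptions, and the normalizer is a plain field mapping rather than the content-driven approach the article recommends.

```python
from dataclasses import dataclass

# Constructed sample exports from two hypothetical tools with different schemas (placeholder ids).
SCANNER_A = [  # vulnerability scanner: host-centric, CVSS-scored
    {"host": "db-01", "vuln_id": "VULN-A1", "cvss": 9.8, "exploit_available": True},
    {"host": "web-03", "vuln_id": "VULN-A2", "cvss": 5.3, "exploit_available": False},
]
CLOUD_B = [  # cloud posture tool: resource-centric, word severities
    {"resource": "web-03", "check": "public_bucket", "severity": "HIGH"},
    {"resource": "lab-09", "check": "unused_iam_key", "severity": "LOW"},
]
# Constructed asset inventory (organizational context); lab-09 is deliberately absent.
ASSETS = {
    "db-01": {"owner": "payments-team", "criticality": 3},
    "web-03": {"owner": "web-team", "criticality": 2},
}
SEVERITY_TO_SCORE = {"LOW": 3.0, "MEDIUM": 5.0, "HIGH": 8.0, "CRITICAL": 9.5}

@dataclass
class Finding:                  # the single tool-neutral record shape in the data lake
    asset: str
    title: str
    base_score: float           # 0..10 regardless of source tool
    exploitable: bool
    owner: str = "unassigned"   # filled in by contextualize(); stays if asset is unknown
    criticality: int = 1        # 1 = low business impact .. 3 = crown jewel

def normalize(scanner_a, cloud_b):  # Transform: map each tool's native fields onto Finding
    out = [Finding(r["host"], r["vuln_id"], r["cvss"], r["exploit_available"]) for r in scanner_a]
    out += [Finding(r["resource"], r["check"], SEVERITY_TO_SCORE[r["severity"]], False) for r in cloud_b]
    return out

def contextualize(findings, assets):  # attach owner and business criticality from the inventory
    for f in findings:
        if f.asset in assets:
            f.owner, f.criticality = assets[f.asset]["owner"], assets[f.asset]["criticality"]
    return findings

def risk(f):  # tool score weighted by business criticality, uplifted when an exploit exists
    return f.base_score * f.criticality * (1.5 if f.exploitable else 1.0)

def by_owner(findings):  # attribute findings to the team that must act, preserving risk order
    groups = {}
    for f in findings:
        groups.setdefault(f.owner, []).append(f.title)
    return groups

def pipeline():
    return sorted(contextualize(normalize(SCANNER_A, CLOUD_B), ASSETS), key=risk, reverse=True)
```

The unknown lab-09 asset lands under "unassigned" in by_owner(), which is the inventory gap a mesh platform should surface rather than silently drop.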

Conclusion

Traditionally, extracting vital insights from the onslaught of data produced by a myriad of security tools to expedite time-to-remediation, enhance the productivity of security teams, and ultimately bolster the effectiveness of security controls has been both costly and time-intensive, often necessitating DIY projects. Unlocking the power of a cybersecurity mesh promises to overcome these limitations and finally deliver a return on investment.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.