
Cybersecurity mesh, CyberSOC as a lever to reduce the cost of cyber attacks


Coupled with the digitization of financial flows and new Cloud ecosystems, the evolution of threats has challenged organizations’ highly centralized security policies. This traditional, highly siloed, top-down approach to cybersecurity can be challenged, through the concept of the cybersecurity mesh proposed by Gartner. From concept to operational reality, a modern CyberSOC is perfectly in line with these strategies aimed at limiting the impact and cost of cyberattacks.

Centralized security shows its limits

In just a few years, cyber-attacks have become one of the main risks companies face. While it is hard to estimate their overall cost, some more fragmented indicators give an idea of their impact. For example, the average ransom has gone from 50,000 to more than 200,000 dollars over the past 3 years, and the annual income of the largest ransomware groups (largely) exceeds one hundred million dollars. This trend primarily reflects the digitalization of our societies and economies: cybercriminals follow the money. It is also due to the evolution of IT infrastructures and architectures, which are more open, complex and distributed, if not fragmented, as a result of the move to Cloud and new ways of working. This offers attackers even more entry points and makes traditional cyber-defense strategies, designed for more centralized and siloed IT models, obsolete.

The cybersecurity mesh as an answer

To adapt to this new context and answer these new challenges, experts, led by the American firm Gartner, propose that companies adopt an approach called cybersecurity mesh. It aims to implement solutions that are interoperable enough to support unified governance and business processes across hybrid and/or multi-cloud assets. The idea is to simplify collaboration between the different security controls around four pillars. First, the analysis of cyber-attacks, using advanced threat intelligence and information on attacks in preparation, so that the company can adjust its detection and response mechanisms. Second, an IAM (Identity and Access Management) abstraction layer to orchestrate multiple identity domains across multiple clouds. Third, a homogeneous security posture, with identical rules and procedures applied whatever the underlying technical environment. Finally, unified views in reports and dashboards to monitor the assets and metrics that drive cybersecurity governance.

Well-informed, modern CyberSOC at the heart of the mesh

Gartner’s approach also highlights concepts that are already well known to operational security specialists. For example, having high-quality sources of threat intelligence has become vital for any security incident detection and response structure. Feeds and other CTI (Cyber Threat Intelligence) portals also underpin certain detection rules and enrich the analysis processes. The growing interest in the MITRE ATT&CK matrix, set up in 2013 to describe and catalogue adversary behaviors based on real-world observations, also illustrates the willingness of today’s SOCs to learn from the latest attacks and, more broadly, to use the attacker’s perspective to structure their activities.

Interoperability and orchestration as assets

Similarly, interoperability logic is at the heart of the orchestration and automation work carried out for several years on SOAR (Security Orchestration, Automation and Response) platforms. These allow SOCs to implement fundamentally multichannel detection, interfacing by API, well beyond SIEM and EDR, with all the tools capable of generating relevant signals: network traffic analysis probes, CASB (Cloud Access Security Broker), CSPM (Cloud Security Posture Management), mail security gateways, spam-reporting buttons, etc. They also make it possible to automate security and remediation actions on most IT infrastructures and services, making the response processes independent of the different technologies selected. For example, a newly discovered malicious IP address may be automatically blacklisted across the edge (firewalls, proxies, DNS, etc.), but also on devices with local filtering capability.
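As an added illustration of the technology-independent response described above (example code written for this page, not from the article or any SOAR product): a minimal playbook that validates one CTI indicator, refuses internal or special-use addresses so an automated block cannot cut the organization off from itself, and then pushes the block to several enforcement points through one common interface, recording a per-device outcome so a failed connector is visible rather than silently skipped. The connector classes, INTERNAL_NETS and the sample indicator values are constructed stand-ins, not real APIs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Indicator:
    value: str       # IPv4/IPv6 address as delivered by a CTI feed
    source: str      # feed name (constructed for this example)
    confidence: int  # 0-100 as reported by the feed

# Hypothetical list of the organisation's own ranges; a real playbook reads this from the CMDB.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class EnforcementPoint:  # common interface every technology-specific connector implements
    def __init__(self):
        self.blocked = set()  # stands in for the real firewall/proxy/DNS API call
    def block(self, ip):
        self.blocked.add(ip)
        return True

class Firewall(EnforcementPoint): name = "edge-firewall"
class Proxy(EnforcementPoint): name = "web-proxy"
class DnsSinkhole(EnforcementPoint): name = "dns-sinkhole"
class UnreachableEdr(EnforcementPoint):  # simulates a connector whose API call fails
    name = "edr"
    def block(self, ip):
        raise ConnectionError("EDR API unreachable")

def validate(ind, min_confidence=70):
    """Return a rejection reason, or None if the indicator is safe to push to every edge device."""
    try:
        ip = ipaddress.ip_address(ind.value)
    except ValueError:
        return "not an IP address"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
            or any(ip in net for net in INTERNAL_NETS)):
        return "internal or special-use address, refusing to block"
    if ind.confidence < min_confidence:
        return f"confidence {ind.confidence} below threshold {min_confidence}"
    return None

def block_everywhere(ind, points, min_confidence=70):
    """Run the playbook; the returned dict is the audit record, one outcome per enforcement point."""
    reason = validate(ind, min_confidence)
    if reason:
        return {"status": "rejected", "reason": reason, "results": {}}
    results = {}
    for point in points:
        try:  # one failing connector must not stop the others
            results[point.name] = "blocked" if point.block(ind.value) else "failed"
        except Exception as exc:
            results[point.name] = f"error: {exc}"
    status = "complete" if all(r == "blocked" for r in results.values()) else "partial"
    return {"status": status, "reason": None, "results": results}
```

A "partial" status is the signal an analyst should review: the indicator is blocked on some devices but not others, which is exactly the gap a mesh approach aims to close.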

In this logic of detection and extended response, Extended Detection and Response (XDR), dear to security vendors, naturally positions the SOC at the heart of mesh strategies. As to whether the cybersecurity mesh keeps its promise of reducing the impact of cyber-attacks, it is hard to conclude definitively, but it is equally hard to argue that a SOC able to detect earlier and respond faster is heading in the wrong direction.

Want to implement cyber mesh in your organization? Contact us.

22 May 2024