Event Recording

The Concepts and Technologies that Comprise Contemporary Cybersecurity Fabrics

In this keynote, we will begin by describing the current threat landscape, and then define and scope the overall set of complementary and overlapping security technologies that are available in the market today.
SASE: Secure Access Service Edge = connectivity + security
Zero Trust: access control at the network, application, identity, and data layers
EPDR, NDR, and XDR: detection & response products and integrated solutions
SOAR: Security Orchestration Automation & Response - a way to centralize existing security components, leverage best-of-breed tools, and improve incident response.
This session will set the stage for more detailed discussions of these technologies that will follow.

Well again, good morning, good afternoon, everyone. Thank you for joining us. And yeah, let's just launch right in here. Like I said, cybersecurity fabric is our way of looking at how to do a combination of frameworks and just an overall architectural principle for, you know, building a resilient cybersecurity infrastructure. So I thought it might be good to start off by taking a look at the current threat landscape, looking at some of the headlines that we've seen over the last year or so, just to kind of set the stage for why this is an important topic. So I love looking at the statistics. I think it really helps illustrate the threats that are present today, the different kinds of threats. So I gathered these from the end-of-year report from the US FBI. I thought, you know, just the sheer number of phishing reports, business email compromise, confidence scams, cryptocurrency, and then tech support fraud. I think these are illustrative of the different kinds of fraud that you see in the marketplace today. I mean, who hasn't gotten one of these voice phishing calls about tech support scams? And the last one here, 2,300 reports per day, these are just the people that take the time to make a report. I'm sure the actual number of instances of these kinds of scams is far, far higher than that.
So we have cybercrime that we have to worry about: data breaches, data theft by advanced persistent threat actors that are sometimes state sponsored, corporate espionage, all kinds of different threats that we, as IT professionals, have to defend against. And on the fraud side, it's just about any kind of company or organization out there. Obviously we think of finance because that's where the money is, but government agencies, social media, insurance, healthcare, any organization that has money or something that can be converted into currency and stolen is a potential target for cybercriminals. Then we've seen many cases over the last few years of individual data breaches that have exposed more than a hundred million users' PII, including a social media breach that exposed the PII of more than a billion users, and Cybersecurity Ventures predicts that by 2025, $10.5 trillion will be what cybercrime takes away from all sorts of different industries. So it's a huge, growing problem.
So I thought we'd start by looking at just what do we mean by cybersecurity fabric? It's building an integrated, interconnected set of security services. So our goals at a high level are: protect our infrastructure, our data, our assets; detect when something is amiss; be able to respond to that; and in many cases, if something drastic has happened, be able to recover from that. So this encompasses everything from the identity management layer, endpoint security and management, the different kinds of data, whether it be structured data in a database or unstructured documents and different kinds of files, regardless of where they're stored, whether it's hosted on a SaaS application or on premises, or maybe some hybrid combination, and then also looking at the network layer itself, the different wireless access points, corporate networks, and again, so many organizations use different aspects of cloud infrastructure today. There are many different angles that have to be considered, and then we need to wrap all of that with a governance and management layer. Managing all these disparate systems can be very difficult, and the ability to pull that together for consistent policy enforcement is really key.
So we have a number of different tools that we're gonna be hearing about today. I thought I would just group what I think are four of the most up-and-coming, or the ones that get talked about a lot. So we'll look briefly here at SASE, Secure Access Service Edge; Zero Trust; XDR, Extended Detection and Response; and SOAR, Security Orchestration, Automation, and Response. First up, let's look at XDR, extended detection and response. This is kind of a grouping of tools, many of which you've probably heard of, many of which you probably have already deployed in your environments today, but I thought we would start with looking at, on the right side, EPP and EDR. So endpoint protection, let's say that's next-generation antivirus plus additional security features. They get deployed in an agent that goes on the endpoint. About 10 or so years ago, EDR, endpoint detection and response, was another tool set that was developed to sort of go along in parallel with EPP tools, to detect compromises and be able to remediate those.
Commonly today they're sold as a package, EPP and EDR. We call that EPDR. We just released a Leadership Compass on that subject reviewing vendors; you might want to take a look at that. Then UEM, unified endpoint management. That's also an agent-based solution for managing all the different kinds of endpoints in an organization. On the other side, we see NDR, network detection and response. Not everything can run an endpoint agent, and for most effective coverage you need sensors that can look at traffic going by on the network. Cloud workload protection platforms can help with that in the cloud. DDP is a newer kind of tool, distributed deception platforms. We see these increasingly being incorporated into XDR. These are solutions that kind of mimic assets and networks and data that you may have, with the intent of drawing in attackers, keeping them away from your real resources, and then being able to study what kind of methods, tactics, techniques, and procedures the attackers use. So all of these things are kind of becoming packaged in a core XDR offering by many of the network security stack vendors out there today, but also, to keep the identity piece in mind, things like IGA, identity governance, and user behavioral analytics are important parts of XDR as well.
So, security orchestration, automation, and response. Where did that come from? Well, first up, 20 years or so ago we had SIEM solutions that came into being: security information and event management. This is a place where all applications, endpoints, and network devices would dump their logs. The data is good, but it really wasn't particularly actionable, created a lot of false positives, and made it difficult for security analysts sometimes to sort out what was the most important thing to look at. SOAR solutions came around starting maybe around 10 years ago to kind of fill in the gaps where SIEM wasn't providing the actionable intel. There were some startups that created interesting and useful technology in that area to be able to help analysts manage cases. Threat intelligence is an important part of that, getting cyber threat intelligence that pertains to each individual case. So we saw vendors in the threat intelligence portal market getting in and helping to make SOAR platforms. And now we see that becoming integrated, and we also see SIEM solution providers taking on more SOAR features.
So like I said, SOAR platforms aggregate data from all these different security systems and from the infrastructure. They help analysts with automating investigations, correlating different events from many different systems and de-duplicating them. They can be used for threat hunting in real time across an enterprise, looking for indicators of compromise. And then the R, of course, is very important: being able to respond to those threats, engaging some of these other security tools, generally via APIs. So I thought I'd show where these things fit together. You see the infrastructure and various security tools all feeding information into the SIEM. SOAR sort of operates on top of that, looking at the information gathered by the SIEM, creating cases, helping analysts to manage those cases, and pulling in real-time cyber threat intelligence. And then from the SOAR console, ideally the security analyst will be able to either take manual action or even program in automated actions to respond to different kinds of events that come up.
So let's introduce SASE, Secure Access Service Edge. I thought I'd start by describing the two major use cases that I think SASE is really best designed for, remote facilities being one. Many organizations have branch offices; they may have kiosks in different places; they may have remote manufacturing or production facilities, warehouses, even conference facilities, partners, shops, lots of different kinds of facilities that need connectivity back to either the home office or to the cloud or both. Then we also have the work-from-anywhere paradigm that's become very pervasive. VPNs have been around for 20-plus years and people have been working remotely for a long time, but the pandemic really accelerated that, and this will continue to be a common mode of production, and all the employees or contractors that need access to corporate resources regardless of their location will need some sort of solution that optimizes connectivity and security.
So what is SASE exactly? I think it's designed to address performance bottlenecks, because if you think about remote offices, you've got users that may have limited bandwidth going back to, let's say, the corporate data center somewhere and then bouncing out to get access to either applications hosted in infrastructure as a service or SaaS. So there's a lot of inefficiency with routing that increases latency. Those don't have the individual-level identity information integrated with that, may not have business context, and definitely are not really able to produce an ongoing real-time risk assessment. So SASE is really designed to be widely available, be highly scalable, provide uniform access to resources wherever they are, plus wherever the users are coming from too, and then provide that integrated security layer on top of all of that.
So we often hear in discussions about SASE, well, SASE is SD-WAN. Well, SASE has to be more than SD-WAN. So SD-WAN, software-defined wide area networking, from a security perspective only really addresses the transport layer. Yes, you can encrypt SD-WAN traffic, but you don't get the full-on security experience that we know needs to be delivered. So SASE is SD-WAN plus security services plus unified management, all of those components as well. So the design goals for SASE: provide secure end-to-end communications; provide consistent policy management and enforcement regardless of where the users are coming from. There are bits of information about the users, their group memberships and other attributes, that should be evaluated at the time of an access request, and the policies that need to be enforced need to be enforced consistently. It can add security analytics that can provide information that can then feed into customer SIEMs, and there's a need for centralized administration. You think about how managing SD-WAN or remote office connectivity plus VPNs today can be quite difficult. The idea behind SASE is to provide a central interface to be able to manage all those different kinds of access along with the access control policies.
So the components that we see as part of SASE, and we'll be evaluating SASE in a Leadership Compass later this year, are things like firewall as a service, software-defined perimeters, secure web gateways, endpoint (EPDR and UEM), DLP, data leakage prevention, cloud access security brokers, which is essentially DLP for the cloud, cloud security posture management, and then user behavioral analytics and zero trust. So with that, we'll talk about zero trust. You may have heard of zero trust before. It's an important concept in cybersecurity. We like to think of it as authentication and authorization for every resource access request.
So it is widely regarded as a critical means for protecting IT systems, data, and infrastructure. We also like to emphasize that there's no single product that you can buy that delivers all your zero trust needs. It's a design principle, a concept that needs to be implemented in all the products that you use in order to achieve zero trust. It's an approach that sort of assumes the worst, which is true: the likelihood of suffering some sort of breach, cybersecurity event, ransomware, is pretty high year over year. Many people also like to say that zero trust is based on the principle of least privilege, or say "never trust, always verify." And again, this goes down to the individual request or transaction level, and it's really a good way to start architecting cybersecurity from the ground up.
So it is a concept that can be applied as an architectural model, an architectural principle. It's about continuous verification of each user, each device, the application that may be hosting the data, and the information about what the user is trying to do, the transaction itself. So looking at a multiplicity of different factors for each access control decision, matching that against policy, and then rendering that decision in real time. As with everything else we do in cybersecurity, it's designed to make it more difficult for attackers to be successful. It's also about bringing in that identity layer that's often missing when people think about network security. It's more than just matching TCP ports at a firewall and maybe looking at header information. This is looking inside, looking at the nature of each request and the individuals behind that and the devices that are involved as well, so that the data itself can be secured and ultimately stop attacks and increase productivity.
So putting this all together, cybersecurity fabrics. I thought I'd end up with a different look at our cybersecurity reference architecture. Again, we tie back to our main goals of protecting; detecting when things are amiss, understanding when anomalous behavior is malicious, applying threat intelligence to that, getting actionable information in front of security analysts; enabling them to respond, again whether it be a manual set of actions that could be sort of predefined in a playbook or automating certain elements of the response so that analysts may not have to flip a switch to start remediating things; and in cases when things really go awry, being able to recover, which includes backup and restore. And then again, placing this all under centralized governance, centralized management, so that security operations centers can be more effective in their duties as well. And drilling down on this chart, you can see that we've got things color-coded to show which services, which solutions map up to each layer here. So with that, I'd like to conclude. If you have any questions, we may have a minute for one now, or you can certainly contact me at the address below.
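The zero trust section of the keynote describes an access decision that weighs the user, the device, the network context and the transaction itself against policy, on every request, in real time. The following is an added worked example of such a per-request policy decision point; it is not code from the keynote or from any KuppingerCole or vendor product. The policy table, the device-posture fields (managed, patched), the corporate address ranges and the risk weights are all assumptions made up for illustration.

```python
"""Per-request, policy-driven access decision in the zero-trust style.

Added example, not code from the keynote. Every concrete value here (the
policy table, the posture signals, the risk weights) is an assumption.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class AccessRequest:
    user: str
    groups: frozenset          # group memberships from the identity provider
    mfa_age_s: int             # seconds since the user's last MFA challenge
    device_managed: bool       # assumed posture signal: enrolled in UEM
    device_patched: bool       # assumed posture signal from the endpoint agent
    source_ip: str
    resource: str
    action: str                # "read" or "write"
    amount: float = 0.0        # transaction value, used by the payments policy


# Assumed policy table, one entry per protected resource. Anything absent is denied.
POLICIES = {
    "hr-db":    {"groups": {"hr"},      "max_mfa_age_s": 8 * 3600,  "managed": True,  "max_amount": None},
    "payments": {"groups": {"finance"}, "max_mfa_age_s": 900,       "managed": True,  "max_amount": 50_000.0},
    "wiki":     {"groups": {"staff"},   "max_mfa_age_s": 24 * 3600, "managed": False, "max_amount": None},
}

# Assumed corporate address space; requests from elsewhere carry extra risk.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def on_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def risk_points(req: AccessRequest) -> int:
    """Additive risk model with assumed weights: the more unusual the context,
    the more verification we require before allowing the request."""
    points = 0
    if not on_corp_network(req.source_ip):
        points += 2
    if not req.device_patched:
        points += 2
    if req.action == "write":
        points += 1
    return points


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    Hard failures (no policy, wrong group, unmanaged device, over-limit
    transaction) deny outright. Stale MFA or elevated risk asks for a fresh
    MFA challenge (step_up) instead of allowing on previously cached trust.
    """
    reasons: list[str] = []
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny", ["no policy for resource (default deny)"]
    if not (req.groups & policy["groups"]):
        reasons.append("user not in an authorised group")
    if policy["managed"] and not req.device_managed:
        reasons.append("resource requires a managed device")
    if policy["max_amount"] is not None and req.amount > policy["max_amount"]:
        reasons.append("transaction exceeds policy limit")
    if reasons:
        return "deny", reasons
    if req.mfa_age_s > policy["max_mfa_age_s"]:
        reasons.append("MFA older than policy allows")
    points = risk_points(req)
    if points >= 3:
        reasons.append(f"risk score {points} requires re-verification")
    if reasons:
        return "step_up", reasons
    return "allow", ["all checks passed"]


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"finance", "staff"}), 300, True, True,
                        "10.1.2.3", "payments", "write", 1200.0)
    print(decide(req))
```

The point of the structure is that the decision is computed per request from current signals; nothing is allowed because an earlier request from the same session was allowed, and an unknown resource or a missing posture signal falls through to deny.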
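The SOAR section of the keynote describes the pipeline in words: events from many tools land in the SIEM, the SOAR layer de-duplicates and correlates them into cases, enriches each case with threat intelligence, and then either hands the case to an analyst or triggers an automated response. The following is an added example of that triage loop over constructed events; it is not code from the keynote or from any SIEM or SOAR product. The event shape, the indicator feed and the playbook thresholds are assumptions, and the response actions are just labels that a real platform would map to an EDR or NDR API call.

```python
"""SOAR-style triage over constructed SIEM events.

Added example, not code from the keynote. The normalised event format, the
threat-intel feed and the playbook thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Constructed SIEM events, already normalised to one shape regardless of source tool.
EVENTS = [
    {"ts": 1000, "host": "ws-17", "user": "bob", "src_tool": "edr", "type": "suspicious_process", "ioc": "sha256:deadbeef"},
    {"ts": 1000, "host": "ws-17", "user": "bob", "src_tool": "edr", "type": "suspicious_process", "ioc": "sha256:deadbeef"},  # duplicate
    {"ts": 1030, "host": "ws-17", "user": "bob", "src_tool": "ndr", "type": "outbound_connection", "ioc": "198.51.100.7"},
    {"ts": 2000, "host": "ws-42", "user": "eve", "src_tool": "ndr", "type": "outbound_connection", "ioc": "203.0.113.9"},
    {"ts": 2100, "host": "ws-99", "user": "kim", "src_tool": "edr", "type": "outbound_connection", "ioc": "203.0.113.77"},
]

# Constructed threat-intelligence feed keyed by indicator.
THREAT_INTEL = {
    "sha256:deadbeef": {"malicious": True, "tag": "commodity-loader"},
    "198.51.100.7":    {"malicious": True, "tag": "c2"},
    "203.0.113.9":     {"malicious": True, "tag": "scanner"},
}


@dataclass
class Case:
    host: str
    events: list = field(default_factory=list)
    hits: list = field(default_factory=list)    # (indicator, intel tag) pairs that matched
    tools: set = field(default_factory=set)     # distinct source tools corroborating the case


def dedupe(events: list) -> list:
    """Drop exact repeats (same time, host, type and indicator), keeping order."""
    seen, unique = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["type"], e["ioc"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def build_cases(events: list) -> dict:
    """Correlate events into one case per host, in time order."""
    cases: dict = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        case = cases.setdefault(e["host"], Case(e["host"]))
        case.events.append(e)
        case.tools.add(e["src_tool"])
    return cases


def enrich(case: Case, intel: dict = THREAT_INTEL) -> Case:
    """Attach threat-intel verdicts for every indicator seen in the case."""
    for e in case.events:
        info = intel.get(e["ioc"])
        if info and info["malicious"]:
            case.hits.append((e["ioc"], info["tag"]))
    return case


def playbook(case: Case) -> str:
    """Assumed playbook: automate only when two tools independently corroborate
    malicious indicators; a single hit goes to an analyst; nothing else closes."""
    if len(case.hits) >= 2 and len(case.tools) >= 2:
        return "isolate_host"      # would call the EDR containment API
    if case.hits:
        return "open_ticket"       # analyst review
    return "close_benign"


def hunt(events: list, ioc: str) -> list:
    """Threat hunt: which hosts have ever touched this indicator?"""
    return sorted({e["host"] for e in events if e["ioc"] == ioc})


def triage(events: list, intel: dict = THREAT_INTEL) -> dict:
    cases = build_cases(dedupe(events))
    return {host: playbook(enrich(case, intel)) for host, case in cases.items()}


if __name__ == "__main__":
    for host, action in triage(EVENTS).items():
        print(host, action)
```

The threshold in `playbook` is where the "R" of SOAR gets decided: fully automated containment is reserved for the case where two independent sensors (here EDR and NDR) agree, which is the corroboration the keynote's layered EPDR plus NDR picture is meant to give you.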