The term “fabric” originally described a means of creating and using malleable data and applications that could move to any corner of the enterprise. But consider whether an enterprise fabric should be applied to siloed security solutions, too.
Just what is a security fabric, and how do you implement it? First, it’s important to clarify terminology.
Depending upon which security vendor you talk to, an overarching security fabric that covers your entire enterprise could also be referred to as a “mesh” or a “framework.” Each attempt to address the same challenge: Implementing security in a way that breaks down security silos and covers every inch of IT, from edge devices to the corporate data center.
Reaching this goal isn’t easy. In the first half of 2022, there were 236.1 million malware attacks and 623.3 million ransomware attacks worldwide. Phishing attacks eclipsed 500 million in 2022. Suffice it to say that hundreds of thousands of bad actors who are working 24/7 around the world had a field day finding holes in IT networks.
Here’s how they did it: They exploited the poor security habits of users who inadvertently ushered security attacks through the door; and by exploiting holes in network, system, and data security that IT hadn’t filled.
The technical issue of leaving holes open in IT infrastructure that bad actors exploit exists in most enterprises. One reason is that security software and solutions are often purchased on a one-off basis to meet specific needs. When security solutions are purchased piecemeal, it’s easy to leave holes open because you’re not looking at the big picture. Plus, you probably don’t have a budget that allows you to view that big picture. Instead, you do the best with what you have.
A second issue that impairs the development of a corporate-wide security fabric is limited IT expertise regarding what would be needed to run a fabric.
NIST estimates in a report that there is a worldwide shortage of 2.72 million security professionals. The NIST research also cites soft skills (54%) as the most glaring skill that security professionals lack.
IT departments that can’t procure outside talent can mentor and cross-train personnel who already are on staff. IT should also cross-train users who are now being asked to monitor and maintain IT assets that exist in user areas at the edges of enterprises. However, this training is likely to focus on technical skills. It still doesn’t address the soft skills that many technically oriented individuals lack.
Building a Security Fabric
An IT security fabric must accomplish three things:
1. IT must be an overall architecture that is capable of covering every entry point into an enterprise’s IT assets, and not a collection of piecemeal solutions.
What does this mean? When you begin to think “fabric,” you’re no longer focused on one-off, siloed security solutions that patch specific problems when they arise. Instead, you should be identifying an overall security architecture for your company and the expertise, policies, and tools that you need to implement and sustain it.
This quickly can evolve into a six-figure (or more) security investment, and not all companies can afford that.
That’s why security mesh solutions and expertise are offered from cloud-based vendors (Fortinet, Checkpoint, etc.) that can step in with both security fabrics and knowledge. The cloud payment model also gets you away from the large capital investments that your company can’t afford.
2. IT must address the outside environment (e.g., cloud, business partners, the corporate supply chain, etc.) as well as internal security.
What does this mean? A chain is only as strong as its weakest link. So, if your purchasing department hires a supplier that practices lax security and doesn’t vet its data or systems, and that data moves into your network, you might suddenly find yourself under a malware attack, The same goes for IT vendor-partners, particularly those that sell Internet of Things (IoT) sensors, cameras, and other devices. Often, these devices arrive with wide-open security presets. Those will let anything in unless IT has a policy/procedure in place to review and set security to enterprise standards before any incoming devices are dispatched.
Equally important is your security mesh. Is it global, covering all cloud and outside ecosystems that your company interfaces with as well as your internal IT assets? If your mesh fails to do this, it isn’t a complete mesh.
3. A security mesh is about people and policies, too.
What does this mean? In late 2021 97% of corporate executives interviewed in a survey by security provider Egress said they were concerned about employee security breaches..
Employee data breaches often result from errors like opening an email link from a source that seems to be trusted but is a phishing attack. In other cases, employee data breaches can be the work of hostile employees who are willfully trying to disrupt networks or make off with intellectual property.
Training employees in sound security techniques and behaviors, auditing these behaviors with regular social engineering audits, and teaming with chief executives, HR, and user department managers all should be on IT’s security mesh agenda. This is where the development of soft skills, such as excellent communications and being able to train, factors in for an effective security strategy.
What to Read Next:
6 Worthless Security Tactics That Won't Go Away
AI: It's the New Security Frontier
Security Top IT Investment Priority in 2023