A well-designed cybersecurity mesh architecture (CSMA) is composable, standardized, linked, and extensible via APIs. These characteristics make it much easier for security and security process data to be classified, segmented, and poured into machine learning (ML) systems for analysis and pattern identification.
This capability can unlock many additional and novel possibilities for making a CSMA more effective and proactive. Here are some ways that a CSMA can be paired with ML systems to improve security..
Automated Security Posture Adjustment
Imagine AI that dynamically adjusts your security posture based on current global threat landscapes, fine tuning security controls to react to emerging threats and your own specific risk profile.
If ransomware gangs are targeting medical companies, then AI systems run by those companies or by managed service providers protecting those companies can automatically ingest likely attack patterns and use them to scan log files for signs of intrusion attempts and early Indicators of Compromise.
The AI systems can also increase security measures around known penetration vectors — for example, pushing for a reset of all cloud secrets, enforcing multi-factor authentication step-ups for known target systems, or increasing the frequency of certificate rotations to reduce the chances of a man-in-the-middle attack.
An AI system that leverages the latest threat intelligence to modify posture via a CSMA could make it much harder for many types of sophisticated attacks to gain a foothold. Broadly, AI combined with CSMA could analyze the potential impacts of threats on your organization and automatically tighten security controls before the threat reaches your network.
Intelligent Asset Inventory
AI can analyze what’s discovered or monitored in CSMA and identify likely gaps in inventory coverage based on past inventories or on collective intelligence. Asset inventories of hardware and software can be challenging to get right. Asset management systems rarely capture all assets and usually have “blind spots.”
Because software development moves quickly, with new code shipping daily or even hourly in many organizations, keeping an accurate inventory of software becomes more and more challenging.
On the hardware side, trends like bring-your-own-device, the Internet-of-Things, and work-from-home make conducting accurate asset inventories that truly cover all devices exposed to the network more and more difficult. AI systems can aggregate data from existing asset inventories and study other data sources such as software code repositories, network logs, purchase orders, and more to construct a “digital twin” of organizational assets that fills in the gaps.
This AI-enhanced inventory can be used to mitigate security blind spots in the CSMA and to improve security posture. In addition, having a more accurate and comprehensive asset inventory can guide a CSMA to improve process mining by better identifying what processes to scan for and where process capture gaps may lie.
AI-Driven Cybersecurity Drills
AI can simulate sophisticated cyber-attacks based on emerging threats, providing real-world attack scenarios for training purposes. These AI-generated drills would be far more complex and realistic than standard penetration tests, continuously challenging and improving your security team's readiness.
By connecting an AI simulator to a CSMA and to current threat intelligence, AI-driven exercises could be constructed on the fly to reflect ongoing attacks — even Zero-Days recently identified in the wild that still lack a patch. The cost of setting up these drills currently is considerable.
An AI system could reduce dill setup costs considerably and even make them an ongoing part of the daily work of cybersecurity teams.
Decentralized AI-Powered Decision Support
In a CSMA environment, AI could be deployed at various nodes, helping stakeholders make independent security decisions at each point. This decentralized AI approach can lead to quicker, localized responses to threats, reducing the reliance on centralized decision-making.
We already see tools rolling for this purpose, like Microsoft’s Security Copilot. That said, a CSMA will improve any AI-powered decision support system because, as we stated in this article already, a properly constructed CSMA dramatically improves the ability of AI systems to access and analyze security data and security process behavior data.
While current generations of LLM-powered decision support tools can provide advice to security teams on how to react to specific security events, CSMA-powered decision support that includes process mining of security behaviors and response patterns could also provide suggestions on how to improve processes.
By identifying weak spots in processes, security bottlenecks, and actual behavior patterns, AI plus CSMA can provide decision support for the most important and hardest-to-fix part of security — the human element.
Smart Quarantine or
Gating of Network Segments
AI could intelligently isolate parts of the network exhibiting suspicious behavior, effectively quarantining them to prevent the spread of potential threats.
This goes beyond simple network segmentation, employing a dynamic and intelligent isolation strategy that is made possible with true software-defined networks and more flexible network operations made possible by using orchestration systems like Kubernetes.
A CSMA as a single source of truth for all network information, from global networking down to individual networking designs for microservices and small containerized applications running in Kubernetes, would provide the necessary control and intelligence point for quarantine and gating of network segments most likely to be used as vectors to spread attacks.
AI-Powered Security Process Mining
A CSMA not only pulls in network scans, vulnerability scans, and log files from endpoint detection. It also collects information from ticketing software, chat tools, and email, among other communication and coordination platforms.
These communication and coordination systems provide a blow-by-blow account of how security teams behave and interact, particularly in the face of security incidents. An AI system could analyze these information sources and identify security processes based on workflows, connections, and natural language communications.
The AI could also map these processes and human responses to different security events back to changes in security controls affected in response to the events. The AI could also accelerate post-mortems and root-cause analysis to determine if the processes followed matched the processes laid out in playbooks that security teams had built and were supposed to follow.
In other words, leveraging information from a CSMA, an AI could be used to connect the dots between disparate actions and fill in blanks that previously might have required interviews or manual review — and may not have been accurately captured. Ultimately, process mining and putting telemetry on process compliance would enable governance, risk, and compliance teams to measure adherence to proper security processes.
Taking AI+CSMA from Good to Great
The pace of attacks has quickened. The adversaries are more sophisticated. CISOs are looking to AI for an edge over the bad guys. AI is already deployed in many security controls and point solutions.
However, AI is far more powerful and useful if it is built on bigger pools of high-quality data. A properly designed and deployed CSMA offers opportunities for data aggregation and classification across the widest range of security-related activities and processes.
By aggregating both information from controls and scans and data about how security teams respond, a CSMA can provide the most holistic view of security posture to AI tools. This, in turn, makes AI tools far more effective by enabling them to understand cause and effect to a much greater degree. Pairing AI with a CSMA can, if done properly, provide CISOs with a significant advantage in their efforts to secure their organizations and manage risk.
About the Author: John Morello is the Co-Founder and CTO of Gutsy. Previously, he was the CTO of Twist lock and helped take the company to over 400 customers, including 45% of the Fortune 100, and a $.5B exit to Palo Alto Networks where he served as VP of Product for Prisma Cloud. John holds multiple cybersecurity patents and is an author of NIST SP 800-190, the Container Security Guide. Prior to Twistlock, he was the CISO of an S&P 500 global chemical company. Before that, he spent 14 years at Microsoft where he worked on security technologies in Windows and Azure and consulted on security projects across the DoD, intelligence community, and at the White House. John graduated summa cum laude from LSU and lives in Baton Rouge with his wife and two sons. A lifelong outdoorsman and NAUI Master Diver and Rescue Diver, he's the former board chair of the Coalition to Restore Coastal Louisiana and current board member of the Coastal Conservation Association.
