SASE: The path to intelligence-led Secure Access Service Edge

What a difference a year makes. As companies emerge blinking from the pandemic, their networks will look very different than they did at the beginning of 2020. Altered working practices, punctuated by a migration from the office, have changed network traffic and access patterns. Companies are already changing their security postures to cope with this new environment. As they do so, it's important to keep cybersecurity intelligence front and center.

Companies grappling with the security challenges of a distributed workforce are turning to a concept called secure access service edge (SASE). First highlighted in a Gartner research note in mid-2019, it combines cybersecurity and networking as a single entity to help manage more complex access patterns.

SASE combines key network security functions such as secure web gateway, cloud access security broker, firewall-as-a-service, and zero trust to manage access to computing resources from anywhere at any time. It does this at scale by focusing on a user's identity rather than the device that they're using. It will make access decisions automatically in the cloud by combining that identity information with a panoply of other factors that describe a user's context.

It's a fascinating service proposition, but many have omitted a critical factor that is crucial to a well-rounded cybersecurity practice: cybersecurity intelligence.

An intelligence-led approach to security complements a SASE initiative's automated access policies with data to harden cybersecurity defences. It keeps a SASE solution dynamic and relevant by constantly updating it with new threat information, managed by a dedicated security operations center (SOC) that responds quickly to emerging cybersecurity issues.

Data lies at the core of an intelligence-led approach. Cybercriminals never stand still, and neither should a company's cybersecurity operation. A robust security posture relies on an evolving picture of the threat and vulnerability landscape.

That begins with vulnerability intelligence about potential weaknesses. Companies operating a SASE initiative must monitor the virtual cybersecurity functions that make up a SASE framework, watching for signs of trouble. They must also protect the hardware and software components that users access via that framework, ranging from remote storage systems to business applications. New vulnerabilities emerge across enterprise systems every day. Mapping those weak spots to specific installed products and services will help companies to patch them quickly.

The other critical component of this intelligence-led approach is threat data. A service provider must collate and organize information about the threat actors targeting enterprise systems, whether led by organized crime, sponsored by government backers or organized by hacktivists. It will monitor these attack groups' techniques as they evolve over time. Threat intelligence also watches for new exploits that take advantage of known vulnerabilities, alongside zero-day attacks exploiting vulnerabilities that are not yet widely known.

This data comes from a mixture of sources. The service provider's internal research and development is a primary source, as is data that it picks up from daily operations. It will combine this with data from aggregated threat feeds, distilling indicators of compromise into a comprehensive, reliable source of threat information. Look for a service provider that regularly works with law enforcement to get an extra layer of quality information about emerging cyber threat conditions.

That data is processed in a cybersecurity intelligence chain that relies heavily on a highly capable 24x7 SOC. Human operators there will prioritize threats, highlighting the need for urgent patches and neutralizing the most critical threats first.

SASE projects are large, complex initiatives with many moving parts. They will involve staged deployments aligned with commercial considerations such as contract expiry dates for existing products and services. At Orange Cyberdefense, we advise folding an intelligence-led approach into your SASE solution as it unfolds, designing it in from the beginning using a three-part process.

Every SASE implementation will be different, based on the company's unique technical needs and risk profile. This early stage is the time to make a case for an intelligence-led SASE initiative among key decision-makers. Work with a service provider to build and design a reliable and consistent cybersecurity experience.

A consultant will help to assess your current posture and define the cybersecurity priorities that will inform your broader SASE initiative as it unfolds. This includes analyzing business security drivers, identifying threats, and mapping them against specific risks to the company.

Evaluating your current cybersecurity architecture will prepare you for a gap analysis, enabling you to map your existing protection measures against your SASE vision to create an architectural road map. Your consultant will help to identify the most appropriate SASE framework for your business.

During this phase, you can work with your service provider to design a SASE architecture that secures the connections between users, applications, and data. It will protect users from cyber threats regardless of their location. Use the consultant's mix of cybersecurity and network knowledge to implement the solution based on industry best practices. This architecture should include a managed cybersecurity service component that threads constantly evolving threat and vulnerability data through your SASE operations.

This final stage is where threat intelligence and managed SOC services mesh closely with the SASE solution. It is also a stage that never ends, because it repeatedly monitors and refines your cybersecurity posture. Human operators, with the help of automated cybersecurity detection and response resources in the SOC, will monitor all the components of the SASE solution and combine that telemetry with threat intelligence to spot emerging incidents early.

If there's one takeaway for organizations considering SASE, it's that this is more than a mere technology solution. It's a discipline that requires a constant feedback loop to keep protective measures tightly matched with real-world threats.

Considering vulnerability and threat intelligence in the design of your SASE initiative will help to future-proof your company against tomorrow's attacks. This will empower you to manage mounting attack vectors and malicious network traffic while seeing where the threats are coming from tomorrow, rather than what hit you yesterday.

Defining a good approach to drive your long-term SASE strategy is challenging, but we are here to help you. Click below to find our how the SASE mindset can help address your business transformation.