Credential-based attacks have reached epidemic levels. The 2025 Verizon Data Breach Investigations Report (DBIR) [1] underscores the trend: 22% of breaches now start with compromised credentials, while Check Point External Risk Management [2] found that leaked credential volumes surged 160% year-over-year. Attackers increasingly prefer to ‘log in’ rather than ‘hack in,’ leveraging a flood of exposed passwords, API keys, and tokens circulating from breaches and dark web leaks.
Africa is particularly exposed. Misconfigurations are a frequent entry point for attacks; combined with a severe shortage of skilled cybersecurity professionals and rapid digitisation, they make the continent an attractive target for cybercriminals. Check Point Research data for August 2025 found that Africa is the most targeted region, with organisations experiencing an average of 3,239 attacks per week.
For African CISOs in particular, the message is clear: identity is now the perimeter, and defences must reflect that reality with coherence and context.
The expanding credential threat
Credential abuse now goes far beyond passwords, as attackers exploit keys, tokens, and AI-driven phishing to expand risk across cloud and SaaS.
• Beyond passwords: Attackers target API keys, OAuth tokens, SSH keys, and cloud service tokens. These are bearer credentials used after authentication has already happened, so many of them bypass MFA entirely and remain valid even after a password reset.
• Infostealer malware: According to Check Point Research, families like Lumma, RedLine, and StealC surged 58% in 2024, harvesting browser-stored credentials and session tokens en masse.
• AI-enhanced phishing: Generative AI tools now craft flawless phishing emails, fake portals, and even voice-cloned calls, bypassing awareness programs and traditional filters.
Why traditional security fails: fragmentation
Credential attacks succeed because tools do not work together. Traditional security systems often operate in isolation, leaving gaps that attackers can exploit.
Siloed visibility: IdPs see logins, firewalls track traffic, endpoints catch malware, but none connect the dots. A suspicious login may be logged, but without endpoint or network context, it is dismissed.
Inconsistent policies: MFA on VPN, but not SaaS; strong AD passwords, but static API keys in the cloud. The 2024 Snowflake breach [3] exploited precisely these gaps, with attackers using stolen credentials to enter customer environments where MFA was not consistently enforced.
Slow threat sharing: An endpoint may detect infostealer malware, but the alert never reaches SaaS or the IdP quickly enough. Attackers replay stolen credentials, while defenders are still correlating logs.
Hybrid Mesh Architecture: the unified model
Fragmented defences leave gaps. A Hybrid Mesh Architecture closes them by unifying identity, policy, and threat intelligence across all environments. It blends three models:
• Gartner’s Cybersecurity Mesh Architecture (CSMA) [4]: Distributed controls with unified intelligence.
• NIST SP 800-207 Zero Trust: Continuous verification, least privilege, and adaptive access.
• Hybrid Mesh Firewalls (HMF): Combining hardware, virtual, and cloud-native enforcement into a single policy layer.
With Hybrid Mesh, identity becomes the connective tissue: a login anomaly detected by one tool automatically propagates across endpoints, firewalls, and SaaS platforms. AI-driven analytics and automation enforce real-time responses, reducing mean time to detect (MTTD) and mean time to respond (MTTR).
Hybrid Mesh is not just an architectural concept; it actively stops credential abuse. By combining prevention, remediation, and rapid response, it disrupts every stage of the attack lifecycle.
Threat prevention – one detects, all block: Prevention in a Hybrid Mesh means no tool works alone. A detection in one layer immediately triggers protection across all others.
• A phishing detection in email security propagates instantly to endpoints, firewalls, and SaaS.
• Infostealer malware detected on an endpoint automatically triggers protective policies across the mesh.
• Suspicious logins flagged by the identity provider (IdP) flow directly into network and endpoint controls.
• AI-driven continuous threat exposure management (CTEM) platforms feed internal exposures (e.g., vulnerabilities, misconfigurations) into the mesh, enabling prioritised, risk-based enforcement.
Proactive remediation – closing exposures: Hybrid Mesh with external risk management (ERM) discovers external credential exposures and enables real-time remediation, reducing enterprise risk and strengthening resilience.
Coordinated detection & response – containing the impact: Even with prevention and proactive remediation, some intrusions succeed. Hybrid Mesh responds by:
• Quarantining devices infected with malware.
• Micro-segmenting networks to block lateral movement.
• Revoking tokens to cut off session hijacking.
• Enforcing just-in-time access for privileged accounts.
Conclusion
Credential abuse will remain the attacker’s preferred weapon. From phishing to OAuth token theft, adversaries exploit weak silos and delayed responses. A Hybrid Mesh Architecture shifts the balance.
By unifying detection, enforcing consistent identity-aware policies, and automating response, it reduces risk, shortens dwell times, and empowers defenders. For CISOs, the imperative is clear: replace fragmented controls with a Hybrid Mesh to protect the enterprise at the speed attackers move.
Find out more at www.checkpoint.com
[1] https://www.verizon.com/business/resources/reports/dbir/
[2] https://blog.checkpoint.com/security/the-alarming-surge-in-compromised-credentials-in-2025/
[3] https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html
[4] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-cybersecurity-mesh-architecture-csma/
© Technews Publishing (Pty) Ltd. | All Rights Reserved.