Hello, good afternoon, good evening, or good morning, wherever you are, and welcome to everybody, and thank you for joining this session on Cloud Early Warning Systems from CSPM to CNAPP. My name is Mike Small, and I'm a Senior Analyst with KuppingerCole, and my co-presenter today is Andre Rall, who is Director of Cloud Security at Uptycs.
So, in terms of housekeeping, you, the participants, will all be muted centrally, and we will control this. There is no need for you to do anything yourself.
However, if you have any questions, then the best way to deal with them is to input them through the Q&A panel that you will see on the right of your screen. We're recording the webinar, and the recording of the presentation will be available in the days following this presentation.
We're also going to run some polls, and you will be able to use these polls whilst the presentation is taking place, and when I start the poll, you'll be able to input to it, and then you'll get a message saying that the poll has closed, and hopefully, we'll have time to be able to talk about the results at the end. So, the first poll is, what is the biggest security challenge in your hybrid multi-cloud environment? You should now see a poll window that has popped up, and you can pick which of the answers you would like. Do you think that the biggest problem is understanding the real risks?
Is the problem to do with complexity? Is it not managing the shared responsibility aspects of cloud security? Is it inconsistency of tools, or is it a lack of transparency of the controls?
Well, while you're thinking about your answer, we will carry on. In terms of the way the presentation is going to run, I will be presenting for the next 20 minutes or so on why cloud services need dynamic rather than static controls, and then following that, my colleague, Andre Rall, will talk about the benefits of using a simple platform, and hopefully, we will have 15 or 20 minutes available for Q&A at the end.
So, what has driven all of this? The answer is digital transformation. Organizations have been racing, under various kinds of pressures, including those that came from COVID and worldwide shortages, to become smarter, to become better connected with their customers, and to be more efficient and effective.
However, digital transformation is about using the cloud, and it depends upon the cloud, to enable this agile and business-led change through flexible development that is responsive to immediate feedback and can quickly be adapted to meet the requirements of the customers, rather than predefined, never-delivered software. This digital transformation depends upon the cloud, and the use of cloud services brings with it some new risks as well as some different ways in which old risks become manifest.
So, when you look at the issues at a business level, and I think it's important to understand this at a business level, because people often get deep into the technology, there are only really three things that matter. Most organizations are concerned about being compliant and the cost of compliance failures. Organizations want to keep their data secure, so data breaches are bad for your customers, they're bad for your intellectual property, and they are bad for your reputation. And finally, last but not least, is business continuity.
As organizations have become more and more dependent upon their digital services, they become more, if you will, at risk if those services are interrupted in any kind of way, and ransomware and hackers have recognized this vulnerability as a deep and rich vein to mine to attack your systems, and of course the cloud is all-pervasive. So, to give you one of the more specific challenges that comes from the use of virtual and cloud services: infrastructure is no longer physical, infrastructure is code.
It started with software-defined networks, and cloud services are effectively software-defined services. Now, when I had a server that sat in my office or in my data center, I had physical control over it. When you have a virtual server or a virtual resource inside a virtual environment, that resource has to have entitlements, it has to have access rights, which prevent other people using the physical infrastructure from getting at your resource, and which allow your resource to access the things that it needs. And here is an example of how this went wrong.
Capital One was ultimately fined because of a data breach which worked like this: someone figured out how to get into a virtual server because there was a misconfigured web access firewall, which should have prevented customer or administrator access, but they were able to get in.
Once they got in, they found that the VM that was running this had been configured with excessive entitlements, which is quite common, because what is important is that you want the system to run, so it's better to give more entitlements rather than less, but that's a security risk. And those entitlements were used by the hacker to access the data in S3, which was encrypted, and because they had these entitlements, they could do that. So here is one example of a new kind of risk that comes from virtual systems and cloud virtual services.
So these challenges include more than just that. There are other challenges, and one of them is shared responsibility. There has been a lot of confusion in some organizations and some people's minds about who is responsible for what. And whilst there were early concerns that the security problem was going to be the cloud service provider failing to provide a secure service, what has actually happened is that the responsibilities of the users of those services have not been fully met.
That is to say that cloud service tenants have not properly controlled access to the services that they use. They have loaded applications which contained vulnerabilities and misconfigurations which made the use they were making of the cloud vulnerable, and they were not properly configuring the whole of their use of these virtual services. And so understanding this division of responsibilities is critical to a secure cloud deployment. Another challenge that comes from the use of cloud is that each of the cloud services tends to provide some tools.
And whilst these tools are perhaps very good and very tuned to the individual service, those tools are specific. So the tools that you need to configure AWS are different from the tools that you need to secure Google Cloud, or the tools that you need for Azure, or for OpenStack, or for VMware. All of those tools are different, and that leads to an ad hoc approach. The same problems exist in each of the different environments, the same risks exist, the same kinds of vulnerabilities exist, but you have a different tool and a different way of dealing with them.
And this leads to ad hocery. Now one of the solutions to this is what I would call cloud acronym soup. The vendors of cloud security tools recognized that there were holes, and so they came up with solutions. So you have cloud infrastructure entitlement management, or CIEM, which is to deal with controlling cloud infrastructure entitlements. You have cloud workload protection platforms that are looking at controlling the vulnerabilities in the virtual services, including containers, Kubernetes, and servers.
Then you have cloud extended detection and response, looking at threats and how to detect them when they are working their way through your cloud services, how to block them, how to remediate them, and how to respond to them, as well as helping you to improve security hygiene. And finally, there was this thing called cloud security posture management, which was going to give you a kind of governance and risk reporting for your use of the cloud. So you just wanted one solution, but what you got was many, and they are not integrated.
If they're from different vendors, they could all have different user interfaces and different ways of working. What is needed is a consistent single platform that covers the whole multi-cloud environment, including all of the different kinds of functionality that you need, including things like data security as well as Kubernetes posture management. That is what we believe is needed. So this cloud security platform that we're talking about should have a set of capabilities.
And our view as analysts is that the fundamental capabilities these should provide are, first, some form of inventory that allows you to see what needs to be secured. This is important because cloud environments are incredibly dynamic, with services and servers being instantiated and destroyed within milliseconds. You can only secure what you know you have. They need to provide visibility of what the risks are and what the threats are to those different virtual resources.
Now, since these virtual resources are dynamic and created as required in milliseconds, you don't have time in the cloud to implement security by post-instantiation scanning. You have to have some kind of guardrail that prevents you from getting vulnerabilities exposed in the first place. This effectively means policy-based controls that prevent the creation of resources with vulnerabilities that you don't want. And it should have integrated coverage of all of the areas.
And so this picture that you can see is an example of the kind of assessment that we have made in the reports that we write about this subject. So I'm going to look at some of these different areas in a little bit more detail.
Now, these tools that we're talking about need to be aligned with the risks, and the tools have to help you to identify, find, and remediate those risks. In terms of cloud entitlements, the most important risk is excessive privileges. Time and again, developers will create resources that have all the privileges they might need rather than just the privileges that they do need, and that gives hackers and attackers scope to get in and do things.
They need to have strong authentication to protect against cloud takeover of your infrastructure elements or of your infrastructure administration. And remember that in the cloud and in a virtual environment, infrastructure as code has entitlements, and these need to be managed as well as the entitlements of users. The cloud network itself is at risk. The cloud network is a virtual network, a software-defined network, and it is subject to all of the kinds of risks that the old-fashioned networks you were used to had. Do you know what the topology is?
Because you can be sure that one of the things the hackers are going to do is use their network discovery tools to find out what you have and where it is. Do you have a common way of configuring your topology across the different cloud services? The in-cloud network within the different environments is often different. And how can you manage routing? How can you be sure that only the protocols that you want can get through? And how can you implement zero trust?
And that leads you on to understanding zero trust, which leads you on to understanding who and what is making access, when and from where. And that, in many cases, relates back to certificates. And certificates are notorious for being badly managed. For example, how many self-signed certificates do you have in your environment? How many contain weak encryption? Can you trust the certificate root? All of those things lead to risks, and all of those things need to be managed. The compute services and so forth contain all the risks that you used to have.
You can have missing patches, which lead to vulnerabilities. You can have misconfigurations with known common vulnerabilities and exposures. You can have the root account exposed. And because these are virtual resources, you can have the virtual resources which themselves pose problems: they may have excessive privileges, they may be dormant and you don't know you have them, and they may exist but not have a physical owner, which means nobody's going to look after them. That needs to be treated. And those risks exist whichever cloud environment you're in.
Kubernetes, or the software development environments themselves, have problems, and these problems are related to registries. Do you know what registries you have, and how are you managing them? Are you managing the images, and are you scanning those images for vulnerabilities? What about third-party packages? Do you have drift of containers? Are they not being patched properly, or are they regressing to pre-patched levels? And are you able to detect whether your images are behaving strangely when they are running?
And how can you detect risks and threats from behavior analysis? And finally, you really need to have a way of being able to understand where your risk is. And not just a million risks, because everything has some kind of vulnerability. But you need to be able to understand what are the most important risks. Can you understand your risks in terms of the impact they would have on your business? Can you understand them and categorize them in terms of some kind of risk score, or in terms of level, so that you can prioritize what you want to do?
Can you understand from these tools how well you are complying with the laws and regulations under which your organization is obliged to operate? Can you see how well you are performing against frameworks and best practices? All of this functionality should be available inside, and in a consistent way with, a single pane of glass across all of the tools. So that is what is leading us from CSPM to cloud-native application protection platforms, giving security and compliance for the multi-cloud.
So the summary of what I've been saying is that digitalization is increasing the business risks, especially to business continuity, because as you become more dependent upon IT, the impact of an attack becomes greater. And the more that businesses depend upon the cloud, the more they are exposed to these attacks. The cloud and virtual services bring with them additional responsibilities as well as additional challenges, on top of all the regular ones that you were used to.
The challenges of understanding shared responsibility, of the dynamic resources, and the fact that each cloud provides its own set of tools that have different looks and feels and user interfaces, and are different from whatever you had on-premises. This led to this cloud acronym soup of multiple individual siloed applications, all of which were different.
And what is actually needed is a single cloud security platform, which provides a complete and comprehensive approach with dynamic guardrails to prevent you from going wrong, with threat detection to help you to know when you're under attack, and which supports best practices and compliance. So now we're going to have the second poll, and this is going to ask you which identity and access management challenges do you find most pressing in the current landscape? Is it maintaining an accurate and up-to-date lifecycle of users' identities? Is it balancing security with user experience?
Is it integrating your IAM solutions across cloud and non-cloud? Is it about keeping up with the rapidly changing regulations and compliance requirements? And while you're filling this in, I'm now going to hand over to my colleague, Andre Rall, who is the Director of Cloud Security and Compliance at Uptycs. So over to you, Andre.

Thank you. As mentioned by Mike, my name is Andre Rall. I oversee threat research here at Uptycs. We look at attacks on clouds, how the cloud is being exploited, manipulated.
We reverse engineer that, and we bake those into our products so our customers can benefit from detecting threat activity. So let's get into it. What I wanted to start off with was just a little bit about the growth of the cloud. We know the cloud is very prominent. We know a lot of companies are using it, and I'm not going to go over every single tile you see here, but I'm going to highlight a couple. The very first one is the bottom right. By 2026, the cloud market is expected to get to $947 billion. Just for reference, that number in 2021 was around $450 billion.
So that's $500 billion of growth within a five-year period. Astronomical. The second number is the bottom middle tile. It's estimated that 175 zettabytes of stored data will be in the cloud. And for those of you googling what a zettabyte is, let me save you some time. One zettabyte is one billion terabytes.
So, to go off what Mike was saying about moving to the cloud, digitalization, data is going into the cloud at an exorbitant rate. Everything we do today, there's some aspect of our lives that touches data being stored within the cloud. But with that, so too come the attacks. Threat actors know the cloud is a haven for nefarious behavior.
They are security experts, whether we want to believe it or not, and the cloud is essentially their playground. They get to play in the cloud, attack it, exploit it on a daily basis. They only need to be right one time, right? As defenders, as legitimate businesses out there, we have to be correct and defend all the time. So they just need that one crack to be able to exploit a business. Of the numbers here, the one that really stands out to me is the middle one. I found a report, the TELUS cloud security report. You can go and find it online.
When they polled, it was thousands and thousands of users across different roles, different verticals, business units. And 19% said that they know where all their data is stored. Said differently, 81% said they don't know where all their data is stored. So it's becoming a very big problem to keep tabs on data, cloud infrastructure, the ephemeral nature of the cloud, and the growth that a lot of these companies are experiencing. When I talk to companies and I present webinars and consult, the one thing I emphasize is you have to assume breach.
And what do I mean by that? Assume your environment is going to be breached. It's not a matter of if, but a matter of when. And as you deploy, design, architect and grow in cloud environments, keep that mindset. As you can see just from articles throughout this year, we're seeing that the cloud is becoming more and more of an emphasis. Attackers are targeting the cloud more and more. Even cybercrime groups are offering six-figure salaries, bonuses, paid time off. That's how lucrative cybercrime is becoming. And a lot of that cybercrime is shifting towards the cloud.
So switching gears a little bit, getting into CSPM. What outcome does CSPM actually deliver? At a very high level, you have asset discovery that'll tell you configurations for those assets. You'll be able to secure your posture, and then you'll have compliance. You'll get a compliance audit to be able to see where you stand in terms of your compliance checks. But I like to categorize CSPM as your risk assessment. So having a CSPM in a cloud environment several years ago was great.
But as the landscape has shifted, as more companies are moving to the cloud and as the cloud itself is growing, we're seeing that a CSPM is not enough. You need a holistic view across these technologies, some of which Mike already outlined. Threat actors, as an example, don't think in silos. They're not just going to look at a particular service and its configuration. They're going to look at everything in your environment, and they're going to try and attack you in a way that achieves their outcome or reaches their target. The landscape has expanded.
And what do we mean by that? Configuration vulnerabilities are not the only threat out there, right? What about runtime threats? How do you ensure that your posture management solution and your workload protection and your identity security all coexist? The cloud is a very interconnected, intertwined set of technologies. You can't be effective in the cloud without using one or more of these intertwined technologies. And that's why we firmly believe that having something like a cloud-native application protection platform, CNAPP, is becoming the standard. We're seeing it more and more.
The industry is going that way. Consumers are wanting a CNAPP. Most CISOs we speak to are in a position now where they've got security tool sprawl. They've got all these security tools. They don't have the right resources, the right skills, to educate their team on how to use all of these tools. So they're trying to consolidate, and this consolidation play is going right towards a CNAPP. By not having a CNAPP, as you can see in my graphic, you have blind spots.
You're leaving blind spots for yourself and your company, because a CSPM gives you a very specific view, but it doesn't give you the peripheral view that you need within an environment. So what is a CNAPP? Mike touched on this a little bit, but I know there are a lot of acronyms being thrown around. I like to look at it more as: what are some of the problems, what are some of the tasks, that a CNAPP can help with? So here we have CSPM for risk assessments. If you have identity or you need identity, that's going to be your CIEM. And then workload security, right? CWPP.
So we see these as some of the founding pillars of what makes up a CNAPP, but we firmly believe that endpoint XDR has to be included within a CNAPP. Why? If you look back at this year and you look at some of the breaches that have occurred across several industries, most of them have occurred because the developer's laptop was targeted, right? Either they downloaded malware and it created a reverse shell, or they were breached because they had a third-party music player that wasn't patched.
They got in, they mined credentials, used those credentials to move laterally into the company's environment, and then from there moved into the customer's environment, essentially. So a CNAPP is exceptionally important if you're in the cloud or you're thinking about moving to the cloud, because as you can see, it eliminates a lot of those blind spots that will be present without a single platform. The other benefit of a CNAPP is, again, it's a single platform. So if you have a set of security engineers, you only have to go and give training on one particular platform.
You don't have to have them context switch between multiple platforms and really lose sight of what the end objective is, which is protecting the environment, versus trying to learn how to use a tool. As mentioned, developers, we see it time and time again, the industry is seeing it, the developer laptop is being targeted. So I have a very basic illustration here of how a threat actor will be able to get the user to download malware onto a developer laptop. The threat actor gains access to the developer laptop. They are able to look for a personal access token, trying to access Okta.
They can look for ways to access GitHub. GitHub is very important because they can clone repositories, they can access repositories to find credentials. And then once they have credentials, they can move laterally into AWS. And then once they're in AWS, if they have the right permissions and credentials, they can actually exfiltrate data within that environment.
But again, the developer laptop is a critical starting point for threat actors. Now, for audience members, you may be thinking, well, I don't have developers, you know, I'm safe.
Well, insert name of employee who works remotely using a laptop or a desktop. They will be in scope for an attack by threat actors.
At Uptycs, as mentioned, we believe that XDR should firmly be within the CNAPP pillar of technologies, because it'll give you an early warning system. So if a threat actor accesses a laptop and they attempt to access Okta or attempt to make a suspicious Git call, we will be able to detect that. We will alert you. So before they even get into the cloud environment, you have to have this early warning system.
And again, this starts off by using a solution like XDR on an employee's or developer's laptop. Here we have an example of a suspicious Git event called impossible travel. For those of you who are not familiar with the term, impossible travel is a single credential making a change or update from two geographically dispersed locations, meaning there is no way humanly possible that someone could have made the call in India and made the call in the United States within a couple of seconds of each other. So we have detected this.
We can alert you to say that someone's credentials were used to clone a Git repository. You need to take some action on this.
But again, these are all those early warning systems that you need to look for prior to getting into your actual cloud environment. Everyone looks at the cloud environment and thinks, well, I just need to protect that and I'll be safe. But peripherally around that, look at what else has access to the cloud environment. That's where you're going to focus your efforts, and that's where a CNAPP will help you tremendously. So let's get into some of the pillars that make up a CNAPP. As mentioned, here we have the CSPM.
And again, some of the examples I'm going to go over here are very simple, but they should get the point across, and these are just the tip of the iceberg in terms of what we can actually detect as you use the CNAPP platform. Example one, right? You have assets, we discover assets, we visualize those assets for you, and we can let you know which of your assets are open to the internet. Now you're wondering, why is that a problem?
Well, if it's open to the internet, all I need is an internet connection to target your particular asset. Example two, do you have a root account access key? Does that exist? Hopefully not, because that should never, ever happen. The root account should be used to create your other accounts, and then you should essentially lock and encrypt the credentials for that root account password so that no one can get in there and use that account for anything. Here we have CIEM, right? Cloud infrastructure entitlement management.
So, some of the warnings or alerts we can generate: you have several users within your environment. We can very quickly identify which ones have, for example, full administrative permissions. We can also show you if there are several users who have a very long set of permissions; we will go in and show you that Joe and Mary have all of these permissions but in the last 90 days have only used a subset. We'll show you what that subset is, and then we'll recommend removing the additional permissions. Why is that important?
Well, if Joe's or Mary's credentials get compromised, the threat actor now has all of those excessive permissions, and you just may find that those excessive permissions are the catalyst that allows for data exfiltration, that allows for ransomware. KSPM. So if you need Kubernetes security, right? We're seeing a big shift of companies using Kubernetes containers, and it makes a lot of sense, because as you take those applications from on-prem, you create microservices. Containers are a great way to shift them from on-prem into the cloud.
But Kubernetes containers have been around for a couple of decades, and it's still a little bit nuanced in terms of the deep security knowledge required to run a Kubernetes container, required to securely scale Kubernetes. So an example of what we can detect, right? We can find a container escape to the host system. So essentially what we're saying here is that a Kubernetes container successfully exploited certain permissions to access the host file system and resources.
What this will allow them to do is view the critical configuration files on a Kubernetes node, known as the kubelet configuration. And just with that, they're able to interact with the control, potentially take over the entire cluster. The second one, default service account lateral movement. So we find time and time again that default service accounts on Kubernetes are set up with excessive permissions, and this presents a very big security risk. Why?
Because should these accounts be compromised, authorized users can gain access to the entire cluster, allowing them to move laterally to some of the susceptible pods. So it's very important to have eyes and ears on these types of nuances, so that you can understand your security risk posture as it relates to Kubernetes.
Next, we have CWPP, cloud workload protection platform. So really what this means, in a very simple way: do you have applications or workloads running on an EC2 instance, on a VM, on a compute machine? What we're going to do is scan those instances and really tell you your posture for that. What are the vulnerabilities? Do you have any compliance issues? Do you have any secrets on those instances? And the great thing about Uptycs is we can do agentless and agent-based.
So just like the agent we install on the laptop that helps with that early warning system, we can install an agent on the instances. We have customers who do both. So maybe in a production environment they want an agent, and in the non-production environment they want agentless. But going into some of the examples here, we can detect a reverse shell. So someone downloaded malware, that malware is a reverse shell, and it allows a threat actor to connect back to the instance. We can detect it and block it as your early warning system. We can also detect SSH keys.
So if you SSH from a laptop into an instance, we can see those keys and we can tell you proactively, hey, Joe's laptop has SSH keys. If his laptop were to get breached, someone could SSH into an EC2 instance. That EC2 instance has an administrator role. That administrator role gives them the keys to the kingdom. We visualize that for you, enabling you to see very clearly and in layman's terms what the security threat is that you need to address, as well as giving you remediation guidance on how to remediate it. And here we have CDR, cloud detection and response.
This is really behavioral activity. And what do we mean by that?
Well, we have two types of behavioral activity: pattern-based and anomaly-based. On the pattern-based side, when a threat actor steals credentials and gets into an environment, they need to perform reconnaissance to find their way around, to understand where they are, what they have access to and what they can do. Those are patterns. We know the patterns that they will follow, right? There are tools out there. We have researched a lot of this. We've collected a good amount of pattern-based detections that we've built into our product.
So for example, if someone were to go and use an exploitation framework tool called Pacu, widely used by threat actors, if they were to use that in your environment, we will be able to detect it, present it to you, show you in layman's terms what they did, how they did it, and then give you guidance on how to remediate that, either manually, step-by-step, or we'll give you the one-click ability to go and remediate. And then anomaly-based, right?
One of the biggest challenges cloud teams have today, defenders, SOC analysts, is being able to differentiate between legitimate and illegitimate behavior. As mentioned in the beginning of this talk, a threat actor needs to be right one time. So how do you find that one API call, that one action, out of a bucket full of API calls? That's where anomaly detection comes in. So if you have Joe or Mary, let me pick on Mary for a little bit.
If Mary has called S3 all the time, and now all of a sudden she's trying to run instances, or she's trying to create a user, create an access key, our anomaly detection system will detect that. It'll flag it and say, here is Mary's baseline behavior, but here is the abnormal behavior that she's creating. Look at this, make sure this is okay. Have Mary's credentials been compromised, or have her roles and responsibilities within the company actually changed?
Finally, just to sum it all off, threat actors are cloud security experts. As mentioned, the cloud is their playground.
At best, we as security-minded folks, we're always at best one step behind the cloud security, excuse me, threat actors. If you think about a CSPM, it's important, but on its own, you're going to have blind spots. So don't just employ a CSPM, find additional tools, find a CNAPP that has all of these abilities to mitigate a lot of those blind spots. You need to focus on multiple attack surfaces. So not just the cloud environment that you're in, but look peripherally, what has access? What other attack surfaces could a threat actor use to move laterally into your cloud environment?
And then finally, again, keeping yourself secure by using a CNAPP, you'll get complete coverage, but also the benefits are you have fewer tools to go and train your team on. So your team, instead of going, I like the analogy of six miles wide, half a mile deep, you can go a mile wide and six miles deep in one particular tool.
That's it, Mike. Thank you. Back over to you.
We now have another poll, which is how would you describe your organization's current stage of CNAPP adoption? And so the questions are, are you fully adopted or are you in partial adoption or still thinking about it or not even considering it? And so you should now see this poll on your screen, if I'm correct. So while you're answering that, I'm going to now put us back onto Andre and me, and we will have a conversation. So I've just got to find the appropriate bit of, sorry.
So we're going to move on to questions and I've got to go back to the Zoom meeting. Lovely. Okay. So thank you, Andre, very much for that.
Well, you finished off with talking about thinking like a threat actor. Would you like to expand on what you really mean by that?
Yeah, definitely. And we get this question quite a lot, but you know, if you can employ the mindset of a threat actor, it puts you in a position where you're able to understand how threat actors think. It's a very unique way in how they think and how they approach attacking an entity, a cloud environment. So when I say think like a threat actor, you know, if you have blue team members on your team, if you have a security team, they're almost always focused on how to defend, how to threat hunt, how to look for that nefarious behavior.
But I implore companies to flip that around a little bit, teach them how to be a red team and teach them how to attack, how to think like a threat actor, go and write, excuse me, go and learn some of the tools that threat actors use. You know, I wrote a blog several weeks ago, just highlighting some of the tools that threat actors will use and what's the benefit. But once you understand the outcome that tool delivers, you will very quickly realize why that's important. And then you'll realize, oh, if my environment has that presence, should I build that? Should I mitigate that?
Should I remove that? And then further along, as companies mature, as they start planning and building and configuring the environments, you know, that'll be one of the questions that comes to mind is, hey, how do I think like a threat actor? And if a threat actor were to get hold of this or breach this, what would the blast radius be? So that's what thinking like a threat actor means.
Yeah. So in a sense, it's not thinking about how well defended you are, but thinking about how the threat actor will find the easy way in. And this is the challenge, that they usually get in.
They don't actually have to do the impossible. They don't have to decrypt the most complex encryption algorithm. They find a hole in the system, which means they don't have to do it. And this is the simple way in that you never thought of.
Yeah, exactly. It's very, you know, finding the cracks, right? So there are many cracks in cloud environments.
You know, when I was at AWS, overseeing the account takeover division, we had customers, you know, Fortune 100 companies come back to us after we detected a breach in their accounts. And it was just mind-blowing how little awareness they had around that particular exploit.
So yeah, there are many tools that find the cracks. So for teams to go and learn those tools, it'll quickly surface what cracks you have in your strategy.
Yeah. So it's an interesting thought that you go away and learn the tools and techniques that the threat actors are using as a way of being better at defending yourself. That's good. That's good.
Now, it's interesting because I don't see any questions from the audience. But if there are any, please, can I ask you to put them into the Q&A poll, and we'll look at them.
Now, I'm interested because I was looking at the polls, and it's always useful to talk about what the polls were. And the first poll was talking about the biggest challenge. And the interesting thing about this is that the top of this was complexity.
Now, I don't know, what's your take on this, Andre?
Okay. So the poll questions just came up. Let's see. Yeah.
So, you know, what I see a lot of is you have folks, companies, who have a very robust on-prem strategy, security strategy, and they've been doing it for years. And they try and shift over to the cloud. And time and time again, they'll bring their security strategy over to the cloud. And that's like mixing oil and water, they don't mix. So what I find is they're trying to take their understanding and their biases from on-prem, and squeeze it into the cloud and try and figure it out. The cloud in itself is exceptionally complex.
So if you take someone who is well-versed in cloud, you can ask them how complex it is on its own. Now you're adding an on-prem to connect, to communicate with each other.
Again, these biases tend to get in the way of being able to achieve an outcome. But it is very, very difficult to try and get on-prem hybrid cloud environments to connect to each other. And a big part of this is, again, I think you have a lack of skills, lack of knowledge. Folks who have done this time and time again, folks who understand it, folks who have experienced on-prem, who try and do the cloud, have experienced the cloud, they try and do the on-prem thing. To have that mindset shift change is also very challenging for folks to do.
So it's interesting because there was another set of surveys done by another vendor, which basically said that the biggest friend of being hacked is being too complex. So simplicity is your biggest friend for improving security. And I think one of the areas that we have both been talking about is that the more complex, we have a complex environment, which is made worse by complex tools. And having a single simplified set of tools, a common user interface, a common way of doing things across this multiple environment must be an improvement.
Yeah, definitely. The challenge you also have is in the cloud, you have identities for users, identities for machines, identities for software.
On-prem, you don't have all of these identities. So it's trying to correlate and match identities on-prem, across the cloud. The other piece of the cloud, it's very ephemeral. It's always changing. It's also complex. From day one, when you create a cloud account, you have thousands of APIs, thousands of permissions that you have to navigate.
On-prem, you don't have that. So to your point, Mike, yeah, this complexity is very, very prevalent. That's why even more so having a CNAPP is exceptionally important. Because what a CNAPP does, it almost has an abstraction layer that allows the end user to gain a simplified view and understanding of their complexity. They don't have to be a cloud security expert. They don't have to be an on-prem expert. But a CNAPP will provide a great user experience that allows them to feel like there's a simplified approach to managing those environments.
Yeah.
So taking the point you were making about identities, there's an interesting result from the second poll. And I don't know, Oscar, if you could display the results there. Because the biggest challenge from the second poll, which was maintaining an accurate, but it was actually integrating IAM solutions across heterogeneous cloud and on-premises environments, was one of the biggest challenges that the people have. And this is precisely what you were talking about before. And it's to do with identity. And as you have previously said, identity is the new frontier.
That getting into the identity of any of the cloud elements or any of the cloud administrators is a major threat.
Yeah. Yeah. Identity is the new perimeter.
You know, on-prem world, your perimeter is a firewall. In the cloud world, your perimeter is identity.
Identity, I like to say, is like the nervous system. If you have a weakened nervous system, you're going to be vulnerable and you're going to be open to attacks. So it's very important to focus on identity. The top response here, integrating IAM solutions across heterogeneous cloud and on-prem, very challenging. Because of the complexity and because of how nuanced identity can be, it is very hard to get this right. And one of the reasons we see lending itself to this is that, as humans, we almost prefer to give more permissions, right?
We don't want to restrict people, even in principle of least privilege. Oh, just have a couple more permissions because I don't want to steer from you and constantly bother me to say, hey, I can't access it. I can't access it. So we'll say, okay, there's more permissions. Let me know when you're done. Then maybe go and access it. They get sidetracked. They forget to tell them they're done. Those permissions now live there. So identity and integrating it, I definitely resonate with us in that it's very complex and very difficult to get right.
So can you sort of say in a nutshell how your solution helps with that area?
Yeah, what we do is we will put a spotlight on your identity. What I mean by that is we will visualize your identity for you, because conceptually trying to identify or see what identity means or is, is very difficult. But once you visualize and understand what a user is, what the permissions are, what they can access, it becomes a little bit easier. So we will go and find your identities, the entitlements, without you having to tell us. That's another thing, right? Is that we have identity creep.
We have users, roles, permissions. People don't know why they were created, who used it last, what they accessed. We can answer those questions for you. So we can help you understand what is your identity risk in any of your cloud environments.
Yeah. And identity risk is probably the major area. And the problem is, as you say, there's all this stuff out there and it's not visible. And so you need to get visibility in terms of what is really a risk. And that's the critical thing.
And the other piece of that is the ephemeral nature, like I mentioned, right?
It's not a static look at it once, forget about it. It's constantly changing.
Again, in the cloud, you have multiple identities, right? Machine, user, software. How do you keep track of that? How do you know what's interacting with each other? What's spinning up, what's going down, what's being created, not created. It becomes very complex very quickly. So that's where we can help you.
Yeah. And that's what I was starting off talking about at the very beginning, that the static approach that was traditional to on-premises security, where things changed slowly and environments were very much under control, is not the right approach for the dynamic and ephemeral nature of the cloud. So the final poll, which is interesting, is to do with how well or how far along you are with adoption. And so perhaps you would like to just finish off by giving your advice on what you think the organizations that are using the cloud should be doing in the area of CNAPP.
Yeah, I would definitely, first of all, ensure you understand your business, right? Ensure you understand which services you're using, understand what your outcomes need to be within your business. Once you have that, it becomes easier to integrate and evaluate a CNAPP, because then what you're going to focus on is, as a CNAPP, does it give me the visibility and does it help me become compliant? Does it give me the visibility and identity on Kubernetes?
You know, you may have companies who don't ever use Kubernetes, but your CNAPP has KSPM. Well, it's not going to be of use to you. But I would say, as you go through this, look at your use cases, look at your infrastructure and see how much of a risk it's presenting to you, how much of a risk it's surfacing.
You know, hopefully the CNAPPs, as you begin adopting these, they'll uncover risk that you had no idea even existed. Then you know you're on the right path to integrating the right CNAPP.
But also, as your business scales and as you grow and evolve, you know, your business may require, for example, Kubernetes. At that point, having the CNAPP already integrated is very easy, because then you just activate the KSPM pillar and now you have visibility into that. So overall, great to see that partial adoption versus not considering or still evaluating.
But yeah, CNAPP is at first, I think, a little tricky for folks to kind of navigate. But once you see the value that it offers, it becomes a no-brainer to continue with that CNAPP platform.
Yeah, thank you. So we're now coming to the end. So I think the message from today is that nearly every organization is now using the cloud and you cannot just rely on your traditional on-premises security approaches. You have to take a different approach because of the complexity. So would you like to just say a final word, a final piece of advice before we finish, Andre?
Yeah, just to say, you know, thanks for listening, everyone. Definitely, as you move towards the cloud, it's a journey. It's going to get very complex. It's going to be very scary at times. But I think if you take some of the advice that I've given, you'll be in a good position.
You know, finding cloud security experts to hire into your team is a must. I know that's difficult.
You know, I know they're few and far between. I know they're expensive. If you can't hire the right experts into your team, find a security vendor who has those experts because they will guide you and help be your eyes and ears. They've learned the lessons. They've uncovered some of the exploits and nuances that are problematic for entities.
Okay, thank you very much. Thank you very much, Andre, for your contribution to this. And thank you very much to all the participants for taking the time to listen and to be involved in this call. Thank you very much, everyone. And good afternoon.
Thanks, everyone. Thanks, Mike. Bye-bye.