So we're now talking about software-as-a-service security, the forgotten element, and the speaker, I know him as a passionate tech-savvy person who loved computers since he was a child. He's also an experienced CISO, had already survived a couple of serious incidents, and he has gained this experience in different industries such as finance, automotive, and now recently, what is it, sport or fashion? So he's working for a big sports company located in Germany, I can't say the name, you can guess, in Herzogenaurach. So welcome, on stage, Michael Schrank. Good to have you here.
Thank you, Berthold. All right, so let's start with the obvious stuff. If you haven't guessed it yet, this might be a hint. So I'm working for an amazing company, and that's maybe also a good point to start with. Berthold was already so kind to introduce me. Everything that I'm telling you today is my own opinion. So I'm not talking for my company.
So please, also, if you want to take photos or make quotes or whatnot, please quote me, but don't quote my company. And that being said, I would have a question for you folks, so that I get a better feeling who is here today. Are you on the more technical side of information security, or are you more on the governance side? Let's start with the technical ones, if you can quickly raise your hands.
All right, and then I expect the rest to be more on the GRC side. Perfect. So good news is, I'm quite convinced that for both of you, you will hear something interesting today in my talk. And this talk is a bit more technical, but again, I'm a CISO. So don't expect too deep technical details. I'm too far away from those by now. But the topic I want to talk to you about, actually, is cloud security. And I want to talk a bit about the evolution that we saw there. And in contrast to the talk that just happened before me, that obviously was a vendor talk, I will tell you the truth.
And also the reality, how I see it as a customer, and also what worked for me and what didn't work for me. Because quite obviously, as you could see in the presentation as well, most vendors will tell you that they can tick all the boxes for things that you need. But ultimately, when you then start using them, you might have a different experience. So my journey actually with cloud security became most important for me when I joined my current company. Because the company I previously worked for as a CISO was Daimler, so Mercedes-Benz and all of their brands.
And they had a very traditional footprint. So they had more than 200 data centers back then when I was working for them. All of those data centers with a different technology stack, but everything very traditional.
And again, I mean, think about the automotive industry and all the legal issues they had in those years. They were a bit hesitant to go into US clouds back then. So they didn't have as many cloud environments yet.
Now, what happened then to me was I joined this other amazing company and found that it was a cloud-first company. So the CIO there had a very clear strategy that all of the data centers they had, and there weren't many left actually, will be emptied. And there will be no new servers put in, but rather everything will be moving to the cloud. And that's what they did. And so I also found as a CISO, and again, I'm not very deep down technical anymore due to that position, that all of a sudden people were talking about they have cloud-native environments.
So they have container workloads and we need to secure them. And I asked myself as well, that's kind of a new technology. I need to learn something new. And that's one of the important things I want to tell you also from my experience now. We all live in this very fast evolving world, also with technology. And many of you raised your hands when I asked whether you are more on the technology side.
Well, as security folks, we not only need to understand the technology, but also how it can be attacked, quite obviously. But on the other hand side also, how we can defend it. And the thing that I did was I did some basic trainings, obviously how that technology works. But on the other hand side, I started looking into how can you secure those environments in a smarter way. And this is where all of those beautiful buzzwords on the slide come up.
So overall, you will hear a lot that your companies are using infrastructure as a service and platform as a service, but also software as a service solutions. And obviously, we all need to understand what that is. But let me dive into one of those topics and why I'm mentioning it. I guess every one of you, no matter if you're on the governance or technology side, know that your company has someone who is using a vulnerability scanner. So either you're seeing the results or you're maybe the poor person who needs to administrate that scanning solution. But every company has that by now.
Reality is that tomorrow, if you're just in cloud native environments, you shouldn't have a person anymore that is using a network based vulnerability scanner. It doesn't make sense. There are way smarter solutions to come to the same conclusion in those environments. So that also means, and you can see that on the market right now, vulnerability scanning vendors and management vendors, they are trying to pivot. They are all of a sudden acquiring cloud security solutions because they are realizing the same as well. Their old product isn't fit for the purpose anymore.
And so, from my perspective, a very important takeaway is if we think about security in cloud environments, rethink what technology you're using, but also re-skill your teams. You need to have the people understand that their job isn't gone tomorrow, but it's a different one. And there are smarter ways of doing it. And when I'm talking about that, I mean, for example, with things that are on this list here, like cloud security posture management.
So checking whether the cloud environment is securely configured, whether you have S3 buckets, storage buckets that are open to the internet, everybody can access the content of them and so on. This is basic technology you should by now have in place. So if you now think, oh, Michael is telling me something new, then better go back tomorrow and check again what technology you're using.
And also, for the governance folks that are here, if I say you should have that technology, it doesn't make sense that people just buy that security technology. So if you had a vulnerability scanner and no vulnerability management process, you can also buy a CSPM solution, for example, and it won't help you in any way because you need the processes around it as well and also the policies.
Now, to share a bit more of my experience, one topic came up at one point that was in those container environments that quite obviously you can't run your regular EDR solution there anymore. So hopefully by now, all of you will agree that you have an EDR solution on every laptop, on every workstation, which gives you the opportunity to see what's going on there, detect malware, but also figure out what the attackers are doing on those platforms.
Now, in the nature of those container environments, you can't just deploy your regular EDR solution there. That also means you have servers right now that don't have, and let's put it to the point, the easiest point, an antivirus. Would you want to have that? That's a big question. And I think in the beginning, and that happened to many companies and it happened to me as well, I was number one, not aware that we couldn't use that more traditional solution for it anymore. Number two, I didn't think about the solution yet.
But then I figured out at some point, obviously, that is part of that cloud native workload protection. There are solution vendors out there that give you the runtime security so that you can detect things in runtime. I was super happy when I discovered that. I went back to my team and said, hey, folks, I think we have a gap there. And I think we need to close it. My architecture team went out, selected the best vendor in the market, and we deployed it. Great story to the point that when we started deploying it, everything broke. Full production outage.
Fortunately, we were only in the staging environment at that point, but the whole cluster failed. And that's the worst thing that can happen to us, right? We security folks go in, are smart. We want to make something more secure so that it doesn't break. And then boom, it breaks. I think many of you had maybe that discussion just a few weeks back when CrowdStrike EDR had that challenge and broke a lot of machines. The reason why I'm telling you this so openly is the technology would have been the right one, but it was the wrong step at the wrong time.
We were just learning how to secure those environments. And if I say we, then I don't only mean my security organization, but I also mean the IT organizations that are running those environments. They also had to learn. They had to learn how to use the new vulnerability management tools. They had to understand what they are actually deploying there for endpoint protection, so for runtime protection. I thought I had learned something. Then I joined the new company. We had the same challenge because we had so many cloud environments. So we deployed another vendor.
I was smart because I thought maybe vendor number one didn't do a good job at my last employer. We are selecting the other one this time. We deployed it. And two weeks later, there was a Kubernetes update and boom, everything broke again. So the reason why I'm saying that is, and you can see I'm smiling about it, despite the fact that it wasn't a nice thing to experience. You need to be careful with the technology that you select, and you need to find the right way to roll it out. What did we do?
We actually didn't sign the contract for the runtime protection, but we rather said, okay, let's go on a journey together. So those IT teams and also the security team and start with the basics. So make sure that, for example, containers that we are deploying are secure when we deploy them. That doesn't do anything in runtime yet. So things can't break that easily yet. But this way we build trust and we started with the rollout.
Now, that's been a bit what's going on in the market. There were new solutions, people adopted them. And one of the things that I still want to mention there is, you all have seen that there were so many new cloud security providers.
So by now, worst case, if you're very cloud native, you will have 10 of them for different purposes. The good news is, and that is something that we have done now, even this year, to the full extent, providers have consolidated their capabilities.
And yes, you just saw a presentation by Palo Alto, but I can also tell you there are others as well, that by now, out of most of those terms on the slide, those vendors, platform vendors can cover them. And I can only encourage you, go back, review your security architecture for cloud environments for IaaS and PaaS right now, because the market has changed in the last five years. And now is a good time actually to consolidate things. Why am I saying that?
Well, there is something new right now coming up. And this brings me to the second part that also goes back more to the topic of my talk. We all kind of ignored SaaS security. And I will come to that in a moment why I'm saying it that way. What we can see right now is that the attackers are refocusing. So in the past, we did see that they attacked our environments that we had with AWS, etc. And they didn't focus yet on SaaS providers. But all of us are using SaaS.
And I can confidently say that because literally every company has sometimes thousands of SaaS solutions that they are using every day. Those slides are coming from one of the SaaS security posture management vendors. And I'm very happy that I can reuse some of the things they have shared with me. This slide illustrates that at the moment, there is a rise of the high profile attacks that happen or start from SaaS environments. And the one that I want to really share, because my predecessor at my current job is the one who was affected by it, was the MGM hack.
So I'm pretty certain most of you have seen on the news that a while back, the MGM Resorts in Las Vegas and Macau had some issues because they were attacked. The way they were attacked was super remarkable for me as a CSO to see because it was a big shift in how those attacks typically work out. They are using Okta as their identity provider. And what the attacker did was the attacker got an admin access to Okta.
Yeah, that's bad already. We all wouldn't want that. But the attacker did one super smart thing. Instead of doing a lot with that admin access, they just added a second identity provider that is trusted by that Okta instance. And that's it. And what the attackers could then do is that second identity provider that was trusted was their own one. So they could create an email address of the CEO of MGM, for example, in their own environment, on their own domain. And that email address and account would have access to everything that was in that Okta as for this person, what they can access.
And with that, they got through the whole company and everything went down what we saw. The interesting thing is, it was a SaaS attack that started in SaaS. It was an admin account takeover. And you wouldn't have seen it. If this was O365 or whatnot, you wouldn't have seen it. And I will come to that in a moment.
Now, for me, one of the most important things from this talk is that hopefully you all go out and say, yeah, we totally get it. SaaS security is something we need to focus on, but not in terms of GRC.
So far, and again, I like to admit how we did it in the past, when my company selected a new SaaS solution. My GRC team, third-party risk management team, would go there, would check that SaaS vendor. And if that SaaS provider would send them a SOC2 certificate, they would have wet eyes and would be happy. End of story, more or less. What would happen on top, because we want to go an additional mile is, I would tell my architecture team, hey, please look into that solution and make sure that we configure it in a secure way.
Well, reality is, number one, an admin can change anything, anytime. Number two, we don't know if we understand that solution properly.
So, even a security architect can make a mistake. And therefore, there is something new on the market now with those SaaS security posture management solutions that helps you actually to check what the posture of that system is.
So, what is the configuration, not only on that day when you deploy it, but also half a year later. And that's what I'm advocating for, because we need to focus on that.
Yes, you need to do the basics we talked about in terms of securing the platforms we have in the cloud, but we also need to focus more on this topic. And to give you a bit of feeling, what those solutions are doing is, number one, I mentioned it already, they can help you monitor the configuration of the solution itself. And we tested all of the big providers in that market this year to see whether we want to invest yet. And I want to name them because I think for you it's important also that you can look it up afterwards. Those are namely Obsidian Security, Adaptive Shield and AppOmni.
Those three were the ones that we tested. One of them has a benefit that the others didn't have. One of them caught an active attack in our environment. Fortunately for us, we are using Microsoft Defender for Identity. We caught the same attack.
So, the security operation center saw it, but they only saw it three hours later than this one SaaS security provider. And that's also why I'm right now advocating quite a bit for those solutions. They connect directly to your SaaS solution.
So, you don't need to wait for logs to go to Microsoft, in our case, and Microsoft parsing it, etc., but rather they directly check it. And that's why, number one, they are faster. But the second thing, and that brings me back to that Okta case and so on, sometimes in those SaaS solutions, our admins are doing a very smart thing.
So, best case, they will be logging in with our identities, right? The identities of our companies with single sign-on. But the reality is they can also create local accounts in those SaaS solutions because sometimes it's bothersome to use SSO. You wouldn't see if there is a local admin account. Your other systems wouldn't tell you that. That local admin account could get stolen.
So, we can detect pretty well when one of our SSO accounts got stolen. So, from our identity provider. Because we are using Defender for Identity, so we can see if all of a sudden somebody logs in from another country and stuff. The thing is for those SaaS solutions, if somebody created a local account, you are blind. We can't see anything. And therefore, those solutions are helping you there as well. Looking at the time, I'm coming up to the end of my talk.
And again, I hope that I, and I just want to briefly summarize it, I hope that I could give you some insights into number one, what happened to the cloud security market. So, yes, there is an abundance of tools out there. But the good news is by now, there are platform providers where you can consume most of that functionality.
So, number one, best go and get such a solution where you get all of the features rather than picking 10 of those vendors and trying to orchestrate them. Number two, and that's the main theme of the talk, quite obviously, SaaS security is important. I need to admit that I didn't focus on it too much in the past.
Also, because again, very often in our industry, there wasn't a need yet, because the attacks were not so much focused on SaaS in the past. We've seen now they are nowadays focused on it and it's on the rise.
So, familiarize yourself with that as well. And if you have any questions, please feel free to reach out. My contact details are here. And thanks so much for listening in today. Thank you.
Normally, I would have interrupted you because you took more time. But I saw all the interesting people here. And therefore, I just let you talk. Thank you very much. I also want to point you to a session which we are going to have tomorrow with Mike Small, who will present his research about cloud security posture management solutions. I think you already were in contact with him.
So, perhaps we see each other there as well. Yeah, thanks so much. Thank you.