Cloud computing delivers the benefits of accelerated development without the hardware costs. But the dynamic nature of cloud services and the proprietary security features offered by different cloud service providers make it challenging for customers to manage the risks and to be sure they are meeting security and compliance obligations. Most organizations need some form of guardrails and ways to respond to suspicious behavior.
Join cloud security experts from KuppingerCole Analysts and Uptycs as they discuss the challenges of the shared responsibility model for cloud security and compliance, examine the range of ways available for dealing with the problem, and consider the benefits of cloud security posture management (CSPM) and cloud-native application protection platforms (CNAPP).
Mike Small, Senior Analyst at KuppingerCole, will describe the major risks in the way organizations use cloud services. He will also explain why cloud services need dynamic rather than static controls, list the tools that aim to manage these risks, and outline what to expect from a CSPM solution.
Andre Rall, Director of Cloud Security at Uptycs, will describe the benefits of integrating security insights, of standardizing controls and policies, of taking charge of third-party code and resources, and of removing silos by using a single platform, data model, and user interface.
Hello, good afternoon, good evening, or good morning wherever you are. And welcome to everybody and thank you for joining this session on Cloud Early Warning Systems: from CSPM to CNAPP. My name's Mike Small and I'm a Senior Analyst with KuppingerCole. And my co-presenter today is Andre Rall, who is Director of Cloud Security at Uptycs. So in terms of housekeeping, you, the participants, will all be muted centrally and we will control this. There is no need for you to do anything yourself.
However, if you have any questions, then the best way to deal with questions is to input them through the Q&A panel that you'll see on the right of your screen. We are recording the webinar and the recording and the presentation will all be available in the days following this presentation. We're also going to run some polls and you'll be able to use these polls whilst the presentation is taking place.
And when I start the poll, you'll be able to input to it and then you'll get a message saying that the poll has closed and hopefully we'll have time to be able to talk about the results at the end. So the first poll is, what is the biggest security challenge in your hybrid multi-cloud environment? You should now see a poll window that has popped up and you can pick which of the answers you would like. Do you think that the biggest problem is understanding the real risks? Is the problem to do with complexity? Is it not managing the shared responsibility aspects of cloud security?
Is it inconsistency of tools or is it a lack of transparency of the controls? Well, while you are thinking about your answer, we will carry on in terms of the way the presentation is going to run. I will be presenting for the next 20 minutes or so on why cloud services need dynamic rather than static controls. And then following that, my colleague Andre Rall will in fact talk about the benefits of using a single platform and hopefully we will have 20 or 15 minutes available for Q&A at the end. So what has driven all of this? The answer is digital transformation.
Organizations have been racing, under various kinds of pressures, including those that came from COVID and worldwide shortages, in order to become smarter, to become better connected with their customers and to be more efficient and effective. However, digital transformation is about using the cloud, and it depends upon the cloud to enable this agile and business-led change through flexible development rather than predefined, never-delivered software; software that is responsive to immediate feedback and can quickly be adapted to meet the requirements of the customers.
However, this digital transformation depends upon the cloud, and the use of cloud services brings with it some new risks as well as some different ways in which old risks become manifest. So when you look at the issues at a business level, and I think it's important to understand this at a business level because people often sort of get deep into the technology, there are only really three things that matter. Most organizations are concerned about being compliant and the cost of compliance failures. Organizations want to keep their data secure.
So data breaches are bad for your customers, they're bad for your intellectual property and they are bad for your reputation. And finally, last but not least, is business continuity. As organizations have become more and more dependent upon their digital services, they become more, if you will, at risk if those services are interrupted in any kind of way. And ransomware and hackers have recognized this vulnerability as a deep and rich vein to mine to attack your systems. And of course the cloud is all pervasive.
So to give you one of the more specific challenges that comes from the use of virtual and cloud services: infrastructure is no longer physical; infrastructure is code. It started with software defined networks, and cloud services are effectively software defined services.
Now, when I had a server that sat in my office or in my data center, I had physical control over it. When you have a virtual server or a virtual resource that is inside of a virtual environment, it has to have entitlements, it has to have access rights which prevent other people using the physical infrastructure from getting at your resource and allow your resource to access the things that it needs. And here is an example of how this went wrong.
Capital One was ultimately fined because of a data breach which worked like this: someone figured out how to get into a server, a virtual server, because there was a misconfigured web access firewall, which of course should have prevented a customer getting administrator access. But they were able to get in. And once they got in, they found that the VM that was running this stuff had been configured to have excessive entitlements, which is quite common because what is important is that you want the system to run.
So it's better to give more entitlements rather than less, but that's a security risk. And those entitlements were used by the hacker to access S3, the data in S3, which was encrypted. And because they had these entitlements, they could do that. So here is one example of a new kind of risk that comes from virtual systems and cloud virtual services. So these challenges include more than just that; there are other challenges, and one of them is in fact shared responsibility.
So there has been a lot of confusion in some organizations and some people's minds about who is responsible for what. And whilst there were early concerns that the problems of security were that the cloud service provider was going to fail to provide a secure service, what has actually happened is that the responsibilities of the users of those services have not been fully met. That is to say that cloud service tenants have not properly controlled access to the services that they use.
They have loaded applications which contained vulnerabilities and misconfigurations, which made the use they were making of the cloud vulnerable, and they were not properly configuring the whole of their use of these virtual services. And so understanding this division of responsibilities is critical to a secure cloud deployment. Another challenge that comes from the use of cloud is that each of the cloud services tends to provide some tools.
And whilst these tools are perhaps very good and very tuned to the individual service, those tools are specific. So the tools that you need to configure AWS are different from the tools that you need to secure Google Cloud or the tools that you need for Azure or for OpenStack or for VMware. And all of those tools are different and that leads to an ad hoc approach. The same problems exist in each of the different environments. The same risks exist, the same kinds of vulnerabilities exist, but you have a different tool and a different way of dealing with them.
And this leads to an ad hoc array. Now, one of the solutions to this is what I would call cloud acronym soup.
The vendors of cloud security tools recognized that there were holes and so they came up with solutions. So you have cloud infrastructure entitlement management, or CIEM, which is to do with controlling cloud infrastructure entitlements. You have cloud workload protection platforms that are looking at controlling the vulnerabilities in the virtual services, including containers, Kubernetes and servers. And those cover those things.
Then you have cloud extended detection and response, looking at threats and how to detect them when they are working their way through your cloud services, how to block them, how to remediate them, and how to respond to them, as well as helping you to improve security hygiene. And finally, there was this thing called cloud security posture management, which was going to give you a kind of governance and risk reporting for your use of the cloud.
So whilst you just wanted one solution, what you got was many. And these are not integrated.
If they're from different vendors they could have different user interfaces and different ways of working. What in fact is needed is a consistent single platform that covers the whole multi-cloud environment, including all of the different kinds of functionality that you need, including things like data security as well as Kubernetes posture management. And so that is what we believe is needed. So this cloud security platform that we are talking about should have a set of capabilities.
Our view as analysts is that the fundamental capabilities these should provide is that they should have some form of inventory that allows you to see what needs to be secured. And this is important because cloud environments are incredibly dynamic, with services and servers being instantiated and destroyed within milliseconds; you can only secure what you know you have. They need to provide visibility of what the risks are and what the threats are to those different virtual resources.
Now, since these virtual resources are dynamic and created as required in milliseconds, you don't have time in the cloud to implement security by post-instantiation scanning; you have to have some kind of guardrail that prevents you from actually getting vulnerabilities exposed in the first place. And so this effectively means policy-based controls that prevent the creation of resources with vulnerabilities that you don't want. And it should have integrated coverage of all of the areas.
And so this picture that you can see is an example of the kind of assessment that we have made in the reports that we write about this subject. So I'm going to look at some of these different areas in a little bit more detail.
Now, these tools that we are talking about need to be aligned with the risks, and the tools have to help you to identify and remediate the risks. And in terms of cloud entitlements, the most important risk is excessive privileges.
Time and again, developers will create resources that have all the privileges they might need rather than just the privileges that they do need. And that provides a scope for hackers and attackers to get in and to do things. They need to have strong authentication to protect against takeover of your infrastructure elements or of your infrastructure administration. And remember that in the cloud and in a virtual environment, infrastructure as code has entitlements and these need to be managed as well as the entitlements of users.
The cloud network itself is at risk. The cloud network is a virtual network, a software defined network, and it is subject to all of the kinds of risks that the old-fashioned networks you are used to were. Do you know what the topology is? Because you can be sure that one of the things that the hackers are going to do is to use their network discovery tools to find out what you have and where it is. Do you have a common way of configuring this across the different cloud services? The in-cloud network within the different environments is often different.
And how can you manage routing? How can you be sure that only the protocols that you want can get through? And how can you implement zero trust? And zero trust leads you on to understanding who and what is making access, when and from where. And that in many cases relates back to certificates. And certificates are notorious for being badly managed.
How many self-signed certificates do you have in your environment? How many contain weak encryption, or can you trust the certificate root? So all of those things lead to risks and all of those things need to be managed. The compute services and so forth contain all the risks that you used to have.
You can have missing patches which lead to vulnerabilities. You can have misconfigurations with known common vulnerabilities and exposures. You can have the root account exposed. And in terms of the fact that these are virtual resources, you can have virtual resources which themselves pose problems because they may have excessive privileges, they may be dormant and you don't know you have them, and they may actually exist but don't have a physical owner, which means nobody's going to look after them. And that needs to be treated.
And those risks exist whichever cloud environment you're in. The Kubernetes or the software development environments themselves have problems. And these problems are related to registries. Do you know what registries you have and how are you managing them? Are you managing the images and are you scanning those images for vulnerabilities? And what about third party packages? Do you have drift of containers? Are they not being patched properly or are they regressing to pre-patched levels?
And how do you know, and are you able to detect, whether or not, when your images are running, they are behaving strangely? And how can you detect risks and threats from behavior analysis? And finally, you really need to have a way of being able to understand where your risk is, and not just a million risks, because everything has some kind of vulnerabilities, but you need to be able to understand what are the most important risks. Can you understand your risks in terms of the impact they would have on your business?
Can you understand them and categorize them in terms of some kind of risk score or in terms of level so that you can prioritize what you want to do? Can you understand from these tools how well you are complying with the laws and regulations under which your organization is obliged to operate? Can you see how well you are performing against frameworks and best practices? And all of this functionality should be available inside, and in a consistent way with, a single pane of glass across all of the tools.
So that is what is leading us from CSPM to cloud native application protection platforms, giving security and compliance for the multiple clouds. So the summary of what I have said is that digitalization is increasing the business risks, especially of business continuity, because as you become more dependent upon it, the impact of an attack becomes greater. And the more that businesses depend upon the cloud, the more they are exposed to these attacks.
The cloud and virtual services bring with them additional responsibilities and additional challenges as well as all the regular ones that you were used to: the challenges of understanding shared responsibility, of the dynamic resources, and the fact that each cloud provides its own set of tools that have different looks and feels and user interfaces and are different from whatever you had on premises. This led to this cloud acronym soup: multiple individual siloed applications, all of which were different.
And what is actually needed is a single cloud security platform which provides a complete and comprehensive approach, with dynamic guardrails to prevent you from going wrong, with threat detection to help you to know when you're under attack, and which supports best practices and compliance. So now we're going to have the second poll and this is going to ask you which identity and access management challenges do you find most pressing in the current landscape? Is it maintaining an accurate and up-to-date lifecycle of users' identities? Is it balancing security with user experience?
Is it integrating your IAM solutions across cloud and non-cloud? Is it about keeping up with the rapidly changing regulations and compliance requirements? And while you are filling this in, I'm now going to hand over to my colleague Andre Rall, who is the Director of Cloud Security and Compliance at Uptycs. So over to you Andre. Thank you. As mentioned by Mike, my name is Andre Rall. I oversee threat research here at Uptycs.
You know, we look at attacks on clouds, how the cloud is being exploited, manipulated; we reverse engineer that and we bake those into our products so our customers can benefit from detecting threat actor behavior. So let's get into it. So what I wanted to start off with was just a little bit about the growth of the cloud. We know the cloud is very prominent. We know a lot of companies are using it and I'm not gonna go over every single tile you see here, but I'm gonna highlight a couple. The very first one is the bottom right. So by 2026 the cloud market is expected to get to 947 billion.
Just for reference, that number in 2021 was around 450 billion. So that's a $500 billion growth within a five year period; astronomical. The second number is the bottom middle tile. It's an estimated 175 zettabytes of stored data will be in the cloud. And for those of you googling what a zettabyte is, lemme save you some time. One zettabyte is 1 billion terabytes.
So, you know, to go off what Mike was saying about moving to the cloud, digitalization data is going into the cloud at an exorbitant rate. Everything we do today, there's some aspect of our lives that touches data and being stored within the cloud. But with that, so are the attacks. So threat actors know the cloud is a haven for nefarious behavior.
You know, they are cloud security experts whether we want to believe it or not, but the cloud is essentially their playground. They get to play in the cloud, attack it, exploit it on a daily basis. They only need to be right one time, right? As defenders, as legitimate businesses out there, we have to be correct and defend all the time. So they just need that one crack to be able to exploit a business. Some of the numbers here, the one that really stands out to me is the middle one. I found a report, the TELUS cloud security report.
You can go and find it online, but when they polled it was thousands and thousands of users across different roles, different verticals, business units, and 19% said that they don't know, or excuse me, they know where all their data is stored. Said differently, 81% said they don't know where all their data is stored. So it's becoming a very big problem to keep tabs on, you know, data, cloud infrastructure, the ephemeral nature of the cloud and the growth that a lot of these companies are experiencing.
When I talk to companies and I present webinars and consult, the one thing I emphasize is you have to assume breach. And what do I mean by that? Assume your environment is going to be breached. It's not a matter of if, but it's a matter of when. And as you deploy, design, architect around, you know, grow in your cloud environment, keep that mindset. As you can see just from articles throughout this year, we're seeing that the cloud is becoming more and more of an emphasis. Attackers are targeting the cloud more and more.
Even cybercrime groups are offering six figure salaries, bonuses, paid time off. That's how lucrative cyber crime is becoming. And a lot of that cyber crime is shifting towards the cloud. So switching gears a little bit, getting into CSPM, you know, so what outcome does CSPM actually deliver?
You know, in a very high level analysis, you know, you have asset discovery that'll tell you configurations for those assets, you'll be able to secure your posture and then you'll have compliance, right? You'll get a compliance audit, be able to see where you stand in terms of your compliance checks. But I like to categorize CSPM as your risk assessment.
So having a CSPM in a cloud environment, you know, several years ago was great, but as the landscape has shifted and as more companies are moving to the cloud, and as the cloud itself is growing, we're seeing that a CSPM is not enough. You need a holistic view across these technologies, some of them that Mike already outlined, but you know, threat actors as an example, they don't think in silos, right?
So they're not just gonna go look at a particular service and its configuration, they're gonna look at everything in your environment and they're gonna try and attack you in a way to achieve their outcome or to, you know, attack or approach their targets. Excuse me, the landscape has expanded. And what do we mean by that?
That, you know, configuration vulnerabilities are not the only threat out there, right? What about runtime threats? How do you ensure that your posture management solution and your workload protection and your identity security all coexist? Right? The cloud is a very interconnected, intertwined set of technologies. You can't be effective in the cloud without using one or more of these intertwined technologies. And that's why we firmly believe that having something like a cloud native application protection platform, CNAPP, is becoming the standard.
We're seeing it more and more; the industry is going that way. Consumers are wanting a CNAPP. You know, most CISOs we speak to, they're in a position now where they've got security tool sprawl, they've got all these security tools, they don't have the right resources, the right skills to educate their team on how to use all of these tools. So they're trying to consolidate. And that consolidation play is going right towards a CNAPP.
By not having a CNAPP, as you can see in my graphic, you're having blind spots, you're leaving blind spots to yourself and your company, because a CSPM gives you a very, very specific view, but it doesn't give you the peripheral view that you need within an environment. So what is CNAPP?
You know, Mike touched on this a little bit, but I know there's a lot of acronyms being thrown around. I like to look at it as more of a what are some of the problems or what are some of the tasks that a CNAPP can help with, right? So here we have CSPM for risk assessment. If you have identity or you need identity, that's going to be your CIEM, and then response, and then workload security, right? CWPP. So we see this as some of the founding pillars of what makes up a CNAPP, but we firmly believe that endpoint XDR has to be included within CNAPP. Why?
If you look back at this year, and you look at some of the breaches that have occurred across several industries, most of them have occurred because the developer's laptop was targeted, right? Either they downloaded malware, it created a reverse shell, or they were breached because they had a third party music player. It wasn't patched. They got in, they mined credentials, used those credentials to move laterally into the company's environment. And then from there, moving to the customer's environment essentially.
So a CNAPP is exceptionally important if you're in the cloud or you're thinking about moving to the cloud, because as you can see, it eliminates a lot of those blind spots that will be present without a single platform. The other benefit of a CNAPP is, again, it's a single platform. So if you have a set of engineers, security engineers, you have to go and give training on one particular platform.
You don't have to have them context switch between multiple platforms and really, you know, lose sight of what the end objective is, which is protecting the environment, versus trying to learn how to use a tool. As mentioned, developers, we see it time and time again, the industry is seeing it: the developer laptop is being targeted. So I have a very basic illustration here of how a threat actor will be able to have the user download malware onto a developer laptop. The threat actor gains access to the developer laptop.
They are able to look for, you know, a personal access token, trying to access Okta. They can look for ways to access GitHub. GitHub is very important because they can clone repositories, they can access repositories to find credentials. And then once they have credentials, you know, they can move laterally into AWS. And then once they're in AWS, if they have the right permissions and credentials, they can actually exfiltrate data within that environment.
But again, the developer laptop is a critical starting point for threat actors. Now, for audience members, you may be thinking, well I don't have developers, you know, I'm safe. Well, insert name of employee who works remotely using a laptop or a desktop. They will be in scope of attack by threat actors. At Uptycs, as mentioned, we believe that XDR should firmly be within the CNAPP pillar of technologies because it'll give you an early warning system. So if a threat actor accesses a laptop and they attempt to access Okta or attempt to make a suspicious Git call, we will be able to detect that.
We will alert you. So before they even get into the cloud environment, you have to have this early warning system.
And again, this starts off by using a solution like XDR on an employee or developer's laptop. Here we have an example of a suspicious Git event called Impossible Travel. So for those of you who are not familiar with the term, Impossible Travel is a single credential making a change or update from two geographically dispersed locations, meaning there is no way humanly possible that someone could have made the call in India and made the call in the United States within a couple of seconds of each other.
So we have detected this, we can alert you to say that someone's credentials were used to clone a Git repository, you need to take some action on this. But again, these are all those early warning systems that you need to look for prior to getting into your actual cloud environment.
You know, everyone looks at the cloud environment and thinks, well I just need to protect that and I'll be safe. But peripherally around that, look what else has access to that cloud environment. And that's where you're gonna focus your efforts and that's where CNAPP will help you tremendously. So let's get into some of the pillars that make up CNAPP. So as mentioned here, we have the CSPM.
And again, some of the examples I'm gonna go off here are very simple, but they should get the point across. And these are just the tip of the iceberg in terms of what we can actually detect for as you use the CNAPP platform. Example one, right? You have assets, we discover assets, we visualize those assets for you, and we can let you know which of your assets are open to the internet. Now you are wondering why is that a problem? If it's open to the internet, all I need is an internet connection to target your particular asset.
Example two, do you have a root account access key, does that exist? Hopefully not, because that should never ever happen. The root account should be used to create your other accounts and then you should, you know, essentially lock and encrypt the credentials for that root account password so that no one can get in there and use that account for anything.
Then we have CIEM, right? Cloud identity entitlement management security. So some of the warnings or alerts we can generate.
You know, you have several users within your environment. We can very quickly identify which ones have, for example, full administrative permissions. We can also show you if there are several users and they have a very long set of permissions; we will go in and show you, you know, Joe and Mary have got all of these permissions and in the last 90 days they've only used a subset. We'll show you what that subset is and then we'll recommend to say, remove the additional permissions. Why is that important?
Well, if Joe or Mary's credentials get compromised, the threat actor now has the ability for all of those excessive permissions. And you just may find that those excessive permissions may be the catalyst that allows for data exfiltration, that allows for ransomware. K S P M. So if you need Kubernetes, contain security, right? We're seeing a big shift of companies using Kubernetes containers and it makes a lot of sense because as you take those applications from on-prem, you create microservices containers is a great way to shift it from on-prem into the cloud.
But Kubernetes containers has been around for a couple of decades, but it's still a little bit nuanced in terms of the deep security knowledge required to securely scale Kubernetes. So an example of what we can detect for, right? We can find container escape to the host system. So essentially what we're saying here that Kubernetes container successfully exploited, so it's permissions to access the host file system and resources. What this will allow them to do is view the critical configuration files on the Kubernetes node node as a configuration.
And just with that they're able to interact with, you know, the control potentially take over the entire cluster. The second one, default service account, lateral movement. So you know, we find time and time again that default service accounts and Kubernetes are set up with excessive permissions and this presents a very big security risk. Why? Because should these accounts be compromised, authorized users can gain access to the entire cluster, allowing 'em to move laterally to some of the susceptible pods.
So it's very important to have eyes and ears on these types of nuances so that you know, you can understand your, your security risk posture as it relates to Kubernetes. Next we have C W P P cloud workload protection platform. So really what this means in a very simple way, do you have applications or workloads running on an e c two instance, on a vm, on a compute machine? What we're gonna do is, you know, we're able to scan those instances and really tell you your posture for that. So what are the vulnerabilities? Do you have any compliance issues?
Do you have any secrets on those instances? And the great thing about Uptycs is we can do agentless and agent-based. So just like the agent we install on the laptop that helps for that early warning system, we can install an agent on the instances. We have customers who do both, right? So maybe in a production environment they want an agent; in a non-production environment, they want agentless. But going into some of the examples here, you know, we can detect a reverse shell. So someone downloaded malware; that malware is a reverse shell. A reverse shell allows a threat actor to connect back to the instance. We can detect it and block it as your early warning system. We can also detect SSH keys. So if you SSH into an instance from a laptop, we can see those keys and we can tell you proactively, hey, Joe's laptop has SSH keys. If his laptop were to get breached, someone could SSH into an EC2 instance. That EC2 instance has an administrator role. That administrator role gives them the keys to the kingdom.
We visualize that for you, enabling you to see very clearly and in layman's terms what the security threat is that you need to address, as well as giving you remediation guidance on how to remediate that. And yeah, we have CDR, right? Cloud detection and response. This is really behavioral activity. And what do we mean by that?
Well, we have two types of behavioral activity. We have pattern-based and we have anomaly-based. On the pattern-based side: a threat actor, when they steal credentials and they get into an environment, they need to perform reconnaissance to find their way around, to understand where they are, what they have access to, and what they can do. Those are patterns. We know the patterns that they will follow, right? There's tools out there. We have researched a lot of this. We've collected a good amount of pattern-based detections that we've built into our product.
So for example, if someone were to go and use an exploitation framework tool called Pacu, widely used by threat actors, if they were to use that in your environment, we'll be able to detect it, present it to you, show you in layman's terms what they did, how they did it, and then give you guidance on how to remediate that, either manually, step by step, or we'll give you the one-click ability to go and remediate. And then anomaly-based, right?
One of the biggest challenges cloud teams have today, defenders, SOC analysts, is being able to differentiate between legitimate and illegitimate behavior. As mentioned in the beginning of this talk, a threat actor needs to be right one time. So how do you find that one API call out of a, you know, bucket full of API calls? That's where our anomaly detection comes in. So if you have Joe or Mary, let me pick up Mary for a little bit.
If Mary has called S3 all the time and now all of a sudden she's trying to run instances, or she's trying to create a user, create an access key, our anomaly detection system will detect that. It'll flag it and say, here is Mary's baseline behavior, but here is the abnormal behavior that she's creating. Look at this, make sure this is okay.
You know, have Mary's credentials been compromised, or have her roles and responsibilities within the company actually changed? Finally, just to sum it all up, you know, threat actors are cloud security experts. As mentioned, the cloud is their playground. We as security-minded folks, we're always at best one step behind the threat actors. If you think about a CSPM, it's important, but on its own you're gonna have blind spots. So don't just employ a CSPM; find additional tools, find a CNAPP platform that has all of these abilities to mitigate a lot of those blind spots. You need to focus on multiple attack surfaces. So not just the cloud environment that you're in, but look peripherally. What has access, what other attack surfaces could a threat actor use to move laterally into your cloud environment?
And then finally, you know, again, keeping yourself secure by using a CNAPP, you'll get complete coverage. But also the benefits are, you know, you have fewer tools to go and train your team on. So your team, instead of going, you know, I like the analogy of six miles wide, half a mile deep, you can go a mile wide and six miles deep in one particular tool. That's it.
Mike, thank you. Back over to you. We now have another poll, which is: how would you describe your organization's current stage of CNAPP adoption? And so the options are: are you fully adopted, or partial adoption, or still thinking about it, or not even considering it. And so you should now see this poll on your screen, if I'm correct.
So while you are answering that, I'm going to now put us back onto Andre and I, and we will have a conversation. So I've just got to find the appropriate bit of, sorry. So we're going to move on to questions and I've got to go back to the Zoom meeting. Lovely. Okay. So thank you, Andre, very much for that.
Well, you finished off with talking about thinking like a threat actor. Would you like to expand on what you really mean by that?
Yeah, definitely. And we get this question quite a lot, but, you know, if you can employ the mindset of a threat actor, it puts you in a position where you're able to understand how threat actors think. It's a very unique way in how they think and how they approach attacking an entity, a cloud environment. So when I say think like a threat actor, you know, if you have blue team members on your team, if you have a security team, they're almost always focused on how to defend, how to threat hunt, how to look for that nefarious behavior.
But I encourage companies to flip that around a little bit: teach them how to be a red team, teach them how to attack, how to think like a threat actor, go and learn some of the tools that threat actors use. You know, I wrote a blog several weeks ago just highlighting some of the tools that threat actors will use, and what's the benefit? Once you understand the outcome that tool delivers, you will very quickly realize why that's important. And then you'll realize, oh, if that is present in my environment, should I build that? Should I mitigate that?
Should I remove that? And then further along, as companies mature, as they start planning and building and configuring the environments, you know, that'll be one of the questions that comes to mind: hey, how do I think like a threat actor? And if a threat actor were to get hold of this or breach this, what would the blast radius be? So that's what thinking like a threat actor means. Yeah.
So in a sense it's not thinking about how well defended you are, but thinking about how the threat actor will find the easy way in. And this is the challenge: that's how they usually get in. They don't actually have to do the impossible. They don't have to decrypt the most complex encryption algorithm. They find a hole in the system, which means they don't have to do it. Correct. And yeah. And this is it, the simple way in that you never thought of. Yeah, yeah, exactly.
It's very, you know, finding the cracks, right? So yeah, there are many cracks in cloud environments.
You know, when I was at AWS, overseeing their Tokyo division, we had customers, you know, Fortune 100 companies, come back to us after we detected a breach in their accounts. And it was just mind-blowing how little awareness they had around that particular exploit.
So yeah, there are many tools that find the cracks. So for teams to go and learn those tools, it'll quickly surface what cracks you have in your strategy. Yeah. So it's an interesting thought that you go away and learn the tools and techniques that the threat actors are using as a way of being better at defending yourself.
That's good. Hold on. That's good. Now it's interesting because I don't see any questions from the audience, but if there are any, please, can I ask you to put them into the Q&A, and we'll look at them now. I'm interested because I was looking at the polls, and it's always useful to talk about what the polls were, and the first poll was talking about the biggest challenge. And the interesting thing about this is that the top of this was complexity. Now I don't know, what's your take on this, Andre?
Okay, so the poll question just came up. Let's see.
Yeah, so, you know, what I see a lot of is you have folks, companies, who have a very robust on-prem security strategy, and they've been doing it for years, and they try and shift over to the cloud. And time and time again, they'll bring their security strategy over to the cloud. And that's like mixing oil and water. They don't mix. So what I find is they're trying to take their understanding and their biases from on-prem and squeeze it into the cloud and try and figure it out.
The cloud in itself is exceptionally complex. So if you take someone who is well versed in cloud, you can ask them how complex it is on its own. Now you are adding on-prem to connect, to communicate with each other.
And again, these biases tend to get in the way of being able to achieve an outcome. But it is very, very difficult to try and get on-prem and hybrid cloud environments to connect to each other. And a big part of this is, again, I think you have a lack of skills. You have a lack of knowledge. Folks who have done this time and time again, folks who understand it, folks who have, you know, experienced on-prem, try and do the cloud; folks who have experienced the cloud try to do the on-prem thing. To have that mindset shift is also very challenging for folks to do.
So it's interesting, because there was another set of surveys done by another vendor, which basically said that the biggest friend of being hacked is being too complex. So simplicity is your biggest friend for improving security. And I think one of the areas that we have both been talking about is that the more complex, we have a complex environment, which is made worse by complex tools, and having a single simplified set of tools, a common user interface, a common way of doing things across this multiple environment must be an improvement.
Yeah, definitely. You know, the challenge you also have is in the cloud you have identities for users, identities for machines, identities for software; on-prem, you don't have all of these identities. So it's trying to correlate and match identities across on-prem, across the cloud. The other piece of the cloud: it's very ephemeral, it's always changing. It's also complex, you know, from day one when you create a cloud account, you have thousands of APIs, thousands of permissions that you have to navigate; on-prem, you don't have that.
So to your point, Mike, yeah, having this complexity is very, very prevalent. That's why even more so having a CNAPP is exceptionally important, because what a CNAPP does, it almost has an abstraction layer that allows the end user to gain a simplified view and understanding of their complexity.
You know, they don't have to be a cloud security expert, they don't have to be an on-prem expert, but a CNAPP will provide a great user experience that allows them to feel like there's a simplified approach to managing those environments. Yeah.
So taking the point you were making about identities, there's an interesting result from the second poll, and I don't know, Oscar, if you could display the results there, because the biggest challenge from the second poll, which was maintaining an accurate, well, it was actually integrating IAM solutions across heterogeneous cloud and on-premises environments, was one of the biggest challenges that the people had, and this is precisely what you were talking about before, and it's to do with identity.
And as you have previously said, identity is the new frontier: getting into the identity of any of the cloud elements or any of the cloud administrators is a major threat. Yeah, yeah. Identity is the new perimeter.
You know, in the on-prem world, your perimeter is a firewall; in the cloud world, your perimeter is an identity. You know, identity, I like to say, is like the nervous system, right? If you have a weakened nervous system, you're gonna be vulnerable and you're gonna be open to attacks. So it's very important to focus on identity, you know, the top response here.
Yeah, integrating IAM solutions across heterogeneous cloud and on-prem is very challenging because of the complexity and because of how nuanced identity can be; it is very hard to get this right. And a big reason we see lending itself to this is we almost prefer to give more permissions as humans, right? We don't wanna restrict people, even in principle of least privilege: oh, just have a couple more permissions, because I don't want you to constantly bother me to say, hey, I can't access it, I can't access it.
So we'll say, okay, there's more permissions, let me know when you're done. They maybe go and access it, they get sidetracked, they forget to tell them they're done. Those permissions now live there. So identity and integrating it definitely resonate with us. And it's very complex and very difficult to get right.
So can you sort of say in a nutshell how your solution helps with that area? Yeah, what we do is we will put a spotlight on your identity. So what I mean by that is we will visualize your identity for you. Because conceptually trying to identify or see what identity means or is is very difficult. But once you visualize and understand what a user is, what their permissions are, what they can access, it becomes a little bit easier. So we will go and find your identities, the entitlements, without you having to tell us. That's another thing, right?
Is that we have identity creep; we have users, roles, permissions; people don't know why they were created, who used them, or what they accessed. We can answer those questions for you. So we can help you understand what your identity risk is in any of your cloud environments. Yeah.
And identity risk is probably the major area. And the problem is, as you say, there's all this stuff out there and it's not visible. And so you need to get visibility in terms of what is really a risk. And that's the critical thing. And the other piece to that is the ephemeral nature, like I mentioned, right?
It's not a static "look at it once, forget about it"; it's constantly changing. You know, again, in the cloud you have multiple identities, right? Machine, user, software. How do you keep track of that? How do you know what's interacting with each other? What's spinning up, what's going down? What's being created, not created? It becomes very complex very quickly. So that's where we can help you. Yeah.
And that's what I was starting off talking about at the very beginning: that the static approach that was traditional to on-premises, traditional security, where things changed slowly and environments were very much under control, is not the right approach for the dynamic and ephemeral nature of the cloud. So the final poll, which is interesting, is to do with how well or how far along you are with adoption. And so perhaps you would like to just finish off by giving your advice on what you think the organizations that are using the cloud should be doing in the area of CNAPP now?
Yeah, I would definitely first of all ensure you understand your business, right? Ensure you understand which services you're using, understand what your outcomes need to be within your business. Once you have that, it becomes easier to integrate and evaluate a CNAPP, because then what you're gonna focus on is: as a CNAPP, does it give me the visibility and does it help me become compliant? Does it give me the visibility on identity, on Kubernetes?
You know, you may have companies who don't ever use Kubernetes, but your CNAPP has KSPM; well, it's not gonna be of use to you. But I would say as you go through this, look at your use cases, look at your infrastructure and see how much of a risk it's presenting to you, how much of a risk it's surfacing. You know, hopefully the CNAPPs, as you begin adopting these, they'll uncover risk that you had no idea even existed. Then, you know, you're on the right path to integrating the right CNAPP.
But also as your business scales and as you grow and evolve, you know, your business may require, for example, Kubernetes. At that point, having the CNAPP already integrated is very easy, because then you just activate the KSPM pillar and now you have visibility into that. So overall, great to see that partial adoption versus not considering or sort of evaluating.
But yeah, CNAPP is, at first, I think, a little tricky for folks to kind of navigate, but once you see the value that it offers, it becomes a no-brainer to continue with that CNAPP platform. Yeah. Thank you. So we're now coming to the end. So I think the message from today is that nearly every organization is now using the cloud, and you cannot just rely on your traditional on-premises security approaches. You have to take a different approach because of the complexity. So would you like to just say a final word, a final piece of advice, before we finish, Andre?
Yeah, just to say, you know, thanks for listening, everyone. Definitely, as you move towards the cloud, it's a journey.
It's gonna get very complex, it's gonna be very scary at times. But I think if you take some of the advice that I've given, you'll be in a good position.
You know, finding cloud security experts to hire into your team is a must. I know that's difficult.
You know, I know they're few and far between. I know they're expensive. If you can't hire the right experts into your team, find a security vendor who has those experts, because they will guide you and help be your eyes and ears. They've learned the lessons; they've uncovered some of the exploits and nuances that are problematic for entities.
Okay, thank you very much. Thank you very much, Andre, for your contribution to this, and thank you very much to all the participants for taking the time to listen and to be involved in this call. Thank you very much, everyone, and good afternoon. Thanks, everyone. Thanks, Mike. Bye-bye.