
Oh Crap, Do I Need a CNAPP?

BSides Dallas/Fort Worth · 41:40 · 29 views · Published 2025-01
About this talk
BSidesDFW 2024, Track 1, Session 2, 02 Nov 2024. (No sound for the first 2 minutes.)

Oh Crap, Do I Need a CNAPP?

In the rapidly evolving world of cloud security, Cloud Native Application Protection Platforms (CNAPPs) have emerged as comprehensive solutions for safeguarding cloud environments. However, the term is often misunderstood, leading to confusion about what a CNAPP truly entails and whether it is necessary for every organization. This talk clarifies what defines a CNAPP by breaking down its core components and the essential requirements for a robust protection platform. We'll also explore why having a CNAPP is crucial for organizations committed to securing their cloud environments.

Kenny Parsons

Kenny Parsons has over a decade of experience in IT and cybersecurity. He is passionate about solving complex problems and helping organizations secure their environments.
Transcript [en]


...a unified security platform that combines multiple security solutions into a correlated management plane, offering advanced protection for cloud resources. Again, my translation: it's not a single product, it's the culmination of multiple security products all working together. And so my holistic definition is a comprehensive platform that brings together various security tools in one place and routes them to work in harmony to provide complete protection for your environment. Okay, so Gartner has their version. I'm not going to spend too much time on this, just some good info for you. They kind of split it into two: you have data plane operations and control plane. Within the data plane you're really concerned about code that you're writing and that you're developing, where you're shipping it, your infrastructure as code, your actual runtime; so that's all the data plane. And then the control plane is looking at the security of your cloud environment itself, the security of your groups, your identity.

The way I like to lay it out is like this; this is the basics of a CNAPP. Okay, so first, inventory. You can't really protect your cloud native environments unless you have inventory, so it all starts with that. And then the major ones here are CSPM, DSPM (and I'll explain in a second), cloud infrastructure entitlement management, or as it's soon going to be called, identity security posture management, cloud workload protection, there's ASPM, application security posture management, or app code security, and then there's some other posture management, and I'll go into detail about what these are. And again, how can you guys look through these? For those coming in, I'm not talking vendors today; it's not the goal here. The goal is to instruct and educate. If you're being instructed to use these vendors, or you're being instructed to find a CNAPP, or someone's pitching you a CNAPP, how can you spot the BS? How can you understand what's really important and what's not? That's the goal here, and I'll explain each of these core components. But in my opinion a CNAPP is useless unless we can do something: what can we detect, what can we respond to? For a long time we've had tools telling us, here's everything wrong with your environment, here's everything going on in your workloads. Well, what do I do with that? For a long time we've had that. So the goal of a modern CNAPP is to say, here's what we know, and then here's what we can do. So CDR, cloud detection and response, should always be a part of any tool that you use.

So you may be thinking this doesn't really sound new. It's not. Okay, this doesn't sound new; it's not, and it also doesn't really sound unique. Trust me, I know; every company says they have a CNAPP. The bar at the bottom is to represent where I normally, in an executive presentation, would talk about vendors. Again, not doing that today, just letting you know there's a ton of people in this space. How can you spot the BS? How can you find what really matters to you guys and your business? Again, as practitioners, I'm trying to enable you to find what's the right tool for your business, if you're being tasked to do so.

So first I want to kind of step back: where did CNAPP come from, what's the evolution here? There were really two camps. One was posture management and the other was runtime security. Posture management was all about the agentless phase, 2017, 2018, 2019; everyone was, "well, we're agentless, we're agentless," which was good. We needed that, it was great, it served its purpose, and it's still serving its purpose, but really what that gave us was full inventory of our prod. And so we also started to introduce identity posture, so looking at our identities: not only are we looking at our cloud resources but also the identities within those resources. And then more recently, about 2021, we started the introduction of data security posture management, and the key insights you might get from looking at data help prioritize, help understand what's our most critical. So that's posture management. Very simply, we're just going to look at how everything's configured and try to spot issues; we're not even caring about runtime, we're just trying to spot issues as configured.

Runtime defense: this was the agent-based approach, workload agents. And I'm going to make a quick distinction: this is not necessarily EDR, endpoint detection and response. Okay, I'll violate my rule and talk about this for one second: it's not CrowdStrike or Defender or Cylance or all those things. EDR is a different beast and I'll talk about that here in a minute, but the workload agents were meant for cloud workloads, cloud data workloads, which is a very different threat than a user workstation that might require EDR and whatever those acronyms are. This is where you're going to get Kubernetes and container support, also bleeding into application and code security. So we're looking at what's going on in our runtime and how do we detect and stop threats and things like that. And along the way we kind of realized we need both to get a holistic picture of our cloud native security; we really need both. And so that kind of merges into this modern CNAPP, which is the intersection of posture and runtime. The goal here is to make all of our findings contextually aware, understand what our response capabilities are, and then also how do we focus our response and remediation efforts properly. Because again, for a long time you've been told, here's everything wrong with your cloud, here's everything wrong with your IAM configurations, here's everything wrong with your S3 bucket configuration. We've been told that for a long time, but what do we fix, and then which ones do we fix first? And so the modern CNAPP kind of brings all those together. So that's kind of where we were and where we're moving to, and again, all of this has a fundamental output of what do we respond to, how do we do detection and response.

So I mentioned there were six or seven different core components that I would say make up a CNAPP. These are the four that I think are absolute necessities, table stakes, if you're looking at one. And again, these are generalities; there may be instances where one might be left out, but for a broad spectrum these are what I think you should be looking at for a successful CNAPP, and then what might differentiate one CNAPP provider from another. So again, the definition of CNAPP is on the left: the intersection of posture and runtime, contextually aware; we'll talk about that. The four components: I'm going to talk about them individually and then I'll talk about them together.

So, individually. CSPM: simple agentless onboarding, account visibility; we want to look at the static configuration of our cloud assets. There's a ton more to CSPM, but that's kind of the basics. A big one that I like to add in there is streaming log changes, the streaming audit log. So if you're in AWS, you get your audit log, or CloudTrail, as they call the audit log, but you're watching that for specific changes that are being made and you can respond faster. So that's a key part to more of that real-time, quote-unquote, CSPM. But that's really what a cloud security posture management tool should do on its own: it should be able to do full inventory and look at all of your configurations within your prod and be able to spot big issues, critical issues, that on their own, hey, we need to take care of. How does that feed into everything else? Again, glad you asked; we'll talk about that.

DSPM, very similar: asset discovery, inventory. We need to be able to sample our data, so we've got to find where our data is and sample it. What is it? PII information, confidential information, research data, whatever. How do we find it, classify it, and then continuously find and classify, and then use those findings for risk assessment and prioritization purposes. A lot of companies that I talk to, data exposure is their number one worry, where I don't care if a finding is vulnerable to the CVE, but I do care if it's vulnerable to the CVE, or at least it's of higher importance, if it's also got some type of data. So that's usually a key criterion that people are looking for. So good DSPM, that's really basic, but there's a whole lot more that you can go into; just for the purpose of this, this is what its key insights would be.

Cloud infrastructure entitlement management, or more broadly, as it will be known (it's a new thing that I'd bet my paycheck on within the next two years), ISPM, identity security posture management. So ISPM would kind of roll up identity governance, cloud infrastructure entitlement management, RBAC, roles and permissions; all that would kind of roll up under it. Yes? Yeah, I call it "Kim" instead of using the S sound, so if that's a problem... So yeah, ISPM just makes more sense in my opinion. But here what we're doing is we're looking for human and non-human identities. Again, inventory, continuous discovery. Are we connecting to our IdPs to understand who these users are? And then we want to map all of those users and their roles and their permissions across all of our different clouds and understand our entire cloud estate: who's who, what are they doing, what do they have access to. And again, like the others, there's so much more that an identity tool should do, but one big one in a CNAPP is looking for over-provisioning. So for example, can we see, hey, this service account has more permissions than it actually ends up using in your cloud estate? Well, there's a bigger blast radius if it's potentially compromised. So from an identity perspective that's basically what it should do. Again, from CIEM there's so much more it should and can do, but in a CNAPP conversation that's kind of the basics, the table stakes.

Cloud workload protection. Again, this is not EDR. The way I like to describe it to executives, pretty simply, is: EDR really should be for user access, EDR should be for the workstation, where you have to assume that user is actively trying to destroy that computer and destroy your business, right? So the threats there are just so much different than a threat on a cloud workload. Cloud workloads would be things that have predefined actions: a web server you interact with over a network, or it's a container, or it's a serverless function; it has a predefined action, a predefined output. That's really what cloud workloads are, and those threats are just different than users. So that's why I make the distinction: this is not EDR. They have some overlap; you may even see some vendors that are traditionally EDR vendors (everybody in the crowd should understand who I'm talking about) that are EDR and say they also have cloud workload protection, and they kind of do. So there's a little bit of overlap there, but from a cloud workload perspective it needs to be super lightweight, and that automatically qualifies out most...

Yeah, I mean, you could qualify that under identity security posture management. So PAM and PIM are going to be part of your broader identity governance program, which can roll up under ISPM, but the focus of all of these tools is not to feed our cloud security tool; it's our identity security governance program, our data security program. There are some vendors who have that program approach and can do it pretty well, but for a CNAPP we don't need most of the holistic program. Yeah, PIM and PAM would be part of your program. Yeah, so those would hook into things like SailPoint; SailPoint is like an IdP. Yeah, so PIM and PAM, those are part of a broader (I use the word program, that's the best way to describe it) initiative, usually of the C-suite and directors. So not excluded from here, but I wouldn't call it a core component, like if you don't have this you're not going to be able to see that.

Then workload protection. Again, lightweight, so that qualifies out those solutions; make that decision. System-level visibility: we want to see everything that's going on in that system, TCP calls, file opens, everything. So Linux kernel; usually Linux is the primary target for cloud, most cloud workloads are Linux. Windows does now have support for eBPF, and CR is actually moving into that, which is good, it'll be much faster, but anyway, that's not the point of this conversation. In-memory catalog, and this is huge: what's actually going on in memory, looking at what binaries and libraries are actually being loaded in memory; that provides some key concepts. Kubernetes support, container support, this is where we want that. And then ultimately cloud workload protection is usually where CDR responses use that agent to actually do something: close that network connection, delete a file, whatever. The CDR is going to leverage the CWPP.

So all of those individually are good products; they probably are products you've heard of if you were to buy them off the shelf, but the problem is they're not talking to one another and informing one another of their findings. So the point of a CNAPP is to bring them all in under one roof and understand that your CSPM findings on their own might not be that important, or how do I rank the importance of a CSPM finding? Let's say the CSPM provider says, oh, this is critical, and a CWPP says, oh, this is critical, and the identity tool says this is critical. Well, how do we say, of all the criticals, which ones are critical one, critical two, critical three, critical four? We don't know unless all of them are analyzed together in the context of the whole cloud estate. So that's what I mean by full context: they all have to roll up under the CNAPP platform and inform one another of what's actually going on.

I'm going to give you some examples. A good example here: let's say your CSPM provider (maybe it's one tool, or maybe you have four different tools), your CSPM provider says, hey, you've got this cloud workload and the network interface has any/any, okay, so it's open to the internet. What do we do? Is it supposed to be? I don't know, unless I actually go track down that owner, and that's usually the response: you get a finding, you get an alert in Slack or a Jira ticket or ServiceNow, and you go, oh crap, I've got to go find the owner of that machine, if it's even tagged properly, and, hey, is it supposed to be open to the internet? Yes. Okay, well, now I just wasted money. Your identity security posture management may show, hey, that workload that's open to the internet has this role attached to it. Okay, is it supposed to have that role with those permissions? I don't know, I've got to go find that person and talk to them, like, what is this role supposed to be doing? Your workload protection may be able to tell you, or should be able to tell you, here's what's running in memory, and that binary has a vulnerability on it. Okay, that's important, we probably need to fix that, but is it really a problem? Is it exploitable? Part of being exploitable might be, is it reachable from the internet? So is it really important? I don't know. And DSPM provides a huge enrichment opportunity to say, hey, this data bucket has private data. All of those findings are four separate responses that four different teams likely will have to make. Instead, a CNAPP says, hey, that machine, we know it's open to the internet, we also know that vulnerability is now exploitable because it meets all the criteria, and we know it's running in memory, so we know it's easily exploited, and we know if that machine is exploited, or that workload, I should be more specific, if that workload is exploited, they can assume this privileged role that lives on that workload, and that privileged role also has access to this bucket that has sensitive data. Now we have a holistic picture of the actual problem, where we need to respond to one problem. Now there's still four things that need to be fixed, but it is one single problem that we can focus on, and that's like your best-case scenario: four different responses with one actual finding. But the idea here is we're taking all of our findings and they're cross-correlated together and they're informed by one another to provide a new level of risk you've never been able to have.

So anyway, about halfway through. Question: would a CNAPP track all that in a graph or network-type relationship, and then how would it calculate the risk? Yeah, so, without mentioning vendors, yes. There's a novel approach to doing this called graph theory. I don't know if you know what a graph database is, but basically you can create and find complex relationships between assets, so you can say, well, this cloud workload has a relationship to this S3 bucket by way of a vulnerability or whatever, or an identity in between, that if you go from this machine you assume this identity, you go to that bucket. So it creates this relationship; it's called a graph table and graph theory. What was the second part of your question? Calculating risk. That's usually... data insights are probably the number one way to escalate risk, because if there's some path to sensitive data, it immediately gets put up. So that's usually the vendor secret sauce, quite honestly, like how are they prioritizing things. The really good ones, you can usually just trust, like, hey, if it's critical, they're telling you there's a critical problem; it's critical because they're really good at that, and what they're looking for are combinations of problems that lead to some type of exposure, data exposure, identity exposure, something like that. But usually data will top all of them, because again, what's the point if someone hacks a machine but can't get anything? That's going to be lower than someone hacks a machine and can get at the data, and that's usually...

Yeah, to be quite honest, you'd get that with just a CSPM tool, because most compliance metrics, and again, as engineers and practitioners you probably know this, compliance doesn't really care about real problems; they just care about checking the box. And so CSPM can do that really easily, because it has full access to your cloud estate and can scan all the configuration, and it can find all the violations according to this framework or FedRAMP or whatever, because FedRAMP is only looking at the static configuration, how things are being set up. So any good CSPM provider technically gets you that, but that doesn't really help, and that's why compliance frameworks broadly in the industry are kind of seen as a necessary evil, like we've got to do it because our status as a company requires this. But I mean, I've worked for companies that had several compliance certifications and their security was awful, because when you look at the whole cloud estate, the whole identity estate and all that, you see, well, I pass, but there's still ways in.

Yeah, so a lot of the paid enterprise ones, that's basically what they do, that graph thing that they're looking at. So there's some open source tools. The best open source CSPM is called Prowler. I actually know some enterprise vendors who are just using this on the back end, but Prowler will just spit out their predefined list of cloud checks that they're looking for, and it just spits it out into a database table. It's kind of up to you to build that relationship, and that's what's really hard; that's what not a lot of them are doing. In fact, only one right now is doing it well; there's others that are trying to replicate that. So there's not really anything open source out there; you'd have to build it yourself. Neo4j? Yeah, yeah, a Neo4j database and build it; I wouldn't recommend it, it's very... yeah.

So the whole point of CNAPP, again: take all these findings, bring them together, understand what our actual problems are, not just things that are in violation. I talked about some other posture management. So ASPM, this is a big one also, like data security posture management, which tells us about exposure risk; ASPM can be a really great insight to understand, like, hey, we know it's actually running in memory, so now we can tell our developers, fix this problem first. So the ASPM tools are really helpful in helping us analyze code, understanding where did this problem come from, from the actual executing code. SaaS security posture management: this is more looking at configuration of the tool itself, like SharePoint, Box, all that kind of stuff; good insights to have that can help enrich your findings. AISPM, this is a really new one; I hate the term, but it's a necessary term: understanding what's the posture of our AI data sets, how are they trained, what data do they have access to, access to sensitive data, that kind of stuff; are people running unapproved AI workloads in our environment; maybe everything has to run through a particular vendor, a particular gateway, something like that. Kubernetes security posture management, also big: much like CSPM, KSPM is looking at configuration of the cluster itself, not just the workload, that's CWPP, but we want to look at, well, how is Kubernetes configured? Kubernetes, by the way, is just a big API, and so we want to look at how's that API configured, best practices, that kind of thing. So those are the other posture management tools that you might find helpful; it just depends on your business and what's important to you, and I'll go through an example of what that means.

But everyone says they have a CNAPP. Like I said, this doesn't really sound unique, doesn't really sound new; everyone says they have one. So how do you spot the BS? How do you find out what's really important, and how do you evaluate these vendors for your business? There's three things I like to talk about; I'll explain each of these. Number one, vendors see CNAPP as a new product, not as a process. That's a big one; I'll explain that here in a second. A wider net does equal wider protection, sometimes; I'll explain that here. And novelty versus efficacy.

So first, product versus process. When a company says, hey, we have CSPM, hey, we have DSPM, let's say they have all four of the things that I say are absolutely critical, yeah, we've got it, we're good, but they're not all correlated together. This means my responses, like I gave before, with the exposed workload to the internet, a vulnerability running in runtime that's exploitable, with an identity that allows them to pivot to sensitive data, right? Okay, four different responses, four different teams, and no context of which one's most important, which one actually stops the holistic problem. Well, actually, we don't know the holistic problem because these findings aren't correlated. So the goal is to say, hey, instead of having four different responses from four different teams, potentially, that have varying levels of workload and capabilities, instead make it a process. Our process is to take all of these insights, correlate them, do everything I've talked about the last couple minutes, and say, here's your actual problem, here's your response. Again, that response might still be four changes to your cloud environment; that's okay, but we are going after one problem, one effort to fix this one problem. Again, that might be multiple steps, or it could just be, hey, take out this public exposure part and the dominoes can no longer fall, or, you know, the Jenga: you pull this one part out and the whole thing falls apart. And so that's what we want to do, and so we're going to highlight the most critical problem first to eliminate the overall problem, and then we can come back later and clean up all the other stuff that on their own are just mediums and lows. So that's what I mean by they treat it like it's just the products. Well, no, treat it like a process. You've got to process all of these findings together and make it part of your ethos as a company: we're going to take all these insights. And there's some vendors, I'm happy to talk to you guys after, that I think don't do this well. They do it by acquisition, or they do it by, we're just going to build a new part of our tool, and they don't bother to say, okay, we've built that part of the tool, we've got all the findings, now let's analyze all the others together, cross-correlated.

Second, a wider net equals better. So let's go with the fishing idea. You have a net: you've got your CSPM, great, and I want to add more capabilities, so I buy or develop my identity security posture management; that's another net on the other side of the boat. And then I need to keep up with the times: data security posture management, then cloud workload protection. I have four different nets I'm pulling on, so when I have a problem in one, problems in another aren't influencing it, and I've got to pull four different ways. Again, going back, instead of more nets I want a wider net, so that all of my efforts are in one direction: I pull everything out, I go after the problem list. So we do want wider coverage, but we want it the right way, not just, hey, we're going to buy a company that does CSPM, hey, we're going to buy a company that does workload protection, and not bother integrating them.

And then third, novelty versus efficacy. So if you remember back, I said we were primarily posture management and runtime, and they crossed over; they realized, hey, the modern CNAPP is both. You see vendors, though, go, hey, we've got to keep up with the times, and they're going to add these products; they acquire, or develop in house, or take open source tools and add them to their platform, and it starts to go like, hey, we're a CNAPP, and you go, are you really? Like, what are you really good at? And so you take a step back, go to their origin story: where did they start? That's usually what they still do; everything else is just kind of... I'll give them the benefit of the doubt: they truly do want it to be a good part of their product. It's not like they're going to half fake it and intentionally make it bad; they're trying to make it good. And so, take a Kubernetes security vendor: hey, we've got to keep up with the times, we've got to have insights from CSPM; CSPM is going to provide great insights to our workload protection, help prioritize what actually needs fixing. And so they build that out and they integrate it, let's say they go all the way, and it's great, but that is not their focus. You can kind of tell with certain companies what's their focus: what did they build as a necessary evil to make their product better, and what did they build as part of the product they fundamentally want to be? That will really tell you, when you're selecting and trying to evaluate products, who's going to be a good partner long term, because they're making this who they are, not just adding it into their product line. On the flip side, if it's a CSPM vendor, that's where they started, and they go, we've got to keep up with the times, we've got to add in an agent, and they do that to provide valuable insights. Well, you can kind of tell, again, give the benefit of the doubt, they really put their effort into it, but it's not who they are as a business, it's not what they say they do. Then you're going to spot, like, no, maybe their innovation on the workload protection isn't going to be as successful as a vendor where that's what they do, that's what they say. And so that's their novel approach to securing your cloud environment, versus they're trying to be the most effective platform for everyone; that's the novelty that they're going for.

I do want to close with some resources. So number one, James Berthoty, Latio Tech, that's his company; he just recently started Latio Tech. He's got a lot of great resources. He and Francis Odum, actually, while I was making this presentation, released a joint article together talking about CNAPP in the future and in the enterprise, and a lot of what he had to say is in this presentation, so I felt very good that, hey, this is where other people in the industry are moving as well. So James Berthoty, Francis Odum; he's an instructor from Maven, he's a SOC, a cybersecurity analyst by trade. Two great people to follow, great resources; they're very well spoken, very well connected, so they have resources both ways. Okay, so we've got 10 minutes left; I'm thankfully right at the end of my presentation. Really appreciate the time to talk, and I do want to open questions. And again, my point is to not talk vendors, but if you have questions about vendors, yeah, so...

Right, yeah, identity security posture. I'll give you a great example; again, I'll break my rule. CrowdStrike: EDR. They kind of push into CWPP; at least they do it, but they're doing a legacy way of doing it with containers and Kubernetes. They actually have a great identity security platform, identity governance; it's really good. CSPM, not so much. Now, if you're a CrowdStrike customer and you use their identity stuff, their cloud insights will actually probably be pretty valuable. But if you're trying to buy a CSPM tool, one that's really strong in that, let's say, like, compliance is our lifeblood, we've got to be good at compliance in order to stay alive, well, buying someone who's not CSPM-centric or focused is probably not going to be the best long term. You may have to have CrowdStrike over here and another one over there.

That's a great question. Normally I'm talking to CISOs that have budget, and I'm trying to appeal to their way of thinking, which is time to value: how quickly can we reduce the most critical problems? Again, every tool is going to tell you what's critical; the proper CNAPP is hopefully giving you the best insight into what's critical. So yeah, time to value. But yeah, I'm trying to speak their language, trying to help them understand... oh, I was talking about risk prioritization. So if you're getting good risk prioritization, that's really going to help you understand where the most risk is and focus our teams on that. Again, usually people who have budget, compliance is an important thing to them; you've got to have that, and so we're speaking to that. But we're also looking at, like, hey, I don't want to just talk to you about a product that you will use for your product security team; I want to talk to you about a product that, the term we like to use is democratized product. So a big selling point and a value proposition we help with is saying, hey, you're going to buy this, let's say you have budget, but it's going to be so good at helping people understand what risks really are that your DevOps are going to want in on it, your vulnerability management team's going to want in on it, your SOC team's going to get value from it. I mean, there's usually dedicated portals or platforms or dashboards in these that are tailored to these different teams, to say, hey, you're a SOC analyst, this will probably be most useful to you for response, that kind of stuff. And so the democratization of a platform is really going to be another selling point, because that's really what they want to know: is this going to be a tool I have to force people to use, or is it going to be a tool that's actually going to be helpful to the organization, that they're actually going to want to use? They'll be asking, so that's a good way to build.

Yeah, yeah, so we call it a shared responsibility model and a consumption strategy. So shared responsibility is who is going to be responsible for the findings within the platform, and again, because we wanted this democratized, they're going to have some responsibility: DevOps, vulnerability management, your server team, because they're deploying Windows servers or whatever, or Linux servers. So yes, part of a POV/POC and evaluating is getting these people in on it. And then so we have the democratization, shared responsibility, and the consumption strategy. Now with the actual findings, how do we consume that? What integrations do we make? So that's another thing we look at: do you have a healthy ecosystem of integrations, with VR tools, with SOAR and SIEM integrations and things like that. I do think it's helpful to have them in on the POV or POC, or at least evaluating, because they should have a hand in it instead of you buy the product and then force it on those teams, because that's... Sorry, I'll come back.

Yeah, yes, that's a great question. I think that's why I had that definition of cloud native: if it's a data center and you're using their offerings, then that technically applies to Tanzu, all that stuff; you're using the offering provided by that platform. Who cares that it's not a public cloud, I'm using ESXi. So for example, cloud workload protection, that's a great one; that's usually the agent that can absolutely be installed on our Linux machine, on our Kubernetes clusters hosted on-prem. I believe that was part of CNAPP, because CNAPP, again, it's why I like to define it: you're using the offerings provided by whatever data center you're using, a CSP, ESXi. You had a question over here? I thought I saw... my bad, okay.

Absolutely, yeah, strike while the iron is hot; see what you get out of it. We did see some of that. That was also a chance, again, we're a vendor-agnostic reseller; we sell a lot of different platforms and we consult and provide services for a lot of different platforms. That was a huge opportunity for us to say, hey, were you already not happy with that? Was there something maybe you didn't like, maybe their price was too expensive? And that was a great way for us to say, hey, we'd like to introduce you to this other option. So yeah, we definitely capitalized on that, so that's a great point. But yeah, do the same thing with CNAPP, with your providers; constantly be evaluating. This space is changing so rapidly. The future of CNAPP is going to be CDR, detection and response. For years we've had tools tell us what's wrong; now we need help with the response, and with the introduction of generative AI and all of these agents to help, now we can actually automate a lot of this stuff. Break my rule again, sorry: Tines, Torq, all these really great companies that have free offerings that companies can use to help automate our response and automate our cloud fixes and changes. Important. So, any other questions? I'll take one more if you've got it. No? All right, well, thank you all, appreciate it.

Hey, thanks all for coming. Thank you, Kenny, thank you for speaking, really appreciate it. If you haven't already, go to the front desk, go to registration, check in, everyone. The 11:30 talk on this track has changed: Brandon Crow is going to be talking about threat modeling and secure architecture design. Man, how are you? Good, how are you?