CNAPP: The Future of Cloud Security

Mar 22, 2022 3:00 PM4:00 PM EST

Request The Full Recording

Key Discussion Takeaways

Many companies have already transitioned to the cloud, but they want to ensure that top security measures are in place. So how can your organization optimize specific tools, efficiently manage data, and find the best security solutions?

There are many options to weigh in regards to your cloud management platform. Whether you use cloud-native tools or a third-party solution, one key component is a must for your security service: visibility. Greater visibility allows your company to distinguish any errors, prioritize risk, and resolve issues quickly. What other security measures are necessary for the cloud?

In this virtual event, Greg Irwin is joined by John Alexander, Senior Director of Technical Product Marketing at Orca Security. John discusses the advantages of using an agentless platform like Orca, compares cloud-native tools to third-party platforms, and talks about common security threats and the best ways to prevent (and solve) these issues.

Here’s a glimpse of what you’ll learn:

 

  • John Alexander discusses the common threats that Orca Security protects against
  • The BeyondTrust case study: how they utilized Orca Security’s services
  • How can you leverage cloud-native security tools so they are more usable?
  • Do cloud-native tools provide good enough solutions compared to third-party platforms?
  • John describes the best ways to manage permissions and what happens when someone audits permissions
  • John talks about what’s changed with the cloud and how it compares to on-premise software
  • When to move beyond CSPM into CIEM
  • How Orca Security’s clients measure improved security posture
Request The Full Recording

Event Partners

Orca Security

Orca Security provides instant-on security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents. Simplify security operations with a single SaaS-based cloud security platform for workload and data protection, cloud security posture management, vulnerability management, and compliance management.

Guest Speaker

John Alexander

Senior Director of Technical Product Marketing at Orca Security

John Alexander is the Senior Director of Technical Product Marketing at Orca Security. Orca Security is a company that is revolutionizing cloud security through an agentless platform that detects and prioritizes security risks with 100% visibility. Before joining Orca Security, John was the Principal Product Marketing Manager at Kenna Security, the Director of Product Marketing at OPSWAT, and the Senior Product Manager for CloudPassage.

Greg Irwin LinkedIn

Co-Founder, Co-CEO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Event Moderator

John Alexander

Senior Director of Technical Product Marketing at Orca Security

John Alexander is the Senior Director of Technical Product Marketing at Orca Security. Orca Security is a company that is revolutionizing cloud security through an agentless platform that detects and prioritizes security risks with 100% visibility. Before joining Orca Security, John was the Principal Product Marketing Manager at Kenna Security, the Director of Product Marketing at OPSWAT, and the Senior Product Manager for CloudPassage.

Greg Irwin LinkedIn

Co-Founder, Co-CEO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Request the Full Recording

Please enter your information to request a copy of the post-event written summary or recording!

Need help with something else?

Tiffany Serbus-Gustaveson

Senior Digital Strategist at BWG Connect


BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution.

Senior Digital Strategist Tiffany Serbus-Gustaveson runs the group & connects with dozens of brand executives every week, always for free.


Schedule a free consultation call

Discussion Transcription

This is a series that we've been doing with Orca Security. We are here partnered with John Alexander. He's from Orca. I'm from BWG, I know, some of you through our research calls, many of you I know are joining for the first time. Let me just say thanks for joining us. And so nice to meet you all, there are a couple of very basic rules for these forums. You know, I don't think we're the most unique thing in the world, but a little different from a typical webinar. We're really big on group participation. So as the MC, I'm going to go around the group and best we can kind of learn a little bit about what other organizations are doing. By the way, I typically find that most interesting for everyone, y'all, like, you know, people like to hear what other companies are doing more so than a consultancy or a vendor. So as best I can, I'm going to invite people to share some comments, share what you can, obviously nothing confidential, please. We have a chat window. It's awesome as we go, and as the conversations going, drop in your questions. And please use it not just to communicate with me or John, but to communicate with each other. So you hear an interesting question. It's all fair game, add your comments, say, Hey, I tried that didn't work, or, Hey, have you thought of this, I promise, some of the best ideas are going to come from just others across this group. And then lastly, probably most important, you all have taken the time to come and join this. Probably the best single thing you can do to takeaway outside of learning what others are doing around cloud security, is to make one new connection across this group, again, doesn't have to be Orca, or BWG. So I'm going to ask everybody to please kind of make a make a personal goal for this one hour to meet one new contact across the industry. One one person you can come over to DW Jay will help you connect, or LinkedIn is brilliant. You know, please use it and feel free. One last thing. Everyone's here, it's going to be a great conversation. But let's make it let's make it fun. Let's let's do this. At the end of the call, we're going to spin a wheel and 200 250 bucks for the winner of the of the spin the wheel, you know, let's let's change it up a little bit. And, you know, nothing better than then the big wheel of money. So we'll run that here at the end of the call. Okay, so I'm Greg Irwin, I'm with BWG, I do moderated sessions a lot in cyber, every day. That's my intro. Let me turn it over to John. John, do us a favor, please introduce yourself. And please introduce Orca Security for those who aren't familiar with your business.

John Alexander  3:16  

Alright, great. Thanks, Greg. And I love the conversational style these and I'm gonna also keep the short. So my name is John Alexander, I'm the Senior Director of Technical Product Marketing. I think the technical just means I'm technical. So to give you a kind of a little bit, it's gonna be really brief. At the at the end of the day, cloud. Orca is a cloud security company, we, and we do compliance, right, and we do it, we're multi cloud, we support AWS, Google Cloud and Microsoft Azure. We specialize in this thing that's called agentless, which drives a variety of benefits. It's more about the benefits and the fact that we're agentless. But it ultimately the benefits of agentless are that we were basically 100% visibility, because with an agent, if you have an agent, you don't have an agent on a machine, you don't have visibility on the machine. So by being agentless, you have 100% visibility. And the other big benefit is reducing fatigue in a variety of ways. We have a universal data model, just the fact of us being kind of a new company, we decided to do that from the get go and haven't acquired anyone. So we have the advantage of how once you start acquiring companies, you lose your universal data model that goes out the window, but because of that, we're able to leverage everything leverages everything else as far as informing stuff. So when we do vo management, will that will detection, our misconfiguration stuff to tie it tie into each other so everything knows about each other. So we have more like complex kind of alerts, not just your typical, okay, we found the CVE on the phone side, but we can kind of say, Oh, you've got lateral movement because you've got a private key here and the public key that gets a lot Oct is over here and your crown jewels are over here. So we kind of make those kinds of things to some extent. And that's our what we call, we just call it as privatization as a real because of that universal data model. And then lastly is want to say we're ultimately there about solving customer problems. And I have a lot of customer stories to talk about, we can kind of put that into perspective, and work out how work solves things, you know, based on the technologies and product features that we have. So I'll hand it back over to you, Greg.

Greg Irwin  5:33  

Well, let's level set on what this really means. I mean, we've got some people that are very deep. In terms of security architecture, we've got some people who are it generalists? Technical, probably, mostly across this group? Not entirely, but can you just kind of lay it out? What's the what's the threat vector that you're most focused on? Like, if, if I were to go today and deploy it perfectly? How does or what's what are the threats that Orca Security is protecting against? Right?

John Alexander  6:04  

So when it comes down to the ultimate threats, there's about like, five things that we kind of protect against, right, we're a pretty comprehensive platform vulnerability is bread and butter, right? If you can't do well, you know, everybody wants vulnerability management at some extent. misconfigurations, you know, both on the workloads and in your cloud accounts, we actually do malware, and in a very robust way, because we're agentless a lot of agent based solutions can't do malware, the way we do it. We actually do can detect a variety of types of sensitive data, both in workloads and, and in the cloud accounts. And then we do a couple other little things that are just to fill out the space on the compliance front, like File Integrity Monitoring, we do to some extent, we do ladder, we detect lateral movement risks, to some extent, which is kind of a hard thing to do. So those are the kind of the things that we're doing pretty, we don't do everything, because you have to have multiple products, we try to be very inclusive about what we do and what we can handle.

Greg Irwin  7:06  

Cool. So tell us about a customer, if you can share their name, brilliant. If you can't, that's fine. Call me I can share their retail or

John Alexander  7:14  

rank or whatever. Yeah, right now I can share names, these are public, about 20 case studies that are actually on our website. So okay, which is kind of cool. We have 20 customers, and they're great case studies. The one I'll talk about first is beyond trust. They're a computer security company, and they do a variety of things kind of I don't want to get into what they do. But one of the interesting things that they do is they have a lot of different types of workloads, non standard workload, so it's not just your okay, you know, we're supporting Ubuntu or, or Red Hat, right enterprise or, or we're doing we're supporting Windows Server 2016. But they've got like, some weird not supported version of Linux is running a few weird machine, they have a lot of non standard things. And guess what, because we're agentless. We don't we can read. We don't have to have like an agent that runs on your machine that was customized to run your machine, which a lot of companies would just say, well, sorry, we can't support you. You've got these weird Nesh versions of Linux or whatever. But guess what, Orca reads, everything. It's Linux, it doesn't matter. It doesn't matter if it was some old version that was since been retired, or it's a or some little new next version, guess what we can handle linux in a generic front. So it's a unique problem that we solved, that they love, and they'll they'll talk great things about us for a lot of other reasons. But the other the other thing that they they really liked about us is the compliance front. For for a small company, we support over 40 frameworks and benchmarks. So a lot of a lot of the CIS stuff that you would consider the the gold standard for compliance, but then, but what the one of the cool things is we did is we took a lot look at some of the higher level standards, and they're not official, you know, we we take HIPAA, and we actually did the mapping to a lot of low level stuff. So we cover stuff automatically, your you know, there's a lot of you still have to meant it was kind of a manual, standard higher level standard, but you've got a lot of artifacts that will support your HIPAA compliance. And that that was pretty cool. And beyond trust loves that as a company. So probably the two two things that they really, that they really cared about.

Greg Irwin  9:26  

i Let's do this. We're all going to keep going here. I want to John, I've got a couple more questions for ya, folks. By the way, there are lots of tools here in zoom, you can raise a hand, you can give a happy expression, you can give a sad expression, you can do whatever you want. If you have questions, just jump in. I you know, people probably need to get sick and tired of hearing me ask questions, and it's more fun to hear yours. So please, take that opening. Seriously. Also, chat is serious. So it's yours chats very functional. So let's try it. Do me a favor, everybody in the chat, give me one question or concern or maybe it's a project or maybe it's something you tried around cloud security, it could be cloud native, it could be through a third party, it could be embedded, something you've tried or something that you're you're curious about with cloud security, that'll help us enrich this conversation and make sure we make it very specific to you and your interests. Because the worst thing you can have here is to waste an hour talking about something that really doesn't pertain to your business. So let's try it Do me a favor, I'm going to ask everyone to take a moment, put it in there. The one thing about cloud security that you care most about. And we'll do our best. And hopefully, it'll make this call this call more specific to everybody. I'm John, let me ask you about the deployment over BeyondTrust. Um, how long did it take? From Hey, we want to tighten up to hey, we're live.

John Alexander  11:04  

Right, right. So I can't answer exactly for BeyondTrust. Because I don't know, I'd be like, you know, saying, but I can tell you the general use case, it really depends on how many accounts, you have a cloud service provider account. So let's say you have one cloud service account, you can initially do the setup, and do everything that you're required, your the scan will require a little bit of more time on the backend to complete. But you can complete that process, if you don't know how to do it. But you know, AWS, it might take you half an hour. If you know, AWS, you're literally looking at 1515 minutes to set up, you know, one cloud account and then we have multi cloud is a little more complicated you need to study but you we have we automate that. So you can literally you can do multi account setup in less than an hour. And we'll guide we we guide you through that we have our CSCs. We don't let anybody we don't leave anybody hanging on the multicloud we walk you through it the first time, so you can do it. But it's literally a half hour effort for a single account, less than an hour for multi account. So

Greg Irwin  12:10  

what about for an enterprise, we've got some large businesses here somewhere this

John Alexander  12:14  

is skeleton more complex, you really, you know, you really want to, you know, figure out stuff before you turn everything on, but you literally could, you know, do all your planning and everything and be completely set up. This is more more about the planning for you pull the trigger. You can be set up in days, days, not weeks, not months. days. Right for for a very large company.

Greg Irwin  12:35  

I got it. I got it. Alright. By the way, Shelly, Jason, Paul, Matt. Jim. Jay, nice work everybody you get in gold stars. Okay, Jim, let's pick up your question. Cool. AWS, cloud security seems to be 10 years behind other products. How are you able to leverage cloud native security tools? So they are more usable? Alright, John, I'm sure that question comes up a lot, how to make good use of what's available in the cloud platforms as this.

John Alexander  13:08  

Right. Right. And I'll give you some of this is a little bit of my opinion, feel Pete, this is good. Like Greg said, chime in, you know, this is everybody can give a little bit of their opinion. Yeah, you know, I've worked a lot with AWS grey company, they are in some, in some ways, they're really a hat, right? But in cloud security, they're not right, we let's be honest, they're not right. And they don't, they don't really, the reason is, they don't really consider it a prime part of their business. They in some ways, they don't, they don't, they don't, they don't feel like they need to be good. They've got a lot of companies like work that, you know, they, they want to focus on what they do best, right? And that's getting off spent spinning up these API's and things right, and operationalizing your workloads. So if you look at their tools, right, you know, they have like guard duty, you can get inspector, whatever you want up there, they're they're, they're good tools, but they're not great tools. And they were never designed to be their point solutions. But that minimum has to be there because some people expect to buy from from, from that it's just the easiest choice to go. Okay, we're gonna What have you got Amazon, okay, we don't really care about security that much. Really, you know, we just need some compliance, you know, give us what you got. But then once everybody does the analysis, you know, on things like guard duty inspector, you just see that a specialized company that can leverage their investment over many, many vendors can produce much better tools, right? And that's, that's what you kind of see, you know, and it's not just Orca. It's like almost any, any good, you know, vendor that's really in it. Well, you'll see that you'll see that difference easily.

Greg Irwin  14:43  

Tell us a little bit about how you manage permissions and ensure you've got the right ones assigned.

John Alexander  14:48  

Yeah. So for I think most of you know that cloud security is kind of moving this, the scene app term that Gartner's phrase, you know, cloud native application protection platform. A lot The company's officially done more workloads and cloud security on the account have moved more into the CI M and have started adding CI M, pod identities and titles management exercising its cloud infrastructure, and entitles management. So we do principle of least privilege and a variety of other things. And we have a dashboard that kind of gives you gives you a, we've kind of rate something like a roll on, on on if it's got too much privileges or not. So you can visually go in and, and check things. And then we also look at at deti risks in a more complicated way, identify a lot of your more, more critical risks, and we prioritize them so you can look at your most critical identity risks first, and then go and going to see. And any risks are always tricky, too, because they're not so hard and fast, like a, like a voelen. You got it or not, you have to prioritize it how, but identities are always like, okay, yeah, we're not using best practices. But is this okay? Or Oh, are we definitely need to fix this, this is a problem. So a little bit more of a grey area. But we do have pretty good identity identity capabilities built into worker,

Greg Irwin  16:06  

got, have you ever when somebody audits, their permissions?

John Alexander  16:13  

What do they find? Find a lot of stuff. I could go probably around this room. But I mean, a lot of the cases, it's usually things that like, you know, you've got some, a lot of cases that entitlements management about services, but you have some service that somehow was granted 30 permissions, like when they only need three, right? That kind of thing? It's very common, right? principle of least privilege, right? And then the other other things is that you have you find stuff that where someone was granted a real high level permission, like an admin permission, like, why is that going on? Right? Things like that. It's the common things. But it's amazing. One cool thing about CI M is it quickly allows you to see a lot of the really, the really nasty stuff gets filtered out really early, and it like you spent a little bit of time on it you can get you can lower and reduce your attack surface fairly quickly.

Greg Irwin  17:05  

Cool, and have the same question, how long of a project is it to basically put those policies, those role based access rules in place for an organization that's fairly new to this?

John Alexander  17:22  

The you're gonna you're gonna get everything like at the beginning, right, we're gonna we, it's more about like, like, I wouldn't say like, within a few days, like a big organization to tackle that the top stuff. I mean, the whole idea is prioritize what you look at, right. And some things like anything, can be really simple to fix, you know, fix it in five minutes. But unfortunately, some issues, just the fixing of it, they could be a multiple day extra to fix something right, depending on the complexity, so they can vary. It's hard for me to really say, but the cool thing is we prioritize you know, we were clear rank, your identity risk, right, so that you have worked on the most important things first.

Greg Irwin  18:04  

Okay, our cool part, I've been asking a lot of questions, you guys, you know, put in some really good questions. And let's keep it going. And people can weigh ahead, raise a hand, unmute, jump right in, I promise, it'll make it more fun. The the one thing for people who just joined in fairness, I wasn't going to tell you, but we're going to spend a wheel at the end. It's really a shameless way to keep you on for the entire hour. But I won't tell you that. And 50 bucks for for the winner. So there's multiple reasons to stay on. And please, I'm entirely serious about using this as a networking opportunity. Got some some phenomenal people here. So use it as an opportunity to make some new contacts across your peers, go through LinkedIn or reply to us here at BWG and mobile, we'll be happy to make interest. And then look, I will our mantra is also no sales pitches. That's why John isn't here giving you the hard sell on Orca Security. But in fairness, the reason we're doing this series with them is to basically demonstrate these guys are the leaders in cloud security and to drive that awareness. So obviously, you want to learn more, you know, which way checkpoint that way for John? Simple question hard, probably a pretty hard answer. But John, I'm going to I'm going to come to you first and I would welcome somebody else who's gone through this trying to secure you know, a multi tenant or multiple stove pipe, cloud environment, if the pair how the paradigms change. John first shot the issue.

John Alexander  19:55  

One thing that's the easier is visibility. Basically that you know, you're Are you starting to hear about some agentless vendors and cloud security. And there's a lot of advantage, more advantages and disadvantages of agentless technology. But that technology exists because AWS created that technology to allow it back in around 2018 timeframe. So guess what, you're going to start seeing more agentless computing companies come out the end that what you get there is the visibility, right, you get 100% visibility, that's, that's always to me the challenge about on prem, it's not a very homogeneous environment, right? You know, it's all over the place, you've got different kinds of machines, it's not homogeneous. That's the one cool thing, right? He complicated with multi cloud. But ultimately, if you got single cloud, you really, you know, AWS is pretty complex beast in its own, but it's a simplified structure that way, the hard part is that is kind of like related, the cloud is nebulous. So you'd have to protect the cloud differently, right? You're, you know, you're, you're not really using your firewalls and your other tools, you have to do different things, but it's, in general, I actually would argue that cloud has a better future, you know, just because of, of that homogeneous aspect of it, that will allow things that make that make on premise difficult. And, and I'm also kind of a big believer in down the road, you know, at some point there needs to be a transition is hybrid is going to be around for a long time. Right. So, but as people move into the cloud, you know, there's there's advantages of the cloud.

Greg Irwin  21:28  

You didn't mention that zero trust Sase. You know, any of the any of the Miss Miss frameworks? Are those just carryovers of the same security paradigms on prem? I don't know if that questions for me,

John Alexander  21:45  

I would classify those as carryovers. They, to me, they haven't really, the cloud frameworks are kind of nascent, they haven't really embraced the cloud, they're just you, right? You take on premise, you kind of and then you try to codify it a little bit. It's still, it's still not really cloud yet. Right? I think they need work.

I would add that cspm You're right. It's, it's really, it really is 70 80% about compliance because of misconfigurations. and stuff. But we're we've seen the growth, it's, it's, it's the CI M acronym that we add to cspm. The big thing on cloud accounts. Now not not the workloads is on identity is there's a lot of room around identity management that that needs to be added to the cspm space. So two different acronyms, but they really cover the Cloud account in a kind of a cohesive way. So that's where I would look, if I were you, if you want to jump beyond cspm. Start looking at CI M for the cloud accounts.

Greg Irwin  22:52  

Security so interesting, like, it's really hard to get an ROI. And to do an analysis of how much has this really improved my posture outside of, you know, I have I've been breached. How do your clients measure improve security posture of putting this layer of cloud security in place?

John Alexander  23:16  

Yeah, that's always it is a very difficult question in cloud security in general, right. And you have to it's like a lot of metrics kind of vary across the way, I think a lot of people track. I don't know so much about ROI, but they track, you have to be able to track how well you're doing over time. As far as ROI goes. Usually the easiest ways to measure the way we do it, and kind of the easiest way is if you are able to prioritize risk, you can measure the fact that like, let's say, for example, if one company has to pass to solve 100 problems at a certain point, and if you can prioritise where you only have to solve 20 issues, there's, there's a lot of time saving, it's a little bit loosey goosey because you can't quantify that exactly, but you can you can put numbers around it, and you can track progress over time. Right, that how risk participation is helping you. And then like, that equates to time so that's that's always a good one. But you're right, in general, tracking things is very, very difficult in cloud security, and security, and

Greg Irwin  24:22  

I don't mean this to be a meatball question, but like, you know, do you have a measure of you know, how much it's improved kind of the efficiency of putting these you know, configuration controls in place Yeah, the I think

John Alexander  24:40  

I think that one it's always hard to measure because everything has a different benefit right if you if you fix a configuration you really no really how that benefited you right? There's no quantitative way we can actually measure time saved by risk prioritization, right we have a risk calculator that's on our website and we We can do loose calculations. I'll be honest, they're pretty loose, but you can get an idea. And that's how we we we handle the ROI problem is, is by handling this. How much work? How much time is saved by doing risk prioritization. That's kind of the big way we do it that aren't Hey,

Greg Irwin  25:21  

thanks, John, our job. I do us a favor. Let me let me turn to you for a wrap up. And then again, we'll spin the wheel, I can do a screen share. And and we'll wish everyone well will share with us a closing comment for the group here.

John Alexander  25:38  

Okay, yeah, and I'm gonna keep this really short. To me. Cloud security is all about, you know, there's a compliance aspect, but a lot of it's about visibility, right? Because if you can't see everything, you can't comply, you can't secure everything. So that's my, my last little quick closing thought.

Greg Irwin  25:54  

And, look, let's also be declared, you know, Orca Security. These guys are a unicorn. I don't know if we're still calling them unicorns. But these guys are a security unicorn, because they do take that broad view around cloud security. I'm a big fan of them. I think we have the luxury of picking the partners that we want to work with. These guys are top of the list. So really happy to have him here. Thank you so much for this, John. And folks, and we can help with intros here. That's that. That would be wonderful, folks. Hey, thank you all for joining. Again, take me up on the connections across the group. Big thanks to Orca, and everybody have a great day.

Read More
Read Less

What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.
envelopephone-handsetcrossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram