How Cloud Detection & Response Can Help Organizations Intercept Cloud Attacks

Aug 17, 2022, 3:00 PM to 4:00 PM EDT


Key Discussion Takeaways

The use of public cloud services has grown tremendously in the past decade. Most organizations today have moved the majority of their business systems to the cloud. The cloud is expansive, and so are security threats. So how can businesses stay one step ahead in protecting their data in this space?

According to some experts, companies should start thinking like attackers. They must establish their most critical areas, constantly assess how to best protect these vulnerabilities, and expand their security programs. Cloud Detection and Response (CDR) gives organizations visibility into their cloud infrastructures so they can make changes to their workflows and proactively monitor security risks. 

In this virtual event, Greg Irwin is joined by Ty Murphy, the Director of Product Marketing at Orca Security, to discuss how Cloud Detection and Response (CDR) can help organizations intercept cloud attacks. Ty talks about Orca’s newly launched CDR messaging capabilities, why having an agentless CDR is very valuable, and why it’s important to have a huge ecosystem of other security tools.

Here’s a glimpse of what you’ll learn:

  • What is Cloud Detection and Response (CDR)?
  • Ty talks about Orca’s new CDR messaging capabilities
  • How does Orca’s CDR score and rank threats?
  • Ty shares how Orca’s CDR benefits customers 
  • How is Orca’s CDR different from competitors?
  • CDR cost estimates 
  • Ty reveals Orca’s plans for expansion

Event Partners

Orca Security

Orca Security provides instant-on security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents. Simplify security operations with a single SaaS-based cloud security platform for workload and data protection, cloud security posture management, vulnerability management, and compliance management.


Guest Speakers

Ty Murphy

Director, Product Marketing at Orca Security

Ty Murphy is the Director of Product Marketing at Orca Security, a company that revolutionizes cloud security through an agentless platform that detects and prioritizes security risks with 100% visibility. In this role, Ty brings the platform to market by designing, implementing, and managing effective marketing strategies. He has almost 12 years of experience in product, partner, and solution-based marketing.

Ty is also a Marketing Consultant for DDM Global and previously held executive marketing positions at DisruptOps, BackBox, and Fishtech. He earned a degree in advertising and marketing from Kansas State University.


Event Moderator


Greg Irwin

COO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.



Discussion Transcription

Greg Irwin  0:18

Good afternoon. It's nice to speak with everybody. I'm Greg, I'm one of the partners at BWG. And I've been moderating a lot of our security sessions over the years, we're running a series with Orca Security, we're talking about all aspects of cloud security. And today, we're going to be highlighting it around cloud detection response, CDR, talking about what that means, talking about use cases, talk about, you know, deployments, and I always love stories. So we're going to talk about some stories. And we're going to basically go around the group and I'm going to be, you know, asking, asking everybody here some targeted questions about where's the need, and where, where's the pain and where are things, you know, in reasonably good stead? Let's use our chat throughout this call. It works really well as kind of a sidebar. So I'm going to encourage everybody to jump in with comments and to respond to others. The more active it is, I typically find the more engaging and more fun the sessions are. Use this group for networking, I'm always happy to help people connect, of course, look, Orca is doing this for awareness. So if you want to go follow up with Ty or, or anybody on his team, by all means, I'm always happy to chat with people. But I think more interesting would be making connections across this group. So as I, as I always offer, and as I always suggest, make an effort to connect with one of your peers through LinkedIn, or come through us here at BWG. Build your personal network, and you'll be better off for it. I promise. Ty, do me a favor, give a little intro to the group.

 

Ty Murphy  2:07

Sure. So I think this is actually my second time with you guys. I was on maybe in April or the first quarter. So if you were on and were a part of that group, it's good to be with you guys again. For those of you that don't know me, my name is Ty Murphy. I'm the Director of Product Marketing here at Orca Security. I have been here I think since October. So I don't know the math on the number of months that is, but in cloud years, that's a long time. So coming up on a year. Before Orca, I was at another cloud security platform that got acquired by a company called FireMon and worked there for just a few months and then found Orca and came over here. I've been in the industry now for probably close to a dozen years, on all aspects of it, primarily focused on the product side and the solution side of it. Although I did spend two to three years helping Fishtech Group, which is a VAR or a channel provider, who actually just got acquired by Herjavec, that group is now called Cyderes. So I've been on the partner side, on the product side, but most recently been on the cloud product side. So I really enjoy, you know, watching the cloud kind of evolve and the products and capabilities that come out to help folks that are transitioning to the cloud.

 

Greg Irwin  3:34

Got it. Well, look there, I think there's some news here, tell us a little bit about CDR, and what CDR is and what it means in real terms, in terms of, you know, an Orca Security, an Orca Security service.

 

Ty Murphy  3:49

Sure. So I think that CDR, and Greg and I kind of joked about this word, but it's kind of just another algorithm or acronym, and a way to basically explain the capability. And I like to talk about, you know, before CDR, a lot of what type of security you would do in the cloud was kind of proactive security. So you had CSPM, or cloud security posture managers, monitors, whatever you want to use there, you had CWPP, which was kind of your cloud workload protection. And that was all kind of giving you visibility into your infrastructure and basically what you have running so you can kind of monitor it and make changes in terms of configurations or what's happening down at the workload level, to kind of be proactive in tightening your security. When we talk about CDR, cloud detection and response, we're really starting to talk now about threats and activities and kind of more real time incidents. So this would be more retroactive. You know, how do we respond, the type of IR stuff. And so basically, the same principles that apply from being proactive to reactive can still apply here at Orca. And that's kind of what we've been, we rolled out our new CDR messaging capabilities about a month ago. And basically what we're helping do is, depending on what side of the organization you sit on or how, you know, your policy is set inside your cloud, if you're more of a proactive approach versus a reactive approach, you know, you could use Orca Security in order to do either one of those. So in terms of, you know, cloud detection and response, you know, a lot of people, what they're looking for is, obviously, full visibility into all of those threats, and we're talking about just the cloud, right? We're not talking about endpoints or network, which would be your EDR and NDR stuff. 
But getting that full visibility, that full context so that, you know, when a threat happens, how do we prioritize and validate that maybe that threat was, you know, either successful or not successful. So CDR has kind of been a big, a new big term, big buzzword, as you know, it was just in the, you know, some of the legacy on prem stuff with network and invoice and that kind of stuff.

 

Greg Irwin  6:09

Got it? So now, was this part of a recent release? Or has this been part of the platform now for a while?

 

Ty Murphy  6:16

So by default, it's actually been part of the platform for a while. The way in which you can use the platform is in a variety of different ways. And unfortunately, you know, to speak to the buyers or the end users of our platform, or any platform like ours, right, you kind of have to speak their language. And some people want to say, Listen, I know I need this CSPM, because I gotta monitor all my configurations in the cloud, I got that. So that's what I'm looking for, CSPM, to a lot of other people that sit in the SOC or maybe are on the IR team and say, we need cloud detection response, right? We handle the more retroactive stuff. So how can we use a product like yours to do that? And that's kind of what we've done is compiled our capabilities on how you would use it proactively, and then also use that retroactively to track those threats.

 

Greg Irwin  7:06

Got it? All right. So what's the real difference? Because there are a number of detect and response tools, endpoint, network, does this tie in with them? How does this work? And is it going into like, well, tell me how it fits with the other XDR and NDR type solutions that are probably, you know, existing in some form or fashion at companies?

 

Ty Murphy  7:30

Sure. So this would be separate and specific for the cloud. Right? So your EDR, MDR, if you still have some, you know, legacy or on prem situations, you know, where you need that kind of stuff, you know, you certainly would need it and still use it. For those folks that have been born in the cloud or have fully made that digital transformation to the cloud, you know, CDR becomes much more valuable to those folks. When you start talking about XDR, if I'm not mistaken, I think XDR was kind of coined by Palo Alto, and XDR kind of encompasses all of them. Right?

 

I'm not a firm believer that XDR is ideally a thing, I think if you wanted to pull them all under the same logo or umbrella, you could do that. But ultimately, each tool is very siloed and individual because it's got its own set of capabilities, and in Palo Alto's instance, right, they've acquired all these, so they've remained siloed, just brought under the umbrella of the Palo Alto logo. So where you could have an XDR solution, each product within EDR and MDR, even TDR, like the threat detection response, and their CDR product, right, they're all going to be individual as well. So you're still gonna have to bop in and out of UIs. And you're still not going to have that overlay kind of risk prioritization in some form of unified model. Right. So with Orca CDR, what we're kind of doing is just focusing on the cloud and CDR stuff, we don't really handle anything on prem. But thanks to the cloud, and the way that, you know, the cloud has kind of been built, you know, we're able to do some things with CDR that you normally wouldn't be able to do with an EDR, MDR solution, right? On prem, everything kind of stays siloed; in the cloud, we're able to actually collect all that data and house it into one uniform data model, where then we have this really, really rich context and layered data and information intelligence that can tell us, you know, what's more important than others, right? So a little bit more alert risk prioritization. You know, that's the one thing that we kind of pride ourselves on. One of the biggest things in cloud or even in security as a whole is everybody's challenge, obviously, alert fatigue. And if everybody's sounding the same alarm at 10, and nobody really knows, then you know, we've got 1000 alerts at 10. And it's hard to get through all those. But if we could say, Listen, yet in this area, it might be a 10. 
But if it's not public facing or if it's not accessible, or maybe this other one has, you know, sensitive data attached to it or some sort of lateral movement or privilege escalation risk? Well, that one would be, if we had a 12, we would move that one up, right? So being able to house all that in the cloud in a unified data model allows us to give that extra layer of filtration and validation past, you know, false alarms and false positives and that sort of stuff.

 

Greg Irwin  10:28

How do you do the score?

 

Ty Murphy  10:30

So we actually kind of group them down into three different categories. We kind of do, I think it's compromised, imminent compromise, and then hazardous. So your compromised would be things that, you know, are mission critical, right, we've found malware, that's a clear sign that something's been hacked or leaked. And that's a top priority. We also, in order to get into that compromised bucket too, we also prioritize things. So actually, sorry, the imminent compromise bucket, we prioritize things based on business impact. So to move something from a hazardous alert up to an imminent compromise, we are showing signs that this, let's call it for AWS instances, like an S3 bucket that's housing your PII or your customers' information that we scan, and we identify that that sensitive information has a series of attack paths to it that could lead to a compromise, right, so we bump those up. Now, not every alert would be an imminent compromise. But chained together, they could be very, very toxic, right? And then everything else, you know, we kind of layer down in the hazardous. So for you, mostly you get scores, one to 10, one to five, in a lot of platforms, we can still deliver some of that CVSS scoring. But we'd like to kind of flip it on its head and have people start thinking like attackers, and how can I protect my most mission critical areas, and then I can expand my program and my security program

 

Greg Irwin  11:59

from there. Got this, it's really interesting. Now, how does how does this work? You know, do you have to tune it? Or is this just like, you know, you turn it on, and then API service starts? What does it take to get this thing up and running? Yeah.

 

Ty Murphy  12:17

So that's another benefit that, you know, like, if you're using any EDR, MDR solution, that CDR brings, especially with Orca, is that it's agentless. Right? So we're not going to have to install and deploy a bunch of little scripts of code or agents in all your workloads. It's just like you said, it's an API, we created a couple of IAM user roles. It usually takes anywhere from 10 to 15 minutes to get yourself connected to your cloud estate, whether that's AWS, Google Cloud, or Microsoft Azure, and then in about 24 hours or so you're going to have a full scan, full visibility of not only all your assets, but every risk that might be lurking in that cloud estate, right? And when we're talking about risks, we're talking about vulnerabilities, unpatched OSs, right? We're talking about lateral movement, privilege escalation. We're talking about malware, right? If that's potential, many other types of threat intel activity that we could pull out of the cloud, or, if you need, the cloud service providers' native security tools that you've got turned on, we can digest those as well. And then we're able to layer all that telemetry together to tell you, you know, hey, you've got 10,000 alerts, here's 10 that would significantly increase your security outcomes if you just eliminated, you know, these 10 risks, basically. Right.

 

Greg Irwin  13:46

Let me pause. I think this is interesting. I want to go into a customer story. But before we do, let me put it to the group. Nick, Rob, Sam, Rob, Joel, and everybody here, do me a favor. Drop in here one thing you'd like to hear about related, not just CDR, but cloud security in general. Let's make sure that we're covering the topics that you all care about. So do me a favor, go into the chat. One thing you'd like to hear about, not just from Orca, maybe it's from your peers. But let's focus here a little bit. And with that, I'm going to transition us to a customer story. All right. So Ty, tell us about one organization that's turning this on, and in particular what kind of incidents they've been able to identify.

 

Ty Murphy  14:42

Sure. So like probably the, I mean, the biggest kind of threat detector out there, if you're in AWS, would be their native GuardDuty tool, right. So AWS GuardDuty does a lot of your threat detections and intel and they'll do everything, you know, from, you know, brute force attacks to what have you, and all that stuff's logged. Well, since we have access to the cloud, and all of AWS, right, we're able to pull those logs and pull GuardDuty data as well. So a lot of times what a lot of customers come and say is like, well, if I've got AWS GuardDuty, what do I need Orca for? And for one customer that, I don't know if you've heard of them, they are probably the number one website builder platform, I think, out there. They kind of posed that same question. And we're like, well, let's do a trial. And we'll turn it on, right. They're now a customer. But one of the things that we found was that AWS was really great, like GuardDuty is really great at detecting brute force attempts. But that's basically all they told you, and the UI wasn't very pretty. But if we took their threat and their cloud detection data and pulled it in with our unified data model, and knowing the complete configuration of their cloud estate, we could layer on additional telemetry that would tell them, you know, listen, here's your, like I said, here's your 1000 GuardDuty brute force attempts, wouldn't it be nice to know if any of these were successful, right? So they use our tool and the response in saying, okay, yes, we have seen, you know, an uptick of brute force on these instances. We can go in and scan them and see if they've got malware, right, all from purple orchid does it natively, but just go into seed or clip, you know, did they find any malware placed in there, was there any other suspicious activity. 
And on top of that, what they also like to do, or what Orca does with the GuardDuty partnership, is that we can also tell them if this brute force attempt was actually on an instance that had potential lateral movement risk. So again, so you have, you know, 500 or so brute force attempts all throughout the cloud, right, we could pull out which ones would probably be more critical to go in and investigate and respond to versus the other ones that might be on a, you know, an S3 bucket that doesn't have anything in it, or, you know, so. So that's kind of the way that we've helped not only do the kinds of cloud detection and pull that into our platform, but really help with the contextual understanding of what is this threat capable of, and how potent could it possibly be, right? And surfacing those ones up to the top and then helping you with your response and remediation. So whether that's taking that full alert with our supplied context and sending that to Slack, MS Teams, if you've got a SOAR solution, right, an orchestration and response tool, we can send all that data there, if you work out of Jira, we kind of facilitate that ticket creation as well and assign them. So we have a lot of automation capabilities, when it comes to the response piece, that we can get it back into the workflows that companies are usually, you know, comfortable working with. Alright,

 

Greg Irwin  17:48

so, Ty, one of the big challenges I think we all know about is just lack of resources. How is it typically managed, in terms of your SOC or your IR team? Yeah. How do you see teams making good use of this and making sure that they're able to track the information? And, you know, and investigate the information that's coming from the service?

 

Ty Murphy  18:17

Sure. Yeah. So I would say most of our customers are using Orca in house, right? So they have their own in house security teams, they may have IR teams, or cloud teams, right, I'll pop in here compliance personnel, that all pop in and use the platform a little bit differently. But we also have customers that, you know, put it in the SOC, and especially when you talk about cloud detection response, we're talking a little bit more about immediate needs, and something that's actually occurring right now. Right, it needs attention, because it's a posing threat, and it has the potential to possibly do something bad. And that's why a lot of SOC and IR teams really like it, is for that instant understanding of what's going on. And so that, yeah, we have a lot of MSSP customers and, depending on, you know, the customer, if they do all their stuff internal or if they engage with an MSP that they outsource all their security to, it really kind of depends on the size of the organization. But yeah, we're able to be used both by, you know, cloud security engineers, cloud compliance auditors, right, internal on the inside of a company, but also by large MSSPs that are selling cloud security services by using our software. What you're starting to learn in the cloud space too, if you're shopping cloud products, right, is that you'll find that, like, if you have the agentless capabilities, all CSPMs are agentless because they're just kind of tapping into cloud metadata, which I think is why that market became so commoditized so quickly, right? The thing that differentiates Orca is that we're also agentless in the way that we scan the workload protection stuff, too. So not only are your configurations being taken care of, but also everything that's running inside the VMs, we've got visibility on as well. 
And when you start to merge that telemetry, then you start to see a lot of value, because it's not siloed, right, and you're not having to do a whole lot of headaches with maintaining the agents inside those VMs. And then what's nice is that the cloud and the way that they share data and distribute data throughout all of them, the cloud service providers, right, it's very open. So if you're using any type of threading tools, or any other security products, right, it's very easy to get a lot of products to communicate and start to pass and share data back and forth. We've got a huge ecosystem of other security tools that we're sending data to, and they're sending data to us. And it's just valuable. It's increasing the value of everybody's product and solution, because ultimately, if we're all passing and sharing data, all of our tools are becoming more intelligent. And we're able to provide that smart intelligence or automation back to the end users, so they can make better decisions quicker. I've given a presentation on this once at Data Connectors, but it seems, I mean, I've heard your story a hundred times, right? And you're not wrong in the same approach that others have taken, but a lot of, just like you said, try to apply that on prem way of doing security in the cloud, and it just does not work that way. Because the cloud is so expansive, and so quick to spin up, like you said, your DevOps guys could do it. So it's got to be done a different way, right? If we're going to take advantage of the cloud, right, we can't do security the same way we did on prem. And that's really going agentless. And not only does the agentless help you from not having to maintain all those?

 

Oh, what do we call them? Not having to maintain all those agents on those VMs? Right? Yeah, because what they're gonna do is they're all isolated, and it's there. So they don't know the connectivity between agent to agent, right? So you're missing all of that visibility. But the other benefit of agentless too is, if your DevOps folks go and spin up another cloud account without you knowing about it, Orca automatically pulls that right in. So if there's new assets that are in the inventory that you were unaware of, it's automatically getting covered, because we've already got connectivity to the cloud provider. So that's the main thing is the visibility. And then like that context, like you said, between the different alerts and that sort of thing, and it just won't work if you try to take from on prem to the cloud, and scale in the cloud with your on prem traditional approaches of installing agents. You might get by in the short term, but eventually, that cloud estate just gets too big, too overwhelming, and you're spending more time plumbing together the agents than you really are prioritizing the risks and solving the problems, you know. And if you're doing it differently, if we're not using one platform, right, then you're going to have this kind of push and shove, you know, just organizational friction, because I've got to go between two different tools to get what I'm looking for, which is just one single pane of glass, right? Because you're right, the agents won't cover some things that the CSPMs cover, the CSPMs won't cover some things that the agents cover. So I'm going to have all these alerts. And I'm going to have to figure out which one should I pay more attention to, because I can't, obviously, we can't get to all of them. 
I think that's why CDR comes into play too, is right, I think it's a, I'm going to be as proactive as I can but understand that I can't get to everything, just due to the sheer size of the cloud, and, you know, our security budget or our resources, whatever it may be. So then CDR has to get some attention, because I know that there's going to be cracks. And so I have to have some visibility that if things slip through the cracks, it raises a different type of threat or alarm for us. Yeah, it's funny. Because Greg, you asked about how we prioritize alerts, right, and Rob's kind of talking about all these different types of risks he's trying to get visibility and, you know, centralized management around, right. And I was at AWS re:Inforce in Boston, I think two weeks ago, and I don't get to spend a lot of time on the floor. But I was there just trying to talk with customers, because I like to understand, what are you guys going through? How are you approaching certain subjects, you know, what's working, what's not working? You know, because I use that information. I advise other customers the same way and say you've heard these types of things. But getting back to the showroom floor, I was on a computer once and a customer walked up to me and I was having to give him a demo. And you know, I don't even look at the long alert feeds anymore. I don't even go to the compliance frameworks really. Because like you said, you want to know everything. Well, I mean, it's going to be an endless scroll of everything. Right? So what I love that Orca released, I think it was Q2 of this year, is what we call our Attack Path Analysis, which is in the cloud, and basically what it says is exactly like Rob said, it's like, I have an OS, you know, maybe an unpatched OS or neglected asset that's got a vulnerability on it. 
And there's some private keys that reside there that have root access to this other server or this other VM, which then could give privilege escalation or lateral movement over to this S3 bucket that's got all this stuff. Right. So now I've got 12 risks that would be buried in a list of 1000. And I can actually visualize and streamline like, Listen, if an attacker is going to expose this S3 bucket or this EC2 instance, whatever it might be, this is going to be how it's going to be done. It's gonna be layered between one of these 10 different risks that you have unpatched, right? So what's great about that is I can go in and say, what's the easiest thing to patch? Is it the OS? Because that might break something, or all I have to do is maybe rotate or downgrade these root access keys, right? Or do something different. So now the control comes back to me, that I can kill this attack chain and make my environment much safer by just doing one out of the 10 things that you're giving me that is layered together in a chain that would expose this incident.

 

Greg Irwin  26:07

There are a couple places to go. I mean, we've talked about CDR, I think that we've talked about a customer, what about differentiation? Because there are a number of CSPMs out there, including agentless CSPMs. So when somebody is looking at a Lacework, or a Wiz, and trying to understand how is Orca differentiated? Or, you know, how do I make heads or tails of these various services, including Palo Alto and others? What criteria should somebody use in terms of evaluating your closest competitors?

 

Ty Murphy  26:47

Yeah, good question. So I think the primary thing that you want to try and achieve if you're making the migration to the cloud, right, is tool consolidation. Right? We have the ability in the cloud to really, you know, partner with one solution that can give us all the visibility and context we need, because that's what we need, we need visibility, we need context. And the only way you can get both, right, is if you kind of have that CSPM capability with that cloud workload protection ability as well. Where we differentiate, right? So we'll start with Lacework. Lacework has the CSPM capability. And they will claim they do agentless security. But the only agentless part is the CSPM. So they still require you to put agents on all your workloads if you want that type of visibility. So you'll have different pricing, different licensing there. And then, you know, not to mention all of the headaches that come along with maintaining those agents. And so that's kind of the biggest differentiator between us and them is we just don't use agents, right. And then I think Palo Alto is the other one you mentioned. Palo Alto, as you know, we see them almost all the time, just because they're the 800 pound gorilla in the marketplace, they've been around the longest, they're probably the largest in terms of revenue and size. However, their motivation and route of growth has been through acquisition. So each one of their products that they bought to play in a different space, their CSPM product, their workload protection product, even their XDR product, have all been purchased, and none of them have been seamlessly integrated. So while you may have one login, you're gonna have to go dive into three or four different UIs to get the full capability of everything that Orca could do. And then you'll also lose the context between those three to four different tools. They're just very siloed in the way they do it. 
And from what we've heard, it's hard to contextualize any type of alert and you're just trapped with a lot of alert fatigue. Yeah, it ends up back, I think, in Prisma, I think they're trying to put it all under, or maybe it's Cortex, I don't know for sure. But the workload protection tool they bought was an agent based one. There really hasn't been a full agentless solution in the cloud, between us and Wiz basically the only two out there. We got a little bit of a head start on Wiz because of our patented side scanning approach to doing our agentless cloud workload protection. So our founder, Avi, came up with this idea of taking all of those VM instances and doing kind of screenshots and pulling those into side cars, screenshots, rebuilding them all, taking a snapshot of it and then pulling all that security data over into Orca, and then providing that with that central visibility or that central unified data model. Right. And Wiz, you know, obviously, you come out with an approach like that, and then they've come out and done basically the same thing. Where we're a little bit different, I think, is we're pushing a little bit further and faster in terms of our other capabilities. We've got some shift left capabilities, a lot of API security that's coming out on the roadmap, and this quarter, obviously, the cloud detection response stuff. I think, you know, if you asked them, they'd probably say they do the same stuff. And everything that we can, from what I've heard from many customers that have been with them and switched to us, or are testing out both, is that Orca seems to have a little bit more data and telemetry than they have. So we actually, I think, consume and provide back to the end users a lot more data, a lot more depth than they have. If you're looking at it from the surface, you probably wouldn't tell much. 
But if you started dive down into the different types of each alert, or risks that we could identify, you might see some things that we could probably uncover that they would

 

Greg Irwin  31:01

What does this end up costing? I mean, I know it probably varies based on the size of the environment, the complexity, but generally, so somebody can think about it within a budget from a reasonable sized company, a couple 1000 employees, you know, historically, probably 1000s of VMs. You know, maybe I'm in multi cloud, I mean, AWS for some Dev, I have some application sitting in Azure. Yeah, what does this cost me?

Ty Murphy  31:32

So the very nice thing is that because we're a one license shop, right? So if you buy a license to Orca, you get everything, get a tech pass, you get the asset inventory, you get all of your compliance frameworks, I mean, everything we have in the product, we give it in one license, so you really only have to buy one license type. And then we license it based off of VMs. And then we also do an aggregated, right, Rob said, you know, you're always standing up and tearing down VMs in the cloud. So it does aggregate throughout the 30 days of the monthly usage of it. But that also means that, you know, all your services, serverless capabilities, all that, that's all free, we don't charge for that. So it's just a very simple thing. Containers, I believe, are treated like VMs. I'll have to, well, actually, I don't think so. So if you had like several containers on a VM, I think it's just one VM. So yeah, it's by VM.

Greg Irwin  32:31

There's your default? Are you able to give a ballpark? I understand there could be a very intense environment. That's, oh, 1000s and 1000s of containers. And there may be one that's really boring and slow and static and not doing much. But, you know, is this a $50,000 project? Or is this a $500,000 project?

Ty Murphy  32:52

Yeah, we have customers everywhere from SAP, that's $2 million projects, right down to your mom and pop shops that got a couple of VMs. And I think it's $3,000. Right? There's really no difference in terms of who uses this. I think everybody, to be honest with you, needs kind of one solution when they're looking at the cloud security deal, right. And we can solve that, whether you're just getting started and you want this full visibility across a couple of VMs. Because usually those folks that have a couple of VMs only also have a couple people in security working for them. So they're already drowning, just trying to keep up with all the different types of risks even on a very small environment. Whereas the big guys, you know, they have super complex environments and still don't have enough resources to monitor them all. They have to have a tool, so we fit both. I know there's price breaks at every, I think, couple 500 or 1000 VMs, in terms of our list price. Galli, you'd have to ask a sales guy just because I know there's a list price, then there's just discounts aplenty. So I think it's anywhere from 1500 to $1,000 a VM. Don't quote me on that, I think it gets significantly slashed the more VMs you have, the more environments you have. But like I said, the nice thing is, you know, if you're going through procurement or anything like that, it's a one license type deal. You're getting everything with it, right? We're not going to nickel and dime you, and we're only going to charge for what you use based on that percentage in that month.

Greg Irwin  34:24

I've only got one more question. It's really, where are you heading? We all know you guys are only three or something years old. It's pretty wild. You know, you went from zero to unicorn status like that. And now I think you're hundreds of employees and, you know, hundreds of millions of dollars raised and, you know, supporting SAP and, you know, 1000s of customers globally. So what's the vision? Like, what should you expect from Orca here over the next couple of years?

Ty Murphy  34:57

I think what we're doing is kind of like how you had it in the on prem stuff, right? If I wanted to look at my firewalls, headed by a firewall management tool, I want to check my endpoints and buy an endpoint tool, and as a network build, you have to buy more tools to do more things. In the cloud, it's a lot different, the data is already there. And so the more things that we bring in using the cloud and more visibility, one, we won the cloud, it's there for the taking. So as we continue to increase our consumption of the cloud, and what we integrate, use the cloud for, you know, I like to say Orca's got sticky fingers, and we're going to start getting ourselves in those areas. Because we can provide more value added capabilities back to our users. I think our ultimate goal is to be that one stop shop, single visibility across all of your cloud assets, all of your risk types, whether that's even talking about API security, and some of the other, you know, security tools you're using in the cloud, or even as folks are shifting left and scanning Terraform templates and CloudFormation templates to make sure they don't have any security flaws for when they get deployed. I think it depends on how folks are using the cloud and where we're going with them. And we'll be following

Greg Irwin  36:08

shortly behind. That's excellent. I don't have any more questions. I'll leave it to the group, people want to jump in with more questions. Certainly, you know, Orca is here for awareness. And I'd be more than happy to help connect people and figure out, you know, how they might be able to address your environments. But maybe we'll do one last wrap up here, Ty, and then let everyone get back to their day. Yeah, any closing comments for the group?

Ty Murphy  36:39

Just so everybody knows, I'm not on commission. I don't have a number. So I'm not trying to sell you anything. But I'd love to talk about cloud security, because to be honest with you, your guys' experiences are where we learn the most and, you know, who knows, somebody could share something that I could take back to the product team. And you know, we could put it on a roadmap in a couple quarters and I'll say it came from the BWG Strategy

Greg Irwin  36:59

call. Well, last shot here, said Joel, Gina, Rob, Tim, any closing questions or comments for, or retire, for the group? All right. Silence has it. Hey, Ty, thank you so much for taking time with us. Talking through CDR and talking about the outlook for work. Great stuff. Congratulations.

Ty Murphy  37:21

Thank you for having me. I enjoyed talking to everybody. Thanks for coming. Hopefully I'll see you guys here in a few months, and we'll do it again.

Greg Irwin  37:28

Sounds great. Sounds great. Thank you, Ty. Thanks, everybody. Thanks, guys.


What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.