Greg Irwin  0:18  

I'm with John Alexander today, over at Orca Security, we're talking cloud security policies, procedures, best practices, and also just talk me as a group in terms of the experiences that people are seeing what they're pursuing, or questions they have. And basically drive it like a, like a discussion group. You know, some of you have been on my calls before. And the way I like to do it is a mix, not a sales pitch, just a conversation about, you know, how people approach it and think about it. And with the key of, you know, let's, let's build a community. Let's build some contacts, learn from each other's real experiences, and kind of grow from there. So with that, I'll say it on all of my calls, please take the opportunity to connect with others here across the group. Either go directly, or come through us here at BWG. And we'll be happy to help. With this, let's go right over to John, John, you and I spoke just a couple of weeks ago, I'm going to share your your slide here and just kind of your intro. But as we do that, I'm going to ask you to do us a favor, please introduce yourself and Orca Security. Alright, sounds

John Alexander  1:40  

good. And I promise not to spend more than a minute and a half, I'll hate these long ones. So my name is John Alexander. I'm the Senior Director of Technical Product Marketing. And I'll give you the quick, quick down and dirty on Orca. Orca is basically we do two things computer security and compliance. And we have an innovative approach that we'll talk a little bit of called agentless. But we we typically use a lot of terms about how fast and how quickly you can onboard. So we are going to say instant on. And we support all of the three major CSPs. And we're adding more but Google Cloud, Azure and AWS, of course, in a single pane of glass. So what we do within that we're a platform, we do vulnerability management, configuration management. We do actually we do malware detection, which is really interesting, not not a lot of cloud security, companies do malware. And then things like data leak prevention be to a limited sense, the detection of sensitive data, we're not at DLP company. But we do that we do, we do. And we do a couple other things like file integrity monitoring, and some other things that are very specific to the cloud. And we have this unique view of doing it that accomplishes two road major benefits. One is what we call you typically call 100%. Visibility, again, the technology that we use, which was enabled by the CSPs, a couple of years ago, a lot of companies that are pre roughly 2018 don't have this technology, because the technology needed to have something from from AWS and the other vendors, which which happened around that timeframe. And that's an our ability to do what we call side scanning, but a basically agentless scanning. The whole, the big benefit of that is twofold, we don't miss anything. And it's easy to use, it's easy to you don't have to mess with maintenance and the time consuming aspect of maintaining agents. And when you deploy, you actually see everything. Because basically when you deal with AWS, they have a copy of everything, you know, all your workloads, all your your cloud infrastructure plan, we see it all we have that visibility. And that's pretty much it. These little four little bullets kind of cover a little bit about what I talked about. And if anybody has any questions, we

Greg Irwin  3:54  

move on the intro, you know, you miss the basics, which is when I when I got to know work, I didn't realise that you guys are our unicorn, your your your startup, but you're a fast growing startup. Tell us just a little bit about the work. Yeah, so the Orca has

John Alexander  4:14  

grown pretty pretty quickly. We, when I first started this company, we're in the 50 to 60 person range, which was a little over a year ago. And now we're getting into that 300 person range. So pretty as far as personnel goes, That's pretty, pretty astronomical. It literally has happened there. There's that there's that innovation, with his agentless technology, what we'll do, we'll talk a little bit more. And again, we're a little bit going to key in a little bit in Kubernetes and containers and stuff because that's the topic of this thing and how we work there, but it kind of works across the board and that's kind of what spurred our growth.

Greg Irwin  4:49  

You know, we've got people from lots of different company sizes here, your clients, I dogwalk. You're starting you're starting young. But when if I Looking at your client roster, do you have the fortune 500 reference accounts in there or there's a lot of mid market where you know, where you

John Alexander  5:08  

got, it's mostly small to mid market. Now we do have a few big accounts, we do scale, it's just, you know, the, it's like almost any startup getting the big ones is it takes a little bit of time, and you have to be a little bit cloud forward. But um, the men, the med stuff, definitely got it handled. We went through that scalability exercise late last year, we're very scalable, we actually have some really, we have several million dollar plus accounts. So to give you an idea, we do scale, so and then we're regrowing. As we get our name out there, we've been getting more and more

Greg Irwin  5:44  

business, I think you're being a little bit humble, you guys are crushing it because because we're the interface, we're a bunch of your, your clients, so we see it firsthand. Alright, let's get rid of the slides. Thank you for that. We don't always, but it's nice to, to do a basic. Alright, you know, I always like customer stories. So I'm going to ask you, if you could start with us with a with a customer story, specifically here about one of the challenges around managing, you know, securing a Kubernetes environment or a containerized environment. And, you know, let's start there, let's start with, okay, what sounds good, and then we can take it, I'm going to use one of our,

John Alexander  6:30  

you know, one of my favorite stories, and they, they blend a lot of things, but I'm gonna use the beyond trust as the example here. They have an environment where the it's very complicated, they have to support all kinds of different things. And one of the things that you'll run across, you know, Kubernetes itself is super complicated. But once you start dealing with container environments, you know, it even adds more complexity. And a lot of it is supporting like different container types. Not everybody runs Docker, not everybody's doing standardizing, the trust runs some nonstandardized container types. And again, the beauty of Orca is kind of nice, because we do have this ability to do size scanning and read the runtime block storage for CSP and gather all that data without having agency support it, we basically inherently support any almost anything, any container type on Linux, or Windows, we support pretty much I don't think we've run across anything we don't support. So that's one of the beauties that some of the container companies have that problem like, because the agent has to run on a on a container, it has to run on the on the hypervisor part of the guest OS, if you want to call it if you don't do that you can't monitor that specific, you know, Kubernetes calls and pods or whatever you want to call them. You can't you don't have visibility, that thing, but the beauty of our agentless approach is we we don't have that problem that agents have.

Greg Irwin  7:50  

Got it. So So visibility of containers is is a pain point. How do you ensure that you're seeing all the containers that are getting created or or ultimately torn down? Right now,

John Alexander  8:07  

the ones that there's one issue with containers that no one's quite solved, the fact that containers are there, you know, they sometimes get spawned up pretty quickly and spawned down. So if you don't have a scan cycle that's attacking them or not, then you were, then you're gonna have a problem, although I would argue, then you'd have an architecture something correctly, because the typical way of handling containers is you need to be able to scan them in the registry is the images that create the containers is kind of like where you should be, he should definitely never spot a container unless you, you've looked at the images beforehand. And we do support container scanning and registries, which is kind of vital on that end. And so, but the other thing is, like I said, it's kind of without getting into technical details, the way side scanning works, is able to pick up things it doesn't have to it doesn't have to run. I mean, like like agents, agents can watch the containers, if they run on the on device, they don't have a problem with containers. The fact is, we don't have to run on a guest OS or a container to work. And that's always the little the angst with the agent part. So so that's where we get the visibility. Awesome. Well, hey, we're gonna go around talk, talk some stories here.

Greg Irwin  9:20  

I'm gonna go next over to Brian herd talk a little bit about the environment. But what we have this chat window, which works incredibly well, but so long as people participate, so I'm gonna ask for everybody to get involved here for a second and do me a favor in the chat window. Please, everybody, just share with us the one thing you're most interested in. With regards to cloud security. It could be coming about AWS, it could be how do you secure multi, multi cloud environment? It could be it could be anything, but I'd like everyone to do us a favor. are dropping him dropping a note about what you're most interested in with regards to cloud security. And that way that'll give us a mile markers of what to make sure we cover in the conversation. John, I'm turning to you, man, what? Sounds good. What's the reality of at least your ability or of the overall security capabilities of the of GCP in the system? And

John Alexander  10:26  

first of all, I say, that's completely right. There's, the parity is a little bit uneven, right? It goes a little bit by the market. But one good thing about Oregon, what we believe in one of our big mantras and tenants is multicloud. In fact, you know, I used to be a security practitioner a long time ago, I haven't done in a while. But if I was going to do the cloud, now, I'd want to do, I'd be like, 8020, right, I'd be at something and then 20. And I'd be in one of those three of the big clouds, I'd be doing two of them, right. And to do that I wrote, We firmly believe that you have to have tool parity, right. And we're, we're pretty close, I'll say we do support AWS a little bit, I'm not going to butter it up. But in general, we are we track very closely, because I feel when we say we're multi cloud, we're multi cloud. And I think that's what helps a lot, right? If you can get a lot of multi cloud tools, then it's like you're using the same tools. And you can do both, it does simplify things quite a bit. Last little statement I will make is, you know, and as these clouds, bro, it will be better, right? I think, I think Microsoft Azure and Google Cloud have done a good job of growing, right. It's always been under the shadow of the big giant, but these these Google and you know, they're they're growing. They're, they're there. And they're both viable, great choices, right. And so the last thing is, when we're iterate, you know, look at multi cloud solutions would be my final

Greg Irwin  11:50  

thing that I would say. If you had to give a score, for the security posture that's able to be achieved on GCP, relative to AWS or Azure. I think you could achieve the same. It's just more

John Alexander  12:11  

work. It's I would give, you have to do a little bit less work with AWS, that's it's not that that's the same security can't

Greg Irwin  12:18  

be achieved. Got it? Got it. And so you can't you can you give an example of like, where it gets tough.

John Alexander  12:31  

I actually cannot other than the fact that I would say there's just there's less tools, like Ben said, there's just less things to support. So you're unlikely to find maybe a good monitoring tool, or if you want to do something, it's more of that. And I will find it's always interesting, if you know, we always know lamda is AWS is serverless, their name for their serverless stuff, right? Well, you know, Azure calls on functions right there. They all have, you know, they all follow each other, there's parity, and I would even I'm not a Google Cloud expert, but there's probably things that Google Cloud is, is better than AWS. So it's, you know, it's a, it's not a one, let's go with AD obviously, they're definitely better. It's not that way. You know, it's a little it's a lot more complicated than that. But, but yeah, I would just I would just say you've got to do your analysis and choose carefully. And it also depends on what you're on. If you're a little bit more of a Windows shop, you know, your second choice, you're one of your clouds is probably going to be better off being Azure. But then if you're more of a Linux shop, probably your second choice might be a better one to be on the Google side, you know, but,

Greg Irwin  13:36  

John, this is one of the I see the question here in the chat was surely managing a multiple in multiple environments. All right. So the mandate is, let's do both GCP and AWS. How much of maybe from a process perspective or tooling perspective? How seamless is it to manage, you know, environments across multiple clouds?

John Alexander  14:06  

I think from the visibility perspective, it's, it's it's not much extra work, I think we're the problem you can do is when you start mitigating and remediating things, you know, the, the challenge that I always have is that their terminology is different. And it's not that different, but it's enough different that like, Google will do something and you've got to go slightly different and you've got to go research how to do it, right. So there's, there's a implementation complexity because of the differences in terminology and technology. That's all there but it's just a matter. It's not the same, you know, you can't just learn how to do it one way in AWS and then it's immediately you know how to do it just a little bit. So little, I think somebody else it's a practitioner can probably comment better than I can, but there's a little bit of extra work there.

Greg Irwin  14:51  

Got it. I'd love to hear from from others here really, where the pain point is in and trying to, you know, make sure your configurations are right, managing your configurations, you know, keep maintaining consistent policies across multiple clouds. I want to open that up to others in terms of how do you have confidence that the configurations and settings that you're, you're driving to a right for you and where you have flexibility? Or where you doubt. John, can you shed some light in terms of how to have confidence? Yeah. And then

John Alexander  15:29  

a certain extent of 80% of give 80% confidence. So so for me a lot of the deal about configurations. And, you know, there's a wonderful organization I've worked for with them throughout my career, but the Centre for Internet security, right, you know, they have a lot of, you know, their their benchmarks or goal that the low level their low level frameworks, right. And then you have like, surely talked about high trust and HIPAA and things like that at a higher level. So what they give you for, especially like, for containers, and Kubernetes, is there is a, and for the multi cloud, there is an Azure CIS framework, you know, they're for basically looking at all the cloud infrastructure plane and certain workload aspects. There's a, there's a Google Cloud one, there's only one for AWS, you have those frameworks, which are pretty good. That's the 80%. The problem with some of these frameworks is that there's a lot of a human element, some of these things are like, okay, definitely, we want this thing to be set a certain way, right? Or this needs to be not, but then, but if you look at all these benchmarks, there's always like that 20% that are kind of, well, it could go either way. And you have to really decide what your policies are. So I would add that you when you ever use these frameworks, you do have to go through and decide on that 20% What, how you want to deal with that. 20% and lock it down with your company policies. That's the that's the fuzzy part. But for the most part, the nice thing is 80% is

Greg Irwin  16:52  

that's that's the whole story, right? It's right? How much time do you want to spend to debate to figure out and ultimately decide this is the right place to

John Alexander  17:02  

bake? Yeah, I don't have the right answer for that, it's unfortunately, you have to spend a lot more of your time on that. 20% Because the other stuff, CIS, a lot of experts have already thought about it that 80% is locked down, or you just need to, it's more, it becomes more of a compliance effort, if that 80% that are that 20% that you have to spend a lot of time with and figure out, you know, how do you really want you know, what, what is the company policy? And then and then marry it, like Charlie said, Marry it to your hire policies. You know, the, the CIS benchmarks will kind of fit somewhere modules. Can you benchmark through work and security? Well, yes, we support 40. Plus frameworks and benchmarks. Most of them are cis benchmarks, I think something like 25 plus of them are CS. And then the cool thing is we kind of did at some other company, we're not unique in this way. But it is not rare. Many companies do this. We actually took we don't we we actually support high trust and HIPAA, for example, to use the medical exam. We took the HIPAA standard and anything that was low level, we kind of looked at CIS benchmarks and we looked at other we built like tests to have fairly good coverage, you can't have perfect because, again, HIPAA is like a high level framework, but we actually did a lot any thing that we thought would be a good low level check or something that fit into that framework, we numbered them and kind of created our own HIPAA, you know, you're not going to use it with an auditor. But it's a, you're going to use it with an auditor, but it's not it doesn't function on its own right. You still have that human element, but it helps you quite a bit, you know, to comply to these benchmarks. But yeah, not not too many companies of our size would say, you know, you we support over 40 benchmarks and frameworks. So and that's, that's the kind of the value we bring to the cloud. And for every, you know, we support multi cloud in that in that end as well.

Greg Irwin  18:53  

Right? Yeah. Yeah. Oh, great stuff. All right, John, thank you. Let's a number of good points. First, you migrate legacy environment to cloud, how do you make How do you ensure that you have the same level of security posture on those workloads to if you put if you deploy your policy manager on AWS, your policy manager on on Azure and multiple environments? How do you automate when you have multiple, multiple instances? Can you can you maybe expand upon some of the some shrugs observations here?

John Alexander  19:30  

Yeah, a little bit. That's there's kind of address on some of the the tool spaces there's kind of been the there's the shift left, companies have been shifting a little bit more to the right. And then there's vendors like us that are kind of like in the middle, you know, the that are shifting over to the left, and we're actually going to be launching some shift left stuff coming up within the next couple of months. And the the main way we kind of handle it in two different ways. Is we are I'm coming up with more like a, we're actually coming up with a scripting tool that allows us to, it's not really an agent, but it's that it's a way of being able to automate things from the Oracle perspective to be able to look at things in a pre production environment and just have more points to go and look at things. And then and then the other more obvious way we're supporting shift left is we're going to be supporting infrastructure scanning, a lot getting a lot better at supporting difference, our registry styles for doing, you know, big key of of supporting the CD, the CI CD pipeline is being able to look at different images and different registries and that that kind of that kind of scanning make it easier for people. So two, two pronged effort on supporting the left, it is complicated, like Sherlock said, it's like, a lot of it is just, it's the meeting of the the shift, you know, of the little shift left companies and working with them. And you know, and it's a lot of customization automation, right now, we're getting better, you know, there's there's the meeting of the two. But yeah, there's, it's a complicated deal right now. But anyways, those are the two ways Orca’s trying to help solve the problem on our end.

Greg Irwin  21:13  

John, let me come back to you here for a minute and talk about looking ahead. And we'll go another five minutes here. As we what are your thoughts on the next year or two? The priorities? And basically how teams are gonna get their arms around this? Or maybe this is, you know, and how, how teams are gonna get their arms around, making sure and ensuring for their team for their organizations that their cloud environments are, are secure. Right?

John Alexander  21:46  

I think, to me, the key is it an Orca is kind of moving a little bit on towards the shift left and the shift, right as we add capabilities. But there's another prong that we're actually doing, it's quite, you know, we're realizing is really important, as we, as we grow and get bigger. And that's actually to make security easier to use. And I forget who mentioned him about the context now. But like, one of the things that we're starting to do is we're starting to work on more dashboards and more reporting and things. And so it's good to have, we're really good about having all this detail, and you can click on things and look at things but then a lot of cases it has to be tied to make security easier for for a larger group, because you might you might be working on a security team, where you have two veterans that are experts, and then eight people that have been around, you know, haven't been around as long, maybe a few junior people, you know, and how do you make that security approachable. And then and one of the things that always stays, as I always call it actionable, or sometimes we use the word consumable at work, as like, when you look at an alert, the more data where you can say, Aha, yeah, I've got it, this is why I need to do this. Because it everything gets tied in with a we have an attack map, that path that shows you know, all this contextual data that we kind of show kind of gives you an idea of like, okay, this is what we need, why we need to do it, rather than just, Okay, we just got to fix this vulnerability, though, you know, we've got, okay, this asset has got secrets, right. It's a, an AWS bucket with, you know, with with permissions, you know, it's public facing in the cloud. And there's a couple secrets on it, you know, that's, that's visible. Within Orca were a lot of cases you don't see those three things aren't kind of tied together, where we tie, we usually use the word universal or unified data model to kind of represent that we actually, all of our data actually resides in one data store. And we and we tie a lot of these, these things together. And we just came out with something we launched, even today, something called attack path analysis, where we add certain kinds of things, we take threat data, and we tie them together to using like the miter attack framework. And you actually can see that chain and the cert all these different vulnerabilities or, or misconfigurations, are kind of tied together and, and they kind of lead to the crown jewels, right? Or what you know, whatever it is, and you can actually see that, and then you can click on something, you know, helps you break the chain.

Greg Irwin  24:09  

Right manual right now, no

John Alexander  24:10  

automated response. It's all manual, but pretty, pretty interesting feature.

Greg Irwin  24:15  

Yeah. What I'm thinking about here is I'm I'm 80% AWS, I'm, I'm deploying AWS cloud security services. Why do I need an incremental service on top? Joe had a question for you, John. Like well, okay, what's in terms of having an overview? Right. I think I think

John Alexander  24:42  

anybody has been more of a cloud practitioner might be I'll give my answer. But, you know, the other probably better answers in mind. You know, my view is I don't like to be holding the one company right? That's my view. So it's extra work support to cloud believe me that two clouds to spriters I wouldn't do 5050 It'd be like more like 8020. But it is to have something, build that expertise and have something in your back pocket, right? In case you need this, flip that switch and that 8020 becomes 2080. Right or whatever. Right? That's, that's my whole reason for both being multicloud. And then the other good

Greg Irwin  25:18  

reason is talking about Orca Security, in addition to AWS native, oh, the

John Alexander  25:24  

whole native tool versus Orca Security? Yeah. Sounds good. There's, there's almost three answers depending upon the cloud security provider. But if you actually study the tools, Microsoft Azure takes security the most seriously as far as native goes. So they probably have the best solution on their own native, and then AWS, and then Google. But the problem is, is that they still don't, you know, they only have their market, like a company like Orca is getting, you know, that's multicloud we're selling that we can leverage all three markets, you're and plus, you're never gonna get, believe me, like, right now, there's a little bit than us, Microsoft is actually saying they support Azure and Google Cloud with their tools, believe me, do you really believe that their tools are going to be up parity between the three, and if anybody can say, actually, they actually, you know, think that that's actually true, they'll, they can support stuff, and it will never be as good, there's not going to have that level of parody account, you're not gonna have multicloud from any of the three CSPs. So if you want multicloud, you're gonna have to go elsewhere, right?

Greg Irwin  26:30  

Like a company like workout? Right? Is there a greater visibility for automation? Automation is the one thing that I've been talking about over and over, because everybody's too busy. There's too much too, you can't find resources, resource,

John Alexander  26:46  

greater visibility, because none of the cloud service providers actually use agentless. Right now. So they if you were using if you're using any of the three, you're gonna use agents now, Amazon and Azure, I think Google has actually done this as well as there's a, I forget what it's called. But there's a way of there's an agent, a dormant agent now, and a lot of images now that you spotted, and it's fairly easy to turn on. So you kind of you get there getting there some other solutions, but you're still getting, you're still gonna have a visibility problem, because not all images have that doorman agent, you're still there, you're still back to this 80 80% Visibility 20% Nod. And it's a hard one to solve. And then the other thing is, it's just effort, like we're completely devoted to security for Amazon or any of these companies. It's not their number one priority. It's operations, you know, and they've done a great job. And they all have pretty decent security solutions. But if you compare them, it's never we're almost like an Orca, like, how do we work together? How do you leverage somebody who's using Amazon? There are a few things that that like, like Cloud Trail is a good example. There's, there's some things that we actually read cloud trail logs now. But Cloud Trail is a good example that we don't we don't do cloud trail, but we can now it's actually we benefit from partnering with if you have cloud trail now, and Orca together, you'd have something that AWS does that we didn't do. And now then all this other stuff that we do that that AWS doesn't, right. Oh,

Greg Irwin  28:15  

excellent. Well, John, I enjoyed it. Thank you very much for taking the time and in Co hosting with me today. And Tom. Great. Thanks,

John Alexander  28:23  

Greg. And I appreciate everybody. Brian, you know, surely everybody here. It's been a great conversation. Thank you.

Greg Irwin  28:31  

I agree, folks, if I've, if you have some follow up, if I can help connect people anywhere across the grid, you please let me know. The well and I look forward to speaking with everybody on the future.