Greg Irwin  0:00  

Hi I'm Greg Irwin, I get to moderate these sessions. And today, we're here with Orca Security. And I think they're one of the best platforms for cloud visibility and monitoring. So we're here with Deborah Galea, we're going to be talking about, well, the best practices, share some more stories, learn a bit, a little bit about what other people are doing. And to the extent y'all want to go deep into Orca’s offering, I'm sure that we can certainly do that. We'll take it, we'll play it by the wants and needs of the group. 

These are typically pretty interactive, like, that's the way we like it. We'll go around and share some stories, the chat window works really well in these forums. So it's a great place to kind of do your sidebar, questions, comments, we'll keep it keep it interactive. 

Of course, if you want to go deeper with Orca, like not going to hide the lead, that's what they want. They're here to drive awareness. If you want to go deeper on what they're they're doing, or get feedback on different approaches to cloud security and visibility across all the big cloud platforms. That's what they do. These guys are, you know, the true gurus around cloud security and and a unicorn in their own right. I don't know how many hundreds of millions you all have raised to support the the build out of your, your platform, but it's, you're not you're not a little startup. 

Anyway, Deborah, let me turn it to you. Do us a favor, give a quick intro on yourself a real quick intro on Orca Security, and then let's talk about some of the things you're seeing there around cloud security. And as we get that going, I'm going to bring the whole group in and drive an interactive group discussion. Deborah, you've got you've got the forum.

Deborah Galea  2:14  

Okay. Well, thanks, Greg. Very happy to be here today. And so I am Product Marketing Director at Orca Security. And I'm based in Boulder, Colorado, originally from the Netherlands, as you may be able to detect from my accent. I've been in cybersecurity for more than 20 years now. Started in anti-spam, antivirus, I co-founded an email security company that was acquired, and I joined Orca Security a bit over a year ago. And it's been really exciting because Orca's really revolutionising cloud security. It was the first company to release agentless cloud security. And that basically looks not only at workloads, but also configurations. So it does that in a single platform. 

And, you know, as I see it, this has really three major advantages. So firstly, having no agents means you can deploy very quickly. So Orca, you know, it's about 15 minutes, you can onboard, you can just enter your account details, and Orca will start scanning all your assets. Secondly, Orca gives you that 100% visibility that you can never get with an agent based solution. So it basically helps you sleep at night that you know, all assets are covered and I'm not going to miss anything. And also, when new assets are added, they are automatically included as well. So it's a bit like set it and forget it. Once you install Orca, you know, you're going to be covered for every asset that you have in the cloud. And then the third advantage of the fact that Orca was actually purpose built for the cloud is that it combines the cloud workload information with the cloud configurations in a single unified data model. And that allows Orca to see the context of risk the full context and understand how certain risks can be combined to create dangerous attack paths to your crown jewels. And that allows you to effectively prioritize risk. So security teams know which risks they need to focus on. So that's in short about work.

Greg Irwin  5:02  

So can you tell us about let's go to one customer story, Deborah. And as we do, as Deborah goes through a, you know, one case study, I'm going to ask everybody here to drop in a comment in the chat. It could be a question about Orca, it can be a question about just, you know, cloud security technology or process for either Orca or others across the group, I am absolutely going to go to others here. So get ready, I'm going to, you know how I do this, I'll call out some people do me a favor, I'm gonna ask everybody go into the chat window, and drop in one thing that you'd like to hear about to make sure that this is a productive session for you specifically. And while we're doing that, Deborah, do us a favor. Tell us a little bit about one case study for Orca Security, please.

Deborah Galea  5:53  

Okay, so one of our customers is a company called Databricks. So I don't know if you've heard of them. They are a data analytics and machine learning company. And they have more than 5000 customers, including Fortune 500 companies. They use three cloud providers, you know, the big three AWS, Google Cloud, Azure. And, really, they were having trouble unifying security cloth across their cloud providers. And one other thing about Databricks is that security is really high priority for them. Because, you know, providing the service depends that they cannot provide the service if their customers do not fully trust them with their data. So it was really very top priority for them. So they were realizing that they were having some some, you know, unresolved issues with their cloud security, they realized they were not getting 100% visibility. They had the issue of not being able to unify controls across cloud platforms. And another thing was, they really did not want cloud security to hamper their developers, because this is also a big differentiator for Databricks their ability to quickly improve the platform. So they started looking at Orca. So they noticed, they understood immediately the value that you get 100% visibility, there are no agents, so there's no slowing down of the development process. And it's multi cloud, so they could just set one policy and that can be the same policy across all the cloud providers. And also the fact that Orca was able to prioritize risks, give recommended remediation instructions and make it very actionable for their teams. And their VP of information security called Caleb Sima, he summed up Orca, and he said, It was simple and brilliant. So it has something something we're very proud of it Orca.

Greg Irwin  8:33  

Yeah. Excellent. Excellent. Deborah, we've got a number of questions in here. There's one that we teed up in conversations before about alert fatigue. So before we get to questions about log for Jay, Sam, question here on DLP. Question is log how, what? Talk to us about the issues around alert fatigue from your accounts, and how people are working through it, managing it, and basically being able to identify and consolidate alerts.

Deborah Galea  9:15  

So we did actually a survey a couple of months ago. And if you're interested in downloading it, you can find it at go.Orca.security/alerts. And yeah, we found that alert fatigue is a major problem in cloud security. You know, we had more than 60% are saying that alert fatigue was contributing to turnover. It was increasing organizational friction. And also shockingly 55% said that actually alert fatigue had caused missed critical alerts and a lot of them on a weekly basis, but some even on a daily basis, that critical alerts were being missed. So at Orca, this has always been one of our differentiators. Because we have that unified data model, we're able to see the full context. We just we don't look at alerts or risks like in silo. But we look at how different risks can be combined as an attack path to your crown jewels. And our platform also actually scores these attack bots. So in addition to just looking at alerts individually, our platform also lists attack paths, and it scores them. So they will be prioritized. And of course, the scoring is depends on how easy these risks are, can be exploited. So how easy is vulnerability to exploit or to find maybe a secret or a key? And also, how close is it to your crown jewels. And that means that teams don't have to look at hundreds of alerts, because we saw like majority said, teams have at least 500 alerts a day. And most of the more but now you look at attack paths, which are much less than all these hundreds of alerts. And it allows you to not waste time looking at maybe issues that, okay, they need to be fixed, but they're not in immediate risk. And you're forgetting about the ones that actually do need to be fixed right away. So that's how Orca deals with the helps teams overcome this alert fatigue problem.

Greg Irwin  11:59  

Is it is Orca typically falling under the vulnerability team? Who typically is in front of the console and runs runs it? I mean, smaller organization is one thing but for a large organization. 

Deborah Galea  12:14  

Yeah, well, actually. So it can span a number of different teams. So we've also introduced ship lift functionalities. So now it's also DevOps, Dev SEC ops, security, just security teams in general. And, and also, sock teams, and IR teams. Actually, that's something we are going to be announcing next week, we have a little bit of a preview, but we're going to be adding more functionality on that side as well. 

So because Orca really is a platform, and you know, we're adding more and more functionality, that Orca is meant to be a platform for really all security teams to be used together. Which also reduces again, the friction, because if you have developers and even developers actually, developers can also use Orca, and then they can work together with security teams, instead of there being friction, and you know, they're not seeing the same thing. They can use the same platform.

Greg Irwin  13:27  

So I'm sorry, I'm Deborah, I'm gonna ask you to. That was that's a huge point. And folks, it's not it's to be released. But Deborah, I know that we're going to package this recording for broad public quotation. Next week after the release. Can you tell the group give the group a little bit of a of a sneak peek of what the kinds of things they might expect the next week's release?

Deborah Galea  13:51  

Yeah, so basically, we're going to be announcing cloud detection response capabilities in Orca. And so previously, the platform was focused on preventive. You're preventing risk by hardening your cloud security posture. But now we're actually adding also detecting ongoing attacks and how to intercept and block those. 

And then again, the big advantage of Orca is that we are now combining all this information to the workload for good configurations. We've got feeds coming in from cloud providers, we know what's going on. You know, right now in the environment, we've got identities we can see someone is using over privileged roles or and all that information now is used to determine whether there is malicious activity or whether this is actually normal behavior that is probably not malicious. So that's definitely something that what we are announcing next week that, you know, we can see actively what's going on. And that definitely uses, you know, AI and machine learning to do very fast analysis of anomalies. When you say, talk about dev SEC ops, org also does lot of integrations. We have over 20 integrations. So also with development tools, so that they can actually be using are seeing Orca’s data within the tools they're already using. So we that's something we really focus on, because we understand that if you don't fit into the current workflows, that, you know, it's difficult to implement a security solution, even though it might be great. If you don't use it, then obviously, it's not going to be much use. So that's something we we have a lot for in our platform seam. We do have technical integrations with SIEM solutions, like Splunk sumo logic, IBM QRadar, so that you could basically, you know, integrate, org Orca’s information into your SIEM solution. And you can use that for analysis. And I'm not quite, I didn't quite understand your question about agnostic policy analysis. Agnostic In which sense?

Deborah Galea  16:51  

Okay, so we don't, we don't use any other tools. And we do have, you know, functionality for all three providers. Now, of course, some things may be slightly different. Or maybe something only exists in Azure, which doesn't exist to AWS. So it's not, you know, completely uniform. But yeah, we provide support for all three providers. And you do not, so it's not limited to certain functionality in AWS or Azure, we support all three providers, and we're adding more as well. So. 

Greg Irwin  17:47  

I guess we can go deeper in terms of which specific part what specific types of policy analysis you're you're looking for. But appreciate the questions, James. I hope that I hope that's helpful. Let's, let's keep going. Our question is, does Orca provide DLP solutions related to healthcare data and information? Deborah do you have any any aspects that that overlap with DLP?

Deborah Galea  18:17  

Um, well, maybe not specifically DLP, but by protecting sensitive data. So, Orca allows you to, first of all, the platform detects sensitive data, or it can find out when an asset contains PII or financial information, or health information. And so then that would be classified as a crown jewel, and any risks that endanger that crown jewel would be prioritized. But it does not detect. In addition, of course, when we do reach a cloud detection response, that would be you know, in an indirect way also DLP because we would be detecting an attacker that's trying to access PII. So, but that may not be the, you know, the official definition of DLP. But it definitely helps with that.

Greg Irwin  19:28  

I got another question from a listener. Do you follow set security standards and controls? Such as critical CIS critical security controls and other standards of that sort?

Deborah Galea  19:43  

Yeah, we actually support over 40 frameworks and CIS benchmarks. So you know, all the cloud providers, CIS benchmarks and frameworks like HIPAA, sock to GDP. are, you know, we're continually adding more frameworks? You know, we get customers who ask us for certain framework. So we're we're adding on all the time. And those all come with standard controls, which you can also customize if you want.

Greg Irwin  20:21  

Folks, you can raise a hand jump in share a story, I'm going to keep going around with the questions and maybe dig in a little bit. There's a question here on containers. What aspects of cloud services is Orca focused on? Are there capabilities around container security? Thank you, Jenna for that one. Deborah, tell us a little bit. And maybe we should talk about the various types of cloud services that you're setting policy.

Deborah Galea  20:47  

Orca does include any, any assets that you have any resource that you have in your cloud environment. So that includes containers, serverless, Kubernetes, VMs, you know, every everything you have. So for Orca it doesn't really matter whether it's a container or VM or it just covers it covers everything.

Greg Irwin  21:12  

Is that because you're tracking the policy and the configuration of the of the service? 

Deborah Galea  21:19  

Yeah, but we also cover the workload. But it's the way it's the way Orca work. So you don't need to install an agent. Orca reads the data from the runtime block storage. And it basically creates an image of that. And then it scans the image. So there is absolutely no performance impact. And everything is included. And that's why it also includes containers serverless, even those cloud native services where you cannot install an agent. It's all included.

Greg Irwin  22:02  

With with a couple others here. Let me, let's stay on  the track of covering people's questions. And then Deborah, you and I have some preset questions as well. Sunil, you asked the question about logging for J. How did Orca manage log for J vulnerability in real time? Deborah, can you tell us a little bit about it?

Deborah Galea  22:22  

Yeah, so well, the first thing when log for J was discovered. There was no remediation yet there was no patch. So at that point, Orca customers could already because we have also a very extensive query function. So you could basically look for where which of my assets have logged for J. And then you can decide, well, is this you know, critical, should we maybe, you know, block internet access, or, you know, do some kind of mitigation at least to protect against this risk? Once the patch was available, and then, of course, Orca very quickly created an alert to find this vulnerability, the log for shell, so that you would automatically get an alert as well. And yeah, we found that actually, a lot of our customers started adding lots more assets than they had originally, because they realized suddenly, oh, no, we, we still have an account or something that we don't have any visibility to. So they started adding all these accounts. And yeah, we got really good feedback, including one of our customers gave us a great quote, we're very happy with a Russian bank, international, large bank. And they they said, you know that they were, yeah, that Orca saved them in log for J really. Okay, so for the CDR for the cloud detection response capabilities. We access cloud provider feeds, and threat intelligence feeds. So like you said, your blacklist IP addresses, malware, things like that. For the risks within the environment, more or less, say static risks, that we read the runtime block storage, from the cloud provider for the workloads. And then we also use API from the cloud providers to get their cloud configurations.

Greg Irwin  24:50  

You know, there's a couple of questions here about your competitors. Deborah, who do you view as your closest competitor?

Deborah Galea  25:00  

I would say our biggest competitor is Palo Alto Networks. Yeah, of course, they have a large customer base, they've been around for some time, we've noticed some of our competitors are also trying to move into the agentless space, because I think everyone is now seeing that, you know, the future is agentless cloud security. But the problem that they're having is that they did not set out as agentless. So they are trying to now add on an option, so they are agent, they are agent based, but they also want to give you the option to do agentless. Then, of course, they're only just starting out. So Orca has already been doing this for more than two years. So all the, you know, little initial problems have been ironed out, which you always get when you start some new, completely new technology. And this basically agentless yeah, that's, that's not so easy to build. So, we are hearing in the grapevine that, you know, some of them have limitations, how many assets you can scan, you know, things are not as seamless as they should be. And also, you get these bolted on tools, and you don't get that central unified data platform that provides all that the benefit of contextual risks and risk prioritization. So yeah, we have integrations with source solutions. You know, Torque, Brinker, for instance. And we are also adding capabilities to the platform. For instance, things like patch management or you know, running other scripts to resolve issues, that is something that we are working on adding to the platform. So we do have we recently released to shift left security. And so there is Orca has a capability to scan infrastructures, code templates, and container images. And also the differentiator here with Orca. And other tools is that Orca not only looks at your, you know, what you have in your templates, but it also looks at if we would deploy this template, how is it going to interact with the other risks that are any environment is this maybe going to open up a door or another attack path. So it adds information from the production environment, to the development environment, and then it does allow the developer to basically fix the risk. And then it will be reported to the security team on the right side that this has been resolved. So then the developers and the security teams can be using the same platforms, Orca does does discover PII and other confidential information. It also allows customers to mark an asset as a crown jewel. So it has either, you know, proprietary information or financial information, anything. So it's done automatically via the platform and cannot be done by a customer manually, so that you do know where your crown jewels are. And that is what we then use to prioritize risk.

Greg Irwin  29:10  

One thing we didn't talk about, we didn't talk about Wegmans. What else? Why don't why don't we cover that real quick? Because that was what what happened with Wegmans? And, you know, what's the what's the pitfall to avoid there?

Deborah Galea  29:26  

Yeah, so, it was recently in the news that Wegmans was fined $1,000. And for basically being negligent, they have left PII of 3 million of their customers in unsecured as your blob storage containers. And they have left it actually for three years. Completely, publicly exposed. So, yeah, and really by this is such a pity because it's so easy, really to to rectify that. And you know, I've had used a solution like Orca, they would have been alerted to the fact that not only is storage container publicly exposed, which you never want to do anyway or usually you don't. But also it has PII. So yeah, that would have been at the top of alerts in order to fix. 

Greg Irwin  30:40  

Would you have to set policies for specific data set data, PII data sets? Or what would what would have had to have happened in terms of setting up your configuration and policies, so that that kind of situation would have would have been flagged and alerted?

Deborah Galea  30:57  

Actually, nothing you would only use need to set up Orca. Because that's all in the standard, standard policies. Okay. And it would also automatically discover that PII, so we would know this asset has PII. So that's all automatic.

Greg Irwin  31:17  

Deborah, this is a great comment, your multichain environment, you have lots of monitoring tools going on. How are how do you turn off the alerts from those other systems, if you're relying on something like Orca to do the aggregation and alerting for you?

Deborah Galea  31:34  

Yeah, so Orca really replaces a lot of these point solutions, vulnerability management, or maybe some cloud native tools, especially when you have when you have multiple cloud providers, you're going to have to for every platform, you're going to have to have vulnerability management, you're going to have to have CSPM, GWP. All these solutions, and Orca combines all that in one platform. So that's one way it just reduces complexity. But another very important way that Orca helps is by looking at the tech path instead of just alerts. So instead of 100, a couple of 100 alerts every day, you now actually get maybe 20 Attack paths to look at which have been prioritized where you know, okay, these are the five attack paths that today I need to focus on. And then it becomes much more manageable. And also, you make sure that the critical ones are the ones you deal with first. And you don't have to sift through hundreds of alerts to try and find out which ones are critical, which ones are not, and you haven't even started remediation yet.

Greg Irwin  32:55  

Interesting, is there a way to trial it? I mean, maybe it would be risky and concerning to be able to say, “Fine, I'm just gonna turn off my Azure monitoring.” How do you, how do you test it so that you can actually see, here's the alerting, coming from, you know, my existing cloud providers? Now, here's how it's represented from work?

Deborah Galea  33:16  

So we do have the possibility to do a free risk assessment. So it's basically like a trial. But it's a bit more because we actually provide you with report. And we can show you look, these are the risks that you you may have missed, because, and we get out very often when we do these risk assessments that the, you know, security teams were not aware of the risks because we have prioritized them. And maybe they were not prioritized in other tools. And, or maybe they only using a cloud workload to, but they're not using a CSPM tool. So they're not seeing all the risks. So and also, it's possible to have both tools running together, and you can compare them and see what the difference is.

Greg Irwin  34:11  

We love the follow up and for everybody. Obviously, it gets a lot, a lot more interesting if we can get into a specific ad dad and talk about your specific environment. So I'd welcome making that connection. Let me thank you all for joining. Let me know also, maybe it's like Johnny wanting to talk about something adjacent. Nicolas, I'm not getting to your questions on WAF. And some of the other capabilities in private cloud outside of outside of public, but I'm sure we can cover those offline as well. Deborah, thank you so much for going through this with us and and teaching us a lot about Orca Security very much. Appreciate it. 

Deborah Galea  34:52

Thank you. Okay. 

Greg Irwin  34:54

All right, everybody. Let's wrap it up. Thank you all thanks for your time, and I look forward to speaking with everybody. Have a great day.