Securing Container Workloads
Mandy Sidana
Dec 2022
Audience and Intent
This presentation was prepared as part of a case study to come up with good candidate ideas for a new entrant in the
CNAPP (Cloud Native Application Protection Platform) market.
The imagined audience is the leadership of a startup in the CNAPP space, being presented to by a product
manager exploring the solution space for an MVP.
Where we play
(Slide diagram: layers of the cloud application security stack mapped to the product categories that cover them)
- Custom code: applications, APIs, innersource, 3rd-party OSS -> AppSec and composition analysis products
- Workloads: containers, serverless functions, virtual machines -> Container Workload Protection (CWPP)
- Cloud infrastructure: PaaS, IaaS, identity and permissions, networking -> Cloud Security Posture Management (CSPM)
Challenges for Cloud Security Professionals
Rapidly changing and ephemeral workloads
- More than 70% of containers live less than 5 minutes
- Many containers only need to execute a function and terminate once complete
- Companies are becoming more efficient in cloud resource utilization
- Because containers can be spun up, used, and discarded quickly, it is difficult to get insight into their usage and
security posture
- Multiple containers typically running on a single host also make it harder to track an individual
container's activity
Typical lifespan by workload type:
- Physical server: years
- Virtual machine: months to years
- Container: minutes to days
- Serverless function: seconds to minutes
Complete visibility into host and container activity
Getting visibility into dynamic containers is challenging because they are short-lived, and understanding the
security impact of what they do is harder still. Several approaches exist for getting visibility into containers and
workloads; each comes with its own set of challenges.
Agent-based scanners
- Take time to install and scan, which can be too long for ephemeral workloads
- Require the installation of agents on individual container hosts, which can be tedious and resource-intensive
Agentless scanners
- Rely on network or log data, which can be incomplete or inaccurate
- May not be able to detect certain types of malicious activity, such as lateral movement or privilege escalation
Preventing misconfigurations and container drift
- 27% of survey respondents reported a public cloud security incident; of those incidents, 23% resulted from
misconfigurations.
- Human error is a common factor in many security incidents. Manual processes leave room for typos,
misconfigurations, and oversights that can lead to a breach. IPS, IDS, and firewalling can help reduce risk
after a misconfiguration has occurred, but they don't go far enough.
- In an analysis Datadog ran across tens of thousands of customers, 40 percent of clusters still run with lax
privileges, which presents a security risk.
- Containers don't contain: containers share the host kernel, so if an attacker can exploit a vulnerability in
OS components they can compromise one or more workloads on that host.
Threat detection is resource intensive and noisy
- Threat investigations take too long, often 20+ minutes per alert, and with hundreds of alerts per day potential
security threats go unexamined.
- Detecting and analyzing threats requires installing agents or sidecar containers in the first place.
- Maintaining detection rules is cumbersome and frustrating, and it is impossible to keep up with ever-changing
attack profiles.
- Signature-based tools create a lot of noise.
- The lack of actionable, easy-to-configure reporting of suspicious activity further aggravates the problem for an
already alert-fatigued cloud security team.
Lack of cloud security professionals
In a 2022 survey of 775 security professionals, 45% of respondents cited lack of qualified staff as their biggest
day-to-day headache in protecting cloud workloads, followed by compliance (39%) and lack of visibility into
infrastructure security (35%), as mentioned earlier.
According to one study, there were roughly 715,000 unfilled cybersecurity positions in the U.S. in 2021. Few IT
organizations are not suffering from a lack of skilled security personnel, which means security teams are overworked,
understaffed, and always have too many priorities on their plate.
Emerging Trends
Trends for container workload security
Convergence of CWPP and CSPM into CNAPP
- Most organizations have stitched together a DevSecOps pipeline, often with 10 or more disparate security tools,
old and new, each with a siloed responsibility and a limited view of risk
- The most commonly cited method in a Gartner survey for integrating different security tools is manual ingestion,
which is error prone and tedious
- Investment in DevOps security has increased recently because of the need to shift left and inject security into
the early stages of the software development life cycle
- Cloud infrastructure entitlement management (CIEM) and cloud network security are in wide use among early cloud
adopters that used cloud-native solutions from their cloud service providers
- Companies are increasingly leveraging artificial intelligence/machine learning (AI/ML) capabilities to better
manage risk. CNAPP solutions will have to shift left into the earliest stages of code development to create better
insight into workload/application behavior and how it interacts with the cloud infrastructure, in order to increase
automated threat detection and response capabilities. E.g. Lacework
Cloud native application protection platform capabilities
(Slide diagram: CNAPP capability groups and the direction the market is taking)
- Artifact / exposure scanning: SAST/DAST, API scanning, software composition analysis (SCA), CVEs
- Cloud configuration: IaC scanning, cloud infrastructure entitlement management (CIEM), Kubernetes Security Posture
Management (KSPM), attack path analysis
- Runtime protection: Container Workload Protection (CWPP), application monitoring, network segmentation
Directions:
- Require CNAPP tools to shift left into development
- Use AI/ML to prioritize threats and alerts and make reports actionable
- Use open, common standards for metrics and risk
Market Analysis
Market Size
Cloud workload protection market
Gartner estimates the workload protection market at $1.69B in 2021, growing at 18.1% YoY
(Source: Gartner https://www.gartner.com/en/documents/3945611)
In 2022
- Overall, the market for cloud workload security grew 36%.
- The complexity of protecting cloud workloads increased as applications moved from monolithic to
microservices-based, linking hundreds or even thousands of loosely coupled services that are dynamic,
ephemeral, and highly distributed.
- Security vendors offered new and innovative approaches to protecting those workloads, such as leveraging eBPF
or block-storage snapshots (agentless scanning).
IDC pegged the worldwide CWPP market at $2.2B in 2022
Competitive landscape - CWPP
Most companies have been growing at an average of 35% YoY, with Lacework, CrowdStrike and Sysdig growing the
fastest (200%, 100% and 60% respectively from 2020 to 2021)
Source: IDC market share 2021
https://www.trendmicro.com/explore/idc-cloud-workload-security/01586-c1-en-rpt
Positioning Change
(Slide diagram: both camps converging on CNAPP)
Traditional CWPP vendors, building or acquiring CSPM capabilities:
- Aqua Security
- CrowdStrike
- Lacework
- Palo Alto
- Sophos
- Sysdig
Traditional CSPM vendors, building or acquiring CWPP capabilities:
- Check Point
- Orca Security
- Radware
- Rapid7
- Wiz
Market Size - CNAPP
The global CNAPP market recorded revenue of $1.7B in 2021, representing year-over-year growth of 48.8%.
Frost & Sullivan projects that momentum to continue at a compound annual growth rate of 25.7% from 2021
to 2026, with revenue reaching $5.4B in 2026.
Growth is driven by increasing demand for a unified cloud security platform that strengthens cloud
infrastructure security and protects applications and data throughout their life cycle.
(Chart: vendors positioned in the CNAPP market: Trend Micro, Palo Alto, CrowdStrike, Lacework, Sysdig, Aqua Security,
Check Point, Orca, Wiz, Sophos. Source: Lacework report)
Looking at Sysdig and Aqua
Based on Gartner vendor assessment, as rated by customers

                      Sysdig         Aqua Security
HQ                    California     Burlington, MA
# employees           500-1,000      250-500
LinkedIn employees    847            615
Open roles            113            27
Funding               $730M          $265M
Revenue               $200M          $50M

Capabilities compared (the per-vendor ratings were shown graphically on the slide and did not survive extraction):
- Hardening, configuration and vulnerability management
- Workload segmentation, traffic visibility and optional network traffic encryption
- System integrity assurance
- Application control / whitelisting
- Exploit prevention / memory protection
Strategy Map (CNAPP)
Competitor Positioning
Sysdig vs Aqua Security (two-column slide table; the column attribution did not survive extraction, so the points are
listed as they appeared)
Strengths
- Container scanning, configuration drift detection, and orchestration platform protections
- Strong features in CIEM, CWPP / container protection, reporting and scalability
- Positioned strongly as a CNAPP vendor with strong capabilities in CWP and CIEM
- Great partner management metrics and processes
Weaknesses
- Lacks in CSPM
- High availability requires explicit setup
- Configuration for data protection
- Configuring the use of third-party reputation services
- Explicit configuration of data sovereignty
- Patching, remediation, and built-in compliance policies in CWP
- Memory integrity protection and application binary control are behind
Feature strengths
- Malware and cryptomining detection with threat intelligence
- Digs directly into compromised or suspicious containers
- Automates scanning locally in continuous integration and continuous deployment (CI/CD) pipelines and registries
- Visualizes network communication between pods, services, and applications inside Kubernetes
- Conducts incident response using granular Kubernetes data
- Continuously validates cloud security posture
- Kubernetes Security Posture Management (KSPM) and Kubernetes runtime protection provide policy-driven life cycle
protection
- Real-time visibility into namespaces, deployments, nodes (hosts), containers and the images they came from
- Discovers malware hidden in open source packages and third-party images, preventing attacks on container-based
applications
- Analyzes images in a secure, isolated sandbox before they reach production, examining and tracing behavioral
anomalies
- Static and dynamic scanning to create flexible image assurance policies
Future capabilities plan
- Use real-time analysis to inspect virtual machines
- Create a unified model of runtime and posture policies
- Improve remediation in all CWS areas
- CSPM: plans to expand its security posture and container protection offerings
- Collect events and correlate them across the stack to identify attacks
- Build out automatic deployment of agents based on risk
Problem Space
Finding the right problem to solve
Target Segments

Segment                       Revenue         Employees        ACV     # est. companies   TAM
Large enterprise              >$1B            >5,000           $100K   3,000              $300M
Medium enterprise             $100M to $1B    1,000 to 5,000   $25K    20,000             $500M
Mid market                    $50M to $100M   100 to 1,000     $10K    80,000             $800M
Small and medium businesses   <$50M           Less than 100    $3K     150,000            $450M

(ACV = annual contract value; TAM = ACV x estimated number of companies)
Mid-market focus
- Large enterprises have compliance, scalability, integration and reporting needs
- While enterprises have a patchwork of security tools (CIEM, CWPP, CSPM), less mature organizations have the
chance to implement a single integrated CNAPP platform
Orgs use multiple IaaS providers, some more popular than others
- Based on a survey of 700+ security professionals in 2022, most organizations use multiple vendors to deploy
their containers, with Azure and AWS being the most popular
- The initial MVP can be scoped to cover the most popular IaaS vendors
MVP Scope
To limit the scope of the MVP within the vast set of CNAPP capabilities, we can use the following criteria
● Deliver a minimal cloud workload security solution for the mid-market segment.
● The MVP should be scalable and able to mature into a CNAPP platform over time.
○ As these companies grow and expand, we want the product to mature into a complete CNAPP platform over time
● The scope of the MVP can be limited to the most popular IaaS vendors (AWS, Azure)
● The proposed solution should be easy to implement, assuming customers at different levels of DevSecOps maturity
● Time to value must be low: ideally minutes, not days
● Proposed features should not be large in terms of effort involved. This will help us move fast and learn fast.
MVP Strategy - Where we play
Runtime protection needs
Assuming pre-deployment scanning, the core runtime protection needs, such as segmentation, network monitoring and
behavioral monitoring, may be delivered outside the workload.
In serverless PaaS environments, agents and privileged containers/sidecars will not work. Some CWPP vendors are
focusing only on threat detection/response (sometimes referred to as workload detection and response). Users can
choose to use these tools if the capability is required.
Workload segmentation orchestration
Segmentation orchestration increasingly uses the built-in capabilities of the underlying cloud platform. Many
enterprises prefer the built-in segmentation capabilities of the cloud fabric (for example, Azure network security
groups).
Customers expect CWPP vendors to have CSPM capabilities as well
MVP Goals
Zero Trust in Runtime Protection
Perimeter firewalls cannot be relied on to keep outside threats away from workloads, and log files alone rarely give
enough data to distinguish good events from bad ones. Attempts to predict every permutation of authorized access in
distributed computing have also been unsuccessful. As a result, we assume that preventing every intrusion is
impractical and design for detection and recovery as well as prevention.
Immutable workloads
Typically drift is introduced from two sources:
- Changes introduced by external actors, either humans or machines (scripts)
- Dependence of your resources on external data sources that change
Drift prevention is the cloud-native answer to malware, worms and zero-day exploits: if nothing that was not in the
approved image is allowed to run, a successful exploit has nowhere to land.
Solution Space
Candidates for a CNAPP solution MVP
Run-time in-memory drift detection and remediation
Problem
There is a lack of real-time visibility into what is going on inside containers, and strategies that pursue attack
mitigation are riddled with noisy alerts. This can be tackled by increasing run-time immutability. While containers
can be hardened by making the file system read-only, they are still vulnerable to fileless attacks that stage an
executable in memory and run it from there.
Proposed feature
- Workload memory drift detection/protection that prevents execution of executables added after a container is
deployed into production
- Comprehensive file integrity monitoring (FIM) that detects changes in content and metadata
- Automatic remediation of container state to the approved state by re-deploying the original image; notify users of
in-memory drift detection and remediation
Benefits
- Less reliance on runtime threat detection and mitigation
- Well suited for container-as-a-service and serverless function environments, which lets security departments focus
on pre-deployment scanning: containers and serverless functions should be scanned for vulnerabilities and
configuration issues before deployment
- Reduces the effort required to manually create and update image profiles
Continuous API discovery and drift control
Problem
To ensure multi-cloud environments are properly monitored and secured with regard to their APIs, comprehensive
visibility and continual API discovery are necessary. Traditional solutions that protect web traffic and APIs usually
rely on agent- or network-based measures to obtain detailed visibility, leading to high maintenance cost, incomplete
coverage, incomplete API records, scalability issues and a lack of broader cloud security context.
Proposed feature
- Interactive API maps showing all API endpoints, requests, and server responses, with a focus on publicly exposed APIs
- Track newly added API endpoints, domains, subdomains, API paths, and API operations on those paths
- Continuously monitor API behavior and usage and alert teams to potentially unwanted API drift
Benefits
- Actionable data on API misconfigurations and vulnerabilities
- Surfaces unsanctioned internal changes (shadow endpoints) before attackers find them
- Alerts on potentially risky API drift and changes
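As an added worked example (not from the deck or any vendor's product), here is the simplest form of the discovery and drift loop described above: endpoints are inferred from access logs, identifier-like path segments are collapsed into templates so that /users/1042 and /users/77 count as one endpoint, and the observed inventory is compared against the approved one. The log lines, the approved inventory and the "RFC 1918 means internal" heuristic for public exposure are all constructed for the illustration.

```python
"""Continuous API discovery from access logs, plus drift detection against an
approved inventory. Added example for this deck, not vendor code; the log lines
and the inventory below are constructed."""
import re
from collections import defaultdict

# Constructed load-balancer style access log: "METHOD PATH STATUS CLIENT_IP"
SAMPLE_LOGS = """\
GET /api/v1/users/1042 200 203.0.113.7
GET /api/v1/users/77 200 203.0.113.9
POST /api/v1/orders 201 198.51.100.2
GET /api/v1/orders/5f1c2e 200 198.51.100.2
DELETE /api/v1/users/1042 204 203.0.113.7
GET /internal/debug/heap 200 203.0.113.44
GET /api/v1/health 200 10.0.0.5
"""

# Approved inventory: path template -> operations the API team has signed off on
KNOWN_INVENTORY = {
    "/api/v1/users/{id}": {"GET"},
    "/api/v1/orders": {"POST"},
    "/api/v1/orders/{id}": {"GET"},
    "/api/v1/health": {"GET"},
}

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<client>\S+)$")
# Path segments that look like identifiers (numeric, hex, UUID) collapse to {id},
# so /users/1042 and /users/77 are counted as one endpoint. Heuristic, not a
# parser for any particular API style.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{6,}|[0-9a-f]{8}-[0-9a-f-]{27})$")
PRIVATE_PREFIX = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def normalize_path(path: str) -> str:
    """Strip the query string and replace identifier-like segments with {id}."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in segments)


def discover(log_text: str):
    """Return (observed inventory, templates that were reached from public sources)."""
    observed = defaultdict(set)
    public = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        template = normalize_path(m["path"])
        observed[template].add(m["method"])
        if not PRIVATE_PREFIX.match(m["client"]):  # assumption: RFC 1918 == internal
            public.add(template)
    return dict(observed), public


def detect_drift(observed, public, known):
    """Flag endpoints and operations that are live but absent from the approved inventory."""
    findings = []
    for template, methods in sorted(observed.items()):
        if template not in known:
            findings.append(("NEW_ENDPOINT", template, sorted(methods), template in public))
        else:
            new_ops = methods - known[template]
            if new_ops:
                findings.append(("NEW_OPERATION", template, sorted(new_ops), template in public))
    return findings


if __name__ == "__main__":
    inventory, exposed = discover(SAMPLE_LOGS)
    for kind, template, ops, is_public in detect_drift(inventory, exposed, KNOWN_INVENTORY):
        print(f"{kind:14} {template:28} {','.join(ops):8} public={is_public}")
```

On the constructed log this reports two drifts: a DELETE operation on /api/v1/users/{id} that nobody approved, and a /internal/debug/heap endpoint that is not in the inventory at all, both reached from public addresses. The public/private split is the part worth tuning in a real deployment (load-balancer source ranges, VPN egress, and so on), and the template heuristic should be replaced by the OpenAPI specification where one exists.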
IaC drift and insecure configuration detection
Problem
A large share of security incidents are related to over-privileged containers and excessive permissions on user
roles. "Configuration drift" is the common term for the change that takes place in production environments over
time. Customers create pre-defined assurance policies to automate the secure deployment of K8s applications at the
K8s admission controller, but the deployed resources can still change afterwards.
Proposed feature
- Report drift and insecure configurations/resources directly to developers via failed merge requests
- Monitor the state of production clusters and reconcile them to their originally declared state; automatic rollback
makes sure the production system stays faithful to the declared state
- Reject PRs to IaC that introduce changes outside the allowed configuration states
Benefits
- Detect differences between the intended configuration represented by IaC and the actual state in AWS
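Added example (not the deck's or any vendor's code) of the two checks this feature rests on: a pod-level policy check of the kind an admission controller runs to reject over-privileged containers, and a declared-versus-actual comparison of a security group's ingress rules that produces a reconcile plan. The Pod manifest and the rule sets are constructed; the manifest uses Kubernetes PodSpec field names, and the rules use the shape an AWS security group reports (protocol, from_port, to_port, CIDR).

```python
"""IaC drift and insecure-configuration checks. Added example for this deck,
not vendor code. The Pod manifest follows Kubernetes PodSpec field names; the
ingress rules use the shape an AWS security group reports (protocol,
from_port, to_port, cidr). Both data sets are constructed."""

# --- 1. Admission-time policy: reject over-privileged pods -----------------

# Constructed Pod manifest of the kind an admission controller receives
LAX_POD = {
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "app",
             "image": "registry.example/payments:1.4.2",
             "securityContext": {"privileged": True, "readOnlyRootFilesystem": False}},
            {"name": "sidecar",
             "image": "registry.example/log-shipper:2.0",
             "securityContext": {"runAsNonRoot": True,
                                 "readOnlyRootFilesystem": True,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
        ],
    },
}


def check_pod(pod: dict) -> list:
    """Return (scope, violation) pairs against a restrictive baseline.
    Unset fields count as violations: Kubernetes defaults are permissive
    (root user, writable rootfs, allowPrivilegeEscalation=true)."""
    spec = pod.get("spec", {})
    violations = []
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        violations.append(("pod", "host namespace sharing enabled"))
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            violations.append((name, "privileged container"))
        if not sc.get("runAsNonRoot"):
            violations.append((name, "runAsNonRoot not set"))
        if not sc.get("readOnlyRootFilesystem"):
            violations.append((name, "writable root filesystem"))
        if sc.get("allowPrivilegeEscalation", True):
            violations.append((name, "allowPrivilegeEscalation not disabled"))
        added = sc.get("capabilities", {}).get("add", [])
        if added:
            violations.append((name, "adds capabilities: " + ",".join(added)))
    return violations


# --- 2. Declared (IaC) vs actual (cloud API) state of a security group ----

DECLARED_INGRESS = {("tcp", 443, 443, "0.0.0.0/0"),
                    ("tcp", 5432, 5432, "10.0.0.0/8")}
# What the cloud API reports: someone opened SSH to the world by hand
ACTUAL_INGRESS = DECLARED_INGRESS | {("tcp", 22, 22, "0.0.0.0/0")}


def diff_rules(declared: set, actual: set) -> dict:
    """Rules live in the cloud but absent from code are 'unmanaged'; rules in
    code but absent from the cloud are 'missing'."""
    return {"unmanaged": sorted(actual - declared), "missing": sorted(declared - actual)}


def risky(rule: tuple) -> bool:
    """World-reachable on anything other than plain web ports counts as high risk."""
    _proto, lo, hi, cidr = rule
    return cidr in ("0.0.0.0/0", "::/0") and not (lo == hi and lo in (80, 443))


def reconcile_plan(declared: set, actual: set) -> list:
    """Actions that bring the live state back to the declared state."""
    diff = diff_rules(declared, actual)
    plan = [("revoke", r, "HIGH" if risky(r) else "LOW") for r in diff["unmanaged"]]
    plan += [("authorize", r, "LOW") for r in diff["missing"]]
    return plan


if __name__ == "__main__":
    for scope, why in check_pod(LAX_POD):
        print(f"DENY {LAX_POD['metadata']['name']}/{scope}: {why}")
    for action, rule, severity in reconcile_plan(DECLARED_INGRESS, ACTUAL_INGRESS):
        print(f"{severity:4} {action} {rule}")
```

The same check_pod logic is what would run in the merge-request gate: the manifest is read from the IaC repository instead of the admission request, and a non-empty result fails the pipeline. The reconcile plan is deliberately a list of proposed actions rather than API calls, so a team can choose between auto-revert and "open a ticket, revert after review" per environment.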
Appendix
Epic: Run-time container drift prevention
Description
As someone responsible for workload security, I want to detect and stop any run-time container drift in critical production environments. If a deviation from
expected behaviour is detected, the solution should automatically re-deploy the original container so that a potential run-time attack is mitigated effortlessly.
Problem
There is a lack of real-time visibility into what is going on inside containers, and strategies that pursue attack mitigation are riddled with noisy alerts. This can be tackled by
increasing run-time immutability. While containers can be hardened by making the file system read-only, they are still vulnerable to fileless attacks that stage an executable in
memory and run it from there. The proposed feature aims to identify such memory drift and remediate it once detected.
Possible solutions (can be changed based on engineering input)
1. Automatically profile the runtime behavior of a container and use this information to build an image profile. The profile can contain information on the following, but is not
limited to:
- Network activity
- File system activity
- Comprehensive file integrity monitoring (FIM) that detects changes in metadata
- System calls
2. Optionally, the generated image profile can be audited by the security team to verify that it looks as expected.
3. The image profile can be used to
- Apply container restrictions
- Create an allow-list for specific containers
- Block them from executing certain runtime activities
4. If a deviation from the container image profile is detected, re-deploy the original container to return to the approved container state
5. If a subsequent drift is detected within a reasonable time, stop the container and notify the cloud security team
6. Notify users of in-memory drift detection and remediation
7. Allow users to configure auto re-deploy on drift on a per-image basis
User Benefits
- Less reliance on runtime threat detection and mitigation
- Well suited for container-as-a-service and serverless function environments, which lets security departments focus on pre-deployment scanning
- Reduces the effort required to manually create and update image profiles
- Automatically remediates the state in case of an attack
Acceptance criteria
- The feature should be able to detect fileless malicious attacks
- The system should automatically notify the user if drift is detected
- The system should automatically re-deploy the original image seamlessly
- Image drift detection should not require installation of agents
- Image drift detection should not slow down or impact the performance of the workload
- The re-deployment of the production image should be seamless and without any downtime
- The system should be able to handle X workloads and clusters (target numbers to be defined)
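The following is an added example, not code from the deck or from any vendor, that works through the mechanics behind both the "Run-time in-memory drift detection and remediation" candidate and this epic: an image profile (executable paths with content digests, plus the normal outbound destinations) is compared with a runtime snapshot, fileless execution is spotted through what /proc/<pid>/exe resolves to, and the response follows steps 4 and 5 above (redeploy first, stop and escalate on a repeat within a window). The profile digests, the process list and the connections are constructed; in a real system the profile comes from the image at build time and the snapshot from the host's /proc and socket tables.

```python
"""Runtime drift detection against an image profile, and the
redeploy-then-stop response described in the epic. Added example for this deck,
not vendor code. The profile digests, the process list and the connections are
constructed; in practice they come from the image at build time and from the
host's /proc and socket tables at run time."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Profile captured from the image and a staging run: which executables exist
# (path -> content digest) and which outbound destinations are normal.
IMAGE_PROFILE = {
    "executables": {
        "/usr/local/bin/app": sha256(b"ELF app 1.4.2"),
        "/bin/sh": sha256(b"ELF busybox sh"),
    },
    "egress": {("10.20.0.5", 5432), ("10.20.0.9", 6379)},
}


@dataclass
class Process:
    pid: int
    exe: str   # what /proc/<pid>/exe resolves to
    comm: str


@dataclass
class Snapshot:
    files: dict        # executable path -> content digest, from the live rootfs
    processes: list
    connections: set   # (dst_ip, dst_port)


def detect_drift(profile: dict, snap: Snapshot) -> list:
    findings = []
    for path, digest in snap.files.items():
        known = profile["executables"].get(path)
        if known is None:
            findings.append(("new_executable", path))
        elif known != digest:
            findings.append(("modified_executable", path))
    for p in snap.processes:
        # A read-only rootfs does not stop this: memfd-backed or unlinked binaries
        # show up in /proc/<pid>/exe as "/memfd:..." or "... (deleted)".
        if p.exe.startswith("/memfd:") or p.exe.endswith("(deleted)"):
            findings.append(("fileless_exec", f"pid={p.pid} exe={p.exe}"))
    for ip, port in sorted(snap.connections - profile["egress"]):
        findings.append(("unexpected_egress", f"{ip}:{port}"))
    return findings


class DriftResponder:
    """First drift on a container -> redeploy it from the original image.
    A second drift within `window` seconds -> stop it and escalate, since
    redeploying clearly did not remove the cause."""

    def __init__(self, window: int = 600):
        self.window = window
        self.last_drift = {}   # container id -> time of the last drift handled

    def decide(self, container_id: str, findings: list, now: float) -> str:
        if not findings:
            return "none"
        previous = self.last_drift.get(container_id)
        self.last_drift[container_id] = now
        if previous is not None and now - previous < self.window:
            return "stop_and_escalate"
        return "redeploy"


# Constructed snapshots: one clean, one with a dropped binary, a fileless
# stage running from memfd, and a connection to an unknown host.
CLEAN = Snapshot(files=dict(IMAGE_PROFILE["executables"]),
                 processes=[Process(1, "/usr/local/bin/app", "app")],
                 connections={("10.20.0.5", 5432)})

COMPROMISED = Snapshot(
    files={**IMAGE_PROFILE["executables"], "/tmp/.x/miner": sha256(b"ELF miner")},
    processes=[Process(1, "/usr/local/bin/app", "app"),
               Process(4711, "/memfd:payload (deleted)", "kworker")],
    connections={("10.20.0.5", 5432), ("198.51.100.23", 4444)},
)

if __name__ == "__main__":
    responder = DriftResponder(window=600)
    for t, snap in ((0, CLEAN), (100, COMPROMISED), (400, COMPROMISED)):
        found = detect_drift(IMAGE_PROFILE, snap)
        print(t, responder.decide("payments-api-7c9", found, t), found)
```

Two practical notes. The fileless check is the part that a read-only root filesystem and FIM alone cannot deliver, and it needs a view of the host's /proc (or equivalent kernel telemetry such as eBPF); that is compatible with the "no agents" acceptance criterion only if it is read as "no per-container agent or sidecar", since some node-level vantage point is required. The redeploy-then-stop escalation also needs a per-container memory of recent drifts, which is why the responder keeps state rather than deciding on one snapshot alone.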
Feature priority

Feature                          Business value   Customer impact   Effort
Zero trust configurations        High             High              Medium
Configuration drift prevention   High             Medium            Medium
Runtime drift protection         High             High              Medium
Networking drift prevention      Medium           Low               Medium
API drift prevention             High             High              Medium

Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Container Workload Security Solution Ideas by Mandy Sidana.pptx

6. Complete visibility into host and container activity
Getting visibility into dynamic containers is challenging because of their short lifetimes, and understanding the security impact of what they do is harder still. Several approaches exist for getting visibility into containers and workloads; each comes with its own challenges.
Agent-based scanners
- Take time to install and scan, which can be too long for ephemeral workloads
- Require the installation of agents on individual container hosts, which is tedious and resource-intensive
Agentless scanners
- Rely on network or log data, which can be incomplete or inaccurate
- May not be able to detect certain types of malicious activity, such as lateral movement or privilege escalation
7. Preventing misconfigurations and container drift
Challenges
- 27% of survey respondents reported a public cloud security incident; of those incidents, 23% resulted from misconfigurations.
- Human error is a common factor in many security incidents today. Manual processes leave room for typos, misconfigurations and oversights that can lead to a breach. IPS, IDS and firewalling can help reduce risk after these misconfigurations occur, but they don't go far enough.
- In an analysis run by Datadog across tens of thousands of customers, 40 percent of clusters in use still run with lax privileges, which presents a security risk.
- Containers don't contain: if an attacker is able to exploit a vulnerability in OS components shared by all containers on a host (the kernel or the container runtime), they can compromise one or more workloads.
8. Threat detection is resource intensive and noisy
- Threat investigations take too long, often 20+ minutes per alert, and with hundreds of alerts per day potential security threats go unexamined.
- Detecting and analyzing threats requires installing agents or sidecar containers in the first place.
- It is cumbersome and frustrating to maintain detection rules, and impossible to keep up with ever-changing attack profiles.
- Signature-based tools create a lot of noise.
- The lack of actionable, easy-to-configure reporting of suspicious activity further aggravates the problem for an alert-fatigued cloud security team.
9. Lack of cloud security professionals
Based on a survey of 775 security professionals in 2022, 45% of respondents cited lack of qualified staff as their biggest day-to-day headache in protecting cloud workloads, followed by compliance (39%) and lack of visibility into infrastructure security (35%), as mentioned earlier. According to one study, there were roughly 715,000 unfilled cybersecurity positions in the U.S. in 2021. Few IT organizations are not suffering from a lack of skilled security personnel, which means security teams are overworked, understaffed and always have too many priorities on their plate.
11. Convergence of CWPP and CSPM into CNAPP
- Most organizations have stitched together a DevSecOps pipeline from 10 or more disparate security tools, old and new, each with a siloed responsibility and a limited view of risk.
- The most commonly cited method in a Gartner survey for integrating different security tools is manual ingestion, which is error-prone and tedious.
- Investment in DevOps security has increased recently due to the need for shift-left security that injects security into the early stages of the software development life cycle.
- Cloud infrastructure entitlement management (CIEM) and cloud network security are in wide use among early cloud adopters that used cloud-native solutions from their cloud service providers.
- Companies are increasingly leveraging artificial intelligence/machine learning (AI/ML) capabilities to better manage risk.
CNAPP solutions will have to shift left into the earliest stages of code development to create better insight into workload/application behavior and how it interacts with the cloud infrastructure, in order to increase automated threat detection and response capabilities. Example: Lacework.
12. Cloud native application protection platform capabilities
- Container Workload Protection (CWPP): runtime protection, application monitoring, network segmentation, exposure scanning
- Artifact scanning: SAST/DAST, API scanning, SCA, CVEs
- Cloud configuration: attack path analysis, IaC scanning, cloud infrastructure entitlement management (CIEM), Kubernetes Security Posture Management (KSPM)
Cross-cutting requirements
- CNAPP tools must shift left into development
- Use AI/ML to prioritize threats and alerts and make reports actionable
- Use open, common standards for metrics and risk
14. Market size: cloud workload protection
Gartner estimates the workload protection market at $1.69B in 2021, growing 18.1% YoY (Source: Gartner https://www.gartner.com/en/documents/3945611).
In 2022:
- Overall, the market for cloud workload security grew 36%.
- The complexity of protecting cloud workloads increased as applications moved from monolithic to microservices-based architectures, linking hundreds or even thousands of loosely coupled services that are dynamic, ephemeral and highly distributed.
- Security vendors offered new and innovative approaches to protecting those workloads, such as leveraging eBPF for runtime visibility or block-storage snapshots for agentless scanning.
IDC pegged the worldwide CWPP market at $2.2B in 2022.
15. Competitive landscape: CWPP
Most companies have been growing at an average of 35% YoY, with Lacework, CrowdStrike and Sysdig growing the fastest (200%, 100% and 60% respectively from 2020 to 2021).
Source: IDC market share 2021 https://www.trendmicro.com/explore/idc-cloud-workload-security/01586-c1-en-rpt
16. Positioning change: both camps converge on CNAPP
Traditional CWPP vendors, building or acquiring CSPM capabilities:
- Aqua Security
- CrowdStrike
- Lacework
- Palo Alto
- Sophos
- Sysdig
Traditional CSPM vendors, building or acquiring CWPP capabilities:
- Check Point
- Orca Security
- Radware
- Rapid7
- Wiz
17. Market size: CNAPP
The global CNAPP market recorded revenue of $1.7B in 2021, representing year-over-year growth of 48.8%. Frost & Sullivan projects that momentum to continue at a compound annual growth rate of 25.7% from 2021 to 2026, with revenue reaching $5.4B in 2026.
Growth is driven by increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle.
Vendors shown: Trend Micro, Palo Alto, CrowdStrike, Lacework, Sysdig, Aqua Security, Check Point, Orca, Wiz, Sophos (Source: Lacework report)
18. Looking at Sysdig and Aqua
Based on Gartner vendor assessment, as rated by customers

                      Sysdig             Aqua Security
Headquarters          San Francisco, CA  Burlington, MA
# employees           500-1000           250-500
LinkedIn employees    847                615
Open roles            113                27
Funding               $730M              $265M
Revenue               $200M              $50M

Capabilities compared for both vendors:
- Hardening, configuration and vulnerability management
- Workload segmentation, traffic visibility and optional network traffic encryption
- System integrity assurance
- Application control / allow-listing
- Exploit prevention / memory protection
20. Competitor positioning
Strengths
- Sysdig: container scanning, configuration drift detection and orchestration platform protections; strong features in CIEM, CWPP/container protection, reporting and scalability.
- Aqua Security: positioned strongly as a CNAPP vendor with strong capabilities in CWP and CIEM; great partner management metrics and processes.
Weaknesses
- Sysdig: lacks in CSPM; scored lower on explicit high-availability setup, configuration for data protection, configuring the use of third-party reputation services, and explicit configuration of data sovereignty.
- Aqua Security: patching, remediation and built-in compliance policies in CWP; memory integrity protection and application binary control are behind.
Feature strengths
- Sysdig: malware and cryptomining detection with threat intelligence; digs directly into compromised or suspicious containers; automates scanning locally in continuous integration and continuous deployment (CI/CD) pipelines and registries; visualizes network communication between pods, services and applications inside Kubernetes; conducts incident response using granular Kubernetes data; continuously validates cloud security posture.
- Aqua Security: Kubernetes Security Posture Management (KSPM) and Kubernetes runtime protection provide policy-driven life cycle protection; real-time visibility into namespaces, deployments, nodes (hosts), containers and the images they came from; discovers malware hidden in open source packages and third-party images, preventing attacks on container-based applications; analyzes images before they arrive, in a secure isolated sandboxed environment, examining and tracing behavioral anomalies; static and dynamic scanning to create flexible image assurance policies.
Future capability plans
- Sysdig: use real-time analysis to inspect virtual machines; create a unified model of runtime and posture policies; improve remediation in all cloud workload security (CWS) areas.
- Aqua Security: CSPM, with plans to expand its security posture and container protection offerings; collect events and correlate them across the stack to identify attacks; build out automatic deployment of agents based on risk.
21. Problem space: finding the right problem to solve
22. Target segments

Segment                      Revenue         Employees      ACV     Est. companies  TAM
Large enterprise             >$1B            >5000          $100K   3,000           $300M
Medium enterprise            $100M to $1B    1000 to 5000   $25K    20,000          $500M
Mid market                   $50M to $100M   100 to 1000    $10K    80,000          $800M
Small and medium businesses  <$50M           <100           $3K     150,000         $450M

Mid-market focus
- Large enterprises have compliance, scalability, integration and reporting needs.
- While enterprises have a patchwork of security tools (CIEM, CWPP, CSPM), less mature organizations have the chance to implement a single integrated CNAPP platform.
23. Organizations use multiple IaaS providers, some more popular than others
- Based on a survey of 700+ security professionals in 2022, most organizations use multiple vendors to deploy their containers, with Azure and AWS the most popular.
- The initial MVP can be scoped to the most popular IaaS vendors.
24. MVP scope
To limit the scope of the MVP from the vast majority of CNAPP capabilities, we can use the following criteria:
- Deliver a minimal cloud workload security solution for the mid-market segment.
- The MVP should be scalable and able to mature into a CNAPP platform over time: as these companies grow and expand, we want the product to grow into a complete CNAPP platform with them.
- The scope of the MVP can be limited to the most popular IaaS vendors (AWS, Azure).
- The proposed solution should be easy to implement for customers at different levels of DevSecOps maturity.
- Time to value realization must be low, ideally minutes rather than days.
- Proposed features should not be large in terms of effort involved; this helps move fast and learn fast.
25. MVP strategy: where we play
Runtime protection needs
- Assuming images are scanned before deployment, the core runtime protection needs (segmentation, network monitoring and behavioral monitoring) may be delivered from outside the workload.
- In serverless and PaaS environments, agents and privileged containers/sidecars will not work.
- Some CWPP vendors focus only on threat detection and response (sometimes referred to as workload detection and response); users can adopt those tools if the capability is required.
Workload segmentation orchestration
- Segmentation orchestration is increasingly using the built-in capabilities of the underlying cloud platform; many enterprises prefer the native segmentation capabilities of the cloud fabric (for example, Azure network security groups).
Customers expect CWPP vendors to have CSPM capabilities as well.
26. MVP goals
Zero trust in runtime protection
- Modern firewalls alone cannot keep outside threats out, and log files rarely yield enough to distinguish good events from bad ones. Attempts to predict every permutation of authorized access in distributed computing have also been unsuccessful. We therefore assume that effectively preventing intrusions is impractical, and that the runtime must be protected as if it will be breached.
Immutable workloads
- Drift is typically introduced from two sources: changes made by external actors, either humans or machines (scripts), and dependencies of your resources on external data sources that change.
- Drift prevention is the cloud-native answer to malware, worms and zero-day exploits.
28. Run-time in-memory drift detection and remediation
Problem
- There is a lack of real-time visibility into what is going on inside containers, and strategies built around attack mitigation are riddled with noisy alerts. This can be tackled by increasing run-time immutability.
- While containers can be hardened by making the file system read-only, they remain vulnerable to fileless attacks that load an executable into memory and run it from there.
Proposed feature
- Workload memory drift detection/protection that prevents execution of executables added after a container is deployed into production
- Comprehensive file integrity monitoring (FIM) that also detects changes in metadata (ownership, permissions, setuid bits)
- Automatic remediation of the container to the approved state by re-deploying the original image
- Notify users of in-memory drift detection and remediation
Benefits
- Less reliance on runtime threat detection and mitigation
- Well suited for container-as-a-service and serverless function environments, and lets security teams concentrate on pre-deployment scanning: containers and serverless functions should be scanned for vulnerabilities and misconfiguration before they are deployed
- Reduces the effort required to manually create and update image profiles
29. Continuous API discovery and drift control
Problem
- To ensure multi-cloud environments are properly monitored and secured with regard to their APIs, comprehensive visibility and continual API discovery are necessary.
- Traditional solutions that protect web traffic and APIs usually rely on agent- or network-based measures to obtain detailed visibility, leading to high maintenance cost, incomplete coverage, reduced API records, scalability issues and a lack of broader cloud security context.
Proposed feature
- Interactive API maps showing all API endpoints, requests and server responses, with a focus on publicly exposed APIs
- Track newly added API endpoints, domains, subdomains, API paths and API operations on those paths
- Continuously monitor API behavior and usage and alert teams to potentially unwanted API drift
Benefits
- Actionable data on API misconfigurations and vulnerabilities
- Helps stop internal threats such as undocumented or shadow endpoints
- Alerts on potentially risky API drift and changes
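The discovery and drift step described above, as an added example that is not part of the deck or any vendor's product. The approved API map, the gateway log lines and the internal address ranges are all constructed for illustration; a real deployment would load the map from an OpenAPI document and stream the logs from the gateway or load balancer.

```python
"""Added example, not from the deck or any vendor: continuous API discovery
from gateway access logs and drift against an approved API map.
The approved map, the log lines and the internal address ranges are
constructed for illustration."""
import ipaddress
import re

# Approved API map: (method, normalized path) -> whether the operation must be authenticated.
APPROVED = {
    ("GET", "/api/v1/users/{id}"): {"auth": True},
    ("POST", "/api/v1/orders"): {"auth": True},
    ("GET", "/healthz"): {"auth": False},
}
KNOWN_HOSTS = {"api.example.test"}
# Assumed internal ranges (RFC 1918); anything else is treated as a public client.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines: client "METHOD path" status auth=<credential present?> host=<Host header>
LOG_LINES = [
    '10.0.0.5 "GET /api/v1/users/42" 200 auth=yes host=api.example.test',
    '10.0.0.5 "POST /api/v1/orders" 201 auth=yes host=api.example.test',
    '203.0.113.9 "GET /api/v1/users/42/export?format=csv" 200 auth=no host=api.example.test',
    '203.0.113.9 "DELETE /api/v1/users/42" 204 auth=yes host=api.example.test',
    '10.0.0.7 "GET /healthz" 200 auth=no host=api.example.test',
    '198.51.100.4 "GET /internal/debug/vars" 200 auth=no host=debug.example.test',
]

LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
                    r'auth=(?P<auth>yes|no) host=(?P<host>\S+)$')
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")


def normalize_path(path):
    """Drop the query string and collapse identifiers, so /users/42 and /users/7 are one operation."""
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("?", 1)[0].split("/"))


def is_internal(client):
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in INTERNAL)


def discover(lines):
    """Build the observed inventory: (method, path) -> hit counters and hosts seen."""
    inventory = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # unparseable line: skip rather than guess
        rec = m.groupdict()
        key = (rec["method"], normalize_path(rec["path"]))
        st = inventory.setdefault(key, {"hits": 0, "unauth_hits": 0, "public_hits": 0, "hosts": set()})
        st["hits"] += 1
        st["unauth_hits"] += rec["auth"] == "no"
        st["public_hits"] += not is_internal(rec["client"])
        st["hosts"].add(rec["host"])
    return inventory


def api_drift(inventory, approved=APPROVED, known_hosts=KNOWN_HOSTS):
    """Report operations, methods and hosts the approved map does not know,
    plus approved operations that are being used without authentication."""
    findings = []
    known_paths = {p for _, p in approved}
    for (method, path), st in inventory.items():
        base = {"op": (method, path), "unauth_hits": st["unauth_hits"], "public_hits": st["public_hits"]}
        spec = approved.get((method, path))
        if spec is None:
            kind = "new_method_on_known_path" if path in known_paths else "new_operation"
            findings.append({**base, "kind": kind})
        elif spec["auth"] and st["unauth_hits"]:
            findings.append({**base, "kind": "unauthenticated_use"})
        new_hosts = st["hosts"] - known_hosts
        if new_hosts:
            findings.append({**base, "kind": "new_host", "hosts": sorted(new_hosts)})
    return findings


if __name__ == "__main__":
    for f in sorted(api_drift(discover(LOG_LINES)), key=lambda f: f["op"]):
        print(f["kind"], *f["op"], f"unauth={f['unauth_hits']} public={f['public_hits']}")
```

On the constructed sample the map is silent about the export endpoint, the DELETE method on a known path, and the debug endpoint on a host nobody registered; the counters on each finding tell the reviewer whether the drift is already reachable unauthenticated from public clients, which is what decides its priority.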
30. IaC drift and insecure configuration detection
Problem
- A large share of security incidents involve over-privileged containers and excessive permissions on user roles. "Configuration drift" is the common term for the change that takes place in production environments after deployment.
- Customers create pre-defined assurance policies to automate the secure deployment of Kubernetes applications at the admission controller, but the deployed state can still change over time.
Proposed feature
- Report drift and insecure configurations/resources directly to developers via failed merge requests
- Monitor the state of production clusters and reconcile them to their original declared state; automatic rollback keeps the production system faithful to the declared state
- Reject pull requests to IaC that move away from the allowed configuration states
Benefits
- Detect differences between the intended configuration represented by IaC and the actual state in AWS
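The three parts of the proposed feature (diff declared against live state, reconcile drift, reject insecure IaC changes) as one added example; this is illustration code, not the deck's or any vendor's. The documents are constructed inline and shaped like a Kubernetes pod spec; a real tool would read the declared state from the IaC repository and the live state from the cluster API, and the policy rules would come from the customer's assurance policies.

```python
"""Added example, not from the deck or any vendor: comparing the declared (IaC)
state of a workload with its live state, and checking both against the policy
an admission controller or pull-request check would enforce.
All documents below are constructed for illustration."""
import copy

PINNED_IMAGE = "registry.example.test/api@sha256:" + "a" * 64

# Declared state: what the reviewed IaC says should run in production.
DECLARED = {
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "hostNetwork": False,
        "volumes": [],
        "containers": [{
            "name": "api",
            "image": PINNED_IMAGE,
            "securityContext": {"privileged": False, "runAsNonRoot": True,
                                "allowPrivilegeEscalation": False},
        }],
    },
}

# Live state after someone "fixed" a problem by hand on the cluster.
LIVE = copy.deepcopy(DECLARED)
LIVE["spec"]["containers"][0]["image"] = "registry.example.test/api:latest"
LIVE["spec"]["containers"][0]["securityContext"]["privileged"] = True
LIVE["spec"]["volumes"] = [{"name": "host", "hostPath": {"path": "/"}}]

# A proposed IaC change (a pull request) that would make the insecure state official.
PROPOSED = copy.deepcopy(DECLARED)
PROPOSED["spec"]["containers"][0]["securityContext"]["privileged"] = True

ABSENT = "<absent>"


def flatten(obj, prefix=""):
    """Nested dicts/lists -> {dotted.path[index]: leaf}, so two documents diff key by key."""
    if isinstance(obj, dict) and obj:
        return {k2: v2 for k, v in obj.items()
                for k2, v2 in flatten(v, f"{prefix}.{k}" if prefix else k).items()}
    if isinstance(obj, list) and obj:
        return {k2: v2 for i, v in enumerate(obj)
                for k2, v2 in flatten(v, f"{prefix}[{i}]").items()}
    return {prefix: obj}


def diff_state(declared, live):
    """Drift: every path whose value differs between declared and live state."""
    d, l = flatten(declared), flatten(live)
    return [(k, d.get(k, ABSENT), l.get(k, ABSENT))
            for k in sorted(set(d) | set(l)) if d.get(k, ABSENT) != l.get(k, ABSENT)]


def check_policy(doc):
    """Insecure-configuration rules; returns a list of violation strings (empty = compliant)."""
    v = []
    spec = doc["spec"]
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        v.append("shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"hostPath volume mounts {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{c['name']}: privileged")
        if sc.get("allowPrivilegeEscalation", True):
            v.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        if not sc.get("runAsNonRoot"):
            v.append(f"{c['name']}: may run as root")
        if "@sha256:" not in c.get("image", ""):
            v.append(f"{c['name']}: image not pinned by digest")
    return v


def assess(declared, live):
    """Reject the change if the IaC itself is insecure; reconcile the cluster
    if it has drifted from compliant IaC; otherwise nothing to do."""
    declared_v, live_v, drift = check_policy(declared), check_policy(live), diff_state(declared, live)
    if declared_v:
        action = "reject_change"
    elif drift:
        action = "reconcile"
    else:
        action = "none"
    return {"action": action, "drift": drift,
            "declared_violations": declared_v, "live_violations": live_v}


if __name__ == "__main__":
    result = assess(DECLARED, LIVE)
    print(result["action"])
    for path, want, have in result["drift"]:
        print(f"  {path}: declared={want!r} live={have!r}")
    for violation in result["live_violations"]:
        print("  live:", violation)
    print(assess(PROPOSED, LIVE)["action"])
```

The ordering in `assess` matters: reconciling a cluster back to IaC that is itself insecure would only re-deploy the problem, so the declared state is policy-checked first and a failing pull request never becomes the reconciliation target.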
33. Epic: run-time container drift prevention
Description
As someone responsible for workload security, I want to detect and stop any run-time container drift in critical production environments. If a deviation from expected behaviour is detected, the solution should automatically re-deploy the original container so that a potential run-time attack is mitigated without manual effort.
Problem
There is a lack of real-time visibility into what is going on inside containers, and strategies built around attack mitigation are riddled with noisy alerts. This can be tackled by increasing run-time immutability. While containers can be hardened by making the file system read-only, they remain vulnerable to fileless attacks that load an executable into memory and run it from there. The proposed feature identifies such drift and remediates it once detected.
Possible solution (can be changed based on engineering input)
1. Automatically profile the runtime behavior of a container and use this information to build an image profile. The profile can contain, but is not limited to:
   - Network activity
   - File system activity
   - Comprehensive file integrity monitoring (FIM) that detects changes in metadata
   - System calls
2. Optionally, the generated image profile can be audited by the security team to verify that it looks as expected.
3. The image profile can be used to apply container restrictions: create an allow-list for specific containers and block them from executing runtime activities outside it.
4. If a deviation from the container image profile is detected, re-deploy the original container to return to the approved state.
5. If a subsequent drift is detected within a reasonable time, stop the container and notify the cloud security team.
6. Notify users of in-memory drift detection and remediation.
7. Allow users to configure automatic re-deploy on drift detection per image.
User benefits
- Less reliance on runtime threat detection and mitigation
- Well suited for container-as-a-service and serverless function environments, letting security teams focus on pre-deployment scanning
- Reduces the effort required to manually create and update image profiles
- Automatically remediates the state in case of an attack
Acceptance criteria
- The feature should be able to detect fileless malicious attacks
- The system should automatically notify the user if a drift is detected
- The system should automatically re-deploy the original image seamlessly
- The image drift detection should not require installation of agents
- The image drift detection should not slow down or impact the performance of the workload
- The re-deployment of the production image should be seamless and without any downtime
- The system should be able to handle X workloads and clusters
Caveat on the "no agents" criterion: seeing an executable run from memory (for example a memfd-backed image) needs a vantage point on the host kernel, such as eBPF telemetry or a sensor the platform already provides, so "no agents" here has to mean no per-container sidecar and no customer-installed host agent, not the absence of any host-level instrumentation.
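The detection and remediation logic that slide 28 and this epic describe, as one added example (illustration code, not the deck's or any vendor's). The image baseline, the observed container state and the exec events are constructed inline; in practice the baseline comes from the image manifest, the observed state from the live filesystem, and the exec events from a kernel-level sensor such as an eBPF probe. Paths, hashes and the container id are made up.

```python
"""Added example, not from the deck or any vendor: detecting run-time drift of
a container against its image baseline and applying the epic's remediation
policy (re-deploy first, stop and notify on repeat).
All inputs below are constructed for illustration."""
from dataclasses import dataclass
import hashlib

EXEC_BITS = 0o111   # any execute bit set


@dataclass(frozen=True)
class FileState:
    sha256: str
    mode: int    # permission bits, including setuid/setgid
    uid: int


@dataclass(frozen=True)
class Drift:
    kind: str    # added_executable | modified | metadata | deleted | unapproved_exec | fileless_exec
    path: str
    detail: str = ""


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed baseline: the files the approved image ships with.
IMAGE_BASELINE = {
    "/usr/local/bin/app":   FileState(fingerprint(b"ELF app v1"), 0o755, 0),
    "/etc/app/config.yaml": FileState(fingerprint(b"listen: 8080\n"), 0o644, 0),
    "/bin/sh":              FileState(fingerprint(b"ELF busybox"), 0o755, 0),
}

# Constructed observation of the same container a few minutes after start.
OBSERVED = {
    "/usr/local/bin/app":   FileState(fingerprint(b"ELF app v1"), 0o755, 0),
    "/etc/app/config.yaml": FileState(fingerprint(b"listen: 8080\nadmin: true\n"), 0o644, 0),
    "/bin/sh":              FileState(fingerprint(b"ELF busybox"), 0o4755, 0),   # setuid bit added
    "/tmp/.x/payload":      FileState(fingerprint(b"ELF dropped"), 0o755, 1000),  # new executable
}

# Constructed exec events: paths the (hypothetical) sensor saw being executed.
# A memfd-backed path is an in-memory ("fileless") executable with no file behind it.
EXEC_EVENTS = ["/usr/local/bin/app", "/tmp/.x/payload", "/memfd:payload (deleted)"]


def detect_drift(baseline, observed, exec_events=()):
    """File-level drift against the baseline, plus executions that no approved file backs."""
    findings = []
    for path, cur in observed.items():
        ref = baseline.get(path)
        if ref is None:
            if cur.mode & EXEC_BITS:
                findings.append(Drift("added_executable", path))
            continue
        if cur.sha256 != ref.sha256:
            findings.append(Drift("modified", path))
        if (cur.mode, cur.uid) != (ref.mode, ref.uid):
            findings.append(Drift("metadata", path,
                                  f"mode {ref.mode:o}->{cur.mode:o} uid {ref.uid}->{cur.uid}"))
    for path in baseline:
        if path not in observed:
            findings.append(Drift("deleted", path))
    for path in exec_events:
        if path.startswith("/memfd:"):
            findings.append(Drift("fileless_exec", path))
        elif path not in baseline or observed.get(path) != baseline[path]:
            findings.append(Drift("unapproved_exec", path))
    return findings


class DriftRemediator:
    """Epic steps 4 and 5: the first drift inside the window re-deploys the approved
    image; a second drift inside the window stops the container and notifies."""

    def __init__(self, window_seconds=600):
        self.window = window_seconds
        self._last_redeploy = {}    # container id -> time of last re-deploy
        self.notifications = []     # what would be sent to the security team

    def handle(self, container_id, findings, now):
        if not findings:
            return "none"
        last = self._last_redeploy.get(container_id)
        if last is not None and now - last <= self.window:
            self.notifications.append((container_id, "stopped after repeated drift", tuple(findings)))
            return "stop_and_notify"
        self._last_redeploy[container_id] = now
        self.notifications.append((container_id, "re-deployed approved image", tuple(findings)))
        return "redeploy"


if __name__ == "__main__":
    found = detect_drift(IMAGE_BASELINE, OBSERVED, EXEC_EVENTS)
    for f in found:
        print(f"{f.kind:18} {f.path} {f.detail}")
    print(DriftRemediator().handle("api-7f9c", found, now=0))
```

The exec-event check is what catches the fileless case the epic's first acceptance criterion asks for: a read-only root filesystem and hash-based FIM never see a memfd image, so the execution itself has to be observed and compared against the baseline.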
34. Feature priority

Feature                          Business value  Customer impact  Effort
Zero trust configurations        High            High             Medium
Configuration drift prevention   High            Medium           Medium
Runtime drift protection         High            High             Medium
Networking drift prevention      Medium          Low              Medium
API drift prevention             High            High             Medium

Editor's Notes

  1. Based on level of abstraction
  2. https://www.checkpoint.com/cyber-hub/cloud-security/what-is-container-security/top-7-container-security-issues/ https://www.datadoghq.com/container-report/
  3. https://www.checkpoint.com/cyber-hub/cloud-security/what-is-container-security/top-7-container-security-issues/
  4. https://www.checkpoint.com/cyber-hub/cloud-security/what-is-container-security/top-7-container-security-issues/
  5. Source: https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
  6. Source: IDC market share 2021 https://www.trendmicro.com/explore/idc-cloud-workload-security/01586-c1-en-rpt
  7. Building or Acquiring CSPM capabilities
  8. Based on capability maturity assessed by Forrester
  9. Align this back to Market share
  10. Source: https://www.gartner.com/en/documents/3945611 https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
  11. The Essence of Strategy is Choosing What Not to Do