Case study for coming up with good candidate ideas for a new entrant in the CNAPP market (Cloud Native Application Protection)
2. Audience and Intent
This presentation was prepared as part of a case study on coming up with good candidate ideas for a new entrant in the CNAPP market (Cloud Native Application Protection Platform).
The imagined audience is the leadership at a startup in the CNAPP space, presented to by a product manager exploring the solution space for an MVP.
3. Where we play
Cloud application security covers three layers of the stack, each served today by a different product category:
- Applications (custom code, innersource, 3rd party OSS, APIs): AppSec and composition analysis products
- Workloads (containers, serverless functions, virtual machines, PaaS): Container Workload Protection (CWPP)
- Infrastructure (IaaS, identity and permissions, networking): Cloud Security Posture Management (CSPM)
5. Rapidly changing and ephemeral workloads
- More than 70% of containers live less than 5 mins
- Many containers only need to execute a function and terminate once complete
- Companies are becoming more efficient in cloud resource utilization
- Because they can be spun up, used, and discarded quickly, it can be difficult to get insights into their usage and security posture.
- Multiple containers typically run on a single host, which also increases the difficulty of tracking individual containers' activities.
Typical lifespan by workload type:
- Physical server: years
- Virtual machines: months to years
- Containers: minutes to days
- Serverless: seconds to minutes
6. Complete visibility into host and container activity
Getting visibility into dynamic containers is challenging because of their short-lived behavior, and understanding the security impact of a container is harder still. A number of approaches to gaining visibility into containers / workloads exist, but each comes with its own set of challenges.
Agent-based scanners
- Take time to install and scan, which can be too long for ephemeral workloads
- Require the installation of agents on individual container hosts, which can be tedious and resource-intensive
Agentless scanners
- Rely on network or log data, which can be incomplete or inaccurate
- May not be able to detect certain types of malicious activity, such as lateral movement or privilege escalation
7. Preventing misconfigurations, container drift
- Challenges
- 27% of survey respondents reported a public cloud security incident. Of those incidents, 23% resulted from misconfigurations.
- Human error is a common factor in many security incidents today. Manual processes leave room for typos, misconfigurations, and oversight that can lead to a breach. While IPS, IDS, and firewalling can help reduce risk after these misconfigurations occur, they don't go far enough.
- In an analysis run by Datadog on tens of thousands of customers, 40 percent of clusters in use still have lax privileges, which presents a security risk.
- Containers don't contain: if an attacker is able to exploit a vulnerability in OS components, they can compromise one or more workloads.
8. Threat detection is resource intensive and noisy
- Threat investigations take too long — often 20+ minutes per alert — and with hundreds of alerts per day, potential security threats go unexamined.
- Requires installation of agents or other sidecar containers to detect and analyze threats in the first place.
- It's cumbersome and frustrating to maintain rules to detect threats, and it's impossible to keep up with ever-changing attack profiles.
- Signature-based tools create a lot of noise.
- The lack of actionable, easy-to-configure reporting of suspicious activities further aggravates the problem in an alert-fatigued cloud security world.
9. Lack of cloud security professionals
Based on a survey of 775 security professionals in 2022, forty-five percent (45%) of respondents cited lack of qualified staff as their biggest day-to-day headache in trying to protect cloud workloads. Interestingly, this was followed by compliance (39%) and lack of visibility into infrastructure security (35%), as mentioned earlier.
According to one study, there were roughly 715,000 unfilled cybersecurity positions in the U.S. in 2021. Few IT organizations aren't suffering from a lack of skilled security personnel, which means security teams are overworked, understaffed and always have too many priorities on their plate.
11. Convergence of CWPP, CSPM into CNAPP
- Most organizations have stitched together a devsecops pipeline, often with 10 or more disparate security tools - old and new - each with a siloed responsibility and a limited view of risk
- The most commonly cited method in a Gartner survey for integrating different security tools is manual ingestion, which is error-prone and tedious
- Investment in DevOps security has increased recently due to the need for shift-left security, injecting security into the early stages of the software development life cycle
- Cloud infrastructure entitlement management (CIEM) and cloud network security are in wide use among early cloud adopters that used cloud-native solutions from their cloud service providers
- Companies are increasingly leveraging artificial intelligence/machine learning (AI/ML) capabilities to better manage risks. CNAPP solutions will have to shift left into the earliest stages of code development to create better insights into workload/application behavior and how it interacts within the cloud infrastructure, in order to increase automated threat detection and response capabilities. E.g.: Lacework
12. Cloud native application protection platform capabilities
- Container Workload Protection (CWPP): runtime protection, application monitoring, network segmentation
- Artifact scanning: SAST/DAST, API scanning, SCA, CVEs
- Exposure scanning: attack path analysis, cloud configuration, IaC scanning, cloud infrastructure entitlements management, Kubernetes Security Posture Management
Trends shaping these capabilities:
- Require CNAPP tools to shift-left into development
- Use AI/ML to prioritize threats and alerts and make reports actionable
- Use of open common standards for metrics and risk
14. Market Size
Cloud workload protection market
Gartner estimates the workload protection market to be $1.69B in 2021, growing at 18.1% YoY
(Source: Gartner https://www.gartner.com/en/documents/3945611)
In 2022
- Overall, the market for cloud workload security grew 36%.
- The complexity of protecting cloud workloads increased as applications moved from monolithic to microservices-based, linking hundreds or even thousands of loosely coupled services that are dynamic, ephemeral, and highly distributed.
- Security vendors offered new and innovative approaches to protecting those workloads, such as leveraging eBPF or block storage.
IDC pegged the worldwide CWPP market at $2.2B in 2022
15. Competitive landscape - CWPP
Most companies have been growing at an average of 35% YoY, with Lacework, Crowdstrike and Sysdig growing the fastest (200%, 100%, 60% from 2020 to 21)
Source: IDC market share 2021
https://www.trendmicro.com/explore/idc-cloud-workload-security/01586-c1-en-rpt
16. Positioning Change
Both traditional CWPP and traditional CSPM vendors are converging on CNAPP:
Traditional CWPP vendors, building / acquiring CSPM capabilities
- Aqua security
- Crowdstrike
- Lacework
- Palo Alto
- Sophos
- Sysdig
Traditional CSPM vendors, building / acquiring CWPP capabilities
- Checkpoint
- Orca Security
- Radware
- Rapid 7
- Wiz
17. Market Size - CNAPP
The global CNAPP market recorded revenue of $1.7B in 2021, representing year-over-year growth of 48.8%. Frost & Sullivan projects that momentum to continue at a compound annual growth rate of 25.7% from 2021 to 2026, with revenue reaching $5.4B in 2026.
Growth is driven by increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle.
Vendors shown: TrendMicro, PaloAlto, Crowdstrike, Lacework, Sysdig, Aqua security, Checkpoint, Orca, Wiz, Sophos (Source: Lacework report)
18. Looking at Sysdig and Aqua
Based on Gartner vendor assessment, as rated by customers
                      Sysdig          Aqua Security
Location              California, CA  Burlington, MA
# employees           500-100         250-500
Linkedin employees    847             615
Open Roles            113             27
Funding               $730M           $265M
Revenue               $200M           $50M
Capabilities compared for both vendors (per-vendor ratings not shown):
- Hardening, configuration and vuln management
- Workload segmentation, traffic visibility and optional network traffic encryption
- System integrity assurance
- Application controlling / whitelisting
- Exploit prevention / memory protection
20. Competitor Positioning
Capability comparison: Sysdig vs. Aqua Security
Strengths
- Container scanning, configuration drift detection, and orchestration platform protections
- Strong features in CIEM, CWPP / container protection, reporting and scalability
- Positioned strongly as a CNAPP vendor with strong capabilities in CWP, CIEM
- Great partner management metrics and processes
Weaknesses
- Lacks in CSPM
- High-availability explicit setup
- Configuration for data protection
- Configuring the use of third-party reputation services
- Explicit configuration of data sovereignty
- Patching, remediation, and built-in compliance policies in CWP
- Memory integrity protection and application binary control are behind
Feature strengths
- Malware and cryptomining detection with threat intelligence
- Digs directly into compromised or suspicious containers
- Automates scanning locally in continuous integration and continuous deployment (CI/CD) pipelines and registries
- Visualizes network communication between pods, services, and applications inside Kubernetes
- Conducts incident response using granular data with Kubernetes
- Continuously validates cloud security posture
- Kubernetes Security Posture Management (KSPM) and Kubernetes runtime protection provide policy-driven life cycle protection
- Real-time visibility into namespaces, deployments, nodes (hosts), containers and the images they came from
- Discovers malware hidden in open source packages and third-party images, preventing attacks on container-based applications
- Analyzes images in a secure, isolated, sandboxed environment before they arrive, examining and tracing behavioral anomalies
- Static and dynamic scanning to create flexible image assurance policies
Future capabilities plan
- Use real-time analysis to inspect virtual machines
- Create a unified model of runtime and posture policies
- Improve remediation in all CWS areas
- CSPM: plans to expand its security posture and container protection offerings
- Collect events and correlate them across the stack to identify attacks
- Build out automatic deployment of agents based on risk
22. Target Segments
Segment                      Revenue         Employee size    ACV     # of estimated companies   TAM
Large enterprise             >$1B            >5000            $100K   3,000                      $300M
Medium enterprise            $100M to $1B    1000 to 5000     $25K    20,000                     $500M
Mid market                   $50 to $100M    100 to 5000      $10K    80,000                     $800M
Small and medium businesses  >$50M           Less than 100    $3K     150,000                    $450M
Mid-market focus
- Large enterprises have compliance, scalability, integration and reporting needs
- While enterprises have a patchwork of security tools (CIEM, CWPP, CSPM), less mature organizations have the chance to implement a single integrated CNAPP platform
23. Orgs use multiple IaaS providers, some more popular
- Based on a survey of 700+ security professionals in 2022, most organizations are using multiple vendors to deploy their containers, with Azure and AWS being the most popular
- The initial MVP can be scoped to cover the most popular IaaS vendors
24. MVP Scope
To limit the scope of the MVP within the vast range of CNAPP capabilities, we can use the following criteria
● Deliver a minimal cloud workload security solution for the mid-market segment.
● The MVP should be scalable and able to mature into a CNAPP platform over time.
○ As these companies grow and expand, we would want the product to mature into a complete CNAPP platform over time
● The scope of the MVP can be limited to the most popular IaaS vendors (AWS, Azure)
● The proposed solution should be easy to implement, assuming customers at different levels of devsecops maturity
● Time to value realization must be low: ideally minutes, not days
● Proposed features should not be large in terms of effort involved. This will help us move fast and learn fast.
25. MVP Strategy - Where we play
Runtime protection needs
Assuming prescanning, the core runtime protection needs — such as segmentation, network monitoring and behavioral monitoring — may be delivered outside the workload.
In serverless PaaS environments, agents and privileged containers/sidecars will not work. Some CWPP vendors are focusing only on threat detection/response (sometimes referred to as workload detection and response). Users can choose to use these tools if the capability is required.
Workload segmentation orchestration
Segmentation orchestration is increasingly using the built-in capabilities of the underlying cloud platform. Many enterprises prefer using the built-in segmentation capabilities of the underlying cloud fabric (for example, Azure network security groups).
Customers expect CWPP vendors to have CSPM capabilities as well
26. MVP Goals
Zero Trust in Runtime Protection
It is not possible to defend against outside threats using modern firewalls, or to get meaningful data from log files in order to distinguish between good and bad events. Additionally, attempts to predict the permutations of authorized access in distributed computing have been unsuccessful. As a result, we assume that effectively preventing intrusions is an impractical idea.
Immutable workloads
Typically drift is introduced from 2 sources:
- Changes introduced by external actors - either humans or machines (scripts)
- Dependency of your resources on external data sources that change
Drift prevention is the cloud native answer to malware, worms and zero-day exploits.
28. Run-time in-memory drift detection and remediation
Problem
There is a lack of real-time visibility into what is going on inside containers. Strategies pursuing attack mitigation are riddled with noisy alerts. This can be tackled by increasing run-time immutability. While containers can be secured by making the file system read-only, they are still vulnerable to fileless attacks which store an executable in memory and execute it.
Proposed feature
- Enable workload memory drift detection / protection, which prevents execution of executable files added after a container is deployed into production
- Comprehensive file integrity monitoring (FIM) that detects changes in metadata
- Remediate container state automatically to the approved container state by re-deploying the original image; notify users of in-memory drift detection and remediation
Benefits
- Less reliance on runtime threat detection and mitigation.
- Well suited for container-as-a-service and serverless function environments, which allows security departments to focus on pre-deployment scanning: containers and serverless functions should be scanned for vulnerabilities and configuration issues before deployment
- Reduces the effort required to manually create and update image profiles
29. Continuous API discovery and drift control
Problem
To ensure multi-cloud environments are properly monitored and secured with regard to their APIs, comprehensive visibility and continual API discovery are necessary. Traditional solutions that protect web traffic and APIs usually rely on agent- or network-based measures to obtain detailed visibility, leading to high maintenance fees, incomplete surveillance, reduced API records, scalability issues and a lack of broader cloud security information.
Proposed feature
- Interactive API maps showing all API endpoints, requests, and server responses, with a focus on publicly exposed APIs
- Track newly added API endpoints, domains, subdomains, API paths, and API operations on those paths.
- Continuously monitor API behavior and usage and alert teams to potentially unwanted API drift.
Benefits
- Actionable data on API misconfigurations and vulnerabilities
- Stops internal threats
- Alerts on potentially risky API drift and changes.
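To make the API discovery and drift idea concrete, here is an added example (not part of the deck, and not any vendor's code) that builds an endpoint inventory from gateway access logs and alerts on endpoints absent from the declared baseline. It assumes a constructed log format of "timestamp client_ip method path status", a constructed internal address range (10.0.0.0/8) standing in for the organization's VPC, and a hand-written baseline of approved endpoints; numeric path segments are collapsed to {id} so that per-resource URLs map to one endpoint.

```python
"""Continuous API discovery from access logs with drift alerting.

Added example for the deck's slide 29; assumes a gateway / load-balancer log
in the constructed format "<timestamp> <client_ip> <method> <path> <status>".
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.1.5 GET /api/v1/users/123 200
2024-05-01T10:00:02Z 10.0.1.9 POST /api/v1/orders 201
2024-05-01T10:00:05Z 203.0.113.7 GET /api/v1/users/456 200
2024-05-01T10:00:09Z 198.51.100.4 GET /api/v1/admin/export 200
2024-05-01T10:00:11Z 10.0.2.3 DELETE /api/v1/orders/99 204
2024-05-01T10:00:15Z 203.0.113.7 GET /internal/debug/vars 200
"""

# Constructed: the organization's own address space; anything else is "public".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Collapse purely numeric path segments into {id} so /users/123 and /users/456
# are recorded as the single endpoint /users/{id}.
NUM_SEG = re.compile(r"/\d+(?=/|$)")


def normalize_path(path: str) -> str:
    return NUM_SEG.sub("/{id}", path.split("?", 1)[0])


def is_public(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str


@dataclass
class Observation:
    calls: int = 0
    public_calls: int = 0  # requests whose source is outside INTERNAL_NETS


def discover(log_text: str) -> dict[Endpoint, Observation]:
    """Build the endpoint inventory: one entry per (method, normalized path)."""
    inventory: dict[Endpoint, Observation] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        _, client, method, path, _ = m.groups()
        ep = Endpoint(method, normalize_path(path))
        obs = inventory.setdefault(ep, Observation())
        obs.calls += 1
        if is_public(client):
            obs.public_calls += 1
    return inventory


def detect_drift(baseline: set[Endpoint],
                 observed: dict[Endpoint, Observation]) -> list[str]:
    """Alert on observed endpoints missing from the approved baseline.
    Endpoints reached from public addresses are rated higher because they
    are exposed beyond the internal network."""
    alerts = []
    for ep, obs in sorted(observed.items(), key=lambda kv: (kv[0].path, kv[0].method)):
        if ep in baseline:
            continue
        sev = "HIGH" if obs.public_calls else "MEDIUM"
        alerts.append(f"{sev}: undeclared endpoint {ep.method} {ep.path} "
                      f"({obs.calls} calls, {obs.public_calls} from public addresses)")
    return alerts


# Constructed baseline: the endpoints the API owners have declared.
BASELINE = {Endpoint("GET", "/api/v1/users/{id}"), Endpoint("POST", "/api/v1/orders")}

if __name__ == "__main__":
    for alert in detect_drift(BASELINE, discover(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the undeclared admin export and debug endpoints are reported as HIGH because they were hit from outside the internal range, while the new DELETE operation on an existing path is MEDIUM; in a real deployment the baseline would come from the API specification or the previous discovery run, and the log source from the cloud provider's gateway or load-balancer logs.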
30. IaC drift and insecure configuration detection
Problem
A vast majority of security incidents are related to over-privileged containers and excessive permissions on user roles. 'Configuration drift' is the common term for this change that takes place in production environments. Customers create pre-defined assurance policies to automate the secure deployment of K8s applications at the K8s admission controller - but these can change over time.
Proposed feature
- Report drift and insecure configurations / resources via failed merge requests directly to developers
- Monitor the state of production clusters and reconcile them to their original declared state. Automatic rollback makes sure that the production system stays faithful to the declared state.
- Reject PRs to IaC that introduce changes away from allowed configuration states
Benefits
- Detect differences between the intended configuration represented by IaC and the actual state for AWS.
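As an added illustration of the declared-versus-live check behind this feature (example code written for this page, not the deck's or any vendor's implementation), the block below flattens a declared Kubernetes Pod manifest and the live object into dotted keys, diffs them, evaluates the live object against a small assurance policy, and produces a reconcile decision. Both manifests are constructed; the same diff would serve as the PR gate (run on the proposed manifest) and the cluster reconciler (run on what the API server reports).

```python
"""Declared-vs-live configuration drift and insecure-setting checks for a
Kubernetes workload. Added example for the deck's slide 30; manifests are
assumed to be plain dicts (e.g. parsed YAML or an API client response)."""
from __future__ import annotations
from typing import Any

# Constructed declared state: what the IaC repository says should run.
DECLARED = {
    "metadata": {"name": "payments", "namespace": "prod"},
    "spec": {"hostPID": False, "containers": [{
        "name": "app",
        "image": "registry.example/payments@sha256:aaaa",
        "securityContext": {"privileged": False, "runAsNonRoot": True,
                            "readOnlyRootFilesystem": True},
    }]},
}

# Constructed live state: someone hot-patched the image and relaxed the
# security context directly in the cluster, bypassing the IaC pipeline.
LIVE = {
    "metadata": {"name": "payments", "namespace": "prod"},
    "spec": {"hostPID": False, "containers": [{
        "name": "app",
        "image": "registry.example/payments:hotfix",
        "securityContext": {"privileged": True, "runAsNonRoot": True,
                            "readOnlyRootFilesystem": False},
    }]},
}

# Assurance policy: explicit values that must never appear in production.
# Absent keys are not flagged here; a stricter policy would require them.
POLICY = {
    "securityContext.privileged": (True, "privileged container"),
    "securityContext.readOnlyRootFilesystem": (False, "writable root filesystem"),
    "securityContext.runAsNonRoot": (False, "container may run as root"),
    "spec.hostPID": (True, "shares the host PID namespace"),
}


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts/lists into {'spec.containers[0].image': value, ...}."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def diff_state(declared: dict, live: dict) -> dict[str, tuple]:
    """Keys whose value differs, mapped to (declared, live)."""
    d, l = flatten(declared), flatten(live)
    return {k: (d.get(k), l.get(k))
            for k in sorted(set(d) | set(l)) if d.get(k) != l.get(k)}


def policy_violations(manifest: dict) -> list[str]:
    """Insecure settings present in a manifest (usable as a PR / admission gate)."""
    found = []
    for key, value in flatten(manifest).items():
        for suffix, (bad, msg) in POLICY.items():
            if key.endswith(suffix) and value == bad:
                found.append(f"{key}: {msg}")
    return found


def reconcile_plan(declared: dict, live: dict) -> dict:
    """What the reconciler should do: roll the cluster back to the declared
    state whenever the live object has drifted, and report why it matters."""
    drift = diff_state(declared, live)
    return {
        "drift": drift,
        "live_violations": policy_violations(live),
        "action": "rollback to declared state" if drift else "none",
    }


if __name__ == "__main__":
    plan = reconcile_plan(DECLARED, LIVE)
    for key, (want, got) in plan["drift"].items():
        print(f"drift {key}: declared={want!r} live={got!r}")
    for v in plan["live_violations"]:
        print("violation:", v)
    print("action:", plan["action"])
```

The image drift (a mutable tag replacing a pinned digest) is reported alongside the two policy violations, so the developer-facing failed merge request can say both what changed and why it is unsafe.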
33. Epic: Run-time container drift prevention
Description
As someone responsible for workload security, I want to detect and stop any run-time container drift for critical production environments. If a deviation from expected behaviour is detected, the solution should automatically re-deploy the original container so that a potential run-time attack can be mitigated effortlessly.
Problem
There is a lack of real-time visibility into what is going on inside containers. Strategies pursuing attack mitigation are riddled with noisy alerts. This can be tackled by increasing run-time immutability. While containers can be secured by making the file system read-only, they are still vulnerable to fileless attacks which store an executable in memory and execute it. The proposed feature aims to identify any memory drift and remediate it once detected.
Possible solutions (can be changed based on engineering inputs)
1. Automatically profile the runtime behavior of a container and use this information to build an image profile. The profile can contain information on the following, but is not limited to:
- Network activity
- File system activity
- Comprehensive file integrity monitoring (FIM) that detects changes in metadata
- System calls
2. Optionally, the generated image profile can be audited by the security team to verify that it looks as expected.
3. This image profile can be used to
- Apply container restrictions
- Create an allow-list for specific containers
- Block them from executing certain runtime activities
4. If a deviation from the container image profile is detected, re-deploy the original container to return to the approved container state
5. If a subsequent container drift is detected within a reasonable time, stop the container and notify the cloud security team
6. Notify users of in-memory drift detection and remediation
7. Allow users to configure auto re-deploy on drift detection on a per-image basis
User Benefits
- Less reliance on runtime threat detection and mitigation.
- Well suited for container-as-a-service and serverless function environments, which allows security departments to focus on scanning cloud-native workloads.
- Reduces the effort required to manually create and update image profiles
- Automatically remediates the state in case of an attack
Acceptance criteria
- The feature should be able to detect fileless malicious attacks
- The system should automatically notify the user if a drift is detected
- The system should automatically re-deploy the original image seamlessly
- The image drift detection should not require installation of agents
- The image drift detection should not slow down or impact the performance of the workload
- The re-deployment trigger of the production image should be seamless and without any downtime
- The system should be able to handle X workloads and clusters
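The run-time drift feature of slides 28 and 33 comes down to three checks: executables that appear after deployment, baselined executables whose content or metadata changed (FIM), and running code that is not backed by any baselined file (the fileless case). The block below is an added example written for this page, not the deck's or any vendor's implementation. It simulates the container root filesystem with a temporary directory and the process table with a constructed list of (pid, exe) pairs; on a real host the exe field would be the target of /proc/<pid>/exe, which resolves to "memfd:..." or ends in "(deleted)" when the code has no file on disk. The decide() function applies the epic's steps 4 and 5: redeploy on the first drift event, stop and escalate on a repeat.

```python
"""Runtime drift detection for an immutable container.

Added example for slides 28 and 33. The container rootfs is simulated with a
temporary directory and the process list is constructed, so it runs offline.
"""
from __future__ import annotations
import hashlib
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileRecord:
    mode: int      # permission bits: part of the FIM metadata
    size: int
    sha256: str


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str       # what /proc/<pid>/exe resolves to, relative to the rootfs


def _record(p: Path) -> FileRecord:
    st = p.stat()
    return FileRecord(stat.S_IMODE(st.st_mode), st.st_size,
                      hashlib.sha256(p.read_bytes()).hexdigest())


def is_executable(p: Path) -> bool:
    return p.is_file() and bool(p.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def baseline(root: Path) -> dict[str, FileRecord]:
    """Image profile: every executable under root at deploy time."""
    return {str(p.relative_to(root)): _record(p)
            for p in root.rglob("*") if is_executable(p)}


def detect_runtime_drift(root: Path, profile: dict[str, FileRecord],
                         procs: list[Proc]) -> list[str]:
    findings = []
    current = baseline(root)
    for rel, rec in current.items():
        if rel not in profile:
            findings.append(f"new executable added after deploy: {rel}")
        elif rec != profile[rel]:
            findings.append(f"executable modified (FIM): {rel}")
    for rel in profile:
        if rel not in current:
            findings.append(f"baselined executable removed: {rel}")
    for pr in procs:
        # Fileless indicators: code mapped from an anonymous memfd, or a file
        # unlinked after exec, has no path that could be in the image profile.
        if pr.exe.startswith("memfd:") or pr.exe.endswith("(deleted)"):
            findings.append(f"pid {pr.pid}: running code with no backing file ({pr.exe})")
        elif pr.exe not in profile:
            findings.append(f"pid {pr.pid}: executing non-baselined file {pr.exe}")
    return findings


def decide(findings: list[str], prior_drift_events: int) -> str:
    """Epic steps 4-5: redeploy on first drift, stop and escalate on repeat."""
    if not findings:
        return "ok"
    if prior_drift_events >= 1:
        return "stop container and notify security team"
    return "redeploy original image"


def demo() -> tuple[list[str], str]:
    """Build a tiny rootfs, baseline it, then apply post-deploy changes that an
    immutable workload must never see, and run the detector over the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/bin").mkdir(parents=True)
        app = root / "usr/bin/app"
        app.write_bytes(b"#!/bin/sh\necho app\n")
        app.chmod(0o755)
        profile = baseline(root)                     # taken at deploy time
        dropper = root / "tmp/x"                     # constructed: new binary
        dropper.parent.mkdir()
        dropper.write_bytes(b"\x7fELF...constructed")
        dropper.chmod(0o755)
        app.write_bytes(b"#!/bin/sh\necho trojaned\n")  # constructed: FIM change
        procs = [Proc(1, "usr/bin/app"),
                 Proc(42, "memfd:payload (deleted)"),  # constructed: fileless
                 Proc(43, "tmp/x")]
        findings = detect_runtime_drift(root, profile, procs)
        return findings, decide(findings, prior_drift_events=0)


if __name__ == "__main__":
    found, action = demo()
    print("\n".join(found))
    print("action:", action)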
34. Feature priority
Feature                          Business Value   Customer Impact   Effort
Zero trust configurations        High             High              Medium
Configuration drift prevention   High             Medium            Medium
Runtime drift protection         High             High              Medium
Networking drift prevention      Medium           Low               Medium
API drift prevention             High             High              Medium