Mandy Sidana, profile picture
Uploaded byMandy Sidana
PPTX, PDF106 views

Container Workload Security Solution Ideas by Mandy Sidana.pptx

This presentation discusses the challenges and strategies for securing container workloads in the context of cloud-native application protection (CNAPP). It highlights the rapid evolution and ephemeral nature of cloud resources, the difficulties in achieving visibility and threat detection, and the significant staffing shortages in the security sector. Additionally, it outlines proposed solutions, including real-time drift detection and automation, while emphasizing the growth potential and market dynamics within the CNAPP space.

Embed presentation

Download to read offline
Securing Container Workloads Mandy Sidana Dec 2022
Audience and Intent This presentation was prepared as a part of case study for coming up with good candidate ideas for a new entrant in the CNAPP market (Cloud Native Application Protection) The imagined audience for this presentation is the leadership at a startup in the CNAPP space being presented by a product manager exploring the solution space for an MVP.
Where we play Custom Code Applications Cloud Application Security Infrastructure APIs Workloads Innersource 3rd party OSS Containers Serverless functions Virtual Machines PaaS Identity and permissions IaaS Networking Container Workload Protection (CWPP) AppSec and composition analysis products Cloud Security Posture Mgmt. (CSPM)
Challenges For Cloud Security Professionals
Rapidly changing and ephemeral workloads - More than 70% of containers live less than 5 mins - Many containers only need to execute a function and terminate once complete - Companies are becoming more efficient in cloud resource utilization - Because they can be spun up, used, and discarded quickly, it can be difficult to get insights into their usage and security posture. - Multiple containers are typically running on a single host also increases the difficulty of tracking individual containers' activities. Lifespan of years Physical Server Months to Years Virtual Machines Minutes to Days Containers Seconds to Minutes Serverless
Complete visibility into host and container activity Getting visibility into dynamic containers is challenging due to their short-lived behaviors, and even more difficult to understand the container security impact. While a number of approaches exist in getting visibility into containers / workloads each comes with its own set of unique challenges Agents based scanners Agentless scanners - Take time to install and scan which can be too long for ephemeral workloads - Require the installation of agents on individual container hosts, which can be tedious and resource-intensive. - Rely on network or log data which can potentially be incomplete or inaccurate - May not be able to detect certain types of malicious activity such as lateral movement or privilege escalation.
Preventing misconfigurations, container drift - Challenges - 27% of a survey respondents reported a public cloud security incident. Of those incidents, 23% resulted from misconfigurations. - Human error is a common factor in many security incidents today. Manual processes leave room for typos, misconfigurations, and oversight that can lead to a breach. While IPS, IDS, and firewalling can help reduce risk after these misconfigurations occur, they don’t go far enough. - In an analysis run by Datadog on tens of thousands of customers, 40 percent of clusters being used by still use lax privileges, which presents a security risk. - Containers don't contain - If an attacker is able to exploit a vulnerability in OS components, they can compromise one or more workloads.
Threat detection is resource intensive and noisy - Treats investigations take too long — often 20+ minutes per alert — and with hundreds of alerts per day, potential security threats go unexamined. - Requires installation of agents or other side containers to detect and analyze threats in the first place. - It’s cumbersome and frustrating to maintain rules to detect threats, and it’s impossible to keep up with ever- changing attack profiles. - Signature-based tools create a lot of noise. - Lack of actionable and easy to configure reporting of suspicious activities further alleviates the problem for alert- fatigued cloud security world
Lack of cloud security professionals Based on a survey of 775 security professionals in 2022, Forty-five percent (45%) of respondents cited lack of qualified staff as their biggest day-to-day headache trying to protect cloud workloads. Interestingly, Followed by compliance (39%) and lack of visibility into infrastructure security (35%) as mentioned earlier. According to one study, there were roughly 715,000 unfilled cybersecurity positions in the U.S. in 2021. There are few IT organizations that aren't suffering from a lack of skilled security personnel which means security teams are over-worked, understaffed and always have too many priorities on their plate.
Emerging Trends Trends for container workload security
Convergence of CWPP, CPSM into CNAPP - Most organizations have stitched together devsecops pipeline often with 10 or more disparate security tools - old and new - each with a siloed responsibility and limited view of risk - Most commonly cited method in a Gartner survey for integrating different security tools is manual ingestion - which is error prone and tedious - Investment in DevOps security has increased recently due to the need for shift-left security to inject security in the early stage of the software development life cycle. - Cloud infrastructure entitlement management (CIEM) and cloud network security are in wide use among early cloud adopters that used cloud-native solutions from their cloud service providers. - Companies are increasingly leveraging artificial intelligence/machine learning (AI/ML) capabilities to better manage risks. CNAPP solutions will have to shift left into the earliest stages of code development to create better insights into the workload/application behavior and how it interacts within the cloud infrastructure in order to increase the automated threat detection and response capabilities. Eg: Lacework
Cloud native application protection platform capabilities Runtime Protection Application Monitoring Network Segmentation Container Workload Protection (CWPP) Exposure Scanning Artifact Scanning SAST/DAST API Scanning SCA CVEs Attack path Analysis Cloud Configuration IaC Scanning Cloud intra entitlements mgmt Kubernetes Security Posture Management Require CNAPP tools to shift-left into development Use AI/ML to prioritize threats, alerts and make reports actionable Use of open common standards for metrics, risk
Market Analysis
Market Size Cloud workload protection market Gartner estimates workload protection market to be $1.69B in 2021 growing at 18.1% YoY (Source: Gartner https://www.gartner.com/en/documents/3945611) In 2022 - Overall, the market for cloud workload security grew 36%. - The complexity of protecting cloud workloads increased as applications move from monolithic to microservices based, linking hundreds or even thousands of loosely coupled services that are dynamic, ephemeral, and highly distributed. - Security vendors offered new and innovative approaches to protecting those workloads such as leveraging eBPF or block storage. IDC pegged the worldwide CWPP market at $2.2B in 2022
Competitive landscape - CWPP Most companies have been growing at an average of 35% YoY with Lacework, Crowdstrike and Sysdig growing the fastest (200%, 100%, 60% from 2020 to 21) Source: IDC market share 2021 https://www.trendmicro.com/explore/idc- cloud-workload-security/01586-c1-en-rpt
Positioning Change CNAPP Traditional CWPP Vendors - Aqua security - Crowdstrike - Lacework - Palo Alto - Sophos - Sysdig Traditional CSPM Vendors - Checkpoint - Orca Security - Radware - Rapid 7 - Wiz Building / Acquiring CSPM capabilities Building / Acquiring CWPP capabilities
Market Size - CNAPP The global CNAPP market recorded revenue of $1.7B in 2021, representing year-over-year growth of 48.8%. Frost & Sullivan projects that momentum to continue at a compound annual growth rate of 25.7% from 2021 to 2026, with revenue reaching $5.4B in 2026 Growth is drive by increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle. TrendMicro PaloAlto Crowdstrike Lacework Sysdig Aqua security Checkpoint Orca Wiz Sophos Lacework Report
Looking at Sysdig and Aqua Based on Gartner vendor assessment - as rated by customers Sysdig Aqua Security California, CA Burlington, MA # employees 500-100 250-500 Linkedin employees 847 615 Open Roles 113 27 Funding $730M $265M Revenue $200M $50M Capability Sysdig Aqua Security Hardening, configuration and vuln management Workload segmentation, traffic visibility and optional network traffic encryption System integrity assurance Application controlling / whitelisting Exploit prevention / memory protection
Strategy Map (CNAPP)
Competitor Positioning Capability Sysdig Aqua Security Strengths - Container scanning, configuration drift detection, and orchestration platform protections - Strong features in CIEM, CWPP / container protection, reporting and scalability. - Positioned strongly as a CNAPP vendor with strong capabilities in CWP, CIEM - Great partner management metrics and processes Weaknesses - Lacks in CSPM - High-availability explicit setup, - Configuration for data protection, - Configuring the use of third-party reputation services - Explicit configuration of data sovereignty; - Patching, remediation, and built-in compliance policies in CWP - Memory integrity protection and application binary control are behind Feature strengths Malware and cryptomining detection with threat intelligence Digs directly into compromised or suspicious containers Automates scanning locally in continuous integration and continuous deployment (CI/CD) pipelines and registries Visualizes network communication between pods, services, and applications inside Kubernetes Conducts incident response using granular data with Kubernetes Continuously validates cloud security posture Kubernetes Security Posture Management (KSPM) and Kubernetes runtime protection provide policy-driven life cycle protection Real-time visibility into namespaces, deployments, nodes (hosts), containers and the images they came from Discover malware hidden in open source packages and third-party images, preventing attacks on container-based applications Analyzes images before they arrive in a secure isolated sandboxed environment, examining and tracing behavioral anomalies Static and dynamic scanning to create flexible image assurance policies Future capabilities plan - Use real time analysis to inspect virtual machines - Create a unified model of runtime and posture policies - Improve remediation in all CWS areas - CPSM - plans to expand it security posture and container protection offerings - collect events and correlate them across the stack to identify attacks - build out an automatic deployment of agents based on risk.
Problem Space Finding the right problem to solve
Target Segments Revenue Employee Size ACV # of estimated companies TAM Large Enterprise >$1B >5000 $100K 3,000 $300M Medium enterprise $100M TO $1B 1000 to 5000 $25K 20,000 $500M Mid Market $50 to $100M 100 to 5000 $10K 80,000 $800M Small and medium businesses >$50M Less than 100 $3K 150,000 $450M Mid - market focus - Large enterprise have compliance, scalability, integration and reporting needs - While enterprise have a patchwork of security tools (CIEM, CWPP, CSPM), less mature organizations have the change to implement a single integrated CNAPP platform
Orgs use multiple IaaS provides, some more popular - Based on a survey of 700+ security professionals in 2022, most organizations are using multiple vendors to deploy their containers, with Azure and AWS being the most popular - The initial MVP can be scoped to cover as the most popular IaaS vendors
MVP Scope To limit the scope for the MVP from the vast majority of CNAPP capabilities, we can use the following criteria ● Deliver a minimal cloud workload security solution for mid-market segment. ● The MVP should be scalable and can be matured into a CNAPP platform over time. ○ As these companies grow and expand, we would want the product to mature into complete CNAPP platform over time ● The scope of the MVP can be limited to most popular IaaS vendors (AWS, Azure) ● The proposed solution should be easy to implement assuming customers at different levels of devsecops maturity ● Time to value realization must be low ideally minutes not days ● Proposed features should not be large in terms of effort involved. This will help move fast and learn fast.
MVP Strategy - Where we play Runtime protection needs Assuming prescanning, the core runtime protection needs — such as segmentation, network monitoring and behavioral monitoring — may be delivered outside the workload. In serverless PaaS environments, agents and privileged containers/sidecars will not work. Some CWPP vendors are focusing only on the threat detection/response (sometimes referred to as workload detection and response). Users can choose to use these tools if the capability is required. Workload segmentation orchestration Segmentation orchestration is increasingly using the built-in capabilities of the underlying cloud platform. Many enterprises prefer using the built-in segmentation capabilities of the underlying cloud fabric (for example, Azure network security groups) Customers expect CWPP vendors to have CSPM capabilities as well
MVP Goals Zero Trust in Runtime Protection It is not possible to defend against outside threats using modern firewalls or to get meaningful data from log files in order to distinguish between good and bad events. Additionally, attempts to predict the permutations of authorized access in distributed computing have been unsuccessful. As a result, we assume that effectively preventing intrusions is an impractical idea. Immutable workloads Typically drift is introduced from 2 sources - Changes introduced by external actors - either humans or machines (scripts) - Dependency of your resources on external data sources that change Drift prevention is the cloud native answer to malware, worms and zero-day exploits.
Solution Space Candidates for CNAPP Solution MVP
Run-time in-memory drift detection and remediation Problem There is a lack of real-time visibility into what is going on inside containers. Strategies pursuing attack mitigation are riddled with noisy alerts. This can be tackled by increase run-time immutability. While containers can be secured by making the file system read-only, they are still vulnerable to fileless malicious attacks which store an executable in memory and execute it. Proposed feature - Enable workloads memory drift detection / protection which prevents execution of executable files added after a container is deployed into production - Comprehensive file integrity monitoring (FIM) that detects changes in metadata - Remediate container state automatically to the approved container state by re-deploying the original image Notify users of in-memory drift detection and remediation Benefits? - Less reliance on runtime threat detection and mitigation. - Well suited for container-as-a-service and serverless function environments which allows security departments to focus on scanning cloud- native. Containers and serverless functions should be scanned for vuln and configuration pre-deployment - Reduces the effort required to manually create and update image profiles
Continuous API discovery and drift control Problem To ensure multi-cloud environments are properly monitored and secured with regard to their APIs, comprehensive visibility and continual API discovery is necessary. Traditional solutions that protect web traffic and APIs usually rely on agent- or network-based measures to obtain detailed visibility, leading to high maintenance fees, incomplete surveillance, reduced API records, scalability issues and a lack of broader cloud security information. Proposed feature - Interactive API maps showing all API endpoints, requests, and server responses with focus on publicly exposed APIs - Track newly added API endpoints, domains, subdomains, API paths, and API operations on those paths. - Continuously monitor API behavior and usage and alert teams to potentially unwanted API drift. Benefits - Actionable data on API misconfigurations and vulnerabilities - Stops internal threats - Alerts on potentially risky API drift and changes.
IaC drift and insecure configuration detection Problem A vast majority of security incidents are related to over-privileged containers and excessive permissions on user roles. ‘Configuration drift’ is a common term to describe this change that takes place in production environments. Customers create pre-defined assurance policies to automate the secure deployment of K8s applications at K8s admission controller - but these can change over time. Proposed feature - Reporting drift and insecure configurations/ resources via failed merge requests directly to developers - Monitor the state of production clusters and reconciles them to their original declared state. Automatically rollback make sure that production system stays faithful to the declared state. - Reject PRs to IaC that present changes from allowed configuration states Benefits - Detect differences between the intended configuration represented by IaC, and the actual state for AWS.
Questions?
Appendix
Epic Run-time container drift prevention Desc. As someone responsible for workload security, I want to detect and stop any run-time container drift for critical production environments. If a deviation from expected behaviour is detected, the solution should automatically re-deploy the original container so potential run-time attack can be mitigated effortlessly. Problem There is a lack of real-time visibility into what is going on inside containers. Strategies pursuing attack mitigation are riddled with noisy alerts. This can be tackled by increase run-time immutability. While containers can be secured by making the file system read-only, they are still vulnerable to fileless malicious attacks which store an executable in memory and execute it. The proposed feature aims to identify any memory drift and remediate it once detected. Possible solutions ( Can be changed based on engg inputs) 1. Automatically profile the runtime behavior of a container and use this information to build an image profile. The profile can contain information on the following, but not limited to - Network activity - File system activity - Comprehensive file integrity monitoring (FIM) that detects changes in metadata - System calls 2. Optionaly, the image profile generated can be audited by the security team to verify if the image profile looks as expected. 3. This image profile can be used to - Apply container restriction - Create an allow-list for specific containers - Blocking them from executing certain runtime activities 4. If a deviation from container image profile is detected, re-deploy the original container to get to the approved container state 5. If a subsequent container drift is detected within a reasonable time, stop the container and notify the cloud security team 6. Notify users of in-memory drift detection and remediation 7. Allow users to configure auto re-deploy if drift detected on image basis User Benefits Less reliance on runtime threat detection and mitigation. Well suited for container-as-a-service and serverless function environments which allows security departments to focus on scanning cloud-native. Reduces the effort required to manually create and update image profiles Automatically remediates the state in case of an attack ACs - The feature should be able to detect fileless malicious attacks - The system should automatically notify the user if a drift is detected - The system should automatically re-deploy the original image seamlessly - The image drift detection should not require installation of agents - The image drift detection should not slow down or impact the performance of the workload - The re-deployment trigger of production image should be seamless and with any downtime - The system should be able to handle a X number of workloads and clusters
Feature priority Business Value Customer Impact Effort Zero trust configurations High High Medium Configuration drift prevention High Medium Medium Runtime drift protection High High Medium Networking drift prevention Medium Low Medium API drift prevention High High Medium

More Related Content

PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PPTX
CLOUD NATIVE SECURITY
byMaganathin Veeraragaloo
 
PDF
Security Teams & Tech In A Cloud World
byMark Nunnikhoven
 
PPTX
Cloud Security in 2025_ Top Challenges, Daily Risks & Key Threats You Need to...
byinfosprintseo
 
PDF
Security that Scales with Cloud Native Development
byPanoptica
 
PDF
Cloud Security Enforcement First Meetup 10092025.pdf
bylior mazor
 
PDF
Cloud Security Services: Safeguarding Enterprise Data, Applications, and Infr...
bybasilmph
 
PDF
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
CLOUD NATIVE SECURITY
byMaganathin Veeraragaloo
 
Security Teams & Tech In A Cloud World
byMark Nunnikhoven
 
Cloud Security in 2025_ Top Challenges, Daily Risks & Key Threats You Need to...
byinfosprintseo
 
Security that Scales with Cloud Native Development
byPanoptica
 
Cloud Security Enforcement First Meetup 10092025.pdf
bylior mazor
 
Cloud Security Services: Safeguarding Enterprise Data, Applications, and Infr...
bybasilmph
 
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 

Similar to Container Workload Security Solution Ideas by Mandy Sidana.pptx

PDF
Unified Protection for Multi-Cloud Infrastructure
byMarketingArrowECS_CZ
 
PDF
Cloud Infrastructure Security: Navigating Threats & Overcoming Challenges
byTeleglobal International
 
PDF
How We Protect Our Business in the Cloud (The Smart Way)
byCyberShield IT
 
PPTX
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
byPrime Infoserv
 
PDF
Avoiding Limitations of Traditional Approaches to Security
byMighty Guides, Inc.
 
PDF
Security in the cloud planning guide
byYury Chemerkin
 
PDF
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
byCloudPassage
 
PPTX
093049ov4.pptx
byNguyenNM
 
PPTX
security and compliance in the cloud
byAjay Rathi
 
PPTX
Cloud Security By Dr. Anton Ravindran
byGSTF
 
PDF
Presd1 10
byNiels Groeneveld
 
PDF
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
byDevOps.com
 
PDF
Security Considerations When Using Cloud Infrastructure Services.pdf
byCiente
 
PPT
Cloud Computing Security Issues
byDiscover Cloud Computing
 
PPTX
TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud A...
byRavinder Reddy Amanaganti
 
PPTX
CSS17: Atlanta - Realities of Security in the Cloud
byAlert Logic
 
PPTX
stackArmor - Security MicroSummit - McAfee
byGaurav "GP" Pal
 
PDF
Symantec Best Practices for Cloud Security: Insights from the Front Lines
bySymantec
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PDF
Avoiding Container Vulnerabilities
byMighty Guides, Inc.
 
Unified Protection for Multi-Cloud Infrastructure
byMarketingArrowECS_CZ
 
Cloud Infrastructure Security: Navigating Threats & Overcoming Challenges
byTeleglobal International
 
How We Protect Our Business in the Cloud (The Smart Way)
byCyberShield IT
 
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
byPrime Infoserv
 
Avoiding Limitations of Traditional Approaches to Security
byMighty Guides, Inc.
 
Security in the cloud planning guide
byYury Chemerkin
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
byCloudPassage
 
093049ov4.pptx
byNguyenNM
 
security and compliance in the cloud
byAjay Rathi
 
Cloud Security By Dr. Anton Ravindran
byGSTF
 
Presd1 10
byNiels Groeneveld
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
byDevOps.com
 
Security Considerations When Using Cloud Infrastructure Services.pdf
byCiente
 
Cloud Computing Security Issues
byDiscover Cloud Computing
 
TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud A...
byRavinder Reddy Amanaganti
 
CSS17: Atlanta - Realities of Security in the Cloud
byAlert Logic
 
stackArmor - Security MicroSummit - McAfee
byGaurav "GP" Pal
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
bySymantec
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Avoiding Container Vulnerabilities
byMighty Guides, Inc.
 

Recently uploaded

PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PPTX
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PPTX
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PDF
Smart Cloud Solutions-Smart,Secure & Scalable
byfloydjsmith02
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PPTX
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PDF
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
Smart Cloud Solutions-Smart,Secure & Scalable
byfloydjsmith02
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 

Container Workload Security Solution Ideas by Mandy Sidana.pptx

  • 1.
  • 2.
    Audience and Intent Thispresentation was prepared as a part of case study for coming up with good candidate ideas for a new entrant in the CNAPP market (Cloud Native Application Protection) The imagined audience for this presentation is the leadership at a startup in the CNAPP space being presented by a product manager exploring the solution space for an MVP.
  • 3.
    Where we playCustom Code Applications Cloud Application Security Infrastructure APIs Workloads Innersource 3rd party OSS Containers Serverless functions Virtual Machines PaaS Identity and permissions IaaS Networking Container Workload Protection (CWPP) AppSec and composition analysis products Cloud Security Posture Mgmt. (CSPM)
  • 4.
  • 5.
    Rapidly changing andephemeral workloads - More than 70% of containers live less than 5 mins - Many containers only need to execute a function and terminate once complete - Companies are becoming more efficient in cloud resource utilization - Because they can be spun up, used, and discarded quickly, it can be difficult to get insights into their usage and security posture. - Multiple containers are typically running on a single host also increases the difficulty of tracking individual containers' activities. Lifespan of years Physical Server Months to Years Virtual Machines Minutes to Days Containers Seconds to Minutes Serverless
  • 6.
    Complete visibility intohost and container activity Getting visibility into dynamic containers is challenging due to their short-lived behaviors, and even more difficult to understand the container security impact. While a number of approaches exist in getting visibility into containers / workloads each comes with its own set of unique challenges Agents based scanners Agentless scanners - Take time to install and scan which can be too long for ephemeral workloads - Require the installation of agents on individual container hosts, which can be tedious and resource-intensive. - Rely on network or log data which can potentially be incomplete or inaccurate - May not be able to detect certain types of malicious activity such as lateral movement or privilege escalation.
  • 7.
    Preventing misconfigurations, containerdrift - Challenges - 27% of a survey respondents reported a public cloud security incident. Of those incidents, 23% resulted from misconfigurations. - Human error is a common factor in many security incidents today. Manual processes leave room for typos, misconfigurations, and oversight that can lead to a breach. While IPS, IDS, and firewalling can help reduce risk after these misconfigurations occur, they don’t go far enough. - In an analysis run by Datadog on tens of thousands of customers, 40 percent of clusters being used by still use lax privileges, which presents a security risk. - Containers don't contain - If an attacker is able to exploit a vulnerability in OS components, they can compromise one or more workloads.
  • 8.
    Threat detection isresource intensive and noisy - Treats investigations take too long — often 20+ minutes per alert — and with hundreds of alerts per day, potential security threats go unexamined. - Requires installation of agents or other side containers to detect and analyze threats in the first place. - It’s cumbersome and frustrating to maintain rules to detect threats, and it’s impossible to keep up with ever- changing attack profiles. - Signature-based tools create a lot of noise. - Lack of actionable and easy to configure reporting of suspicious activities further alleviates the problem for alert- fatigued cloud security world
  • 9.
    Lack of cloudsecurity professionals Based on a survey of 775 security professionals in 2022, Forty-five percent (45%) of respondents cited lack of qualified staff as their biggest day-to-day headache trying to protect cloud workloads. Interestingly, Followed by compliance (39%) and lack of visibility into infrastructure security (35%) as mentioned earlier. According to one study, there were roughly 715,000 unfilled cybersecurity positions in the U.S. in 2021. There are few IT organizations that aren't suffering from a lack of skilled security personnel which means security teams are over-worked, understaffed and always have too many priorities on their plate.
  • 10.
  • 11.
    Convergence of CWPP,CPSM into CNAPP - Most organizations have stitched together devsecops pipeline often with 10 or more disparate security tools - old and new - each with a siloed responsibility and limited view of risk - Most commonly cited method in a Gartner survey for integrating different security tools is manual ingestion - which is error prone and tedious - Investment in DevOps security has increased recently due to the need for shift-left security to inject security in the early stage of the software development life cycle. - Cloud infrastructure entitlement management (CIEM) and cloud network security are in wide use among early cloud adopters that used cloud-native solutions from their cloud service providers. - Companies are increasingly leveraging artificial intelligence/machine learning (AI/ML) capabilities to better manage risks. CNAPP solutions will have to shift left into the earliest stages of code development to create better insights into the workload/application behavior and how it interacts within the cloud infrastructure in order to increase the automated threat detection and response capabilities. Eg: Lacework
  • 12.
    Cloud native applicationprotection platform capabilities Runtime Protection Application Monitoring Network Segmentation Container Workload Protection (CWPP) Exposure Scanning Artifact Scanning SAST/DAST API Scanning SCA CVEs Attack path Analysis Cloud Configuration IaC Scanning Cloud intra entitlements mgmt Kubernetes Security Posture Management Require CNAPP tools to shift-left into development Use AI/ML to prioritize threats, alerts and make reports actionable Use of open common standards for metrics, risk
  • 13.
  • 14.
    Market Size Cloud workloadprotection market Gartner estimates workload protection market to be $1.69B in 2021 growing at 18.1% YoY (Source: Gartner https://www.gartner.com/en/documents/3945611) In 2022 - Overall, the market for cloud workload security grew 36%. - The complexity of protecting cloud workloads increased as applications move from monolithic to microservices based, linking hundreds or even thousands of loosely coupled services that are dynamic, ephemeral, and highly distributed. - Security vendors offered new and innovative approaches to protecting those workloads such as leveraging eBPF or block storage. IDC pegged the worldwide CWPP market at $2.2B in 2022
  • 15.
    Competitive landscape -CWPP Most companies have been growing at an average of 35% YoY with Lacework, Crowdstrike and Sysdig growing the fastest (200%, 100%, 60% from 2020 to 21) Source: IDC market share 2021 https://www.trendmicro.com/explore/idc- cloud-workload-security/01586-c1-en-rpt
  • 16.
    Positioning Change CNAPP Traditional CWPPVendors - Aqua security - Crowdstrike - Lacework - Palo Alto - Sophos - Sysdig Traditional CSPM Vendors - Checkpoint - Orca Security - Radware - Rapid 7 - Wiz Building / Acquiring CSPM capabilities Building / Acquiring CWPP capabilities
  • 17.
    Market Size -CNAPP The global CNAPP market recorded revenue of $1.7B in 2021, representing year-over-year growth of 48.8%. Frost & Sullivan projects that momentum to continue at a compound annual growth rate of 25.7% from 2021 to 2026, with revenue reaching $5.4B in 2026 Growth is drive by increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle. TrendMicro PaloAlto Crowdstrike Lacework Sysdig Aqua security Checkpoint Orca Wiz Sophos Lacework Report
  • 18.
    Looking at Sysdigand Aqua Based on Gartner vendor assessment - as rated by customers Sysdig Aqua Security California, CA Burlington, MA # employees 500-100 250-500 Linkedin employees 847 615 Open Roles 113 27 Funding $730M $265M Revenue $200M $50M Capability Sysdig Aqua Security Hardening, configuration and vuln management Workload segmentation, traffic visibility and optional network traffic encryption System integrity assurance Application controlling / whitelisting Exploit prevention / memory protection
  • 19.
  • 20.
    Competitor Positioning Capability SysdigAqua Security Strengths - Container scanning, configuration drift detection, and orchestration platform protections - Strong features in CIEM, CWPP / container protection, reporting and scalability. - Positioned strongly as a CNAPP vendor with strong capabilities in CWP, CIEM - Great partner management metrics and processes Weaknesses - Lacks in CSPM - High-availability explicit setup, - Configuration for data protection, - Configuring the use of third-party reputation services - Explicit configuration of data sovereignty; - Patching, remediation, and built-in compliance policies in CWP - Memory integrity protection and application binary control are behind Feature strengths Malware and cryptomining detection with threat intelligence Digs directly into compromised or suspicious containers Automates scanning locally in continuous integration and continuous deployment (CI/CD) pipelines and registries Visualizes network communication between pods, services, and applications inside Kubernetes Conducts incident response using granular data with Kubernetes Continuously validates cloud security posture Kubernetes Security Posture Management (KSPM) and Kubernetes runtime protection provide policy-driven life cycle protection Real-time visibility into namespaces, deployments, nodes (hosts), containers and the images they came from Discover malware hidden in open source packages and third-party images, preventing attacks on container-based applications Analyzes images before they arrive in a secure isolated sandboxed environment, examining and tracing behavioral anomalies Static and dynamic scanning to create flexible image assurance policies Future capabilities plan - Use real time analysis to inspect virtual machines - Create a unified model of runtime and posture policies - Improve remediation in all CWS areas - CPSM - plans to expand it security posture and container protection offerings - collect events and correlate them across the stack to identify attacks - build out an automatic deployment of agents based on risk.
  • 21.
    Problem Space Finding theright problem to solve
  • 22.
    Target Segments Revenue Employee Size ACV # ofestimated companies TAM Large Enterprise >$1B >5000 $100K 3,000 $300M Medium enterprise $100M TO $1B 1000 to 5000 $25K 20,000 $500M Mid Market $50 to $100M 100 to 5000 $10K 80,000 $800M Small and medium businesses >$50M Less than 100 $3K 150,000 $450M Mid - market focus - Large enterprise have compliance, scalability, integration and reporting needs - While enterprise have a patchwork of security tools (CIEM, CWPP, CSPM), less mature organizations have the change to implement a single integrated CNAPP platform
  • 23.
    Orgs use multipleIaaS provides, some more popular - Based on a survey of 700+ security professionals in 2022, most organizations are using multiple vendors to deploy their containers, with Azure and AWS being the most popular - The initial MVP can be scoped to cover as the most popular IaaS vendors
  • 24.
    MVP Scope To limitthe scope for the MVP from the vast majority of CNAPP capabilities, we can use the following criteria ● Deliver a minimal cloud workload security solution for mid-market segment. ● The MVP should be scalable and can be matured into a CNAPP platform over time. ○ As these companies grow and expand, we would want the product to mature into complete CNAPP platform over time ● The scope of the MVP can be limited to most popular IaaS vendors (AWS, Azure) ● The proposed solution should be easy to implement assuming customers at different levels of devsecops maturity ● Time to value realization must be low ideally minutes not days ● Proposed features should not be large in terms of effort involved. This will help move fast and learn fast.
  • 25.
    MVP Strategy -Where we play Runtime protection needs Assuming prescanning, the core runtime protection needs — such as segmentation, network monitoring and behavioral monitoring — may be delivered outside the workload. In serverless PaaS environments, agents and privileged containers/sidecars will not work. Some CWPP vendors are focusing only on the threat detection/response (sometimes referred to as workload detection and response). Users can choose to use these tools if the capability is required. Workload segmentation orchestration Segmentation orchestration is increasingly using the built-in capabilities of the underlying cloud platform. Many enterprises prefer using the built-in segmentation capabilities of the underlying cloud fabric (for example, Azure network security groups) Customers expect CWPP vendors to have CSPM capabilities as well
  • 26.
    MVP Goals Zero Trustin Runtime Protection It is not possible to defend against outside threats using modern firewalls or to get meaningful data from log files in order to distinguish between good and bad events. Additionally, attempts to predict the permutations of authorized access in distributed computing have been unsuccessful. As a result, we assume that effectively preventing intrusions is an impractical idea. Immutable workloads Typically drift is introduced from 2 sources - Changes introduced by external actors - either humans or machines (scripts) - Dependency of your resources on external data sources that change Drift prevention is the cloud native answer to malware, worms and zero-day exploits.
  • 27.
  • 28.
    Run-time in-memory driftdetection and remediation Problem There is a lack of real-time visibility into what is going on inside containers. Strategies pursuing attack mitigation are riddled with noisy alerts. This can be tackled by increase run-time immutability. While containers can be secured by making the file system read-only, they are still vulnerable to fileless malicious attacks which store an executable in memory and execute it. Proposed feature - Enable workloads memory drift detection / protection which prevents execution of executable files added after a container is deployed into production - Comprehensive file integrity monitoring (FIM) that detects changes in metadata - Remediate container state automatically to the approved container state by re-deploying the original image Notify users of in-memory drift detection and remediation Benefits? - Less reliance on runtime threat detection and mitigation. - Well suited for container-as-a-service and serverless function environments which allows security departments to focus on scanning cloud- native. Containers and serverless functions should be scanned for vuln and configuration pre-deployment - Reduces the effort required to manually create and update image profiles
  • 29.
    Continuous API discoveryand drift control Problem To ensure multi-cloud environments are properly monitored and secured with regard to their APIs, comprehensive visibility and continual API discovery is necessary. Traditional solutions that protect web traffic and APIs usually rely on agent- or network-based measures to obtain detailed visibility, leading to high maintenance fees, incomplete surveillance, reduced API records, scalability issues and a lack of broader cloud security information. Proposed feature - Interactive API maps showing all API endpoints, requests, and server responses with focus on publicly exposed APIs - Track newly added API endpoints, domains, subdomains, API paths, and API operations on those paths. - Continuously monitor API behavior and usage and alert teams to potentially unwanted API drift. Benefits - Actionable data on API misconfigurations and vulnerabilities - Stops internal threats - Alerts on potentially risky API drift and changes.
  • 30.
    IaC drift andinsecure configuration detection Problem A vast majority of security incidents are related to over-privileged containers and excessive permissions on user roles. ‘Configuration drift’ is a common term to describe this change that takes place in production environments. Customers create pre-defined assurance policies to automate the secure deployment of K8s applications at K8s admission controller - but these can change over time. Proposed feature - Reporting drift and insecure configurations/ resources via failed merge requests directly to developers - Monitor the state of production clusters and reconciles them to their original declared state. Automatically rollback make sure that production system stays faithful to the declared state. - Reject PRs to IaC that present changes from allowed configuration states Benefits - Detect differences between the intended configuration represented by IaC, and the actual state for AWS.
  • 31.
  • 32.
  • 33.
    Epic Run-time containerdrift prevention Desc. As someone responsible for workload security, I want to detect and stop any run-time container drift for critical production environments. If a deviation from expected behaviour is detected, the solution should automatically re-deploy the original container so potential run-time attack can be mitigated effortlessly. Problem There is a lack of real-time visibility into what is going on inside containers. Strategies pursuing attack mitigation are riddled with noisy alerts. This can be tackled by increase run-time immutability. While containers can be secured by making the file system read-only, they are still vulnerable to fileless malicious attacks which store an executable in memory and execute it. The proposed feature aims to identify any memory drift and remediate it once detected. Possible solutions ( Can be changed based on engg inputs) 1. Automatically profile the runtime behavior of a container and use this information to build an image profile. The profile can contain information on the following, but not limited to - Network activity - File system activity - Comprehensive file integrity monitoring (FIM) that detects changes in metadata - System calls 2. Optionaly, the image profile generated can be audited by the security team to verify if the image profile looks as expected. 3. This image profile can be used to - Apply container restriction - Create an allow-list for specific containers - Blocking them from executing certain runtime activities 4. If a deviation from container image profile is detected, re-deploy the original container to get to the approved container state 5. If a subsequent container drift is detected within a reasonable time, stop the container and notify the cloud security team 6. Notify users of in-memory drift detection and remediation 7. Allow users to configure auto re-deploy if drift detected on image basis User Benefits Less reliance on runtime threat detection and mitigation. Well suited for container-as-a-service and serverless function environments which allows security departments to focus on scanning cloud-native. Reduces the effort required to manually create and update image profiles Automatically remediates the state in case of an attack ACs - The feature should be able to detect fileless malicious attacks - The system should automatically notify the user if a drift is detected - The system should automatically re-deploy the original image seamlessly - The image drift detection should not require installation of agents - The image drift detection should not slow down or impact the performance of the workload - The re-deployment trigger of production image should be seamless and with any downtime - The system should be able to handle a X number of workloads and clusters
  • 34.
    Feature priority Business ValueCustomer Impact Effort Zero trust configurations High High Medium Configuration drift prevention High Medium Medium Runtime drift protection High High Medium Networking drift prevention Medium Low Medium API drift prevention High High Medium

Editor's Notes

  • #4 Based on level of abstraction
  • #8 https://www.checkpoint.com/cyber-hub/cloud-security/what-is-container-security/top-7-container-security-issues/ https://www.datadoghq.com/container-report/
  • #9 https://www.checkpoint.com/cyber-hub/cloud-security/what-is-container-security/top-7-container-security-issues/
  • #10 https://www.checkpoint.com/cyber-hub/cloud-security/what-is-container-security/top-7-container-security-issues/
  • #15 Source: https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
  • #16 Source: IDC market share 2021 https://www.trendmicro.com/explore/idc-cloud-workload-security/01586-c1-en-rpt
  • #17 Building or Acquiring CSPM capabilities
  • #20 Based on capability maturity assessed by Forrester
  • #21 Align this back to Market share
  • #23 Source: https://www.gartner.com/en/documents/3945611 https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
  • #26 The Essence of Strategy is Choosing What Not to Do