Ric Smith, CTO, SentinelOne
Public cloud adoption and cloud native development are often touted as the future; it’s the “green grass for nimble start-ups and the digital transformation vision” across established industries. And yet, within the opportunity of the cloud, there has long been an ugly security reality brewing.
Cloud security is broken and outdated.
To unpack this reality and help me outline the next (and very necessary) evolution of cloud security, I would like to welcome my new colleague Anand Prakash, CEO and Co-founder of PingSafe.
Anand has a wealth of experience both attacking and defending cloud architectures and is considered one of the world’s top five white-hat hackers and a prolific security researcher. His work since 2012 has assisted over 400 companies in constructing “secure-by-design” tech systems, reflecting his forward-thinking mindset as the shift from on-premises to cloud computing emerged.
Anand, what is the current state of cloud security?
Anand Prakash, CEO, PingSafe
Thank you, Ric, and can I just start by saying it’s a pleasure and very exciting to be here!
The reality today is that while there are strong tools focused on solving multiple cloud security issues, whether open-source, third-party, or built natively into cloud service providers, they have not been designed to work together, in addition to being built with purely defensive intentions.
What I mean by that is that these tools are built targeting “perfection.” I constantly see companies trying to sort through pages of endless CVE vulnerabilities or checking off compliance standards and benchmarks. But they still get hacked even after doing all of this because attackers are finding different ways to hack into a company’s cloud environment, often combining multiple vulnerabilities to create an Exploit Path.
How many high profile cloud breaches had all of the expected security policies and compliance badges in place? And yet the breach still occurred.
Before founding PingSafe, I was helping major software companies identify bugs in their code, APIs, and infrastructure. During this period, I witnessed issues firsthand, such as attackers exploiting SSRF vulnerabilities in the target’s cloud environment to obtain the company’s cloud credentials through the metadata service (from external endpoints without direct access to their cloud environment). Additionally, incidents like subdomain takeovers due to lingering DNS entries resulted in subdomain defacement, and led companies to pay substantial bounties.
Despite the use of CSPM solutions by these companies, ethical hackers like myself continued to discover highly critical issues overlooked by these tools. This experience motivated me to create PingSafe, addressing these gaps and safeguarding customers’ cloud assets on a large scale.
Attackers have clarity with an offensive mindset, not focused on what doors are closed, but on valid, dangerous opportunities that allow for Initial Access and a large enough scope to conduct an attack.
Unfortunately, the work is heavier for defenders. Defenders have to cover and protect an ever expanding, dynamic, always changing cloud attack surface and attempt to protect everything, while attackers only need that single opportunity to sneak in.
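The SSRF-to-metadata-service path Anand describes above (an external attacker steering a server-side fetcher at 169.254.169.254 to pull instance credentials) is worth seeing in code. The block below is an added example by the editor, not PingSafe's or SentinelOne's code: it places a naive "fetch whatever URL the user gave us" target beside a hardened outbound-URL check that allowlists schemes, normalises IP-literal bypass spellings, resolves the hostname once, rejects any non-globally-routable address, and returns the vetted IPs so the caller connects to those rather than re-resolving. The DNS table and the `rebind.attacker.test` / `example.com` entries are constructed for the offline demo; `socket.getaddrinfo` is what a real deployment would plug in.

```python
"""SSRF guard for a server-side URL fetcher: naive target beside a hardened check.

Added example (editor's code, not PingSafe's or SentinelOne's). The resolver is
injectable so the demo runs offline against a constructed DNS table.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def naive_target(url: str) -> str:
    """The vulnerable pattern: trust the user-supplied URL wholesale. A fetcher
    built like this will request http://169.254.169.254/latest/meta-data/iam/
    security-credentials/ on the attacker's behalf and hand back the role keys."""
    return url


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup for production use; replaced by a table in the demo/test."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _literal_ip(host: str) -> Optional[IPAddress]:
    """Parse IP literals, including bypass spellings of 169.254.169.254:
    bracketed IPv6, IPv4-mapped IPv6, decimal (2852039166) and hex (0xa9fea9fe)."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # "2852039166", "0xa9fea9fe"
    except ValueError:
        return None


def _is_internal(ip: IPAddress) -> bool:
    """Anything not globally routable is off-limits: link-local IMDS
    (169.254.0.0/16, fd00:ec2::254), RFC 1918, loopback, CGNAT 100.64/10, ULA."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 -> 169.254.169.254
    if mapped is not None:
        ip = mapped
    return not ip.is_global


@dataclass
class Decision:
    allowed: bool
    reason: str
    pinned_ips: List[str] = field(default_factory=list)


def check_outbound_url(url: str, resolve: Resolver = system_resolver) -> Decision:
    """Hardened check. Connect only to Decision.pinned_ips (send the Host header
    yourself) so a DNS-rebinding answer between check and use cannot swap in the
    metadata address; fetch with redirects disabled and re-check each Location."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return Decision(False, f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        return Decision(False, "missing host")
    if parts.username or parts.password:
        return Decision(False, "userinfo in URL")  # http://trusted.com@169.254.169.254/
    literal = _literal_ip(parts.hostname)
    if literal is not None:
        if _is_internal(literal):
            return Decision(False, f"literal {literal} is not globally routable")
        return Decision(True, "public IP literal", [str(literal)])
    try:
        addrs = resolve(parts.hostname)
    except OSError as exc:
        return Decision(False, f"resolution failed: {exc}")
    if not addrs:
        return Decision(False, "hostname has no addresses")
    for addr in addrs:
        if _is_internal(ipaddress.ip_address(addr)):
            return Decision(False, f"{parts.hostname} resolves to internal {addr}")
    return Decision(True, "all resolved addresses are public", list(addrs))


# Constructed DNS table for the offline demo (these records are made up).
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],  # split answer
}


def table_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no record for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/", "http://0xa9fea9fe/", "http://[::ffff:169.254.169.254]/",
        "http://[fd00:ec2::254]/", "http://metadata.google.internal/computeMetadata/v1/",
        "http://rebind.attacker.test/", "file:///etc/passwd", "https://example.com/report",
    ]:
        d = check_outbound_url(candidate, table_resolver)
        print(f"{'ALLOW' if d.allowed else 'BLOCK':5} {candidate:<60} {d.reason}")
```

The check is deliberately a deny-on-anything-non-global rule rather than a blocklist of 169.254.169.254, because every cloud provider's metadata endpoint, plus internal admin services, lives in non-global space and attackers routinely reach it through alternate spellings or a hostname they control. It is only the application-layer half of the fix: on AWS the instance-side half is requiring IMDSv2 (`HttpTokens=required`), which forces a PUT-issued session token that a forwarded GET cannot supply.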
And this remains a problem even while we are seeing some vendors consolidate point solutions, and the industry talks about the contextual benefit of CNAPP solutions? Anand, would you mind also explaining the acronym for us?
Cloud Native Application Protection Platforms! Much better as an acronym. This is a recent naming convention from Gartner. CNAPPs are solutions that combine visibility and security across three main areas: the development pipeline, cloud services (storage, identity, database), and cloud & container infrastructure.
While combining these controls in a single platform helps some organizations cut down their vendors, their main problems remain. The issue isn’t switching consoles for container pipeline scanning versus controlling permissions on cloud storage; it’s that cloud security is generally overwhelmingly noisy. They don’t know which issue is the most critical to solve and where to focus their time.
It’s why I believe, and created PingSafe with this intention, that an attacker’s mindset is needed to drive prioritization in cloud security. What needs to be fixed, now? For example, instead of assessing a never-ending set of theoretical attack paths, I think defenders need to know where their cloud is offering immediately exploitable activity for threat actors. Show me the evidence-based reporting that there is an Exploit Path.
Let’s spend a little time there – Attack Path vs Exploit Path?
I’m a big fan of Attack Paths, and many CNAPPs have embraced Attack Paths. They are graphical views of mapped resources with contextual awareness of vulnerabilities, misconfigurations, and public access. However, these combinations do not always equate to a genuine exploitable risk. Attack Paths are a good start, representing theoretical possibilities, but they often provide security teams with fool’s gold.
We can do better. Defenders deserve better.
What we have built with PingSafe is an Offensive Attack Engine that plays the role of an attacker and safely simulates attacks to validate which Attack Paths are actual verified Exploit Paths.
It always comes back to signals versus noise. With limited resources and time versus increasing sophistication of cloud attacks, focus on what matters.
We have always believed that beyond robust and capable platforms, today’s security teams need intelligent automation that simplifies the analyst experience and boosts the productivity of their security teams. They need to drastically reduce mean time to detect, and mean time to respond & remediate.
A note on Agent-based and Agentless Cloud Security
This year we have heard conversations move from Agent vs Agentless to Agent and Agentless, should we talk about that?
Yes, so there are clear strengths on both sides. SentinelOne has always known that agent-based security allows superior stopping power for attacks as they happen, and increases remediation opportunities. It also allows access to more detailed forensics, so crucial to analysts.
And agentless controls allow security to extend beyond compute and containers to cloud services like cloud identity, cloud database, and cloud firewall. It also allows for security and visibility free of deployment dependencies.
Clearly, the answer is that combination of the two makes magic happen! This has been validated by some of the primarily agentless CNAPP vendors, who have publicly reversed their anti-agent stance and are now hard at work building their sensors/agents.
The reality is, however, that while agentless security can be quick to build, agents are not. Building an AI-backed lightweight agent that goes beyond rule-based security, and is capable of machine speed detections with low CPU usage is no easy engineering feat.
We are confident our ability to integrate with PingSafe’s innovative features outpaces agentless vendors who lack the engineering background necessary to create competitive sensors/agents.
Which leads to our combined efforts to redefine the future of cloud security
SentinelOne, as a leader in agent-based Cloud Workload Security (CWS) as well as Cloud Data Security (CDS), has been laser focused on keeping production environments secure.
With the PingSafe acquisition, SentinelOne expands our cloud security capabilities to include Cloud Security Posture Management (CSPM), Container Image Vulnerability Management, Kubernetes Security Posture Management (KSPM), and Infrastructure as Code (IaC) security. Crucially, PingSafe brings their industry-first attacker approach.
In addition to the Offensive Engine that Anand has described and that highlights legitimate Exploit Paths, there is also advanced Secrets Security that provides internal and external hunting for secrets to help secure sensitive information and prevent unauthorized access due to credential leakage.
Together, SentinelOne presents the future of cloud security
Yesterday’s solutions will not protect against tomorrow’s attacks. Our CNAPP solution enhanced with a unique Offensive Engine and combined with our industry-leading agent-based protection with AI-powered threat detection delivers a modern and comprehensive CNAPP.
Our commitment is to provide practitioners the industry’s most impactful CNAPP, ensuring best-in-breed security meets best-in-class usability and accelerated paths to value.
We are very excited by what we can achieve together. You can read more details about our PingSafe acquisition here.
Ric and Anand.
from SentinelOne https://bit.ly/3TH41vO