Brian McHenry: [00:00:00] With, all these concerns and the various types of threats and risks that come with the cloud, how do I address them? And overwhelmingly organizations are saying AI is the answer. unsurprisingly, right?

Ashish Rajan: Is it though ?

Brian McHenry: I think in part the misconfiguration thing is interesting because it's not so much that we don't know what to do, it's just that one small misconfiguration can rapidly become a big problem because of automation. The rise of AI, as a way to make these tools better really can be a game changer when it comes to application security. The cloud environment is really suited to actually delivering better security, almost ironically, right? We have all these tools that should enable much better security at scale. However, we're moving so fast that we're doing silly things like misconfigurations that leave us vulnerable.

Ashish Rajan: A recent annual report from Amazon of their quarter spoke about they made 100 billion dollars from 15 percent of the market that is on the cloud. Yes, you heard that the remaining 85%, which is the interesting part, the remaining 85 percent of the world is still in data centers. And [00:01:00] they are moving towards using cloud because they're all adopting AI.

And one of the best places to use automation as well as having the compute available is the cloud. So in this episode, we had Brian McHenry, who is the Global Head for Cloud Security Engineering at Check Point. And we spoke about the report they had recently about the state of cloud security in 2024, for which they had surveyed thousands of professionals in the cloud security space to understand.

What is the biggest challenge they're facing in the cloud security world specifically? Now, Brian has been in the network security space for a long time. And as part of that, we also weaved into the conversation for the remaining 85 percent of the world that is moving to cloud today. What does it look like to come from a sysadmin, network admin role into this cloud world?

What are some things that you may have to unlearn? What are some of the new things you can naturally use from the cloud to make your job even better? We also spoke about some of the edge security bases, like things like, is the WAF that we have today, which is signature based, is good enough? Or should we be expecting more now that AI is more common than we would have expected it to be [00:02:00] a few years ago?

Should WAF be using AI? Should we be not having a massive wall of alerts anymore for our problems that we have from a security position sometimes? All that and a lot more in this conversation with Brian McHenry from Check Point. If you know someone who's working on the network security challenge, the edge security challenge, or even just to figure out what is the new level of network security looking like as more organizations move towards multi cloud, hybrid cloud, And the biggest one of all, is CSPM good enough anymore?

Or should we just get rid of that completely? This is the episode for you. If you know someone who's actually looking into this definitely share this with them as well, a friend or a colleague. And if you're here for a second or third time, and if you enjoy this kind of episode I would really appreciate if you're watching this on YouTube or LinkedIn, definitely give a subscribe or follow.

And if you are listening to this on audio platforms, definitely give us a review or rating on Spotify or iTunes. It only takes a few minutes, but it definitely helps spread the word for the cloud security podcast as well.

Things have been evolving quite well in Black Hat in terms of AI and cloud and a lot about this.

So I have Brian, welcome back Brian to [00:03:00] the cloud security podcast. Can you share a bit about yourself for people who don't know about you much?

Brian McHenry: Yeah. Run all of cloud security engineering at Check Point. And what you may not know, if Checkpoint as the network firewall company, is that we have a whole suite of products called Cloud Guard, which are all about, protecting your cloud and your cloud assets.

Ashish Rajan: Before we started recording, we were having a conversation about the current state of the cloud market as it stands at the moment. And you guys did some reports on this. How many people were surveyed for this? And what was the themes from this?

Brian McHenry: Yes, several thousand organizations and large enterprises primarily were surveyed.

And the main themes were, I'm really concerned about my cloud security, which was a really remarkable rise from the previous year's report, where it was, a minority were concerned about cloud security. So clearly you're doing good work here on the podcast, driving awareness, getting people to think about what are the concerns that are specific to the cloud and not just is it somebody else's data center?

Other things are things like. I, do I have enough people? Do I have enough skilled expertise available to help me respond to [00:04:00] these things? And the answer is overwhelmingly no. And then, with, all these concerns and the various types of threats and risks that come with the cloud, how do I address them?

And overwhelmingly organizations are saying AI is the answer, unsurprisingly, right?

Is it though?

I think in part, right? It's never a silver bullet, but certainly when we're struggling to hire people and retain people to do these important work for our organizations. If I can automate some of that, if I can help the human operator, sort out the signal to noise ratio, really, so that I can focus in on what are the real threats, what are the real risks, and not just an avalanche of alerts, which was another element of the report was alert fatigue, averaging, 10 critical alerts per day or something along that line.

Ashish Rajan: Because most people hear misconfiguration, and I think the market has been trained enough. At least for people who have been in the cloud for some time, the market has been trained enough to say, Oh, CSPM. I know that's what that's the answer. I'm looking for. Is that not enough?

Brian McHenry: It's not enough because CSPM while [00:05:00] it tells us where the misconfiguration is, security posture management, right?

So it tells us what our posture is. Whether that's something like the SBOM, the software bill of materials, or it's something like a misconfiguration, it gives us the news, there's some remediation capabilities available in CSPM and CNAPP tools, but really not full remediation. It's not like you get an alert oh, it's misconfigured, you push a button and something fixes it.

And that's where, orchestration and automation come into play and that's where potentially, AI can fill a gap there as well.

Ashish Rajan: A lot of the conversations and you touched on incident response. I'm glad you did because I'm going to come back to that in terms of how we look at cloud security, we only look at misconfiguration as it's a symptom.

It's not the actual problem because you're the picture for most cybersecurity people is that we want to protect the application, the data, where, who, and how, what can they do, blah, blah, the list goes on. Yeah, since we've been having conversations a few times before, you've been in the networking space for a long time I think you've been there. before this in another networking company. So you've done [00:06:00] your time in the whole networking space way, way more than I have. Is there an obvious thing we're missing over here with the, if we just go with the CSPM perspective?

Brian McHenry: Yeah it's the notion of prevention, right? CSPM gives us the news, tells us where the threats, where the risks, more importantly, where the vulnerabilities are.

What do I do about it? What's the next step? And that can be anything from, network edge firewall configurations. It might be reconfiguring the asset, other behavioral detections that you could do via, modern web app firewall. So there are a number of different things you can do to take what you learn from CSPM and turn it into more meaningful remediation and therefore, prevention of an attack.

Ashish Rajan: I think a lot of people in the cloud security community has started shifting towards the whole edge security as the world has now started calling most of those things. What is edge security for people probably who are unknown to this? Why is it important in the cloud world?

Brian McHenry: Yeah, so edge security is the network firewall.

It's the DDoS mitigation layer. It's the web application firewall. It's everything that happens, towards the edge of the data center or the edge of the virtual boundaries in [00:07:00] the public cloud. Every public cloud vendor has native security offerings to do these things. So it's not like you go into the public cloud and there's nothing there and you're naked and you got to bring your own security.

So there are things there, but they tend to be best effort type of tools. They're not very advanced in most cases. And if you're in multiple clouds, and we talked about this last time, I think everybody that I talked to in the larger enterprises is in multiple clouds, right? They're not just in Azure, just in AWS.

And in fact, they're in, probably two or three or even four clouds, and those things can be dictated anything from what are the workloads I'm running? Is it in a certain geography that where I need a workload to run? There's any number of things where you know, a certain public cloud is the right one for this thing that I want to do.

And that's why how you end up with these different public clouds. So when you're in these multiple clouds, And you are looking at native security tools. Now you're looking at different tools in every single environment you're in, including, oh, by the way, the on prem environment, which isn't going away as we talked about [00:08:00] last time, right?

Ashish Rajan: So the hybrid network that we have all been, as much as we would like to, because one of the things that was called out, we were talking about how AI is going to be the silver bullet, and we said, it may not be. Is it? The misconfigurations have gotten more complex. Is that why there's a lot more alert fatigue or what's the driving force for there's this alert fatigue, there is the whole perspective of edge security is missing out.

Where are we going with this as a cloud security space to what you're hearing from your customers?

Brian McHenry: The misconfiguration thing is interesting because it's not so much that we don't know what to do. It's just that one small misconfiguration can rapidly become a big problem because of automation, right?

Oh, so it tends to, I use things like Terraform and other automation tools to go and roll out a whole, architecture. Yeah. Application architecture, and then whatever is misconfigured gets misconfigured in mass right across the whole landscape. So a small misconfiguration can turn into a big risk very easily.

And that's, something that's, we can address that to some degree [00:09:00] automation is the key to making sure I have good templates that I'm building from so that the base configuration is solid and we are getting better in that regard, just more work to be done right and we shouldn't get complacent, which I think in the early days of cloud, we were complacent that hey, I'm automating these things and I know that configuration is good and off you go and we come to find out, with all the breaches and there's so many different attack surfaces in the public cloud that It, it really is a little bit of a different thing than when you have your on prem data center where I can really much more restrict the access to it, both, the front door, the internet facing door and the service door where the administrative activities happen.

Ashish Rajan: So we'll obviously have a lot of practitioners and CISOs listening to this conversation and a lot of them are starting today in cloud, and I think I was watching it. I think I read the report the annual report that was shared by Amazon. They're saying 85 percent of the world is still on premise, like they have not even left data centers.

I'm going, wow, it's like huge chunk of people who are going to start [00:10:00] today and to layer I guess what it can look like, and clearly we've defined the CSPM is no longer the answer for this. What is the right way to start approaching this problem?

Brian McHenry: So you start with CSPM, don't forget about it, but look at CNAPP as a broader suite.

So cloud native application protection, that's the broader suite where CSPM has been subsumed. And in there, you also have things like identity and entitlement management, you have both workload protection all driven towards cloud native security to do things that the public cloud providers cannot provide you.

And so if you're looking to move to the cloud, look to move to the cloud and build from scratch with tools that you know you can take to any cloud not the tools that just the public cloud provider can hand you, right as you deploy, I would also say, get involved with your developers who are selecting the cloud.

When the applications are being deployed, decisions are getting made, whether you as a security organization know it or not. Okay. And they may be checking the box. You may hear, Oh, I need a WAF or I need a network firewall here. I'm going to make the API call to the public cloud offering for this, and I'm going [00:11:00] to check the box and say, I've got the security covered.

And to some degree they do, but they're making decisions that you later as a security organization have to live with.

Ashish Rajan: Especially for the people who are from a. networking background. There's a lot of sysadmins who've clearly loved the firewall market for a long time. I was one of them as well. Most of us have started our career in firewall management, or I would say misconfiguration.

I think this is definitely management of firewall for hey, what port needs to be open, right? And where are we going with this? What's the new endpoint that's being released? How would you describe the change that's going to happen for the current sysadmins of the world who are in that 85 percent who have yet to take that journey.

And I'm like, oh, we've both taken that journey. What was your experience like? And what would you tell them for how to approach their existing skill set onto the cloud world to apply security?

Brian McHenry: First, trust that network security skills never go out of style, networking skills in general never go out of style.

So lean on that experience, but then avail yourself to the fact that AWS, Azure, GCP, [00:12:00] they all have different networking infrastructures. They have different nuances. There's unfortunately not one cloud networking security standard or networking standard. So the architectures are different. The way they do things, anything from how they handle, high availability to load balancing, routing, all those things are a little different depending on which cloud you're in.

So for anybody who's in networking or network security and they're in that 85 percent that's going to be moving to the cloud at some point, that's probably where you're going to run into the most roadblocks early on is, oh, I didn't realize that this was different in AWS versus how it is in Azure, and maybe, I need to look at, not only the security tools I bring with me there, but how do those different networks work?

And certifications are probably a good way to go there. If your organization has picked AWS as the public cloud standard, get an AWS certification, learn how that network works, because it's a little different than your on prem data center.

Ashish Rajan: I think another thing that's almost shaking at the market, which is probably pushing the 85 percent data center folks onto the cloud is the whole AI space as well.[00:13:00]

And we spoke about the whole data security challenge in that space as well. In terms of, where do you see the security for that? And is, does edge security play a role in this as well?

Brian McHenry: Old things sometimes are good things, and the cybersecurity kill chain is an old thing.

But the kill chain is a really good model for telling us like, Hey, I can kill, I can stop a threat at any point in this chain. Whether it's at the edge or all the way down to where the data actually lives. And having multiple layers is not a bad thing. Defense in depth is never gonna go outta style.

Yeah. So the more chances I have to detect a threat, the further it traverses into my environment. The better off I am. And so we're developing new tools all the time based on AI. So one example we talked about, before we were recording was DLP, right? We've all come to see DLP data loss prevention as something that like high promise, low delivery because of things like false positives and, difficult configurations.

Things like high false positives and difficult complex configurations are things that AI is very well suited to solve for and so [00:14:00] data security posture management or DSPM has become a very hot market almost overnight And I think of it as a next gen DLP and those vendors probably don't want to hear me say that But I think of it really as a next gen DLP because it does all this automated classification and tagging and of the data so that you know what needs to be protected, where it is, has it been touched, , does it have the integrity who's the identity that has access to this data?

So it's taking all the concepts that we know in CNAPP and CSPM and Cloud Identity Entitlement Management, taking all those concepts and applying them right at where the data lives. Yeah. Yeah. So that's, we have the edge, we have the cloud environment, and then we have the data that the cloud environment is presenting access to.

And so giving us multiple places in the kill chain or in the defense in depth. to detect and stop a threat.

Ashish Rajan: Would you say with now AI data security, all of these other things coming into play as well, for people who are trying to move into the cloud space, a lot of enterprise have clearly been trying for a while, or some of them already there.

Has the say the WAF space evolved a bit as well? How is [00:15:00] edge security for those things that have been trusted for some time, like a WAF and DDoS protection? Has that changed with the new world?

Brian McHenry: It's starting to. So we're starting to see many web app firewalls that adopt AI machine learning to try to get detection rates up and false positive rates down. So if you mentioned web app firewall to anyone who's touched one, the first thing it says, man, that tuning false positives, right? And that happens, and that's if they're even in blocking mode.

Many WAFs are put up and they're just in a detect only mode. Oh, so the goal really is to try to take these complex signatures, which trigger false positives, although they can detect things, they are also, very specific. Those signatures are very specific to a certain way to exploit a vulnerability, whereas, take log4j, for example.

There were in the first few weeks, several different iterations of the log4j exploit that needed different signature updates. It was that cat and mouse game. So over several weeks you're doing all these iterations. Now, what we're doing a little differently at CloudGuard is we're not a signature based approach.

So the Check Point CloudGuard [00:16:00] WAF is completely AI from the ground up and using contextual AI, much like the data security posture management I was talking about. We're using contextual AI and the CloudGuard WAF to say you don't need signatures anymore. And in fact we had preemptive zero day protection for log4j for move it for, all the vulnerabilities we've seen in the last couple of years, they've all been protected on zero day if you had CloudGuard WAF.

Ashish Rajan: So you're saying signature model doesn't work. In the broader scheme of things?

Brian McHenry: In the broader scheme of things, it's a helpful tool, but ultimately it's not going to provide you the level of prevention and protection that you would expect. And I think we talked about this last time, like networking is something that we've gotten really good at as far as security, right?

We know which ports to leave listening. You said it yourself. When was the last time I did a networking pentest? You just don't do them because we know how to do that and we know how to do it at scale. Yeah. Unfortunately, application security is a lot harder. It's a lot more complex, has a lot more nuance per application.

So we didn't have these one size fits all type of application security policies like we had in network security. [00:17:00] So the rise of AI as a way to make these tools better is really, can be a game changer when it comes to application security.

Ashish Rajan: So if it's not signature, then is it? I guess definitely, I hope so it's not Regex, I guess that would be probably going down the worst part.

If signature based WAFs are not the answer, I guess to your point, AI is definitely enabling a lot more. Are we at that stage with WAFs where we can reduce the false positives to a point where I don't have to have someone in my team go through this for months or weeks before they can find out a true false positive?

Brian McHenry: Yeah, that's exactly it. That's where we want to get to where you're not, you're much like before the network firewall where I know I can listen on port 80 and I let traffic in. In fact, we don't listen on port 80 anymore. It's really only 443 encrypted traffic. So where we can get to these one size fits all approaches where there's a lot less tuning and a lot more just monitoring for potential risks and threats.

And that's where we want to get to. And that's what we've gotten to a network security where really we're looking mostly at IPS on network security. We're not really looking at, the five tuple ACL logs and [00:18:00] saying, what's being blocked here. We don't really care about that anymore because we know, Hey, the bad stuff is it's a really obviously bad stuff is blocked.

I just need to focus on what are the threats that are coming in across the network, the part of the network that I need to leave open. Yeah. And so that's where we really need to get to with application security. So we can have a safer internet.

Ashish Rajan: Would you say I think it's funny, I think as you mentioned the port 80 port 443 was the first thing that came to mind. I was like, oh, actually, yeah, I don't think I've heard port 80 for a long time. It's oh, it's oh, when was the last time I heard about an actual VMware machine being used?

I don't hate on VMware. Just saying it's been a while since you hear about, hey, I'm going to do a network pentest or I'm going to change my WAF. dramatically. So now that we have established that, okay, so the WAF model needs to change. Is it, are there other elements around edge security that needs to evolve?

Because I imagine with the network security context, a lot of people clearly have not done network pentest. Should people be doing network pentest?

Brian McHenry: You should always double check, right? Yeah. Trust but verify, you would say. Yeah, that's right. Most of the default configurations are not going to [00:19:00] leave obvious, really risky ports open like SSH on port 22, what have you.

We're not going to leave those things open, but you should check. You should make sure you're not doing it. Not just assume that, hey the base template is not leaving that open. Everybody makes mistakes. Humans are involved somewhere in the process. Yeah. And so anything can happen.

So we should always have a good baseline of our network security, of our application security, of our cloud security posture and data posture. Knowing what our baselines are the key to any of these AI things working actually, because. When I talk about the web app firewall and the AI there, the way AI works there is by being able to tell what good looks like, right?

It's a lot of the behavioral analysis. It's not just relying on, simple, Hey, oh, this looks like an SQL injection because it's got this SQL embedded in the payload, it's actually looking at more than that to try to determine the intent of a given session or looking at the behavior saying, Hey, this varies wildly from the typical behavior of the average user of this web application.

Ashish Rajan: Would you say it doesn't make a difference [00:20:00] when people are trying to consider a network pentest in the cloud context or hybrid context or whatever the true state you want to get you from a cybersecurity program for a WAF to what you were saying? It's not to just triage through mountains of false positive, it's to get to a point where you're simply monitoring for what's escaped and why did it escape, right?

Is that what you say, like the true North Star for most people, what people should be aiming for?

Brian McHenry: Yeah, absolutely, so I want to be able to trust that the WAF is detecting most things and not blocking much, if any, legitimate traffic. Yeah. So I want to be at that point and then if I do see something in my logs.

I go, this is something really interesting. It's warrants investigation of warrants the stretched team of security engineers I have it warrants them spending time on it because they don't necessarily have a lot of spare time because there's four people in a large organization.

Sometimes this you want to make sure that the alerts that they're taking action on are ones that are meaningful and ones that are addressing real threats to the business.

Ashish Rajan: How do you see the space evolved over the next couple of years? So obviously, talking to a lot of people or [00:21:00] customers and they're asking, and we spoke about just the DSPM space as well, we spoke about edge security.

We're like, I think for people who are coming from a on premise environment, it's just like already overload for Wow, it's like everything's changing that my entire world has flipped 180. What else do you see as coming through? From a tech perspective that security people would have to look out for any obvious ones field that you want to throw at people

Brian McHenry: One that's a it's a hot topic conversation is platformization right is you know versus best of breed and a lot of customers a lot of enterprises that I talked to you are saying I've got 50 60 70 vendors for just security in my environment, and it's, a lot for them to manage from a business and contract point of view. It's also a lot to manage from a tools and techniques point of view, right? How do I train up my staff on all these different tools? And so they're looking to get down to, fewer vendors and that demands a platform.

And that might be anathema to certain security purists who say, you want the best of breed tool everywhere you can have it. That's a nice idea. Yeah. But the larger the [00:22:00] organization oftentimes you need, something that'll scale and then in a smaller organization you might not have the people to learn all the different tools. So a platform is actually useful there as well. And some of the benefits of a platform is, hey, I might not need a third party to do security orchestration, right? So if I detect something with CSPM, I can automatically remediate, or at least be able to tell if I'm remediating that at the edge, and I can buy myself some time to actually reconfigure that misconfiguration or patch that vulnerable software library.

Ashish Rajan: It's not that this was not possible before, Now it's a new, it's a new environment, but we should be able to use the same capability and same accountability that we used to have on premise in the cloud world as well,

Brian McHenry: Right. And I think the advantage the cloud world has is that almost everything is API first, right?

Whereas in the on prem environment, many things, APIs came later after the fact, anything deployed to the cloud is API first, which means. It's very highly automatable is very highly suited to adding AI enhancements for orchestration. The [00:23:00] cloud environment is really suited to actually delivering better security.

Almost ironically, right? We have all these tools that should enable much better security at scale. However, we're moving so fast that we're doing silly things like misconfigurations that leave us vulnerable.

Ashish Rajan: Yeah, I guess as most of the questions that I had, but I think in terms of what you would want people to take away, because I think I find it's really fascinating.

What's been the highlight for you? So far from Black Hat, I know it's only been day one.

Brian McHenry: So every year, it always seems like there's a theme that's running through. AI is obviously a big theme. Everybody's got some element of AI in their solutions. What I think is interesting is how many organizations or how many vendors I should say are already offering something to protect your generative AI implementation.

So it really surprises me just because that tells me that there are a lot of enterprises out there who have their own implementation of an LLM in place, and they need to protect it somehow, or they are realizing the chat bot that they put on their website can be compromised by somebody who wants to do a little bit of prompt hacking.

So I [00:24:00] think that's probably the thing that's really jumped out at me is there's a lot of vendors with really big booths with names that I've only heard a few times and it's all about, protecting a large language model and a generative AI implementation.

Ashish Rajan: Interesting. I need to walk the floor once as well, but no, that's pretty much what I had to thank you for sharing that as well.

Where can people find you on the internet to connect with you and talk more about edge security and

Brian McHenry: so I'm mainly just on LinkedIn. BA McHenry is the URL. So you know, the LinkedIn I'll share that in the short notes as well. And you can find me at most conferences like this.

We saw you at re:Inforce. I, right? I'll be at re:Invent. Oh yeah. In December. These large conferences I'm usually around and yeah. Available. So if you ping me I'm more than happy to meet and I will plug in October. Security BSides, New York City. I'm one of the co-founders there always.

We're hosting that event again this October, and it's a very low cost event. So it's really designed to create more equal access to not only cybersecurity careers talks and education, as well as this year I'm actually chairing a, an [00:25:00] entrepreneur track. So we have some really cool talks from people who are experienced cybersecurity entrepreneurs.

So we're pretty excited about that track being added.

Ashish Rajan: Yeah, I'll drop that in the link as well. And I'm good on you for starting that as well. Because running a conference and attending in two different like ballgames altogether.

I'm surprised you went from just I'm gonna just, you know what, I'm going to organize with myself.

Brian McHenry: Yeah,

it's a team and not just me as a co founder, not solo founder.

Ashish Rajan: But still, I think it's a lot of effort.

Brian McHenry: Yeah, it's a lot of effort. But the feedback we get every year we run it, it seems like it's every two years cause it does take a lot of effort to get it off the ground, especially our chapter being in New York city.

Look, a free or low cost event in Manhattan is very hard to pull off, but we managed to do it. And we're really proud of the feedback we get. We really try to have a diverse selection of speakers as well as attendees.

Ashish Rajan: So yeah. I will definitely put the link on the show notes as well, but thank you so much for coming on the show.

Thank you for listening or watching this episode of Cloud Security Podcast.

We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or [00:26:00] make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at Cloud Security Podcast TV.

By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else continues.

If you have any other suggestions, definitely drop them on info at CloudSecurityPodcast. tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.

‍