Implementing Cloud Security Tools the Right way


Episode Description

What We Discuss with Gaurav Kumar:

  • 00:00 Introduction
  • 06:07 Cloud Security + Cloud Security Tooling
  • 09:56 How does it compare to the on-prem world?
  • 13:45 Implementation of Cloud Security Tools
  • 15:51 Runtime Tooling
  • 17:35 Operationalising CSPM
  • 20:20 What's causing Alert Fatigue?
  • 22:45 SIEM in the Cloud world
  • 26:12 Normalising Cloud Security Alerts
  • 35:38 Challenges with Normalisation of Cloud Security Alerts
  • 37:58 Operationalising and new Cloud tooling
  • 40:12 The Fun Section
  • And much more…

THANKS, Gaurav Kumar!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Tools & services discussed during the interview
  • Dassana

Ashish Rajan: Hello, and welcome to another episode of Cloud Security Podcast with Virtual Coffee with Ashish. Thank you so much for joining us today. We are talking about cloud security tools and maybe the right way to do it, because we’ve been talking about CSPMs, CNAPP and all these other tools that come into the. But we never spoke about what it takes to operationalize that? So I’m looking forward to talking about this with a really good friend of mine. And funny enough, he’s also a repeat guest as well.

Hey, good to see you, man. Good to see you as well, man. I think it feels like it’s been ages since you came onto the show, but I’m so glad I could bring you back on. Yeah. Yeah. Awesome.

For people, I know you, some people who are new to us, like having, since you’ve come in last, we’ve kind of grown quite a bit.

So who is Gaurav for the new folks who probably have not heard from you? And the security as well. Why you want to throw that in there?

Gaurav Kumar: Yeah. That’s a simple security person. That’s all I know. That’s all I do. That’s all I want to do.

Ashish Rajan: That’s a good one. Yeah, because actually you have an interesting story of how you stumbled onto the whole cyber security start up thing as well. But I’m curious, like, cause you, you went on a programmer before.

Gaurav Kumar: No, I was not a [00:01:00] programmer before. Although I just love everything related to technology in general.

I don’t know, when I was last time on the podcast, I spoke about how I actually, I really got into security and not just cloud security, the radio thing. Did I talk about it? Yeah, you did. You did. Yeah. So basically, for those who are listening to me for the first time here, basically, I used to have this FM radio and it used to have this FM band, which would go from 88 megahertz to 108 megahertz.

And I was just most curious, like, why won’t it go above 108? And that’s when I realized that, oh, I can just open it up and just turn it manually. And it did. And that’s when I realized that, oh, I’m listening to my neighbors’ conversation. So whatever they are speaking, or a car. And that was like early nineties when people didn’t have encryption on the cordless phone.

And that was really interesting to me. And I think that’s when I realized that, oh, okay. The fun things really happen at the boundaries of things.

Ashish Rajan: Yeah. And actually, it’s funny, you mentioned [00:02:00] that because. For, for folks who are a bit more experienced in the cybersecurity space, I think they have. So whenever they share this story, it’s always interesting to know kind of like what was unique about that particular time as well, because these are things you kind of don’t hear anymore.

Anyone talk about it. So I’m glad you got to share that as well then. So, because it is Cloud Security Podcast and I kind of wanted to touch on the whole cloud security as a topic itself. What is cloud security for you? Because I’ve just realized I have a few more people than the last time I saw you, so what does cloud security mean?

Gaurav Kumar: I think for me, it begins with security. So it’s as simple as applying your security principles to cloud. I like to think in terms of like object oriented programming, so it’s something like cloud extended. Data centers kind of a thing. It’s a form of a data center, but managed by someone else.

So whatever the unique things are to the cloud, you simply apply the same security principles, to the cloud and that’s cloud security.

Ashish Rajan: Yeah. And what about the tooling then? When you think of like cloud security, tooling, what kind of tooling are you thinking in terms of, I guess, but what I find with the examples that come to your mind.

Gaurav Kumar: I think tooling [00:03:00] wise, you will find that it’s just all over the place. Like you have tools which tell you the risk in the system. These are typically our CSPMs and CWPPs, otherwise. Then you have current detection systems, like your IDS kind of thing. They are looking at your traffic pattern and your API calls and your event and audit data and telling you that, oh, this seems like you have some attacks going on.

Right. But I started to think about this whole thing in a different perspective altogether now. So those of you who write code, you probably know about the compile time errors and your runtime errors, right? So the way that I think of it in security also is you can think of your risk detection kind of tools as your compile errors, right? These are things like, oh, you have the server open to the internet. Right. Whereas if somebody is actively attacking you, those are more like incident kind of alerts. So those I would say are really like truly run time things. And you can look for runtime [00:04:00] things at compile time. And that’s where it helps to think in terms of compile time versus.

Ashish Rajan: Actually that’s an interesting one. I never thought about it that way, because, so the ones that are giving you risk information, like the CSPMs of the world. A lot of the times it may be just talking about, Hey, your posture is not right, but that’s not telling you there’s an active attack going on. There’s not, right.

It’s it just means that, Hey, your S3 buckets is public. I guess you should look at it. It’s like one of those, the companies.

Gaurav Kumar: Yeah. It’s like a compile time warning that, Hey, you are assigning a string to an integer or something like that. It’s a warning. It’s against the best practice. In fact, you can probably find Q in what I just said.

Two more like compile time warning to run time. And one thing is for sure, that the compile time warnings will likely become runtime errors under the right conditions. Right? So suppose somebody gives an integer and you assign it to a string, that’s when it could become an error, but it’s not yet.

Right. So same way. If you have S3 bucket open to the internet, it’s not. It has been compromised [00:05:00] immediately. Well, for all practical purposes, people will just listen on these events and just get to know. But in general, yes, you can apply a similar kind of pattern or thinking.

Ashish Rajan: So how is that different from like an on-premise security then?

Cause sounds like. Like it’s. Yeah, I’m just curious. I feel like there are similar challenges there as well, but how is the cloud security tooling or cloud security world different to the on-premise security world?

Gaurav Kumar: I think if you look at what are the unique things about cloud, things that you will not find in the on-prem world, that is what really changes how you think about it.

In the cloud world, more or less, everything is public, unless you configured it in a way it will be not public. Or you can just say everything is private unless you configure it to be open to the public. So there it is very sort of API driven to make things public or private. Right. Whereas in the on-prem world, it’s like just one data center.

You have a public IP range, everything there is public, but in the cloud world, that distinction becomes a little bit hazy. It’s not very clear like [00:06:00] how public a public thing has to be before it becomes public. Like if today I launch a virtual machine in the cloud and I say that, okay, I can receive incoming connections from within the cloud.

Is that. Oh, is it private? Is it already a semi-public? So, things I would say in general are a little bit more complicated and some ways they are simple when it comes to on-prem versus cloud.

Ashish Rajan: Right. And you mentioned the CSPM and VM as well; those are not really applicable for like an on-premise world as well.

So they’re specifically designed for, I guess, for a cloud environment. That may not be a full picture as well. So maybe that’s also where it’s a bit of a difference there, because I guess you have tooling which is just geared for cloud and there’s tooling that is geared for on-premise, but then there’s tooling which is on premise, but they’re saying, Hey, I can do the cloud as well.

So there is that kind of like a, what do you call it? A confusing world being created there as well?

Gaurav Kumar: Yeah, in fact another analogy I was just thinking about is, think of it like if somebody is asking you, OK, can you carry this ice from one place to the other place? 100 place [00:07:00] carry ice in a water bottle?

Likely not because here I, right. At the same time, ice is an abstraction over water. Just a form of water. Right. So think of it, cloud. Right. So cloud is again an abstraction over your on-prem system in some ways. Right. So, so in theory, you can say that yeah, I mean, at the end of the day, it’s all water, but again, it’s when you apply the context, things change a lot.

So I would say that, yes, the on-premise sort of works in the cloud, but not really. It is up to you that you bring in, you configure things, and you apply that cloud context with that on-prem tooling. And that’s why you will see that there are so many cloud security companies just building very cloud native.

Ashish Rajan: All right. And so maybe using that as an example, cause I know we are talking about implementation of cloud security tools. I’m sure there are challenges which are just implementing challenges, in general, across the plethora of tools we have on-premise or trying to be cloud native, we have [00:08:00] cloud native, and then we have cloud security tools, because when you mentioned cloud security tools as well, we mentioned CSPM, CWPP.

But even cloud providers have their own tooling as well. So it’s almost like there are three buckets of these. So, how are people normally implementing these these days? Like, what are some of the examples of how people are implementing some of these tools?

Gaurav Kumar: That’s a difficult and important question.

I think it essentially boils down to how your organization is structured and where you are in the cloud journey. And you will find that companies who are doing these lift and shift kind of projects, they are bringing their on-prem tooling to the cloud as is. And that’s why you will find that even the cloud service providers are allowing you to run that on-prem tooling, like things like packet captures. Like it was never a thing in the cloud, but all of the cloud service providers more or less provide you this functionality because without that your on-prem IDS is not going to work. Right. So how people ended up implementing is very, very heterogeneous.

Gaurav Kumar: It’s all over the place. No standardization. [00:09:00] And that’s why I see this as a very common challenge, is that people don’t have a holistic view of where their things are in the cloud.

Ashish Rajan: Oh, that’s to your point, because if I’m going into cloud today, and if I already have say a security product, IDS, IPS, or.

And endpoint protection or something or the other, most likely the license is still active. The company may have gone to cloud, but I’m like, I’m not going to buy a new tooling because I’ve still got the existing tooling and find out a way to figure this out because I don’t have the budget for a new one.

So keeping that in mind, I guess to your point, there will be pockets of different kinds of implementation. And we kind of spoke about depending on whether it’s runtime or compile time, which I love the idea. Is there a lot of tooling around runtime? I didn’t realize there was a lot of tooling around runtime.

Cause I guess that’s the word, I’m sorry, I’m going with this as that, because that’s what people like us would be worried about, right. I want to find out something’s happening and I, to your point about if an S3 bucket is an issue, I probably would find out through runtime. Is that right?

Gaurav Kumar: Well, S3 bucket open to the internet [00:10:00] is probably, you can find easily at the compile time also, depending upon how you go about creating buckets.

So if you are using IaC, infrastructure as code, like your CloudFormation or Terraform, you can do compile time checks to figure it out. But at the same time, let’s suppose you have a Docker image and it’s a simple web server. At compile time, or there the build time, you can at best find out the number of vulnerabilities, but guess what, if a zero day has been just found in a particular operating system, you are not going to find it just by using compile time tooling. You have to do run time scan of the software environment, unless you have a completely immutable infrastructure and you are refreshing it every single day. Another thing is, when it comes to the runtime security, you have things like, oh, if somebody is doing a SQL injection on the server, cross-site scripting course, things like that.

Ashish Rajan: Oh yeah. Cause we are going into WAF territory and application security as well.

Gaurav Kumar: Yeah, exactly. Or has somebody compromised your cloud credentials? Like somebody was able to access [00:11:00] your access key, secret key, and is now doing S B C P star and our star. At that point of time, it becomes like a runtime thing because there is no way in, on the compile time, he will be able to fix.

Ashish Rajan: That’s interesting, man, because as you were saying that I’m just realizing. As a conversation that I have with other CISO as well, a lot of the times people may think that as, Hey CSPM would solve all your problems, but to what he was saying earlier, just compile time, I guess there’s the next generation of CSPM and for lack of a better word coming.

Well, now context is certainly become important. So the context is that runtime part that you’re referring to. Right? So for people who have been kind of like you’ve had a history with CSPMs before you had your previous startup , so maybe that could be a good from the start because a lot of people may already have a CSPM .

And if they have the assumption that, Hey, I have an answer for this already, but how do people normally I want to use the, use the word operationalized, because I feel like that’s very kind of fitting more into the enterprise sites, but it still means the same as implementation.

So how do people operationalize? Like a CSPM?

Gaurav Kumar: Yeah, that’s interesting, because [00:12:00] by our definition, CSPMs are supposed to tell you the risk in the environment. And one of the biggest challenges that I see is that you need to be very careful about what kind of risk you actually want to know. Right.

CSPMs can tell you just about everything that you have used, many of agents, and this is the configuration, which is not in the desired state. And, I think that incentives CSPM tooling is more aligned towards, or I’m supposed to show more and more risk, where things become really challenging from an operational perspective.

Do you care? You are bound, anytime you do any sort of a scan, right, and it’s just not about CSPM, even if you do one vulnerability scanning, right, you are bound to find tons and tons of issues in the environment. Right? The most important thing when it comes to operationalization is about how do you fine tune your system to only get the alerts that matter?

Ashish Rajan: Interesting. So is that what you’re looking at as failing as a CSPM implementation, where now we have, it’s not [00:13:00] like the alerts that matter, but it’s almost 20,000, 30,000 alerts, like a screen of red on your face. So people just go, that’s just way too much, man. I saw your t-shirt as well. Stay alert. So, and it’s a very known thing in the industry that for people who work in security operations, or broadly people who are monitoring the space, they always talk about alert fatigue, and I’m curious. Cause kind of like, why do you feel people are in this alert fatigue phase? Because you don’t fine tune enough, or like what’s some of the reasons for that?

Gaurav Kumar: It’s I think there are multiple ways to think about this problem.

One is, believe it or not, compliance. For compliance reasons, people don’t want to say that, oh, we don’t care about encryption of our storage volumes. Like EBS volume not encrypted is one of the most common AWS CSPM alerts you will find, right. That’s fine. From a compliance perspective, sure, it probably matters.

That you have some disc volume which is not. But if you really think about it, what are the chances that some data center employee will go to a specific availability zone, find a server [00:14:00] and find that, oh, this is your server, this is where the data resides, take their disc out and walk away.

Right? Why is that risk a medium risk, right? So from a compliance perspective, you can argue that yes, if that were to happen, so many things can go wrong, but chances of that happening or your focus should not necessarily be tapped to begin with. Right? You have much higher chances of some employee making a very honest mistake of not configuring your IAM properly or launching some sort of regular sort of Hadoop server without authentication and not putting in proper network.

So that’s like one way to think about the alert fatigue, because, Hey, we don’t want to get all these alerts, but I don’t think so that you probably want to get all these alerts, but the alerts that you want to act upon, finding that needle in a haystack, I think is the number one challenge.

Ashish Rajan: Yep. And so keeping that in mind then, is it more like a situation where people are going, you have a lot of things that you’re dealing with at any given point in time and alert fatigue is something that [00:15:00] can be managed. Cause I know you kind of did some work in this space. Cause I feel like normally when people talk about alert fatigue, it’s usually related to a SIEM, and I’d love to know.

For you to kind of just define what SIEM is for people who may not know what SIEM is, and how does SIEM play a role in a cloud world, I guess, and the tooling.

Gaurav Kumar: SIEM space is fairly interesting like anything else in cloud security, because I just think that the SIEMs of the world are, just not doing what people used to think of, like how a SIEM system should work.

So think about it, right. 10, 15 years back, the whole point of using a SIEM system was to normalize the alerts and aggregate them and contextualize them. That’s no longer happening. Like every single SIEM system that I know of, they are all focused on, here, give us raw data to track detection and we will surface high quality alerts.

But that’s not the premise of a SIEM system. It is supposed to be normalizing your alerts and aggregating and contextualizing, and it’s not happening. Right. So yeah, I mean, that’s where the challenge lies. You will think that, Hey, why can’t I solve this problem [00:16:00] by using some part from SIEM, but I don’t think so that any SIEM is considering cloud security.

Ashish Rajan: Oh so you’re saying, and this is for everyone. I think I may have been guilty of this as well in the past where a lot of security folks are all about, Hey all the logs just go into a SIEM and my security operation team would look at it and they will be able to raise alerts on it. But I guess one time that I used to have the SIEM was the security operation team never had the context for.

What I guess what kind of alerts are relevant for, for like a cloud and to your point, a lot of times you kind of like give them the CSPMs feed as well. And then to your point, they are going and find it, investigate all these medium risk issues where Hey encryption is not enabled. Is this serious?

I don’t know. Like maybe, maybe it seems because reasonable, medium risk. So it’s talking about the number of alerts that are coming in that I feel like is one of those people, process, technology kind of problems that we’re talking about over here. Cause I feel like we kind of spoke about implementation, compile time and run time. Then we kind of went into like what are some of the existing tools in this space. We had the on-premise solution, which people are trying to make [00:17:00] cloud native, and we have cloud native solution. We also have SIEMs of the world, which were initially start there.

They started using something else, but now they are going in a very different part. And I think I just got a comment from as well. Oh yeah. He’s your fan. I don’t know if you remember Darpan: “a hundred percent agree, SIEMs need to be designed mainly keeping in mind traditional on premise systems.” Did you want to add anything to what Darpan is saying?

Gaurav Kumar: Yeah, I agree. And they were indeed designed and the whole point of the cloud context is just not available, and they have just stopped focusing on what they’re supposed to be. So, same as, like, a log aggregation system.

Ashish Rajan: Yeah. And to your point, because a lot of people who may not be having the money for the SIEM as an organization, they got on the open source. And I feel like if this is what is causing an alert fatigue, and now you kind of have been looking at a t-shirt as very calming, quite invested into this alert fatigue space.

And you kind of have like an open source thing that you recently opened to the world, I guess, open source part that you opened up to the world. That’s a great way to say it. So can you tell us a bit about that as well?

Gaurav Kumar: Yeah, sure. So we [00:18:00] realized that, because there is no one who is doing the normalization of the cloud security alerts, and without doing normalization you just cannot get a homogeneous and a holistic view of security. So we open sourced a solution which can take an alert from your CSPMs, normalize it and contextualize it, and then just send the alert forward to some sort of a SIEM solution. So the open source tool, because again, I think open source is the right way to go about doing security, especially in the cloud.

You’d want to be able to leverage the power of community. And yeah, the purpose is to just help people deal with alert fatigue of CSPMs.

Ashish Rajan: So considering we are talking about implementing cloud security tool. And we went through introduce another tool which works the right way to implement a cloud security tool.

And I kept going back or operationalized. So would you say it, the folks who are listening and are curious about the open source, if you can name it as well, and probably talk about, from a context of people who probably have a [00:19:00] SIEM at the moment, or have a, like a CSPM tool at the moment, how, how would.

Be challenging or making a difference to the.

Gaurav Kumar: Yeah. So the tool that you can actually, it’s a simple CloudFormation template that you can deploy in your AWS account. It is a hundred percent serverless, open source, available under Apache license. And you simply send your alerts to our queue, inbound queue, and alerts become available in the outbound queue.

And the only thing that we do at the open source project is that it adds the normalization and the context within. And then you can send it, take that alert and put it in your SIEM solution. And on your SIEM, all you have to do is just refer to this normalized alert. So it could be, examples would be that suppose you want to find out alerts related to IAM issues, to permissioning issues. Right? And you do not care about which vendor has sent that alert. You likely don’t even care about which cloud service provider you are using, because you are just curious [00:20:00] or you are investigating or you want to just find out all of my issues related to permission management, IAM, or maybe related to storage. Because we do this normalization, you can just write a simple thing, alert dot classification equals network, that’s it. So all of the network security issues, you will be able to find that.

Ashish Rajan: Actually that’s interesting, man. Cause I think a lot of people may not even know what normalization really means.

Cause normalization in a different context, actually for people who may not be from the log aggregation kind of. What do you mean by normalization? If you don’t mind defining that as well?

Gaurav Kumar: I think there’s a potato potato. It’s as simple as that, calling a thing.

I think that’s it basically let’s suppose you want to find out, or suppose you are curious about your disk volumes should be encrypted. Suppose this is your desired state. That if I am a disc in the cloud, it should be encrypted the way that you will go about finding about their disc, which are not encrypted, is that different cloud service provider has different sort of tooling, or you might be using a commercial CSPM tool.

All of the [00:21:00] alerts, all of the information which is given out, is just very much specific to the vendor. So there is no way that you can just say just one simple thing, alert dot classification equals storage, not encryption, because you cannot say this one thing. Now you’re going to have to write a very complicated.

Saying that this, or this, or this, or this, because there are just so many different things. Right? So, think of, like, why do we have standards like the internet? Think about it, one of the greatest normalization things ever. You and I are able to have this podcast, I bet you are likely not using Firefox, but I am using Firefox right now, you are using a different browser. You have different, probably, audio system, yet we are able to have this communication in a seamless manner because things are normalized. Right? I think that’s missing in security. Everybody’s just doing their own thing. Nobody is thinking of the greater good. And that’s what I mean by sort of normalization in cloud security.

Is that greater good?

Ashish Rajan: That’s a great example, man. Cause I think it kind of hones into the point that you were saying earlier [00:22:00] about the different kinds of other on-premise tooling or your CSPM tooling or CWPP or all the other four letter acronyms that Gartner has been kind of introducing left, right and centre.

I feel like I need to bring someone from Gartner to talk about why they keep releasing all these different, like, four letter acronyms for cloud. It’s almost like every other day there’s a new one. I think I saw yesterday, C I E M M or something. And I’m like, what the hell is that? But apparently we need another one.

So Darpan has a question: “curious for your thoughts on CSPM shifting to pre-deploy time. As shift-left mindset gets embedded into security, does it remove the effort of aggregation and normalization?”

Gaurav Kumar: I think the normalization is not just about run time versus compile time, those kinds of things, but it’s more about attaining vendor neutrality, because what happens is even if you’re able to do shifts.

That’s great. You are able to detect things right on your GitHub, it’s a pull request. That’s great, but you’ll still want to be doing runtime checks because things change at run time. Right. And not everybody is [00:23:00] doing compile time checks. Think of it like unit tests versus a system integration test.

Just because you have a unit test doesn’t mean that you’re not going to do a system integration test and vice versa. Right. So there, the normalization and aggregation really is that. And you are sort of future-proofing yourself. Now, you can easily acquire another company without worrying about their tooling, right?

People, like, buy companies and they get acquired and everything, and you will find that as companies grow, they become more and more heterogeneous. So I think you should go for both. You should be doing as much of a unit testing as possible. And you should be doing system integration test, which means that you should be doing compile time checks, runtime checks, as well as normalization, right?

All three, all three.

Ashish Rajan: All three. Oh, wow. So hopefully that answered your question, but feel free to drop another one. And I was going to say just that shift left mindset, because that kind of adds to the complexity of the number of tools that we kind of keep in a cloud context.

I mean, cause cloud security in a lot of ways, CSPMs of the world, that’s solving the cloud [00:24:00] infrastructure environment in a lot of ways. That’s why I spoke about the EBS volumes, S3 bucket. We haven’t even gotten to the application security side. Right. So no one is talking about normalisation for that, but to bring back to where we were talking about the whole deployment of CSPMs.

Now I’m just putting a hat of someone who’s basically gone, okay, I’ve got a deployed CSPM, I’ve got a SIEM as well, and I know my team is experiencing alert fatigue. And so based on what you just basically said earlier, the open source tool that you’re talking about, it’s kind of fixed, talking about putting some context around it.

And so, because we believe, and I think this has been a thing in the industry for some time, that there is not much context. Do we have the flexibility these days to kind of talk about, Hey, this is the context from my environment? Like, for example, not everyone needs to be PCI. But every tool out there will tell you, Hey, use this, use this PCI DSS compliance check.

I’m like, but I don’t need it, but know that it’s available if you need it. So from that context, do you find that the normalization that you were referring to, that’s even harder [00:25:00] if you already have an existing tool set, or is that easy? You’re still let. If you, even if you have like an existing SIEM, existing CSPMs of the world, what are some of the challenges people are seeing in this space in terms of other more normalization, as you mentioned?

Gaurav Kumar: Many times people confuse between standardization and normalization. Right? They say that, oh, we have all these standards, right? Why do we need to normalize? Well, guess what? You will find that one standard is never ever going to fit your needs. Right. You’re going to have multiple standards which apply to you, and these standards call things differently.

So for example, a storage bucket permissions, like simple bucket policies or your IAM permissions, right? You will find that, oh, it is in CIS, where CIS 1.3 maps to PCI 4.5, maps to this. Alright, so now if you want to find out, okay, show me, I want to figure out who I have issues related to my next

Now are there, do you go like you write your OR conditions, because one standard has some subsets super. So that’s why if you [00:26:00] had to like come up with our own on there. So that’s why, instead of, there’s datas, I think a comic too, which has the venue have, and standards and all these are not fulfilling our needs.

So let’s just create a new standard. So we did not want to do that. So instead of creating a new standard, all we have done is that we have just. The standards among themselves that, okay. You are saying it’s X, you are saying that it’s Y okay, cool. So basically when X is the phase, this like this, this guy says it’s Y so they simply do this mapping of X and Y.

Ashish Rajan: So what about people who are starting today then? Cause I feel like there’s a lot of people and I think there was a report that came out that mentioned 60% of the enterprise phase and still has not gone into cloud. I think it was last year’s report, but so there might be, so a lot of people who may not have considered a CSPM or a cloud security tool, but they are in a cloud world, and possibly thinking about sending the logs of.

So, what are some of the things that they should be thinking about so that they can, I guess, operationalize the right way the cloud for implementation or operationalization, I think, feel like very enterprise like [00:27:00] a normal people term and enterprise term, but what can people do to operationalize the right way, when they’re looking at any new tooling for their cloud.

Gaurav Kumar: Yeah, I would say just one thing and I would say it thrice: prioritize, prioritize, prioritize. Okay. Figure out what matters to you. Because if you go and ask someone what’s wrong, you are bound to get all these things are wrong. Right? It’s like you go to a doctor for your annual checkup.

You are bound to find that, oh, these things, multiple things are wrong with you. Right. My doctor is the one who tells you why this doesn’t matter, this is the one you should focus on. So something like that there, you need to figure out what matters to you and what are your business priorities and just focus on those.

You can send all of your alerts to SIEM solutions if you want, but I recommend even if you do that, figuring out what matters and just work on. Interesting.

Ashish Rajan: so going back to people, process technology, this is definitely not a technology.

Gaurav Kumar: I think, depending upon who you ask, people, incentives are aligned in a different way.

Like if you ask me, like somebody like [00:28:00] a manager of security or something like our director or VP or person who is trying to become like, in the security space, he or she might say that, oh, this seems like a people problem. I wish I had more people or I could train people. I need people.

It’s those people in problem. If you ask a consulting company, they will say, oh, this is a process problem. If you just buy our consulting service, in three months we’re going to give you this very tricky. And then your problem will be gone. If you ask a vendor, and these days if you just throw a stone, it will likely hit a cloud security vendor.

You will find that this is a technology problem, but in reality, things are just very complicated and they are all interconnected. I think it is people process and technology problem. It’s not just.

Ashish Rajan: Yeah, that’s a great answer as well, because you gotta like hit different nails at layers as there as well

So that’s kind of what I had the time for. So I just want to go into some of the fun questions, so we will get to know you a bit more as well.

I know some people may already know you from before, but it’d be good for new folks to get to know you. Just three questions, not too many. The [00:29:00] first question that I have is, where do you spend most of your time when you’re not working on normalizing the alert fatigue of the world for people?

Gaurav Kumar: Oh, well, that’s probably a very difficult question because that’s all I think about, especially as I’ve been working from home these days. I imagine that the only thing that’s going on in people’s minds, like how do I keep my. Yeah. Well, I do, I think, spend a lot of time just learning new things. I just have this knack of learning some really arcane things which have nothing to do with computer science, software security, nothing.

So I’ve been gardening a lot. So I’m learning about plants, vegetables, and how to grow them. And I like to be fairly scientific about it. So I sign up on these different courses online. And so one of those auto-watering things where, at a certain point in time, it just waters the plant.

’Cause I totally kill off a little bit of a manual. I can enjoy the process. So I actually like to know like, okay, how often I should water this thing. And I do a little bit of A/B testing with my plants too. Like one plant will get this much [00:30:00] water, one will get more water, and then see, okay, which one is doing better?

Ashish Rajan: I’ll let you do A/B testing with your water. The next question that I have is, what is something that you’re proud of, but it’s not on your social media? I just came back on social media on Twitter.

Gaurav Kumar: So I’m not really, and I’m on LinkedIn only. I’m not on Facebook or anything, but what am I proud of? That is one bad at the moment on the, on the immediate, I just said that. Gosh, I would say that I have become a fairly minimalist person and I’m very proud of it. I just don’t need things anymore. So personally that has been the biggest, I would say, help to my mental health and everything.

Yeah. And I just donate a lot. I do a lot of charity work now, so rather than getting things, it’s the giving away of things that had to be, I would say. Oh, man.

Ashish Rajan: That’s pretty awesome. And so I was like, you’re going up Maslow’s hierarchy of needs, as I say. So like, no, it’s not about, yeah. It’s pretty awesome, man.

Thanks for sharing that as well. One final question. What’s your favorite cuisine or restaurant that you can share?

Gaurav Kumar: But last time I said coffee is not going to change an answer. So my favorite

[00:31:00] coffee. Yes.

Coffee as well. Yeah. So those of you who are in the US, there’s a coffee roasting company called Blue Bottle. And they have this Night Light Decaf. So if you are, if you want a decaf coffee, I highly recommend ordering this Night Light Decaf. It has such an old north soft creme brulee and it’s decaf. So you can probably drink it as much as you want or more.

Wow. But by the way, a fun fact, Blue Bottle is an Australian company, or at least started by an Australian. Yeah. Yeah, yeah. That’s right. No, so they’re just saying, so that’s why wasn’t coffee, the sheets. It was like, if you live in Melbourne, you cannot get away with not having a good coffee every day.

So I’m, I’m bad. Your favorite Australian brand Fritz for your favorite coffee brand is those tailing coffee brands. That’s great for me to hear as online, but for people who may not have, may have more questions about the whole alert fatigue side implementing or operationalizing cloud security tools.

Malbec. Where can we find you, man? Where can we reach out to you?

on LinkedIn. I’m fairly like, I think that you can connect me, follow, just send me a message. Most awesome. And I think I enjoyed my conversation cause that’s, I feel like [00:32:00] this was a topic that I wanted to cover for sure, because a lot of us have been talking about tooling for time.

Ashish Rajan: It’s about use this, use that, but no one has taken the step back and gone, Hey, is this really the way we wanted this to function? So I’m glad I could bring you on to talk about it. But that’s all we had time for to integrate showman. I’m hoping to kind of bring you again and maybe have a similar conversation, but for everyone else, I will see you on the next weekend’s episode.

Thanks so much for hanging out. Thanks to all of you guys for joining us as well. We will see you on the next weekend’s episode; until then, stay safe and have a good one. Thanks. Thanks everyone.