Real-World Cloud Threats and Multi-Cloud Defense in 2024

We spoke to Chris Hosking, AI and Cloud Evangelist at SentinelOne, about why Cloud Security Posture Management (CSPM) is no longer sufficient in today's rapidly changing cloud environment, stating bluntly that "CSPM is dead." Ashish and Chris chatted about the rise of Cloud-Native Application Protection Platforms (CNAPP) and how they are critical for integrating infrastructure as code (IaC), runtime security, and vulnerability management across multi-cloud and hybrid environments. Chris also shares his perspective on the evolution of cloud attacks, emphasizing how threat actors are becoming more sophisticated, leveraging cloud-native tooling, and targeting misconfigurations and vulnerabilities in ways that were previously unseen. The conversation also covers the increasing complexity of multi-cloud and hybrid cloud setups and the need to build more resilient cloud defense strategies for 2024 and beyond.

Questions asked:
00:00 Introduction
02:43 A bit about Chris Hosking
03:16 Is CSPM Dead?
04:08 Attacks expected in Olympics 2024
06:15 CSPM should be embedded
07:56 How has the attack landscape changed?
10:36 The evolution of CSPM
13:17 Time to respond to Cloud Security Incidents
14:00 Where to start for Cloud Security Program?
17:26 Consolidation of Cloud Security Tools
18:51 Where is the Cloud Security Tooling space headed?
23:52 Building vs buying Cloud Security Tools
26:35 Where does the security data lake fit in?  
27:57 Keeping up with the changing cloud landscape
30:05 The Fun Section

Chris Hosking: [00:00:00] I always find it hilarious, like everyone talks about cloud containers, cutting edge, and it's Buh, EC2 had its 17th birthday recently. It's not brand new stuff. This is going to sound like I'm going in two directions, but I think we need to embrace the fact that we're going to be multi cloud.

We need CNAPP to be able to have conversations about the pipeline, conversations about infrastructure as code, and conversations about runtime. But more importantly than needing CSPM, CIEM, runtime security, is how you tie all of those together.

Ashish Rajan: CSPM or Cloud Security Posture Manager is dead. Yes, you heard that right.

Now, this is not a clickbait, but I just want to let you know that it's like the same thing what happened with Excel, PowerPoint, and Word. It just sounds confusing. Let me just clarify that for you. These days, you would not find anyone put PowerPoint, Excel, Word in their resume, the same way in a cloud environment.

It's expected that the CSPM challenges that we had, at least the very first version of it, that has been taken care of. And there are multiple versions to it. There's whole generations of CSPM that [00:01:00] happened and you can definitely start Googling and YouTubing on the four generations of CSPM as well. In this particular conversation, we spoke about how the attack vectors of cloud are no longer just an S3 misconfiguration.

They could originate in your cloud, come back into your on premise environment, and then back onto your cloud environment. There could be a lot more complexity to the attack path that exists in any environment out there, especially in an enterprise space where we're looking at multi cloud hybrid environments, we're looking at environments where there are complexity for Kubernetes, containers, AI, cloud, multi cloud, hybrid, private cloud tour, all of that in there.

In this particular conversation, I had Chris Hosking, who is the evangelist for AI and cloud from SentinelOne. And we spoke about the different evolutions of CSPM and it's moved over from just starting off as giving you a picture of visibility, all the way to today where we are in that CNAPP generation.

Some might even say we are evolving with CNAPP and AI and CNAPP and edge security. There's a lot more versions to it. In this particular conversation with Chris, we spoke about how it is [00:02:00] evolving, what should CISOs be doing as they build a cloud security program for 2024, and what kind of threats that they should be preparing for, whether tools are the right way to start.

Is it people process first? Isn't that what we really care about in the beginning as a leader? If you're thinking about how far CSPM has come in that it is dead as it stands today, this is the episode for you. I had a great conversation with Chris and I think you'll enjoy this episode as well.

And as always, if you are here for the second or third time, I would really appreciate if you're watching this on YouTube or LinkedIn, definitely give us a follow, subscribe. But if you are listening to this on iTunes or Spotify, definitely leave us a review or rating, it definitely helps more people find out about cloud security and cloud security podcast work that we're doing over here.

I really appreciate the share that you do. Chris, welcome to the show. Thank you for coming on, man.

Chris Hosking: Thank you very much. Thanks for having me.

Ashish Rajan: And maybe if you can share a bit about yourself and your background, so that people have some context about where you're coming from. So that'll be great, man.

Chris Hosking: Hey, I'm Chris Hosking,

AI and Cloud Security Evangelist for SentinelOne, which is a ridiculous title.

I know it's a ridiculous title, but it basically means that I talk to a lot of security teams, cloud teams, [00:03:00] DevSecOps teams day in and day out about how they're building their, like, cloud defense strategy, essentially. And I also talk about what we're doing in that space as well as a vendor.

Not that we can solve all of the world's problems. People process technology. We're only going to help out in a little bit, but I also talk about what we do in that space as well.

Ashish Rajan: And because you're talking about CSPM. I'm going to throw a word out there saying CSPM is dead. Do you agree?

Chris Hosking: I'd say CSPM is noisy.

I don't know how many people are buying standalone CSPMs anymore is what I would say. So I'd say CSPM is absolutely dead. Yeah. But it's absolutely a capability that's required within CNAPP.

Ashish Rajan: Yeah, I would say this as well.

It's like saying, I don't write my resume, Excel, Word, PowerPoint anymore. It's just expected it would be there.

I feel like CSPM is in that level where you should just have it. Yeah. Whatever you're doing right now for cloud security, it should already be a capability in there.

Chris Hosking: Yeah, and it just needs to be a part of what anyone has for effective cloud security.

Ashish Rajan: And maybe it's a good point to bring in because you talk about a lot of the attacks that happen.

Yeah. Before we started recording, we were talking about the Olympic attacks as well. [00:04:00] Yeah. And that was an interesting start. I'm sure everybody curious fact, you basically shared a number for the number of attacks that are expected in Olympics. What was the number again?

Chris Hosking: Oh, so yeah, I'm a little bit Olympics obsessed at the moment because it's on brand.

Beijing reported 12 mil, about 210, 250, 220 was what London reported. And then Tokyo reported 450 million, which is the highest reported to date. Which is about, 2.5x larger than London, but 450 million is what Tokyo saw.

Wow. Yeah. And we haven't even got the stats for Paris yet.

Yeah. Who knows when we'll get the stats for Paris?

Yeah. But they've done so much work. 17 million dollars invested into building out the SOC. Twelve and a half thousand workstations that are putting telemetry into that, as well as so many other systems of record, right? Yeah. Madness, the size and scale of the security for the Olympics.

Ashish Rajan: Yeah. So that is also the size and scale is a good segment of the cloud space as well.

It's like the reason I wanted to start on the attack path was also because a lot of people rely on MITRE ATT&CK framework. Yeah. And we were talking about the whole, hey, aren't there like just four ways to [00:05:00] solve this problem? And I would love for you to share the four ways and what you found was interesting in there as well.

Chris Hosking: Yeah, sure. Yeah, there absolutely has been four waves of CSPM that have responded to the MITRE ATT&CK techniques. But what I love about the MITRE ATT&CK techniques is it's not made up. It's not hey, someone's done a POC of you might be able to do this backdoor with eBPF in a container. No, it's not some university like it's if it makes it into the threat matrix, it's because we've seen it in the wild.

And what I think is really interesting about looking at those tactics and techniques, if we look at containers, it's gone from 28 to 39 techniques in the last two and a half years, cloud's gone from 50 to 61. So we're like literally seeing an expansion within the last two and a half years of the way in which people are first up attacking cloud environments and container environments, but also then like doing the next bit of reconnaissance, lateral movement, persistence grabbing creds, like moving around from there, that's really expanded out.

Ashish Rajan: Oh so the techniques within it has expanded?

Chris Hosking: Yeah, so there's literal, literally been an expansion of the [00:06:00] different techniques we're within initial access.

Ashish Rajan: Yeah.

Chris Hosking: Privilege escalation, lateral movement, discovery, reconnaissance, like all of those that those have expanded. So we're seeing more and more ways in which attacks are unfolding essentially in container, in cloud environments, as in container threat matrices.

Ashish Rajan: And considering we live in a world where space is saying the current version of CSPM should just be an embedded capability.

Chris Hosking: Yeah. Yeah. And so the reason why CSPM needs to be embedded because we'll also CSPM needs to have some understanding of vulnerabilities as well is because these cloud attacks that are happening, they're not just someone left a door open. And, or someone left something misconfigured and now someone's running crypto mining on your containers.

It's no, people are going to leverage hunting for temporary security credentials to then go and bump up their admin access rights and do lateral movement and head towards your host from a container and then see what they can achieve. And then maybe do data exfil like people are also, they're using AWS CLI utility, they're using Boto3, they're using systems manager inventory, like they're using us tooling and changing services.

Ashish Rajan: [00:07:00] Yeah.

Chris Hosking: So first of all, for CSPM, if an attack is changing and hunting for creds and then changing services, I now have this challenge where I don't want to just look at what's misconfigured because I've misconfigured it. Or my dev team has or my cloud team or my infra team has, but what elements in my cloud were compromised artifacts from someone externally changing things?

There's a difference between, I left my S3 open and unencrypted, which hopefully we're far beyond that. Hopefully. Yeah. Hopefully to someone else has done that to make data exfil easier for them after, maybe they've achieved remote code execution because of vulnerability. Yeah. They pinged IMDS, they've gotten temporary creds and now they're changing things, right?

So we need to look between what's the difference of messiness in the cloud that I've brought to the cloud versus what messiness might be from outside.

Ashish Rajan: Interesting. Are there examples of, and I'm glad you mentioned the whole S3 bucket misconfiguration thing as well. I feel like we've gone far from a situation where we might end up in an S3 bucket being misconfigured.

Chris Hosking: Yeah, hopefully.

Ashish Rajan: But what are some of the threats for our people? We obviously spoke about the Olympic attacks, [00:08:00] but I think in the cloud context, what has changed for the type of attacks that are being seen now? Is the ransomware still there? Is there like, what's going on? In terms of I think you and I have spoken a lot about the kind of attacks that happen.

So I'm curious if you want to share some of those examples as well.

Chris Hosking: Yeah, sure. Ransomware is a good example, right? Because we're seeing Linux variants of ransomware, which we didn't always see. So for example, BlackCat ransomware as a service operator gang, they pulled an exit scam off the Change Healthcare hack a couple months ago, but they were prolific, written in Rust out via ransomware so that it can target Linux environments.

But as an example of an attack, the Roasted 0ktapus threat actor who's known, they've got a UNC number. They're also known as Scattered Spider. They're the guys that did MGM, which is, now hosting Black Hat, not a threat, not a nation state. This is teenagers, 18 to 25 American, UK, Australian.

Ashish Rajan: Yeah.

Chris Hosking: Usually what they do is they start by smishing. In one example, they had an American technology firm. They hit up, they got Azure AD credentials through smishing SSO into AWS IAM. They use systems manager inventory to start their reconnaissance. [00:09:00] They created a brand new user. They added MFA to that user, which is like.

Who adds MFA as part of an attack, but it's because we're probably using a CSPM to see who doesn't have MFA. So they had one, but they bumped up admin access rights and they successfully disabled GuardDuty. They unsuccessfully disabled CloudTrail, and then they use some remote access tooling and some cloud orchestration tooling to drop the ransomware.

Back into the on prem dev environment and into S3. Oh, and also I should say, they also created a brand new EC2 and a new security group to allow for a backdoor. So we're seeing like US native tooling being used. We're seeing them change permissions. We're seeing them change cloud identity. We're seeing them do a really sophisticated reconnaissance, right?

All for their own goal to hit up the on prem environment again, and to lock up cloud object storage. And it's what that tells us is they know they can get away with targeting the cloud environment because they don't think they're going to get caught. Whereas they'll probably get caught quite quickly doing SSH, on prem to on prem stuff.

They think they can wait in the [00:10:00] cloud and not get caught, but they're going to leverage and modify and disable cloud services and change them. Like the new security group at the back door of a virtual machine to make sure that they've got another way in. That's the nature of these attacks.

And so within the context of a CSPM, it's okay great. I've now got to look at changing identity permissions. I've got to look at what new infrastructure is being spun up. I've got to look at, is there a credential that's being used? Or is there a remote code execution? There's just so many different things I need to look for.

And the CSPM just isn't built for that, right? Like it was built to make sure we're clean. Not in any measure like try and respond to an attack like that. Yeah, it's just not how it's how the tool's built.

Ashish Rajan: Where do you see the evolution of CSPM?

Where was it? And where's it going?

Chris Hosking: And I think that evolution is happening because of what I just talked about, right?

That like we now need so much more from our cloud tooling than we ever previously did. I always find it hilarious. Everyone talks about cloud containers cutting edge and it's EC2 had its 17th birthday recently. It's not brand new stuff, but I think a lot of cloud tooling was built originally for how do we build clean?

How do we stay clean?

Ashish Rajan: Yeah,

Chris Hosking: and so I think the very first evolution that [00:11:00] phase one CSPM was just like hey How far am I from god if god is NIST or ISO or SOC or well architected? Yeah, and that's all it did on the tin right was just like hey, let's look at my environment. How far away am I?

Ashish Rajan: Yeah,

Chris Hosking: and I think phase two we start to get let's prioritize things a little let's operationalize this.

So you then get like ITSM integration, you get workflows that you can start to run. You get custom policies that you can build yourself.

All of that is phase two. And then there's a blurred line for me between phase two and phase three of let's then add in a view of vulnerabilities as well.

And let's start to have a visualization. And this is where you start to get, asset inventory, cloud asset inventory as well. Phase four with all of that information is then prioritization. The next level of prioritization, not just like severe, but something like what might be a poisonous combination of misconfigurations and vulnerabilities together and attack paths.

I think the big thing that phase four brought for CSPM was like, [00:12:00] What's a theoretical thing that could happen to you with where's vulnerable, where's misconfigured and what's the like the tree map of identities and privileges and permissions that could spell out a problem for you, right? And I think where phase five is and humbly, I think SentinelOne is doing some really cool things in phase five.

I don't want to just sit here and be like, chat about my company the whole time is that I think if an attack path is theoretical, you can't spend all your time validating a

Ashish Rajan: false positive,

Chris Hosking: false positives. That was, that's always been the problem with CSPMs, right? It's just noise of like you plug it in and you get three and a half thousand things about this is where we need to clean up the environment.

And so I think what phase five is for me is how can we look at vulnerabilities, misconfigurations relationships between assets, public facing identity, permissions, privileges, and then take away the legwork to validate that by doing that autonomously.

Ashish Rajan: Yeah, because I think it goes back to what you were saying about the type of attacks that are going on these days. It's not as simple as an S3 bucket has been misconfigured. It's a lot more [00:13:00] complexity in there. And the fact that it's a group of script kiddies on the internet believe that they cannot be caught in the cloud because they know there's a wall of red in front of a cloud security engineer or a SOC person out there who's gonna I've got 20,000 alerts to go through.

There's no way. I'm going to get to this. So they have a lot more. Is there some stat on this? I wonder how long does it take before something gets picked up by from a cloud security? Because was that was it a Verizon report or something?

Chris Hosking: There was a really cool Cloud Security Alliance report that I saw a while ago.

I don't have the numbers like in my head. But the timeframes are just quite shocking of how long it takes for SOC to realize there's something going wrong in the cloud. And then they've got to figure out who to go to. Yeah, a lot of the SOC teams aren't cloud sufficient. And we see the same thing.

Every time something like XZ or Log4J it's like, where does this thing exist in prod? What's happening around it? Where do I need to clean up my pipeline? And those three questions are five different teams and 72 hours. And it's that's very clearly a problem.

Ashish Rajan: Yeah. Yeah.

Chris Hosking: Of DevOps versus SOC versus Infra versus cloud, if [00:14:00] there's a cloud team, like

Ashish Rajan: How would you describe because obviously these days for most enterprises standard is multi cloud hybrid cloud is actually a thing and we're just basically talking assuming S3 bucket, it may sound like we're primarily focusing on AWS, but the reality these days is that it's multi cloud, it's hybrid and clearly the example you gave earlier of the attack path went into the hybrid mode as well.

We haven't even added more clouds in there. So as more clouds are being added, how is this evolving? And what should someone consider as part of the cloud security program for this. People are obviously trying there's a stat that came out from the recent earnings report from Amazon that 85 percent of the world is still on data centers.

So a lot of them are trying to move into cloud or perhaps today is the day they decide, actually, I should make a cloud security program. What would you say are the things they should consider in there? Considering now that we know that, hey, CSPM is going towards evolution and I'm sure there's a product in each of those phases that continues to be in that phases.

Chris Hosking: Yeah.

Ashish Rajan: Where do you recommend they start and what should be things they should [00:15:00] consider for the cloud security program?

Chris Hosking: This is going to sound like I'm going in two directions, but I think we need to embrace the fact that we're going to be multi cloud. That's the reality of a lot of companies. So I don't think there's the way forward is to try and standardize by saying.

One cloud only and maybe one set of security tools. That's just not going to be what cloud and DevOps teams want to build with.

Ashish Rajan: Yeah,

Chris Hosking: I talked to so many organizations that love Google Cloud for some of the things that they do around supply chain and ERP. But then they're building in Azure and then they've got, a little bit of OpenShift that may come up to Azure may go to AWS like they don't know yet.

Yeah, but the. Shifting that on prem OpenShift stuff. So I think the security team shouldn't push for standardization of the cloud platforms that are being adopted, but should see where they can push for standardization and things like the DevSecOps pipeline of, Hey, can we all agree on the same thing?

Registry or the same tooling that we're all using so that we can start to put in best practices. But for me, it's really not about saying, Hey, get the SentinelOne CNAPP. I'd love to be able to [00:16:00] say that. It's about Hey, you've got people in processes that you need to fix.

Ashish Rajan: Yeah.

Chris Hosking: And it's about how are you going to build RACI matrices between these teams?

Ashish Rajan: Yeah.

Chris Hosking: If you are going to have a separate DevSecOps team, that's going to be about build clean. Stay clean.

Ashish Rajan: Yeah.

Chris Hosking: Separate to a cloud security team and maybe separate to a SOC analyst team. It's then what do I need to make sure that those teams can really efficiently work together of let's ensure maybe that there's a handshake between understanding if there's any incidents in runtime, how can we quickly pivot to the project if, and that might be about an integration with a vendor like Snyk, I think as you're building out your cloud security practice, you've got to look at what all teams do you have and how are you going to best have them work together for best practices, but also for the worst of days?

I feel like a lot of people prep for

Ashish Rajan: Best times.

Chris Hosking: Best times. Yes. And it's no, let's also prep for we find something awful out on a Friday because it's always a Friday.

Ashish Rajan: Yeah.

Chris Hosking: Who's going to find it first? Who do they then consult? The RACI matrix of who all do we need in a room to quickly clean [00:17:00] up?

Ashish Rajan: You touched on something interesting right there as well about the multi cloud challenge also brings in and not use the same security tool. Were you referring more in the context of being cloud native as well? Like a lot of the things are, hey, your cloud provider does give you threat intel and all these other technologies which are native to them.

But the moment you start expanding into Azure or AWS or GCP and all of them combined and your hybrid environment in there as well, suddenly the water is quite muddy now.

Chris Hosking: Yeah, exactly. An over reliance on tooling from cloud service providers can be dangerous if you're then going to have three different cloud providers plus containers running on prem.

Like that could be quite dangerous. That being said, there's phenomenal tooling that I love. And I think for me, there's a really interesting stat from Gartner actually about consolidation of cloud security tools. They said, Hey, it was an average of 10 in 2022. We think it's gonna be three or fewer by the end of next year.

Oh, I think we're not on that timeline. But certainly like people are trying to consolidate. But I think there's potentially an issue in security teams [00:18:00] saying, Hey, this is the one CNAPP we're going to use. Everyone has to get on board developers as well. When it's hold on, that may not fit within their workflow.

And if there are tools that the development teams love in Snyk and Clair and Trivy, whatever they might be open source tooling that they might love, it's let's figure out how we can integrate those into the CNAPP that maybe the cloud security team and SOC team need that the DevSecOps team may not want to use.

And so it's about let's not necessarily bully everyone into using one tool that theoretically could cover everything. Let's make sure that everyone can work together. So the CNAPP is still going to have visibility into the pipeline, into the health of container images, into infrastructure as code, but to leverage working relationships rather than to replace any existing tooling that maybe you shouldn't be getting rid of that the development team love.

Ashish Rajan: Interesting.

Chris Hosking: And that might be the wrong thing to say as a security vendor,

Ashish Rajan: it's like, it is the truth as well. But also to what you said, jumping onto a tool probably is not the right step to begin with as well. I think that's where I'm going with this as well. Because [00:19:00] as they standardize more, there will be Terraform.

It should be IaC languages. And now suddenly the infrastructure as code. I think you hit on the nail by saying, start with your DevOps pipeline, if you can do DevSecOps there. If you can build a CICD pipeline. How are these applications being deployed in the first place? In terms of the multi cloud challenges space as well, Do you find, where is this going then?

Cause as to what you said, it sounds like there's a lot more complexity being added and Gartner is saying everything is going to get combined into five or six or whatever. How do you see this environment shape? I remember we spoke about the CSPM evolution. Do you see the evolution in the cloud security space as well in terms of it's going to become more than infrastructure security conversation?

Chris Hosking: Yeah, absolutely. We need CNAPP to be able to have conversations about the pipeline conversations about infrastructure as code and conversations about runtime. But more importantly than needing CSPM, CIEM, runtime security is how you tie all of those together, right? Of Hey, if we do have something that's going wrong in a container environment, I need to have that KSPM [00:20:00] view.

That vulnerability view, that misconfiguration view, and runtime telemetry all in one.

Ashish Rajan: Yeah.

Chris Hosking: But beyond that, I then need to be able to make all that information useful. Yeah. I need to be able to have something that has enough teeth to kill processes as they're running it. If bash is happening, let's kill that bash.

Yeah. Not kill the container, but kill the bash. But then I need to be able to really easily pivot to what do I need to clean up where? Is it IaC that I need to clean up? Is it container image that I need to fix and repush?

Ashish Rajan: Yeah.

Chris Hosking: And I think that's the next evolution of CNAPP for me is not just how do we shift security left, not just how do we have runtime security and all of the middle part, but how do we have better respond left?

I like to call it right of like when something does go wrong, respond to remediate in prod and then respond left into the pipeline. And I think that's, we're on the cutting edge of it now. I think that's where the whole market's gonna go.

Ashish Rajan: So to your point then, for people who are trying to explore this today, how do you separate the signal from the noise then? In terms of what's the right way, and maybe to what you said, [00:21:00] the people process technology part. Yeah, people and process part, there's a skill set requirement there as well, which we haven't even touched on yet, but they might have to consider that in their cloud security program.

Is there something missing on the, as now that we're in the next evolution, CSPM, CNAPP, there's be a lot of signal versus noise conversation, where am I landing with this? Do I need a CSPM right now? And if I don't have one, like at what stage do, does one even need to think about it or start thinking about this?

Is it a multi cloud problem or is it a, if I have a single cloud, I just go cloud native only?

Chris Hosking: I think everyone needs to have a CNAPP approach at some point because we're going to need to have a look at within the same context of everything, misconfigurations, vulnerabilities, runtime telemetry.

That's just, what's needed if certainly if you're embracing multi cloud that can't then be through one of the cloud service provider because there's some limitations there, but it needs to have teeth from the onset. It can't just be visibility only like a lot of cloud security sort of starts with visibility ends with visibility, which is like absolutely.

I want to know about all of my assets. I want [00:22:00] to know about my sprawl. I want to know about spin up, spin down. See everything. Yeah, but I need to be able to take action. And so I think for a lot of organizations, I see a lot of organizations say, Hey, the environment's ephemeral for now or too small for now.

We're not gonna invest in cloud tooling. And it's hold on, you're going to be building out this large around. Start building the program now so you can build those fledgling relationships between when something goes wrong. How does SOC put a stop to it? And then find the right person in dev to push something new, use that to your benefit that it's small now to get action on those baby legs, right?

Let's get some miles under us of having a CNAPP in front of us. That's going to find something, kill something and then show us the path to remediation.

Ashish Rajan: Yeah,

Chris Hosking: but more importantly, like having the technology is one thing. Let's use that to build those working relationships between SOC and cloud, SOC and DevSecOps.

Ashish Rajan: Yeah.

Chris Hosking: With ITSM integration so that we now know Hey great, that flow really worked off into Jira or that really worked to send an email with a link [00:23:00] that bam, you click it and it goes right into the Snyk project for the exact developer that's working with instructions on, which package, which layer, which volume

Ashish Rajan: yeah,

Chris Hosking: let's get, those miles as you build out a team, which is then a very different challenge to people that are in the trenches right now that are multi cloud right now that have all these different solutions.

It's you still got the challenge

Ashish Rajan: and

Chris Hosking: my advice to those teams is look at what's not currently working. Does your SOC team have enough true signals within the noise, or are they just inundated with a bunch of telemetry that they don't know what to do with? Where are things falling down?

And then once you figure out what's working down, then you can start to look at CNAPPs. Because for me, I've seen all these Excel spreadsheets. I'm like, I need all these capabilities. It's yeah, we all need a lot of cloud security capabilities. But more than capabilities, we need outcomes, right?

Ashish Rajan: Yeah.

Chris Hosking: And so it's work out what's not working, what you need to improve on, and then find a CNAPP vendor that's going to help you with those specifically, is what I would say.

Ashish Rajan: Because you've covered all three people, process, technology, this is a cloud security program that people are building towards.

Obviously, there's a skills angle. [00:24:00] There is a process because now you're suddenly bringing all these stakeholders that you may not have interacted with as much before. It's an ownership question. Then you go into the whole tools part for, okay, you're probably looking at a CNAPP of, clearly, when you're starting off, because you're moving to one or more.

And if you are doing multi cloud, you're definitely going to see a CNAPP at that point in time. For people who are probably on that whole build versus buy pedestal, where I can build this shit. What's the challenge there? And what's the I guess I totally understand when some people feel like we have the engineering capability, so all the power to them for that as well.

Where do you stand on that whole people who are still unsure about whether I should build this or buy something in this?

Chris Hosking: I have seen people nail building it. Kill it.

Ashish Rajan: Yeah.

Chris Hosking: When we were at that like phase two of CSPM of hey, I just need something that's going to assess the environment of my cloud, my business apps that I'm building my web apps.

I'm going to have these set of policies that I want to follow. I don't care about, NIST or ISO. I care about what I feel security should look like. Yeah, I think people killed it at that. Like I did see some really great build [00:25:00] solutions then the problem is nowadays we've got to look at too many things.

As I've said, we've got to have real time telemetry of what's going on across computing container with the ability to step in and have teeth and make changes. We've got to look at configuration. We've got to look at public access, interconnected relationships, vulnerabilities, images, IAC, what's going on the pipeline, registries, repos, credentials, secrets across all that environment plus live.

I don't see how you can build tooling that's going to help you with going to help achieve that maybe visibility. But even then, and also if we push all of that information to a SIEM, you say, Hey, I've got logging from my cloud environment. Yeah, push that to the SIEM. Hey, I've got an EDR sensor that does just fine on Linux.

Why don't I push that to the SIEM too? I've got a CSPM that also does a little bit of, side scanning of vulnerabilities. We're putting an incredibly large burden on a SIEM to find attacks that are literally evolving in front of us with a tool that isn't built to then allow for those use [00:26:00] cases of bringing those teams closer together, building those RACI matrices.

So I would say, I would not recommend building, I also wouldn't recommend just like pushing everything to the SIEM and hoping the SIEM's going to sort things out because that's crazy talk the best we could potentially do is because there are some really interesting evolutions in GenAI on top of SIEMs, you could potentially be able to query that yourself, but to really operationalize cloud security and get those handshakes of we've stopped something.

Let's find the owner. Let's have them fix it. Let's show them why it's important that they fix it. Let's go. I don't see that happening from a SIEM. That's going to happen from a CNAPP

Ashish Rajan: Where does the whole security data lake come into this? Cause you know how, there's that aspect as well.

The SIEM solution. People are like, Oh no, I'm going to build a security lake. I'm going to just query the shit out of it as well.

Chris Hosking: While I absolutely don't believe that SIEM is the way forward for cloud security, I absolutely think that a security data lake is the way forward for enterprise security.

Because as I said, in my own example that I gave, people are pivoting from on prem to the cloud back to on prem or [00:27:00] on prem to cloud. And then, storage, which is still in cloud, but like we're seeing attacks that start with identity or that evolve. And I think where we really need a security data lake and the ability to query that in natural language, hopefully with an autonomous SOC analyst working alongside us is to have a broader scope of cloud sits within enterprise security.

It's not just my world of Azure and IAC and Azure container registry. It's a developer environment as well.

Ashish Rajan: Yeah,

Chris Hosking: credentials that are regular credentials aside from cloud credentials and cloud permissions and cloud identity. And so I think the security data lake is absolutely necessary, but for me, that's about when we want to see the scope of the attack within the context of enterprise architecture of I'm now gonna, I now have to look at more things, but certainly when I'm want to tee together what's going on, how do I reduce risk before the fact?

How do I respond to something after the fact? That's all pure CNAPP for me.

Ashish Rajan: Yeah, which kind of makes sense also because I think another [00:28:00] aspect which people should consider, and this is probably to what you said about the problem with phase two was we just always assumed the cloud provider is going to remain static.

They would never add any more services. They would never progress from the S3 bucket that they had or 17 years ago when they started EC2 instances, there was never going to be a iteration where they were actually getting into the older instances as well. Even that is a moving target.

Chris Hosking: Yeah, 100%. And that's why we see things like AI-SPM now as well and AI SBOM. And when I'm looking at configuration, it's not just CSPM, there's KSPM as well. Let's make sure I'm not running containers as root, like still on my bare metal machines as well. And so it's hold on.

We've got a sort of larger view of what we need in terms of health and configuration that needs serious prioritization and validation as well, because it can't just all be noise. And it then needs to be connected to everything else so that I can build a cloud defense that's both proactive and then let me try and radically reduce my cloud attack surface.

As I live and breathe, but let me be incredibly ready for the attack that does come. Because as much as we'd like [00:29:00] to say, if you clean, nothing will happen things will happen that's the nature of the beast.

Ashish Rajan: Yeah, and funny enough, one of the conversations that I had at Black Hat where we are, was more on the fact that people assume that, oh, if I put AI threat would stop coming over because I've got an AI or I've got automated or whatever way to look at any other problem.

The thing the person said was there's a human at the end of this behind this, with a motive or goal. Today is cloud, tomorrow is AI. The day after could be something else. Threats are going to continue to evolve. 100%. And keeping up with it is going to be a challenge when you are doing a buy versus build conversation.

And again, to your point, like there's no bias here. It's more that even as a practitioner, like how often, like we're not all professional chefs and wrestlers and MMA fighters and something else, right? We have focused in on one particular thing and we are really good at it. If I want to know how to make a I don't know, freaking Hawaiian pizza. I go on YouTube and see chef making it. I'm not trying to be the chef out there, right? That's how I describe it. I don't know if you feel the same as well.

Chris Hosking: Certainly cloud security is asking people to wear a lot of hats that we're not ready to wear.

And [00:30:00] so I think we've got to lean on technology a bit to help us with those hats, right?

Ashish Rajan: Yeah, we've touched on all of them as well. But that's most of the technical questions I had. I've got three non technical questions for you. And the first one being, what do you spend most time on when you're not working on evangelizing AI and cloud?

Chris Hosking: I love cooking.

Ashish Rajan: Oh, no. Are you the chef then?

Chris Hosking: Oh yeah. So I am the chef. No, but for me, I don't like following any recipes. So it's let's look at six different recipes for something and then I'll do whatever I want to do.

Ashish Rajan: Your version of it

Chris Hosking: Yeah, exactly. Probably drink too much. No, I do love traveling and I love visiting, fancy restaurants, new bars.

Whatever street food I can find. Oh, nice. So I'm either in my own kitchen or I'm out there. In other people's kitchens. In other people's kitchens or another and that kitchen may well be on, a taco truck. Yeah. With a goat taco and in Brooklyn kind of thing. Oh, nice. But yeah, I do love seeing the world and eating when I'm not chatting cloud attacks

Ashish Rajan: Second question being what is something that you're proud of that is not on social media?

Chris Hosking: Yeah, I've got a small community of friends and we've all done really random journeys from like where we've started to where we are now Okay, and most of us are in doing different [00:31:00] things with security and application modernization, but we all didn't come from technical backgrounds, but I've got, this group of friends that we get to talk about modernizing banking applications.

We get to talk about cloud security. We get to talk about Olympics attacks, but we all come from all these wildly different backgrounds 15 years ago. Oh, wow. And so I do have a small community of my friends, I'm very proud of for what they've been able to achieve and what I've been able to achieve with them as well.

Ashish Rajan: What's your favorite cuisine or restaurant that you can share?

Chris Hosking: Oh, it's got to be Mexican, Mexican all day, every day. Oh, wow. Is that the goat taco that you were referring to earlier? Oh yeah. If at all possible, wherever I am in the world, I try and get my hands on Mexican food, which is a struggle sometimes living in Australia.

That's why I love coming to Vegas, not just for Black Hat or RSA in San Francisco, is I get to run off and have a little Mexican feast. Yeah, actually,

Ashish Rajan: maybe Australians should up their game with Mexican food, though.

Chris Hosking: They're getting better. Yeah. They're getting better.

Ashish Rajan: Taco Bell is not the answer, if anyone's thinking.

If anything, you don't mean Taco Bell, I imagine.

Chris Hosking: Taco Bell is CSPM version 1. We're past that, right?

Ashish Rajan: Where can people find [00:32:00] you on the internet to connect with you and talk more about the space that you're evangelizing?

Chris Hosking: I think LinkedIn is probably the best way to find me. I'm not on X. I haven't quite got there yet.

But LinkedIn, that's where I post all of the webinars that I'm doing. I'm often talking about what do cloud attacks actually look like? How to build those better RACI matrices, Olympics attacks, because at the moment, why not?

Yeah, fair.

But yeah, LinkedIn is always best place to find me.

Ashish Rajan: I will push it on the show notes as well.

Thank you so much for coming on the show. I feel there's another conversation with the complexity of attacks that are there in the cloud space. It's not enough spoken. So I feel there's a second episode as well, but I appreciate you coming on the show. Thank you so much for doing this.

Thank you for listening or watching this episode of Cloud Security Podcast.

We have been running for the past five years, so I'm sure we haven't covered everything cloud security, if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on cloud security bootcamp, definitely reach out to us on info at cloud security podcast.tv

By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, [00:33:00] you might be interested in our sister podcast called AI cybersecurity podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT and everything else continues.

If you have any other suggestions, definitely drop them on info at CloudSecurityPodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.