Comparing Cloud Security Tools: CWPP vs CSPM vs CASB

View Show Notes and Transcript

Episode Description

What We Discuss with Patrick Pushor:

  • 00:00 Intro
  • 02:16 Patrick’s Professional Background
  • 03:42 How Patrick defines Cloud Security
  • 06:29 4 Cs of Cloud Security Tools (CWPP, CSPM, CASB and CNAPP)
  • 09:35 Which Cloud Security tools do you need?
  • 14:51 Challenges with Cloud Security Posture Management (CSPM)?
  • 16:50 What is CNAPP?
  • 19:17 When would you choose CSPM or CNAPP over Cloud Native Tools?
  • 21:53 Challenges with solving Security Posture at Scale
  • 24:14 Challenges with Compliance at Scale
  • 28:42 Challenges with Multi-Cloud environments
  • 31:06 Who manages Cloud Security Tools in an Organisation?
  • 35:41 CSPM & Alert Fatigue
  • 40:20 ORCA CSPM
  • 43:00 The Fun Section
  • And much more…

THANKS, Patrick Pushor!

If you enjoyed this session with Pawel Rzepa, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Patrick Pushor at Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

Ashish Rajan: hey, how’s it going, patrick?

Patrick Pushor: Hello Ashish very, very well. How are you? My friend.

Ashish Rajan: Good, good, good to have you here. I’m going to start with something which is probably a lot of people may not be aware of some of your history before your current job.

So I’m keen to know if you can share. I mean, what was Patrick involvement with CSPM

space and the cloud security space? If you can elaborate a bit more about your professional background.

Patrick Pushor: Sure. Yeah, no, I’d love to you know, I’ve been about, I think this is year 27 in ITyou can, you know, that’s responsible for a lot of things.

For sure. I think that’s all, that’s all IT grey, if not security, grey . I made the move to work exclusively for startups in 2008. Like I got my taste of a first one and I loved it. I have no intention of ever sort of looking back. And I think from a cloud security perspective, the most relevant of those was, was likely dome9, which I guess I started at, I was an early employee there in 2014.

And if you’re sort of familiar with the CSPM space, you know, that it was really three companies that defined it. It was us at Dome9 it was a company called evident IO. And a little bit later, it was a [00:01:00] company called red lock. And all of these companies went on to be bought by kind of larger security companies trying to build out their cloud security portfolio.

Obviously we knew we were doing something right when that happened. But that’s sort of my, you know I, I’m very fortunate that I was lucky to be there at the birth of sort of CSPM and maybe even luckier that what I’m doing now builds on that experience. So directly.

Ashish Rajan: Wow. Okay. So I’m definitely gonna dive into the CSPM space, but maybe this is the question that I asked a lot of people who will come on our show as well.

It’ll be really interesting to get your, so offer doing CSPM from the vendor side, what does cloud security mean for you?

Patrick Pushor: Yeah, that’s a great question. I think about cloud security as the added bucket of things you need on top of what we did in the data center, right? Need some of the same things, but I think we often make this.

Poor assumption that we can drag these tool sets over. And it almost, it’s a bit of an illusion at the start of our sort of cloud journey because they do work at the start, right? Because we’re doing the same thing we did at the data center where we’re building [00:02:00] VMs, we’re building containers where maybe we’re doing something a little bit different where we’re spinning up, you know, like a storage bucket, which is a little bit different than what you do in the data center and behind the firewall.

You know, for me, cloud security is , all the different assumptions, the different tool sets it started for me as, okay, we’ve got this additional plane of concern and that is the cloud provider themselves. Right. I can go and spin up workloads really with zero delay, which is very different than you and I spoke to this when we thought about what we’d speak about, right.

Procurement used to have this kind of delay in infrastructure. This necessarily delay that that meant really, no matter how fast we moved, it really didn’t matter. Right. It was a kind of this necessary a bit of time. We had to take all that’s of course gone credit cards, replace that big procurement window and we can spin up absolutely anything.

And not only those old things we’re used to, but. You know databases as a service, we can long-term store data. We can host our DNS in the cloud. I mean you know, as well as I do the list goes on everything you [00:03:00] could do, the data center, you can absolutely do on any of the big public cloud providers.

And, and we do now, right? So it takes because things are so fast, things are ephemeral. They spin up, they occupy IP address, basically spin down the assumptions. We the tools made in the data center don’t really work. That well, they can, like I say, if you operate things by hand and you’re kind of mimicking what you did in the data center, they can have the illusion of working, but then as you begin to really, let’s be honest.

We didn’t drive to the public cloud at the rate we did to spin up VMs and containers. Right. We, at least the promise and, and I’m going to challenge this a little bit. If we get into it, is that we were going to leave the tech stack to those that did the best and focus on our business.

Right. And that was the promise of the public cloud. I’m not sure. Kubernetes has maybe good evidence. We’re not.

Ashish Rajan: Oh, yeah, we did. We did a whole month on Kubernetes security for, yeah, I can totally say that it’s not perfect yet, but maybe let’s get into the crux of this. And so CSPM CWPP CASB . What else is out there?

And what are these like for people who have no idea?

Patrick Pushor: Yeah, the four CS [00:04:00] well, first let’s lay out high level. They’re all Gartner categories of tools. And we, you know, we’ve largely adopted these because they make a lot of sense that even the traditional tools that we use kind of fall into these categories right or wrong.

But one of these isn’t quite the same as the other. So let’s take CASB out for a second. CASB is is unique in that you know, that’s a cloud access security broker, right? And it’s the broker is the key word that sits between the user and the cloud services they consume. Right. And you just typically log into the CASB or are logged into it directly with their organizational SSO and then it enforces it.

Policies, it does many things, but it enforces those organizational policies as that user goes out and uses the SAS services, right. Including, you know, how much data they can kind of bring outside the organization, what that looks like. Basically extend the organizational security policies to those services.

Important tool, I think just about every organization that leverages SAS, which is let’s face it, everybody. And infrastructure as a service as well. Your, your sys admins would log into the CASBY to log [00:05:00] in to Amazon. For sure. That would be kind of one path, right? You log all their activity that way.

It’s just a great centralized way to govern that activity. And it also prohibits kind of going around that as well and trying to log into those services directly. That’s a unique thing. The rest of the three don’t have anything to do with the end user. And in fact, CNAPP is an umbrella term for the first two plus a little bit more.

So let’s talk. CSPM , and CWPP, they’re kind of the cornerstones of the default set of tools you need for cloud security. Yeah. Yup. CSPM is really about all of the security controls that the knobs, the dials of those services you use at your cloud. Right. So when you this is the part of the example, everyone knows best when you spin up that storage bucket and you open it up to the world CSPM through its myriad of tests.

It does. It’s going to find that and alert you and say, Hey, you know, you’ve got a publicly accessible storage bucket here, and then you’ve got to go and figure out what to do about it. But that’s the role of the CSPM . It does not have any perspective on your. Inside that S3 bucket, for example, or down in your workloads, you know, the operating [00:06:00] system in a VM or even the configuration of a container, there’s a little bit of an asterisk on that statement.

Basically CSPM can tell you about something. If there’s an API call available from the cloud provider, that’s how a CSPM gets its information or follows CloudTrail log or, and, or it’s asking questions of that cloud provider.

Ashish Rajan: Interesting. Yeah. So if that’s the case, that’s my, begs the obvious question.

Do I need all of these? As a CISO I’m looking at this, say, okay, I’ve got the four CS in front of me. Do I need all of these? It’s

Patrick Pushor: a good question. If you’re starting native and you’re not bringing a tool set, I think you do because. The CSPM side again, the way it’s architected is that it has no perspective inside a workload or in a storage bucket of your data. So there’s always the potential that you have a mismatch between kind of the security control and the desired state and the data that’s underneath it. And with the CSBM alone, you’ll never know.

Ashish Rajan: Oh, maybe, maybe a better way to put this across. Maybe let’s start from a scenario then in that case I’m starting cloud security today. I have I guess to your point earlier, [00:07:00] I bought a credit card. I swiped it or decided to go down the path of AWS and I am starting my career in AWS. AWS. Yeah. Do I need CSPM at that point from starting day one today,

Patrick Pushor: probably not.

You probably don’t eat. I think the, my answer to that question has probably changed over time. I think people ask me that kind of in the early days of Dome9 as we were kind of building that tool. And, and honestly, if we hit a customer or a prospect a little bit too early before they felt the pain of scale, And we sort of define that as at that time, you know, kind of in 2014, it was still very much kind of virtual machine and container based.

It was a little bit less kind of service fabric consumption that we see now. So, you know, we base that on that you know, that machine. So I think once you hit that scale, mark, and yeah, we defined it on that virtual machine basis. And in fact, we sort of still do, there are very few cloud native applications that don’t have let’s say at least containers, if not, you know, some EC2kind of instances, there are some absolutely.

And we see more and more, but we built that on that. And we said it was about the point where they had sort of 50 workloads. And let’s define [00:08:00] workload a little bit loosely on purpose is where you started to feel the pain of how do I govern this? You know, let’s not forget every workload has a security group around it.

You can share those, but sometimes you don’t. And so you’d go from, you know, again, if you are moving from that traditional word, you go from managing a pair or for redundancy in the low double digits of firewalls to literally like with 50 workloads, maybe a hundred fighters. Maybe 200 firewalls. Right. And so these aren’t all anticipated and that’s the one, one of many examples.

Right? And so I think around that 50 workload areas, you really start to feel the pain. Now, why did the answer is different now? Is that I think we’re doing a better job at getting to them. Consumer that hasn’t yet made the leap and they’re fewer and fewer, right. That haven’t dabbled at least in, in, in these infrastructure as a service platforms, but we’re doing a better job of evangelizing, I think, right from the start that just adopt it, adopt it now so that you don’t have to sort of retrofit it into your process.

Cause it seems really cool when you start credit swiping, but there is a little bit of governance that makes that process a little bit slower, right? Like you do want to know as you debut these [00:09:00] resources, you want them to have some level of security hardening. You want great visibility over them all. If you’re a multi-cloud.

Consumer as you grow from one platform to two to three to maybe more, you want to govern them all sort of similarly. So as you scale, the challenges really do. They’re huge, but I think we’re doing a better job of just even informing the consumer. That’s just getting there that think about it from the outset and it’ll save you time

Ashish Rajan: oh, actually, that’s interesting because it goes back to what he was saying just before, as well, where CSPM is a great way to look at tools that allow you to use an iCloud cloud API to find your security posture, or at the same time, if you are someone who is new in AWS or any of the cloud for that matter, you don’t really need necessarily in the jump into it to your point, unless you reach a certain workload.

Oh, this is getting to a point where probably I can maintain this on my own anymore. Either I grow a team or I do automation, or I use the CSPM to somehow figure out , how wide my attack surface is. Right?

Patrick Pushor: Yeah. And at some point it grows so big that you’re not [00:10:00] confident. You even know what it is.

Ashish Rajan: Yeah. Or maybe this is where people look what whole visibility thing as well.

Right. Where it kind of goes to. Oh, I dunno how many workload accounts are or I don’t know how many workloads are running at any given point in time because they keep going up and down. So just to even have that precise what are some of the challenges people see in the earlier point?

And I’m curious because you did the Dome9 period, and it seems like you’ve seen a few generations of CSPM as well. What are some of the challenges that people can expect in the beginning of starting their cloud security posture management

Patrick Pushor: yeah, I think without the tool it’s like I suggested before a proliferation of controls, not just security groups, but you know, in inside a VPC, you need a very specific configuration, depending on what you’re doing.

If you want traffic in or out. And, you know, you’ve got similar conventions to what you’re used to, but they’re all expressed differently. They’re all editable by anyone. Who’s got enough access. That’s kind of the other side. It’s not just about. How much infrastructure there is, but there’s , how many people have their hands into this?

How many people do you need? You know, are you thinking at this? Are you thinking like this from the start or out of convenience, are you taking your [00:11:00] built-in administrator level profile and copying it for every user? Right. That’s often how we start. Cause we don’t really understand the implications.

We don’t understand that. Look, these, all I need is one malicious. Actor with a set of credentials and they can do, they don’t even need to know what my network looks like. Why would they, they log into my cloud console and they know everything and they can manipulate everything if I’m depending on how many services I use and DNS is, is a terrible one for this, because it’s sort of the authority for.

Where users get routed based on kind of the name resolution that happens. I mean, if, if someone’s got the keys to that, , they can harvest passwords via kind of, you know, a different route and a malicious site. It’s it’s terrible. There’s a reason we’re focusing on access.

How many times have we heard IAM as the new permineter . Right. And as we talk about CNAPP we’ll talk about a category of tool that gartner thinks that that’s true as well. And that’s part of the reason they’ve kind of made this umbrella category is that makes sure we’re thinking about IAM and entitlements and all that.

Ashish Rajan: Wait. Wait, did we go into, I don’t so maybe it’s a good time to explain CNAPP again.

Patrick Pushor: No, we haven’t. We’re stuck on CSPM . This is the problem with the people that like

Ashish Rajan: I’m like, [00:12:00] I don’t remember what I was talking about. So good segway . What is CNAPP ?

Patrick Pushor: Yeah. So CNAPP is really new. It’s still evolving. It’s an umbrella.

That encompasses CSPM which I think we’ve done a good job of sort of high-level talking about and CWPP, which we haven’t talked about enough yet. We’ll get to it. And a couple of other things and a couple of other things that are sort of on the roadmap. One is CIEM , the identity and entitlements part of this, right.

The identity part. And because it, again, when you have one central login, boy, we’ve got to get that nailed. We really do. We can’t be sloppy, you know, concepts like blast radius, and just how much permission each login has. It’s an effort to fine tune that. But it’s an effort that pays off in space.

Right. If we ever do heaven, forbid , have an issue like that. So, so we’re getting ahead of herself. That’s an see, now let’s talk about CWPP cause it kind of rounds out, you know, that traditional, which is so silly because CSPM is less than 10 years old, but traditionally in cloud lineage, at least bucket.

So CWP PP is exactly the compliment to what a CSPM can’t do. And that is down at the workload level inside of. VMs my [00:13:00] instances and inside of my containers, I have content that the CSPM can’t see now I did say there’s a little asterisk there. As we get to more and more container utilization, container orchestration, these public cloud platforms are doing a better job of.

Being able to host these containers and registries. Amazon, for example, has a feature that you can scan for basic vulnerabilities inside a container that’s inside of ECR. And so because Amazon can do it, you can make an API call to get those results. Some CSPMs now claim they also have CWPP covers. But a consumer has to be careful because they only do where the workload is supported in this way by natively, by their cloud provider.

And they can get the details via API. So, you know, that’s never true for EC2 instances or VMs or, the equivalent on the other. There is no API call that tells me what’s inside that, but there is for some containers because we’re getting smarter about this, you know, at the platform.

Ashish Rajan: Wow. I actually got a question here from Obaid where and why you would choose CSPM CNAPP over [00:14:00] cloud native tools, such as AWS guard duty.

Patrick Pushor: Great question. And real common question. I don’t know if it’s an either or kind of thing. Guard duty. Is this really powerful, but completely black box, a native tool from AWS that looks at your configuration looks at activity via CloudTrail log and looks at network activity as well, and can do some really cool things.

The thing it doesn’t do has have any perspective in your workload. So it can do a little bit of what a CSPM does, but we haven’t even got really into the compliance side of the CSPM and the guard rails and remediation. And there’s a lot of conversation to have kind of on the advanced CSPM side. But remember CSPM has no perspective into the workload.

Neither does guard duty. The CWPP is truly the one thing you can’t do without, because at least at some small scale you can probably get by with the native tools of the cloud provider on the CSPM side, I would say for a very limited time in your scale, but you can.

Ashish Rajan: Perfect. Oh, hopefully Obaid that does answer the question? Feel free to foster followup as woman. Good question as well. [00:15:00] And that kind of takes me to the other point. Yeah. CWPP is an interesting one as well, because if you were to take away, I guess the well, so many seeds now that are evolving, even with theidentity and access management as well.

If I take a step back and we started with a conversation about someone starting today in an AWS environment, one AWS account, simple infrastructure, you probably do not need a CSPM you probably can use cloud natives will choose. Understand a bit like, for example, because they’re on guard duty and you can see what’s happening from a network perspective or other things that Guard Duty can share information on.

But if you say create a lot of resources, even within that one AWS account, you kind of still reach point where. It does quickly go out of your hand and I’m thinking about this, maybe if you follow best practice and instead of creating everything in one AWS account, you start creating multiple AWS accounts, which is where the scale comes in.

What kind of challenges in the beginning can people expect who are looking at solving security posture? Like, I mean, we spoke about visibility. I’m sure [00:16:00] visibility gets even more complex as we kind of go through multiple AWS accounts. Is there anything else that kind of happens? Scale your AWS accounts, even though that’s the best, I mean, quote unquote, best practice from all cloud service providers create more because they don’t charge any more extra

Patrick Pushor: that’s right.

Create more. It limits that blast radius that we sorta talked about a little bit, right? No longer do I have simply one login. There are several, cause there’s one top level root login. We, you know, that always exists now. There’s several, it’s not, one ring to rule them all.

Exactly. Which is great. And that’s why we do that, but you’re right. It’s just more. Organizational challenge. Right? I would say if, if that’s your strategy and I think for the enterprise, that’s your strategy necessarily, but to your point, even if you’re smaller, it might be your strategy from a security and governance perspective.

If that’s your strategy there are some native tools, if you’re a consumer of AWS organizations, for example, they’re high-level tool. Observe that, and sort of allow you to roll out policy across your organization your master in your kind of child accounts, as I think of them, [00:17:00] at least, I don’t know if that’s the right nomenclature.

So, you know, if you do think about a third party tool set, it’s really important to, make sure that it ticks that box and it observes the same thing. And you know, if you are an organization’s customer, you want to make sure that this CSPM or CWPP, or both are bolted to everything. Right.

Don’t allow a shadow account that isn’t governed, make sure that it’s somehow bolted to your AWS organization so that when you spin up a new account, it’s there without having a ticket and someone have to do something manually. Just make sure that if you do go third-party that’s something , that happens.

Ashish Rajan: Also the, scaling it with the newer accounts being created. And cause I guess I’m going to be going to the details of this, but I think my understanding was even with starting a new AWS account, you can automate quite a bit in the provisioning of the account as well. So you can use that as an opportunity to include this conversation as well.

If you’re able to add more things in there now sounds like. We definitely didn’t touch on compliance a bit more, but what does compliance look like at this scale now? Cause I imagine in one AWS account it’s still a data center for comparison stake, but at a scale level, I imagine.

The compliance [00:18:00] complexity increases as well then. So can you touch a bit on that as well?

Patrick Pushor: Yeah. Multi-cloud is where the complexity really jumps. Right. Because you’re trying to govern

Ashish Rajan: yes. And then move on to the multicloud one because that’d be, that’d be interesting as well.

Patrick Pushor: Sounds good.. There’s a compliance piece to every CSPM and there’s a compliance piece to every CWPP on purpose, right? Because a lot of us are governed formally, and we have to observe a data security standards.

Others simply. To adhere to a standard to prove to their stakeholders that we’re taking security seriously. Right. So a lot of people drive this stake between security and compliance. Don’t so much because I think they’re intimately related. They’re so related that I don’t bother doing so, you know, I think there was certainly very different personas about concerns.

Compliance and security, but let’s leave that for maybe another podcast. So yeah, the challenge as you scale, like you say, is simply another account. Often what’ll happen , is like you say, we’ll automate the creation of that account. We’ll even automate the set of base resources via Terraform or cloud formation in that child account.

We’ll put something standards so that, you know, they’re a base set of tools we can use as we go forward. So, you know, There’s a lot to measure. As we scale out, I think the largest [00:19:00] Dome9 customers had, you know, in the high hundreds of accounts because they adopted a cloud first strategy and they use it across every business unit, across every project team, they had central kind of GRC with risk management.

It was a very significant leap for them. And so they, you know, it was, it was absolutely a cloud first process. And, you know, that was with one provider. Wow by now, I can’t imagine their scale. Right. And maybe I’ll have the luxury of having them as a customer again. But so, you know, imagine just the need to govern all of that consistently.

You do need one tool set at that point. I I’m a firm believer that even having a master parent account that has visibility via I am relationships to the rest of these things. Just again, if the promise of the cloud is. Yes. If we didn’t come to build our security tools ourselves, then, you know, I think, I think a third party tool that has that’s built for this purpose built for that.

We hear that a lot. We hear where we’re successful at Orca. We hear that our customers were. Challenged in sort of scotch taping services together to get the visibility they wanted, they could for a [00:20:00] certain amount of time, but they felt like at some point it was out of their control and they really liked how easy Orca was.

And I think that purpose built that way. For sure.

Ashish Rajan: It’s interesting. Cause I always go back to like, I mean, obviously I’m a massive believer open source as well. And. A lot of times every time I do say that, I always add the caveat that, that also means that whoever has written the code for you in the organization is probably I mean, I guess you kind of need to hold it onto them for a long time and make sure they’re really happy because once they move on and then you’re left with this framework behind, you’re not really sure what’s covered, what’s not covered how much documentation is there or not there.

I think at that point, cause I mean, I mean, in my I guess my day job is we use the CSPMs and because it does make sense after a certain scale that , it just goes sort of control. And to your point about it’s not even credit card swiping because even if you use the AWS organization, you’ve logically connected all of them together, but.

If an organization is large enough, there’s already people still coming up with new accounts coming up with new compute instances. AWS keeps coming up with [00:21:00] new compute instances or, I mean all the cloud providers, do , and then you have this compliance piece where in the middle of all of that, that you need to separate out from everything else.

Or maybe sometimes include the entire environment in the compliance standard that to me. And so from a multicloud perspective I’m curious. I mean we get that challenge. That’s why we went on the CSPM part. But apart from compliance, I imagine there are other things as well in the multicloud space where I have AWS Google cloud Azure.

And I’m trying to go security across that for what kind of challenge am I looking at at that point? That at your point where it goes out.

Patrick Pushor: Yeah. And this is where I think the line between compliance and security doesn’t service that well, because you know, really what you’re trying to do is governed the same.

So that means infrastructure. That means rights and permissions. That that means hopefully if you’re. More than one cloud provider. You’re connected to all three with some kind of SSL because you know, managing three sets of identities and, you know, different project teams using different platforms, you can get that alone.

Can I think get really complex. So at that point, I think you’re sort of [00:22:00] necessarily looking at the side of SSL, which again, if you’re looking for a security tool, make sure it supports that like you’d expect. Two for sure. , so you can simplify that, but yeah, it just becomes an absolute nightmare trying to govern.

And unfortunately what sometimes happens is that customers wind up kind of least common denominator in the technology, you know, so that they won’t use something in one platform that doesn’t have an equivalent function in another simply for, you know, maybe they wrote their DRP plan that they use, you know, if Amazon dies, I mean, yeah.

Silly in some ways, but you know, if Amazon dies, they’re going to DRP over to another provider or back to a data center or something. Right. I mean yeah, it’s it’s massively complex. I mean, Like you say, I think we often misjudge how complex it can be with one provider when you get to more than one.

Yeah. I mean, it’s CASB as part of it in terms of the user access. That’s really complicated too, but just governing what people can do and how much rights and privilege you have and blast radius around every kind of account that logs in. Now, even if you have SSO, if your kind of role that gets assigned, that gets , really good.

Ashish Rajan: As long as we were talking about this, I cannot keep thinking. I can see the value of a [00:23:00] CNAPP as well, because I’m looking at this going award a CSPM I’ve got a CWPP and I’ve got, I mean, I don’t have a CASB , but I’m pretty sure. If we had to go down that path as a security team, we are looking at managing all these different tools, which would provide a very different perspective of the same environment.

And it also are out of curiosity, . So who looks after all these? Is that like a, in your mind, is there like an individual who’s looking out for CSPM and other individuals CWPP and other individually are there, I mean, have you seen like certain patterns for who manages this in an organisation?

Patrick Pushor: Yeah. I mean, I think it’s different who manages it, who consumes the alerts generated by them.

They’re probably slightly different. Right? I think the alerts still go to your security operations center to be acted upon. That’s no different, right? From a CSPM or a CWPP look a CWPP isn’t new. It’s the only part of this that isn’t new from the data center days, you had something running on the host that was looking for.

Software vulnerabilities and malware. I mean, some of us didn’t some of us trusted that perimeter a little bit too much, but you know, at the enterprise level we did. [00:24:00] Right. And so, and in fact, you know, , there happened a lot of CloudWatch. Because vendors took that approach said, , we’re ready.

We’re cloud certified install our agents. And, you know, it’s still sort of identifies itself by IP address, which we have far less control over in the public cloud. And, you know, there are problems there, but so we brought that along with the CSBM is net new in the cloud. There was no equivalent, but we brought that workload protection with us.

Right. And so. See you’re right. CNAPP is the nice umbrella that kind of encapsulates this all. But it does say one thing very specifically as that the workload side and the cloud security posture management side, they have to share data. Yep. Predicted years ago that CWPP and CSPM would come together.

I think they saw the writing on the wall. As many of us did as they kind of unfolded. You’re right. You need both to get a holistic view of your visibility into where the risks lie. You absolutely need both when you get to above very beginning of scale. Right. How you get both can vary a little bit, but you need the functionality of both.

And so what CNAPP says is, look, if I find malware in a workload, what’s the [00:25:00] very next question I’m going to have about that. Is it exposed? Is it exploded? Right. And that’s a question I can answer with just a CWPP perspective. I need to know what the cloud security controls are around it. Security group config and internet gateway VPC.

Right. I need to know all that. Then I could be confident. Okay. There’s malware. It’s contained. I can take my time, get into it. Cause I’ve got a million other high priority alerts still in my sock. Right. But. What Gartner says, why CNAPP is so important it can be confusing. I mean, you’ve got these two categories.

It’s not like we have 10. Do we really mean an umbrella for two? The umbrella specifically says these things have to trade information and that’s a challenge, right? We’ve we’ve seen CSPM vendors. Buy or create CWPP technology, because I think this story has been unfolding for a long time.

You absolutely need both. What we haven’t seen is when they kind of acquire that functionality kind of going that extra mile and wrapping it into one cohesive platform because yeah, that’s how, that’s how we risk things. At least from, from an Orca standpoint, our perspective is how we risk observations in the workload is inseparable to the things around.

Right. It’s inseparable to a lot of things. It’s [00:26:00] inseparable to information about the vulnerability we found. Is there a fix that’s context too? It’s not just network context. Is, is there a fix? Is there some loose network security control around me that could provide maybe a lateral movement that’s context too.

So that’s important as we think about risk. I mean, we hear. This notion of alert fatigue so often. And I think it’s because we use a tool for this, a tool for that, and they all have their own perspective. They all have their own idea of what high priority or a high severity means. But no matter how we get there at the end of the day, when we look at those studies of SOC operators sitting there and responding to alerts, I mean, they’re, they have no ability even to get to the medium severity.

They can’t get through the high.

Ashish Rajan: Yeah. And wait. So because the SOC team also reminded me then, cause this is also getting fed into a SIEM , right. At a certain point whoever ends up having a, well, I guess at some point, I’m sure everyone wishes. They have a SIEM because it’s not just the four C’s of the world, but there’s all these other tools that you have in the organization as well, especially if you’re hybrid or multi-cloud or whatever, then.

So alert fatigue is a thing in this [00:27:00] space as well. But from that, how does the CSPM space , or just this cloud security posture space is dealing with not having people have a lot of alert, fatigue, like what’s the remedy, like more context or where’s I go,

Patrick Pushor: yeah, CSPM’s are famous for risking things, high severity that aren’t.

Let’s put it that way. I’ll give you a good example. Maybe you day one, you provision your AWS account. You spin up some infrastructure to region that’s closest to you cause you want great performance and you log off. And you know, you do that a couple of times, you kind of expand this region. You build a great little small tier point data center and we get to the point where you’re a little bit challenged with with visibility you throw a CSBM at.

And the first thing that’s going to tell you is that you’ve got all these high priority alerts for default security groups in every region. Because they’re there by default. Yep. That, that too. I won’t say CSBM but to the majority of them is a high severity alert. Now it should be an alert. I’m not suggesting this is information that we shouldn’t have anywhere.

Right. Because someone can go and manipulate that default security group assign it to something. And, you know, there can be either a misconfiguration or something worse [00:28:00] if there’s some ill intent. So it’s not that it’s not important, but should that be a high, severe. In relation to everything I do.

Right? That’s that’s the challenge is, and it’s because no perspective on data, no idea. If the, control violation, how severe it truly is, right. And their CSPMs are getting a little better. You can, you can customize some of the measurements you can take into account tagging standards you have.

And in that way, you can get a little bit more accurate on the tests you run for sure. But there’s still this disconnect.

Ashish Rajan: Interesting. So, maybe take this a step further. How has CSPM evolved? Cause I mean, you’ve worked in the space since Dome9, which for people who have been in the cloud space since the beginning was probably the pioneer in the whole cloud security posture management space that a lot of other companies came out of it..

Like people who were working in there in those companies started their own cloud security products off of that. It just goes into this spreads out and this whole platter of cloud security, posture managers came out after that.

So what’s the evolution. In the say, what kind of conversations were you having? TheDome9 [00:29:00] days and with CSPM and what it CSBM looked like then and what it hasn’t moved on to till today. Like what are the kinds of conversations you’re having now? I’m curious.

Patrick Pushor: Yeah, it’s a great question. And it dovetails real nice into our discussion of CNAPP

that the hardest questions to answer when I worked at Dome9 , were those around content? And what’s in my VMs. It wasn’t that you could measure anything. So CSPM , again, can measure most things that a API call to a cloud provider. We’re one as possible, right? So I can measure how many instances I’ve got running.

I can measure how much permission those instances have. There is some value there, right. But what we couldn’t do is then match that to what’s in there. We couldn’t say. Geez, your security group is configured, right? Because I see you’ve got a web server running in your workload. There was no perspective, or you’ve got a web server running.

That’s trying to hear on port 80, but your security group doesn’t have it open. Is this, are you sure this is what you want. That was the kind of thing. The more advanced customer. I mean, the beginner that got the domain was just so thankful for the visibility. Like it was great, especially the multicard beginner, you know, we just [00:30:00] saw smiles everywhere.

Honestly, it was probably the easiest thing I’ve ever sold outside of where I am now. Right. And so that was great. But the advanced customer really start to feel the limitations. Right. They did have a workload visibility, but it was from an old tool. They knew it well, so they’re comfortable with it, but it didn’t jive with the cloud security side, they had to manage these two separate things and that was getting frustrating for sure.

So, I mean, when I heard about what Orca was doing, I mean, I jumped, literally jumped to it because it, it answered that question right here. Here, we have this real, super cloud native way to do almost the very same magic on the CSPM side, but combine it with the workload side. Answer that question.

Ashish Rajan: Well, we actually Srinath from Netflix last week.

And he was talking about Orca as well. And you guys do site scanning. So I mean, I know we aren’t trying to sell anything, so I’m just kinda curious, it’s like a short elevator pitch for how does, how is Orca CSPM different to the previous generations?

Patrick Pushor: Yeah, it is that workload side. So a Dome9 , you could say we were agent-less because we were, there was absolutely no agent to install.

We got all this great visibility across the services you use, [00:31:00] but nobody could say I can get workload visibility without installing an agent. Right. And until Orca, that wasn’t part. And so really what we’ve done is said, let’s use some cloud native methods to do workload discovery and you’re right. We’ll call it process side scanning.

And what it does, is it mounts the volumes of your disc and it recreates it just like your workload is it reads all the logs. You know, it, it does even things like file integrity, monitoring that traditionally have needed an agent running down there. There’s about seven data security standards that required that kind of visibility and to change the file system.

It even does that all from the side. Right. So first scan, a complete inventory of what’s on your machine. We know the software, the versions, therefore, the vulnerabilities, we know what’s around it because Orca is also a CSPM built from the ground up. So we know the security controls around it too. And that’s the real difference is it’s both and both sides share information, right.

We build this data model and then we interrogate it. We ask a questions is okay. I found a vulnerability. What’s the deal is it open? Is it not? How old is it? Is it being talked about in the media? Is there a [00:32:00] fix? So, but we do all that again from the side without an agent and that’s kind of the, the agent listened the context or the foundations that Orca is built on, for sure.

Ashish Rajan: Awesome. Awesome. And I think I just got an answer from Obaid . That’s what I think Aquasec is probably the one company that came up from Dome9. I believe.

Patrick Pushor: Yeah, it may have been a spinoff we’ve we’ve got others too. We’ve got a really interesting kind of shift left approach, right? Judging kind of intent in the way of cloud formation or Terraform, kind of measuring that from a security perspective, which is really interesting.

I think most of these tools , are shifting there. I think some of these tools are shifting in the other direction too, too. I’ve had an incident now. Help me understand, help me understand from a networking perspective, help me understand from a workload perspective, what went on for almost like a forensic perspective, right?

There’s, there’s kind of both sides happening. Which is really interesting.

Ashish Rajan: Yeah, it sounds like I probably, in a few months I will be doing another one of these with another few more C’s at the end of this, like for something, for incidents, something from shifting left, but no, it was really awesome.

And I’m going to switch gears because I think we’ve been talking about technology for some time. I’m going to go through, it’s go into some fun. [00:33:00] Sure. I I’m just running to make sure I, once they’re all the questions that came up here. Yes, I did. Perfect. So this is Fun section. I know me as like three questions, not personal at all.

Just get to know you. I plus you’re Canadian, so I’m , pretty sure you’re super nice. And what the many ways. So the first question that I have is where do you spend most time on when you’re not working on class?

Patrick Pushor: I am a hardcore nerd, for sure. I think that’s, what’s kept me going for 27 years.

So, you know, I’d like to say that I have this elaborate list of hobbies, but I’m in this studio right. Of green screens and black screens to my right and cameras and lights. And so I do a lot of this. I have a hobby and in kind of a digital animation, too. And those dovetail really nicely. I do get outside.

I live here at the base of the Rocky mountains in Western Canada. So in 45 minutes, I’ve got like world-class hiking and skiing. And I definitely take advantage of that too. So yeah, probably that my second most fun thing to do other than nerd out is to be outside for sure.

Ashish Rajan: Awesome. Awesome. And it’s a great way to spend some winter in this winter here in Australia.

So hopefully get some snow as well. What is something that you’re proud of? Part is not [00:34:00] on your social media?

Patrick Pushor: Oh,

that’s a good

Ashish Rajan: one, boy. Yeah. Yeah. I think so. A lot of you were talking about families or talk about I guess what I can, I mean, from your perspective, I guess the whole evolution that you’ve seen as well, but it’s, I mean, yeah, it’s a, it’s a tough one to answer quickly though.

Patrick Pushor: It is too. Yeah. I’d go closer to sort of the, the family side and you know, for me, it’s.

Getting a work-life balance has been a little bit challenging this year, for sure. I think, I don’t think I’m unique in that way, but, you know, I joined Orca just over a year ago and you know, we’re moving so fast that I’m, I’m one of the most senior people there, which is hard to believe. Right. Just kind of how, how fast we’re moving.

And so to get there, especially in a COVID time we talked a little bit about travel and stuff. I haven’t really been able to see anybody we’ve built this. You know, large valued in the billions dollar company without meeting each other. Right. And that’s taken a lot of effort. , my health has kind of suffered for it, for sure.

So I’m really thankful for feeling better for my family, being there to help, you know, it’s, it’s hard. I hurt my back really bad. And then through a bunch of therapy and it’s doing much, much better, but it’s hard. , you fancy yourself, an independent person and all of a sudden. Boy, you [00:35:00] realize, you realize you’re sure, glad you have some people around you that love you.

So that’s, I think that’s the lesson for this year,

Ashish Rajan: is that awesome? And I think I’m, everyone’s grateful to have people support them. And I mean, even if it’s not injury in general, I feel so. Thank you for sharing that. So last question. What’s your favorite cuisine or restaurant that you can share?

Patrick Pushor: Oh boy. Yeah, the cuisine is not hard. It’s definitely sort of Mexican food as traditional as we can find. Yeah. Yeah. You know, like I met some people through my tenure of startups and, you know, super sort of international companies and lots of different cultures. So, you know, more than kind of the Western version of food that you can get here, the authentic versions, right.

Yeah, I think, I think my favorite is definitely sort of a Mexican, my family traveled to Mexico and stayed in a very kind of remote village and played brought Brockport hockey sticks with us and taught them hockey. And they taught us a bunch of kind of local local traditions and foods.

And that’s probably why it’s more like that, you know, as the

Ashish Rajan: wow tacos. Or like

Patrick Pushor: lots more. I’m not even going to attempt the names cause I will absolutely butcher them, [00:36:00] but those for sure. But you know, like yeah. Carnita and everything else, everything, everything spicier the better.

Ashish Rajan: Awesome. Love it. But Patrick this was really interesting, man.

I thank you so much for taking the time out. Where can people find you for follow up questions on this whole CSPM space? So we can.

Patrick Pushor: Yeah. I mean reach me on social media. I’m crowd proud Chronicle on Twitter. I’m on LinkedIn. Reach me at, at Orca for sure. I Nice and simple. Yeah.

Happy to answer your questions and, you know, just, just kind of do one of these. See if there’s a fit.

Ashish Rajan: Awesome. Thanks so much for going and doing this. And I think I definitely found that I needed to bring you back again, probably when we have the few more C’s to add, which I can put in the screen. I mean, I won’t be able to fit it into the screen anymore.

I believe that just like I would start making a big umbrella. Well, you got a

Patrick Pushor: scroller. We’ll just fill it with all the seas, right? Hey dude,

Ashish Rajan: Steven, there was some space in between there’s keeps increasing. It only makes it makes me think that as this continues and as each cloud provider kind of just keeps growing.

I wonder if the, it just would be like one cloud cause be like do complex, just one cloud,

Patrick Pushor: you know? Yeah. Some Metta kind of [00:37:00] broker that, you know, just one intern. I mean, that’s already attempted, right. Because it’s so complex for sure. Yeah. You’re

Ashish Rajan: ready to get. Right. I think it would be really interesting if someone can really simplify that.

Like abstracted to a point where you don’t care if you’re an AWS GCP or whatever. I think your point earlier, Kubernetes kind of tried doing it, but I mean that, that rendered in another direction. So that’s one other topic, but I hope everyone got got to enjoy to all these different tools as well.

But that’s all for today and I will see you next week with another episode on AWS.

But until then thank you. See you next week.

More Videos