Join Ashish Rajan in this episode as he dives deep into the evolving world of cloud security with Sergej Epp, formerly of Deutsche Bank and Palo Alto Networks, now with Sysdig. Discover why traditional security approaches fall short in today's dynamic cloud-native environments, where workloads resemble swarms of drones rather than predictable trains. Sergej explains the critical shift from basic posture management (CSPM/CNAPP) towards runtime security, emphasizing the need for an "assume breach" mindset. Learn about the staggering reality that over 60% of containers now live for less than a minute and the immense challenges this poses for detection, incident response, and forensics. This episode covers:
- The evolution from traditional security to cloud-native and runtime security.
- Why CNAPP/CSPM is like a map, but runtime security is the essential radar.
- The complexities of modern incident response with ephemeral workloads.
- Key strategies for Security Operations Centers (SOC) adapting to the cloud.
- The importance of visibility, data collection, and tools for hybrid and even air-gapped environments.
- How AI is starting to aid security operations and forensics.
Questions asked:
00:00 Introduction: Cloud Security & The One-Minute Container Problem
01:31 Meet Sergej Epp: 20+ Years in Cybersecurity (Deutsche Bank, Palo Alto, Sysdig)
02:44 What is Cloud Native Today? From Train Stations to Airports with Drones
05:34 Runtime Security Explained: Why It's Crucial Now
11:05 The Evolution of Cloud Security: Beyond Basic Posture Management
13:49 Incident Response Evolution: Tackling One-Minute Containers
18:34 Who Needs Runtime Security? Platform Engineers, SOC Teams & More
21:01 Runtime Security as a Platform: Beyond Detection to Prevention & Insights
24:45 Cloud Security Program Maturity: From On-Prem to Cloud Native SOC
29:20 AI in SOC Operations: Speeding Up Forensics & Context
Sergej Epp
Sergej Epp: [00:00:00] Software ecosystem as well. Yeah, because very often this could be the injection point as well, right? Yeah. For certain malicious code, so
Ashish Rajan: yeah.
Sergej Epp: Running that and trying with purple teaming, try to identify as well what kind of telemetry you get, how you would do an investigation around that.
And yeah, starting to learn about that, because that's not the future, it's happening right now. And we start to see more and more attacks around that. Yeah. And yeah, getting hands on and building this muscle.
Ashish Rajan: Runtime security has been top of mind for a lot of people, but a lot of people don't even understand what runtime security is.
So I had Sergej to have this conversation with me. He has been in Deutsche Bank and now currently he works for Sysdig. We were talking about what runtime security is, how cloud security has evolved, what we know about cloud native as it stands today. Apparently, it turns out containers only run for one minute now.
Who would've thought? How do you even do incident response to that? So if you are someone who works in security operations or is trying to look at cloud-native runtime security, this is the episode for you. Or if you know someone who is considering looking into runtime security and wants to understand what that is, this [00:01:00] is definitely something I'll share with them as well.
Now as always, if you have been listening to or watching Cloud Security Podcast episodes for a long time, and this is probably a third or fourth or fifth episode, I would really appreciate if you can drop us a follow or subscribe, if you're on an audio platform like iTunes or Spotify, or if you're on a video platform like YouTube or LinkedIn, definitely give us a follow or subscribe there as well.
Thank you so much for leaving us reviews, and this was shot at KubeCon EU as well, so thank you to everyone who came and said hello to us as well. Alright, I'll let you enjoy the episode with Sergej. Talk soon. Peace. Hello, welcome to another episode of Cloud Security Podcast. Today I've got Sergej. Dude, thanks for coming in.
I really appreciate your time. And before we start, we'd love a bit about yourself. What have you been up to? How did you get stuck in cloud?
Sergej Epp: Yeah, sure. Thanks for having me. So look, I've spent more than 20 years in cybersecurity, and I think most of my career I've been working at Deutsche Bank, spent in the financial industry, really building cyber defense centers, running cyber forensic teams, cyber hygiene, driving investigations, and back then I think Deutsche Bank was the third most systemic bank in the world, right? So it was a lot of fun just to [00:02:00] see all those different threats and then to address all the regulatory requirements on the other hand. And then I moved to Palo Alto Networks.
Yeah. Spent six years there as a field CISO covering EMEA Central, and now I'm with Sysdig. Yeah. And Sysdig, when they called up, I immediately signed up. Running the internal security compliance, but then also the Field CISO programs. And I know how much our audience knows about Sysdig.
Sysdig was one of the contributors and initial creators of Wireshark. Yeah. And then also Falco. Falco is today potentially the same as Wireshark, the most adopted security tool for runtime security, being used by 60% of Fortune 500 companies, and Sysdig built a commercial cloud security product around this runtime security portion.
Ashish Rajan: Yeah. Because you've been in the space for a long time, especially when you started at Deutsche Bank, I think cloud was still in that adolescent stage at that point in time, right? How do you define cloud native today?
Sergej Epp: So I think it's very different, right? And I've perhaps a good picture of how to illustrate that, [00:03:00] because 10 years ago, 2015, 2016, I feel managing a cloud was like managing a big train station, right?
You've got these tracks, your virtual machines, Linux, a bit of Kubernetes potentially, and then you've got these workloads being the long-haul trains coming in, being very slow. Yep. But being very predictable on the other hand.
Ashish Rajan: Yeah.
Sergej Epp: And our job in security was to guard this whole train station and then to check for tickets all the time, right?
Ashish Rajan: Oh yeah. Yep.
Sergej Epp: And today, everything is completely different. I would picture this more as an airport with thousands, hundreds of thousands of drones flying around, and you have to understand what the drones are really trying to do, right? Yeah. 'Cause every small workload is a small drone, spinning up and then doing a job and then disappearing somewhere.
And we're talking here really about Kubernetes pods and containers, serverless, and the question is just, from a security point of view, how to approach that, because the lifespan of these workloads is really seconds and not [00:04:00] months. Wow. And imagine, back then I think a reboot of a server was quite a big deal.
Oh my God. Yeah. Today we're deploying containers horizontally, globally, and we don't care if one of them is disappearing.
Ashish Rajan: Yeah.
Sergej Epp: So the question's just, how does it really impact security? Yeah. Yeah. And I feel there are, first of all, some good news. And the good news is the complexity is just creating this security-by-obscurity type of environment. So it's very hard as well for the attackers just to understand how to exploit certain things. But we all know that this doesn't help on a long-term basis, so you have to compensate for that. And now you have to understand really how you track in real time as well
all these workloads, focus on identity management, focus on integration into CI/CD. And really understand where these drones are supposed to fly, right? Yeah. What are they supposed to do? What is the blast radius if one is crashing into another one? Yeah. And I would say this is how modern cloud security is working today.
Ashish Rajan: Yeah. And I guess, yeah, obviously you mentioned, I love the transition of workloads [00:05:00] to containers to now Kubernetes. You're sitting here in KubeCon EU as well, and it's a top-of-mind conversation. But a lot of people, and we spoke about this earlier, where Kubernetes, even though it seems to be the first choice for a lot of AI workloads, a lot of new workloads that are being produced in general, somehow a lot of people think about cloud security as, hey, I have a CNAPP or a CSPM. But posture management is table stakes these days. It is expected that, oh, if I have public cloud or private cloud, I have cloud security.
And what people generally mean by that is, I have a posture management tool.
Sergej Epp: Yep.
Ashish Rajan: We spoke about runtime, and I think there's a transition happening towards runtime as well, in that a lot of us are seeing it. Why is runtime important now, and maybe, what is it, to begin with? So people get some idea of what it is.
Sergej Epp: Perhaps just to picture as well the evolution of cloud security, we can just look back and see what happened in other security domains in the past. And everybody who has been working in the cybersecurity domain for the last 10 years has seen this movie pretty much already.
Let's [00:06:00] take the endpoint security domain as an example. So endpoint security, like 15, 20 years ago, I think we started just with visibility, right? Yeah. We would then try to understand what kind of configuration we have across our server environments. We would install antivirus systems.
I remember the first systems, they would just spin off a couple of jobs and then scan the entire computer for one hour and slow it down. Oh, yeah. And then come back and say zero malware detected, because it was too late sometimes already. And then I remember the second generation of that was, hey, how can we really stop attacks in real time?
Yeah.
And this is where runtime security really came into play for this traditional world. If I'm correct in saying, Norton invented this first capability to block and stop malware. Oh, and then it was still not enough, because malware and certain attacks were very smart.
We couldn't really counter all of them, so we had to get more visibility on the endpoint, and with endpoint detection and response tools, being first, I would say, pioneered by CrowdStrike back then, we saw [00:07:00] this capability as well to provide visibility back to the SOC and try to give them the power to understand what's really happening very quickly, and then to have this feedback loop as well to stop the attacks, create new detections, preventions and so on.
Ashish Rajan: Yeah.
Sergej Epp: And I feel we are undergoing the same type of transition wave in cloud security.
Yeah. And we had this, by the way, as well across identity management and network. And let's just test it out. Let me ask you a question, right? Yeah. If you had these two scenarios today, the one scenario is we assume we're secure. So you do the scans with posture management, let's say once a day.
Yeah. And then if there's a vulnerability, you can give this vulnerability data back to the engineering groups so they can patch it.
Ashish Rajan: Yeah.
Sergej Epp: And the second scenario, assume breach. Assume that there will be potential supply chain compromises and you uncover them, yeah, very late in your production environment.
Yeah. Because xz-utils, yeah, and patches are showing that this is real.
Ashish Rajan: Yeah.
Sergej Epp: There will be zero-day vulnerabilities which are exploited. Of course. We saw just last year, 24% of [00:08:00] new vulnerabilities were exploited before a patch was released.
Ashish Rajan: Yeah.
Sergej Epp: Then there will be AI workloads moving to production.
So you have to assume breach. So if you have these two scenarios, assume breach
Ashish Rajan: Yeah.
Sergej Epp: Or assume you can still keep your production environment secure. Which one are you going to take?
Ashish Rajan: Yeah. I think it's funny, 'cause I think it's a great question also, because coming from an enterprise background, I definitely lean more on the assume breach side, right?
Also because most enterprises are already targets to begin with. And I think assuming that, hey, we prepare for zero-days always, you prepare for the worst-case scenario. So I definitely lean on the assume breach side. Sure. But I also believe that after a certain level of security maturity, everyone becomes more assume breach.
You have to, because it's almost like, you read something in the newspaper today that, oh, there's a vulnerability. And you're like, do I run this? I don't know if I had run this, or am I breached by this? There's a
Sergej Epp: And how quickly can you check that as well, right? Yeah. So you have to compensate for this window of exposure as well.
Yeah. Therefore, there's this expansion right now from the first stage I've just [00:09:00] described to the third stage, more or less. Cloud security is expanding from posture to runtime.
Ashish Rajan: And to your point, the workload is getting complex as well. Now, to your analogy, we don't have long-haul trains coming.
We have drones coming in, which come in, come out. I think the conversation you and I had was more around, as well, that containers are one minute now. Yeah. Yeah. So they're only alive one day. Yeah.
Sergej Epp: So yeah, this is an interesting data point as well. Let me share this a bit, because Sysdig is doing, once a year, a study around cloud-native security and usage.
Ashish Rajan: Yeah.
Sergej Epp: Across our customers, across the open source community as well. And for this year, we saw for the first time that more than 60% of containers are living less than one minute. So take this, less than one minute.
Ashish Rajan: Yeah.
Sergej Epp: How quickly can you respond? How quickly can you even detect that certain things are happening?
In these 60 seconds. And then another interesting data point is, we saw 35% more non-human identities than human identities, of which more than half were never rotated. There was no multi-factor [00:10:00] authentication or anything like that. So I think it's a very, very complicated environment right now.
Yeah. And it just shows that it's getting much faster and much more complex, year by year.
Ashish Rajan: Yeah.
Sergej Epp: Which is posing again a completely different challenge as well to security operations centers, because they have to compensate for all the madness, or all the challenges really, we have in the production environment, because we were simply not able to keep up with the speed from a security architecture and engineering point of view.
Yeah.
Ashish Rajan: So what does runtime look like then? Because obviously you guys have the Falco project, which is very popular as an open source project as well, and there's a huge community around it. I think, from what I understand, a lot of defense people, government people use it as well. What is, I think just to give some example around some of the other complexities for runtime, I'm thinking things like hybrid cloud.
We spoke about air-gapped environments. Obviously we're in Europe, we'd love to hear some European context as well for what runtime security or cloud security is today. And especially with, I guess, everything that's going on in the world as well. How do you see the [00:11:00] cloud security evolution evolving to where we are today now?
Sergej Epp: The question I'm hearing very often is, first of all, we've got our CNAPP, we don't need runtime. And then, you know how I see this is, CNAPP is a really good map. Yeah. And runtime is really your radar, to stay with the analogy.
Yeah. And while CNAPP is potentially showing you the topology of your environment, runtime is really showing you the moving threats. Yeah. And you need both, as we've just discussed, right? Yeah. The problem with this first generation of CNAPPs is that they have not really considered security operations centers, have not considered architecture and engineering teams as the key stakeholders of these tools. Yeah. And let me tell you a story there. I just had a meeting with one of the users from a large bank recently. And they would have a CNAPP with a bolted-on runtime capability.
They would have a SIEM system for the on-prem environment. For every cloud environment they're using, Google, AWS, Azure, they've bought their own [00:12:00] SIEM. Oh wow. So Chronicle and Sentinel. And then they would try to aggregate all those different alerts and push them together into a centralised SIEM again.
Ashish Rajan: Oh wow.
Sergej Epp: And the question there is just, how do you really cope with this type of scenario as well, right? Yeah. If you need to analyze this, if you need to understand what's really happening, how quickly can you react to these threats? Because just even understanding the propagation of an alert back to the SIEM is taking a lot of time, right?
Ashish Rajan: Yeah. Yeah.
Sergej Epp: Now to go back a bit to your question, runtime security is really about getting this transparency and visibility into Kubernetes, and cloud security was always about Kubernetes itself. Talking about public cloud, but then also talking about private cloud.
Yeah. Because there are a lot of organizations out there who are considering private cloud being very important for them.
Ashish Rajan: Yeah.
Sergej Epp: And now you've just mentioned it, being in Europe right now, I think there's a big initiative right now around sovereign clouds, where some of the clouds are considering using Kubernetes to build out [00:13:00] large private clouds, and some of them are even considering building air-gapped environments. Yep. Where they also run Kubernetes, because they want to have this flexibility, they want to swap certain containers, certain projects very quickly. And this is where security is also required.
Yeah. Because, again, in the same way a public cloud can be exposed, a private cloud can also be exposed, even an air-gapped environment, by a malicious actor who can potentially come in and just plug in a USB stick, right? Yeah. And then get access to that. And then if you think about some of these use cases where Kubernetes is being used today: windmills, defense, cloud.
There's a big project in Europe right now where you'll have defense mobile containers running Kubernetes, moving around as well.
Ashish Rajan: Wow.
Sergej Epp: We have simply to compensate for security, because you have, again, to assume breach, right? Yeah.
Ashish Rajan: And your point about adding the complexity of a container going down in one minute.
More NHIs being in the environment, there's a lot. It's not just as simple as, oh, I know it's [00:14:00] logged in, right? Click, usage, credentials, and I can follow the trail all the way back. But these days, and it's always been the case in cloud, there is a delay in when you receive the log from cloud as well.
So the posture management world worked when all we cared about was compliance, and all we cared about was the fact that, oh, is my storage, whatever, S3 or blob or whatever, is that open to the internet? Oh no. All good. Everything is good. I don't have to worry about anything else. But what you and I are trying to get to as well is, because there's a lot more workload in production in cloud, whether it's Kubernetes workload, non-Kubernetes, doesn't really matter.
There is a need for security operations to now have a clear picture of whether that one-minute container was actually malicious or was a false positive. Which makes me think, how does a modern incident, obviously you have a forensics background as well, right? How does modern incident response look now?
Because you almost feel they used to think about, oh, I need to contain, detect; you expect the thing to be still there. Use a malware example, right? If you think malware is [00:15:00] replicating itself across the network, you're like, oh, you see it replicate, right?
But the container is not there anymore. So what does it look like now?
Sergej Epp: Yeah, look, I think it's very different, right? Because if an organization really embraces Kubernetes in the right way, the question is just, how can you deal with these one-minute containers? Yeah.
I like this term, by the way, very much, because yes, you have first of all to understand why it is even required to do incident response in Kubernetes. And of course it's required today, because we see right now attacks happening from cloud to runtime, an attacker basically compromising some identities, moving to runtime to run certain workloads.
But also the other way around: an application is being compromised, and then a worker is being compromised, and then you'll find credentials in your environment variables and so on, and just move back to the cloud and compromise and take over the entire cloud. So these attacks are starting to happen, and therefore you have now to understand
how can you first of all prevent this? Yeah. But then also detect and respond to that. And I also always feel that security operations centers' incident response has to [00:16:00] have this preventive mind as well. Oh, so everything you're doing to derive the lessons learned as well, to stop it next time again.
Yeah. So this DevSecOps feedback, right? The feedback loop. But first of all, I think the biggest challenge is, if you want to do incident response, you need to have the data. Today again, it's not just the speed of the containers living only one minute, but also the amount of data these containers can produce.
And if you don't capture this data, it's a big problem. So you need to have some sort of a flight recorder where you can get data from the container itself, because this is where the logic of the application is happening. Yeah. This is where you can really find the traces around what kind of activity happened.
What was the threat actor trying to do? Yeah. If he's fast enough to do it within one minute. Yeah. But again, most of that is getting very automated today. And then collect as well certain telemetry around how you can stitch all this data together.
Ashish Rajan: Yeah.
Sergej Epp: Because even just trying to understand, if this container lives just one minute,
how do you map this container now to some activity in the cloud? Can you do this based on IP address? Do you even store [00:17:00] the IP addresses of these containers back then? Yeah. Very simple question, but most organizations would just fail even on these questions. So data capture, data collection is very important.
And then from that point of view, you need to understand how to stitch all this data together. And that's already a challenge, because Kubernetes and cloud are very complicated. Yeah. And as I was saying originally, security operations teams haven't really got enough experience in this space.
Yeah. But I think what is very important as well is to try to think about incident response in cloud differently. As I said at the beginning, we need to understand how we can also automatically prevent a lot of the different attacks. So if you've got a really good signal-to-noise ratio, you can detect drifts and you can directly kill containers, right?
You can embed yourself into the CI/CD pipeline. And that's your feedback loop. But to do this really well, you need to get the visibility and you need to be able to triage as well, yeah, all these different attacks. Yeah. [00:18:00] And one last example I'll leave on the table: just look at how long it took Microsoft, for the last two attacks, to find out what really happened.
Ashish Rajan: Yeah.
Sergej Epp: Trying to find out who is your patient zero. Yeah. Was there any lateral movement happening? Are they still in the network?
Just answering these three questions is impossible, and if you cannot answer these three questions, you have to assume breach and you have to assume the attackers are in your environment. Yeah. And that's really a nightmare scenario.
Ashish Rajan: Yeah. And containment is not really practical at that point in time, 'cause you're still trying to figure out where else this has traveled and all of that as well.
Sergej Epp: Exactly.
Ashish Rajan: I wonder, because of your background with Deutsche Bank and doing security operations there, for people who are listening, maybe a good point would be, who do you see as the audience for runtime? Security operations people?
Sergej Epp: Yeah, no, look, I think I see runtime more as a platform. Okay. It's a platform capability, because just looking for instance at Falco and the adoption of Falco, again being used by 60% of Fortune 500 companies, and [00:19:00] mostly platform engineering teams who have this requirement to collect data, but they cannot collect the raw syscalls.
So they have to collect pre-filtered data. And this is where Falco is really good at, just really filtering out the right data for the cloud, indicating the right alerts as well, and providing these alerts back to whoever requires them: the security teams, security operations teams and platform teams.
I think that's one use case. The second use case we see in commercial Sysdig is really where runtime is being used for vulnerability management. And let me give you an example there. We know that a lot of the code which is shipped with applications is not being used in production, because you just use one function from a specific library and 90% of the functions are not being used. Yeah. But in case there's a vulnerability and a CVE is assigned to this library, then you're being pushed by security all the time to patch the entire library. And that's really costly. Yeah. So on average 95% of vulnerabilities [00:20:00] are not related or relevant to the application at all, because they're not being used.
Yeah. Take that. So you can put 95% of the vulnerabilities out of scope because they're not reachable by the code. They're not really used by the code. And I think that's really strong. You can do the same type of checks on code level.
Ashish Rajan: Yeah.
Sergej Epp: But again, they're not as accurate as in runtime.
And that's where we see as well a lot of platform security, architecture, engineering teams, yeah, using this capability. And then I think we start to see more and more SOC teams as well, trying to understand how we can get these deep insights into what's really happening across the workloads, so that we can tell the story and understand, in case there's a signal,
yeah, in my cloud, what is patient zero? Was there any lateral movement happening? So all of these questions have to be answered. And again, you have to be very smart about that.
Ashish Rajan: Yeah.
Sergej Epp: Because you have to understand how much data you capture, where you capture this data and how you stitch it together.
Yeah. But I think it's more of a platform, and there are [00:21:00] multiple use cases we're seeing from runtime.
Ashish Rajan: Interesting. Because I think a lot of people confuse runtime also with the whole DAST world that came up, or SOAR came across as well. So are they playing any role in this? Like the whole, hey, I detect something at runtime and automatically something happens, and the other one is where, hey, I'm gonna pull in application pieces in there as well.
Yep. 'Cause I guess, to your point, at the end of the day platform cares about the application. They don't really care about, hey, Kubernetes or whatever's underneath. So is runtime a mixture of all of that, or would you say runtime at the moment for security operations is at that stage where it's primarily information from different applications?
Sergej Epp: No, I think runtime is also shifting left the different insights. So I'd love to think about runtime as a platform, because the insights we're getting from runtime are reflecting the true reality. While if you're looking at the code level, you have to assume a lot of things.
So we've talked about vulnerability management, but we can talk as well about non-security use [00:22:00] cases. Let's talk about profiling, for instance, right? Yeah. How effective and efficient is your code being executed? That's what we saw in the observability space happening for ages as well.
You need to have runtime visibility so that you can code much more efficiently and effectively as well. So I think it's a platform where you start to see a lot of different capabilities on the left side, yeah, so the shift left, but then also on the right side, the security operations starting really to leverage these insights more and more.
Yeah. Various use cases.
Ashish Rajan: So the audience ultimately becomes your platform people, who probably want a holistic view which includes security. Yep. But also security operations people who have the need for, if there's a one-minute container still there, yep, I got an alert from it, I need to be able to go and investigate where that is.
Hopefully there are logs for it as well.
Sergej Epp: Yeah, exactly. And then you're looking into defining, with the security operations center, what kind of logs do I want to collect? Because for instance, what we can do very effectively is, if there's a specific alert, start recording all the different [00:23:00] signals and logs for the next 15 minutes for this specific, particular alert.
Oh, which is like a flight recorder as well. Yeah. Which you need if you want to explain what really happened. Yeah. 'Cause you would not want to have terabytes of data coming per hour from your environment, or from a single workload in some cases.
Ashish Rajan: Yeah.
Sergej Epp: 'Cause it's not efficient.
You can't really store this data, so you need to have the smart pre-filter of data, what you monitor, yeah, and where it can react automatically, yeah, as close and as fast as possible to the workload. And on the other hand, you want to make sure that you collect when something happens which is relevant.
Yeah. And that's something typically security operations centers would define, because they know all the tactics as well: this is a container escape, which is happening very rarely, so we want to definitely make sure that recording is starting.
Ashish Rajan: Yeah.
Sergej Epp: But this one is potentially just something we want to use, as part of enriching our, SOC data.
So we don't really need detailed information. So this type of questions you would need to define together with the security operations.
Ashish Rajan: And maybe just to dive one more step into the whole security operations thing, [00:24:00] because, to what, as you said, security operations would be playing an important role in the runtime security space.
So people who are, I guess we're in that phase where it's still the beginning of the year, people look at conferences to see, hey, what else should I be looking out for? So for people who are building a security operations program today, or at least planning for one, they obviously have an existing one.
Most enterprises do. They're doing an amazing job on-premise, perhaps to an extent in cloud as well, as you're seeing a lot more of it come through from CNAPPs and everything else. What's your recommendation for the different kinds of maturity they should look at, in terms of uplifting an existing SOC program?
Yeah. What should they consider as part of their roadmap? Hey, you know what, this is where the world is going, and make sure you at least have these things. We're obviously talking about runtime, but, right, feel free.
Sergej Epp: Should I say listen to Cloud Security Podcast?
Ashish Rajan: Yeah. You can have me say that as well, but in terms of this, definitely this podcast, but I definitely would say, for most people who wanna know, hey, where am I? What's the maturity level I'm looking at in a world where containers only live one minute? I have runtime coming up. Do [00:25:00] I even need runtime? Because I already have CNAPP. You've answered that question. So what do you think is, like, for people who are starting to uplift that program?
From, say, maybe actually, funny enough, 'cause I have had conversations where people are still moving to cloud today. So people who are on-premise have done that amazing job, moving to cloud, what should be the maturity that they should aim for, in terms of, if you can, different stages that they should consider for the program?
Sergej Epp: Look, first of all, I guess it's very important just to get familiar with Kubernetes as well, right? Yeah. And then the cloud itself. Yeah, there are amazing resources out there. Actually, James just pointed me during the weekend to a great resource. It's called KodeKloud, with a K, yeah.
Where you can do a lot of these exercises and training as well. Really like that one. But then again, I think what's important is, in the business world, we are planning for success. Yeah. In security, we're always planning for failure. So we have to simulate these failures as well.
And the best way to do it is just, to go out and really try to experience both sides, the blue and the red team.
So from the red team [00:26:00] point of view, just try to understand how attacks would work.
Ashish Rajan: Yeah.
Sergej Epp: There are really great simulations we're running, for instance, here at KubeCon as well. This type of exercise where we simulate MITRE ATT&CK techniques, but on the other side show what kind of events are being generated, how you can detect this, how you can triage this. So try to experience both. And I think, last but not least, I would just always encourage everybody, every company out there, to run potential red team exercises specifically targeting these environments, Kubernetes environments, your entire software ecosystem as well. Yeah. Because very often this could be the injection point as well, right? Yeah. For certain malicious code.
Ashish Rajan: yeah.
Sergej Epp: Running that and trying, with purple teaming, to identify as well what kind of telemetry you get, how you would do investigation around that.
And yeah, starting to learn about that, because that's not the future, it's happening right now. And we start to see more and more attacks around that. Yeah. And yeah, getting hands-on and building this muscle is what we need.
Ashish Rajan: And for people who are leading the security operations team, I guess having relationships [00:27:00] between different departments, to what we were saying earlier about, yeah, is that even more important now, and is that going beyond just security, going to applications as well?
Sergej Epp: Oh, yes. Oh yes. I think that's really important. So back in the days when, you know, working for a large bank, you'll find everything from mainframe, Solaris servers, up to the most modern Kubernetes stacks, and so on. If an incident happens, let's say in a mainframe environment, you would just pull in this system administrator who can help you explain RACF and how this entire administration and IAM permission world is working there. So you need to have and build this relationship internally. I think what's different to a couple of years ago:
you've got now ChatGPT and Mistral and all these different models to explain that to you. Yeah. And that's where we see a lot of exciting work. So we, for instance, we've implemented the AI system called Sage.
Ashish Rajan: Okay.
Sergej Epp: Which you can just ask about the Kubernetes world while triaging a specific alert. Hey, explain to me what the namespace is, right?
How could the different lateral movement techniques [00:28:00] happen now if this alert was related to a specific execution on this container? So you can start talking to that and get educated while you're already triaging a specific alert. These relationships are potentially not as important as they were in the past.
Okay. But I think it's still very important, 'cause obviously these guys understand the entire architecture.
Ashish Rajan: Of course. And the nuances of what, how many band-aids were put across where and how something is stacked up. 'cause to your point, a ChatGPT version may give you an ideal version, but you may have a band-aid fix somewhere that only one person in the team knows about, or one particular team knows about.
Sergej Epp: No, exactly. These architectural questions are very difficult to answer. I think we start to see slowly that the AI systems are starting to understand the internal environment as well. Yeah. And then feed in also certain data from the internal environment. That's what we start to see.
And then I'm very excited about things like deep research on your Kubernetes or cloud data. Yeah. How cool is that? You just give it a task and it goes [00:29:00] ahead and then comes back with a specific answer, right?
Ashish Rajan: Yeah. Yep.
Sergej Epp: These types of scenarios and capabilities we start to see. We're just piloting as well
some of that with some of our customers. Obviously, things like hallucination and so on are very dangerous in security. Yeah. So you wanna make sure that you get this under control before you release this more broadly, of course. But we start to see very promising results here.
Ashish Rajan: Interesting. Are you seeing AI being used in security operations, like
Sergej Epp: Yes, absolutely. Absolutely, because look, especially in forensics, it's data crunching, and there's a lot of unstructured data, not just data you receive in real time, from a real-time point of view.
We've got fixed and static rules for how to stitch this together, but a lot of other unstructured data around your environment, config files and things like that. Oh yeah. So that's really powerful for specific forensics.
Ashish Rajan: Yeah. 'cause to your point, you might get a kubeconfig file. You have no idea what it looks like or what it's supposed to be, but you just feed it to your internal chat, whatever AI thing, and it can tell you, hey, this seems odd.
Yeah. And I'm like, oh. Because to your point earlier, people would be like, I have to go on a [00:30:00] Google forum or Stack Overflow or a subreddit somewhere to figure out what that is.
Sergej Epp: Look, in the past we've been doing it like this: you would just do this box forensics, you would just take the hardware, create an image from that.
Yeah. Run log2timeline to get some sort of a timeline and explanation of what happened there.
Ashish Rajan: Yeah.
Sergej Epp: Carve out other data and then bring this together. So it was very difficult in the past to get this context. And I think this is where we see generative AI being very strong.
It helps go from signal to context, from signal to story. Yeah. In the best way. And that's what you need in security operations, because the mission of security operations is to compensate for bad security.
Ashish Rajan: Yeah.
Sergej Epp: And you have to be in the position to explain what really happened, so you can go back and fix that.
Ashish Rajan: Yeah.
Sergej Epp: And that's ultimately how you can stop attacks as well. But in the past it would take ages to do that. In the cloud today, for most organizations, I would say it's even not possible, because you're missing some data. But I think once we start to collect the data and [00:31:00] pair this with AI, we'll start to see much more interesting use cases going forward, to, yeah, explain this and have this story, and be able to stop the attacks very quickly, and be able as well to feed back into your detection engineering, into your CI/CD pipeline, into your engineering world as well. To see, yeah, how you fix certain things. Yeah.
Yeah. I think that's where I'm very excited about it.
Ashish Rajan: Yeah, I'm excited as well. But that's all the technical questions I had for you. I've got three fun questions for you as well. First one being, what do you spend most of your time on, maybe not trying to assume breach everywhere? What's your favorite activity to do?
Sergej Epp: So I think it changed in the last year, because I've got three kids and they are teenagers. Oh, they're teenagers. Okay. I'm reading a lot of books. Oh okay. Fair. Right now, how to spend time effectively with teenagers.
But no. Look, I love to hike and really spend my time in nature as well. Yeah. With family, kids, friends, potentially some CISOs, so I can see that hiking. Hiking the mountain or hacking the mountain. Oh, that's bad. Yeah. Yeah.
Ashish Rajan: Yeah, I think that's awesome. And second question. What is something that [00:32:00] you're proud of that is not on your social media?
Sergej Epp: I think my drawing skills. Oh. I am a visual person. I almost started to, as, feel like a proper, yeah, drawing and then painting. Oh, wow. And so on. I'm, wow, pretty good at that. And that's sometimes good. Sometimes it's pretty bad, because if you work with marketing departments and then you point them to certain aspects.
They've spent a lot of work time and you are very picky. It's not good.
Ashish Rajan: Oh, fair. Oh, okay. So have you always drawn, like
Sergej Epp: Yeah. Yeah. I was drawing already as a kid and almost started to study
Ashish Rajan: Not like canvas drawing?
Sergej Epp: Yeah. Real drawing. Like pictures. Oh, watercolor, and watercolor.
Watercolor. But also, like, realistic portraits. Yeah. Portraits as well and so on. Oh, wow. So when I was back in Germany at school, I was deciding either to go on and study physics, yeah, and do a PhD there, or art academy. Oh, wow.
Ashish Rajan: And you chose physics?
Sergej Epp: No. I chose something in between, because my teacher was working in the financial services space and said, hey, you have to go to work for a bank, because 80% of guys studying physics and doing a PhD end up at banks anyway, working for banks. [00:33:00] Oh, go straight and it will be a much quicker path for you.
Ashish Rajan: Oh, wow. There you go. You could have been an artist, for all, Sergej could have been like the artist that people, do you put them online somewhere?
Sergej Epp: No.
I have not put them up. That was a question. Yeah. Yeah. Fair. I can show you. I have some on my phone.
Ashish Rajan: I would definitely love to. And the third question is, what's your favorite restaurant or cuisine you can share with us?
Sergej Epp: I think it's, it's really, there are two: Indian and sushi. Oh, nice. I like Japanese cuisine, but also Indian cuisine very much, together.
No, not together. But I'm like, wow, that'd be interesting. This, yeah. This is all cooking. I'm not really good at cooking Indian food myself. Oh. But I cook a lot as well.
Ashish Rajan: And any favorite restaurant that comes to mind?
Sergej Epp: Oh gosh, I don't think there's one restaurant, there are so many, to be honest.
Fair. There are a lot. I'm traveling a lot, so it's very hard to say that there's, like, one single favorite restaurant.
Ashish Rajan: Oh, fair. Yeah. But I think we are in London,
Sergej Epp: so I'm sure there'll be many
Ashish Rajan: over here as well. Expensive as well, I'm pretty sure. But dude, thank you so much for coming.
Where can people find you on the internet to connect and talk more about runtime security?
Sergej Epp: Yeah, I'm on LinkedIn, so feel free to connect. Don't sell cloud security or other [00:34:00] container security solutions to me, because that's something companies are trying to do. Being back at Palo Alto Networks, they would try to sell me firewalls.
Oh, cloud security. I don't know if it's a joke or not, but yeah, please feel free to connect on LinkedIn. And then I love to talk about cloud security, Kubernetes security, AI security is a very important topic. We have not touched on that today too much. Yeah. But that's exciting, and yeah.
Ashish Rajan: I'll put those in the show notes, but thank you so much for coming on. Thank you. Thanks so much. Thanks everyone, see you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in the description for you to check them out, and also for our weekly newsletter, where we do an in-depth analysis of different topics within cloud security, ranging from identity, endpoint, all the way up to what is a CNAPP, or whatever new acronym comes out tomorrow.
Thank you so much for supporting, [00:35:00] listening and watching. I'll see you next time.