What is Cloud Native Application Protection (CNAPP)?

View Show Notes and Transcript

Episode Description

What We Discuss with Om Moolchandani:

  • 00:00 Intro
  • 06:39 What is CNAPP?
  • 12:13 Do you need a CNAPP?
  • 14:52 What is Cloud Native Security?
  • 19:09 Evolution of Cloud Native
  • 34:08 Getting started in Cloud Native Security
  • 42:21 SIEM and CNAPP
  • 47:16 Maturity in Cloud Native Security
  • 53:17 Who is responsible for CNAPP in an organisation?
  • 59:48 The Fun Section
  • And much more…

THANKS, Om Moolchandani!

If you enjoyed this session with Om Moolchandani, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to Thank Om Moolchandi on Twitter or here on Linkeidn

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Welcome to the show. Thank you for coming in. Appreciate for

Om Moolchandani: having me always a

Ashish Rajan: fun. No problem, man. Thank you. So maybe a good place for us to start would be for people who don’t know who OMI is a bit about yourself and how did you get into sub

Om Moolchandani: security? Well, a quick intro about me is. Seattle cybersecurity entrepreneur and I recently was co-founder CSO of a company called we recently got acquired by tenable and I’ve been in cybersecurity or 15 years now.

And well, I got into cybersecurity because someone identify some kind of talent in me, which I didn’t know, I possessed and I was advised, Hey, why don’t you not try? You have an inquisitiveness of knowing things and going into deeper second level details. Why don’t you not try. Doing some work around cyber security, gained some experience or gain some certifications.

And that’s how kind of, I got more into cyber security. However, my first job was as a software engineer at a cybersecurity startup. So I wasn’t [00:01:00] like too much, far away from cybersecurity as a subject, but I took interest into the subject only after working for one, one and a half years as a software engineer at the beginning of my

Ashish Rajan: career.

Om Moolchandani: Yeah. So application software development, and from there got into cyber security. I started very opposite than what I see people doing in cyber security world. People who are interested in kind of offensive and defensive side of things, they don’t usually start from audit, but I started my cybersecurity journey, got started with the Caesar certification as my first kind of attempt to understand how audit works.

And I got into pen testing or a CP then. Practice to all sorts of cyber security disciplines at Australia, actually at Melbourne.

Ashish Rajan: That’s awesome, man. I was going to say it’s always good to have a Melbourne night for lack of a better word. Like sounds like kryptonite, but I got Melbourne night. I’m making it happen as well.

And congratulations on accurate it’s being acquired by tenable as well. I think a regular files to get [00:02:00] previous guests as well to already the coolest guests with his own beat PayGo. You’re getting recognition already. So I’ll definitely leave the music beat in the insurance as well. We get into that as well.

But so for people who don’t know where they’re seen at maybe a good place to start, could be, what do you define as cloud or cloud site cloud security or cloud native security? What does that mean for you?

Om Moolchandani: We really have to kind of get at high level. What scene app is, we need to kind of go a little bit back in the history and around 2000, between two 14 and 2016, when the CASBY industry cloud access security broker industry was kind of at a maturity curve and.

We saw introduction of CSPs, cloud security, Porsche management. So CSBM products, their focus has been to detect the level of posture from the point of view of compliance misconfigurations and best practices. How much of those you have kind of implemented. Developing and while operating your cloud environments, it it’s more of a [00:03:00] CSO focused product.

And the outcome is pretty much around compliance detection is part of it, but compliance is there. And then we saw around 2015, 16, we saw companies like Twistlock introduced one of the first CWPP is cloud workload protection plan. Whose primary responsibility is to protect your workloads from network based attacks as well as host based protection equal and in the container world now.

Yeah. Is if I have to give you a very short definition is kind of a combination of CSBM CWPP and everything that you would have to do to secure your cloud from code DevSecOps. And from deployment point of view, when you, when you put these three aspects together, of course, there’s lot more to talk about primary purposes to source findings from these different cloud security patterns, create a result, which [00:04:00] data mines, a holistic risk that you.

Kind of possess in a cloud environment. It’s like, let’s say you have a very simple web application deployed on a cloud environment, which is running on an say, AWS, it’s running on easy two instance. It’s part of a sub-net. It has a database which is running on another sub-net and then a load balancer, which is basically forwarding the.

To this easy two instance using target groups, there are some security groups being used. There are some, I am roles being used, product that can tell you that, listen, you have deployed an application which has a SSR fundability running on this easy two instance since it is exposed to internet because of the routing that exists between ELB and this application that is being hosted.

And because of overly permissive, I am role that you have on this easy to answer. And another misconfiguration that you have on it. Attacker, if it takes or this easy two instance can directly also dump the database. If there’s a product that can tell you all this, this entire story by [00:05:00] now, CSP and what I wanted to tell you that your easy two instances have got misconfiguring.

That’s about it, no context, likewise, a CWPP product would have told you, you have one debilities on this easy two instance, or if there was a container involved, it would have told you the vulnerability. But when you have to be able to stitch these different results together, but the story of a attack. Or a breach path, that’s the primary purpose of, but of course from the business perspective, it’s being designed as a space.

It’s designed to create this single glass of being kind of visualizations as well for CSOs, as well as for CTO organizations. And there’s a lot more detail into it, but that’s kind of up a hundred thousand feet high just of what at. And


Ashish Rajan: purposes, it kind of makes sense as well, but it also, as you kind of mentioned it from an evolution perspective in like, oh yeah, of course, that, that should have been like the obvious thing for it to happen.

But it sounds like for people who may not be from, I guess, that space of beginning of the cloud world to see the transition [00:06:00] of CSPs CWPP and now there’s another one. See NAB being like, oh my God, like, what is the scene? I think that I forgot to use. So from that perspective, it make economic sense. What people are ready to do.

You mentioned the end-to-end and you mentioned DevSecOps in there as well. And you mentioned the fact that all these previous components used to have, how do I put this a different components of the big picture? They don’t tell you the entire thing they just saying, Hey, do you have a problem here? You know, from there, it’s really interesting, man.

And to me that makes me think that, do I need a C nap today though? Like, like I have a CSBM already, I have a CWPP as well. Does that mean I should go look for

Om Moolchandani: it? Frankly speaking the industry. If you even see the analyst tool, Gartner has barely just started speaking about CNN and one fact remains that is a maturity curve.

So you would first want to make sure that now you could go for a C Napa vendor, anyone who offers C nap, but you may choose to start from implementing the CSBM capabilities first, because that’s kind [00:07:00] of the low hanging fruit you may want to enable the CWP. Next from the same platform. And then you may want to also enable the DevSecOps speeds to reduce the cost of doing security also to reduce the meantime to remediations and then eventually achieve the final goal of seen app.

Now, what seen app is not as you bring in. You press a button and you start seeing the bridge paths or the Democrats. That’s not realistic at least in 2021. Of course, in the next few years of time, the technology might mature to a level where data collection becomes kind of so mature that all the data which is required for snap to work might be easy to collect.

And. On de Zito, but that’s not the case today. You need to be able to acquire a lot of data, to be able to get to the analysis piece, which is the core of CNM. Otherwise you’re good with just CSBM and CWPP for that matter,

Ashish Rajan: I get where you’re coming from. And I also understand the fact that maybe not the first step to kind of.

[00:08:00] Deploy and suddenly you have an attack pass everywhere from end to end. There’s lots of moving parts to it. Maybe it’s a good morning to kind of take a step back and go what’s this cloud native security than people talk about. Cause I feel like what we’ve spoken about as an example is you’re, I guess everyone’s talking about it, but there’s another conversation that a lot of people are having on about Kubernetes Terraform.

Like, Hey, I want to go multi cloud cloud native. So maybe something along the lines of cloud data security, what is cloud native, according to you, and what does cloud security mean for you? The

Om Moolchandani: definition of cloud native for a lot of people have evolved. There was a big part of the community who believed, I guess, up until recently that cloud native strictly means running.

Applications on workloads, which you don’t have to manage the infrastructure for. And it’s the responsibility of the cloud provider, the CSB to manage the infrastructure and in some shape or form people started associating cloud native strictly to container based or. So less base [00:09:00] kind of architectures.

However, recently I’ve kind of spoken to a lot of different CTOs and CCOs, and I’m understanding that that definition has evolved. And now one of the latest definitions that I have come across and mind you, these are all controversial definitions, derive the meaning of cloudy. From CNCF now, DNC have does everything, which is pretty much around Kubernetes.

A lot of other projects that they have, it’s pretty much around that kind of architecture. So Kubernete is, in my opinion is not just Kubernetes, which is cloud native and. Opinion is that now anything and everything that allows you to build architectures purely on cloud based environments is cloud native using cloud service.

So for example, even easy, two instances, I mean, I know what I’m going to say is a little controversial for a long time. I have. Myself, that cloud native strictly relates to container serverless based architectures because you get to know what’s happening behind the scene and you don’t have to, you just package everything in containers [00:10:00] and container becomes actually a integral component of application Lear despite of having elements of infrastructure in it.

That’s why I, it, but my understanding today is that every service that is available on cloud and. If you’re using those services to build your architecture, that’s a cloud native architecture. The moment you have a hybrid approach where you have some portions of your architecture running on-prem, that’s where the kind of dude in line, if I can call it, it comes because between the, between the cloud and the on-premise and that’s where your cloud native.

Start to break up. Otherwise for me, if you are running of application on an easy to instance, that is a cloud native architecture in my personal

Ashish Rajan: opinion. And I think we have gore African men as well. Definitely. I think technology has changed over time and cloud native adoption is growing over time. So see now with.

Yeah. So I think that’s based on the previous comment that you mentioned about whether we actually needed to know, but thanks for sharing that sound good. So [00:11:00] we’ve explored cloud-native definition to what you said. If it’s hosted in ECE two in the AWS Azure or wherever, whichever cloud environment. And I agree with you in the Def mission, having its own variations among different people.

Like a lot of people, when you say cloud native, they automatically think it’s talking about containers or Kubernetes, or like one of those. They find my CNCF, even though all these providers already part of it. And then there is another definition where people talking about, if you use services from your cloud service provider, that’s also cloud native, like, well, which one is it like, but somehow, anyway, everyone has an opinion on this, but what are some of the traits, or I guess for people to kind of think about from a security perspective, what are some of the things that define these days, cloud native products?

How are we kind of venting the history with CASPI CSBM is there a version to that as well? Like how has that evolved?

Om Moolchandani: We started around two times. 10 11, a couple of vendors have kind of introduced the technology CASBY, mostly focused on proxy base of technology to [00:12:00] protect your data and its confidentiality.

The data that would have left. Secure trust, boundary, and would have gone into the cloud environments. And it was primarily designed also to solve the problem of shadow it in any given organization. If you have hundreds of employees, everybody has their own favorite cloud service that they want to use.

How secure is how secure those services are in which services should be allowed for employees. So that’s kind of a shadow it problem. CASBY was designed for. Mostly. And of course it has evolved. CASBY itself has evolved. Has now got a lot of different capabilities. It’s phenomenal to see CASBY is growth.

I mean, we can see Z scaler, how in a Z scaler has come along and various different other vendors in that space cloud native the hope was, and see around 2014, 15 when the container orchestration was when they began right for different players, we had DACA. On one corner and your show has a feel to it.

You should one day do something around cloud native wars, the container [00:13:00] orchestration wars, that’s where all the cloud native kind of thing emerged or the evolution emerged from there on. So you had DACA swarm on one side, you had Kubernetes on one side and of course you had in a two other players.

Cloud Foundry, which is now a different thing altogether. A couple of other vendors, we’re also trying to attempt orchestration when the container acquisition was over and officially kind of cooling it as won the war, it was being hoped, or it was taught that now Kubernetes is going to be the new operating system for the cloud and everything that runs on top of it is something which is going to prove.

Image add value to the application. Technology will, however, and that is what was driving people to believe that cloud native now means anything and everything that you are running on top of Kubernetes. And you don’t even get to know as a consumer, that what kind of Kubernetes is actually running behind the scenes.

So that’s where you saw the emergence of EKS. Kind of [00:14:00] existed, but GK and now you have D two IQ and many other platforms. They like to tout themselves as cloud native, but that hasn’t really happened. Like all workloads are not on Kubernetes. All workloads are not on containers as much as I would want them to be, but that’s not the ground reality.

And so the CSPs putting together another net. Into the industry that, okay, listen, what is the difference between cloud native and what we offer as services for bringing up your infrastructure? Like in case of easy two instances or virtual instances for Azure or other instances in GCP, nobody gets to know who they are running behind the scene.

What hypervisors on it. We don’t even have to know that we don’t even care. Maybe everything is so hyper virtualized that maybe VR in the seventh dimension of the virtualization. Maybe there’s a virtual machine. And inside that there’s another virtual machine inside, the easy to maybe it’s the six layer of the [00:15:00] virtualization who knows.

We don’t even know. So CSP started talking that, okay, we need to break through this narrative because we don’t want confusion to happen that it’s not a bad or good thing to be, or be not to be cloud native. Suddenly that became a status symbol kind of thing. Or we are a hundred percent cloud native. Yeah.

What does it mean? And that’s when people started defining. Sometimes like immutable infrastructure. So one of the traits of cloud native infrastructure is it has to be designed with immutability and immutable. It has two components to it. One is rip and replace strategy. That means nothing is going to get changed in the production or in operations, but you will replace.

Right with that came the need for hyper automation. So how can you do dependent place if you cannot program, particularly do that. And if you programmatically do that, that means there’s an opportunity for you to code it or to script it. And that’s what origins of ISC happen. Of course, kind of farms and other technologies exist in Dr.

1314, but it was around 16 onwards. When [00:16:00] we saw tremendous growth around Terraform kind of technologies. That’s what kind of came to the us. For the industry. So anything that you can do with Terraform today in the cloud now it is considered, that is what is cloud native, basically as an example, or you can do it with DRM polo me.

There are other ISE technologies to them. I just want to, I don’t want to name one vendor here, but can you spin virtual instances using Terraform? Absolutely. Can you network layers using Terraform? Absolutely. Now we’ll also spend Kubernetes using ham charts. You can, so that’s not for as long as you can achieve immutability and your hyper automation.

That is what is defining cloud native. Now what I’m predicting already. I mean, I’ve been talking to a few people that as soon as these two capabilities are brought into the on-premise world as well, because even that world is going to undergo a change where everything will be API driven, and then you can see technologies supporting immutability and hyper automation, even for on-premise.[00:17:00]

So then what I’m going to call that a cloud native on-premise. So these are some of the new answers. So I guess cloud native now is being understood as if you are adopting highly programing and immutable based architecture, where your strategy is rip and replace. You do not have to worry about various other operational overheads that is architecture.

Cloud-native interesting.

Ashish Rajan: We’ve got an interesting definition from Sangam as well. Sangam definition is my definition. Cloud-native is word culture, not containers. There’s another version there, but did you have a comment


Om Moolchandani: that? I think that the programmatic approach and the immutability as much as being strategy, it is also the cultural shift.

I mean, the, it. We’ll never used to write code for doing operations. Now have to shift, bring the shift into the culture. And now the one thing that was sent him is raising is, is absolutely true, is that cloud engineering is more and more becoming like software engineering because you’re writing a lot of software to maintain and manage.

And that’s a [00:18:00] big cultural change. That’s a cultural shift element

Ashish Rajan: as well. Yeah. No. And thanks for that comment as well. It’s pretty interesting that you mentioned the cultural shift, both you and Sangam as well because. Condensation initially was talking also about, Hey security folks, you learn how to code, but people are, oh, what does that really mean?

And then they then came the whole policy and code as escort as well. So keeping that whole scene thing in mind with cloud native application protection platform, whereas they want to call it. So the, we spoke about the end to end piece. We spoke about the pieces where, oh, okay. So I’m turning from the left and we’ve kind of, I love how the conversation has gone so far because we’ve kind of touched on a few.

And now we kind of realize, okay, this is what cloud native is. So in my mind seen app is more suited for people who are already doing ISE or infrastructure’s code using Terraform gloomy, or whatever those languages provision infrastructure of any kind. And as that kind of provisions and economies the configurations.

So it sounds like an end to end, like if I were to take a step back and go, it’s like a big picture. All for [00:19:00] a newly defined cloud native application should look like from a protection.

Om Moolchandani: Absolutely. Isn’t this is again, part of the evolution. So as the realization has kind of been observed and achieved by the industry that look, if cloud native strategies are being used for provisioning applications, I mean, ultimately you do everything.

You build the infrastructure to host your revenue, generating applications. Those that generate the app applications are the one regenerated. So if the applications are in provision, packaged, deployed more and more using cloud native strategies. As I said, two traits, programmatic way of provisioning immutability.

That means now the security also gets an opportunity to start detecting problems even before the environments are built, because a lot of the definitions of your. All the cloud infrastructure are defined within the code that you’re writing, whether it is Terraform, cloud formation, templates, Azure resource manager, templates, or many of the type of IFCs, including him jog [00:20:00] customized Yamhills things like those.

So if those are intelligently analyzed, 80% of. Cyber hygiene and security posture related issues can be detected from them. Now, if you detect your security issues at the time when this code is being written or when the code is being passed through the pipeline, you are doing tremendous cost savings in terms of detection cost for security point of view, and you get an opportunity to do early remediation.

It’s a huge deal in the cloud world. The applications are running faster than anybody else. In terms of development, velocity. Every day, we get 10 different where we don’t even get to know how many new versions of Netflix gets released on daily basis. So it’s fast. That means you have to have an opportunity to do.

Problems at a low cost because you cannot be affording to detect them. All of them in the runtime, you need runtime security like an insurance, but you have to be able to detect things early so that you can reduce meantime to remediation because it’s not the [00:21:00] detection, which is a biggest problem of industries.

If you notice any kind of breaches that have happened today,

when it comes to production environment based patching. When you do the same thing in the development environment, you reduce meantime to remediation and that’s what is going to protect you from breaches. Of course, detection still has to work without detection. You cannot patch or you cannot remediate.

Yeah. Yeah, it has to be to do. That’s one advantage that you get as seen at defines clearly that you have to be able to do your cloud security from left, and then you have to go all the way till the right and you have to achieve different goals of different stages. Like you have to be able to do early detection reduced meantime to remediation from the left on the run.

Continuously defend and detect any leftovers. Like you cannot underestimate run time security. You have to do it. Yep. That’s that’s kind of the whole objective of

Ashish Rajan: CNF that’s so much you want back there as well. It’s exactly. As you mentioned, meantime, detection is always [00:22:00] easy because there’s so many tools.

The mediation is the harder part that made. That’s where the whole auto remediation came in. Hey, don’t worry. How do you detect them? Get to it. Let me, or to remediate for you that as well as the whole CSV inContact, that was quite interesting at that point as well. I think we’re definitely finding that as a team where we have the right tool sets in the.

I guess arsenal, for lack of lack of a better word, but getting to the problem, how do we solve the problem is probably the hardest piece. So thinking, taking that a step further, then if I, if I’m a CSO or if I’m like a security leader, who’s now realized that, oh, I’ve got cloud native infrastructure running, or my applications are cloud native.

And I had to figure this out. I heard this inspiring history from home, and I know now I feel like I need to do something with. What’s a good place to start thinking about security for cloud native. It doesn’t have to be a complex scenario. We’re in a very simple use case. Someone starting today, trying to get the head around cloud native or securing cloud native applications.

More, should they be looking at well,

Om Moolchandani: as much as I want to test and talk about security, we can discuss about a lot of security controls that can be [00:23:00] potentially applied in such kind of environment. But the fact for me, my mentor told me like 15 years ago when I was part of initiatives around it GRC. So before CASBY, the industry was doing ITG RC, just ITG, RC everywhere.

So at that time, my mentor, who was based out of Melbourne, actually, he had. Favorite line. He used to speak a lot. It’s all about visibility. So one of the first thing that Cecil will have to do is figure out whether CSO has visibility into all potential. Critical business, critical assets or not. So it has nothing to do with security to begin with.

The first step is about asset visibility, asset classification, because if you don’t have visibility, you can secure anyways. So you need to first figure that thing out. And it’s unfortunate that figuring that. In 2021 is a challenge, especially when you talk about so-called quote unquote cloud native world, how do you figure out, first of all right, that let’s talk about a non containerized environment.

How do you figure out how many workloads today, [00:24:00] those workloads that are running, they use how many other different kinds of resources, because cloud has got really a lot of different services and. You can spin a resource. You need to have eye upon. Then you need to then figure out what is the data classification or criticality of those assets.

How many of them are business critical from a revenue point of view? And then you start designing your security controls based on the objectives that you want to achieve. You may have new compliance objectives, then you have nowhere to go. You have to do those controls, which they are asking you to do it.

The compliance controls are securing. You are not, she hackers don’t care whether you have a compliance certification. So first you need to figure it out like that. And, and by the time you figure out all of this 18 months am a shelf-life of a CSO is not more than 18 months. And then you have to come back and think, oh, what I have to secure as well.

So now see his point about that is that, well, if you are an organization, which is decently mature and all the fun foundation and fundamental science is there, [00:25:00] they can. Asset visibility, asset classifications, and you have basic fundamentals in place then definitely you must start first by conducting extensive threat assessments, but in terms of threat models, first understand what are the specific type of.

That your type of organization that you’re working for and you can correlate industry metrics there, and many other kinds of aspects like technologies tax, what are the actual threats that you then start thinking about how much of a targeted attack. Versus scavenger type of attacks you could face because of the technologies that you might be using, you may kind of figure out that what you’re using WordPress, and if you’re using WordPress in your tech stack, then of course those adversities, which are called as opportunistic attackers, who are not necessarily after, after anybody on internet with common set of tools, the hacking tools that they’re using, then you definitely are in the line of sight for them too.

If they get to know your IP addresses and other. [00:26:00] So you got to worry about protecting against those kinds of adversities. And then if you belong to say critical infrastructure, you belong to some kind of industry. Then you also need to put in effort to analyze your threat landscape in terms of potential adversities that can come after you.

There could be nation states. There could be other adversity groups. So one of the methods that has become very popular, it’s called us. Moderately where you basically use your organization’s texts. What says adversity capability, information that is available from. In a frameworks, MITRE has an attack framework.

Also gives you that. And then you map and see that the tech stack that you have versus the adversity groups that are out there, whose information is available, who is that adversity group, whose favorite attack, technique maps to your technology stack. So those are the kinds of attacks that are potentially going to come after you.

And you design your security controls. This is not for compliance compliance. You have to do 32 character passwords. Doesn’t get into, they’re going to protect you, but you have to do that. [00:27:00] So I’m not talking about. Security. Yes. Then you saw designing your controls accordingly. What? I need to be able to prioritize.

I need to be able to see enrich data like human, decide that one of the controls, I want to have this particular region of the, we don’t have any customers. We don’t have anything to do with that region. I’m going to block the hell out of it. I’m not going to take that risk. And then. Kind of understanding your threat landscape more and more design your controls to bring your residual risk towards those threats lower as possible.

When I was very young, I thought watching so many different Hollywood movies always taught. There are these silver bullets, a hacker sits behind the laptop. And so the dependent would sit behind the lab. We can protect right factor. The mattress cybersecurity is a journey. It’s not destination. Things are constantly.

You need to make it as much more difficult, as much as you can for the attackers and adversities to cause harm. So you need to be able to defeat these adversities in their mission, [00:28:00] even if you’re not able to protect. But if you can make sure that if the hacker hacks in the hacker is not able to succeed in the mission, you would still come out as.

So if you have that tactical and strategy mentality as a CSO, you’ll be able to then protect well, but definitely you need to understand who are your adversities. You have to understand that better in order to then design your controls in a mobile.

Ashish Rajan: So we announced it because I forgot for a second.

You’re a, you’re a fellow CSO as well. So you definitely got a deep understanding of this. I think another question that I get asked when I talk about cloud native security by a lot of CSOs that we kind of have, or at least have, as listeners are even security leaders for that matter. Is that, Hey, we have a seam.

So we technically, we don’t have to worry about like, whatever, throw at anything at me. I can make sure to your point, get visibility of any threats that may be coming across there. Like obviously Siena sounds like a, it’s more of a taking a step back in the big picture thing. You’re going all the way from the IAC infrastructure net score all the way to the runtime piece, but we got.[00:29:00]

Clarified. So the runtime piece in a CNR category is that done by the CSBM or a app itself has the capability. So, and that’s what goes into a seam like, or is there a point of talking about seeing when this conflict at all? I

Om Moolchandani: guess, interesting question. Look from the same point of view. I partly agree the statement that you made or what some of your fellows have kind of spoken and partly disagree because see, in cybersecurity world also.

There has been a saying for so long I’m secure because I have a firewall or for that particular, because I have an antivirus that seam, of course, it’s a great technology oxide brought it into the commercial world. Maybe there were few open-source projects before that. So it seemed, goes much beyond 2001.

The same had since 1999, 2000. And it’s a very, very efficient tool. You can achieve a lot out of it. Absolutely. You can achieve. Out of it now totally depends how skillful that team is, which is using seam, how much skills are expected from [00:30:00] your internal sec ops teams or internal security operations team, which is able to enrich, detect.

Dual threat hunting. If you have that much skillful team, which can do all of this, you can then do it using a lot of open source technology as well. You don’t really need commercial technology to be able to go back. So, yes, I agree with the fact that seams have come a long way and they have lot of capabilities they can do.

But with scenes a lot more skill to be able to fetch the greatness out of it. And that’s where I guess some of the problems, as it seems are not going anywhere since are here to stay. We’ll be a second part of the question. What about C app? Is it going to be disrupting some elements of seam? So the answer is sort of yes, but strictly I believe for cloud world look, seam is not just cloud.

It is a lot more about on premises. A lot of cloud workloads as well. I can ingest a great deal of data from sources, which has [00:31:00] seen app is right now not designed or is not being spoken about from the scene app strategy point of view. So it is purely focusing on however, there is going to be certain elements that is going to overlap between scene happens.

From the cloud point of view at this time, it’s, it’s not, I would say the C nap has to mature for us to be able to see that, is it going to totally replace SIM in the cloud world, but a lot of elements are going to overlap. And I believe for cloud native environments, at some point in time, seen apps are going to include a great deal of features of what seems Gaddy today for now non-cloud world.

That is

Ashish Rajan: going to interesting. So. Same is going to still continue to play a part in this somewhere, but maybe not because it moving forward. If you’re living in a hybrid world where we have cloud on-prem IOT, all these other living on edge 5g, like all that, that’s not cloud, that’s a lot more there than just the cloud for any Fieser to be dealing with.

So I’m a hundred percent agree with you on [00:32:00] that one as well. I think so from a visibility perspective, So what should technically like, cause you’re a CSO as well. So what’s from a visibility perspective that you mentioned earlier that that’s probably the first step that you’re trying to grab on to.

What kind of elements are you looking for from security perspective for cloud native? Because I guess you mentioned. The fact that having visibility of asset, asset inventory, now someone define what that is. Are there like, I think the right word probably is like, if I’ve already got like a 10 Kubernetes cluster kind of environment, it’s a massive application and I’ve done, Hey, go deal with this.

Are there certain level of maturity that you see in the way people do cloud native security people who understand. And have visibility, like, what’s that? What does that

Om Moolchandani: look like? Well, yeah, one aspect definitely, which is superior in pure Kubernetes base architectures is it is far more, I would say, consistent in terms of its workload management.

And so [00:33:00] therefore it is far more, I would say straight forward, there’s still a lot of effort needed, but the complexity levels, I would say are not up to, in a way where you have to do. 20 different types of things versus dealing one type of thing. So in the world of Kubernetes, it is far more straightforward to gain visibility into the workloads.

So as you said, you have 10 clusters. Each cluster has its own ATC database. You go. And do whatever you want to do. You can write your own script so you can use windows. You can use products which can just fetch all information from etcd. Everything is defined as a kind in Kubernetes, you get to see all your namespaces.

You get to see all your pods. You get to see all your containers running within each pod. And then you can see a lot of other services running around them as well. You can see ingress, you cannot have different type of kinds of jobs running. One single place where you can fetch all this information. Yeah.

You still have to do [00:34:00] the dissecting work. You have to bring these assets in and you have to define them. Each asset type has to be defined and you have to classify things like those, but you can achieve a lot of this using infrastructure automation as well. When you are spinning assets, you can kind of, you know, push a policy.

You can, you can have your infrastructure teams follow some policies that what do proper tax. If you are spinning applications in this namespace, tag them using these values, and then you can use those to kind of define your business criticality as well. So in Kubernetes, one is, I would say it’s still straightforward.

Once you have gained that visibility of how many clusters you have, how many namespaces you have, how many pods you have start off first by detecting your say, CIS benchmarks, thought of them. See how much of, how much of compliance is there from CIS point of view? See what country. You may really want to be enabled if they are not enabled from configurations point of view, keep a tight grip on the exposure piece, expose as little as what you [00:35:00] can and don’t expose too many services or too many.

And from there on start building. Your security controls on top of it. So you identify that. Okay. What, for this particular cluster, I need to be able to do traffic inspection. I need to be able to do wonder bloody detection. I need to be able to scan the container images which are living in the registry, or there could be some cluster which maybe has a crown Juul service running or application running.

And you may want to use a mission controller there to ensure that certain policies. Never breached. So as a Seesaw, you want to make sure what I do not ever want overly permissive are back on this namespace here, because this is going to be a conduit to a volume or a database. And I just don’t want any extra permissions to be going on this.

Creates such kind of policies pushed them into admission and you can block them to anybody attempting to do that will not be able to do it, but that’s like last mile [00:36:00] enforcement. So these controls then are possible to design. Once you have gained visibility in a non-covered as well. On the other side, things are a little tricky because each service provider ETS.

It has its own way of defining resources. Like today around 250 different types of resources are possible on AWS, similar number of possible on Azure. And then you have a little bit 10, 20% up and down in GCP. And each of the sources, like for example, in AWS, a security group is a resource. It’s not a workload it’s designed differently, but what are the new answers of that?

So in the CSP world, that’s where you need more help coming in. Commercial products who have spent a lot of time understanding these different asset types, these resources, and what are their security implications? What are their security? Misconfiguring. Or what are the connections or the relationships that these resources possess, which can trigger attacks.

That’s where the [00:37:00] CSPs of the world are investing a lot of time for consumers to kind of not become entangled in all of this.

Ashish Rajan: Interesting. And I loved that the way you defined it as to the two different kinds of works for probably defined what kind of. Approach you need to take from a visibility and security perspective for people who may be listening in from like the perspective you mentioned DevSecOps in shifting to the left.

There’s always this confusion that a lot of people have that, Hey, it sounds like a security tool, but a security tool that needs help from DevOps developers. So, should they be looking after this? Or should we be looking out for this who looks up in your opinion, who looks after the CNV usually? Is that like just as a security team or the DevOps team or the devs themselves, who’s looking out for this, or at least the stuff that’s being alerted, or

Om Moolchandani: you rightly said developers still have nothing got to do with security applications.

Although the cultural shift is happening, we are seeing a lot more organizations are making a mandate for. Developers to start getting [00:38:00] trained on fundamentals of security and start doing secure coding practices. Things like those, some elements of security are coming in, but still by and large developers, unfortunately hate security or for that matter, they might, they hate anything else, which in their way of releasing the software quickly and in a timely fashion.

So from, from that cultural aspect, the way senior. And similar kind of products they work is that their primary goal is to embed security into existing developer workflows from detection point of view, as well as in some cases from limitation point of view, but in such a way that fusion or that instrumentation has to happen in such a way, in a manner where the developers don’t even get to know.

That there is some security tool working behind the scene. The moment you ask developers, what we need to introduce this particular security tool in your workflow, but from today on one of the processes that you are following is not going to be same. It is changing. They’re not going to [00:39:00] adopt it. They will only adopt things when things are working seamlessly behind the scene.

So as an example, let’s say I’m a. I’m writing a bunch of code and I’ve written the code. Now I want to check that code into say Bitbucket or main hub right now, as a developer, don’t ask me to fire another process to scan that code. You want to do the scanning, you do it. I shouldn’t even get to know it.

And if something goes wrong in your scanning process, just send me a pull request or I will look into it, but don’t tell me to find anything else. Disrupt my workflow. So. Products like seen app all the DevSecOps based products have to ensure that they’re introducing security, validation, gateways, and other kinds of detection processes into existing developer workflows and do not introduce a new workflow.

So embed yourself with a source code repository based kind of integration in such a way the developer doesn’t even get to know it. All right. Orbit something which is called. Pull request, interception, pull request, review kind of [00:40:00] thing, where you will see that option is happening. Otherwise adoption will not happen, but the results, as you asked, who’s going to view the results.

So still the operation responsibility for security point of view is with the, the immediate possibility has shifted to left with engineering CSOs, keep the visibility from security operations, point of view, but they use shift-left CSOs are using shift lab for policy enforcement. For early detection and reduction of cost of security.

So what they want to decide is CSOs wants to decide that these are 10 things that I do not want developers ever to do. Like for example, in case of AWS, again, NEC two, there’s a configuration called as instance metadata. Which has been the reason behind a lot of breaches. So as a CSO, I do not want any developer to ever write a Terraform code with a UC two instance that is enabling that.

So I want to be able to enforce that, but I want to do that in such a way that developers should not get interrupted in their code development process. So I would want to then. [00:41:00] Product or a tool which goes and integrates with source code management tool in such a way that developer writes the code checks the coding, and now developer just gets the code back saying that, sorry, I cannot accept this because there’s a security problem in that.

It’s still okay with them because developer is dealing only with social management tool. If you will, as a developer, before you check the code in, into get up, upload this code onto this new product you are. See what the results are they going to say? What they want to use the term, which is used commonly.

Yeah. Yeah.

Ashish Rajan: I agree with you. And as well, because this is kind of where a lot of the initial lack of maturity that we will talk about with CSBM as well. It was almost like their work is done by engineering, but there was no visibility of what was being found for engineering, but the visibility piece was always, Hey.

So website to see what the result is, or I think even now that I think about it after this conversation, even the slack notification truly, that’s probably not even deems notification or whatever. That’s not [00:42:00] truly native for them as well. They still have to like go away from what they were doing onto this.

Another application. Cause chat slack is usually or slack or teams usually for this conversation. Hey, or maybe someone’s raised an issue trying to collaborate together. Like it’s not for finding bugs for your, for your code that you’ve written down. So I love what you’ve described over there as well.


Om Moolchandani: go on. I live by just three tools, ID, SCM source code management tool and the pipeline, but as long as playing within these three tools. Yeah.

Ashish Rajan: And as long as it feedback comes dead itself, instead of on this another platform, I think you’d probably be. Having a very security first culture at that point as well.

I guess maybe that’s another definition of having a security first culture to be able to integrate where your, I guess your colleagues are for lack of a better word. It’s trying to make sure because I’m just conscious of our time as well and your time as well. So the, I think I’ve covered all the questions over there.

I’ve got towards the end. I’ve got three questions to just like general questions for people to get to know you a bit. And there aren’t too many. So the first one [00:43:00] being, where do you spend most time on when you’re not working on cloud cloud-native or technology?

Om Moolchandani: I’m a ferocious reader and I’m spending these days.

I spend a lot of time reading different types of encyclopedias for my daughter, trying to make sure that she learns a few things. Oh, cool.

Ashish Rajan: Well, maybe you should. It’s good. I wish I’m, like I mentioned. . And since that, I wish I could read as much as other people, but I don’t enough. So the next question I have is what is something that you’re proud of, but it’s not on your social media.

It’s something that you’re proud of, but it’s not only social media. Well, I

Om Moolchandani: represented Australia in cyber Olympics in 2009. To L and I don’t think so that’s there anywhere on their social

Ashish Rajan: media. Wow. Is that even a thing I didn’t re I didn’t even realize it was a cyber security.

Om Moolchandani: Yeah. It’s an easy constant event.

They kind of do these regional hacking competitions. So it was in Australia at that time. So I ended up presenting Australia, came to me. Wow.

Ashish Rajan: Well, I’m glad [00:44:00] Australia was represented with someone as talented as you, man. That’s pretty awesome. Final question. What is your favorite cuisine or restaurant that you can share?

Om Moolchandani: My favorite cuisines have been mostly Indian, but offline. Thanks to my wife. She’s introduced me to different kinds of cuisines. So it’s now fettuccine or what’s kind of my favorite and well in Chicago. There are a lot of. Kind of restaurants, but there’s a chain here next to my state. So we live in Illinois next to my state is Iowa.

We need one. I just loved them for the fettuccine. Interesting.

Ashish Rajan: Thanks for sharing that by the way, for people who may have, that’s pretty much the end of the fun question as well, but for people who may want to reach out to you for further clarification or reach out for the general, if you can. They are very people can find you and just put a little bit actually accessible.

Om Moolchandani: Yeah. Well, people can reach me on my Twitter handle or my TUDCA, which is my daughter’s name. And

Ashish Rajan: by the way, so

Om Moolchandani: people can find you there. Well, I made sure that at least I’m giving her one asset when she grows up, which is a digital asset. So

Ashish Rajan: like maybe 1st of May [00:45:00] make you make it a NFD one may as well.


Om Moolchandani: And otherwise I could be reached on LinkedIn too. Mostly on LinkedIn or on Twitter, unfortunately, not on Instagram or on Facebook. So, and regarding a cure ex. So we started, we were a, shift-left a CSBM product when we began, but we kind of developed a lot of capability around CSBM and runtime CSBM as well.

And we recently became part of attainable. One of my dream, I would say companies, I started my career actually coding on the neces platform back in 2007. So it’s funny that I landed with tenable. So

Ashish Rajan: I’ll definitely will the show notes. I lay at least linked in the shorts. Thank you so much for coming in.

I really appreciate the time you’ve spent with us and the knowledge you’ve shared as well. I’m sure everyone else did as well. So I do really appreciate

Om Moolchandani: this. Thank you. Thanks for having me. No

Ashish Rajan: problem. And for everyone else watching, and I will see you all next week on another episode of our Transforce cloud security, which is month of October.

So I’ll see you all next weekend. [00:46:00] Have a safe one and talk to you soon.