On Thursday, July 28, 2022, Orca Security hosted its first-ever global cybersecurity summit – Cloud Security LIVE – to a virtual ‘packed house’ of cybersecurity professionals and leaders.
As companies grapple with new and old security challenges while taking advantage of the cloud, this summer’s summit was focused on the cloud security landscape and actionable takeaways that security teams can use now.
The cybersecurity summit brought together enterprise leaders and researchers on the cutting edge of cloud security technology, with insights from CISOs, CEOs, cloud security leaders from Google Cloud and JupiterOne, and world-renowned cybercrime investigator Brian Krebs, founder of the award-winning cybersecurity website KrebsonSecurity.com.
Read on for the top highlights and insights unveiled at Cloud Security LIVE – and ICYMI, you can watch Orca’s cybersecurity summit here on-demand.
1. Security should help the business – not slow it down
Jeremy Turner is the Deputy CISO & Senior Cloud Security Engineer at Paidy. He sat down with Andy Ellis, Orca’s Advisory CISO, to share Paidy’s Journey to Full Cloud Security Visibility & Compliance with the Orca Cloud Security Platform.
Jeremy offers a metaphor to explain his team’s focus at Paidy: “I look at security as having the job of making sure you keep getting a paycheck. So you just start with half a paycheck. That’s the business doing it, and you want to keep getting it. So we’re going to make sure the business keeps making money – rather than impacting it so it’s not making the money. Installing and supporting agents does not give us more customers and merchants.”
Explaining his view on why agents just don’t work, Jeremy says, “We’re building custom applications. An agent requires a lot of support to make it work. The time it takes to integrate an agent on one platform may be longer than the business takes to build three new applications.”
Paidy is also saving year-over-year on the total cost of ownership (TCO) to manage their cloud security requirements with Orca Security. Jeremy says, “We’re close to [saving] about $1M U.S. dollars over the past few years [with Orca].”
Jeremy and Paidy are also measuring time saved on audit preparedness with Orca. “Without a doubt, it’s definitely reduced audit time. We had a big four auditor come in… I said, ‘Hey, have you heard of Orca Security?’ They’re like, ‘Yeah… this is great, because with this dashboard, we can connect the dots of the findings so we don’t have to ask you 100 questions.’ We completed that engagement in four weeks, and it would have taken longer had we not had Orca Security in place.” Jeremy enjoys showing how his audit exports match the dashboards in Orca, noting, “I’ve walked auditors through this before. I’m like, ‘Look, here’s the export I just gave you. And here’s the actual dashboard. Let’s look together. It is accurate. It is up to date.’”
Taking advantage of the ease-of-use Orca offers his staff, Jeremy is accelerating time to value as new practitioners join his team and hit the ground running with the Orca platform. “As an example, we had a new employee that started a few weeks ago. He’s now doing API security tasks on his own and providing value to the organization.”
Jeremy’s team is also building teamwork and having fun at Orca’s new Cloud Camp program – a gamified closed training for customers and prospects who want to explore Orca’s full capabilities for DevSecOps. “I attended that [cloud camp] last week. And I went into that thinking, ‘This is going to be easy – we’ve been using this for a while.’ I actually learned quite a bit. That was a fantastic camp. Absolutely fantastic.”
2. Focus on resiliency to prepare for the next Log4j
Critical and ubiquitous vulnerabilities, like Log4Shell and Spring4Shell, have had security teams working around the clock and over the holidays. Cloud Security LIVE’s experts homed in on cybersecurity resilience so teams are as prepared as possible when the next zero-day vulnerability strikes.
“Log4j taught us some crucial things – first, you need up-to-date security,” explains Avi Shua, CEO and Founder of Orca Security, on the three Log4j lessons learned in December 2022. “If you need to deploy or update a security tool in order to get an asset inventory or detect files with vulnerabilities, including ones inside Java files, you’re simply not going to make it in time. Secondly, because most organizations cannot fix all of the vulnerable assets in the last two weeks of the year, you need to prioritize. Third, you need to find the right person to route each vulnerability to, so it’s about consuming the data,” concludes Avi. In case you missed it, you can get the rest of Avi’s insights in the Lessons from the Trenches: What We Learned This Year to Get Cloud Security Right session using the on-demand link above.
Brian Krebs, leading cybercrime journalist, founder of Krebs on Security, and NY Times Bestselling Author of “Spam Nation”, echoed the need for an accurate asset inventory to prepare for the next Log4j event. “One obvious takeaway from Log4j is to inventory all the open source libraries you’re using, and try to understand – before the **** hits the rotating blade – exactly where all that stuff is present in your infrastructure. It just makes it a little easier, a little faster, to triage this stuff when patches become available. Keep your libraries up to date.”
Brian says security basics still matter: “Come back to the basic stuff: update your libraries, have a great inventory of what you use, and have good processes to be able to patch on time. This is very old advice – but it’s still valid today.”
Resiliency was also needed to manage the risks associated with an emerging Atlassian vulnerability in May 2022, notes Avi. “Similar to Log4j, was the Atlassian Confluence vulnerability in late Spring 2022. It happened as usual on Memorial Day weekend, with no CVE number, no patch, nothing, besides a rumor that there was a remote code execution affecting the latest version of Confluence. To which, Orca said, ‘Of course.’ We then helped our customers prevent external attackers from even approaching their Confluence instances. Weeks later in June, the advisory was signed and Atlassian recommendations came a few days later, including patches. In order to get through tough situations like that, you need to have an accurate asset inventory.”
3. Enable security teams to quickly respond and remediate threats
Recent research shows ransomware attackers are gaining initial access and executing attacks in less than 4 minutes. With the business of cyber crime becoming more accessible on the dark web and ransomware-as-a-service, security teams need to reduce their mean times to identify, detect, respond, and remediate critical risks and threats.
Erkang Zheng, CEO & Founder of JupiterOne, a leader in cyber asset management, joined Alicja Cade, Director, Financial Services, Office of the CISO, at Google Cloud, and Keith Morkis, Orca’s VP of Product Marketing and Evangelism, in The Evolution of the Cloud and Innovation in Cloud Native Security session, to discuss cloud-native solutions to address these challenges. Erkang explains how teams can improve security outcomes, including rapid response to cloud-based attacks: “If you’ve done this right, you have the opportunity to build a better foundation, better visibility, and also be able to react faster, respond faster, and react faster, and innovate faster. That’s the key advantage in the cloud.”
4. Integrate Shift Left Security in the CI/CD pipeline
Cloud environments and container configurations are too diverse for security practitioners to rely on a single point-in-time security check. By shifting left and making sure containers are securely configured early in the build phase, and monitored through runtime, security teams can manage cloud risks, remediate vulnerabilities, fix misconfigurations, and respond to incidents. Shifting security left informs the SOC when issues arise in build, test, and run phases of the software development lifecycle, helps engineers secure their code in the CI/CD pipeline proactively, and aids CISOs in managing the risks that can severely impact an organization in production.
“We have to make security easier for the engineers in two ways. One is to proactively provision and push sufficient guardrails so that we can create this kind of TSA precheck lane for developers,” explains Erkang Zheng. “The second part is the security teams also need to have the right visibility that provides the right context. Security teams don’t own the code. They don’t own the infrastructure. They have to provide the right context to collaborate with somebody to remediate.”
“Cloud providers have hundreds of services these days. Unfortunately, the security posture of them is not equal,” notes Avi Shua, considering recent cloud vulnerabilities discovered and reported by Orca’s Research Pod – including Superglue, BreakingFormation, and SynLapse, which took Microsoft over 100 days to patch. “Security leaders, especially ones with stringent security requirements, need to consider whether they use these new [CSP] services or not, and what is the security posture of the service before choosing to enable it. It’s not an easy conversation.”
5. Build security into cloud migration
By 2025, Gartner estimates that more than 95% of new digital workloads will be deployed on cloud-native platforms. And the sheer number of organizations utilizing cloud services is on the rise, too. While enterprises realize the power of the cloud, security teams are struggling to keep up, or even to know where to start, when it comes to their cloud security posture.
From Alicja Cade’s perspective, teams have to get it right to achieve the benefits from the cloud: “When you manage the physical environment, you have security policies directly being applied manually to your environment. But here, you have the opportunity to apply them directly in the cloud, making security central to your company’s development process built in – not the afterthought – and minimizing the security risks from the start. However, if you get that wrong, then the consequences can be big.”
Digital transformation projects should include cloud security when a project starts, notes Erkang. “When companies start going down the path of digital transformation, there’s this tendency to do lift and shift. But if you’re simply shifting the on prem workloads that are not architected and not designed to operate in the cloud – it may become more complex and more costly to manage. Those are things that we want to think about at the beginning.”
Alicja has seen what it takes for companies to successfully migrate to Google Cloud: “So what we have seen is organizations undergoing large scale digital transformation projects also implement security strategy in the migration. It involves a shift from the on-premise mindset to develop an actual security strategy for the cloud.”
6. Democratize security across teams with unified data and context
Erkang Zheng sees two priorities to enable security teams now: “We have to leverage the right tooling, number one, and number two is to democratize security.”
Alicja Cade notes that better data is required to manage security in cloud environments. “That elimination of on-prem has to be coupled with real transformation and ability of the security team to be able to supervise and assess the new, more complex environment,” explains Alicja.
Companies can simplify cloud security and manage cloud risks with next-generation cloud technology in place: “The tools – like Orca and JupiterOne – can significantly help reduce the complexity that’s needed to understand the underlying infrastructure. Leverage those tools to help the practitioners make decisions easier and faster,” explains Erkang.
What teams are critical to democratizing security?
“You can only do this right if you provide the right context both to the security teams and the partners of the security teams,” continues Erkang. “We have to engage the developers, the DevOps teams, the SRE users so they have domain knowledge in cyberspace. We all have to be on the same page.” Seeing how teams can meet their security outcomes in Google Cloud, Alicja confirms data is crucial for DevSecOps decision-making: “For that, you do need data analytics and robustness of the cloud.”
How do context and unified data build teamwork?
Context is one of the reasons the Orca Security platform was built in 2019. Avi Shua, CEO and founder of Orca Security, founded Orca to help customers protect and defend their rapidly expanding cloud environments at scale. “In order to master cloud security, you need to understand the context of the issues.”
Seeing that cloud tools were falling short and failing teams, Avi and Orca’s founders developed Orca’s revolutionary SideScanning technology that scans workloads both wide and deep in the cloud without requiring any agents. Avi explains how the Orca Cloud Security platform’s context and data analysis help security teams understand “not only how easy it is to pick the lock, how severe the vulnerability is, how the misconfiguration is, but also, who has access to what’s behind it.”
Erkang explains how data and context can be used to prioritize teamwork across the org: “You have to have that context to aggregate the data into one system record and be able to provide that context to different teams.” Using Orca’s unified data model, teams can continuously monitor cloud environments, streamline team workflows, triage tickets with cross-functional teams, and use one cloud data source to ingest into the SIEM.
Gain visibility in minutes with the Orca Cloud Security Platform
With these takeaways from experts who understand the real-world challenges, we hope everyone can now take action using this intel from the first-ever Cloud Security LIVE 2022 and join us for future cybersecurity summits.
Ready to take action and discover what unlimited visibility looks like in your cloud estate? Try out the Orca platform free for 30 days, without obligation, and receive a complimentary cloud risk assessment. Organizations have reported seeing 50% or more of previously invisible assets in their cloud estate – minutes after launching Orca’s leading, analyst-recognized technology for multi-cloud environments.