A New Approach to Public Cloud Security
We are going to talk about the need that formed Orca, some background and history regarding the problem, and how Orca solves that problem with an industry-unique approach. Eight ex-CheckPoint employees founded Orca just under two years ago. They left CheckPoint to build a cloud security platform that was unlike anything else that existed. And I’ll show you exactly how we’ve done that throughout the rest of this presentation. Orca Security provides workload-level security across AWS, Microsoft Azure, and Google Cloud Platform. It is the only cloud security solution that identifies these security risks without the use of agents, scanners, or any code running in your cloud environment. Orca has FinTech, cloud, mid-market, and enterprise customers across North America, EMEA, and Asia Pacific. Many Orca customers have gone on the record. We have more case studies on our website than IT security firms 10 times our size.
Let’s talk about the need that inspired Orca’s founding. To do that, let’s consider what we currently use to secure our data centers. If we consider what we’ve done from a security perspective in the past, it’s not a long list. First, agents. Agents are installed and maintained as another application that runs alongside your important workloads. Agents provide visibility into what’s running and rogue activity on the host. They detect data that shouldn’t exist, and more. The problem with agents, is that you must install and maintain them. When you don’t, these workloads effectively become invisible and orphaned, which is a real challenge from a security perspective. Unsupervised workloads are a little bit like unsupervised children, they find ways to get in trouble.
Another approach used in the past is the network scan. Network scanners probe resources externally looking for known configuration errors. And these two solutions have really been the cornerstone of data center security for many years. If you want to understand a physical machine security posture, for example, you are necessarily using one or both of these technologies. And in fact, we still use these today, even in modern public cloud environments. Where agents used to run physical machines, they now run on virtual machines. Network scanners are now deployed as appliances in our virtual networks.
In the last several years, we’ve added a third type of security product into the mix, the CSPM or cloud security posture manager. These SaaS products measure the security configuration of cloud services, but have no perspective over workload or data risks. We saw two main problems with this approach. The first is that agent deployments do not scale. On average, we’ve seen that less than 50% of all cloud assets are covered by the security solutions that an organization leverages. It’s almost impossible to deploy agents everywhere. The second problem is that there are simply too many security alerts. We found that, on average, you’ll discover 10,000 vulnerabilities for every 100 assets. The main reason for this is these tools work in their respective silos. They don’t understand the overall picture and, more importantly, how security controls relate to one another.
To address these shortcomings, Orca was founded on a patent-pending technology called SideScanning that has several industry-unique benefits. First, Orca does not require or depend on any agents, network scanners, or cloud security posture managers. And yet, we’re able to detect risks in the workloads without sending a single packet over the network or running any ops code in the environment. Orca collects data directly from the workloads’ runtime block storage. This is the first ingredient of Orca’s secret sauce. We combine this intelligence with cloud metadata, like which security groups cover which workloads, how traffic is routed in your virtual networks, and much more.
Instead of integrating with every workload requiring credentials, network access, or installing agents, we read from the common shared virtualization environment. This facilitates an immediate understanding of all the major risks in the cloud environment. So, in the end, you’re achieving much more comprehensive visibility because you do not require per-asset integration as agents do. The Orca approach is complete. We detect everything that exists now, but also into the future. No more orphaned workloads because a business unit decided they didn’t want to fuss with security agents.
SideScanning is also 100% zero impact. Orca does not affect the workload as there is no code running or installed. We scan the storage, the building blocks of your workloads and virtually reconstruct the bytes and bits to the block level, and then reconstruct the file system, operating system, application, and data in a virtual read-only view. Next, we look for any risks that are found within the workload. So, in fact, we have full access to everything that the host sees.
Orca is proving superior security because of our agentless deep scanning. We can see the risks associated with each host. And we combine that with context and prioritization based on the cloud configuration, something that didn’t exist in the pre-cloud world. You don’t only see a workload, but you understand its location and context within the service fabric. You understand its current operational state, whether it’s connected to an external versus an internal network, which ports are open on the firewall protecting it, and much more. All this data is available in a very normalized fashion. And it allows Orca to provide a holistic prioritization in an effort to understand which risks matter to you most versus those that don’t.
Now that we have a conceptual understanding of SideScanning and the advantages it provides, let’s review the second pillar of Orca’s secret sauce; context. Orca builds a context map by mashing up all of this deep workload discovery detail combined with cloud context. Orca will discover cloud assets, identify asset roles, identify how resources are connected to each other, and then and only then will Orca identify risks with full contextual awareness.
Let’s take an example and have a look at how these two workloads, server 1 and server 2, both running a web server that uses a vulnerable library. Vulnerable to remote execution code risk in this case. And for the sake of the example, let’s assume the vulnerability is the exact same in both. A context less vulnerability scanner, such as an agent will simply report this vulnerability with its static CVSS Score, and both workloads will end up getting the exact same risk score. Orca, on the other hand, deduces from the cloud configuration that the service on server 1 is internet-facing and, therefore, the risk level is imminent compromise. Server 2 is not internet-facing and cannot be reached directly from anywhere, but a particular host and, therefore, the risk is only hazardous. But Orca doesn’t stop here, we also show you that the imminent compromise risk in server 2 puts at risk two databases that contain PII as the vulnerable web server includes keys that facilitate lateral movement to it.
Orca detects the risks that matter most, like vulnerabilities in operating systems and in applications, misconfigurations, machines that are already compromised, those neglected or orphaned workloads, machines that have flown under the radar and have not been maintained for years. Neglected machines are especially troublesome because these are not difficult to detect, but both agents and network scanners make assumptions regarding everything being connected to the internet, which simply isn’t true.
Orca detects the risks of lateral movement; for example, workloads that have keys that can be used to access other sensitive resources. And we see this often. AWS keys left behind provide route access due to poor security hygiene, or secure shell keys that facilitate accessing the entire cloud environment. We do all of this for your cloud environment literally within minutes.
And that’s it. I understand that was a very short crash course on Orca, but hopefully, that provides enough of an idea of how Orca can help you achieve unprecedented security situational awareness and separate the noise from what is truly critical.