
Sysdig's CEO on "5/5/5", SOC skills, service meshes and rivals

"RFPs now look much more thought-out: Cloud security is very much established in most CISOs’ minds as a category.”

Sysdig CEO Suresh Vasudevan

“More and more breaches are focusing on cloud infrastructure,” says Sysdig CEO Suresh Vasudevan. “What we've also seen – and this is perhaps the most distinctly different thing about the cloud – is that once attackers make their way into customers’ cloud estates, the dwell time is typically only 10 minutes.” That is, he emphasises, “about 10 minutes for your engineering team to detect, triage and respond to an incident.”

Sysdig – a “full-fledged CNAPP” operating in a space Vasudevan says just five or fewer companies meaningfully compete in – provides a suite of cloud security and observability tools, many built around the open source runtime security software Falco that its founders created. Given the pace at which attacks on cloud environments unfold, it now proposes a so-called “5/5/5” framework: five seconds to detect, five minutes to triage, and five minutes to respond to cloud security incidents.

5/5/5: lol/lol/lol?

To many defenders, the idea may seem a stretch.

After all, security operations centres (SOCs) are already inundated with a wall of security noise (often including thousands of false positives) from sensors across endpoints and cloud instances. Fixing things within 10 minutes, let alone triaging them within five, seems like a stretch, not least for established SOC teams used to anticipating attacker dwell times closer to 10 days (a number that is itself changing rapidly…)

But to Vasudevan, the opportunity to respond like this is real. The technology and tools exist to move a lot faster; what it takes is not only their adoption and careful integration, but often an organisational and cultural shift across the SOC and security function to make the most of them.


As he puts it: “There's such a deep familiarity with networking concepts, and end-user concepts and SIEM queries in the SOC. But in the cloud detection and response world, there's a deep partnership needed [between] the DevOps team, and the SOC team, that may not have been as important when you're dealing with traditional networking. 

“You have to change the process as a CISO, to figure out how to partner more deeply with DevSecOps teams; bring them in earlier.” (As he earlier told The Stack in a separate conversation: “I'm seeing security teams increasingly made up of security engineers that come from a DevOps background and are embedded as part of the application teams”; these often have a big focus on avoiding adding security friction to workflows.)

One area where SOCs often still need to mature when it comes to securing cloud-native or containerised applications or infrastructure is understanding identities, Sysdig’s CEO adds: “You don't want to start by saying, ‘tell me the IP address of this machine’, because the IP address is no longer relevant when that machine has disappeared entirely within a matter of minutes… [In the cloud] my entitlements are not tied to a machine; more than 50% of the identities are non-human identities, they’re roles, they’re service accounts. The machines themselves are ephemeral in nature, as are their IP addresses.”

(Some 72% of containers vanish in five minutes…)


That means a different skill set and notably different set of tools are needed for cloud security, as well as that cultural and organisational shift. 

Sysdig – unsurprisingly – says it is using generative AI to help sift through the sea of alerts that a cloud-focused SOC can end up getting hit with. In June it announced an LLM-powered assistant called Sysdig Sage that it says can assist with risk assessment, prioritisation, and decision-making. (It is going through beta testing with early access customers later this year.) That can help massively in contextualising alerts, says Vasudevan.

“A lot of the data that the SOC analyst needs is posture context. For example, if I see an event on this EC2 machine, I want to understand if there's a vulnerability on that EC2 machine that might have been the source of how they got in. I want to understand what misconfigurations may have existed on that machine; whether that machine had access through a firewall to data in an S3 bucket that had sensitive information… 

“All of these other attributes are really better understood by [platform engineering or DevOps] so there's a people dimension, which a SOC analyst cannot fully appreciate unless [they] have a shared understanding with their counterparts,” he says, referring back to that organisational structure component. AI now also looks likely to be able to support here, Sysdig believes, although as with many new LLM-powered offerings, production use-case lessons await; the proof is in a still-cooking pudding. (It has, however, been using machine learning

The CNAPP world evolves 

Just as both platform toolings and organisational structures are evolving to tighten up cloud security, so is the vendor industry – and Google’s recent aborted bid for Sysdig rival Wiz put a fresh spotlight on this sector.

The Stack asks Vasudevan for his views on how he sees it evolving.

“Cloud security”, he says, “is very much established in most CISOs’ minds as a category [and] has now evolved into a set of core capabilities.”

“When you look at RFP [request for proposal] patterns, RFPs look much more well thought out; the set of capabilities that customers look for are more standardised,” he says, adding: “It's caused some consternation for smaller companies that cannot have this critical mass of capabilities…”


Vasudevan adds: “It's harder and harder to say, ‘we are really good at just this specific aspect of cloud security’ (maybe it's just vulnerability management, or maybe it's just entitlement management). The set of capabilities needed to say ‘I'm a cloud security platform’ is about eight to 10 fairly substantive features that need to be integrated… that makes it harder for those that don't have [them] to make the shortlist on RFPs.”

That has thinned the playing field in this space significantly, he suggests. 

To whom? 

Asked for names, he says: “We think of ourselves as a full-fledged CNAPP platform. It's unusual today if we compete in a CNAPP RFP to not be shortlisted alongside Palo. Wiz, with their entry into detection response [based on the recent acquisition of Gem Security] is also able to compete,

He adds: “CrowdStrike has the financial resources. It's more a question for them of how long will it take, because they started in the journey late; but that's the other company that's very focused on being a full CNAPP platform… Then Defender [for] Azure is the fifth,” he concludes. “The number of vendors that can meaningfully participate has shrunk a little bit; even some larger companies are pulling back from cloud security.”

Resurgent service meshes: A threat?

It’s a complex marketplace, not least as CNAPP vendors have a lot of overlap with existing toolings. As Gartner put it in June in a CNAPP market guide: “Many organizations have existing technical debt from a variety of niche vendors to cover code to cloud security and compliance. 

“Most organizations already have some form of runtime CWP [cloud workload protection] in their virtual machines such as existing traditional endpoint detection and response solutions. Many public cloud adopters selected scanning tools for containers in development and also introduced a stand-alone solution for CSPM [cloud security posture management].”

Gartner added: “Most organizations have several vendors for different (or sometimes similar overlapping) functions, creating silos of users and findings and making it difficult to create a unified picture of risk… the synergy of an integrated [CNAPP] platform will provide more benefits than a best-of-breed strategy that is difficult to scale…”

It’s here – in this vision of a truly integrated and infrastructure-agnostic cloud security platform – that Sysdig (which raised a monster $500 million in 2021) continues to invest, and Vasudevan, who has seen his company win clients like Goldman Sachs and Cisco, is bullish.

But is another risk to Sysdig and its peers’ growth the much-promised, if thinly-seen rise of the open source service mesh, e.g. Istio, as a layer to handle much of the observability and security controls around containerised workloads?  Vasudevan doesn’t think so, candidly, but even if it does become a standard (Google, IBM, and Microsoft have all now aligned behind Istio, which is going through a real overhaul as well), sees it as complementary: “We went through a really deep dissection of how we would work in the context of a service mesh. It makes so much sense to have that layer front-ending the infrastructure, and have a logical view of your entire infrastructure orchestrated through service meshes. 

“But partly because of the complexity, partly because there's a latency impact to deploying service meshes [this hasn’t happened]. Imagine that it does take off at some point, frankly, for us, it's an enabler,” he says.

“For example, we do in Kubernetes something that's oriented towards network segmentation, where we segment within a Kubernetes cluster, which ports can communicate to which ports and we do that at the CNI layer, or the networking layer within Kubernetes that allows you to logically say this namespace should not speak to this namespace

“If we now had a service mesh sitting on top, then you would enforce it at a slightly higher layer… [because when it comes to] Kubernetes network policies, which we use for network segmentation, we don't try and recreate the actual network layer, which CNI is allowing you to do.

“We basically orchestrate that segmentation by saying ‘based on everything else we are doing, these parts need to be segregated from these parts’ and it's one of a dozen things we need to do to protect that workload, including detection, including killing a container when needed.

“So we think of segmentation as one of the tools you have for blocking from a security standpoint. [If Istio took off in a big way] it would be somewhat similar, we would use Istio firewalling as a capability; [as one of] the dozen different [capabilities] we deploy. So we think of it as complementary.”
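The namespace-level segmentation Vasudevan describes above maps onto the standard Kubernetes NetworkPolicy resource. The following is an added illustration written for this article, not Sysdig's own configuration or a description of how its product generates policies. It assumes a constructed layout with a "payments" namespace running pods labelled app: payments-api on TCP 8443, and a "frontend" namespace that is the only one permitted to call it; the namespace names, labels and port are placeholders.

```yaml
# Added example (not Sysdig's code). Two policies in the "payments" namespace:
# 1) deny all ingress to every pod by default, 2) re-open only the path the
# application needs: pods in the "frontend" namespace -> payments-api on 8443.
# Namespace names, labels and the port are constructed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress                # Ingress listed but no rules given, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-payments-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api    # only the API pods get this exception
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # label Kubernetes sets automatically on every namespace (v1.22+)
          kubernetes.io/metadata.name: frontend
    ports:
    - protocol: TCP
      port: 8443
```

Two points a practitioner should keep in mind when reading this alongside the interview. First, NetworkPolicy is purely additive: there is no "deny" rule, so the default-deny object works by selecting every pod while allowing nothing, and each subsequent policy widens the allow-list. That is the "we don't try and recreate the network layer" model Vasudevan refers to. Second, the Kubernetes API server will accept these objects on any cluster, but they are only enforced by CNI plugins that implement the NetworkPolicy API (Calico, Cilium and similar do; a bare-bones CNI may not). On a non-enforcing CNI the policies exist but have no effect, so verifying enforcement (for example by attempting a connection from a pod in a third namespace and confirming it is dropped) belongs in the rollout checklist.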

We’re getting into the weeds at this point. Cutting back out, Sysdig’s CEO emphasises that to improve cloud security more broadly and SOC performance specifically, setting “the tools and technologies aside, understanding what people and process changes have to take place… are some of the most important things that have to happen as well.”
