4: Bitdefender: Securing the Cloud – The Critical Role of CSPM

Apr 15, 2024

In this episode of Command and Control, host Aaron Banner and guests from Bitdefender delve into the increasingly crucial realm of Cloud Security Posture Management (CSPM). As more organizations migrate to the cloud, understanding and implementing effective security strategies becomes paramount. The discussion focuses on a recent Bitdefender article which explores the foundations of CSPM and its role in enhancing cloud security maturity. The guests, experts in cloud infrastructure and cybersecurity, provide insights on the challenges of cloud security, the implications of CSPM, and practical tips for organizations to strengthen their cloud environments against potential breaches. Tune in to uncover how CSPM acts as the backbone for robust cloud security frameworks and learn how to safeguard your digital assets effectively in this cloud-reliant era.

Review the Article they review here: https://www.bitdefender.com/blog/businessinsights/establishing-a-foundation-the-essential-role-of-cspm-in-cloud-security-maturit/

Aaron Banner   0:08
 Hello, I’m Aaron Banner.
 I’m the host of Command and Control.
 Today I’m joined by our partners from Bitdefender: Nicolas, who goes by Nick, Raphael, who goes by Raph, and then Daniel from Bitdefender.
 So, gentlemen, welcome.

Raphael Frederic Nicolas PEYRET   0:29
 Hi Aaron.

Daniel TEAGUE   0:29
 Thanks for inviting us today, Aaron.

Nicolas OBERNDORFER   0:31
 But to be here.

Aaron Banner   0:31
 So on today’s podcast, we’re gonna focus on an article that Bitdefender posted in the past couple of months.
 It’s called Establishing a Foundation: The Essential Role of CSPM in Cloud Security Maturity.
 And so I’m gonna ask Raph to really jump in here and talk a little bit about what this article is, kind of summarize it for us.
 You know, tell us the point of writing the article, and then we’re gonna get into some questions about, you know, how Bitdefender kind of helps in this area.
 Raph, I’m gonna go ahead and turn it over to you.

Raphael Frederic Nicolas PEYRET   1:12
 Thanks, Aaron.
 And to maybe give a little bit of background on this article, what we found with a lot of the organizations that we work with is that cloud security and CSPM are relatively misunderstood because they are a relatively new field.
 So the idea here was to shed a little bit of light on that, explain why cloud security is a little different, what it even means.
 And then going into how you can start to build up your cloud security posture, and that’s where the name, you know, cloud security posture management, CSPM, comes from: to help organizations get started with securing their cloud to avoid the many, many breaches that we’ve been seeing recently that are predominantly caused by misconfigurations or mistakes.

Aaron Banner   2:09
 OK, great.
 And so I mean, to summarize in more layman’s terms for me to understand, I kind of look at this as, you know, early on as organizations were moving to the cloud, we adopted using on-prem solutions, or solutions that were developed for on-prem security challenges, to address needs in the cloud.
 And so while those tools still have a place in today’s security, both in the cloud and on-prem, there has been a revelation in security tools that are more cloud native.
 And I think the article argues that there exists a gap between the on-prem tools that were developed and the need for more cloud native security tools to be developed.
 And so I believe Bitdefender has kind of taken a lead in trying to develop those tools.
 And I think as we get on, we’ll kind of uncover that a little bit, but would that be a fair summation of what the article is about?

Raphael Frederic Nicolas PEYRET   3:17
 Yeah, absolutely.
 I think this gap is one that stems from just a change in the way that the technology works.
 And you know, when it is your computer, your server on-prem, and when it is someone else’s server in the cloud.
 It’s not actually that simple, right?
 There’s an extra control plane of how you configure that server in the cloud provider that creates a new attack surface that the traditional tools have no visibility on, right?
 So if you’re looking at the endpoint, or if you’re looking at the network, they won’t know what’s going on at that level, kind of above, of the cloud provider.

Aaron Banner   4:04
 Thanks, Raph.
 So I have a question for you.
 So why should organizations prioritize cloud security, especially as they adopt cloud services?
 And I think we’ve covered a little bit of that here, but if you can just get straight to that point.

Raphael Frederic Nicolas PEYRET   4:22
 I mean, there’s one number that I love to share because it makes it so obvious.
 IBM’s Cost of a Data Breach report from 2023: 82% of breaches involved data in the cloud. 82%.

Raphael Frederic Nicolas PEYRET   4:42
 Now, if you think about where you’re spending your time as a security practitioner, does it reflect that?
 Probably not, right?
 So there’s a massive discrepancy between kind of risk based on the data of actual breaches and where people are spending their time to, let’s say, strengthen their defenses, right?
 And that’s the number one reason why organizations should, right.
 But beyond me saying, of course you should absolutely buy my, you know, my brilliant product.
 Follow the data of where you need to shore up your defenses.

Aaron Banner   5:19
 Yeah, 82%, that’s a pretty surprising number.
 I would have never expected that.

Raphael Frederic Nicolas PEYRET   5:26
 So the thing is, the cloud is now so prevalent, it’s everywhere.
 A certain percentage of those are not exclusive to cloud, right?
 These are not necessarily breaches that were only in cloud, but that at some point or another involved the cloud, right, with the attackers moving laterally from an on-prem environment to the cloud, or from a business email compromise or stolen credentials, and then pivoting, et cetera.
 So because a lot of the data is in the cloud, a lot of the risk is naturally also in the cloud today.

Aaron Banner   6:04
 Umm, so for anyone listening that may not be 100% familiar with cloud security and/or cloud native security.
 Can you describe what that is and why it would be relevant to them?

Raphael Frederic Nicolas PEYRET   6:20
 So cloud security has been used and misused for a while.
 For a long time, you know, maybe 10-15 years ago, providers were talking about cloud security when they were talking about security delivered by a cloud service.
 You know, a security tool that is, for example, delivered in a software-as-a-service model.
 They would put cloud there so everybody knew that it was, you know, a hosted solution.
 But today, that’s kind of the basic expectation for most services.

Raphael Frederic Nicolas PEYRET   7:03
 So you can kind of remove that.
 Then there are also lots of different types of cloud, right?
 There’s software as a service.
 There’s infrastructure as a service.
 There’s platform as a service.
 There’s private cloud, hybrid cloud, public cloud, and sometimes the definitions don’t always match between the various different groups that are talking about them.
 So the reason that there has been a shift towards cloud native security: cloud native security is actually much more specific to what we call cloud native ways of doing software development.
 And that means that it is typically hosted in the cloud, but that’s not the only difference.
 It’s also the number of practices around that, including the CI/CD pipeline, DevOps, et cetera, that kind of go with that.
 So when we’re talking about cloud native security, we’re talking about how do you secure workloads and infrastructure in this new way of working that is kind of the modern way of developing software that includes being deployed in the cloud.
 So that’s kind of cloud native security.
 Now, why is it relevant? Yep.

Nicolas OBERNDORFER   8:17
 Raph, can I add a?
 Sorry, I wanna add a little bit of color there, because everything you just mentioned is incredibly true, and it sounds like this is geared towards software developers and infrastructure teams and other organizations developing SaaS tools.
 But I feel like there’s a growing, let’s say, a growing customer base of organizations that are just starting their digital transformation, that have 1/2 or 20 servers running in cloud infrastructure because they’ve moved off of their traditional on-prem, and they’re using those servers much like they used to in an on-prem environment.
 Simply using AWS to host a virtual AD server or some other virtual appliance that they’re used to comes with the same set of challenges as if you were a cloud first or cloud native organization. Correct?
 So there’s a need for cloud native security for all organizations using public clouds, not just those that are developing software, is that right?

Raphael Frederic Nicolas PEYRET   9:13
 And I think one of the points that you made there is a good one.
 We see all kinds of different types of usage of cloud, and it’ll be from a lift and shift, which is this idea of you basically take what you had on your servers on-prem and just translate and have virtual servers that work exactly the same way in the cloud.
 The problem still exists exactly the same.
 If you have not properly secured that cloud management plane, then hackers are going to come in. The other thing to note is that in the cloud, in some sense, you’re much more visible.
 Your IP ranges, the IP ranges of the big cloud providers, are known and are public, and so they’re constantly being scanned.
 When you had your kind of on-prem server, you could kind of hope to be hidden away just because nobody cared enough to look for you.
 Whereas now on the cloud, attackers are constantly looking at those IPs because they know that there are organizations behind them.
 Using AWS, you know, Google Cloud Platform, Azure.
 So you now have a target on your back.
 If you’re not secure, whereas before maybe you were hidden, right.
 So that’s another shift that we see.
 In addition to that, a lot of organizations realize that moving to the cloud, if you do lift and shift, you’re not going to get most of the benefits that the cloud brings.
 And most of those benefits are actually not so much in terms of cost.
 If you have a stable, known set of workloads, it’s more in terms of the variety of services, the scalability, the innovation that you can have because you don’t need to manage all of this, you know, piping and infrastructure; you can go straight for the value-added work, and you only get that if you start changing the way that you’ve been managing or deploying software.
 Moving away from these server-centric ways of doing things to maybe containers, or even going further towards serverless or functions.

Aaron Banner   11:33
 Umm, you know, Raph or Nick, whoever wants to answer this.
 So the article that we’re discussing referenced a Gartner report that estimated a 5-year compound annual growth rate of 19.7% over the next five years in, basically, growth in cloud.
 And so it seems like we’re on the precipice of requiring almost a paradigm shift in how we’ve done security in the past and how we’re gonna have to do it in the future.
 So with that in mind, could you discuss with us?
 How has the approach to cloud security shifted over time?
 You know, just to give us a little bit of background.
 And then if you agree, why would a paradigm shift actually be necessary?

Raphael Frederic Nicolas PEYRET   12:34
 Yeah, that’s a great question.
 The history of cloud security is basically saying, well, now I have these servers running in the cloud, and the technology that I use to protect them, you know, it’s still a workload, it’s still running code.
 I need to protect that.
 I’m just going to protect it the same way that I used to, and that’s typically endpoint-centric or network-centric, mostly endpoint-centric.
 So you’ve got endpoint protection platforms that exist for all endpoints, but we realize that workloads in the cloud, they’re a little bit different.
 Maybe there are more of them.
 They are managed differently, typically because of, you know, CI/CD pipelines, and so maybe the management aspect of these workloads means that you might want to have a tool that does endpoint protection in kind of a specialized way for the cloud.
 The other thing is that the types of endpoints are different in the cloud.
 I think it’s 85 or 90% of servers are Linux-based servers, right?
 So that means that again, you need to tune the protection to make sure that you protect those types of workloads really well.
 And there’s this category that was created.
 Mostly startups that were then adopted by larger organizations, larger security organizations, security vendors, that was called cloud workload security, cloud workload protection platforms.
 Depending on which kind of analysts you choose to follow, those were basically endpoint protection specialized for cloud workloads, but functionally they still work in exactly the same way.
 Again, we’re forgetting the meta level of how the cloud is configured, and that’s where the paradigm shift is necessary.
 Even if you have the best endpoint protection in the world, if an attacker gets access to the credentials of your root account or admin permissions on your cloud account, they can make a copy of every single thing you have in your cloud, exfiltrate it, and your endpoints won’t even know; all of your existing security tools won’t even know that anything has happened.
 That’s why we need that shift, and it’s a shift that goes from, hey, endpoints and network are the only way that we need to protect things, and they’ve been this way forever.
 If you look at computing from like 30-40 years ago, those were still the main ways that you would choose to protect your IT footprint.
 Now we need to add this extra layer, which is the.
 How do you protect the orchestration, the management plane, whether that’s within the cloud, within Kubernetes or whatnot, and how do you fit all of these pieces together, because you’re going to need to have an understanding of the control plane?
 That’s what cloud security posture management tools do.
 They essentially plug into the cloud providers.
 Ask the cloud provider.
 Hey, this organization, Acme Inc, what do they have running here?
 They list all of that and then ask.
 Ohh, how is this set up?
 How is that set up, and run it against the set of rules to understand whether it’s properly configured or not?
 And mapping that to best practices or compliance standards to be able to easily know.
 Ohh, how do I become compliant to X, right?
 That’s what cloud security posture management solutions do, and they fit into a broader picture, which now has these names like cloud native security platforms, cloud native protection platforms, that will combine this aspect with the ones that we previously know about, cloud workload protection, for example, to form a full picture, and you need the full picture to be very well protected, and you need at least the cloud security posture management to have.
 That’s basic cyber hygiene.

Aaron Banner   16:53
 So, umm, you know, it’s interesting how you describe that; multiple times you discussed cloud security posture management, and I think you highlighted a lot of aspects as to why it’s important.
 Umm, can you?
 Can you clearly define the role that cloud security posture management, or CSPM, plays in securing our cloud infrastructure?

Raphael Frederic Nicolas PEYRET   17:23
 It’s the basic hygiene.
 You basically want to harden your cloud, and the way that you harden your cloud is by looking at all of its different configuration settings and making sure that the gaps are closed, and to take the analogy of a building, you want to check that the windows and doors are properly closed, that you’re using the right, you know, level of security that you need.
 So if you’re going to be, you know, in a sensitive environment, you’re going to want to have hardened steel for the doors, bars on the windows, and things like that.
 But that might be dependent on your situation.
 Now in the cloud, those things are constantly changing.
 So doing it manually is just not realistic, right?
 If you do a.
 I know, a security assessment once a year, but your cloud is changing every day; by the time you do your next assess, you know, by the time you finished an assessment, it’s already outdated.
 So cloud security posture management tools, they plug into the cloud providers and continuously analyze all of that configuration to tell you what is properly configured and what is not properly configured.
 It’s a pure prevention and governance layer, right?

Nicolas OBERNDORFER   18:49
 Aaron, can I add a little bit to that just to make it, yeah, I just wanna equate it to what the existing competing service would be in an on-prem or traditional environment.

Aaron Banner   18:51
 Yeah. Nick, go.
 Yeah, go ahead.

Nicolas OBERNDORFER   19:01
 So traditionally, before, when you had your endpoints and maybe your physical data center, you knew what controls you had to have at the perimeter of your data center.
 You locked those down, hopefully to a specific compliance framework or matching to CIS benchmarks.
 You had some sort of rule set to match it against, and you knew what those controls were.
 So you might use a firewall tool or an action firewall, something like that, to help lock that down.
 And that’s where you’re managing the configurations there.
 The CSPM tool is helping you do that in the cloud, where you might not know what those specific benchmarks and regulations are.
 So one of the favorite numbers I picked up from Raph when I was first learning about this was across the big three cloud providers in the US there are about 40,000 plus configuration changes to make. Now, 40 thousand is a very large number.

Nicolas OBERNDORFER   19:51
 Go ahead, Raph.

Raphael Frederic Nicolas PEYRET   19:51
 And that is just a portion; that’s just the identity and access management, right? So basically what I’m saying is that’s just scratching the surface of the configurations.

Raphael Frederic Nicolas PEYRET   20:08
 I’m glad nobody.
 I personally have not counted them all, but it’s probably, you know, an order of magnitude larger if you were to list everything now.
 Thankfully, you’re not going to be using everything, but once again, it’s impossible to do this manually.
 Even if you have an expert cloud security practitioner, they will probably know one cloud very, very well.
 Maybe a second cloud a little bit, but, you know, all of the clouds that you’re using, it’s going to be really difficult for somebody to understand all of the services of all of the cloud providers at the level of detail that you need to properly stop attackers, because you just need one single mistake for the attacker to come in.

Nicolas OBERNDORFER   20:55
 So what?
 In this case, CSPM is doing is it’s taking the role of a network scanner, scanning for open ports in your data center, because it’s telling you if your machines are configured to have open communication or they’re not locked down; it’s doing that proactive risk management for your endpoints that you would expect from a risk management tool that you install.
 So it’s combining a lot of the traditional preventative point solutions, where you might have two or three, and then it’s translating that to a cloud native area where, in this case, I would say most organizations don’t know what they don’t know, and it’s solving that problem for them because we’re providing compliance mapping or some GRC assistance to help you reach a benchmark of security where you are less likely to be attacked.
 It’s all about proactive reduction of that attack surface, the same way we’ve been traditionally talking about that at the endpoint level for 20 plus years, making sure your endpoints don’t have any misconfigurations leading to vulnerabilities, but mapping it to the cloud, where I would say most folks that are just getting started with the cloud, by default, there are several different ways.
 If they don’t harden, they may be vulnerable, and when you’re first getting started, it’s a whole new skill set.
 So this is helping ease that transition period for new organizations, or even cloud mature organizations who just don’t have the manpower to constantly evolve, because all it takes is one new deployment changed, one new account being created with the wrong permissions, and suddenly you’re vulnerable again.
 So you can’t just have a point in time and look back at that.
 It needs to be continuous management.

Aaron Banner   22:31
 Umm, yeah.
 You guys are clearly experts in this area, and we definitely appreciate, or I appreciate, you coming on and kind of leading us through this.
 I do try to keep my podcast to 30 minutes or less, and so as we’re approaching that time hack, I’d like to ask you just one more thing: given your history and your background in implementing this tool and these capabilities and securing some of your customers in the cloud, could you give us a practical example or two of successful cloud security implementations using CSPM?

Raphael Frederic Nicolas PEYRET   23:17
 Sure, tough to choose, but I think we’ve got a few that are gonna be relevant to a decent number of organizations that are listening here.
 I think the first thing that we note is that it’s going to be a journey, because the level of maturity that organizations have versus the level of maturity that they have in other things, like, you know, Nick was talking earlier about knowing the controls that you have on the endpoint, because the endpoints haven’t really changed that much in the last 20 years.
 It’s going to take a while for your organizations to get a good grip of what you need for the cloud.
 That means that typically organizations have started with a CSPM.
 They’ve done basic hygiene, but then they need to go beyond that.
 After a year, two years, they’ve closed all of their major gaps.
 They’ve gone from hygiene to starting to do defense in depth with more layers and more advanced controls, right; then the next step is going to be going deeper into the identity and access management side of the house, and that’s gonna be how do you manage those 40,000 permissions?
 All of the different identities, both the human users, but also all of your microservice service accounts, et cetera, et cetera, that have access to your infrastructure, and how can we implement least privilege for your cloud.
 So that’s going to be kind of another step on that journey, and then you’re going to continue down that journey as well with endpoint protection, right?
 With patch management, with endpoint detection and response that ties into cloud detection and response, et cetera.
 So that’s typically what we see now in practice.
 What does that look like?
 We’ve got one: 20,000 employees, 3 clouds that they’re working on.
 They need to comply with a national regulation for their industry, which in this case was banking, and they need a single point of control and view for all of their cloud environment.
 They plug it in.
 It’s very easy to be overwhelmed the first time that you plug it in, because you get a very large number of alerts.
 But the Bitdefender CSPM solution provides you plenty of ways to identify which ones matter for your organization.
 So you can go from a very, very noisy number of alerts, if you’re looking at everything kind of blindly, to here are the key things that you need to work on in order for you to meet your compliance standard.
 And so this bank managed to get their digital banking license, which was essential for their business, within just over a year.
 And then, you know, security no longer is a blocker for the business teams trying to innovate in the digital banking space.

Nicolas OBERNDORFER   26:27
 So I also want to add two things there.
 One, very selfishly, I think CSPM and cloud native security is part of a larger organizational security initiative.
 So there are benefits of a tool that ties in with your existing tools if you have them already.
 So I will use this as an opportunity to try and plug Bitdefender a bit, but the ability to have the cloud detection and response, where, as Raph said earlier, if someone breaches an account credential and exfiltrates data from your cloud, your endpoints won’t see it.
 The cloud detection and response could see that and tie it into a larger organizational incident, so the compliance piece, the posture management piece, incredibly important.
 But if you were being attacked right now while you’re figuring that out, you need some way to detect and respond to that, which badly we can support.
 We can provide.
 The other piece is the continuous ability to respond to new misconfigurations over time.
 We’ve seen success with various customers implementing internal SLAs and controls to meet with a compliance framework, or to meet and resolve critical findings within a certain period of time.
 So Aaron, if you were head of GRC, governance, risk and compliance, at a large organization that is moving to the cloud and you first plugged in CSPM, you might find these alerts or findings, 20,000 might show up in the first day, and then over the course of 12, 16, 24 months, you might go through and resolve 80 to 90% of those.
 But in the meantime, you could implement an SLA where any new finding that pops up, you can resolve that critical finding within one to two hours, and that gives you a big leg up when the time comes to your organization’s posture, because you can go ahead and say a new zero day is exposed within cloud providers, you were quick enough to respond to it where you’re no longer the likely subject of an attack compared to any other organization.
 That’s not responding for two or six months until their next security assessment.
 So we’ve seen in practice a couple of our customers implement SLAs on new findings and then also get as close to 100% as possible when it comes to these compliance frameworks like CIS, or meeting their standards necessary for a banking license, for example.
 So there’s a large piece of compliance here.
 I just.
 I don’t wanna lose the component of being able to protect in real time as well, or the workloads themselves, or for the cloud platforms, whether there’s a threat in there, the ability to do all of that from a single tool set, single console, it adds a lot of value and peace of mind to be able to do that quickly and effectively.

Aaron Banner   29:07
 Well, hey, this has been fascinating.
 It’s a very complex topic.
 I think we could have spent two hours at least just going through this, talking about the CSPM tool, better understanding the difference between cloud security and on-prem security.
 You know, what is and what is not cloud native, and the need for that paradigm shift over to more of a cloud native security posture.
 But, you know, we do have to go.
 I really appreciate your time. For anyone listening.
 If you wanna get in touch with our partners over at Bitdefender about this topic or any topic, really, just reach out to me, let me know, and I’ll put you in touch with these clear experts.
 So this has been another episode of Command and Control.
 I am your host, Aaron Banner, and stay informed.
 Stay secure.

Nicolas OBERNDORFER   30:04
 Thanks for having us in.

Aaron Banner   30:06
 Absolutely guys.

Raphael Frederic Nicolas PEYRET   30:06
 Thanks, Sir. Pleasure.

Aaron Banner   30:08
 Thank you.
