Mark Nunnikhoven, Lacework: as the cloud grows, the attack surface becomes seemingly infinite
The increasing popularity of the cloud can be easily explained by its effectiveness and a wide range of benefits - from lowering costs for businesses to simplifying the working routine for employees. However, the move comes with pressing security concerns, which don’t seem to be going away any time soon.
While the cloud is strengthening its position across the world, companies worry about the security of their data. Some reports cite as many as 94% of companies as being concerned about cloud security, with the main worries surrounding misconfiguration, unauthorized access, and insecure interfaces. However, those issues should not stop businesses from moving to the cloud; rather, they should prompt businesses to work on their defenses.
Mark Nunnikhoven, a distinguished Cloud Strategist at Lacework, shared why the cloud will inevitably become the go-to solution for most businesses in less than five years, and how they can best prepare for the upcoming change.
The year started off with major funding deals for Lacework. Why do you think investors choose your services over other cloud security companies?
Existing cloud workload protection platforms rely on rules engines to detect anomalies, which require constant tuning. Enterprises spend hours daily updating mammoth black and white lists, which are usually outdated even before they go into production. Investors see major potential in Lacework as the first and only zero-touch cloud workload protection platform, which requires no rules, no policies, and no logs for breach detection.
We take a data-driven approach to cloud security, which is a key differentiator that has drawn significant investor attention. With hundreds or even thousands of alerts coming in per day and the prospect of missing one being detrimental, security practitioners are feeling high levels of burnout and stress. Lacework’s platform, powered by its Polygraph technology, collects, analyzes, and accurately correlates data across an organization’s AWS, Azure, GCP, and Kubernetes environments, and narrows it down to the handful of security events that matter so that security practitioners aren’t bogged down with endless alerts. Instead, they can focus on what matters: proactively mitigating risk.
In your opinion, what other factors contributed to this focus on cloud services?
Simply put, the assumptions that most security programs were built upon no longer hold up. Infrastructure security tooling is mainly designed for an on-premises and hybrid environment, despite a massive push to the cloud over the past year. The dynamic nature of cloud and containerized environments creates pervasive blind spots, making securing cloud environments uniquely challenging. The old legacy approach to securing monoliths, from the technology to the security teams, simply does not work for the cloud. Cloud-based businesses need centralized control for the myriad services, workloads, configurations, APIs, and infrastructure underpinning their business, but existing solutions don’t address these modern challenges. At Lacework, we’re garnering a lot of investor interest because of our laser-sharp focus on taking a new approach to security that caters to the challenges of cloud environments.
Lacework takes pride in Polygraph technology. Could you tell us more about it?
In the world of criminal investigation, a polygraph is used to detect if people are lying. Polygraph tests use multiple sensors attached to a person and look for changes like a racing heartbeat or elevated blood pressure to detect if that person is not being honest. Lacework's platform, powered by Polygraph, uses a similar approach for DC/cloud entities (users, workloads, and applications) and their behaviors by looking for deviations to detect breaches.
This technology dynamically develops a behavioral and communication model of your services and infrastructure that understands natural hierarchies (processes, containers, pods, machines, etc.) and aggregates them to develop behavioral models at scale. Together with a behavioral model, the Polygraph can monitor your infrastructure for activities that fall outside the model and dynamically update as behaviors change over time. Using this information, the Polygraph detects anomalies and generates high-fidelity alerts appropriate to your unique environment. Polygraph maps the truth of your cloud instance and helps users quickly visualize the ‘who, what, where, and how far’ of an event.
Unlike existing cloud workload protection, machine learning-based, and host-based platforms that require extensive tuning, generate a lot of false positives, and are not based on peer analysis groups, Polygraph uses deviation from a temporal baseline to detect deviations or changes in behavior, resulting in only meaningful alerts. Alerts are either due to a desired change, misconfiguration, or malicious activity. The Lacework Polygraph then scores the alerts based on severity and threat. By analyzing data from individual servers at the datacenter level, Polygraph makes detection more precise, as the comparison is made with similar entity peers and the entity itself over time, irrespective of the server.
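To make the temporal-baseline and peer-group idea in the two answers above concrete, here is an added example written for this page; it is not Lacework's Polygraph code, and the entity names, peer groups, and destinations in the sample telemetry are constructed. Behaviour that is new for an entity but already seen among its peers is scored low (a likely desired change), while behaviour unseen by both the entity and its peers gets the highest severity.

```python
from collections import defaultdict

# Constructed sample telemetry, not real Lacework data: (time, entity, peer_group, (process, destination)).
# Peer group = similar entities (here, replicas of the same service); destination is host:port.
BASELINE = [
    (1, "web-1", "web", ("nginx", "db:5432")),
    (2, "web-1", "web", ("nginx", "cache:6379")),
    (3, "web-2", "web", ("nginx", "db:5432")),
    (4, "web-2", "web", ("nginx", "metrics:9090")),
    (5, "worker-1", "worker", ("python", "queue:5672")),
]
NEW = [
    (10, "web-1", "web", ("nginx", "db:5432")),          # already in its own baseline
    (11, "web-1", "web", ("nginx", "metrics:9090")),     # new for web-1, normal for its peer
    (12, "web-1", "web", ("sh", "198.51.100.7:8080")),   # novel for the entity and all peers
    (13, "web-1", "web", ("sh", "198.51.100.7:8080")),   # repeat of the high-severity behaviour
]

def build_baseline(events):
    """Temporal baseline: behaviours each entity, and each peer group, showed in the learning window."""
    entity, peers = defaultdict(set), defaultdict(set)
    for _, ent, grp, beh in events:
        entity[ent].add(beh)
        peers[grp].add(beh)
    return entity, peers

def score(ent, grp, beh, entity, peers):
    """0 = within the entity's own baseline; 1 = new for this entity but seen in its peers
    (likely a desired change); 3 = unseen by entity and peers (misconfiguration or malicious)."""
    if beh in entity.get(ent, set()):
        return 0
    return 1 if beh in peers.get(grp, set()) else 3

def detect(new_events, entity, peers):
    """Emit scored alerts. Low-severity changes are folded into the entity's model so it tracks
    legitimate drift; high-severity behaviour keeps alerting until a human has reviewed it."""
    alerts = []
    for ts, ent, grp, beh in new_events:
        s = score(ent, grp, beh, entity, peers)
        if s == 0:
            continue
        alerts.append((ts, ent, beh, s))
        if s <= 1:
            entity[ent].add(beh)
    return alerts

if __name__ == "__main__":
    ent_base, peer_base = build_baseline(BASELINE)
    for alert in detect(NEW, ent_base, peer_base):
        print(alert)
```

Running it yields one low-severity alert for the metrics connection and two high-severity alerts for the shell connection; the in-baseline database connection produces none.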
Despite the advantages, the cloud is still not the leading security option. Why are people hesitant to fully move to the cloud?
Cloud software requires the integration of a large number of complex technologies across different systems and clouds, which places huge new demands on security operations. To secure applications in the cloud and the underlying infrastructure and orchestration layers like Kubernetes, businesses are forced to confront new security challenges from both an architectural and organizational standpoint.
One of the greatest cloud security challenges is that the cloud delivers its infrastructure components, things like gateways, servers, storage, compute, and all the resources and assets that make up the cloud platform environment as virtual services. There is no traditional network or infrastructure architecture in the cloud. Deploying workloads into the cloud can quickly involve complex sets of microservices and serverless instances that function in fluid architectures that change every few minutes or seconds, creating a constantly changing security environment.
Confronting these challenges is a tall task for any organization, and these dynamic, ever-changing cloud environments are not well served by traditional security tools. That’s because those tools were never designed for fluid, high-access environments like the cloud. When operating in the cloud, businesses need to know that their infrastructure remains secure as it scales. They need assurance that they can deploy services that are not compromising compliance or introducing new risks. This can only happen with new tools designed specifically for highly dynamic cloud environments, tools that provide continuous, real-time monitoring, analysis, and alerting. These are the challenges that we’re solving at Lacework. It’s why investors and customers are coming to us at such a rapid pace amidst the rush to the cloud.
The pandemic caused a spike in ransomware and cyber attacks. Did it pose any new challenges for Lacework?
Like any company, Lacework had to juggle priorities as we shifted to working from home. Security is always top of mind for our teams, and the spike in attacks kept us on our toes. Our teams are always working to make sure that we’re providing as much information to our customers about their environments as possible to help defend against these attacks.
Lacework is no exception, as we use our platform to ensure that we know what’s happening with our own systems. Thankfully, because we have a strong security culture, we could continue to focus on providing our customers with a critical tool to help them through this turbulent time.
What measures can organizations take to reduce the risk of such attacks?
The spike in ransomware and cyber attacks proved how organizations need to get ahead of cybercrime before it takes hold of our networks. Continuous monitoring and behavior analysis are essential to identifying vulnerabilities that exist within an organization’s environment. Too many organizations compartmentalize risk and create mitigation scenarios to rationalize inattentiveness. And while no one wants to go into fire-drill mode, that's exactly what happens when a ransomware attack hits, and we're not prepared. We need a protection-default button, not an alarm switch, and that default button has to be about preparation, and it needs to be on at all times.
Here are ways to ensure strong security best practices in your organization, both in terms of organizational requirements and through buy-in from stakeholders:
Some estimates claim that the majority of businesses will be cloud-native in less than five years. Do you think that is feasible, and how can companies prepare to avoid gaps in security?
It’s absolutely feasible. The cloud offers too many benefits for companies to ignore. That said, it may be more accurate to say that the majority of businesses will be cloud-first in less than five years. There’s a long tail of legacy systems that are doing their job, for which it can be difficult to justify the effort and expense of migrating at the moment.
The best way that companies can prepare for this move is to be aware that security in the cloud is inherently different from on-premises. In the cloud, you’re working with the cloud service provider to meet your security goals. That relationship is critical to your success. Once you’re aware of those differences, the next step is to take advantage of all of the data about your environment. The cloud provides an unprecedented level of visibility, which will help you have a stronger security posture than you can on-premises if you take advantage of that opportunity.
You often stress the role of data in establishing security. Could you tell us a little more about your data-centric point of view?
Unprecedented data growth is forcing enterprises around the world to reconsider their data storage infrastructure, forgoing legacy architecture and shuffling to cloud platforms. But while everyone focuses on migrating their data from one place to another, we overlook the most important aspect of data management: security. At Lacework, we’ve always believed that security is a data problem, and that’s why we built our rules-free Polygraph technology.
Through data, we can contextualize and organize behaviors unique to a customer's environment. This helps an organization understand and surface the needles in the haystack without the noise of false positives and meaningless alerts.
As data expands and the cloud inevitably grows, the attack surface becomes seemingly infinite. Rules-based approaches will fail at scale. As the world increasingly embraces the cloud’s simplicity (and by definition, the complexity that comes with securing it), the expiration date on rules-based approaches is quickly approaching.
And finally, what’s next for Lacework?
Lacework is hyper-focused on our mission to change security forever with automation and data so customers can innovate with speed and safety. We have exciting innovations in the pipeline already, and coupled with a next-gen vision for the Lacework platform, which you’ll have to stay tuned for more details on, we’re going to be unstoppable.