December 08, 2023

00:41:05

Episode 232 Deep Dive: Pierre Liddle | Future-Proofing Security: Unpacking Cloud Native Application Protection Platforms (CNAPP)

Episode 232 Deep Dive: Pierre Liddle | Future-Proofing Security: Unpacking Cloud Native Application Protection Platforms (CNAPP)
KBKAST
Episode 232 Deep Dive: Pierre Liddle | Future-Proofing Security: Unpacking Cloud Native Application Protection Platforms (CNAPP)

Dec 08 2023 | 00:41:05

/

Show Notes

In this episode, we are joined by Pierre Liddle (Co-Founder, Plerion) dive deep into the ever-evolving landscape of cloud security, tackling misconceptions, and examining the potential of cloud native application protection platforms (CNAPP) as a line of defense against attacks. We shed light on the dynamic nature of security threats, the benefits of cloud technology, and the strategic importance of finding the right partners.

Pierre Liddle is a distinguished expert with over 20 years of dedicated experience in the dynamic field of security. As the Co-founder and CTO of Plerion, he serves as the guiding force behind the company’s strategic vision. Pierre’s extensive career includes an impressive seven-year tenure at AWS, where he played a crucial role in driving global internal security programs and collaborating with customers to design, build, and manage secure cloud workloads. This direct and hands-on engagement has equipped him with an unparalleled understanding of the precise challenges and pain points that organisations encounter in the realm of cloud security.

With a profound commitment to enhancing cloud security practices, and a vision to make the world a safer place by empowering customers to conquer the future, Pierre brings his wealth of knowledge to the forefront at Plerion. His leadership and domain expertise empower the company to provide cutting-edge solutions that address the evolving needs of businesses in an increasingly digital world. Pierre’s invaluable insights and dedication to innovation underscore his role as a driving force behind Plerion’s mission to revolutionise cloud security.

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: I do think definitely there is a big move towards public cloud adoption. I don't know of an industry today that has not taken a step towards cloud adoption. From digital natives to critical infrastructure, all those sectors are considering cloud in one way, shape or form or another, because there are significant benefits to operating in the cloud that you can still move fast and you can still stay secure. [00:00:24] Speaker B: You this is KBCAT as a primary target for ransomware campaigns, security and testing. [00:00:33] Speaker A: And performance risk and compliance. We can actually automate that, take that. [00:00:37] Speaker B: Data and use it. Joining me today is Pierre Little, co founder from Plereon, and today we're discussing cloud Native application protection platforms, also known as CNAP. Pierre, thanks for joining and welcome. [00:00:53] Speaker A: Great to be connecting KV. Thank you. You're a longtime listener, first time caller. [00:00:57] Speaker B: Well, I'm excited to have you here. And I know this is a big topic, one I've actually never spoken about in 220 public episodes. So keen to maybe start with that. So for those who are not familiar, what is CNAP? [00:01:11] Speaker A: So if we had this conversation back in 2021, we might be talking about the same thing, but in a different way. Fortunately enough, Gartner coined this term and suggested to the market to evaluate CNAP over legacy approaches like posture management or standalone workload offerings. So cloud native Application Protection Platform, or CNAP, is a security solution that's really designed to protect cloud native applications. And these are the applications that customers build in the cloud running their environments, and they often utilize like microservices, architecture containers, or serverless computing. And basically, to sum it up, it's a modern approach to a modern challenge in cloud security. [00:01:58] Speaker B: So would you say as well, over you mentioned before, if you were asking me this question a few years ago, people's variation in their view on CNAP changes depending on who you speak to. Do you find that as well? [00:02:11] Speaker A: Yeah, I think there are variations around people's perception around what CNAP should be offering in the market. It is relatively a new definition in the security industry, and it's really born out of necessity around a better approach to help with cloud security because previous approaches or legacy approaches had shortcomings and ultimately created challenges for security engineers. So with this new approach, we're getting better engagement from security professionals, security engineers that can drive better outcomes for customers or for their own businesses, fundamentally. [00:02:46] Speaker B: Okay, so there's a couple of things in there. You said get better engagement. What does that look like? [00:02:51] Speaker A: If you take an example, like with previous or legacy approaches, they would often just look at singular data points inside cloud environments and generate a range of alerts. And this generally led to either alert fatigue, which means engineers or practitioners would get disengaged because they don't know where to start. But now with a new approach with contextual security, better data points, better technology, we can help engineers with more context, help them with prioritization, and ultimately get them to focus on what really matters in a shorter amount of time and drive better outcomes quicker. [00:03:27] Speaker B: Okay, so when you say what really matters, this is where I think it's interesting because depends on who you ask, you're going to get different viewpoints on what really matters. An engineer cares about things fundamentally different to a Sizo, for example. Would you agree? [00:03:39] Speaker A: Yes, most definitely. There are a lot more details closer to the ground for the engineers as a reference when we talk about focus on things that matter. So if you look at the different personas across engineering, you might have one individual that's focusing just on identity, you might have another security practitioner that's focusing just on vulnerability management, or a third security individual focusing just on configuration or networking. And that's all good and well, and they serve a specific problem, but together it's better, right, if you bring all those data points together, and that's where you can build better context. And I'll give you an example of what I mean by this. So if you've got a server that's sitting in the cloud, that is public as a web server, as an example, if you know it's vulnerable, if you know that there's exploit code that's available in the wild that can be used to exploit that vulnerability on that server, and you know as well what that server has access to in your environment, like maybe your crown jewels or a database, that's better context and helps engineers understand the true risk of that asset in the cloud environment versus just looking at the vulnerability in isolation of all the additional context. So this helps engineers prioritize with that enriched risk view. [00:04:53] Speaker B: Sure, I definitely hear what you're saying. It makes sense that of course an engineer will want to understand more context and more details. So how do you sort of find the middle ground? Because again, you can't help everyone. You're not going to always. Again, going back to my previous point, what's important to an engineer is fundamentally different to a sizeo, for example. There's different ends of the spectrum. So how do you sort of find the equilibrium on servicing everyone whilst trying to keep everyone happy? But also, we can't just be focused very singularly on one particular person's view. [00:05:22] Speaker A: That's a good point. So CNAP doesn't solve every security problem in cloud. There are many other problems that fall out of the scope within what CNAP can offer. So I'll give you an example that our approach that we've taken is to assess what are the various personas that are involved in getting a workload into the cloud environment. So you have the developers who are writing that infrastructure as code, and so they have specific requirements that they want to meet before they create that infrastructure in the cloud environment. And then you've got platform engineering teams that are looking at what does that running estate look like in the cloud environment. So they have a specific set of requirements as well. And then you look at line one, risk or compliance, and they also have a specific set of requirements. What's interesting though, and based on our analysis, is that they all want different things, but ultimately it's all from the same data set. It's just the way in which it's interpreted. So we try to serve those different personas to achieve the same outcome for those different individuals. But also we have a lot of flexibility in how an individual or business could define risk to their own risk levels within their business. We have some defaults that we believe are appropriate and every customer should have, but we understand that not every business is the same, to your point. And so there is a lot of flexibility to shape those specific outcomes that are relevant to each of those businesses. [00:06:43] Speaker B: But shaping it would then require maybe asking the right questions. So if you're going into a client, for example, you'd have to ask the right questions to be able to shape that. Because again, sometimes people don't know what they don't know. Again, the reason why consulting still exists to this day is people are so close to it, and it's that forest in the trees analogy. So of course, people lean on people like yourself to be able to ask those questions that perhaps they missed, overlooked, weren't aware of. Is that sort of what you're saying when you're talking through the data set that can be applied depending on who you're speaking to, whether it's platform teams or line one risk, for example. [00:07:17] Speaker A: So if we take a step back and we look at the full gamut of technology within a business, there's always that people process and technology, and we sit squarely in that technology area to help engineers and practitioners integrate technology with their processes. We also align strategically with partners that provide professional services, help deliver engagements with customers. Because also the challenge is not every business has the right skill set. And so you want to be able to identify who can you partner with? Who can you bring on board to help drive the right outcomes around security? So where the maturity is strong within organizations for security, as an example, they pretty much self serve. They get the technology, they know what to do with it. And where we have other businesses where the maturity might not be as strong, we refer to strategic partners that we're working with that can come in, complement the people and process aspect and drive those right outcomes. [00:08:20] Speaker B: So, Pierre, you probably already indirectly answered this, but maybe let's just do a bit of a recap. How does this work? Maybe purely and simply because, again, this is an executive podcast, not just people that are in security, all executives as well. So if you wouldn't mind just reiterating, how does it work? [00:08:36] Speaker A: So, because like you say, you've got a technical audience, but a lot of executives. And so maybe what I'll do is I'll draw reference to a mental model that the industry is well versed in is the NIST cybersecurity framework that has different aspects around identifying, protecting, detecting and responding to security related events as well as recovery. And so CNAC can help with this alignment in organizations across each one of those areas. So let's walk through them quickly. So if you think about identity or identifying within the cybersecurity framework, CNAP helps organizations identify where their assets are. What are those vulnerabilities on those assets? What are the threats that are specific to those cloud native applications that they're running? Then if you look at the next area, which is protect against the NIST framework, CNAP actively helps protect cloud native applications by enforcing access control or filtering malicious traffic scanning for vulnerabilities. Thirdly, from a detect standpoint, CNEP continuously monitors those applications. Their behavior, the network traffic, detects anomalies as well as potential security incidents. Then from a response standpoint, against that NIST framework, CNAP plays a crucial role in incident response, triggering automated responses when security incidents are actually being detected. And then from a recovery standpoint, CNAPS helps organizations recover from those security incidents, providing insights into those incidents that are impacting and assisting in the restoration of those affected services. So in summary, then think of CNAP as working in alignment with that NIST cybersecurity framework by providing proactive, comprehensive security measures for those cloud native applications. I think CNAP as a category within cybersecurity is relatively new, but there is an evolution from looking at just cloud data applications also to what we call SaaS Security posture Management, which is sometimes referred to as SSPM. So not only do you look at those cloud native apps that are running in your cloud environment, but what are the SaaS applications that are connecting and running on top of those cloud workloads, or what are those applications that users are interacting with. So for example, it could be Microsoft Teams, it could be slack, it could be Zoom, it could be my Google workspaces and the range of those third party SaaS applications that are also connecting, moving data, working with identities. And so also there's an element that you want to be able to assess that SaaS security posture management. Not to say that CNAP does that today, and again, it's subject to who you're speaking to and the understanding of CNAP. But definitely CNAP doesn't cover everything and we're seeing a lot of questions come through around. Well, can you also take care of my application estate across my cloud environment, which is often referred to as SaaS security posture management? [00:11:34] Speaker B: So it depends is what you're saying, depends on who you're talking to, et cetera? [00:11:39] Speaker A: Yeah, I think because it's just relatively new in the industry, it's not well defined. You can do a Google search and go CNAP and you'll get ten different answers. But I think what's important is from a business standpoint, what is that you're ultimately trying to protect and which are the technology partners that can help you overcome those challenges, not just today, but also forward looking, innovative technology partners can really unlock further business potential. [00:12:07] Speaker B: Yeah, and you're right, because that's why I sort of got you to start off with, like, what does it mean for you? Because everyone's version interpretation fundamentally changes. Again, on who you ask, who you speak to, what you read about. Similar to zero trust, for example, or sassy. So I think that it's very important to start the whole conversation on the right foot. So then from your point of view and what you're seeing, what do you think sort of the benefits are? Because if you said before, it's not well defined, it's still relatively new. What can people benefit from CNAP? [00:12:41] Speaker A: I think one of the overarching benefits is observability. Customers struggle and businesses struggle in the industry to understand what does their full cloud estate look like today? Where are my assets? What do I need to manage? How do I prioritize the range of vulnerabilities and issues that I've been un dataed with? Where CNAP provides a more holistic overview against that provides better observability, which means you're reducing that alert fatigue. Engineers are getting re engaged. They've got contextual data. Businesses can drive down risk and drive down costs. Because you can also look through tech consolidation and get better utilization out of your resources. You can do better risk prioritization. Comprehensive compliance reporting as well is a major factor across a lot of at least regulated industries. You also get continuous threat modeling. I used to be part of an AWS team, Amazon Web Services team. I used to do threat modeling internally, and that takes a lot of time and effort from days to weeks. But now we've built technology and capabilities in the platform that we offer to do continuous threat modeling for businesses. So again, you don't have to have that speciality, but CNEt can offer you that. And then you get data security assurance. So one of the points I mentioned previously was ultimately defining what is it that you're trying to protect? And a lot of the time it comes down to the key data sets within organizations, how that data is classified. And so now giving you a holistic view around, well, what is my data exposure in my cloud environment? So those are some of the key benefits I'll call out as well. [00:14:13] Speaker B: Just going back to the compliance reporting side of things. So would you say as well a benefit is it's easy to digest. So for someone, I obviously have built internal compliance reporting through tableau. This is going back like a decade ago, so it was all manually done. So you're saying that's an evolution of tableau because it's in the one dashboard? I know that you mentioned all the other things, but if I just focus on the compliance reporting, is it a better version of that, perhaps? [00:14:40] Speaker A: Yeah, I think it is definitely a better version because your compliance reporting is telling you what your active environment is looking like right now. And if that environment is changing, so is your compliance position so that you can attest to those changes over time and so you no longer have to rely on excel sheets or outdated information. You can get that compliance position at any time of the day as well as updated as that cloud environment is changing. And so you don't only have to model against one compliance regime, you have the opportunity to model against multiple compliance regimes. So for example, we spoke about NIST. We have customers and businesses that use NIST in the platform to benchmark themselves. We have the CIS benchmarks for cloud security. We have cloud provider best practices in the platform as well as we give businesses the opportunity to define their own custom regime. Because we know that yes, there's good industry references out there, but having worked with many regulated entities, they want to define something that's more specific to their internal benchmarks. And so businesses can also build their own and measure against their own compliance regimes internally. So a range of options, more real time, and so ultimately, again, better posture assessment and assurance across your cloud environments. [00:15:56] Speaker B: So I'm going to ask a different question again, because I have previously been a cybersecurity reporting analyst, so I'm familiar with this way of thinking and reporting. Do you think, though, it gets to the stage where we're looking at dashboards all the time, looking at compliance, et cetera, risk? Is it a little bit of, what is that saying? Analysis paralysis? Do you think sometimes it gets to that level? Because again, that sort of, and I asked this one, my background, but also even looking at the alert fatigue side of things, we can't look at every single thing. And sometimes where I think people perhaps don't think about it is, yes, we can report all day, we can look at these things, but if we're not deriving insights and telling a story, who cares? [00:16:40] Speaker A: Yeah, definitely. And this was one of the pain points I experienced in my consulting days as well, is helping businesses assess themselves against their compliance regime of choice. But ultimately, what we've undertaken within the business is more of a threat led, risk driven approach. And so this is really the value proposition, is when you look at different data sets, is ultimately what's your true risk to the business. Now, we understand compliance is important because regulated entities and the regulators define that industries or businesses need to meet a specific compliance position and attest to that compliance position. But what we know is that measuring just compliance is not sufficient to combat modern threats within the cloud. And so you have to consider both angles. So we provide the compliance reporting because we understand that those businesses need to report against their physician. But what we want customers and businesses to focus on is what's the real risk that you have in your cloud environment? And then you can set those thresholds to say, well, when this toxic combination is discovered in my environment, notify me, send it down to the right teams where there's eyes on glass and people can take the right action. [00:17:48] Speaker B: So when you go into a client and you ask that question which is relevant, do you get various answers? Do you think people don't know, they haven't thought about it? Or again, going back to, depending on who you ask, an engineer is going to say something different, perhaps with Sizo, share a little bit of insight around some of those. The meetings that you're having, it is. [00:18:09] Speaker A: A range, and I think it's a great question and I think it lends itself to the maturity within the industry and the different sectors, whether it's the financial, the fintechs, or highly regulated industries or public and private sector. Some businesses rely heavily on compliance because that's what they know, that's what they understand and that's what they've been measured against. Where on the other side, if you look at more digital native businesses that have progressive technology leadership and have embraced security and are very mature, they look at security very differently. And so it's a broad range. And I'll give you an example. We work with a group of fintechs and they swear by we are PCI compliant because they have to be able to report against their position for payment processing. But what the insight is that we bring to bear is when we connect Paleron and we do the discovery within the environment, we highlight significant blind spots that they were not aware about how adversaries would be able to access certain data stores within the environment. And this is key evidence of demonstrating where compliance just isn't enough. And so you have to look at the connected data to discover what the real risk is in those environments. And that's what we like to do is just discover those blind spots, help customers think about security in the cloud very differently and empower them with the right platform capability to help them move forward and where security can now become a business enabler and a strategic partner in the business. [00:19:34] Speaker B: So let's maybe flip over to the other sides around misconceptions. So we spoke about benefits, maybe misconceptions. Again, as you've alluded to multiple times, it is not very well defined yet. It's still relatively new. But is there anything that when you're speaking to people that perhaps are the misconceptions that commonly come up in your. [00:19:54] Speaker A: There are. There are a handful. And one is that everybody thinks CNAP is only suitable for large enterprises, where I think the benefit is CNAP and the capabilities provides enterprise grade security or makes it available to any business that's operating in the cloud today. So you can get that enterprise grade security at a fraction of the cost, a fraction of the complexity from traditional approaches to level up your security, which I think is a fantastic opportunity. The other misconception is that if I have CNAP, I no longer have to do a paint test in my environment. And that is definitely not the case. Maybe the last one I'd say is that if I have CNAP, I'm covered on all aspects of cloud security. And I would caution that there are still areas within cloud security that you want to consider where CNAP doesn't fit the shoe, for example, continuous attack surface management. Now we understand the value of providing customers an outsiders in view of their external perimeter. And so that's not generally considered within the CNAP landscape. But we understand that that's a good requirement to add to the full platform offering. So we have that in our platform today for customers to give them again, better visibility and observability around what does the full cloud estate look like? And CNAP is not expensive. It doesn't have to be expensive. [00:21:19] Speaker B: So why do you think people think it's only for enterprise only? Where do you think that comes from? [00:21:23] Speaker A: Good question. I think generally enterprises tend to have the highest level of maturity also in regulated industries and have the security teams that are driving the industry and the technology providers out there to deliver the best of breed. And generally enterprises have the wallet that they can accommodate those big asks. And so that would then remove the opportunity away from digital natives, small medium businesses or partners that are coming in board and entering the market where traditionally that would have been the case. And I've been part of that journey myself. I've seen how that perception can play out in the market. But today, being active in the market, building up Polarian as a co founder, we're making CNEP available to every business that operates. And so breaking down those barriers to entry is a key enabler for a lot of organizations now. [00:22:17] Speaker B: So just going back to the misconceptions again. So before we obviously doing my research and understanding a little bit more about CNAP, I'm not a CNAP expert, but do you think that people get confused around the CASB versus the CNAP? Just in the conversations I had with people, there seem to be people using these two terms interchangeably. Now, I know that they're different, but do you find that as well as part of a misconception? [00:22:43] Speaker A: Yes, I think the security industry is probably one of the worst around jargon abuse. And we have to be conscious ourselves not to just assume every business we interact with is well versed. A lot of organizations would refer to Gartner as we open up the conversation today. And what is Gartner defining in the industry around Chasm or CASB or SASE and CNAP, et cetera. But there is a large portion in the industry that has never heard of those concepts and capabilities. Again, it's an educational construct. It takes time. But we got to also introduce security concepts at the right level, to the right individuals, a lot of businesses have the technical acumen. Some of them don't have the technical acumen. Rely on partners or businesses to uplift their security capability. I think the security industry as a whole has a long way to go in simplifying security. And this is one of the cornerstones of Paleron is let's simplify security for our businesses. [00:23:43] Speaker B: Yes, please do. Because I think there's like, every day there's like a new acronym that gets spun up. And I mean, at the coalface of the industry, even I get confused. So I couldn't imagine people that are in organizations that are not doing this each day on where the confusion stems from. What about cloud first and then cloud native? Do you think people get confused with this? Then again, yeah. [00:24:08] Speaker A: Let'S just summarize there again. So cloud native, you're building applications in the cloud, utilizing cloud building blocks to microservices and containers. Whereas a cloud first strategy is often defined and say, well, let's go and evaluate if we have a new business initiative or a project or campaign we want to drive within a business. Let's consider whether or not cloud is a suitable platform in which we can go and build and then whether or not, if we choose to go the cloud route, can we use cloud native applications to build that capability. And so, yes, they are complementary, but they're definitely not one in the same thing. [00:24:48] Speaker B: Yeah, absolutely. And again, I think this is where I hear the terms used interchangeably. So it's about having this well defined. This is what this is, and this is what it means. Because I still do hear a few people that maybe don't understand or maybe someone's talking about something that is so convoluted that it doesn't resonate with others listening, for example. [00:25:11] Speaker A: Yeah, I mean, if we take a couple of steps back from my days when I was at Amazon Web Services as a security principal, security engineer in the field, when we looked at the early adoption of cloud and specifically here in AWS in the region back in 2020, twelve, there was a lot of conversations around migration to the cloud lift and shift, replatform, rearchitecture. And each one of them came with their nuances and were being, I would say, abused in the industry and created a lot of confusion. And so I do look to the industry and the technology providers and the consultancy firms out there that it's up to us to guide industry. What's the best way to do it? Let's try and simplify our taxonomy, because ultimately nobody's winning when we're just throwing more jargon out there. [00:25:57] Speaker B: No, absolutely right. So how do you think we do that then? Because we've obviously gone on a little bit of a rant here today about a couple of things and the misconceptions, but how do we simplify it? Because you're doing this each day, so of course you're an expert at it. But if you're a sizer or even a CFO, this one thing that we're talking about is very complex on its own. But there's another 50 other things that I speak to people about on this show. Each of those things are really important, but each of those things are really complex. So do you have any recommendations on how we can make it easier for people to digest and understand? [00:26:32] Speaker A: Yeah, my approach would be much like when we open up the conversation today is I don't want to go and define new capabilities within the industry because the industry has many references or mental models to refer to. So, for example, what I try to do is relate how does NIST apply to a specific business that we're working with? Do they understand NIST as a framework? Well, let's map NIST to their outcomes and business objectives around security. Then we're speaking a common language. If I'm talking to another business that doesn't use NIST or they use ISO or the CIS benchmark, that's up to us as practitioners in the industry, be able to identify that business mapping and use that same language that the customers or the businesses are using, not introduce new complexities. And so to your question, what can we do? Let's see what the industry has already defined well established standards like CIS benchmarks, NURs, cybersecurity framework, and use that as a standard platform and then start to iterate from there. Otherwise we don't even get off the starting blocks. [00:27:34] Speaker B: But here's the other side of it. Here I've spoken to people on the show saying even Nist is confusing. Then you've got people who summarize NIST because NIST is very, very long and very complex and very detailed. So then you got people that come in and say, okay, well, here's the top ten things you need to worry about. So do you think, then again, and I mean, it sounds like a silly question, but I've had multiple say, even that's too much for them to digest, so they just don't bother doing it. [00:27:58] Speaker A: Yeah, it's not the silver bullet, but a lot of businesses we speak to don't necessarily have a well defined security strategy. So in the absence of having nothing start with something that is well established in the industry, has stood the test of time and is a good starting point. Yes, you might grow out of that and evolve and then identify gaps. And that's okay because you would have grown so much in your journey in that point. Again, every business chooses their own compliance regime, whether it's NIST or CIS or their own. And it's again, it's about understanding where they are in their journey. What is their reference point that they measure themselves against and align with that. Don't come in and try shoehorn something new that has no relevance to their business. I think that's where the industry would be tripping up. [00:28:46] Speaker B: So from my understanding, CNAP doesn't just monitor, it actively sort of protects against attacks. So talk me through this and then how does this work? [00:29:00] Speaker A: Yeah, you're right 100%. So CNAP does way more than just monitor. It does actively protect against tax by implementing a range of security measures and responses to mitigate those threats in real time. So first of all, I'll just say CNAP is not your DDoS mitigation technique, right? Let's put that aside. That's a completely different aspect. But if you look at CNAP is offering regular vulnerability scanning so you can have early identification of your vulnerabilities, notifying you, and incorporating which of those assets are public. At the same time, which of them have only permissive access to data stores where your crown jewels are doing log inspection, looking for indicators of compromise or events of interest. Behavioral analysis as well, driving threat intelligence integration into your cloud environments, as well as in helping with those incidents if and when they do come to bear. So yeah, cloud native applications do help. They continuously monitor, they analyze, they assist in responding to security threats and vulnerabilities. They employ a combination of access controls, traffic filtering, behavioral analysis to help with those challenges within cloud. [00:30:11] Speaker B: So just going back to your DDoS example, do you think that's another misconception that people have around CNAP? [00:30:17] Speaker A: Yeah, again, CNAP is not the solo bullet. If DDoS is a serious concern, and especially if you're operating in cloud environments, my go to would be look at what your cloud providers are offering you. There was a recent report that came out that showed how Google mitigated one of the largest DDoS attacks recently. AWS has significant DDoS mitigation techniques. So lean on those cloud providers as your go to for DDoS mitigation. If for whatever reason, it might not be meeting your requirements, consider alternatives. But I can attest having been with AWS for many years. It's a phenomenal service that they offer around that capability. [00:30:53] Speaker B: Okay, so to your point before about simplifying this industry. So now talking about CNAP, everything that you've spoken about does make sense. But would you say that I love dashboards, all of those things, et cetera. But do you think maybe we're just adding more complexity because we've got scenes and we got CNAP? Is this another thing that security teams need to monitor, look at, be aware of? Are we then adding more complexity then? [00:31:24] Speaker A: We know already that the previous approaches didn't work. They're not working. We're still having an increase in breaches. We have mass adoption in cloud. There are new threat vectors that need to be taken into consideration. So legacy approaches don't work. So if we think about the other side of that equation is, well, let's move from complexity conversations to how are we introducing simplicity? How is it simpler today? Right. We have new technology that can drive better capabilities and give you different experiences. I'll give you an example. Play on AI search. We give customers the ability very much like you open up your browser, you're using Google and you're typing in your question, you get an answer. We give that same experience to executives that don't have to have the technical details. I can put in a simple question. They say, show me my vulnerable assets. Show me my riskiest assets. Show me my attack boss or toxic combinations. That was not possible many years ago. It was significantly harder. So not only can you give better experiences, which I'm a big fan of, but also offering consolidation. So I have a platform here that gives me better observability, more comprehensive coverage, integrated data sets. And I can reduce three or four or five different other isolated technologies that are deployed inside of my environment. So I would counter position this to say this is far more simpler. And I speak in the sense that I'm a security practitioner. We use Paleron to protect Paleron every single day. And we simplify it. I would have loved to have had this when I was in the trenches as a security engineer years back, but it wasn't possible. Or it was just out of reach because it was too expensive. [00:33:05] Speaker B: Yeah, true. You make a great point around things being too expensive. So then where do you think? So how do we sort of move forward from this? As you mentioned, it's still able to find. It's still new. Where do you think CNAP will sort of go in the future? Even the next twelve months? And like you said, the old ways weren't working. And look to your point, there's never going to be a silver bullet for everything, and we're obviously aware of that. But how do you sort of see this capability evolving? [00:33:35] Speaker A: So one of the key areas we fundamentally believe in is data is going to be key. We've seen how the adoption of AI machine learning models can unlock further insights for businesses. And so we made a significant investment in our data science and data engineering capability to look at data in a more holistic way, and move from the traditional concept of know and knowns and into an era of how do we model appropriately to understand what the unknown, unknown problems are. Now, yes, that is a long term vision requires a lot of data analysis, behavioral insights across where the market is moving. But what we know is rules based engines that do static matches won't scale based on the current challenges we have. So we have to find new dynamic ways in which to scale technology to align to the modern threats that are evolving. And so I do think we had an interesting point of technology across the industry. We've seen a huge adoption of generative AI, et cetera, and LLMs recently, and I think that's unlocking new potential and user experiences, which I think will drive a lot of changes over the next twelve months. [00:34:46] Speaker B: So just, again, maybe asking on people's perception about the cloud, just to sort of press on your previous point here, do you think that people are still sort of getting used to the cloud wrapping their head around the cloud, the security who's responsible for. What do you think then as well, that getting the cloud journey, et cetera, this will start to mature as well as we move forward? [00:35:16] Speaker A: Yes, I do think definitely there is a big move towards public cloud adoption. And I don't know of an industry today that has not taken a step towards cloud adoption. From digital natives to critical infrastructure, all those sectors are considering cloud in one way, shape or form or another, because there are significant benefits to operating in the cloud that you can still move fast and you can still say secure. Let's look at an example. Netflix, early adopter of cloud innovating, pioneering in the industry. And we all love Netflix bringing the content we love to our doorstep. They've embraced cloud, they've embraced security. You look at some of the studies that have come out from McKinsey, which mentions highly regulated industries are moving to the cloud four times faster than less regulated industries. So public cloud migrations will continue to define the enterprise technology strategies for the next several years. And if you look at startups today in different studies from the likes of rightscale. 94% of startups are using cloud today, 90% of small businesses are using cloud. And so I personally believe there is no going back to the world we knew. There is only one path forward with cloud adoption and increasing our business agility with cloud and security as a strategic partner there. [00:36:37] Speaker B: So do you think we'll just get to the point where everything's just cloud? So, like, I don't know, the next generation of kids that are born will just only know this? Do you think that in five years, ten years, I mean, there may be still a small percentage, but where are your thoughts at with that? [00:36:51] Speaker A: Yeah, I haven't come across a business today that when we speaking to co founders and entrepreneurs, no one is talking about buying servers and racking them in data centers. Even payment providers are working with cloud providers to build payment infrastructure in the cloud. I don't think there's any going back. There's only one way forward. We're looking at ways in which to run critical infrastructure applications in the cloud, because you have the right security and observability to drive that infrastructure. New businesses starting your first option is, well, can I do this in the cloud? If I can, it's going to be cheaper, I can do it faster, I can innovate at the speed of my business. Yeah, I think that's the only way. [00:37:34] Speaker B: What about regulated industries then as well? I don't know all the specifics, but as you mentioned, of course, the non regulated ones are four times faster. And I don't know whether it has to be. No, we have to do it this way in terms of on prem sort of stuff. But do you think that'll change? Perhaps? Because I know that some People say, oh, well, no, it depends on what it is. There's an element of it that still needs to be, we can't adopt cloud, but I don't know whether that'll change then over time, perhaps so on that point. [00:38:06] Speaker A: So regulated industries are moving four times faster than less regulated industries. Now, that's only possible because the regulators themselves have had the demand and the pressure from these business entities to move to the cloud, because these businesses realize they have better agility, better time to value involved in their applications, and better observability in the cloud. And so the blocker initially was the regulators understanding how to regulate and provide guidance to businesses around running critical infrastructure or heightened inherent workloads in the cloud. Now, if you look at APRA, APRA has more prescriptive guidance around running workloads in the cloud. So you can see the top banks and their business strategies adopting cloud. You look at Mass in Singapore, the regulator there also very prescriptive guidance now available on moving to the cloud or operating workloads in the cloud. Six, seven years ago that wasn't an option, and so the market had to go through an education process where I think we've overcome that barrier now, at least within the financial services sector, and you'll start to see more adoption across other sectors as well. [00:39:17] Speaker B: Yeah, most definitely. Well, I'm definitely, definitely for cloud seems very old school, the historical approach, but yeah, I don't know. Time will tell. I don't have a crystal ball. I'm assuming technology moves very fast. So who knows? Maybe on Prem in the future and all of that conversation won't even exist. I don't know. But again, maybe have to bring you back on the show to have that conversation. So, Pierre, is there anything specific you'd like to leave our audience with? Any final thoughts? Any closing comments? [00:39:46] Speaker A: I think for businesses today, whether you have an active security strategy or not, reevaluate what your priorities are. Look at how security can be a strategic business enabler. Assess the right technology partners that can help you move forward, not just today and tomorrow. And of course, if you want to have an open conversation with myself or any member of the team would welcome that. And we love collaborating with progressive technology leaders and helping the whole industry move forward. Thank you very much. I really appreciate the conversation today. [00:40:34] Speaker B: To get access today. This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand Talent Acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.

Other Episodes