Shift left, shield right: Code-to-cloud strategy for securing apps

"Uh well, welcome. My name is Amal Masur. I'm the SVP of Products for Prisma Cloud. Uh I've been doing cyber security for a bit before Palo Alto. I worked at TR XA, I ran AEC Network Security, enterprise, etcetera. Uh that's all I've done in my career. So I find it quite interesting now, sort of before I go into the topic, which is how do you secure applications by shifting left and shielding? Right.

Let me talk a little bit about quick Palo Alto Networks. What do we do? What are we focused on and so on? Right. So there are three sort of grand challenges, three key missions that Palo Alto is tackling.

Number one, we are transforming network security to deliver best in class security, whether it's hardware firewalls, virtual, managed services or, or market-leading SASE.

The second is how do we completely transform security operations with a fully integrated approach with data analytics automation.

And the third one, which is what we are going to focus on today is how do we secure applications from code all the way to public cloud?

Now, the third thing that you see at the bottom is Unit 42 which is the underpinnings of, of everything that we do and develop essentially a world class threat research, threat intelligence and security response team, which provides us a lot of real world hands on intelligence on what's going out in the threat, threat landscape.

So let's sort of zero in on the code to cloud journey or mission that we are focused on now before we sort of go into how are we thinking about it and what are we tackling? I just wanted to level set on what is what are the modern challenges of using today's cloud developing, deploying running applications today in the cloud? Right.

So what we see is there's like a perfect storm of innovation and risk, right? On the innovation side, we see that applications are no longer just natively 100% developed. They are kind of like assembled together using a bunch of first party and third party pieces. In fact, 75% of code out there based on all sorts of different studies uses open source components which you might have no control over as an organization.

Now, on the risk side, 80% of all open source components have more than one vulnerability. And we all know that as soon as a new CVE comes out and it's exploitable within 15 minutes, you start seeing people on the internet trying to find the systems that are vulnerable and attack. I'm sure all of you live through the joyous horror of Log4J, which is I think right around this time in the holiday season, running through Christmas where it was just, you know, extremely hard.

Now, on the continuous delivery side, like applications used to be monolithic, maybe one release a quarter. Now we see 77% of organizations are releasing software weekly and there are a large number of organizations especially born in the cloud internet facing apps which are doing number of changes on a daily basis, right? So the speed of what you're putting out there is increasing, but the amount of security personnel that you have to deal with securing and analyzing is not growing.

So you know, some studies say there's a 10 to 1 ratio of developers to security. I think that ratio is far more skewed and I'm sure based on your own personal experience, you just don't have nearly as many people trying to secure your application, your infrastructure and so on.

And the last one is GenAI, right? I mean, anybody heard of GenAI, right? You can't walk 5 ft in a conference like this and not hear about GenAI or go online and not hear about GenAI, right? So what we are seeing is that GenAI is causing a lot of acceleration in security risk.

So on one end, we see that you know the output of software that can be that can be produced with GenAI, with things like Copilot and so on is going to increase the velocity by 10x. And but when you, when you evaluate the software that GenAI is producing, and there was a published 40% of the 1600 plus things produced by the GitHub Copilot had a lot of vulnerabilities. Even on the attack side, you can see attacks scaling in speed, in stealthiness because GenAI can craft these attacks much, much faster.

So it's a perfect storm between all the innovation that public cloud and all these new technologies afford. But it brings with it a lot of substantial risk as well.

Now, let's talk about how cloud applications are assembled today, right? They're assembled in different stages. So everything starts with code, you've got custom code, you've got open source code, you've got codified infrastructure or IaC. This sort of creates a bunch of infrastructure and then those instances get deployed in your runtime applications.

So what starts with probably a single issue in a single package all the way in the left can become hundreds of thousands of deployed vulnerabilities on the right, right. Whether it's open source packages causing vulnerabilities, whether it's resources, a single resource used in 1000 places causing the same misconfiguration.

Now, the way the industry has responded and largely how people have tried to secure all those sort of exclamation marks, which is nothing but the attack surface is use point products, right? There's an alphabet soup of security posture management and you can put whatever letter you want at the beginning, right? Everything from cloud to application to data, to identity, to whatever right now, what has happened is that while these solutions are trying to protect their little piece of the puzzle, there is no intelligence that is shared between these solutions, right? There is no context being shared from run time back to the source or from source to the run time. And this causes a lot of operational efficiencies.

Because if you look at your own organizations, for the vast majority of organizations, there's an AppSec engineer, which is very different from the DevOps people managing infrastructure, which is very different from the SOC that is looking at the runtime incidents and alerts that are coming from technologies that are able to detect and prevent threats. And the tool that becomes the most used collaboration tool across all these is Microsoft Excel, essentially a countless number of meetings in Excel, and this is causing a lot of risks to go unaddressed.

So even in this day and age when you are investing in all sorts of security posture management solutions, it's just not enough. So let's look at some of the stuff that we are seeing in terms of risk that is going unaddressed.

So we did an assessment from our own sort of customer base. 1000 plus customers, 210,000 plus cloud environment, 70,000 repositories. And what we saw is like, for example, 83% of the customers still have hard coded credentials in their SCM systems or 75% customers who have not even enforced basic AWS CloudTrail logging.

And as a result, you see that it takes a ridiculous amount of time, 145 hours for them for an alert to even get resolved. Even if it is a critical alert and customers are taking a significant amount of time because they just do not have that context that intelligence stitched from all these point solutions.

Now, let's talk about open source and everybody uses open source. I saw this line, I don't know where it came from. I just stole it. It basically said, hey, the magic of open source is anyone can use it, but no one is obligated to maintain a secure open source, right?

So we looked at about 70,000 repositories that we monitor, which were using a little over 100 open source packages and 63% had unpatched critical or high vulnerabilities. Now, if you think about it, right? Like these are like an abundance of open source packages out there. These are being put into production applications with a high degree of vulnerabilities.

The other side of open source that we are seeing is that open source packages are being weaponized and targeted to create supply chain attacks. SolarWinds, Codecov, all of these have been in the public domain where, you know, these packages which are very often used by developers are essentially being weaponized to cause applications to have major breaches.

So as a result, all these fragmented solutions out there, you still have issues where large organizations with significant investments still have had major breaches, right? You've heard of CircleCI it got in from a developer laptop using a malware and then reused a token or SolarWinds which was a very famous breach out there and so on.

So with all, all this sort of threat landscape and all this investment, what is the right approach? How do you provide that intelligence so that you can actually have a reasonable shot at protecting your applications?

So we sort of spent over a year or the last year. Really thinking about how do we take what we have in terms of best of breed capability and really stitch it together to allow for customers to have an end users, to have a reasonable chance to securing their applications.

So a few things that we have thought about. Number one is you've got to be empowered to fix at scale the issues at the source, right? As we saw one issue at source becomes more than 1000 issues in run time. If you're just trying to fix stuff in run time and not fixing the root source, you'll always be in this endless loop.

Number two is you've got to block the breaches in run time. So while you're fixing, you've got to have a way to look at events, look at actual incidents happening and have preventative in line technology to block it.

So we came up with a code to cloud sort of intelligence that stitches together from your source, your infrastructure all the way to your runtime environment. And I'm going to walk through capability that we always had and some new innovation that we recently launched at tackling some of these problems where this context is just not just not available.

So let's talk about visibility first. Right now, we have always had the ability to look at 350 plus cloud services, really understand what are the misconfigurations in these services and so on. So this is table stakes, this is already been there.

What we have added on top is how do you understand and visualize your rogue shadow IT or shadow clouds, right? So we have a capability called Cloud Discovery and Exposure Management, which is outside in view into your unmanaged, unsecured cloud assets. These could be assets in the cloud that you already know about or these could be just clouds which you don't even know about, which are unsanctioned, are just being used by teams to deploy applications.

So not only it discovers all your assets, but it also discovers the vulnerabilities, the risks that are exposed as an outside in view from the internet.

Now, once you know all your known and your unknown assets with the shadow clouds, then you need to sort of figure out, ok, what are the risks, right, whether it's vulnerabilities, misconfigurations overly permissive or, and then on the incident side, we are looking at, you know, user anomalies, network anomalies, how malware is moving in your environment and so on and so forth.

Now, of course, we have a ton of out of the box policies, but you can write your own custom policies as well. And then the last area is compliance, who doesn't love compliance, right? I mean, compliance makes pockets open. Compliance also gives people sleepless nights, but it's just the tax that we all have to pay and we are trying to make that as easy as possible by giving you one click ability to take your posture or your good things or your gaps and map it to all the widely known compliance standards, whether you're financial services or healthcare or, or some other industry.

Now, um the thing that we have recently added into the visibility is it is a capability called App DNA, right? So today, when you think about an application, it constitutes of your compute resources, network resources in the cloud, you got some storage, you got some data assets APIs. But at the end of the day, all of these things group together in the service of some business application.

So let's say if you're in the retail industry, you could have a payment application, a shopping cart application, a product catalog application."

And typically what we hear from end users is that they want to visualize risk, report risk on how the applications are constructed versus on container images or repos or running virtual machines and so on. So using Kubernetes namespaces or if you have a mature tagging strategy, we automatically without any end user config needed discover the application boundary across all these resources.

Now, there are sort of two ways to think about this. One is we create your application inventory. So you can go once you on board your cloud account and look at these are all my apps. But also this becomes rich context that we overlay throughout all the risks that we visualize, which I'll talk about in the subsequent slides.

So once you have sort of gotten the visibility, you've gotten an understanding of what your applications are and all the infrastructure or resources that support that application. Now it's time to really prioritize and understand your risks, right? Now, everybody talks about, hey, I want to prioritize my risks so that I'm focused on the most important things. But it's table stakes. It's very important. Don't get me wrong. But what's really, really important at the end of the day is how are you successfully set up to remediate or mitigate those risks? Right?

Prioritization just basically reorders the same 1000 plus things or more in a different order. But you still need to go do something about it, you still need to find the people who will action those issues and so on. So the way we have sort of dealt with this is that we get signals from multiple different sensors, you can call it, whether it's looking at vulnerabilities or misconfigurations in code or whether it's looking at container images or your running instances, your identity permissions, we put all of that together in a single data lake and then we are able to correlate risks and attack paths.

So for example, you could have five or six disparate events which are interesting, there are issues, but when stitched together, they are actually a latent risk which at any moment can become a breach. So for example, you could have an EC2 instance that's exposed to the internet, has a critical vulnerability, a misconfiguration and an IAM role which is overly permissive with access to an S3 bucket with sensitive data inside it.

Now these are like six different atomic things. But when stitched together, they present a major risk to your organization. So the whole idea is that you might have a billion log lines, 17,000 total alerts within that critical alerts. But what really matters, what you really need to action on is those 20, 30, 40 things which we call attack paths, which we are automatically able to stitch together in our platform.

Now, the next thing is once we stitch these things together, you need to sort of understand what is the root cause of this. You need to get all the context around it, right? So we are able to sort of overlay this in a in a, in a graphical format and give you sort of meta data and details for every portion of that atomic incident.

So whether it's understanding what that workload is, what issues that workload has or what sensitive data is in the storage bucket, you're able to sort of get that context at with a single click.

Now I talked about App DNA a few slides back. When you have an incident, we also overlay what is the application context of the resources which are impacted as part of that incident. So whether it's a container image or whether it's a storage bucket, like what applications or microservices are these supporting, we automatically discover that, which also helps you identify the owner that can actually go fix that problem or the owner of that particular asset that needs to be looped in. Like one of the things we hear from end users all the time, establishing that ownership for problems and assets becomes a major challenge.

And then so you know, a lot of these issues, but how do you go remediate these issues? That's a major challenge, but we provide that sort of right there in the way when you visualize these risks.

Now, you know, for folks in the room who are in DevOps who are getting bombarded by security or if you're in security and giving issues to people who actually go remediate. One of the biggest points of friction is they just give you the information and provide you no context on how to go fix it, right? And that becomes a major challenge. Like where is this issue? How do I go fix it? Why is it important? All of that issues including detailed recommendation steps is what you need to be able to be successful in your, in your remediation.

Now, I talked about the fact that remediation is far more important. You need to demand that your solutions need to enable you to do remediation and not just prioritization. So we have approached this in two different ways, right? From a remediation standpoint, you can either fix a particular issue in the cloud or you can fix it in code.

So let's talk about the cloud aspect first, right? So let's say you have a misconfig, we have provided automation where you can say, all right, you know what, either I want to go click the button called fix in cloud or I just want to set a policy where if a certain type of issue is found, just automatically go remediate that issue, right? Like why make me come into the console and analyze? Like I already know that this is an issue. I already know you can fix it. I've given you the delegated permission, just go ahead and fix it for me, right?

So it helps you build remediation. It helps reduce your mean time to remediate, which is a key metric that I know everyone is focused on. And then if you don't want to do auto remediation and just send it to the right folks, it gives you all the context that eventually the DevOps teams need to go remediate these issues.

The next way we think about remediation is fix in code, right? So let's say if you have a known vulnerability on an internet exposed asset, right? What if you could automatically say that hey, if a critical vulnerability is found on an internet exposed asset, I automatically want a pull request assigned to the right developer because I can trace that issue from run time back to exactly where it came from, in which package, from which repo or which IaC file, and I want that issue automatically assigned to them so they can review it, they can merge it, and they can... Right now, if you don't have this automation built in, you're essentially downloading CSVs, throwing it over to your DevOps team and then they're like, what the hell do I do with this? I think this becomes a mounting challenge.

So solutions that help you provide that right context and just automate this process is what is really going to help you have a better handle on your risk.

Now another issue that we have tackled. And this is a thing we released recently is around vulnerability management, right? Like vulnerability management as a space maybe is not as, as cutting edge, but it's still something that we have to deal with every single day. And the biggest challenge is there are just too many vulnerabilities. Like how do I go remediate all these vulnerabilities? It's not even possible. A lot of these vulnerabilities don't even have patches available. So what do I do with it? Right.

So we created two things. Number one is we created a way to hyper prioritize and not just prioritize based on critical risk or a standard CVSS score, but really prioritize based on what could turn into a breach at this moment, right? So we take in all the vulnerabilities, whether it's coming from your registry images or run time or it's coming from, you know, SCA scans in your, in your source code, we can say, all right, you've got all these critical and highs within that. A subset of these are actually exploitable. A subset of those are actually patchable and within the patchable ones, even though that could be a large number, these are the ones actually impacting packages which are in use in run time, which means like this is the shit that could go wrong. Now, you need to go fix that now, right? So that's the level of hyper prioritization.

Now, the next thing and if, if all of you remember the morning of Log4j, right? Sounds like morning after Christmas. But the morning of Log4j, everybody got this question here. Are we vulnerable? Where is Log4j? Where all can I find Log4j? Right. And I remember I was at a, at that time and even we as an organization was struggling because everybody has information and all these disparate systems and you have to merge all of this together.

So we created a capability in which I'll show you a graph called the unified vulnerability management where you can search for any vulnerability. And it will tell you exactly where that vulnerability exists in your code repositories, in your images and your running instances in production. If you could get that visibility and that traceability from a cloud all the way back to code, that could be super, super powerful.

So we talked about sort of prioritizing and remediating a lot of the latent risks from misconfigs, vulnerabilities, attack paths, which are a combination of issues and so on. Now, let's talk about actual stuff that has gone wrong or is going wrong, which is incidents in your environment and how can you mitigate? Right.

So we sort of detect threats in sort of three large buckets. Number one is we run deep analytics using behavioral modeling, user entity analysis, machine learning, even bringing in intelligence from our Unit 42 team. And we are looking at sort of your cloud configuration and your audit trails, your network and flow logs, we ingest a trillion flow logs on a daily basis, your web and API traffic because we have a full featured app and API security capability and all the DNS logs. And we are trying to sort of stitch together the context to see: is there user behavior that we see that looks suspicious and anomalous? Right. And does that indicate a specific pattern of something that has already happened or is happening at this point in time? So that's, that's number one that we constantly surface those threats and anomalies.

Number two is when you have your actual application workloads, right? I mean, you have container images which have a lot of third party dependencies which could have malware or crypto miners, or it could have vulnerabilities, zero day or known vulnerabilities, which are being exploited. So we have agents, very lightweight agents which are host, container and serverless aware, which can look at actual lateral movement or if the malware is trying to break out of the container and attack the host or if there is anomalous behavior of the container, which has not been observed before, you can detect all those threats. And we use machine learning and anomaly detection.

But the other thing which end users use a lot is our behavioral modeling, right? So you can say, all right, I've got this container, this is a known good image. This is how the container should behave. And you can make our system learn that good behavior and say that at a network level, at a process level, at an IP level on where it's supposed to communicate. If it deviates from that baseline, if that baseline is so well established, then I want to take punitive action or I want to get alerted on it and so on, right? And you can manually go teach the system on what that expected behavior is. You can do allow listing and block listing and so on.

And then the last sort of set of capabilities is your layer seven attacks, right? So, I mean, you could have an application which has an API interface or an actual web interface on 443 that's exposed.

How do you detect against the top 10 which is a bunch of port scanning, reconnaissance, injection vulnerabilities or all the way to bots trying to attack your infrastructure. It could be credential abuse, it could be just bots which are scraping data from a product page or a pricing page. It could be just bots trying to do a denial of service attack. Although I would say it's much better to deal with denial of service at the edge of the internet using a CDN versus doing it right next to the app. But we do have capability that can detect against DOS attacks.

And then the last one is any kind of API abuse, right? We did a research paper on BOLA attacks, you know, using AI to detect those that was quite fascinating but any kind of abuse against your APIs which is abusing the actual behavior of the API we can detect as well. So anything that a standard solution can do.

So in summary, you can investigate all your issues, you can look at all the context, you can get all the details and analytics and then you can drive the response, whether it's fixing in code or fixing in cloud.

The one thing that we are thinking about and I know that deploying agents is not something that people do very lightly or typically automate in wartime. But what if we observe malicious activity on a workload and we can provide a way to automatically go deploy an agent, enable that behavioral profiling and then give you a profile to now go block. That's something we haven't done yet automatically. It's still a process that you need to go through and deploy manually. But we are thinking about that as the next step in our fix in cloud journey.

OK. So you have the visibility, you have prioritized, you have either remediated or mitigated. The next thing is you want to expand your investigative capabilities and try to understand what else could be going on in your environment based on what you have already seen and remediated or seen and mitigated.

So we have a very powerful search and investigate capability where both using our own query language or using natural language, you can ask it questions and it will give you that answer and render it in a graphical format, right? So you can ask it, show me EC2 instances which are internet exposed, which have a specific CVSS score or higher vulnerability and which has an overly permissive IAM role or some combination of that. And it will render you all that information in a graphical format. So then you can investigate and understand exactly where that issue is and also investigate the blast radius of that issue, that if someone exploits a particular instance, where else can they go?

This is also the place and the screenshot if you can see on what you see up there is you can say, hey, where all do I have vulnerability X right? CVE blah blah blah, right? What you see on the screen? Essentially it'll render back and say that particular CVE exists in these code repositories in these container images in your environment and in these runtime instances.

So in a single shot, something that could take you days or weeks to find out because your systems are all disconnected and not sharing any context. You can do that with this code to cloud intelligence layer.

Now, today, we largely only support our first party information which means that you have to ingest or you have to be using our scanning and our CICD and our vulnerability scanning and our runtime and so on. On the, on the vulnerability side, there are two partners that we do ingest data of which is Qradar and Tenable. And we are looking at expanding in areas because we all realize that look as much as we want everyone to buy everything from Palo Alto that doesn't happen. There are incumbent vendors deeply entrenched in different parts of the app life cycle and you want to leverage your existing investments.

So we are constantly looking at how we can bring in third party intelligence. So that when you are asking these questions or trying to visualize risk or understand risk, it's stitching together, not only data that we find, but also what we import from third parties as well. So that's a very powerful sort of call it enterprise search and investigate capability across everything that we see and you can ask it complex logic and so on.

OK? The fourth thing that we've been working on and this is like super exciting. I just love this capability is our AI Copilot, right? And you can go see a demo of it. I believe it's on our booth in the expo hall as well. And we are thinking about AI in general in sort of three buckets, right? In two categories and three buckets.

So one is your precision AI which has existed for a long time, machine learning statistical models, circadian patterns, et cetera, et cetera. And we have been using it and we continuously use it to give you better security outcomes, whether it's detecting threats, automatically detecting blast radius, etcetera, etcetera.

The 2nd and 3rd bucket is how do we use generative AI which is relatively newer to really give you a much better user experience, right? So there are two aspects we are focused on. Number one is how can the copilot be sort of a sidekick, a very smart intelligent sidekick to help you efficiently automate operations, give you answers to things you want to know about your environment, right? And the second set is if you just want to know something about the product today, you would have to go to documentation, go find that use case and then go read through it. But what if you could just ask a very simple question? Hey, how does Prisma Cloud integrate into ServiceNow rather than going and finding this 66 clicks deep into the documentation? If you could just ask that question and get a very specific response and a link to where, where you can find it in the documentation? Wouldn't that be a powerful thing that makes your experience much better?

So that's what we are focused on with our AI Copilot capability. So let me sort of show you a demo and this is actually in production now. So AI Copilot it manifests across throughout the product. You can bring it up, doesn't matter where you are. But let's say you ask it a simple question. Am I vulnerable to Log4j? And you can ask the same question in multiple different ways, we are able to extract that simple language and extract the intent of the question.

So you can say, do I have Log4j? Where all do I have Log4j is Log4j in my environment, etc etc. So you ask that question, you instantly get information on where Log4j is running. So the same thing that you were looking in your Search and Investigate capability or the same thing you can get from your vulnerability dashboard, you can just ask a very simple question, right?

Like one of the things that our CEO Nir has challenged us is like, look, he thinks in five years, a lot of companies will not have a fixed UI you can just ask questions like you ask Google or Bard or Perplexity or any of those engines and it'll dynamically generate the UI that you are after. And this is what it's sort of the early beginnings of that is right?

So you ask it a question, it tells you exactly where it's running. We have also included capabilities where you can say, just click on a button and say, explain this graph to me or explain the risk. Like what am I looking at? And it will sort of explain that in simple English. So you can even if you're not familiar with the product as much, you can really understand it.

So once you get the answer and the advice, then you can say, all right, I want you to go remediate all of this now, remediating all of it is not a nuclear option. It just means that. All right, I want you to go issue Jira tickets or ServiceNow, tickets or automation or a pull request so that this like everybody who needs to go do something about it throughout the app life cycle goes, does something about it and essentially you could fix it right from the AI Copilot from code all the way to the cloud.

So the fixing part and remediating part is still under development. That's why I have the asterisk there. But in terms of giving you that visibility on exactly where that vulnerability is in your environment across the life cycle, the AI Copilot can do it for you.

The last thing I want to talk about is that obviously like, you know, you, you visualize risk, you prioritize you remediate and you go through that life cycle day in and day out. But it's very important to understand how you are doing as an organization, right? So I mean dashboards and graphs are nothing special. Every product has it. You can visualize trend lines over time. Is your risk going up or is your risk going down, you can do the same thing in the different phases of the app life cycle.

But what sort of where we are taking this next is we have created a concept called collections, which means that you can report the same thing that you see at an aggregate level across different constructs. So for example, what you see at the bottom of that, that screenshot, it says, hey, show me all the risks and how they are being burned down different through the app life cycle for application.

So rather than you having to export it and then sort it and create this grouping to then report up and say, hey, these are the way application teams are doing or different business units are doing, you'll be able to do that natively out of the box. So this could become a celebration thing across teams or this could become your wall of shame depending on how you want to use it in your organization. But this gives you instant visibility on how you are doing through your app life cycle with the risk and the different trends and incidents and attack vectors and so on and so forth.

So, you know, in conclusion, like I'm sure that you folks have either invested or you're looking at investing in different kinds of security posture management and runtime and look there are other, there are a lot of good products out there in the market. At the end of the day, what I would say is you, you've got to look at a strategy where your solutions are providing the intelligence to each other. They are providing the right context because prioritization is not good enough anymore, right? You have to have solutions that put you on a path and enable you to do rapid remediation.

Now, uh you know, one of the other things I wanted to flash is that, you know, we have been sort of doing this for a little over six years now and having, you know, having done this for this long, it gives you a lot of sort of battle tested feedback. So in terms of, you know, whether it's a trillion flow logs that we ingest every day and we run our models on or 13 million plus containers that we protect today and which gives us deep insight into the different malware, crypto miners or vulnerability exploits that are happening or whether it's 2 million plus IAM permissions that give us a lot of understanding, like we've, you know, we've been around the block and done this for a while to know sort of what kind of solutions will really help you in, in reducing your risk and stopping breaches in the future.

So with that, thank you very much. Please stop by the Palo Alto booth, booth 832, and you can see a demo of any of these capabilities as live production that I talked about. Thank you.
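
The following is an added example, not part of the talk and not Prisma Cloud code. It works through two ideas the talk describes: the vulnerability funnel (critical or high, then exploitable, then patchable, then in use at runtime) and the stitching of atomic findings into one attack path that traces back to a source repository. All asset names, field names and CVE identifiers are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str               # constructed placeholder identifier
    severity: str          # "critical" | "high" | "medium" | "low"
    exploitable: bool      # a known exploit exists
    patch_available: bool  # a fixed version exists
    package: str
    asset: str             # name of the workload the finding is on


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    misconfigured: bool
    iam_role: str
    loaded_packages: frozenset  # packages actually in use at runtime
    source_repo: str            # where a code fix would be made


# Constructed sample inventory (hypothetical names throughout).
ASSETS = [
    Asset("web-1", True, True, "app-admin", frozenset({"log-lib"}), "repos/payments"),
    Asset("batch-1", False, False, "batch-read", frozenset({"img-lib"}), "repos/catalog"),
    Asset("web-2", True, False, "web-min", frozenset({"http-lib"}), "repos/cart"),
]
ROLES = {
    "app-admin": {"overly_permissive": True, "buckets": ["customer-data"]},
    "batch-read": {"overly_permissive": False, "buckets": ["public-assets"]},
    "web-min": {"overly_permissive": False, "buckets": []},
}
BUCKETS = {"customer-data": {"sensitive": True}, "public-assets": {"sensitive": False}}
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "critical", True, True, "log-lib", "web-1"),
    Finding("CVE-EXAMPLE-0002", "high", True, True, "xml-lib", "web-1"),
    Finding("CVE-EXAMPLE-0003", "critical", True, False, "img-lib", "batch-1"),
    Finding("CVE-EXAMPLE-0004", "high", False, True, "http-lib", "web-2"),
    Finding("CVE-EXAMPLE-0005", "medium", True, True, "http-lib", "web-2"),
    Finding("CVE-EXAMPLE-0006", "critical", True, True, "img-lib", "batch-1"),
]


def funnel(findings, assets):
    """Apply the four filters in order; return per-stage counts and survivors."""
    by_name = {a.name: a for a in assets}
    stages = [
        ("critical_or_high", lambda f: f.severity in ("critical", "high")),
        ("exploitable", lambda f: f.exploitable),
        ("patchable", lambda f: f.patch_available),
        ("in_use_at_runtime",
         lambda f: f.package in by_name[f.asset].loaded_packages),
    ]
    counts = {"all": len(findings)}
    remaining = list(findings)
    for name, keep in stages:
        remaining = [f for f in remaining if keep(f)]
        counts[name] = len(remaining)
    return counts, remaining


def attack_paths(assets, findings, roles, buckets):
    """Stitch exposure + critical CVE + misconfig + permissive role + sensitive data."""
    paths = []
    for a in assets:
        if not (a.internet_exposed and a.misconfigured):
            continue
        role = roles.get(a.iam_role, {})
        if not role.get("overly_permissive"):
            continue
        critical = [f.cve for f in findings
                    if f.asset == a.name and f.severity == "critical"]
        sensitive = [b for b in role.get("buckets", [])
                     if buckets.get(b, {}).get("sensitive")]
        for cve in critical:
            for bucket in sensitive:
                paths.append({"asset": a.name, "cve": cve, "role": a.iam_role,
                              "bucket": bucket, "fix_in_code": a.source_repo})
    return paths


if __name__ == "__main__":
    counts, urgent = funnel(FINDINGS, ASSETS)
    print(counts)
    print([f.cve for f in urgent])
    for p in attack_paths(ASSETS, FINDINGS, ROLES, BUCKETS):
        print(p)
```

Six constructed findings narrow to two that are worth fixing first, and only one asset combines every condition of the attack path, which is the reduction from many alerts to a few actionable items that the talk describes.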
