4 Comments

Amazing summary. Totally agree on ASPM + CADR (ideally both at runtime).

To address your last paragraph, I personally believe that the people who are obsessed with CNAPP often don't fully understand insecure code (or any code) and that with port 443 wide open inviting attackers in the front door, there's insecure code waiting to be exploited on the other end ... it's the path of least resistance and the most challenging to fix (partly because it involves developers getting involved). Why else would the Verizon DBIR indicate in 2023 that 80% of security incidents involve insecure software?

You have a blog post written on CADR, is CADR like XDR again? Because XDR was this snake oil where you took a log event from a firewall, from a cloud and tried to link them together which makes 0 sense. Is CADR the same, where you take a log event from CDR, ADR and combine them? This would never work. A cloud event is different from an application event

Most of the value is connecting the application context with the workload context, both can be done with eBPF - for example, tools like Oligo or Raven showing if a library is trying to execute code, or ARMO or Upwind showing the API call that triggered a specific process.

The cloud layer works because we can also know what roles are attached to those workloads, and watch for anomalous access patterns that are pretty easily identifiable, such as creating a new IAM account. So whereas the firewall and workload were linking logs together which I agree doesn't work because the telemetry is too dispersed, with cloud roles and the workloads using them I believe we can see all of these connections well enough to establish a complete picture.
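
The role-to-workload correlation described in this comment, as an added example that is neither the commenter's nor any vendor's code: CloudTrail-style IAM events are joined to the workload behind the assumed role (via the sessionIssuer ARN), so that an application role creating an IAM user surfaces as one finding rather than a bare cloud log line. The role-to-workload mapping, role names and sample events are all constructed.

```python
# Constructed: role ARN -> workload, as a CADR tool would derive it from the
# instance profile or the pod's service-account binding (assumed names).
WORKLOAD_ROLES = {
    "arn:aws:iam::123456789012:role/payments-api": "pod payments-api (ns shop)",
    "arn:aws:iam::123456789012:role/image-resizer": "lambda image-resizer",
}
# IAM actions an application workload has no business performing.
SUSPICIOUS_IAM_ACTIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                          "AttachUserPolicy", "PutUserPolicy"}

def _assumed(role_arn):
    # userIdentity shape CloudTrail uses for AssumedRole principals; the role
    # behind the session lives in sessionContext.sessionIssuer.arn.
    return {"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"arn": role_arn}}}

# Constructed sample events: a normal S3 read, an IAM user created from a
# workload role (should fire), and one created by a human admin (out of scope).
PAYMENTS_ROLE = "arn:aws:iam::123456789012:role/payments-api"
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": _assumed(PAYMENTS_ROLE)},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": _assumed(PAYMENTS_ROLE)},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

def role_arn_of(event):
    # Return the IAM role behind an AssumedRole principal, else None.
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def correlate(events, roles=WORKLOAD_ROLES):
    # Flag suspicious IAM actions whose calling role belongs to a workload.
    # Each finding is (action, role_arn, workload).
    findings = []
    for ev in events:
        if (ev.get("eventSource") == "iam.amazonaws.com"
                and ev.get("eventName") in SUSPICIOUS_IAM_ACTIONS):
            role = role_arn_of(ev)
            if role in roles:  # human/admin principals need a separate rule
                findings.append((ev["eventName"], role, roles[role]))
    return findings
```

Feeding real CloudTrail records into `correlate` only requires the same `eventName`, `eventSource` and `userIdentity` fields the sample events carry.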

Google’s decision to acquire Wiz for $30 billion seems like a questionable move. Wiz was a strong choice for CSPM (Cloud Security Posture Management) when it first emerged, especially with its security graph for risk analysis. However, in today’s market, most vendors have integrated CSPM with similar graph-based capabilities, making such a high valuation hard to justify.

We initially chose Wiz because we operated in a multi-cloud environment (AWS & Azure), but managing two clouds became impractical due to complexities in billing, architecture, and operations. As a result, we consolidated on Azure and transitioned to using Microsoft Defender, which is native to the platform, ultimately replacing Wiz.

That said, CSPM remains important for cloud customers. Our SOC, for instance, still struggles with handling runtime security events in the cloud compared to traditional on-prem app firewalls. However, while CSPM is valuable, paying $30 billion for a single vendor in this space seems excessive.