Hey James, How can we bring together Platform Security engineers and Secops? Traditionally the two personas operate in silos. This makes threat investigation and forensics difficult. I would love to hear how to integrate runtime threat detection in CNAPP products to provide value to CNAPP consumers. Is this through more context and correlation, or do we need to think of new workflows in CNAPP?
That's a huge challenge because on the runtime side especially there's normally a giant technical gap between a junior SOC analyst and a platform engineer. That's why I view it as a huge priority for these runtime cloud providers (what I call CADR) to provide enough context to allow those two people to have a meaningful conversation with one another.
It's also why I'm generally anti-CNAPP; for cloud native architecture I think ASPM (all the code) and CADR (all the runtime) enable the best conversations to be had!
I struggle to differentiate CADR from CWPP. What should the workflows be between ASPM and CADR/CWPP? Is it adding context (through correlation of cloud workload threats) to CSPM/Asset Inventory for risk prioritization, including remediation (Terraform/Helm file updates)? How should we view CADR in conjunction with posture and risk prioritization to enable platform security engineers and app developers?
I think part of the challenge with CWPP has been that the context is very isolated - for example alerting that a new process started on a container. It's almost impossible for anyone to figure out by itself if that was malicious or not. So to me, CDR should be adding the cloud context into CWPP (like what Wiz Defend has done), and CADR is adding application context. So instead of "this process started" it might be "there was a command injection on this service which led to a process starting which then scraped AWS credentials".
That runtime data should also fit into the ASPM picture, as it has data on what functions are executing, which can help prioritize if a vulnerability is actually exploitable in your environment or not.
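The two ideas in the reply above (turning an isolated "process started" event into a request-to-credential-access narrative, and using the same runtime data to tell which vulnerable functions actually execute) can be sketched in a few lines. This is an added example written for this page, not code from the thread or from any vendor mentioned in it; every event, request id, pod name, function name and vulnerability id below is constructed, and the event schema is an assumption.

```python
"""Constructed example: correlating runtime events by request id (CADR-style)
versus reporting them in isolation (CWPP-style), plus reachability-based
vulnerability ranking from the same telemetry. Not from the original thread."""

# Constructed telemetry for one pod. A request id (hypothetical field) ties
# application, process and network events from the same request together.
EVENTS = [
    {"ts": 1, "type": "http_request", "service": "orders-api", "pod": "orders-7d9",
     "req_id": "r-42", "path": "/export", "param": "file", "value": "report.csv; id"},
    {"ts": 2, "type": "func_exec", "pod": "orders-7d9", "req_id": "r-42",
     "function": "export.run_report"},
    {"ts": 3, "type": "process_start", "pod": "orders-7d9", "req_id": "r-42",
     "parent": "python", "exe": "/bin/sh"},
    {"ts": 4, "type": "process_start", "pod": "orders-7d9", "req_id": "r-42",
     "parent": "sh", "exe": "/usr/bin/curl"},
    {"ts": 5, "type": "net_connect", "pod": "orders-7d9", "req_id": "r-42",
     "dst": "169.254.169.254", "port": 80},
    # Unrelated benign activity on the same pod.
    {"ts": 6, "type": "func_exec", "pod": "orders-7d9", "req_id": "r-43",
     "function": "orders.list"},
    {"ts": 7, "type": "process_start", "pod": "orders-7d9", "req_id": None,
     "parent": "python", "exe": "/usr/bin/gzip"},
]

SHELL_META = set(";|&`$")          # characters that suggest injected shell syntax
METADATA_IP = "169.254.169.254"    # cloud instance metadata service (credential source)


def cwpp_view(events):
    """Isolated workload alerts: one line per process start, no context."""
    return [f"process started: {e['exe']} in {e['pod']}"
            for e in events if e["type"] == "process_start"]


def correlate(events):
    """Application-aware alerts: stitch events that share a request id into a
    narrative, and only alert when the whole chain is present."""
    by_req = {}
    for e in events:
        if e.get("req_id"):
            by_req.setdefault(e["req_id"], []).append(e)

    alerts = []
    for chain in by_req.values():
        chain.sort(key=lambda e: e["ts"])
        req = next((e for e in chain if e["type"] == "http_request"), None)
        injected = req is not None and any(c in req["value"] for c in SHELL_META)
        shell = next((e for e in chain if e["type"] == "process_start"
                      and e["exe"].endswith("/sh")), None)
        meta = next((e for e in chain if e["type"] == "net_connect"
                     and e["dst"] == METADATA_IP), None)
        if injected and shell and meta:
            alerts.append(
                f"command injection on {req['service']} "
                f"({req['path']}?{req['param']}=...) spawned {shell['exe']} "
                f"which then contacted the instance metadata service "
                f"({meta['dst']}) - possible credential theft")
    return alerts


# Constructed findings: each maps to the function where the vulnerable code lives.
VULNS = [
    {"id": "VULN-A", "function": "export.run_report", "severity": "high"},
    {"id": "VULN-B", "function": "legacy.import_xml", "severity": "critical"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def prioritize(vulns, events):
    """Rank findings by whether runtime ever saw the affected function execute,
    then by severity. Returns (id, observed_at_runtime) pairs."""
    executed = {e["function"] for e in events if e["type"] == "func_exec"}
    ranked = sorted(vulns, key=lambda v: (v["function"] not in executed,
                                          SEVERITY_RANK[v["severity"]]))
    return [(v["id"], v["function"] in executed) for v in ranked]


if __name__ == "__main__":
    print("CWPP view:", *cwpp_view(EVENTS), sep="\n  ")
    print("Correlated:", *correlate(EVENTS), sep="\n  ")
    print("Prioritized:", prioritize(EVENTS and VULNS, EVENTS))
```

The isolated view produces three "process started" lines, including the harmless gzip, that nobody can triage on their own. The correlated view emits a single alert only when the request shows injected shell syntax, a shell was spawned from the app runtime, and that request's activity reached the metadata service. The ranking puts the high-severity finding in a function that actually ran ahead of the critical one in code that never executed, which is the reachability argument made above.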
Of the pure-play runtime vendors, which would top your list? We've had the unfortunate experience of being on CrowdStrike's cloud SKU since '21 and it's been horrible. We adopted it mostly for runtime given our MDR engagement with the Complete team. We're actively exploring Orca and Wiz at the moment for CNAPP and mid-POC the Defend product dropped. It's a bit too early for me to consider given the recent release (v1), but your article did make me think more about exploring a pure-play runtime vendor.
Hey Chris, happy to talk about it in more detail if it's helpful because it's so architecture and team dependent and my hands on time is pretty varied: https://app.lemcal.com/@jamesberthoty/looking-for-product?back=1
But in general the ones most competitive here are: Armo, Upwind, Sweet, Sysdig, and Aqua. Spyderbat and Operant are also good, but more strictly focused on the runtime without the infrastructure part.
At Aqua we were the first to have an agent to protect Windows containers - since 2016(!) - and we still have it, and it obviously also works on Windows servers that don't run containers. So no, Sysdig and Sweet are not the only ones to have Windows agents.
https://www.aquasec.com/news/aqua-security-announces-support-windows-2016-containers/
I updated it, the Twistlock agent (according to docs) only supports Windows containers and not hosts for what it's worth.