CyberWire Daily - What’s a CNAPP: Cloud-Native Application Protection Platform? [CyberWire-X]

Episode Date: February 19, 2024

In this episode of CyberWire-X, N2K’s CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Tim Miller, Technical Marketing Engineer for Panoptica, Cisco's Cloud Application Security solution (Panoptica is the result of Cisco's incubation engine (Outshift) for new products and markets), and Kevin Ford, Esri’s CISO. They discuss the need for complexity reduction that Cloud-Native Application Protection Platforms (CNAPPs) address. Outshift by Cisco is our CyberWire-X episode sponsor. To learn more about Cloud-Native Application Protection Platforms, check out Panoptica’s website at https://panoptica.app and consider attending Cisco Live EMEA in Amsterdam, February 5-8, 2024.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey, everyone. Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, N2K's Chief Security Officer and the CyberWire's Chief Analyst and Senior Fellow. And today, we're talking about CNAPPs, Cloud-Native Application Protection Platforms. And that is a mouthful. After the break, we'll take a deep-dive look at this relatively new complexity reduction tool and why you should consider deploying one. Come right back.
Starting point is 00:01:01 Panoptica, Cisco's cloud application security solution, provides end-to-end lifecycle protection for cloud-native application environments. It empowers organizations to safeguard their APIs, serverless functions, containers, and Kubernetes environments. Panoptica ensures comprehensive cloud security, compliance, and monitoring at scale, offering deep visibility, contextual risk assessments, and actionable remediation insights for all of your cloud assets. Get more information on Panoptica's website, panoptica.app. Today at the CyberWire Hash Table, I'm joined by Tim Miller, the technical marketing engineer at Panoptica, Cisco's cloud application security solution, discovered and acquired by their new products and markets incubation engine called Outshift just last year, and Kevin Ford, the CISO at Esri, and a veteran Hash Table discussion member. I started out by asking Tim to give a high-level description of what these CNAPPs are and how they might be useful. When we deploy our cloud-native apps in the cloud, you know, we've got
Starting point is 00:02:23 all these different layers that we have to prepare before we even, you know, start running that application. Deploying cloud accounts, configuring them, giving the access, the network topology. You know, if I'm using AWS terminology, VPCs have to be constructed, subnets, the whole kit and caboodle, all the way up to actually then the services that we're going to consume, building a Kubernetes cluster and such. So all of those things have settings, all of those things have security concerns, and so a CNAPP platform is designed to look at every single layer that goes into building your application, including the build process. So the expression we see in Gartner all the time is code to cloud, right? So it's literally from when developers are writing the code
Starting point is 00:03:11 to how you're deploying and operating and monitoring it in the cloud. So when I first started thinking about this topic, I was thinking a CNAPP is just another version of a firewall, but that's not really what it is at all, is it? It's not doing protection. Is it more just configuration management? Is that it? That's certainly where the industry started.
Starting point is 00:03:31 And I'd say up until the past year, yeah, it's been primarily focused, I'll say, on posture assessments, pulling down all those configs, doing posture assessment from seven different ways to Sunday, as the expression goes, right? But recently, detection and response has gotten a lot of traction in this space as well. So now we're going beyond just how it's configured and daily scans using what we would call in the industry an agentless approach to actually needing to start building in agents, deploying agents, and instrumenting the cloud platforms, the services, and getting telemetry from them so we can detect incidents going on. So, Kevin, you've been a CISO of a company called ERSI. Is that how you pronounce it?
Starting point is 00:04:17 ESRI. Environmental Systems Research Institute. Yeah. ESRI. That's the reason I asked, man. And you've been there for almost three years now. And according to the website, you guys build geographic information system software for location intelligence and mapping, something the marketing people call the science of where, which I just love. What a great tagline that is. And you guys have been deploying these CNAPP platforms for a while. So can you give us a sense of how you guys are deployed architecturally without giving any details away?
Starting point is 00:04:51 And then how these kinds of platforms benefit you guys and why you like them so much? Sure, yeah. So I think to understand this CNAPP space, you kind of have to understand where we've been a little bit historically with the cloud. If you look back a decade or more ago, we were kind of in cloud architectures that resembled more of a data center in the cloud with virtualization. But as we moved forward and started to develop and adopt cloud-native solutions, things like APIs, containerization, Docker containers, that sort of thing, we needed new types of security software to secure all of that. So, you know, a CNAPP is kind of a collection of a lot of different capabilities associated with securing these cloud-native applications that we use to build our products,
Starting point is 00:05:43 to build our corporate environment, those sorts of things. And so we use them largely for container security, looking at container workloads, making sure those are secure. We use them to help understand the posture of our clouds, how the network is deployed, how the various aspects of each of our cloud environments are deployed. And it's actually really helpful also to cross the bridges between our multi-cloud environments, right?
Starting point is 00:06:19 So where in the past we were using potentially vendor-specific tools, for instance, the tools that AWS comes with or the tools that Azure comes with, now we can use a CNAPP platform to bring that all under one pane of glass. And that's also been very effective for us. That's what I was going to ask. And that's the kind of marketing line for these things, is that you can use one platform and configure multiple cloud environments. But is it really that easy, Kevin? I mean, I want to configure a container in AWS.
Starting point is 00:06:51 I also want to configure a container, security-wise, you know, in Azure, let's say. Okay. Is it really just use the CNAPP and it knows how to configure those things in those environments? Yeah, it's not exactly that easy, right? If it was, they'd be selling these like hotcakes. There is some work that needs to go into integrating all of this, but we're talking about a tremendously large suite of capabilities that these things have. Where we were looking at separate tools in the past for, you know, container security,
Starting point is 00:07:27 for endpoint detection and response in the cloud, for virtualized things, for entitlement management, you know, and understanding our access model. You know, all of this stuff can be done with a CNAPP. And I would hate to say that we're using every aspect of a CNAPP, right? There are certainly things that we still do
Starting point is 00:07:49 in different technologies, but more and more, I think we find ourselves moving into the CNAPP world and trying to centrally manage it. Tim, it feels like this is a platform that kind of bridges the gap between manual configuration that we all used to love to do and some sort of automatic CI/CD pipeline that the IT guys like to do. This platform allows us to automate some of the things that we would screw up if we had to do them over and over again manually.
Starting point is 00:08:21 Am I wrong about that? Is that the right way to say that? No, that is the right way to say it, especially on the code side of that code to cloud, right? So we need to instrument those pipelines so that these tests are automated. And so these CNAPP platforms have that capability of running security tests as part of a pull request,
Starting point is 00:08:42 a merge event, for example, or whenever the day's over and they're just committing their code before they log out at night. So all of these tests can be triggered, and there's a whole suite of these tests from things like linting, for example, to make sure it meets certain code standards and you're doing best practice from a software editing, for lack of a better phrase, a software editing
Starting point is 00:09:05 perspective, all the way through actually identifying security problems. Some of these things embed into their integrated development environments, their IDEs, and then some of them are just in the source code management platforms where they check in the code. So it's really all about getting that automation. And then, of course, to Kevin's point, aggregating that information up into a central platform that then the security teams have the breadth of information and the developers can access it too, right?
Starting point is 00:09:36 They have this breadth of information about their holistic security posture across that entire spectrum of stack, you know, that entire stack that defines their application. So, Kevin, let me drill down on that a bit, right? So, can we use these CNAPP platforms as like an intelligence platform? Because you're connecting to all these applications in the cloud. I'm collecting telemetry, let's say, like we used to do in the old days for
Starting point is 00:10:06 the hardware platforms. Can you use it like that? Is that one use case for it? Potentially. You know, I think still probably you're going to be looking, if you're looking at, for instance, threat intelligence, you're still probably going to be looking at piping that into a SIEM.
Starting point is 00:10:30 Now, some of the CNAPP platforms may have kind of a native SIEM-like experience. But if you're a larger organization and you value the business logs and the intelligence from around the business, you're still probably going to be using a central SIEM to evaluate things like workload protection. There is some meaningful data to be gleaned here around uptime and how my cloud load is looking and that sort of thing. It's not a souped-up XDR platform. That's not what this is.
Starting point is 00:10:58 So it's not that. We're not connecting APIs and things. What's the difference between what a CNAPP platform is and an XDR platform? Well, I think the important point, and to key off what Kevin said, is that the CNAPP platform's really focused on cloud-based applications, cloud-native applications. So an organization isn't, there are some, don't get me wrong, but most organizations aren't going to be only in the cloud. They're going to have resources outside of that that really a CNAPP today, who knows where these things are going because they're evolving very quickly. But today, a CNAPP is not going to cover everything.
Starting point is 00:11:37 SIEM is a great example of that, right? There's a whole lot of telemetry from other parts of the business that need to go into the SIEM perspective and get the rich intelligence a SIEM can provide, right? CNAPPs certainly feed into that, but they're not going to be your end-all be-all CNAPP destination, primarily because there's also a crap ton of data in there, right? So most of these CNAPPs are SaaS-based offerings, and you're going to struggle to find most of the CNAPP vendors hosting that much data. In fact, I'd like to say most of us try and shy away from storing as much customer-specific data in the cloud, because then we become the targets of attack vectors, right? We become an attack vector for your environment. So we like, you know, from
Starting point is 00:12:23 a CNAPP perspective to come in, do whatever intelligence in your cloud environment, right? So when we're doing container scans, for example, we're going to do those container assessments in your environment. So any private access to the registry stays local. You know, any sensitive information that might be on that container that we discover, we're going to flag as being there, but we're not necessarily going to export the raw data and then potentially compromise your account. So all that to say, it's a piece of the puzzle. XDR is certainly something that CNAPP platforms can export to or be a part of as well. I know my particular one does, you know, with the
Starting point is 00:13:07 ones that the XDR and SecureX here at Cisco, we're integrating with those kind of platforms and others could too. So Tim, one clarification point, a crap ton of data. Is that the technical term we're using for that? Yeah, it's slightly a larger amount than a truckload versus, you know, a station wagon full of tapes, you know, show my age here, yeah. Kevin, though, I mentioned firewalls at the beginning of this. It feels like when all the firewall vendors went to the cloud and built software firewalls like Cisco and Check Point and Palo Alto Networks and Fortinet and all those guys, it feels like this is something those platforms would eventually do. Is the software firewall merging with a CNAPP platform or are we going to keep these two things separate? Yeah, I don't know that I see the firewall itself merging with the CNAPP platform or things like CASB.
Starting point is 00:14:08 But it is kind of in that same realm of your complete breakfast as far as it's concerned as your cloud security. You're going to want to have those things as well. Now, this is more if you focus kind of at the application stack, trying to push identifying vulnerabilities or even, you know, malware or hidden secrets in your code, in your dependencies, and making sure it doesn't make its way up into the cloud. And then also monitoring the workloads while they're in the cloud, right? And so one of the things you said that actually kind of resonated to me, Tim, is that, yeah, this can potentially be seen as maybe part of a complete XDR solution, right? Particularly when we get into the area of workload protection, workload analysis, that sort of thing, where we're not just looking for configuration issues, but we're actually starting to get into the abilities of, you know, looking at system calls and scrutinizing
Starting point is 00:15:12 those. So it's not just about misconfigurations anymore. We can also start to look at, you know, what our workloads are doing in either serverless or container environments. And that's very important. And that gives us kind of the same lens that we get from more traditional XDR technologies, like EDRs that feed into XDR. These things are Swiss Army knives of capability. They can do lots of things. My personal favorite of this is just the reduction of complexity, especially if you're in a multi-cloud environment. That's what would appeal to me if I was considering buying one of these tools. But what's your favorite thing that a CNAPP does that you think is very valuable? Certainly bringing everything into one, I hate to say it, single pane of glass, right?
Starting point is 00:16:03 Yeah. Bringing all of this information together is certainly key. But honestly, if you don't do it right, if you're not doing more than that, right? I can have 12 different risk engines generating alerts from detection and response to workload protection to vulnerabilities from the pipeline. I could have pages and pages of red. So the goal of a CNAPP is not only just to bring it together, but to bring context to it. So the real promise and the real value is when you're prioritizing these risks, looking at them in their context so that you can identify those things that you need to remediate first
Starting point is 00:16:45 because every one of those risk engines is going to give you a prioritized list from its myopic perspective, right? So CVEs, you know, they have CVSS scores, right? And, you know, they're all 9.8. Well, I won't say they are all, but most of them are 9.8. How do I tell these 10 9.8s from those 10 9.8s, right? And there's products out there that help you to do that from just a vulnerability perspective and some telemetry from the internet. But, you know, if that workload's not public, if it's behind, you know, if it's private access and you've done a whole lot of mitigating controls to make sure nobody can get to it, do I need to make that my first priority, or is the public-facing one the one I need to
Starting point is 00:17:26 mitigate, right? So the real value that CNAPPs bring, especially when you're dealing with attack path analysis, is to look at those in their context and prioritize your risks. And that's really where CNAPPs shine. If they do that attack path analysis right and prioritize it well, then that's gold for a SecOps engineer. So double down on that for me, Tim, because you and I talked about that in the pre-work before we started recording. Explain to me what attack path analysis is in the context of a CNAPP. What does that mean? Sure. To continue that thought of these risk engines, right? I've got all these different things that will do a posture assessment, look at misconfigurations and things like that.
Starting point is 00:18:11 The detection and response will give me alerts from API security. I'm looking at the traffic, looking at the traces that are generated by those REST API calls and getting sensitive data detection and things like that. All these alerts are parts of your application. And really what attack path analysis is about is putting the MITRE ATT&CK framework to work, right? We know there's all these techniques and tactics, right? And so how do I move laterally through an environment? As the owner of that environment, I see it all, right? And so can I use this tool, can I use the CNAPP to look at these misconfigurations and look at the various vulnerabilities and stitch together a path through my environment from public access to, you know, crypto mining?
Starting point is 00:19:03 A CNAPP can find open pathways across the intrusion kill chain that you may not know that you had. Exactly. We know what Panda Bear's attack path is because of the MITRE ATT&CK framework. Does it tell us that you're open to Panda Bear, or are we still waiting for that to happen in a CNAPP environment? So you can write specific queries to look for that particular tag. You have to do that yourself at this point.
Starting point is 00:19:29 Yeah. Right. So you either do it or, you know, the community has written it for, you know, there's popular CNAPPs out there. So there's a body of work that enthusiasts have put out there. Or if your attack path analysis is algorithmic, and you give it kind of the basic framework for that attack, it can find that plus variations of it. So you can do very specific queries and look for that specific thing. And if you've got it,
Starting point is 00:19:59 then you'll find it. But if there's variations to that attack that develop, you're going to miss those until you write those specific queries. And that's where attack path analysis that uses algorithmic or generic query approaches shines, in that it'll not only find what you're specifically looking for, but it knows how to be generic enough from an algorithm perspective to find those things or find variations of it and find things you're not looking for. So, Kevin, do you think there's a world in the future where the vendors will provide, they'll suck in the attack path from, say, Panda Bear and say, hey, you're wide open to this, as opposed to them, customers having to figure out themselves?
Starting point is 00:20:41 Because that's what I would want as a CISO. I want them to, they got the intelligence team. They should be able to tell me that, right? Yeah, I don't know if I think that's where it's going. That's where I hope it's going. That kind of high-level context is really important for a security manager or a CISO. The MITRE ATT&CK framework, and there's one for cloud as well, is a very, very powerful tool for understanding
Starting point is 00:21:07 the stepping stones to getting hacked and making sure that when we talk about shifting left, we're cutting off the ability of an attack as close to the entry point as possible. So, you know, a CNAPP can do a lot of things that can help us understand and identify the steps along the attack path. Things like understanding specific vulnerabilities that a particular threat vector would use. Understanding, I talked a little bit about the posture and infrastructure of my underlying cloud account, how things are engineered, not just within the workloads, but, you know, all the supporting infrastructure and things also like entitlement management, understanding who can get to what from where, right? That can really help you understand what the potential for lateral movement is as well. So there are a lot of handy tools in there that can help with that cloud attack framework and evaluating that. I would love to see a company put together an attack map, something that's more of a stepping stone chart that I could bring the CEO in or CIO in, point and say, hey, you know, this is where we have an issue. So the attacker can walk across
Starting point is 00:22:25 this path and this path, but, you know, we've blocked this path and they can't go anywhere. That's always been my dream to be able to just kind of show that. So I think there are a lot of tools in a CNAPP that can help us illustrate that. But I'd love to actually see a company put one of those together as a visual. It would be pretty cool. The last time I checked the MITRE ATT&CK framework, there were about 150 active campaigns that they're tracking, mostly nation state. They don't really track criminal groups that well, but if you talk to Microsoft or you talk to anybody else, like the FBI, they think there's about 100 active cybercrime groups. So if we could have built into the CNAPP all those attack paths and let it tell us that, hey, you guys are open to 25 of these attacks, that would be very useful, I think. Right? So that's my dream too,
Starting point is 00:23:18 Kevin. That's what I'd love to see. Tim, since ChatGPT first came out at the end of 2022, we broadcast out of the state of Maryland. And by Maryland state law, we're not allowed to even record a podcast unless we talk about the implications of large language models, machine learning, and the future of AI. So where do you see all that fitting into the CNAPP platform? Well, the first easy step, I think, is because there's so much capability in there, so many of those risk engines that feed data in, custom reporting is hard to do, right? Some vendors are doing fairly well at it,
Starting point is 00:24:00 some not so much, but I think that is probably the easiest benefit. And we see that already coming out. You know, we're going to announce something here soon. Competitors have as well. So the ability to basically have an AI bot to help me navigate the platform, right? Doing simple things like show me, you know, the five latest, you know, vulnerabilities that showed up in my, you know, in my environment overnight. Yeah. So that nice AI bot type of ChatOps approach to your platform, except backed by natural language processing, right? You know, the whole benefit of, you know,
Starting point is 00:24:39 conversational interactions with my CNAPP platform. Yeah, not a Terminator sentient being, but the large language models will help us navigate the CNAPP platform more efficiently. Is that what you're saying? More humorously, call it the C-3PO of AI, right? So it'll be this nice little bot to help you navigate all the different aspects of your platform.
Starting point is 00:25:03 Kevin, what's your take on this? You have to weigh in on the AI discussion. So what do you think? Yeah, it seems like I'm always talking about AI these days. Yeah, within security tools, not just within CNAPPs, we're starting to see the emergence of AI bots, and exactly the way Tim described it is they're kind of helpers for a particular suite of tools.
Starting point is 00:25:27 And so they're of, I would say, of mixed effectiveness. It depends on what your organizational security workflow is. If you have analysts working directly in those tool sets, it can be very helpful. But if you're a large organization or an organization that generally relies on SIEM tools, you know, you have multiple of those sorts of suites of tools, right? And so that becomes kind of less helpful. That doesn't mean it's not a value add for the product. You can, you know, if you see something in a SIEM tool and decide to go under the hood with any one of these, you know, particular security tools, you can use that AI to
Starting point is 00:26:06 help an analyst who is generally someone who, you know, sits in the SIEM tool level, understand what they're looking for in that deeper security tool level. So, it just really depends on your workflow and, like I said, how you interact with the security tools. So, guys, we're getting to the end of this. If you could give the audience one takeaway about why they should be using a CNAPP platform, let's say, what would it be? I would say that the easiest takeaway here
Starting point is 00:26:37 is that there's far too much complexity in deploying just a single web service to a cloud. I mean, just you're dealing with, at the bare minimum, a dozen different services you have to configure. And that's the most basic application you can deploy. And quite frequently, we see hundreds, you know, just when I deploy a Kubernetes cluster, my list has 35 different services that go into deploying a Kubernetes service. It's extremely complex. It's too much for a single human or a team of humans to keep in mind
Starting point is 00:27:10 all the different ways that I can move laterally through that system. So you have to have it. It's table stakes for operating applications in the cloud. So it does a lot of things, but probably the number one, according to you, Tim, is it's a complexity reducer. I'll just give that the Twitter line, all right? How about you, Kevin? Man, I'm just going to jump on what Tim said to begin with.
Starting point is 00:27:33 Yeah, reducing complexity, that's huge for us. You know, being able to use a tool to essentially manage all this is a really big step in the right direction. I'll also say that before CNAPP was coined as a term, a lot of these functionalities existed. They're just kind of getting packaged into this larger CNAPP suite. So if you're someone who's cost-conscious, which I think all of us are, bundle and save.
Starting point is 00:28:02 Get yourself a CNAPP. Don't buy all these things individually. We're seeing that consolidation happening. All the vendors are acquiring different startups to build out that portfolio because data security is a big one where we're seeing acquisitions happen in 2023. So yeah, it's a growing space and you're just going to see that functionality continue to consolidate in a CNAPP platform.
Starting point is 00:28:31 I used to be one of those guys, you know, that I'd always want the very best tool, the shiny object. Let me have a thousand of those things. But as I've gotten older, I don't have the energy to manage that. So give me something easy. It may not be the best tool, but at least it gets the job done. And like you said, the complexity is a lot lower, right? So I appreciate that. Well, I have learned a lot about CNAPPs, more than I did before we started this program.
Starting point is 00:28:54 So I appreciate you guys coming on and helping this. But before I let you go, I always like to give the audience, point them in the direction of good content. Anything interesting you've been reading, Tim, that you want to point people to? I've been catching up on all the state of affairs for 2023. Because it's the end of the year and new year. Yeah, yeah, yeah. Yes, that's right.
Starting point is 00:29:16 And so the GitLab State of DevSecOps was a very interesting read, specifically about how AI is helping software development. There's a lot of interesting insights in there. Perfect. How about you, Kevin? Yeah, if you're a federal contractor, you should be aware of the new CMMC proposed rule is out. So if you want to dig through hundreds of pages of legalese, do that. But we talked a lot about the MITRE ATT&CK framework, and I'm a big fan of that, as you can probably tell.
Starting point is 00:29:50 And so something I've been digging through recently is the MITRE ATT&CK evaluations around different security tools. It's a pretty nice site they put together, and then you can actually go and find some real neat third-party dashboards also. So something probably every CISO should be aware of. I've been reading Andy Greenberg's Tracers in the Dark book, probably the best cybercrime book I've read in the last decade. And it pretty much blows away any idea that we had that crypto stuff was anonymous. The good guys know how to break all that. I'll just
Starting point is 00:30:22 say that. And it's a fabulous story. So everybody should go out and read Tracers in the Dark. Well, boys, we did a good job here. Thanks for coming on the show. And we'll talk to you all later. We'd like to thank Tim Miller, the technical marketing engineer at Panoptica, Cisco's cloud application security solution, and Kevin Ford, the CISO at Esri, for helping us get our arms around this relatively new security tool that might help you reduce the complexity within your security stack. And we'd like to thank Panoptica for sponsoring the show. Finally, to learn more about cloud-native application protection platforms, consider attending the Cisco Live
Starting point is 00:31:05 EMEA conference in Amsterdam in just a few weeks, February 5 through 8. The conference URL is in the show notes. This has been a production of the CyberWire and N2K, and we feel privileged that podcasts like CyberWire-X are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
Starting point is 00:31:49 Our senior producer is Jennifer Eiben. Our sound engineer is Trey Hester. And I'm Rick Howard. Thanks for listening.
