Frédéric Pillet: LACEWORK, from code to cloud
With a background in computer engineering, Frédéric Pillet is passionate about new technologies and innovative approaches such as DevOps and zero trust. A former employee of Dynatrace and Splunk, he recently joined Lacework, attracted by the new perspectives its solution opens up for cloud security.
Cloud security and its challenges
Contrary to what one might think, the subject of cloud security is not entirely the responsibility of the security team.
Indeed, right from the introduction to his presentation on cloud security issues, Frédéric sets the tone by drawing a clear line between what we already know about security and the still-emerging field of cloud security.
First, the risks differ: the attack surface is extensive, constantly evolving, and not always immediately apparent.
What matters is controlling and reducing exposure within your cloud infrastructure.
Next, the context: a security team, often small, faces a multitude of risks while constantly trying to decide where to focus its efforts. The goal is not to pile problem upon problem but to unify tools and methods.
Then, cost: the desire to spend less in a "dollar-hungry" environment while simplifying the daily lives of teams through consolidation, which in turn tends to make security more robust and sustainable.
Collaboration, too: cloud security is a team sport, and going it alone is a big mistake. The security team is not the cloud expert, so it has to fight with the right weapons. The cloud brings a great deal of automation and lets controls move upstream without slowing developers down (security scans integrated into the pipelines).
Finally, detection: it is impossible to cover every risk, and every company will inevitably be attacked at some point. Behavioral analysis is therefore essential in this type of environment.
Covering all security needs
From build to run, several needs stand out:
Code security: identifying all assets and detecting misconfigurations, compliance violations, and code vulnerabilities at the integration stage.
Vulnerability management: the core mission of discovering vulnerabilities in hosts and containers, from design through to runtime.
Security posture: risk assessment that inventories all assets and detects misconfigurations and compliance violations through multi-cloud monitoring.
Threat detection: spotting malicious behavior by continuously analyzing the behavior of every user and cloud entity (machine learning).
LACEWORK Solution
From the outset of the LACEWORK solution presentation, we quickly understand that it is positioned as a response to the vulnerability management challenge through a CNAPP (Cloud Native Application Protection Platform) approach.
The goal is to bring clarity to vulnerability visibility and management, and to fix the riskiest vulnerabilities as early as possible in the delivery chain (shift-left approach).
CNAPP, CWPP & CSPM
Frédéric's demonstration walks us through a use case that scans an Infrastructure as Code project and its workloads (hosts, Kubernetes nodes, containers) for vulnerabilities, introducing the CWPP (Cloud Workload Protection Platform) feature.
A dashboard summarizing the scan results clearly highlights the areas of concern (high-severity vulnerabilities, CVSS score, risk management). On the one hand, vulnerability noise is reduced by correlating findings with cloud data; on the other, risks are identified and explained by combining public and commercial vulnerability data sources.
This combination produces an explanatory, educational text on the criteria identified, answering the first questions management will ask: What is the vulnerability? How do I fix it?
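To make the "cloud data correlation" step concrete, here is an added example (an illustration written for this write-up, not Lacework code or its Polygraph engine) that ranks scanner findings by combining the CVSS base score with runtime and cloud context: whether the host is internet-exposed, whether the vulnerable package is actually loaded by a running process, and whether the workload is privileged. The assets, packages, weights and placeholder CVE identifiers are all constructed for the example.

```python
"""Risk-based prioritisation of vulnerability findings.

Added example, not Lacework code: it shows how correlating raw scanner
output with cloud context (internet exposure, whether the vulnerable
package is actually loaded by a running process, privilege level)
separates the findings that matter from the noise. The weights and all
sample data are constructed for the illustration; CVE identifiers are
placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str          # host or container the scanner reported on
    cve: str            # placeholder identifier
    cvss: float         # CVSS base score, 0-10
    package: str        # vulnerable package
    fix_available: bool


@dataclass(frozen=True)
class CloudContext:
    internet_exposed: bool       # public IP plus permissive security group
    active_packages: frozenset   # packages loaded by running processes
    privileged: bool             # root / privileged container


def priority_score(finding: Finding, ctx: CloudContext) -> float:
    """Start from the CVSS base score, then scale by runtime and cloud context.

    A CVE in a package that no process ever loads, on an isolated and
    unprivileged workload, is real but not urgent; the same CVE on an
    internet-facing privileged host is. The weights are assumptions.
    """
    score = finding.cvss
    if finding.package not in ctx.active_packages:
        score *= 0.3          # installed but never executed: mostly noise
    if ctx.internet_exposed:
        score *= 1.5          # reachable by anyone on the internet
    if ctx.privileged:
        score *= 1.2          # exploitation hands over root straight away
    if not finding.fix_available:
        score *= 0.8          # nothing to ship yet: track, do not page
    return round(min(score, 10.0), 2)


def prioritise(findings, contexts):
    """Return findings ranked from most to least urgent as (score, finding)."""
    ranked = [(priority_score(f, contexts[f.asset]), f) for f in findings]
    ranked.sort(key=lambda item: (-item[0], item[1].cve))
    return ranked


# Constructed sample data: hypothetical assets and placeholder CVE ids.
CONTEXTS = {
    "web-01": CloudContext(internet_exposed=True,
                           active_packages=frozenset({"openssl", "nginx"}),
                           privileged=False),
    "batch-07": CloudContext(internet_exposed=False,
                             active_packages=frozenset({"python3"}),
                             privileged=True),
}

FINDINGS = [
    Finding("web-01",   "CVE-0000-0001", 9.8, "openssl", True),
    Finding("web-01",   "CVE-0000-0002", 7.0, "libxml2", True),   # never loaded
    Finding("batch-07", "CVE-0000-0003", 8.1, "python3", False),
    Finding("batch-07", "CVE-0000-0004", 5.3, "curl", True),      # never loaded
]

if __name__ == "__main__":
    for score, f in prioritise(FINDINGS, CONTEXTS):
        print(f"{score:5.2f}  {f.asset:9s} {f.cve}  {f.package}")
```

Run it and the internet-facing openssl finding lands at the top, while the unloaded libxml2 package on the same host, despite a CVSS of 7.0, drops below the privileged batch host's python3 finding: this is the kind of noise reduction a dashboard applies before a human reads the list. The weights are the part to argue about; the point is that these inputs already exist in a cloud environment and are cheap to join.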
Beyond vulnerability management, the dashboard also displays alerts on the security posture of our accounts at the cloud provider.
The solution lets us define a desired state for cloud security as a list of best practices (no S3 bucket open to public access, no sign-in to an AWS account as the root user, etc.) and examines the cloud provider's log data in order to flag any deviation from it.
This is known as CSPM (Cloud Security Posture Management), which brings a host of benefits: greater visibility into security risks, improved regulatory compliance (GDPR, HIPAA, etc.), risk reduction, and better collaboration between security and operations teams thanks to a centralized platform.
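As an added illustration of what a desired-state definition and a log-deviation check look like in practice (an example written for this write-up, not Lacework code), the two best practices named above are expressed as code: a configuration check that decides whether an S3 bucket is publicly reachable, honouring S3 Block Public Access, and an audit-log check that flags any activity by the root identity. The bucket descriptions and CloudTrail-style events are constructed; their field names follow the AWS S3 API and CloudTrail formats but they are not real account data.

```python
"""Two cloud posture checks written out, as an added example (not Lacework code).

The first is a desired-state check against S3 bucket configuration (is the
bucket reachable by the public?); the second is a deviation check against
CloudTrail-style audit events (was the account's root identity used?).
Bucket descriptions and events are constructed for the example; they use
the field names of the AWS S3 API and CloudTrail but are not real data.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})


def bucket_is_public(bucket: dict) -> bool:
    """True if a public ACL grant or a public bucket policy is in effect.

    S3 Block Public Access is honoured: IgnorePublicAcls neutralises public
    ACL grants and RestrictPublicBuckets neutralises public policies, so a
    bucket with both flags set is never reported, whatever its ACL or policy.
    """
    bpa = bucket.get("PublicAccessBlock", {})
    acl_in_effect = not bpa.get("IgnorePublicAcls", False)
    policy_in_effect = not bpa.get("RestrictPublicBuckets", False)

    if acl_in_effect:
        for grant in bucket.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS):
                return True

    policy = bucket.get("Policy")
    if policy_in_effect and policy:
        for stmt in json.loads(policy).get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and stmt.get("Principal") in PUBLIC_PRINCIPALS
                    and not stmt.get("Condition")):   # unconditional grant to everyone
                return True
    return False


def root_activity(events):
    """Every event performed with the root identity, console sign-ins first of all.

    Root should not be used day to day, so even a failed root sign-in deserves
    an alert: repeated failures look like credential stuffing.
    """
    hits = []
    for ev in events:
        if ev.get("userIdentity", {}).get("type") != "Root":
            continue
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")  # None for API calls
        hits.append((ev["eventTime"], ev.get("sourceIPAddress"), ev["eventName"], outcome))
    return hits


def evaluate_posture(buckets, events):
    """Collect deviations from the desired state as human-readable findings."""
    findings = [f"S3 bucket {b['Name']} is publicly accessible"
                for b in buckets if bucket_is_public(b)]
    findings += [f"root activity: {name} ({outcome or 'API call'}) from {ip} at {when}"
                 for when, ip, name, outcome in root_activity(events)]
    return findings


# Constructed sample inputs.
BUCKETS = [
    {"Name": "public-assets",
     "PublicAccessBlock": {},          # Block Public Access never enabled
     "Policy": json.dumps({"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public-assets/*"}]})},
    {"Name": "private-logs",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "Policy": json.dumps({"Statement": [         # same policy, neutralised by BPA
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::private-logs/*"}]})},
    {"Name": "legacy-acl",
     "PublicAccessBlock": {"IgnorePublicAcls": False},
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
]

EVENTS = [
    {"eventTime": "2023-11-14T08:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-11-14T08:05:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-11-14T09:17:03Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for line in evaluate_posture(BUCKETS, EVENTS):
        print(line)
```

The private-logs bucket carries exactly the same public policy as public-assets but is not reported, because Block Public Access overrides it; a check that only reads the policy document would produce a false positive there, and one that only reads the Block Public Access flags would miss legacy-acl. The root check is deliberately broad: the desired state is "root is never used", so every root event is a deviation, not only successful sign-ins.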
Lacework AI
Finally, as the icing on the cake, LACEWORK has developed a GenAI (generative artificial intelligence) assistant, better known as the Vulnerability Chatbot Assistant.
This assistant, powered by generative AI, simplifies the understanding and handling of compliance alerts and so encourages a proactive approach to risk management through a simple conversational exchange.
Impressive, but LACEWORK doesn't stop there. Generative AI tools are only as good as the data they are fed. Lacework has built a proprietary architecture (hosted in-house) that can handle the immense volume, velocity, and variety of cloud data in order to detect known and unknown threats.
Combining the information produced by the machine learning of Lacework's Polygraph engine with LLM assistance therefore gives customers a real advantage: better results, faster.
Cyril Cuvier: NEUVECTOR, secure your deployments before and during execution
With over 10 years of experience as a systems administrator in production and cloud architecture, Cyril then crossed over to "the dark side of the force", the vendor side, taking on pre-sales and sales roles for VMware at DELL Technologies, then as a solution architect at Lenovo, before joining SUSE France in a pre-sales role focused on DevOps topics.
NEUVECTOR Solution
A technician through and through, Cyril skips past the challenges and general security requirements to focus on presenting the NEUVECTOR solution and its capabilities for securing containers in real time and throughout their lifecycle.
Risk profiling & vulnerability management
Like its competitors, NEUVECTOR offers cloud security posture management (CSPM): robust tooling that provides assurance of container compliance through automated security audits and detailed reports (risk scores), making it easier to stay aligned with current compliance standards (PCI, HIPAA, etc.).
Cloud Workload Protection Platform
The solution also scans every type of workload and registry, detecting vulnerabilities in cloud environments and allowing critical risks to be prioritized so that attack vectors can be blocked.
Ease of integration
Leveraging the experience of Rancher (SUSE), NEUVECTOR offers seamless integration with CI/CD tools and container orchestration solutions, enabling smooth workflow automation and easy implementation and enforcement of security policies throughout the development cycle.
However, NEUVECTOR stands out and excels in the field of intrusion detection and prevention, and it is on this subject that Cyril offers us a scenario in a context that is familiar to us all.
Real-time container security
To put this into context, Cyril suggests drawing an analogy between real-time container security and managing security at a nightclub! (An opportunity to hit the dance floor in a professional setting).
Like a nightclub bouncer, who works on the principle that there is no such thing as zero risk at night and that zero trust is the rule, he sums up what he calls "automated behavioral-based zero trust" in three distinct modes:
Discover: learns the application's behavior (learning mode)
Monitor: alerts you to the first abnormal behavior by an application
Protect: blocks any abnormal behavior by an application
Once the context has been explained, Cyril moves on to a demonstration that will allow us to see in real time how this principle is applied to container security.
Admission Control
Just as a nightclub manager would, a list of rules granting or denying entry (admission control rules) is communicated in advance. The configuration shown as an example is:
Refuse any deployment that contains unscanned images
Mandatory scanning of the Docker registry
Admission control rule based on CVSS (Common Vulnerability Scoring System) scores
Once the rules are in place, we can refine the configuration with a rule that rejects any image carrying a high CVE score, or more than a given number of CVEs, just as the manager of a nightclub applies his own specific admission rules.
To return to our analogy, no basketball and no groups of more than 6 people!
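As an added illustration (written for this write-up, not NeuVector's admission controller or its rule syntax), here is how those three rules behave as a small policy evaluator over pod manifests and registry scan results: no scan on record means no entry, a single CVE at or above the CVSS threshold means no entry, and more than a set number of CVEs means no entry, init containers included. The registry name registry.example.internal, the pod specs, the scan results and the CVE identifiers are constructed placeholders.

```python
"""Admission control for a Kubernetes pod against image scan results.

Added example, not NeuVector's admission controller or rule format: a small
policy evaluator for the three rules from the talk. Deny any pod whose
images have no scan result, any image carrying a CVE at or above a CVSS
threshold, and any image carrying more than a given number of CVEs. The
registry name, pod specs, scan results and CVE identifiers are constructed
placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    image: str
    cves: tuple    # (placeholder CVE id, CVSS score) pairs from the registry scan


@dataclass(frozen=True)
class AdmissionPolicy:
    deny_unscanned: bool = True
    max_cvss: float = 7.0      # a single CVE at or above this score denies
    max_cve_count: int = 10    # more CVEs than this denies, whatever their scores


def pod_images(pod):
    """Every image the pod would run, init containers included."""
    spec = pod.get("spec", {})
    return [c["image"] for section in ("initContainers", "containers")
            for c in spec.get(section, [])]


def check_image(image, scans, policy):
    """Reasons to refuse this image; an empty list means it passes."""
    reasons = []
    scan = scans.get(image)
    if scan is None:
        if policy.deny_unscanned:
            reasons.append(f"{image}: no scan result on record")
        return reasons                     # nothing further can be assessed
    worst = max((score for _, score in scan.cves), default=0.0)
    if worst >= policy.max_cvss:
        reasons.append(f"{image}: highest CVSS {worst} >= {policy.max_cvss}")
    if len(scan.cves) > policy.max_cve_count:
        reasons.append(f"{image}: {len(scan.cves)} CVEs > {policy.max_cve_count}")
    return reasons


def admit(pod, scans, policy):
    """Decide as an admission webhook would: (allowed, reasons)."""
    reasons = [r for image in pod_images(pod) for r in check_image(image, scans, policy)]
    return (not reasons, reasons)


def make_pod(name, *images, init=()):
    """Build a minimal pod manifest for the constructed examples below."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"initContainers": [{"name": f"init{i}", "image": img}
                                        for i, img in enumerate(init)],
                     "containers": [{"name": f"c{i}", "image": img}
                                    for i, img in enumerate(images)]}}


REG = "registry.example.internal"   # hypothetical private registry
POLICY = AdmissionPolicy()
SCANS = {
    f"{REG}/app:1.4": ScanResult(f"{REG}/app:1.4",
                                 (("CVE-0000-0001", 5.5), ("CVE-0000-0002", 4.3))),
    f"{REG}/app:1.3": ScanResult(f"{REG}/app:1.3", (("CVE-0000-0003", 9.8),)),
    f"{REG}/tools:2.0": ScanResult(f"{REG}/tools:2.0",
                                   tuple((f"CVE-0000-01{n:02d}", 3.1) for n in range(12))),
}
PODS = {
    "clean": make_pod("clean", f"{REG}/app:1.4"),
    "unscanned-sidecar": make_pod("unscanned-sidecar", f"{REG}/app:1.4", f"{REG}/sidecar:0.9"),
    "critical-cve": make_pod("critical-cve", f"{REG}/app:1.3"),
    "too-many": make_pod("too-many", f"{REG}/app:1.4", init=(f"{REG}/tools:2.0",)),
}

if __name__ == "__main__":
    for name, manifest in PODS.items():
        allowed, reasons = admit(manifest, SCANS, POLICY)
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}  {'; '.join(reasons)}")
```

Two details matter in practice and are easy to get wrong: an image with no scan result must be refused outright rather than treated as having zero CVEs, and init containers must be checked too, because an attacker who controls an init image runs before the application does.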
Discover
Once the briefing is over, each bouncer takes up their position and opens their eyes wide to enter behavior learning mode.
Thanks to an advanced detection system, the solution continuously observes network traffic and container activity, and also inspects the processes running inside the containers.
Analyzing this behavior lets us build the rules describing authorized behavior for each container. Once discovery is complete and the rules have been recorded (e.g., the identified pod never runs curl against a URL), we move on to the monitoring step.
Monitoring
When behavior that deviates from the learned rules is detected, this step creates a security event for it and records the newly observed behavior as a rule flagged Warning.
Example: a curl to a URL from the pod.
Our bouncer alerts us to any unusual behavior and stands ready to take action!
Protect
Our party is in full swing and our bouncer is at the height of his concentration, ready to quarantine any deviant behavior already detected.
NEUVECTOR offers a full-stack defense strategy that not only secures network traffic but also inspects and controls the processes within containers. It is this multi-layered approach that delivers comprehensive protection by blocking abnormal behavior.
Example: curl is run from the pod again.
Since this behavior has already been detected and identified as deviant, the curl process is blocked the moment it appears and the container running it is quarantined to stop a compromise from spreading.
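The Discover, Monitor, Protect loop from the three modes above and the curl scenario, as an added example (a model written for this write-up, not NeuVector's enforcer): in Discover mode every observed process launch and outbound connection becomes an allow rule for the service; in Monitor mode anything outside the rules raises a warning; in Protect mode it is blocked and the container is quarantined, after which even previously allowed activity from that container is dropped. The service name, container id and event stream are constructed.

```python
"""Discover, Monitor, Protect for a container's process and network behaviour.

Added example, not NeuVector's enforcer: a small model of the "automated
behavior-based zero trust" loop from the talk. Discover learns a per-service
allowlist of process launches and connections; Monitor alerts on anything
outside it; Protect blocks it and quarantines the container. The service,
container id and event stream are constructed.
"""
from collections import defaultdict
from enum import Enum


class Mode(Enum):
    DISCOVER = "discover"   # learning mode: record what the service does
    MONITOR = "monitor"     # alert on the first behavior outside the rules
    PROTECT = "protect"     # block it and quarantine the container


class Enforcer:
    def __init__(self):
        self.mode = Mode.DISCOVER
        self.rules = defaultdict(set)   # service -> learned (kind, ...) keys
        self.quarantined = set()        # containers cut off from everything
        self.alerts = []                # (severity, service, container, key)

    @staticmethod
    def key(ev):
        """Processes are identified by parent and name, connections by destination."""
        if ev["kind"] == "exec":
            return ("exec", ev["parent"], ev["proc"])
        return ("conn", ev["dst"], ev["port"])

    def handle(self, ev):
        """Return the decision taken for one event."""
        svc, ctr, key = ev["service"], ev["container"], self.key(ev)
        if ctr in self.quarantined:
            return "dropped"             # quarantined: nothing runs, nothing leaves
        if key in self.rules[svc]:
            return "allowed"
        if self.mode is Mode.DISCOVER:
            self.rules[svc].add(key)     # learn it as normal for this service
            return "learned"
        if self.mode is Mode.MONITOR:
            self.alerts.append(("warning", svc, ctr, key))
            return "alerted"
        self.alerts.append(("critical", svc, ctr, key))
        self.quarantined.add(ctr)        # Protect: block and isolate the container
        return "blocked"


def run(events, enforcer=None):
    """Feed (mode, event) pairs through the enforcer; return the decisions and its state."""
    enforcer = enforcer or Enforcer()
    trace = []
    for mode, ev in events:
        enforcer.mode = mode
        trace.append(enforcer.handle(ev))
    return trace, enforcer


# Constructed event stream for one web pod: learning phase, then the curl
# from the talk shows up in Monitor mode, then again in Protect mode.
WEB = {"service": "web", "container": "web-7f9c"}
EVENTS = [
    (Mode.DISCOVER, {**WEB, "kind": "exec", "parent": "containerd-shim", "proc": "nginx"}),
    (Mode.DISCOVER, {**WEB, "kind": "conn", "dst": "api.default.svc", "port": 8080}),
    (Mode.MONITOR,  {**WEB, "kind": "exec", "parent": "sh", "proc": "curl"}),
    (Mode.MONITOR,  {**WEB, "kind": "conn", "dst": "api.default.svc", "port": 8080}),
    (Mode.PROTECT,  {**WEB, "kind": "exec", "parent": "sh", "proc": "curl"}),
    (Mode.PROTECT,  {**WEB, "kind": "conn", "dst": "api.default.svc", "port": 8080}),
]

if __name__ == "__main__":
    trace, enf = run(EVENTS)
    for (mode, ev), decision in zip(EVENTS, trace):
        print(f"{mode.value:8s} {ev['kind']:4s} {decision}")
    print("quarantined:", sorted(enf.quarantined))
```

The last event is the one to notice: the connection to api.default.svc was learned as normal and is allowed in Monitor mode, yet once the container has been quarantined in Protect mode it is dropped too. Quarantine is per container, not per rule, which is what stops a compromised pod from using its legitimate connections to move laterally. The weak point of the approach, as with any learning mode, is the quality of the discovery phase: a curl observed during learning would have been recorded as normal.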
Analyze
NEUVECTOR lets you view authorized and blocked connections and spot suspicious behavior through a detailed view of the network traffic between your containers, where violations are highlighted with color codes (Network Map).
Also worth noting: the ability to list all our assets (namespaces, pods, services), create and manage custom rules for containers, assess the security risks associated with images, nodes, or containers via a dedicated dashboard displaying vulnerabilities, manage misconfigurations and other issues, and finally verify container compliance with specific standards such as PCI-DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act).
This scenario shows us that managing the security of our containers in real time is no easy task and, above all, a matter of split seconds!
NEUVECTOR meets this need precisely, setting itself apart in a remarkable way.
Conclusion: DevOps D-DAY 2023, the challenge of securing the cloud
The years go by, and each one is less like the last at the Velodrome. The DevOps philosophy and methodology has given way to its counterparts FinOps and DevSecOps, just as euphoria has given way to seriousness.
Gone are the days when novelty seemed devoid of problems and complexity. Now it's time to take stock and make sure we're no longer taken advantage of, as some have learned the hard way.
The emergence of the cloud quickly confronted us with new issues in terms of security and resource management, highlighting the need to adapt to the new practices governed by this cloud-based continent.
As with any discovery of new lands, the work undertaken requires new rules and new tools in order to make the most of what we knew how to do on our old continent.
This year's DevOps D-Day 2023 perfectly reflects this beginning of change, as well as the lessons of several years of running workloads in the cloud, with well-established proofs of concept (shift left, think automation, CNAPP) and the emergence of new centralized tools (NEUVECTOR, LACEWORK) that address the challenges of cloud security and cost reduction.
However, this edition also shows a decline in interest in the DevOps philosophy and its application, which can only hold things back if culture does not keep pace with technology.