At Cushman & Wakefield, a global real estate services firm, keeping up with the constant change in its cloud environments had started to become untenable. With so much new technology — and the fact that cloud resources are continually in flux — “our security team could not keep pace without something providing overarching monitoring,” said Erik Hart, CISO of Cushman & Wakefield.
In short, there was just too much complexity.
Last fall, the firm added a new cybersecurity vendor to gain the visibility needed to rein in the complexity in the cloud. The cloud security vendor that Cushman & Wakefield selected was Wiz. In addition to providing broad visibility, Wiz unifies a number of different cloud security capabilities, deploys quickly (thanks to its agentless approach) and enables customers to prioritize threats, according to Raaz Herzberg, head of product at Wiz.
“The cloud is the best tool that’s been created for engineering teams — and businesses are moving faster than ever as a result,” Herzberg said. “However, it creates an entirely new level of complexity for security teams. Finding tools to simplify this is top of mind for CISOs.”
For Cushman & Wakefield, the firm has now standardized on Wiz, which has enabled the firm to reduce its complexity — and ultimately, improve its protection.
“The more complex we make things, the more opportunities there are for misses,” Hart said. “As we see today, so many breaches are occurring because of configuration issues. The user didn’t know what they did — or did not do. Cloud environments are becoming so feature-rich, and at such a lightning pace, that it is hard for anyone to keep up.”
Reducing complexity through a unified cloud platform, on the other hand, “empowers our cloud teams to do more and be confident in what they set up,” he said.
As businesses continue to navigate the consequences of moving to the cloud, the underlying complexity of cloud environments is among the most considerable adjustments for security teams. Security tools that weren’t developed with the cloud in mind are struggling to meet customer needs. Often this leads to an overload of alerts and false positives — alert fatigue — for many companies.
Meanwhile, the shortage in available security talent has further constrained companies’ ability to address the complexity in the cloud. That’s leading more businesses to consider adopting unified cloud security platforms to bring numerous capabilities together in one place, while aiming to reduce the alerts and prioritize the real threats.
The new cloud-native world
“With this shift to the cloud, the goal of the CISO becomes enabling and supporting digital innovation rather than holding it back,” Calatayud said. “But unleashing the true power of the cloud calls for a solid foundation in security.”
However, as large enterprises increasingly move toward cloud-native environments, the need to constantly grapple with complexity is quickly becoming the norm as well, explained Tyler Shields, CMO of JupiterOne.
Part of the complexity derives from the reality that developers, infrastructure teams and systems builders will tend to use “whatever tools and systems are best suited to build the business,” Shields said.
“This is a necessity to meet the speed of modern business,” he said. “Because of this, most enterprises are facing additional difficulty and complexity because of many different cloud services provider systems and environments.”
Another factor contributing to the complexity, says Pete Nicoletti, field CISO at Check Point Software, is the fact that many cloud providers are looking to “lock in” customers to their service.
“What has happened now is each provider offers native tools — but their capabilities and management interface and efficacy is different for each cloud provider, making it difficult and complicated,” Nicoletti said. “Customers desire a consistent security and compliance posture across all the cloud platforms that is simple to use.”
Thus, while managing one application and its data in a single cloud environment may be fairly simple, managing dozens of applications in multiple cloud environments with disparate management tools is “nearly impossible,” said Ishpreet Singh, CIO at Qualys.
“Without careful planning and the right tools, companies can spend more time managing cloud infrastructure than benefiting from it,” Singh said.
Ultimately, organizations need to manage security risk in the cloud without slowing down innovation, says Loris Degioanni, founder and CTO of Sysdig.
“By selecting a single security platform that addresses all of the cloud environments they need to secure, complexity is significantly reduced,” Degioanni said. “The security platform does the work of adapting to the different environments, rather than asking the security team to manage different techniques and tools.”
Easing alert fatigue
For businesses such as online lending marketplace LendingTree, a key to tackling cloud security complexity is the ability to reduce the alerts coming in. For that, the firm has seen massive improvements through working with cloud security platform Lacework for the past three years, says senior security architect John Turner.
Prior to deploying Lacework, LendingTree was averaging 190 alerts per day from various tools, requiring roughly 10 hours per day for triage and escalation, Turner said. To make matters worse, roughly 70% of the alerts were false positives — and only about 20 per week needed to be referred to engineering teams for remediation, he said.
Traditional security systems require extensive tuning, generate many false positives and are not based on peer analysis groups, said Kate MacLean, senior director of product marketing at Lacework. Lacework’s Polygraph technology takes a different approach – using deviation from a temporal baseline to detect changes in behavior, MacLean said.
This approach reduces the need to write and tune rules, and results in just a handful of meaningful alerts, she said. Each alert is due to one of three things: a desired change, a misconfiguration or malicious activity. The Lacework Polygraph Data Platform then scores the alerts by severity and threat, analyzing data from individual servers at the data-center level, MacLean said. Polygraph makes detection more precise because the comparison is done both against similar peer entities and against the entity’s own behavior over time, she said.
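The two comparisons MacLean describes (an entity against its own history, and against its peers) can be sketched in a few dozen lines. The following is an added illustration, not Lacework’s Polygraph code: the host names, role tags, connection counts and the z-score threshold are all constructed for the example. The useful part is the second comparison: a host that departs from its own baseline while its peers depart the same way is a fleet-wide change (a deploy, a config push) and gets one low-severity alert for the whole group, whereas a host that departs from both its history and its peers is the one worth a ticket.

```python
"""Baseline-deviation alerting over constructed per-host activity counts.

Added example (not Lacework's Polygraph code): score each entity against its
own recent history and against its peers, and only then decide whether a
change is an isolated anomaly or a change the whole peer group made together.
"""
from statistics import mean, pstdev

# Constructed sample data: outbound connections per hour, eight hours of history
# per host. Hosts tagged "web" form one peer group; "db" is another.
HOST_ROLES = {"web-1": "web", "web-2": "web", "web-3": "web", "db-1": "db"}
HISTORY = {
    "web-1": [50, 52, 49, 51, 50, 53, 48, 50],
    "web-2": [48, 50, 51, 49, 52, 50, 49, 51],
    "web-3": [51, 49, 50, 52, 48, 50, 51, 49],
    "db-1":  [5, 6, 5, 4, 6, 5, 5, 6],
}
# Scenario A (constructed): web-3 alone starts making far more connections.
CURRENT_BEACON = {"web-1": 52, "web-2": 49, "web-3": 400, "db-1": 5}
# Scenario B (constructed): every web host roughly doubles its traffic after a deploy.
CURRENT_DEPLOY = {"web-1": 120, "web-2": 120, "web-3": 121, "db-1": 5}

def zscore(value, samples, min_sigma=1.0):
    """Standard score of value against samples; min_sigma stops a flat
    baseline (sigma 0) from turning every tiny wiggle into a huge score."""
    mu = mean(samples)
    sigma = max(pstdev(samples), min_sigma)
    return (value - mu) / sigma

def peer_deviation(host, current, roles):
    """Compare host to the others in its role group; None if too few peers."""
    peers = [v for h, v in current.items() if h != host and roles[h] == roles[host]]
    if len(peers) < 2:
        return None
    return zscore(current[host], peers)

def classify(host, current, history, roles, threshold=3.0):
    t = zscore(current[host], history[host])
    if abs(t) < threshold:
        return None                      # within its own temporal baseline
    p = peer_deviation(host, current, roles)
    if p is None or abs(p) >= threshold:
        return "anomaly"                 # differs from its past AND from its peers
    return "fleet_change"                # differs from its past, but so did its peers

def detect(current, history=HISTORY, roles=HOST_ROLES, threshold=3.0):
    """Return a short list of alerts: one per anomalous host, plus one per peer
    group that moved together (a deploy or config change, not an incident)."""
    verdicts = {h: classify(h, current, history, roles, threshold) for h in current}
    alerts = [
        {"severity": "high", "scope": h,
         "reason": "diverges from own baseline and from peers"}
        for h, v in verdicts.items() if v == "anomaly"
    ]
    for role in sorted({roles[h] for h, v in verdicts.items() if v == "fleet_change"}):
        alerts.append({"severity": "low", "scope": f"role:{role}",
                       "reason": "whole peer group shifted together; review the change"})
    return alerts

if __name__ == "__main__":
    for name, snapshot in (("beacon", CURRENT_BEACON), ("deploy", CURRENT_DEPLOY)):
        print(name, detect(snapshot))
```

Run as-is, the beacon scenario yields a single high-severity alert for web-3 and the deploy scenario a single low-severity alert for the whole web group; a static rule such as “more than 100 connections per hour” would have fired four times across the two snapshots. A host with no peers (db-1 here) cannot be cleared by the group check, so an out-of-baseline reading on it is escalated rather than silently assumed to be a fleet change.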
For LendingTree, the result was that “within a short time after rolling out Lacework, we cut the alert volume by 90% and cut the investigation time to roughly five minutes per alert,” Turner said.
Prioritizing security threats
Agero, a major provider of white-label roadside assistance, has had a similar experience through working with security operations firm Arctic Wolf, according to Agero CISO Robert Sullivan.
With Agero’s complex, multicloud environment that generates massive quantities of security data, “how do you look at all that data coming in, in real-time, and sort through what would be anomalous behavior?” Sullivan said.
Working with Arctic Wolf has helped to answer that question, he said.
Arctic Wolf provides customers with a unified approach to management, detections and analysis across all cloud assets, said chief product officer Dan Schiappa. Notably, the Arctic Wolf offering combines both artificial and human intelligence in order to deliver a “concierge-level” security service to customers. With this, customers only receive security tickets for issues that have already been triaged and addressed by this combined intelligence, Schiappa said.
“It is the human element that must take the observations, context and narrative generated by the security operations platform, triage and verify the activities that took place, and provide remediation guidance,” he said.
The result is that rather than “thousands of noisy alerts,” customers can receive as few as two to three tickets a week — highlighting only the legitimate threats, Schiappa said.
Connecting the dots
Undoubtedly, understanding which cloud risks are a real threat — and sorting through the noise to not miss critical issues — is a huge challenge, says Jack Roehrig, head of security and compliance for virtual tutoring site BookNook.
In 2020, BookNook turned to Orca Security, whose agentless “SideScanning” technology collects data from cloud environments, provides full visibility of cloud environments and connects the dots in security alert data to enable risk prioritization, according to Orca CEO and cofounder Avi Shua.
To reduce cloud complexity, one of the key capabilities offered by Orca is the ability to build an attack path, Shua said. With Orca Attack Path Analysis and Business Impact Score, organizations are automatically directed to the highest-priority exposed assets or critical vulnerabilities that would put their cloud assets — and business — most at risk, he said.
Since deploying Orca, Roehrig said, BookNook has used the platform for detecting signals throughout the company’s cloud estate and prioritizing the risk of vulnerabilities. Crucially, Orca has shown how the issues “can connect to each other to create dangerous attack paths that lead to crown jewel data,” he said.
Talent shortage hampers cloud security
The ability to reduce complexity in the cloud is also increasingly critical at a time when security talent is severely constrained.
In 2021, cryptocurrency exchange Klever began using Palo Alto Networks’ Prisma Cloud offering to help tackle the security issues in the cloud. And that’s been critical to bolstering its security team, says Vinícius Lima, head of security and compliance at Klever.
Reducing complexity for cloud security professionals improves efficiency and job quality, according to Ankur Shah, senior vice president for Prisma Cloud at Palo Alto Networks. By eliminating blind spots, adding consistent policy controls and automating remediation, security teams can spend less time configuring policies and managing tools — and more time improving the posture and security of their environments, Shah said.
At Klever, “if we didn’t have Prisma Cloud, consequently we would have to expand the team a lot — which is very complicated precisely because of the shortage of talent in security,” Lima said.
Healthcare staffing app IntelyCare has found the same thing, says Larry Viviano, director of information security for the company. If IntelyCare had not deployed a platform from Ermetic, the company would’ve needed to add at least two or three additional security staff members in order to manually manage its cloud security.
Ermetic offers automated monitoring, risk detection and prioritization, as well as least-privilege policy generation, says Ermetic cofounder and CEO Shai Morag. The platform enables teams — including those not familiar with cloud security — to quickly perform tasks that would typically take weeks or months to complete manually, Morag said.
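Least-privilege policy generation of the kind Morag describes is, at its core, a diff between what a principal is granted and what it has been observed to use. The following is an added illustration of that diff, not Ermetic’s code. It assumes a CloudTrail-style record can be mapped to an IAM action by joining the service from eventSource with the eventName (true for most APIs, not all), that the policy uses Action rather than NotAction, and that the log window is long enough to cover rare but legitimate calls; the policy and the log records are constructed for the example.

```python
"""Usage-driven least-privilege policy narrowing.

Added example (not Ermetic's code). Assumption: the IAM action name equals the
CloudTrail eventName prefixed with the service from eventSource, which holds
for most but not all APIs, and the policy uses Action (not NotAction).
"""
import json
from fnmatch import fnmatchcase

# Constructed: an over-broad policy attached to a CI role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed CloudTrail-style records of what the role actually did in the
# review window (only the two fields this example needs).
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]

def event_to_action(event):
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"

def action_matches(pattern, action):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def _actions(stmt):
    acts = stmt["Action"]
    return acts if isinstance(acts, list) else [acts]

def minimize(policy, events):
    """Return (narrowed policy, granted-but-unused patterns, used-but-not-granted actions)."""
    used = sorted({event_to_action(e) for e in events})
    statements, unused = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)          # keep Deny statements untouched
            continue
        kept = []
        for pattern in _actions(stmt):
            hits = [a for a in used if action_matches(pattern, a)]
            if hits:
                kept.extend(hits)            # replace the wildcard with what was exercised
            else:
                unused.append(pattern)       # never exercised in the window: drop it
        if kept:
            statements.append({**stmt, "Action": sorted(set(kept))})
    granted = [p for s in policy["Statement"] if s.get("Effect") == "Allow" for p in _actions(s)]
    # Seen in the logs but not granted by this policy: another policy (or an
    # implicit allow) explains it, so this document alone is not the whole story.
    unexplained = [a for a in used if not any(action_matches(p, a) for p in granted)]
    return {**policy, "Statement": statements}, sorted(unused), unexplained

if __name__ == "__main__":
    narrowed, unused, unexplained = minimize(BROAD_POLICY, OBSERVED_EVENTS)
    print(json.dumps(narrowed, indent=2))
    print("granted but never used:", unused)
    print("used but not granted here:", unexplained)
```

Two caveats a reviewer should attach to the output. First, narrowing the action list does nothing about resource scope: the ec2 statement still carries `"Resource": "*"` after the rewrite and needs a separate pass. Second, the generator is only as good as its logs; by default CloudTrail does not record S3 object-level data events, so on an unconfigured trail GetObject and PutObject would never appear and the s3 grant would be wrongly dropped. Usage-based policies therefore belong in a review step before enforcement, not straight into production.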
At IntelyCare, Viviano said that in a single day, he was able to fix nearly 80 items by himself in the company’s cloud environment, using Ermetic’s auto-remediation capabilities.
“That would have translated into probably two or three weeks of work — if we even had the visibility to know about that inside of AWS,” he said.
Migrating to the cloud
Energy firm World Fuel Services foresaw some cloud security challenges ahead even before setting out, in mid-2020, to migrate out of 22 data centers worldwide and into AWS and Microsoft Azure.
“We fully understood that this initiative required a robust cloud security operating model that would also accelerate the migration,” said Shawn Bowen, CISO for World Fuel Services. “We also realized right away that securing the cloud would be a major challenge given its complexity. Reducing this complexity was definitely one of our top priorities.”
In particular, the cloud has different security risks and controls compared to data centers, Bowen said. While some of the basics are similar, the identity and data protection controls are vastly different, he noted.
In order to give the company’s security team an accurate and complete view of the risks across its cloud, World Fuel Services chose to deploy cloud protection platform Sonrai Security.
Sonrai offers technology — including through its “identity graph” — that provides a unified experience for querying all entitlements and permissions to resources across the public cloud, according to Eric Kedrosky, CISO at Sonrai Security.
Having a unified platform for cloud security reduces complexity because it enables an organization to identify the true risk of a workload, in the context of how each individual part interacts with the other, Kedrosky said.
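Both the attack-path analysis Shua describes and the identity-graph queries Kedrosky describes come down to traversals of one graph: nodes are the internet, workloads, roles and data stores; edges are the reasons one can reach the next (an open port, an instance profile, an sts:AssumeRole grant, an s3:GetObject grant). The block below is an added illustration of both, not Orca’s or Sonrai’s code. The estate, the edge labels and the scoring weights are constructed; a real implementation would load them from cloud inventory and IAM and network configuration. It shows why individually moderate findings (a public host with a critical vulnerability, a role that may assume another, an admin role with read access to customer data) rank at the top once connected, and answers the entitlement question “who can reach this bucket” including access that exists only through role assumption.

```python
"""Attack-path ranking and entitlement queries over a small cloud graph.

Added example (not Orca's or Sonrai's code). Nodes, edge labels and the
scoring weights are constructed for illustration; a real estate would be
loaded from cloud inventory and IAM/network configuration.
"""
from collections import defaultdict, deque

NODES = {
    "internet":            {"type": "external"},
    "vm-web":              {"type": "compute", "public": True, "critical_vuln": True},
    "vm-batch":            {"type": "compute", "public": False, "critical_vuln": False},
    "role-web":            {"type": "role"},
    "role-batch":          {"type": "role"},
    "role-admin":          {"type": "role"},
    "bucket-logs":         {"type": "data", "crown_jewel": False},
    "bucket-customer-pii": {"type": "data", "crown_jewel": True},
}
# (source, destination, why the hop is possible)
EDGES = [
    ("internet",   "vm-web",              "public IP, port 443 reachable"),
    ("vm-web",     "role-web",            "instance profile"),
    ("vm-batch",   "role-batch",          "instance profile"),
    ("role-web",   "bucket-logs",         "s3:PutObject"),
    ("role-web",   "role-admin",          "sts:AssumeRole"),
    ("role-admin", "bucket-customer-pii", "s3:GetObject"),
    ("role-batch", "bucket-customer-pii", "s3:GetObject"),
]

def build_adjacency(edges, reverse=False):
    adj = defaultdict(list)
    for src, dst, why in edges:
        if reverse:
            adj[dst].append((src, why))
        else:
            adj[src].append((dst, why))
    return adj

def simple_paths(adj, start, is_target, path=()):
    """Every loop-free path from start to a node satisfying is_target."""
    path = path + (start,)
    if is_target(start) and len(path) > 1:
        yield list(path)
        return
    for nxt, _ in adj.get(start, []):
        if nxt not in path:
            yield from simple_paths(adj, nxt, is_target, path)

def score_path(path, nodes):
    """Constructed weights: what is reached, how the attacker gets a foothold,
    and how many pivots must all succeed."""
    entry, target = path[1], path[-1]
    score = 50 if nodes[target].get("crown_jewel") else 0
    score += 20 if nodes[entry].get("public") else 0
    score += 30 if nodes[entry].get("critical_vuln") else 0
    score -= 5 * (len(path) - 2)        # each extra hop is one more thing that must go right
    return score

def ranked_attack_paths(nodes=NODES, edges=EDGES, start="internet"):
    """All paths from the internet to a data store, highest-impact first."""
    adj = build_adjacency(edges)
    why = {(s, d): w for s, d, w in edges}
    findings = []
    for p in simple_paths(adj, start, lambda n: nodes[n]["type"] == "data"):
        findings.append({
            "path": p,
            "score": score_path(p, nodes),
            "hops": [f"{a} -> {b} ({why[(a, b)]})" for a, b in zip(p, p[1:])],
        })
    return sorted(findings, key=lambda f: -f["score"])

def who_can_reach(target, nodes=NODES, edges=EDGES):
    """Identity-graph style query: every principal or workload with a path to
    target, including access obtained only through role assumption."""
    radj = build_adjacency(edges, reverse=True)
    seen, queue = set(), deque([target])
    while queue:
        n = queue.popleft()
        for prev, _ in radj.get(n, []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return {n for n in seen if nodes[n]["type"] in ("role", "compute")}

if __name__ == "__main__":
    for f in ranked_attack_paths():
        print(f["score"], " / ".join(f["hops"]))
    print(sorted(who_can_reach("bucket-customer-pii")))
```

With the constructed estate, the path internet → vm-web → role-web → role-admin → bucket-customer-pii outranks the shorter path to the logs bucket because of what sits at the end of it, and `who_can_reach("bucket-customer-pii")` returns role-batch and vm-batch as well as the web-side chain, even though neither batch component appears in any internet-facing path. That second answer is the one a permissions review misses when it reads policies one role at a time instead of following sts:AssumeRole edges.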
This capability has proven to be crucial for World Fuel Services as it migrated to the cloud, Bowen said. Sonrai “gives us the risks and remediation advice, and distributes alerts to the right teams,” he said.
Ultimately, when it comes to cloud security, “reducing complexity is a necessity,” Bowen said. “Security teams were already overburdened, but now must keep up with the speed of digital transformation that the business requires — which is the main impetus for operating in the cloud.”
But if done right, businesses can potentially achieve better security in their cloud environments than they ever could in the traditional data center, he said.
That’s possible, Bowen said, through leveraging the capabilities of the cloud itself to help drive security — allowing businesses to manage their risks “at the speed and scale of the cloud.”