Cloud Native ChannelAWS Security LIVE! Modernizing Cloud Native Applications
This episode of Security LIVE! with Giovanni Rodriguez, Product Manager with Aqua Security, discusses how Serverless containers like AWS Fargate have become cornerstones of modern cloud native applications, offering unparalleled convenience and scalability with AWS hosts, Ryan Orsi and Rob Hale.
Transcript
Hello, and welcome to AWS Security Live. My name is Rob Hale. I'm coming from you coming at you from the UK.
We are a biweekly show every other Wednesday, which we come online at, I think it's eight to nine Pacific time. Ryan's gonna correct me if I've got his time zone wrong. But right now, we're in British summertime. It may not look outside, but it is. So we're four o'clock till five or if you're one of our European, continental, friends, then you're coming at us at five o'clock, Central European summer summertime. So, I'm joined by my, my esteemed colleague, Ryan. Do you wanna introduce yourself?
Thank you, sir Rob. Yes. Hello, everybody. Ryan Orsi here, together with Rob Hale in the AWS Partner Network, running a team called Cloud Foundations and Advanced Services. We get to play with all sorts of new technology and develop new products and help go to market resources out there for all things security with AWS partners.
Awesome. And we're we're not alone. You know, although we can just talk to someone as it were.
We're we also have special guests.
So, who we got today?
Drum roll. Drum roll. Drum roll. Gio. Hello, sir. Hello? With security. Welcome to security live.
Thank you. Thank you.
Be before before we we need to say hi hello to the audience, I just wanna explain this little jar over here, the the swear jar. At reinforce, Rob and Himantu and Margo, the other cohosts of Security Live, we, we had a physical jar. But right now, we're gonna do it virtually with you. That's the acronym swear jar, and Rob and I are perfect humans. We we never make a mistake, so we never use an acronym, and we and and and not follow it up with the definition. So if you, you'll have a little g in there, if you make an acronym swear.
Keeps keeps it interesting.
Anyway, sir, would you like to introduce yourself to the audience?
Yes. Giovanni Rodriguez. Everyone calls me Chiyo. I am a technical product manager for Aqua Security, and my main focus is on the cloud security, AWS, space.
Awesome. And Aqua, a cloud native company. Can you tell us a little bit more about Aqua, how you started and and and, I mean, how you help customers?
Yeah. So Aqua started as a container security company back when Docker and Kubernetes were starting to gain popularity. And, from there as the cloud evolved, as Kubernetes evolved, as containers evolved, we've also evolved. So, as you probably know, the container security or the container world has moved towards serverless.
Now that's the bigger technology that's going out now. So as the containers have evolved and the security and the the the shared responsibility model, we've also evolved with it. So, you know, we started with just container security. We moved into, Kubernetes, and now we also offer Fargate and what we call cloud native.
So Fargate, ECS, these are cloud native technologies, and, you know, we this is our bread and butter. Right? This is what we do.
And folks watching Feel feel free to feel free to hit, Geo with with some questions as well as we go. Sorry, Rob. Keep going.
Yeah. We want we want loads of questions. And and, actually, this is something that whenever I talk to customers around, they're always looking at how do we help the business get to, you know, the endpoint, get to serverless and and containers. And and often, you know, kind of a lot of your view is on the the lift and shift from let's get into into cloud. But, really, what the what the application owners wanna do is they wanna get to, to serverless. They wanna get to containers, and cloud native services so they can make use of the the schooling and that's available to make them more agile and and and more efficient. So I think having, partners that help you do that is super important for a security team as well in making that happen.
Yeah. Absolutely.
You know, there's a lot of challenges, especially with the customers that we deal with, on premise customers that are moving out to the cloud and starting their cloud journey, even customers that are more mature in the cloud. But what we see is, as you move and you go from, let's say, Kubernetes and you wanna evolve and mature and move to a serverless technology, the security isn't the same. Right? So there are a lot of different challenges that get posed as you migrate, mature, move as a shared responsibility model changes as well. Right? Servers versus serverless.
Well, let's actually Interesting. Let's actually peel that back a little bit.
So common conversation Rob and I have in our teams, like, every day.
Mhmm.
Okay. In the traditional sense, monolithic application style, there's an executable. It has libraries. It's running.
It's pull it's it's running in memory. And any any, like you know, there's logs coming off of it or traces coming off, and you can monitor it. It's it's it's right there. It runs right here.
Here it is. This is how much memory it's consuming, how much storage it's consuming. It's connected to this database. I know everything about it.
Right?
Now trans move to the the, you know, modern serverless and container, you know, application development where a container is executing, like, a serverless call or vice versa, and something some resource spins up for a microsecond and disappears.
Right. So it's it's that it's that fact, the ephemeral nature of serverless container based application design and development that people people hear that statement and they say, what are you talking about? How am I ever going to keep consistency with application observability and traces, of course, like the performance of the app? And on the security side, you know, who's accessing it? What was it what what identity accessed it when? What what did they access? What did they issue a command to this application if if it's an input into the app?
What what what do you say, sir, Gio, from Aqua here about that? How do you calm people down? How do you calm their nerves down?
Yeah. So we have, our, you know, we're really big in the security container security space, so we have a lot of patents. Yeah. We have a couple different patents.
We do have what we call our micro enforcer, which is the Fargate or cloud native, container enforcer. And that basically can run as a sidecar, can run, you know, natively inside of the application or the container, and that's monitoring all the network traffic. So as you start to abstract away from, you know, being in the system, being in the server, monitoring the logs, doing all of that, you still wanna make sure that you're secure. Right?
You wanna make sure that the application doesn't have vulnerabilities, the vulnerabilities aren't being triggered, people aren't accessing your your container or your application or, you know, anything. So with our micro enforcer, we're actually monitoring all of the network traffic. We're monitoring all the calls in and out of the container. You know?
Because you don't have access to the host, doesn't mean that you're still that you're fully secure. Right? You need to also be able to monitor what's happening inside of the container.
That's really you you mentioned a couple of things there, but you mentioned, you know, distinction between two areas. One was having an agent, so an agent based approach. The other was sidecar. Can you explain the the kind of differences between those for our audience, but also where where you might use them? What what might be more suitable for for which environment?
Right. So so an agent you're gonna wanna use in a traditional Kubernetes environment, something where you have access to the host and you could be monitoring the host. The agent actually works as, like, a separate container that's, inside of the Kubernetes cluster, and it's monitoring and and accessing and looking at the metrics, looking at logs, looking at, who's accessing what, identities, permissions, networking.
And the sidecar approaches for environments where you don't have access to the host, where you don't have access to the underlying infrastructure, but you still wanna be able to monitor what's going on. So the sidecar kinda acts like a secondary container, and it becomes kind of the entry point. So it's almost like a man in the middle in between the network and the outside coming into the container itself for the application that's being run.
What I love about what you just said, Gio, is security concepts in your talk track there, they're familiar.
Even in the monolithic application style, it's familiar, but the app is being broken apart into all these different serverless functions. Containers are scaling up and scaling down. They they they're created one minute. They disappear the next.
But still, you wanna know the traffic. You wanna know the calls. You wanna know the identity of what made the call. You wanna know date, time stamps.
You know? You wanna know you wanna know as much as you can about that. It's it's all available to you when you use something like like Aqua. I think that's that's a that's a key, like, superpower that you y'all bring to the table.
I will I will say that we we go past that. Right? So it's not just a visibility play. I think what makes us unique in the industry and what we do, that's very special is our blocking capabilities and what we call our vShield or vulnerability shield.
So with our blocking capabilities, we can actually block malicious behavior, malicious activity from even happening, which is very important because, you know, even if you have an application that you think is secure, you're in, an AWS account that's hardened. Right? There still can be issues or there still can be malicious network calls or things that happen. So we're able to actually block malicious behavior from happening.
Right? And the second thing is our vulnerability shield. So we're we can actually if you we see that there's a vulnerable package in your system that's not being used, we can actually put a shield on top of that to ensure that that vulnerability doesn't actually even get triggered, that that that vulnerable package doesn't even get installed. Right?
That's another pattern that we a pattern pending that we have, in our system. So, you know, when you're talking about vulnerability management, which is a big topic nowadays, especially with, again, going back to the shared responsibility and you get into serverless, really, when you talk about serverless in the shared responsibility model, the customer's main responsibility are the vulnerabilities.
Main responsibility are the vulnerabilities. Right? You you know, because the the the host is covered and because you've hardened the account and everything else, the only thing that can be exploited are the vulnerabilities or the packages inside of the system. Right?
That's the main entry point. So with our vulnerability shield, it helps with the vulnerability management because as you get to the point where you find that you have hundreds or thousands of vulnerabilities, some of them might be very critical, high, you know, some might be low, medium. But the idea is you're not gonna get all vulnerabilities that same day. Right?
So do you either not ship your application and wait till you fix all the vulnerabilities? Right? It's Now The reality situation.
Now we're getting into it. Yeah. Now we're getting into it. Actually, Gio, one of our audience members with the coolest coolest handle, Schizophrenic web developer asks, how do you detect if a malicious if it's malicious traffic or legitimate traffic? Is it traffic, or is it a payload of a call? Yeah.
So so we're not necessarily you know, we do networking, but we aren't a network company. Right? We aren't a a true network security company. So what we're doing is we're doing behavior analysis. We're looking at, signatures, and we're looking for signature based attacks. We're looking for specific pattern patterns, things like that that are happening in memory in the runtime.
This is this is what we're really detecting and trying to block.
What do you what can you block?
What can we block?
That's Like, what's the blocking control mechanism? Do you use access to a container or do you for a identity, or do you disconnect it from your Yes.
So it's let's say, the there's, a message coming through or, a call coming through that's that we deemed malicious, we can block the call. We can block the container from taking actions that it shouldn't be taking.
We can stop, you know, certain in memory actions from taking place as well. So, again, it's more on the blocking, but then the going back to the vulnerability shield as well, it's also stopping, let's say, remote exploitable vulnerabilities from actually triggering because the pack vulnerable package wouldn't even be installed, so there's no way of accessing it. Great example would be like Log four j.
Right?
Very popular happened a few years ago. Right? So that's that's a a logging mechanism that's pretty much used for debugging. So if you're not debugging and you don't need it, you know, there's no reason for really having it in your system.
So we make sure that that doesn't even get installed in your system so that someone can't take advantage of the package of being in your in in in this.
So you're reducing the you're reducing the attack surface at the same time as helping the customer to make use of of or or make sense of all of the reams of of vulnerability reports they have.
So you can reduce that pile down, but then you're also making sure that actually you don't have, you know, unwanted or unneeded processes running, and the package is being put.
And that's super Yeah.
Right. And when we talk about what we do, it's not just on the runtime side. Right? We do manage the entire application life cycle. So we have our supply chain tool, which actually scans the container images, can block container images from actually being deployed.
Then we also have our dynamic threat analysis DTA. I said the acronym afterwards.
Geo.
I was getting a lot of time.
Very smooth.
Yeah. So, we have our dynamic threat analysis. That's another patent that we have. Right? So, you know, it's not enough to just statically scan the container image.
Right? Because what we've seen and from our team Nautilus, we what we noticed is that fifty two percent of the cloud native attacks happen in memory. Right? So static static analysis isn't gonna actually show that.
So we have our dynamic threat analysis. It's like a multifaceted. The first thing is static analysis on the container image. Second is creating and helping you, validate your golden image.
Right? So you have now you have your golden image. You put it into a dynamic thread analysis. You're kinda like a sandbox container.
It allows it to run, sees what's happening. If everything looks great, everything's good. Now you validated your golden image. Let's put it into, production, into the runtime.
Right? And then now we continue to continuously monitor the runtime as well.
What in that dynamic threat analysis sandbox environment, are you matching or looking at, like, the typical cybersecurity kill chain of, like, a malware campaign where this looks like reco this looks like reconnaissance activity. They're looking for what doors and windows are open. This looks like a pay payload distribution. This looks like command and control callouts. Is is that kinda cool?
So we have a team Nautilus. They do all they do is research. And what they're looking for is behavioral attack like, they're doing behavioral analysis for on attacks, incidents, things like that. And they basically create what we call behavioral signatures. And we're monitoring and we're we're looking for those signatures. And then if we see anything that matches what we're looking for, we consider that to be we call them incidents.
Well, that's a whole lot cooler than just network traffic inspection Yeah. For our schizophrenic web developer.
So, yeah. Aqua, we consider ourselves to be a CNAP solution. That's a cloud native application platform protection.
You're just not gonna give it to me, are you, Gio? I'm just gonna have a blank.
It's been very bad about Sledge also. Yeah.
Yeah. So that means we we cover the entire life cycle. We cover from the pipelines and your, CICD. We we look at your container images.
We're monitoring it in the run time, and then we also look at your cloud posture as well. Right? So we're CSPM, cloud native cloud security posture management. We're looking at the misconfigurations.
Basically, the hardening of the AWS account as well. Right? So we're basically looking at everything outside and inside.
I was gonna ask you because you made you made the you made the statement that customers are primarily responsible in the AWS share responsibility for security model. Security in the cloud, you you defined as primarily, like, the bulk of that responsibility is vulnerabilities of the applications that they're putting in there.
But what about I think that you just mentioned it now. The configuration of AWS services, configuration of third party tools and products they're they're launching inside of it, whether it's a machine image or or a SaaS solution, software as a service solution. Almost got myself there.
Misconfiguration.
I hear it's a big problem. I mean, that's that's something you guys address as well. And misconfiguration as as determined by who. Right? Like, what's the best who's who's the source of the best practice of how you should or should not configure something?
Yeah. So this is actually where I started my journey in, in the cloud and in, cybersecurity. So I started on a small startup called Cloudsploit. All I did was misconfiguration management and scanning, and Aqua quickly, acquired us as part of, you know, the maturity model.
We started with the on prem. As we moved to the cloud, we realized that just protecting the application in the cloud isn't enough. Right? You need to actually protect the configurations and how the cloud is configured altogether.
So, they I became part of an acquisition. This is all I've been doing. This has been my bread and butter since I started. So, you know, it's it's a big, it's a big challenge.
Right? So as we've seen, I think, over over seventy percent of the cloud native attacks that have been happening, that lead to major intrusions have happened because of common misconfiguration, something as simple as, permission, or just, let's say, a public access, configuration. So we take that very seriously. Right?
So, you know, we make sure that your AWS count is as hardened as possible. Right? And that in itself is important, but it's not enough. Right?
Because it I think in this idea of the shared responsibility when you're moving from on premise to the cloud, you think that just hardening the AWS account because that's the part that is the shared responsibility or responsible for hardening your own AWS account, they AWS does a good job of giving you a very blank slate and lets you, customize and be as dynamic as possible. So that customization often leads to misconfiguration just because customers don't understand necessarily what configurations are best. So what we do is we are using, AWS best practices. Right?
We are leveraging OS, so we're leveraging all of the major compliance frameworks and standards, and then we do our own research. Right? Our again, going back to our team Nautilus, our team Nautilus is basically looking at different ways to or different ways that misconfigurations in your cloud environment could lead to, intrusions.
Something as simple as, you know, a a a lack of permission and then being able to do a what do they call it?
Sorry. Are you thinking are you thinking, elevated permissions? Right.
Are you thinking lateral Per escalation.
There we go. Per Yeah. Lateral attack, privilege escalation. Exactly. Those types of things. Right? So we do, like, a holistic, check if if we're talking about Fargate or serverless.
Right? Then, you know, we're also looking at how you've configured it, what are the networking pieces around it, who who who has access to what? Who can access your Fargate? Where can your access Fargate access?
You know, different things like that. Making sure that you've, you know, configured your cloud and you've hardened your cloud correctly.
Well, Ed, I don't know how Rob, how how you feel about this too, but a hardened AWS environment drifts it drifts with new people coming into an org new people coming into an organization, new requirements and applications coming into that environment. It always drifts. I I just think I mean and, Rob, do you do you agree with that?
Yeah. Absolutely. And you see, you know, from when we've been talking through this, if you're a customer and you run Kubernetes on on prem, when you're gonna migrate that into the cloud, and then you're probably gonna go to Fargate. Right? So if you look at the, you know, the the evolution of that with the shared responsibility model, on prem, you're responsible for everything. You know, move to EKS, so Elastic, Kubernetes Service, or even ECS, on on AWS.
And you then have the shared responsibility model, and and what most customers are now doing is they're moving to Fargate. They're they're moving the the the shared responsibility. You know, responsibility learning is is moving up a little bit.
And and so what Acura is doing is you're helping customers to get from on prem into a, you know, a more managed service, and you're really, helping them to move fast but keep control of the things that they're responsible for. You know, things like run time and and and obviously the configuration.
Because it's when I when I work with customers and they're trying to keep on top of of what's going on, particularly from a security operations perspective, they need to have guardrails. You can't move fast about guardrails and everything around, serverless and containers is all around speed and agility. So you absolutely have to have guardrails. But, really, what you'll be monitoring is exceptions to those guardrails. You're not having to look at absolutely everything. But I love the fact that you're continually helping customers from on prem, you know, all the way into, you know, potentially a managed container service.
Right. And and the shared responsibility model, you know, everyone sees it as static. Right? It's either on premise or in the cloud, and then you're in the cloud, it's like a fifty fifty.
The reality isn't fifty fifty, and it's very dynamic. Every service can have a different shared responsibility. Right? And especially when you start talking about servers versus serverless.
And I think what has happens as well is the the people who are very mature in the shared responsibility model, who have hardened their cloud very, very well, have very secure cloud, Feel that false sense of security where I can just do whatever I want because no one's gonna be able to remote access, or no one's gonna be able to attack me, or no one's gonna be able to access it because the house or my cloud has the security guard and has the doors closed and has right? But you don't realize that there could be, someone into the house. Maybe someone tunnels in from under. Right?
You don't you don't you don't know what you don't know. Right? So that false sense of security that kind of that you've fall into, especially when you start getting into service applications, Lambda is probably a prime, candidate for this as well, right, where you just feel like AWS is handling everything for me. I I shouldn't have anything to worry about.
Well, it hey.
We we partner with cyber insurance companies too, Gee. I don't know if you know that. There's a cyber insurance competency you can look up at online, folks. But, you know, we get involved in those incident response situations where it's looking back at something someone had a bad day, and we're looking back.
And your point about someone tunneling in, I mean, this is like an a metaphor. We don't actually be, like, VPN tunneling into your cloud account. But, in in the run time of, like, the applications that are actually running. I think that's what's very, very important and your superpower of being able to block, as you said, block malicious looking activity.
I love that you're you call them team Nautilus there at Okta. Yep. Yep. Is is studying, say, kill chain kind of behavior about on different kind of campaigns, malware campaigns.
That is very cool.
I think that's part of your definitely your secret sauce you're bringing to to the table. Because that that's unique per customer environment, and your tool is is able to adapt is able to adapt to that. What else should should folks be looking out from AquaXile? We just pasted in the the link to the to the demo.
That's one thing. Definitely go take a look at it, folks. So you have to kinda see this to really get into it. So, besides looking at it, what else should people look for?
We're also at the New York Summit. I I don't know if this is hosted live at the New York Summit, but go see us. Right? Because go, go talk to us.
We didn't cover that, didn't we? Robin is is live at the New York Summit. Yeah. If you're looking for, for market ends in a room somewhere near Ryan, then he might have the only working one.
Absolutely.
You know? I talked to Raymond Ganske.
He's, he's representing Aqua at the New York Summit.
Where's where's Waldo? I'm, like, right right by the, the Javits Center in a in a AWS building. So you can find me. We could we could talk. We'd have a little coffee up here on the sixteenth floor.
Yeah. Yeah. You mentioned earlier, Jay, around, sorry. When you Jay, you mentioned around, you know, a lot of stuff you're doing is is is is cloud native, and and that that's super important. That doesn't just go into the foundational services. So when when customers are using more cloud native services like, ECS or EKS or or, Fargate, they also tend to be using cloud native security tools as well. Can you talk a little bit around how you're integrating with maybe some of those tools?
Yeah. So we, we do integrate with, you know, tools like Security Hub, things like that. But, you know, we I I can I see us as a as a complement to those other tools? Right? So Security Hub and some of the other tools that AWS offers help you get an understanding of what's going on, but, again, it doesn't go inside of the application. It doesn't really dive deep into it.
You know, we we also work closely with, ECR. Right? We're able to go into ECR, read, scan the host container images, things like that. So we work close with the AWS cloud native security tools, but I would say we we complement them.
And what we do is we add consistency. I know there's AWS focused, but, you know, for all the different cloud providers, we add that level of consistency where each cloud provider might do things a little bit different. At the end of the day, it's, underlying infrastructures are very similar. But, you know, the names, the conventions, everything might be feel a little different.
So what we do is try to add a sense of normalcy to, to your different, you know, wherever you're hosting your, your containers or your applications.
I mean, that's super important customers as well because, you know, wherever you are on your cloud journey, you typically got a hybrid environment at some stage. You might be on multiple clouds or you might just we'll be running Kubernetes clusters, you know, on prem. So you've gotta have that from a security perspective, you've gotta have that consistency of controls and consistency of monitoring across your whole stack. Otherwise, you know, you you're opening, or leaving, doors open or or blind spots that, you know, potentially someone could exploit something.
And I will That's super important.
And the last thing I'll say about just that specifically is each cloud has their shared responsibility model, managed a little differently. Right? So, you know, it's either you're an expert in each cloud provider and their shared responsibility model, or you work with a vendor like Aqua where we can help you kind of keep that consistency and normalcy across your different cloud environments and on prem, obviously.
Speaking of controls, this man has the highest degree of self control that we've had any guest on the show, Rob. My swear jar is blank. It's sadly blank.
With I I I won't oh, oh, should I should I trip? You mentioned OWASP, and I just didn't say anything because I can't actually Oh, yeah.
You got me on one. Yeah.
You got me on one.
Oh. But I I can't I can't correct you because I can't I can't actually remember what else stands for.
I'm looking it up right now.
It's just that awesome. Right? That's that's what it is. Almost.
I'll, I'll take the I'll take the mark, and then I'll tell you what it's called.
It's called the Open World Wide Application Security Project.
There we go. We do that.
We do that.
I'll take the g. I'll take the g, though.
Take the g.
Oh my gosh. Gee. Well, hey, maybe that's the fewest number. I mean, we've had our own executives in charge of these products, and it's just we we use the acronym swear jar because it forces us all to make sure we're communicating clearly Right.
Right, to the audience, to ourselves, amongst everybody. We find that acronyms, when you assume, everyone understands we're on the same page, that's where, you know, we start to lose folks. So, hey. It's really good, so you you brought that to the table.
And, Gio, before we let you go, just one quick question. What's the last thing you ordered on Amazon dot com?
Oh, so I've been, exercising a lot, and, it's very silly. But, I've been exercising a lot, and we have this rule in my house where we don't bring the shoes inside the house. So Okay. I bought it's it's like slippers for your shoes so that if I wanna come in really quickly, I don't have to take off my shoes, put them back on, take off. So it's something you put on your shoe, you come in, do whatever you need to, and then you go right back out.
Fantastic. Reminded me that's reminded me of, if anyone's ever been into into data centers, tylenol suits and the little shoe things that you have to put on. Yeah. Yeah. Easy. Right. That's the nightmare of my past.
Yeah. Yeah.
It it it's like that, but it's, it lasts longer. Right? You don't have to replace them every day or whatever.
Fantastic. Well, Gio from Aqua Security. Thank you for joining us on Security Live.
Rob, and we'll be back, in a couple weeks. See you folks next time. Hello. Thanks, everyone.
We are a biweekly show every other Wednesday, which we come online at, I think it's eight to nine Pacific time. Ryan's gonna correct me if I've got his time zone wrong. But right now, we're in British summertime. It may not look outside, but it is. So we're four o'clock till five or if you're one of our European, continental, friends, then you're coming at us at five o'clock, Central European summer summertime. So, I'm joined by my, my esteemed colleague, Ryan. Do you wanna introduce yourself?
Thank you, sir Rob. Yes. Hello, everybody. Ryan Orsi here, together with Rob Hale in the AWS Partner Network, running a team called Cloud Foundations and Advanced Services. We get to play with all sorts of new technology and develop new products and help go to market resources out there for all things security with AWS partners.
Awesome. And we're we're not alone. You know, although we can just talk to someone as it were.
We're we also have special guests.
So, who we got today?
Drum roll. Drum roll. Drum roll. Gio. Hello, sir. Hello? With security. Welcome to security live.
Thank you. Thank you.
Be before before we we need to say hi hello to the audience, I just wanna explain this little jar over here, the the swear jar. At reinforce, Rob and Himantu and Margo, the other cohosts of Security Live, we, we had a physical jar. But right now, we're gonna do it virtually with you. That's the acronym swear jar, and Rob and I are perfect humans. We we never make a mistake, so we never use an acronym, and we and and and not follow it up with the definition. So if you, you'll have a little g in there, if you make an acronym swear.
Keeps keeps it interesting.
Anyway, sir, would you like to introduce yourself to the audience?
Yes. Giovanni Rodriguez. Everyone calls me Chiyo. I am a technical product manager for Aqua Security, and my main focus is on the cloud security, AWS, space.
Awesome. And Aqua, a cloud native company. Can you tell us a little bit more about Aqua, how you started and and and, I mean, how you help customers?
Yeah. So Aqua started as a container security company back when Docker and Kubernetes were starting to gain popularity. And, from there as the cloud evolved, as Kubernetes evolved, as containers evolved, we've also evolved. So, as you probably know, the container security or the container world has moved towards serverless.
Now that's the bigger technology that's going out now. So as the containers have evolved and the security and the the the shared responsibility model, we've also evolved with it. So, you know, we started with just container security. We moved into, Kubernetes, and now we also offer Fargate and what we call cloud native.
So Fargate, ECS, these are cloud native technologies, and, you know, we this is our bread and butter. Right? This is what we do.
And folks watching Feel feel free to feel free to hit, Geo with with some questions as well as we go. Sorry, Rob. Keep going.
Yeah. We want we want loads of questions. And and, actually, this is something that whenever I talk to customers around, they're always looking at how do we help the business get to, you know, the endpoint, get to serverless and and containers. And and often, you know, kind of a lot of your view is on the the lift and shift from let's get into into cloud. But, really, what the what the application owners wanna do is they wanna get to, to serverless. They wanna get to containers, and cloud native services so they can make use of the the schooling and that's available to make them more agile and and and more efficient. So I think having, partners that help you do that is super important for a security team as well in making that happen.
Yeah. Absolutely.
You know, there's a lot of challenges, especially with the customers that we deal with, on premise customers that are moving out to the cloud and starting their cloud journey, even customers that are more mature in the cloud. But what we see is, as you move and you go from, let's say, Kubernetes and you wanna evolve and mature and move to a serverless technology, the security isn't the same. Right? So there are a lot of different challenges that get posed as you migrate, mature, move as a shared responsibility model changes as well. Right? Servers versus serverless.
Well, let's actually Interesting. Let's actually peel that back a little bit.
So common conversation Rob and I have in our teams, like, every day.
Mhmm.
Okay. In the traditional sense, monolithic application style, there's an executable. It has libraries. It's running.
It's pull it's it's running in memory. And any any, like you know, there's logs coming off of it or traces coming off, and you can monitor it. It's it's it's right there. It runs right here.
Here it is. This is how much memory it's consuming, how much storage it's consuming. It's connected to this database. I know everything about it.
Right?
Now trans move to the the, you know, modern serverless and container, you know, application development where a container is executing, like, a serverless call or vice versa, and something some resource spins up for a microsecond and disappears.
Right. So it's it's that it's that fact, the ephemeral nature of serverless container based application design and development that people people hear that statement and they say, what are you talking about? How am I ever going to keep consistency with application observability and traces, of course, like the performance of the app? And on the security side, you know, who's accessing it? What was it what what identity accessed it when? What what did they access? What did they issue a command to this application if if it's an input into the app?
What what what do you say, sir, Gio, from Aqua here about that? How do you calm people down? How do you calm their nerves down?
Yeah. So we have, our, you know, we're really big in the security container security space, so we have a lot of patents. Yeah. We have a couple different patents.
We do have what we call our micro enforcer, which is the Fargate or cloud native, container enforcer. And that basically can run as a sidecar, can run, you know, natively inside of the application or the container, and that's monitoring all the network traffic. So as you start to abstract away from, you know, being in the system, being in the server, monitoring the logs, doing all of that, you still wanna make sure that you're secure. Right?
You wanna make sure that the application doesn't have vulnerabilities, the vulnerabilities aren't being triggered, people aren't accessing your your container or your application or, you know, anything. So with our micro enforcer, we're actually monitoring all of the network traffic. We're monitoring all the calls in and out of the container. You know?
Because you don't have access to the host, doesn't mean that you're still that you're fully secure. Right? You need to also be able to monitor what's happening inside of the container.
That's really you you mentioned a couple of things there, but you mentioned, you know, distinction between two areas. One was having an agent, so an agent based approach. The other was sidecar. Can you explain the the kind of differences between those for our audience, but also where where you might use them? What what might be more suitable for for which environment?
Right. So so an agent you're gonna wanna use in a traditional Kubernetes environment, something where you have access to the host and you could be monitoring the host. The agent actually works as, like, a separate container that's, inside of the Kubernetes cluster, and it's monitoring and and accessing and looking at the metrics, looking at logs, looking at, who's accessing what, identities, permissions, networking.
And the sidecar approaches for environments where you don't have access to the host, where you don't have access to the underlying infrastructure, but you still wanna be able to monitor what's going on. So the sidecar kinda acts like a secondary container, and it becomes kind of the entry point. So it's almost like a man in the middle in between the network and the outside coming into the container itself for the application that's being run.
What I love about what you just said, Gio, is security concepts in your talk track there, they're familiar.
Even in the monolithic application style, it's familiar, but the app is being broken apart into all these different serverless functions. Containers are scaling up and scaling down. They they they're created one minute. They disappear the next.
But still, you wanna know the traffic. You wanna know the calls. You wanna know the identity of what made the call. You wanna know date, time stamps.
You know? You wanna know you wanna know as much as you can about that. It's it's all available to you when you use something like like Aqua. I think that's that's a that's a key, like, superpower that you y'all bring to the table.
I will I will say that we we go past that. Right? So it's not just a visibility play. I think what makes us unique in the industry and what we do, that's very special is our blocking capabilities and what we call our vShield or vulnerability shield.
So with our blocking capabilities, we can actually block malicious behavior, malicious activity from even happening, which is very important because, you know, even if you have an application that you think is secure, you're in, an AWS account that's hardened. Right? There still can be issues or there still can be malicious network calls or things that happen. So we're able to actually block malicious behavior from happening.
Right? And the second thing is our vulnerability shield. So we're we can actually if you we see that there's a vulnerable package in your system that's not being used, we can actually put a shield on top of that to ensure that that vulnerability doesn't actually even get triggered, that that that vulnerable package doesn't even get installed. Right?
That's another pattern that we a pattern pending that we have, in our system. So, you know, when you're talking about vulnerability management, which is a big topic nowadays, especially with, again, going back to the shared responsibility and you get into serverless, really, when you talk about serverless in the shared responsibility model, the customer's main responsibility are the vulnerabilities.
Main responsibility are the vulnerabilities. Right? You you know, because the the the host is covered and because you've hardened the account and everything else, the only thing that can be exploited are the vulnerabilities or the packages inside of the system. Right?
That's the main entry point. So with our vulnerability shield, it helps with the vulnerability management because as you get to the point where you find that you have hundreds or thousands of vulnerabilities, some of them might be very critical, high, you know, some might be low, medium. But the idea is you're not gonna get all vulnerabilities that same day. Right?
So do you either not ship your application and wait till you fix all the vulnerabilities? Right? It's Now The reality situation.
Now we're getting into it. Yeah. Now we're getting into it. Actually, Gio, one of our audience members with the coolest coolest handle, Schizophrenic web developer asks, how do you detect if a malicious if it's malicious traffic or legitimate traffic? Is it traffic, or is it a payload of a call? Yeah.
So so we're not necessarily you know, we do networking, but we aren't a network company. Right? We aren't a a true network security company. So what we're doing is we're doing behavior analysis. We're looking at, signatures, and we're looking for signature based attacks. We're looking for specific pattern patterns, things like that that are happening in memory in the runtime.
This is this is what we're really detecting and trying to block.
What do you what can you block?
What can we block?
That's Like, what's the blocking control mechanism? Do you use access to a container or do you for a identity, or do you disconnect it from your Yes.
So it's let's say, the there's, a message coming through or, a call coming through that's that we deemed malicious, we can block the call. We can block the container from taking actions that it shouldn't be taking.
We can stop, you know, certain in memory actions from taking place as well. So, again, it's more on the blocking, but then the going back to the vulnerability shield as well, it's also stopping, let's say, remote exploitable vulnerabilities from actually triggering because the pack vulnerable package wouldn't even be installed, so there's no way of accessing it. Great example would be like Log four j.
Right?
Very popular happened a few years ago. Right? So that's that's a a logging mechanism that's pretty much used for debugging. So if you're not debugging and you don't need it, you know, there's no reason for really having it in your system.
So we make sure that that doesn't even get installed in your system so that someone can't take advantage of the package of being in your in in in this.
So you're reducing the you're reducing the attack surface at the same time as helping the customer to make use of of or or make sense of all of the reams of of vulnerability reports they have.
So you can reduce that pile down, but then you're also making sure that actually you don't have, you know, unwanted or unneeded processes running, and the package is being put.
And that's super Yeah.
Right. And when we talk about what we do, it's not just on the runtime side. Right? We do manage the entire application life cycle. So we have our supply chain tool, which actually scans the container images, can block container images from actually being deployed.
Then we also have our dynamic threat analysis DTA. I said the acronym afterwards.
Geo.
I was getting a lot of time.
Very smooth.
Yeah. So, we have our dynamic threat analysis. That's another patent that we have. Right? So, you know, it's not enough to just statically scan the container image.
Right? Because what we've seen and from our team Nautilus, we what we noticed is that fifty two percent of the cloud native attacks happen in memory. Right? So static static analysis isn't gonna actually show that.
So we have our dynamic threat analysis. It's like a multifaceted. The first thing is static analysis on the container image. Second is creating and helping you, validate your golden image.
Right? So you have now you have your golden image. You put it into a dynamic thread analysis. You're kinda like a sandbox container.
It allows it to run, sees what's happening. If everything looks great, everything's good. Now you validated your golden image. Let's put it into, production, into the runtime.
Right? And then now we continue to continuously monitor the runtime as well.
What in that dynamic threat analysis sandbox environment, are you matching or looking at, like, the typical cybersecurity kill chain of, like, a malware campaign where this looks like reco this looks like reconnaissance activity. They're looking for what doors and windows are open. This looks like a pay payload distribution. This looks like command and control callouts. Is is that kinda cool?
So we have a team Nautilus. They do all they do is research. And what they're looking for is behavioral attack like, they're doing behavioral analysis for on attacks, incidents, things like that. And they basically create what we call behavioral signatures. And we're monitoring and we're we're looking for those signatures. And then if we see anything that matches what we're looking for, we consider that to be we call them incidents.
Well, that's a whole lot cooler than just network traffic inspection Yeah. For our schizophrenic web developer.
So, yeah. Aqua, we consider ourselves to be a CNAP solution. That's a cloud native application platform protection.
You're just not gonna give it to me, are you, Gio? I'm just gonna have a blank.
It's been very bad about Sledge also. Yeah.
Yeah. So that means we we cover the entire life cycle. We cover from the pipelines and your, CICD. We we look at your container images.
We're monitoring it in the run time, and then we also look at your cloud posture as well. Right? So we're CSPM, cloud native cloud security posture management. We're looking at the misconfigurations.
Basically, the hardening of the AWS account as well. Right? So we're basically looking at everything outside and inside.
I was gonna ask you because you made you made the you made the statement that customers are primarily responsible in the AWS share responsibility for security model. Security in the cloud, you you defined as primarily, like, the bulk of that responsibility is vulnerabilities of the applications that they're putting in there.
But what about I think that you just mentioned it now. The configuration of AWS services, configuration of third party tools and products they're they're launching inside of it, whether it's a machine image or or a SaaS solution, software as a service solution. Almost got myself there.
Misconfiguration.
I hear it's a big problem. I mean, that's that's something you guys address as well. And misconfiguration as as determined by who. Right? Like, what's the best who's who's the source of the best practice of how you should or should not configure something?
Yeah. So this is actually where I started my journey in, in the cloud and in, cybersecurity. So I started on a small startup called Cloudsploit. All I did was misconfiguration management and scanning, and Aqua quickly, acquired us as part of, you know, the maturity model.
We started with the on prem. As we moved to the cloud, we realized that just protecting the application in the cloud isn't enough. Right? You need to actually protect the configurations and how the cloud is configured altogether.
So, they I became part of an acquisition. This is all I've been doing. This has been my bread and butter since I started. So, you know, it's it's a big, it's a big challenge.
Right? So as we've seen, I think, over over seventy percent of the cloud native attacks that have been happening, that lead to major intrusions have happened because of common misconfiguration, something as simple as, permission, or just, let's say, a public access, configuration. So we take that very seriously. Right?
So, you know, we make sure that your AWS count is as hardened as possible. Right? And that in itself is important, but it's not enough. Right?
Because it I think in this idea of the shared responsibility when you're moving from on premise to the cloud, you think that just hardening the AWS account because that's the part that is the shared responsibility or responsible for hardening your own AWS account, they AWS does a good job of giving you a very blank slate and lets you, customize and be as dynamic as possible. So that customization often leads to misconfiguration just because customers don't understand necessarily what configurations are best. So what we do is we are using, AWS best practices. Right?
We are leveraging OS, so we're leveraging all of the major compliance frameworks and standards, and then we do our own research. Right? Our again, going back to our team Nautilus, our team Nautilus is basically looking at different ways to or different ways that misconfigurations in your cloud environment could lead to, intrusions.
Something as simple as, you know, a a a lack of permission and then being able to do a what do they call it?
Sorry. Are you thinking are you thinking, elevated permissions? Right.
Are you thinking lateral Per escalation.
There we go. Per Yeah. Lateral attack, privilege escalation. Exactly. Those types of things. Right? So we do, like, a holistic, check if if we're talking about Fargate or serverless.
Right? Then, you know, we're also looking at how you've configured it, what are the networking pieces around it, who who who has access to what? Who can access your Fargate? Where can your access Fargate access?
You know, different things like that. Making sure that you've, you know, configured your cloud and you've hardened your cloud correctly.
Well, Ed, I don't know how Rob, how how you feel about this too, but a hardened AWS environment drifts it drifts with new people coming into an org new people coming into an organization, new requirements and applications coming into that environment. It always drifts. I I just think I mean and, Rob, do you do you agree with that?
Yeah. Absolutely. And you see, you know, from when we've been talking through this, if you're a customer and you run Kubernetes on on prem, when you're gonna migrate that into the cloud, and then you're probably gonna go to Fargate. Right? So if you look at the, you know, the the evolution of that with the shared responsibility model, on prem, you're responsible for everything. You know, move to EKS, so Elastic, Kubernetes Service, or even ECS, on on AWS.
And you then have the shared responsibility model, and and what most customers are now doing is they're moving to Fargate. They're they're moving the the the shared responsibility. You know, responsibility learning is is moving up a little bit.
And and so what Acura is doing is you're helping customers to get from on prem into a, you know, a more managed service, and you're really, helping them to move fast but keep control of the things that they're responsible for. You know, things like run time and and and obviously the configuration.
Because it's when I when I work with customers and they're trying to keep on top of of what's going on, particularly from a security operations perspective, they need to have guardrails. You can't move fast about guardrails and everything around, serverless and containers is all around speed and agility. So you absolutely have to have guardrails. But, really, what you'll be monitoring is exceptions to those guardrails. You're not having to look at absolutely everything. But I love the fact that you're continually helping customers from on prem, you know, all the way into, you know, potentially a managed container service.
Right. And and the shared responsibility model, you know, everyone sees it as static. Right? It's either on premise or in the cloud, and then you're in the cloud, it's like a fifty fifty.
The reality isn't fifty fifty, and it's very dynamic. Every service can have a different shared responsibility. Right? And especially when you start talking about servers versus serverless.
And I think what has happens as well is the the people who are very mature in the shared responsibility model, who have hardened their cloud very, very well, have very secure cloud, Feel that false sense of security where I can just do whatever I want because no one's gonna be able to remote access, or no one's gonna be able to attack me, or no one's gonna be able to access it because the house or my cloud has the security guard and has the doors closed and has right? But you don't realize that there could be, someone into the house. Maybe someone tunnels in from under. Right?
You don't you don't you don't know what you don't know. Right? So that false sense of security that kind of that you've fall into, especially when you start getting into service applications, Lambda is probably a prime, candidate for this as well, right, where you just feel like AWS is handling everything for me. I I shouldn't have anything to worry about.
Well, it hey.
We we partner with cyber insurance companies too, Gee. I don't know if you know that. There's a cyber insurance competency you can look up at online, folks. But, you know, we get involved in those incident response situations where it's looking back at something someone had a bad day, and we're looking back.
And your point about someone tunneling in, I mean, this is like an a metaphor. We don't actually be, like, VPN tunneling into your cloud account. But, in in the run time of, like, the applications that are actually running. I think that's what's very, very important and your superpower of being able to block, as you said, block malicious looking activity.
I love that you're you call them team Nautilus there at Okta. Yep. Yep. Is is studying, say, kill chain kind of behavior about on different kind of campaigns, malware campaigns.
That is very cool.
I think that's part of your definitely your secret sauce you're bringing to to the table. Because that that's unique per customer environment, and your tool is is able to adapt is able to adapt to that. What else should should folks be looking out from AquaXile? We just pasted in the the link to the to the demo.
That's one thing. Definitely go take a look at it, folks. So you have to kinda see this to really get into it. So, besides looking at it, what else should people look for?
We're also at the New York Summit. I I don't know if this is hosted live at the New York Summit, but go see us. Right? Because go, go talk to us.
We didn't cover that, didn't we? Robin is is live at the New York Summit. Yeah. If you're looking for, for market ends in a room somewhere near Ryan, then he might have the only working one.
Absolutely.
You know? I talked to Raymond Ganske.
He's, he's representing Aqua at the New York Summit.
Where's where's Waldo? I'm, like, right right by the, the Javits Center in a in a AWS building. So you can find me. We could we could talk. We'd have a little coffee up here on the sixteenth floor.
Yeah. Yeah. You mentioned earlier, Jay, around, sorry. When you Jay, you mentioned around, you know, a lot of stuff you're doing is is is is cloud native, and and that that's super important. That doesn't just go into the foundational services. So when when customers are using more cloud native services like, ECS or EKS or or, Fargate, they also tend to be using cloud native security tools as well. Can you talk a little bit around how you're integrating with maybe some of those tools?
Yeah. So we, we do integrate with, you know, tools like Security Hub, things like that. But, you know, we I I can I see us as a as a complement to those other tools? Right? So Security Hub and some of the other tools that AWS offers help you get an understanding of what's going on, but, again, it doesn't go inside of the application. It doesn't really dive deep into it.
You know, we we also work closely with, ECR. Right? We're able to go into ECR, read, scan the host container images, things like that. So we work close with the AWS cloud native security tools, but I would say we we complement them.
And what we do is we add consistency. I know there's AWS focused, but, you know, for all the different cloud providers, we add that level of consistency where each cloud provider might do things a little bit different. At the end of the day, it's, underlying infrastructures are very similar. But, you know, the names, the conventions, everything might be feel a little different.
So what we do is try to add a sense of normalcy to, to your different, you know, wherever you're hosting your, your containers or your applications.
I mean, that's super important customers as well because, you know, wherever you are on your cloud journey, you typically got a hybrid environment at some stage. You might be on multiple clouds or you might just we'll be running Kubernetes clusters, you know, on prem. So you've gotta have that from a security perspective, you've gotta have that consistency of controls and consistency of monitoring across your whole stack. Otherwise, you know, you you're opening, or leaving, doors open or or blind spots that, you know, potentially someone could exploit something.
And I will That's super important.
And the last thing I'll say about just that specifically is each cloud has their shared responsibility model, managed a little differently. Right? So, you know, it's either you're an expert in each cloud provider and their shared responsibility model, or you work with a vendor like Aqua where we can help you kind of keep that consistency and normalcy across your different cloud environments and on prem, obviously.
Speaking of controls, this man has the highest degree of self control that we've had any guest on the show, Rob. My swear jar is blank. It's sadly blank.
With I I I won't oh, oh, should I should I trip? You mentioned OWASP, and I just didn't say anything because I can't actually Oh, yeah.
You got me on one. Yeah.
You got me on one.
Oh. But I I can't I can't correct you because I can't I can't actually remember what else stands for.
I'm looking it up right now.
It's just that awesome. Right? That's that's what it is. Almost.
I'll, I'll take the I'll take the mark, and then I'll tell you what it's called.
It's called the Open World Wide Application Security Project.
There we go. We do that.
We do that.
I'll take the g. I'll take the g, though.
Take the g.
Oh my gosh. Gee. Well, hey, maybe that's the fewest number. I mean, we've had our own executives in charge of these products, and it's just we we use the acronym swear jar because it forces us all to make sure we're communicating clearly Right.
Right, to the audience, to ourselves, amongst everybody. We find that acronyms, when you assume, everyone understands we're on the same page, that's where, you know, we start to lose folks. So, hey. It's really good, so you you brought that to the table.
And, Gio, before we let you go, just one quick question. What's the last thing you ordered on Amazon dot com?
Oh, so I've been, exercising a lot, and, it's very silly. But, I've been exercising a lot, and we have this rule in my house where we don't bring the shoes inside the house. So Okay. I bought it's it's like slippers for your shoes so that if I wanna come in really quickly, I don't have to take off my shoes, put them back on, take off. So it's something you put on your shoe, you come in, do whatever you need to, and then you go right back out.
Fantastic. Reminded me that's reminded me of, if anyone's ever been into into data centers, tylenol suits and the little shoe things that you have to put on. Yeah. Yeah. Easy. Right. That's the nightmare of my past.
Yeah. Yeah.
It it it's like that, but it's, it lasts longer. Right? You don't have to replace them every day or whatever.
Fantastic. Well, Gio from Aqua Security. Thank you for joining us on Security Live.
Rob, and we'll be back, in a couple weeks. See you folks next time. Hello. Thanks, everyone.
Watch Next
