The Top 7 Cloud Native Security Myths Debunked

In cloud native security, persistent myths and misconceptions can mislead teams and weaken the protection of modern cloud environments. This webinar, “The Top 7 Cloud Native Security Myths Debunked,” will uncover the truth behind the most common misunderstandings and provide proven strategies to strengthen your container security, Kubernetes security, and overall cloud security posture.

We will challenge widely held beliefs, from the false assumption that cloud native workloads do not require specialized security strategies to the misplaced reliance on traditional security tools for protecting containers and microservices. Attendees will learn how to address these gaps and adopt best practices for securing applications, workloads, and infrastructure in dynamic cloud native environments.

This expert-led session will feature real-world examples, actionable guidance, and insights into the evolving threat landscape, empowering your organization to build a resilient cloud native security strategy that protects against modern attacks.
Presented By:
Erin Stephan, Director, Product Marketing, Aqua Security, and Meha Varier, VP, Product Marketing, Aqua Security
Transcript
Good morning. Good afternoon. Good evening, everyone, and welcome to the security session on the top seven cloud native security myths.

I'm Joe Murphy, and I'm absolutely delighted to have you all here with us today. Before we dive in, let's take a brief moment to outline what we're gonna be covering today. So these misconceptions, ranging from software supply chain security to the adequacy of traditional security tools, can very often lead organizations astray. So today, we'll separate fact from fiction and empower you with the knowledge needed to fortify your cloud infrastructure effectively.

Our speakers today, they bring a wealth of experience and knowledge to the table. They'll be sharing real-world examples, expert insights and actionable advice to help you navigate the complexities of cloud native security with confidence.

And as a reminder, this session is being recorded. A copy of the recording will be sent via email, but you can always revisit right here on LinkedIn, and please engage in the conversation, submit your comments, as that really always makes for a great dialogue. In fact, let's go ahead. Let's get it going right now.

Where's everybody joining us from today? Let us know in the chat. So team, without further ado, let me introduce our wonderful speakers who will take it away. We have Erin Stephan, our principal product marketing manager, and Meha Varier, our vice president of product marketing.

So that's enough for me. Yeah. Over to you.

Thank you, Joe. Let's get started.

The first myth we want to discuss is the misconception about the importance of software supply chain security.

Some might say it isn't crucial to a cloud native strategy.

Now, before we jump in, Meha, can you explain a little bit about what software supply chain security is?

Of course. Well, the supply chain and software supply chain security refers to the entire process involved in the creation and delivery of software.

Now software supply chain security is still a relatively new security practice, becoming more and more popular in recent years as the software development process becomes more complex, incorporating numerous dependencies and third party components.

Let's take a further look into why software supply chain security is so crucial.

Awesome. I think you have some examples to share. Right?

Yep.

Software supply chain security is a critical component of a cloud native security strategy because cyber attackers are continuously evolving their tactics and targeting all stages of the software supply chain. By exploiting vulnerabilities within the supply chain, attackers can compromise software products, steal sensitive data, and even disrupt critical services.

Now, Meha, would you agree that really there's been no bigger cyber security trend over the last several years than the rise in attacks related to the software supply chain?

Completely agree. In fact, Gartner predicts that by twenty twenty five, almost half of all global organizations will be impacted in some way by a supply chain attack.

And let's not forget, right, some of the popular software supply chain attacks of the last few years, you know, Kaseya, SolarWinds, for example.

Yep. Great point, and we'll cover those in more depth in the coming slides. If the rise in software supply chain attacks isn't enough, compliance requirements and legislation are. In May twenty twenty one, you might remember, Erin, the Biden Administration issued Executive Order one four zero two eight. And this order was in response to a series of significant cybersecurity incidents that highlighted vulnerabilities in the US software supply chain and other critical infrastructure.

This order aims to strengthen the nation's cybersecurity defenses across federal agencies and the private sector with a particular focus on improving the security of software supply chains.

While there are no hard deadlines for complying with this order, there are milestones on assessments, on development of plans, and initial steps towards implementing the order's goals that need to be demonstrated.

Yeah. That makes a lot of sense, Meha. And right, exactly that. If the government is getting involved in requirements for the software supply chain, I'd say it's a pretty big deal. I think, you know, it's really critical because the security and the integrity of our software products, they're so far reaching. And they have implications not just on our organizations, but customers and really potentially national security.

Exactly. Well, let's consider this myth busted.

I agree.

So let's take a look at myth number two. And so, focusing solely on application security, or excuse me, application code, ensures security. And this is really a great one.

Right? Because we know shifting left is so important. That's what we just talked about. But what we wanna clarify here is it's just one piece of the puzzle.

Yes. Exactly.

Code scanning is very important.

And employing technologies such as static application security testing, known as SAST, and software composition analysis is crucial.

These technologies, each with a specific purpose, form an essential part of the application security ecosystem.

However, the journey to securing a cloud native application involves more than just adopting a shift left approach where we embed security early in the software development life cycle.

Do you wanna examine this myth further?

Yeah.

I think we should do it.

K.

So since code scanning happens pre production, what happens is it's not taking into account any of the cloud risks or real time threats of our running applications.

Which creates gaps in our cloud native protection strategy?

Yep. Exactly. And so what we know, right, is that the landscape is continuously evolving. I think that's the first line of every blog that you're gonna read about cloud security. Right? Because these new vulnerabilities and these attack vectors, they're emerging every day. And so what happens is that if we focus only on the application code, we might not address the novel or sophisticated attacks that are exploiting other aspects of our technology stack, not to mention the human elements of our organization.

Right. And what about compliance?

Another really great point. Right? Compliance with regulatory frameworks and standards, you know, things like GDPR, HIPAA, PCI, all of this involves more than just secure coding practices.

So it's recommending, you know, security controls that go beyond application code, you know, or how we manage our vulnerabilities, how we're preventing against malware, are we checking our inventory of all of our cloud resources?

And really what we need is to have a solution that's offering a runtime protection component and covering cloud account misconfigurations. All of this is equally critical.

Yep. That's right. Because you also have to think about zero days. Right?

Exactly. I mean, really good point. Zero days are continuing to rise. And doing some research for this presentation, you know, Google in its last zero day announcement found forty one in-the-wild zero day attacks that were detected and disclosed.

So what you're saying is that application code scanning plus runtime provides the necessary safeguard for protecting cloud native applications. You've got it.

I think we can call this myth busted.

I love it. This is fun.

Okay. I'm really excited about this one.

Alright. Well, let's jump in. Image scanning and agentless workload scanning guarantee compliance.

Yeah. But before we bust this myth, I think what we need to do, we're talking about a lot of scanning, right, in these first few slides. So I think we just have to talk a little bit more about the differences between what image scanning is and what agentless scanning is. I agree. Take it away.

So when we first talk about image scanning, what image scanning is, it's done pre production. Right? It's a really critical step in a holistic container security strategy because it's helping to identify security issues within those images, right, within those container images. And what it does is, by identifying those potential issues, it's helping our DevSecOps team or a developer team to take those corrective measures before we go ahead and deploy those containers.

Okay. An agentless scanning?

Agentless scanning is a little different. Right. What's happening with agentless scanning, it's our method of performing those security scans in the post production environment. So what we're doing here is it's operating at the orchestration level and we're looking to assess our, you know, vulnerabilities, misconfigurations, potential compliance issues, and really any other security concerns.

Okay. So what you're saying is that agentless scanning is a great way to take inventory of all your cloud accounts and to help you understand your known risk. Right?

Yes. You've got that right. It's really important. This known risk. So let's talk about why these tools aren't enough.

K.

So it's really important to know they're critical methods. Right? They're pieces of a very large cloud native security puzzle, and they're helping organizations to identify these known risks, exactly that, your vulnerabilities, your misconfigurations.

Yeah. Well, especially with misconfigurations accounting for ninety nine percent of cloud security failures. That's Yeah.

It's a huge, you're exactly right, a huge amount. But the problem with scanning, right, is that it fails to provide any type of proactive protection.

And so, yes, we know there's many, many different compliance frameworks. There's many different regulatory requirements, right, especially depending on geography. But those requirements, they have varying rules regarding how you manage your vulnerabilities, what the security monitoring looks like, how you are responding to incidents. And it's really important to understand that scanning alone, it's not providing the holistic compliance cloud native security strategy.

Right. And that's because scanning methods don't directly address issues related to access privileges, or in-memory malware, or zero-day vulnerabilities.

Yeah. And not to mention right. Today's attackers, they're smart. They know the tools that we have in place. They're designing these attacks to evade agentless detection.

And for example, right, many of you may have heard us in previous webinars talk about our phenomenal cloud native threat research team, Aqua Nautilus.

And so in last year's threat report, they uncovered a fourteen hundred percent increase in fileless attacks last year. And why this is so impactful is because these types of malware attacks, they're specifically designed to evade agentless scan detection.

Well, okay.

So what should be done to comply with regulatory frameworks? So, really, what you need, not just for compliance, right, but for a holistic cloud native security strategy, is a runtime agent.

So that runtime agent, it's going to ensure those strong security controls that protect your workloads against threats and attacks in real time. Right? The only true way to ensure you meet your compliance requirements is to have protection across the environment. It's that complete full application life cycle approach. A solution that's integrating scanning. Right? Because we know how important scanning is, but it's integrating it with that real time workload protection and monitoring.

So I think with this one, we can move on and we can call this myth busted. What do you think, Meha?

I agree. Okay. Alright. Well, let's go to the next one. So in the last myth, we talked about known risks. See?

Yeah. So what we mean by known risks, right? I made this point a few slides earlier. The known risks are our misconfigurations, our vulnerabilities, the things that we know are gonna happen that we have to go and prioritize.

Well, this brings us to our next myth about vulnerabilities only being exploited in production.

Yeah. And there's this common misconception, right, that you can only exploit vulnerabilities in production. They're only critical in the runtime environment. And, I mean, yes, vulnerabilities in the production environment, they're particularly concerning, right, because they have direct user access.

They're exposed to the internet. You know, they have huge potential impact on your business operations. I mean, who on this call remembers Log4j? Right?

Yeah. But vulnerabilities can be exploited at any phase of the software development life cycle.

That's right. Well, let's take a closer look at that. Okay.

So attackers could exploit vulnerabilities at any point in the software life cycle. We just talked about that. And the way they take advantage of that is basically they gain initial access, they escalate privileges, or even move laterally within an organization.

And oftentimes they target non production environments to gain this access and steal sensitive data, as well as establish a foothold for further attacks.

Yeah. And that's what happened. I mean, we talked about SolarWinds and Kaseya earlier, but that's what happened with the infamous SolarWinds attack. Right?

Absolutely.

It was one of the most sophisticated and consequential supply chain attacks because attackers were able to insert malicious code into SolarWinds Orion software during the development phase. And then the compromised software was weaponized and distributed to approximately eighteen thousand customers.

Including government agencies and Fortune five hundred companies. And this is just one example of how vulnerabilities in the development process can lead to widespread compromises in production environments.

So if we think back to our first myth on software supply chain security, SolarWinds is a perfect example of why the software supply chain is a critical component of vulnerability management.

Yeah. Exactly. I love this example too. Right? These high profile examples that we saw blasted all over the news at the time.

So I think it's really, I mean, it's really safe to say, Meha. Right? That vulnerability management has to occur at every step of the life cycle. Yep.

That's absolutely right. So I think we call this one busted. We can move on to number five. We're flying through these, Meha.

These are some good myths we've got to uncover.

For sure. So let's shift gears a bit now and talk about shift right and runtime protection. What do you think, Erin?

Yeah. I think it's a great idea. I like the little play on words there. Shift gears to shift right.

So, really, I think this is important because traditional agents of the past, right? We've heard this about endpoint agents: they're clunky, they're disruptive, they're causing performance issues. I mean, a whole slew of issues. Right?

Yep. And also they have a reputation for slowing down production and even causing apps to fail.

Yeah. But I think the most important part here is that those are agents of the past, traditional agents of the past. So what we really wanna do, we really wanna explore in today's conversation, is the importance of runtime security. Right?

It's such a critical part. We talk so much about scanning. Again, one piece; another piece is runtime security. And in order to do that, we need to talk a little bit about the advancements that have been made in agent based technology.

Let's do it. K.

So modern agents, the agents of today. Right? They're designed to be lightweight, they're designed to be efficient, and they're designed to have this minimal impact on system performance. They utilize technology like eBPF. So the value of eBPF is it's going a level deeper.

Right? It sits right in the kernel level so that you have that visibility, but it's also low friction. It's lightweight. It's taking some of that concern of these bulky, clunky, disruptive agents out of the picture.

The approach really is to reduce those performance issues with those heavier agents and offer a more efficient and seamless security process.

And effective runtime security, what do you think, Erin? Does it offer more than just blocking attacks in progress?

Yeah. I think that's a huge part of this that we wanna highlight. Right? Because it's not just the fact that runtime security is disruptive because of agents, but it's also, I think, this common misconception that you hear runtime and you're, oh, block.

It's automatically gonna do something that I don't want it to do. And if we block and we stop, that could have impact on other things. And especially your developer teams. Right?

If you're on the call and you're on the security team, right, your developers don't want that to happen. But what we have to convince them of is that runtime stopping attacks, it's a big value add. Right?

But it's just a subset of capabilities.

An effective runtime solution, it's really multi step. It's multi layered, because what it's first doing is it's helping to reduce the attack surface. It's providing those prevention or those hardening controls to restrict any type of access to prevent lateral movement. Right?

The least privilege, you know, the concept of least privilege, ensuring that only those that have access can do what they need to do and that the container only performs the intended functions it's supposed to perform. Right? And so a runtime solution, yes, stopping, but also hardening, and also detecting. And so what we really need to know is that an effective runtime solution is providing that identification, that prioritization and that stopping of sophisticated threats from executing in runtime.

Well, you're right about the sophisticated threats because I think cyber threats are becoming more and more complex, sophisticated, and attackers are now using tactics that easily evade traditional security measures.

Yep. Exactly. And we talked about this earlier, but I think one of the stats we wanted to pull up here too is, again, from Aqua Nautilus: within one hour, just a single hour, an attacker can scan the internet and exploit a zero day vulnerability. And not to mention, like we said, they're going to great lengths to conceal their methods from detection.

And so runtime security, again, it's not just stopping and disrupting production. It's really, really important because it's the critical step in protecting, detecting, and mitigating the exploitation of unknown vulnerabilities, right, those zero days, and also all those attacks that are designed to, you know, bypass pre runtime defenses.

And between that and the fact that agents have improved, they're more modern, they're less intrusive, they're lightweight. This is really enhancing the overall user experience, and efficiency, but at the same time still delivering that proactive protection against those sophisticated threats.

Well, sounds like this myth is busted. I agree.

Alright. Well, Erin, now why don't you talk to me a little bit about container orchestration tools?

What are they? Why is there a misconception that they provide security out of the box?

Yeah. It's a really great question, Meha. One that, especially in cloud native, right, especially at Aqua, you know, we've been doing this over eight years, this is something that we come into contact with a lot. And really, again, container orchestration tools. Right? Kubernetes, Docker Swarm. These are excellent tools because they're providing the efficiency and the scalability to manage containers.

But what they aren't is silver bullets for security. Their primary role really is to automate the deployment, the scaling, the management of containerized applications, because they are complex.

But don't they offer some baseline security controls?

Yeah. They do. They do. I mean, they're great for sort of these initial features, right, that can enhance security, things like, you know, secrets management or network policies, but they don't automatically secure containers against all threats.

And, you know, we just talked about how sophisticated these threats are, but not to mention that is these tools can be very complex. So these security enhancements, they're not out of the box. Right? They have to be configured properly.

And that takes time. Right? You have to understand the ins and outs; that takes resources, you know, education.

And so it makes it a little more confusing, not as straightforward as maybe some may think.

Okay. Well, let's untangle this myth a little bit more. I think it has a little bit more depth to it.

Yeah. I agree. Let's go into it.

So what we know about containers, right, all of you, especially if you're building or using containers to build your cloud native applications today, they're very complex. They're different. They bring a lot of benefits, right, of the cloud.

But because they're dynamic and complex by nature, I mean, makes them difficult to secure.

Exactly. Exactly. And this complexity, right? It's only increasing as we scale bigger and broader. And not to mention you bring in, you know, your hybrid or multi cloud environments. Right? There's so much to take into consideration.

And, you know, those orchestration tools alone, they can't do that.

Right. So this is why you need a dedicated container security solution.

Exactly. You got it. I mean, container security, what that's doing, it's really comprising everything from the applications inside the container, to the infrastructure they run on, to how they're protected at runtime.

A holistic container security solution is so important because, you know, it really depends on deploying these automated controls across the life cycle. So from inception all the way through into runtime, right, that development, the deployment, and runtime. And these tools, they're really great. They have their purpose, right, this management to be able to safeguard, but they're not security solutions.

And so you need a solution that's gonna automate those image scans. Right? That's gonna have those checks pre-deployment, making sure that everything is aligned appropriately.

And then all the way through to runtime, we just talked about all the value that runtime can really bring.

Right. Well, that makes perfect sense. So what you're saying essentially is container orchestrators are great. But a dedicated container security solution is absolutely critical because of all the things that are sort of, quote, "missing" from what an orchestration tool can protect you against. And that I think leads us nicely into our last myth.

I know. I can't believe it. How are we already through to the last myth? This is going so fast, but I mean, truly, we talk about traditional security tools.

Right, Meha? I mean, shouldn't they be enough? Right? Shouldn't what you have in place today?

You know, security tools are expensive. Right? And it takes time to implement and have them on your, you know, as part of your stack. So shouldn't they be good enough to protect against what we need for containers?

Are they really even that different?

Well, we just talked about how container security is sort of a specialized area, but really, to understand this better, it's also important to realize that cloud native applications have revolutionized the way we build and deploy applications. So it's been a journey, and it's been a fast one, right, with containers at the core of cloud native applications.

That's one piece, but also that container adoption has been growing rapidly.

And, of course, around that, Gartner expects that ninety percent of global organizations will be running containerized applications in production by twenty twenty six.

Wow. That's huge. I mean, and that's happening quickly. That's a rise faster than, you know, VMs and bare metal from what I understand. Right?

Absolutely. And it all goes back to sort of the efficiency and scalability that cloud native applications bring to the table. What's even more interesting is that these modern applications are primarily built using open source packages and third party components. So, if you think back to how applications were built, I don't know, several years ago, you can almost think about application development today as the form of assembling code, and not so much as writing the code from scratch. And that's a huge efficiency win there, but it also brings, you know, new challenges.

Yeah. Yeah. I mean, so this is why. Right? When we say containers are elastic, they're ephemeral.

They're designed to be more agile. Right? Is what we mean. Right? They're different than our traditional, more monolithic applications.

Right?

Absolutely. And that's the benefit of using containerized applications.

But with all these benefits, come security challenges.

And because of this, it requires a very different approach to protection than what a traditional VM or an endpoint device would require.

Okay. I can't believe I'm about to say this, but I think we're ready to bust our last myth.

Let's do it. Great.

So as we talked about a couple minutes ago, the ephemeral and elastic nature of containers, the distributed network, the complex architecture, container based applications running in both multi cloud and hybrid cloud environments. Wait.

I think I know how you're gonna finish this one. Containers are gonna require a different approach.

Absolutely.

But not only that, the unique security risks for containers need to be addressed at every stage of the application life cycle.

So it's not just runtime, it's not just code, it's everything.

Effective container security truly relies on deploying automated controls at every step of the journey.

And it also requires unifying teams across development and security.

So repurposing existing technology and retrofitting it for containers is not a good idea. Yeah.

And that's like your traditional EDRs.

Right? Like, that's what you mean when you say this sort of retrofitting. Right? It's taking an endpoint agent and thinking you can put it on a VM or in a container.

Yeah. And the challenge with that approach is these endpoint security solutions that are traditional and very effective in certain situations, but when it goes to cloud native security per se and how applications are developed and how they keep their dynamic and they keep changing and they scale up and they scale down with the business needs.

It's just not gonna work. Right? It's, it doesn't provide the coverage.

It doesn't cover all of the scope.

And it certainly doesn't leave you feeling that you're protected, no matter what, either on the vulnerability side or on the zero day or the malware side. So, definitely want to make sure that, as you're modernizing your applications, you're also modernizing your approach to cloud security.

Yeah. That's an excellent point, and it makes total sense. So I hate to say it, but I think we've successfully busted our final myth.

I agree. Well, we're here. I think myth busting is fun. I had a lot of fun doing this. What do you think, Erin?

I know. I had a lot of fun. I think this is my favorite Aqua webinar I've done so far. What do you think, Joe?

I think it went by way too fast, but it was interesting.

First, let me say, huge fan of the MythBusters TV show. So debunking any myth, especially these cloud native security myths, has been incredibly fascinating. And Erin, Meha, you both did a fantastic job shedding light on these misconceptions.

Don't you think, audience?

Let's give them a round of applause. So thank you.

Thank you both.

Of course.

So, now for some exciting news. We're thrilled to announce that we're gonna be releasing a brand new top nine cloud native security myths guide.

It's gonna dive a little deeper into the intricacies of cloud security, providing you all with insights and the strategies to stay ahead of these evolving threats. So stay tuned for the release and remember to download your copy to bolster your cloud security arsenal.

Erinil.

Two more myths. Two more myths that we didn't cover today. So any thoughts on what they are? I'm curious if the audience has any guesses, but definitely keep your eye out for that one.

Definitely. And to the audience, if you're planning to attend RSA in San Fran in May, swing by our booth, tell them Joe sent you, Joe, Erin, and Meha sent you, and grab some swag and some other treats.

But Yeah.

Yeah. Thank you all for being part of this session. You know, keep questioning, keep learning, keep securing your cloud environments with confidence.

Awesome. Let's do another one soon, Joe. Yeah.

And we'll be at RSA. Meha and I will both be at RSA. So if we're there, come stop by the booth. We'll be excited to say hello and talk more about these myths.

Yeah.

Then we'll know what the other two secret myths are.

It admits. Yep. Alright. Well, thanks everybody. You've been great. Thank you so much.

Thank you both. So until next time, everybody. Stay safe. Stay curious. Stay cool. We'll see you later.

Bye, guys.