In this episode of Navigating Forward, Mike Halstead and Roshan Soni from Launch Consulting speak with Jiong Liu, Senior Director of Product Marketing at Wiz, about cloud security. They cover recent trends in cloud threats and attack patterns, along with the increasingly complex nature of the attacks and the challenges of just keeping up with all of the data, tools, and environments that exist within an organization. They also touch on how this increases the complexity of a security team's work — and how it necessitates a mindset that security is a team sport that must include dev and DevOps teams, plus security champions across the organization.
To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.
Follow Jiong Liu at https://www.linkedin.com/in/jiong-liu/
Follow Mike Halstead at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Roshan Soni at https://www.linkedin.com/in/roshan-soni/
In this episode of Navigating Forward, Mike Halstead and Roshan Soni from Launch Consulting speak with Jiong Liu, Senior Director of Product Marketing at Wiz, about cloud security. They cover recent trends in cloud threats and attack patterns, along with the increasingly complex nature of the attacks and the challenges of just keeping up with all of the data, tools, and environments that exist within an organization. They also touch on how this increases the complexity of a security team's work — and how it necessitates a mindset that security is a team sport that must include dev and DevOps teams, plus security champions across the organization.
To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.
Follow Jiong Liu at https://www.linkedin.com/in/jiong-liu/
Follow Mike Halstead at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Roshan Soni at https://www.linkedin.com/in/roshan-soni/
00:00:00:00 - 00:00:29:29
Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.
00:00:49:03 - 00:01:23:01
Mike Halstead
Welcome to Navigating Forward’s cybersecurity series, where we dive deep into the intricate world of cybersecurity and come out with the knowledge you need to move your business forward. I'm your host, Mike Halstead. Today, I will be exploring a critical topic that affects businesses, organizations, individuals alike – the importance of cloud security. With the rapid advancement of technology, cloud computing has become an integral part of our lives, from storing our personal data to hosting mission critical applications for businesses. The cloud offers unparalleled convenience and scalability.
00:01:23:04 - 00:01:41:05
Mike Halstead
However, as with any digital platform, security concerns are paramount. Today, we will embark on a journey to uncover why cloud security should be a top priority for individuals and business. We’ll explore the potential risk and vulnerabilities that exist in the cloud and discuss the proactive measures you can take to mitigate those risks.
00:01:41:05 - 00:01:52:19
Mike Halstead
I'm delighted to be joined by our special guests, Jiong Liu, Senior Director of Product Marketing at Wiz and my partner, Roshan Soni, Managing Director for Cloud and Software Engineering at Launch Consulting Group.
00:01:52:19 - 00:02:06:11
Mike Halstead
First, a little bit of myself. I lead the Cybersecurity sector at Launch Consulting. Prior to Launch, I had a long career at an international bank with the last 11 years being a cybersecurity executive. I love traveling the world, trying a new food and drink and meeting with my industry peers. Roshan, quick introduction on yourself.
00:02:08:03 - 00:02:23:18
Roshan Soni
Thanks, Mike. As Mike mentioned, I currently lead our cloud and software engineering capabilities at Launch. I spent the last 20 or so years in the technology space working a lot hands-on within cloud, data, and applications. And whatever time I have, I spend with my family, a lot of yard work, mostly just around the house.
00:02:29:21 - 00:02:30:14
Mike Halstead
Thanks Roshan. And Jiong, our special guest, a little bit on your background any passions you want to share with us?
00:02:34:21 - 00:02:58:22
Jiong Liu
Thanks for having me. So, I'm Jiong Liu I’m Product Marketing at Wiz. I'm really passionate about helping organizations realize the benefits of the cloud in a very secure manner. So currently leading up messaging, positioning, product launches, all that good stuff at Wiz. And actually prior to that was over at Okta also helping organizations adopt cloud securely as well.
00:02:58:22 - 00:03:12:21
Unknown
And Mike, similar to you, I in my free time love traveling and in particular enjoying the local delights, food-wise and drink-wise in the international destinations I go to.
00:03:12:21 - 00:03:31:20
Mike Halstead
For sure – I had to add the drink side of it because that is also important. But great, sounds like you’re the perfect guest for this. So, let’s just jump right into it then. So, the cyber threat landscape is constantly changing on a very frequent basis. What would you say that kind of recent trend of the cloud space and why we should be concerned about those?
00:03:21:21 - 00:03:58:03
Jiong Liu
Yeah, so as you mentioned, the cloud is constantly evolving and actually our research team put together a report recently on some of the top trends that they were seeing, specifically around the threats that they see in the cloud and they came up with for, you know, really notable trends and high-profile kind of attack patterns that we saw recently.
00:03:58:03 - 00:04:30:01
Jiong Liu
So, the first one was really around API security. You may recall last year there was a pretty large-scale breach over at Optus, amongst others, where it was really just a, you know, misconfigured API endpoint that didn't require authentication. And an attacker took advantage of and ultimately ended up stealing thousands of their customers’ records. And this is something that, you know, we see pretty frequently in the news.
00:04:30:03 - 00:04:50:18
Jiong Liu
You know, even in my Okta days, this was something that we saw as well because you had a lot of developers, they’re moving super-fast. You know, they want to expose APIs because that's how you move faster. That's how they're building modern applications. But it really is just a very simple mistake, honestly, that can be taken advantage of and expose really, the crown jewels in an organization. The second big threat that our research team surfaced was really the Lapsus$ attacks that we saw as well. Right. This hit a ton of really high-profile organizations last year. Samsung, Nvidia, Cloudflare, Microsoft, amongst others. And, you know, it's not like this was a very, very advanced band of attackers potentially.
00:05:19:27 - 00:05:52:13
Jiong Liu
Right. The rumors are this is probably some teenagers that are out there, but they attacked a lot of these big companies. And, you know, some of the commonalities that we saw across there was it really was an initial compromise of a user. And once they had taken over that user's identity, they were able to actually escalate their privileges into other parts of the environment and find additional information that they would then extricate.
00:05:52:15 - 00:06:18:26
Jiong Liu
And so, you know, some of the learnings that we have from that is in some ways you have to assume initial access, right? And from there, what else can that person get into? And so again, you know, simple, simple mistake that ultimately led to a much larger outcome. The third cloud threat that we saw is, again, something that we hear about in the news almost on a weekly basis at this point.
00:06:18:26 - 00:06:46:16
Jiong Liu
Right. Data exposure. And it's kind of surprising that it continues to be such a common path that we see. Right. And again, it's not like small companies that are subject to this. There's Microsoft recently exposed to 250 million customer records. I think Amazon also exposed a ton of different records for everyone that was using their Prime video services.
00:06:46:18 - 00:07:33:07
Jiong Liu
These are really large organizations, and it really just highlights the fact that this is a very difficult attack pattern to actually stop because finding them is actually pretty difficult. And the velocity of attacks that organizations are going through is really at an unprecedented velocity. And again, our research team found that, you know, just if you have a bucket that is out there in the wild and it might have records, customer records in it, if it's exposed and if it's referenced in a GitHub repo from the time of exposure to the time that it's actually discovered by an attacker is really only 7 hours on average.
00:07:33:14 - 00:08:02:12
Jiong Liu
So, the speed at which some of these risks are being taken advantage of is also really, really unprecedented. And then the fourth one that our research team highlighted was really the supply chain risk. I think we all remember SolarWinds, which is kind of one flavor of the supply chain risk where around identity based. But there's also a lot of, you know, software-based ones as well that we're starting to increasingly see.
00:08:02:14 - 00:08:33:18
Jiong Liu
And so, when I think about, you know, these risks that are out there, what's notable, right, is they often times are really, really difficult to spot in an organization because of a couple of different factors. One is it's no longer just, hey, I found an exposed asset and I'm going to, you know, exfiltrate that data and then, you know, publish it to the world.
00:08:33:20 - 00:08:58:07
Jiong Liu
They're getting increasingly complex in terms of the how they are exploited. So oftentimes it's some sort of initial access and then there's oftentimes lateral movement or privilege escalation where an attacker is able to actually break out of that initial point of entry and get to the crown jewels. Right. So, we saw that, you know, with Lapsus$, it wasn't just about that initial identity.
00:08:58:07 - 00:09:26:05
Jiong Liu
It was the privilege escalation then to something else. We see that in the news all the time. A lot of the data exposure, it's actually difficult to detect because, you know, they might exploit some vulnerability on a machine, but then they move laterally within the environment. Right. They're able to figure out how do we break out of this virtual machine or this application that we found our way into and find things that are actually really, really important in the environment elsewhere.
00:09:26:07 - 00:09:49:03
Jiong Liu
So could be like crown jewels, like your customer data. Could be an admin identity that really has, you know, keys to the kingdom. And I think it's because of the complexity of this sort of attack path that is why these things are so scary and so hard to find because, you know, you might be talking about like different layers of your cloud environment as well.
00:09:49:10 - 00:10:07:21
Jiong Liu
And so, a lot of the tooling that we have in place today is not necessarily equipped to look for, you know, these complex attacks, ones that take advantage of multiple layers of the cloud and, you know, where the entry point is very different than the end state.
00:10:07:21 - 00:10:29:12
Mike Halstead
Great. Yeah, that that's, it's interesting how a lot of these are similar type attacks from the past, right. Pre-cloud and you know following kind of the whole security hygiene but it's also the complexity that the cloud creates as you said, the multiple layers in how you know, the bad actors are following technology, which is the cloud. So now that's obviously a new attack area for them. Roshan, want to get on to that?
00:10:36:22 - 00:11:04:26
Roshan Soni
Yeah, definitely. No, it was interesting the 7 hours really caught me because you have the cloud, which is so easy to stand up and configure, but it's very tough to stand up and configure securely. Right. And so, you have organizations, startups, all sorts of people trying to stand up their own cloud instance. And then, if they do it the right way, then you know, within, they’re okay, but like if they have something misconfigured within 7 hours they leave for the day. I mean it's going to be attacked, right. Crazy to think about that stat right there because it's just so quick.
00:11:14:16 - 00:11:47:07
Jiong Liu
Yeah, and yeah, in the first example right, the API security one, it really is just that one error, right. Someone misconfigured one configuration setting and it left the API exposed. Like they probably did not intend to do that. Certainly, hopefully did not intend to do that. So, it really underscores the fact that, you know, the attack surface is growing super rapidly and it's not just the controls that you might have had when you were, you know, more on the on prem world.
00:11:47:07 - 00:12:14:14
Jiong Liu
They dissipate because anyone could make that configuration in error and really also at any point in time because even if you look at our cloud providers, they're constantly releasing more and more functionality via API. Like I was reading in the in the news recently that I think AWS now has like over 10,000 configurations that you can do via API. And so, it's really just a single one that can lead to one of these breaches.
00:12:20:10 - 00:12:40:14
Mike Halstead
Yeah, for sure. So, talking about the attack surface, let’s dig into that a little deeper. And so, many firms are on their migration journey to cloud. You know, some are further ahead than others. What are the different types of cloud environments? And what do you see as the pros and cons to running in each of those environments? This is more from a kind of a security perspective.
00:12:40:14 - 00:12:58:29
Jiong Liu
Yeah. So, we see organizations sort of like at every stage of their cloud journey. There's organizations that are earlier on where they're really just in that migration standpoint and they're just even thinking about, you know what do I have? Where do I want to move it to?
00:12:58:29 - 00:13:25:08
Jiong Liu
Do I want to just do some sort of like lift and shift, for example, or do I want to refactor the app and build a cloud natively? And we see a mix of that, right. And oftentimes it depends on, you know, what is the, what is the application in question, right? If it's super important and critical to your business, you can't have any downtime associated with it.
00:13:25:10 - 00:14:03:25
Jiong Liu
You know, choosing the less disruptive path is oftentimes going to be the easiest path to getting that application to the cloud versus if you have something that is, let's say you have an innovation team that is focused on. Right, they can leapfrog into cloud native approaches, things that leverage containers or Kubernetes or serverless approaches. And yeah, I was actually just talking to a Gartner analyst a week ago and he said you know pretty much every customer he talks to now at this point has some form of Kubernetes in their environment.
00:14:03:28 - 00:14:40:25
Jiong Liu
So, it is oftentimes really a mixture of different things and that, again, becomes even more complex for organizations to manage from a security standpoint, because you have these environments that are heterogeneous, right? And you want to encourage that as a security team. You don't want to be the person that says, no, you can't adopt containers because that's a surefire way that someone is going to go adopt containers and so you'd rather be the, the good cop there and help them along, help to educate them from a security standpoint.
00:14:40:25 - 00:14:47:08
Roshan Soni
It’s the innovation, right? If they can’t innovate then how are you going to grow? You have to give them their freedom.
00:14:47:08 - 00:15:04:04
Jiong Liu
And it's even worse than that, right. It's not that it's not that they're going to stop because you said no as a security team. Right? They're going to do it no matter what. It's either you can either get on board with then and help put guardrails around it, or you're kind of cut out of the equation.
00:15:04:04 - 00:15:24:25
Mike Halstead
There's not one size fits all right if I’m understanding it correctly. And so, it's a case-by-case basis. You know, depending on where they're at in maturity, where they are, what data are they putting out, what are they hoping to get out of it? You know, what type of a platform and even cloud provider that they would use.
00:15:24:25 - 00:15:46:20
Jiong Liu
Exactly. There's so many different flavors of Kubernetes nowadays. And in many ways, Kubernetes is kind of like its own cloud within a cloud at this stage. And so, it becomes more difficult for security to really understand all of these things, because they're not necessarily developers themselves. So, you need to bring on people with different skill sets.
00:15:46:20 - 00:16:09:29
Jiong Liu
And historically speaking, you know, from a security standpoint, oftentimes when devs bring on these new tools that help them move faster, you had to then explore a different tool for it as well, right? Like if okay, now we have a containerized environment, we need to go investigate some container security tools. Now we have serverless all throughout our environment.
00:16:10:01 - 00:16:35:06
Jiong Liu
We now need to go investigate another serverless technology to help us secure those environments. And so, then that just adds to the complexity of what security teams have to manage. And this also leads to greater attack surface as well, because, you know, the risks in a containerized environment are oftentimes not just contained within the containerized environment itself.
00:16:35:06 - 00:17:00:08
Jiong Liu
Right? It could be, it could, you could have a container could have a secret in it, for example, that actually has a key to your AWS cloud, right. To a different environment. And so, you're starting to see these different like cross cloud or cross cloud layer risks that crop up as well. Again, it's just more that a security person has to learn about and be prepared for.
00:17:00:08 - 00:17:10:26
Mike Halstead
So, this this next question is a bit loaded but it's really around how does a firm know the extent of data that's in the cloud and when should they be concerned about it?
00:17:10:26 - 00:17:42:21
Jiong Liu
That's definitely quite the loaded question. I think, I think the obvious answer is they should always be concerned about it. I mean, in many ways, you know, we've had all of these different eras of you know, shadow IT in the past decade or two and it really is shadow data now that is one of the top concerns of organizations because it's so simple, right, to replicate a database or to move data from one place to another.
00:17:42:23 - 00:18:09:02
Jiong Liu
And again, like it's not necessarily the case that a developer is trying to skirt the rules, but if they want to go test out a new database service that AWS has just released, like, they have that power on their own, like, yes, it's cool, it's new, I want to go test it out. And oh, I happened to have this data lying around over here in this other application that I own.
00:18:09:08 - 00:18:35:06
Jiong Liu
So let me just try it with this new service. And all of this is now done without, you know, some sort of centralized control in many organizations. And as a result, you just see, you know, data multiplying all over the place. And oftentimes, you know, you don't have a single team that therefore has that visibility all over the place.
00:18:35:09 - 00:19:10:21
Jiong Liu
So, it's definitely a huge problem for organizations and it's also a huge problem in the sense that it spans teams. Right? Like security teams might be concerned. Dev teams might be concerned. You also have a lot of data teams that are concerned about this, both from a security standpoint and also from a privacy standpoint. And so, because you have all these different teams, you have different responsibilities and roles and different lines that you might have drawn in the sand, so it becomes an even harder problem to say this is a problem and you, this team, owns it.
00:19:10:21 - 00:19:37:26
Mike Halstead
Yeah, it's interesting how easy it is, right, not only from your own personal device but in a business environment and to put data out there and not really even know it right, and without doing proper third-party due diligence that, oh by the way, you may have some of your company's data sitting in the cloud called unprotected or you know, it creates a huge dilemma.
00:19:37:26 - 00:20:09:21
Jiong Liu
Exactly, it's just a proliferation of data that could be really anywhere in your environments. And in many ways, it's similar to the problem that we talked about earlier with just overall cloud cyber threats that we're seeing where the attack surface is just growing. You know, on one hand, it might be because our cloud providers are giving us so many options around misconfigurations that we could do. But here, this is another one of just, you know, there's the resources themselves, right? We can proliferate on our own.
00:20:09:21 - 00:20:29:05
Jiong Liu
And there is a category that is starting to emerge. It's called the Data Security Posture Management space or DSPM, that we've been seeing. It’s very nascent. I think Gartner says maybe in the next three years, 20% of organizations will adopt it.
00:20:29:07 - 00:20:54:08
Jiong Liu
But the goal of it is really to sort of address this problem head on around where is your shadow, where's your shadow data, how do we identify it? And not just, you know, identify that it's out there, but also classify it, right? Like, is this PII, is this PHI or PCI? You know, because that's the more sensitive data that you should be worried about.
00:20:54:08 - 00:21:03:15
Roshan Soni
You know, a lot of our clients, if we're starting our data initiative or our data governance project with them, our first question will be, well, do you have documentation? No.
00:21:03:17 - 00:21:22:27
Roshan Soni
And so, they have stuff that's out there where this one person has it, working on it and they're the ones to go to if, if they if you need access to that data and that database. And so, you have things like that that are all over the place, even on the cloud and it's, it's just that massive area.
00:21:22:28 - 00:21:30:05
Roshan Soni
No one's walking through it and looking at things. Right. It's, it's something has to manage it. Really usually helps there.
00:21:30:05 - 00:21:53:16
Jiong Liu
It reminds me of this customer we talked to years ago where they had this one developer who had his own machine and he had like all sorts of things on it, like keys to everything, right? Admin account access. He had customer data on it and it's not like he was doing it to be shady.
00:21:53:19 - 00:22:10:07
Jiong Liu
It was just for his own personal use. So, like, hey, I want to use this whenever I build applications and test them QA them. And but the thing is, he would actually turn off the box whenever he was not using it, right? So, you know, in his mind he was like, oh, this is how I make it safe, right?
00:22:10:09 - 00:22:28:27
Jiong Liu
I turn it off when I don't use it, but it's still out there. And so, what was interesting was their traditional security tools didn't catch it because it's only looking for things that were on. So that was that an interesting kind of loophole that we saw.
00:22:28:27 - 00:22:55:06
Mike Halstead
So, you touched on it a little bit with the data security posture, something that's in existence and going to be more probably mandated down the road but with the attack surface, with the amount of configurations with, you know, the multilayer that we've spoken about and number of attacks that are happening, what are the best practices for securing the cloud environments?
00:22:55:06 - 00:23:00:09
Jiong Liu
Yeah, so there's a few different things, right? And they happen at kind of different altitudes.
00:23:00:09 - 00:24:03:24
Jiong Liu
I would say, you know, one of the best practices that we're really starting to see form out there is recognizing the fact that securing a cloud environment cannot be only the responsibility of a security team. Right. Because the cloud is so decentralized that ownership is sort of all over the place, you have to have security champions across your organization and you really have to think about cloud security as, you know, a team sport that spans security, your dev teams, your DevOps teams. They have to work hand in hand to understand and control risks across the pipeline. And, you know, I was at a meeting, at RSA not too long ago, and what was interesting was I was talking to a few different CISOs, and they put it so well. They said our cloud security program, our goal is it's a product within our organization that we really want the developers to use, right?
00:24:03:24 - 00:24:35:06
Jiong Liu
And so, I thought that was such a good way of putting it, because your devs are your frontline, right? They're the ones that are making the choices around, you know, the types of infrastructure that you're bringing in, as well as all of the technologies that you're running in your cloud as well. And so, if you can educate them, if you can bring them in as part of an extended member of your security team, that I think is one of the key best practices that organizations can have.
00:24:35:09 - 00:24:58:06
Jiong Liu
Now, maybe taking it a step, you know, deeper into like, well, how do you actually do that? Because, you know, devs are not security people. They have their own tools; they have their own processes. They don't do security every hour of the day. You know, some of the key things that we're seeing is, number one, is the visibility.
00:24:58:08 - 00:25:28:11
Jiong Liu
Oftentimes security teams talk about things in a very different way than a development team, and they process things in a very different way as well. Right. Security teams have all sorts of different alerts that they're looking at and triaging and risks that they're managing, whereas devs are just, you know, they're trying to move fast. And so, one of the key things is establishing a shared understanding of the cloud environment and not talking about it in a lot of like jargon terms that a dev might not understand.
00:25:28:18 - 00:26:04:22
Jiong Liu
Right? Here's a virtual machine, here's, you know, who has access to that resource. You know, here's what that role also gives you access to. Is it publicly exposed? You know. So, making it a lot more simple and normalized. And again, just having the same understanding of visibility across the entire environment. And that visibility has to be unconditional because if a dev, you know, spins up a new Kubernetes environment or new Kubernetes cluster, they can't, you can't rely on them to tell the security team for the security team to have visibility.
00:26:04:29 - 00:26:37:27
Jiong Liu
Right. Like, you just have to know as it's brought online. And that type of, you know, visibility without having to bother anyone, I think is super critical in the cloud. The second thing that, you know, we've seen a lot is organizations oftentimes, you know, they want to embark on a shift left strategy. I mean, obviously that's, you know, a key goal because fixing things earlier in the pipeline is obviously much less costly than it is later on.
00:26:38:00 - 00:27:02:11
Jiong Liu
But it's hard to do that if you don't already have that relationship between your security and dev teams. And like if they're not friends, as a dev, like, why would you ever let security fail one of your builds? Right? And so, I think one of the key things is you really have to develop that trust. You have to develop that partnership first.
00:27:02:18 - 00:27:20:20
Jiong Liu
And we see that happening best at actually starting in the production environment. Like if we can work through that together, understand the critical risks, work through them and understand what policies we should put in place there. It's a lot easier then to shift that left versus just starting left.
00:27:20:20 - 00:27:29:29
Mike Halstead
Makes sense. There's been a lot of discussion lately around we'll call the AI movement. What do you see as the challenges that AI presents in the cloud security space?
00:27:29:29 - 00:27:59:28
Jiong Liu
Yeah, there's a few different challenges, right? I think one is, you know what else does a cloud security team now have to worry about. And then the second is how does it impact kind of like how they run their programs on a day-to-day basis. So, on the first one, I think the biggest challenge, of course, is that people are putting a lot of data into these Gen AI platforms.
00:27:59:28 - 00:28:28:21
Jiong Liu
And you don't necessarily have control again over what data they're putting into it. It's really actually an extension of the problem we just talked about recently around the shadow data, right? Like, hey, here's this cool new tool that's going to help me so much in my day-to-day job. Like, yes, of course I'm going to go use it and of course I'm going to give it information that helps me to do my job because, you know, I may not know, oh, this was like PII data.
00:28:28:21 - 00:28:50:02Jiong Liu
Like if I'm a, you know, a dev, like, I may not even know what PII stands for, personally identifiable information and I may not know, even like all of the privacy regulations for why this is problematic, for why feeding it into an AI. And so I think that adds on just more layers of complexity, more things that you have to worry about.
00:28:50:02 - 00:30:19:07
Jiong Liu
It's just a greater attack surface that we have to worry about. And then on the second side, you know, in many ways, like AI and ML have been around for quite a long time, there are some great tools that are out there that leverage it within the technology. One of the things that, you know, we found as we were exploring AI and ML, and especially as we were thinking about how we built our platform, is that if we use AI frequently or ML, AI and ML, in a solution for cloud security to showcase like, hey, this is a risk in your environment, it can be tricky when you're trying to build that trust, especially between the security and development teams, because it feels like a black box in a way, right? The explanatory factor is harder when you use AI and ML in that, in that particular format. And we found that, you know, especially to get that trust and make sure that we are all seeing the same information and having the same takeaways from it, it was actually a lot easier for us to go with a heuristics based approach saying, hey, we think or this is a critical risk in your environment because we can show you that this container is actually publicly exposed to the Internet and it has a critical exploitable network vulnerability that is on it.
00:30:19:09 - 00:30:41:13
Jiong Liu
And also, hey, this machine has a secret key that is on it that it would allow you to then move laterally in the environment. Right. So being like very factual about, hey, this is why we found something and why it is in fact a problem was very important for us, especially in order to get that adoption outside of just the security team.
00:30:41:13 - 00:30:56:15
Mike Hallstead
And it goes back to the basics, it’s still always important to get a baseline, right. Using AI or not, you still need that baseline so then you can see your deltas and changes and address those.
00:30:56:15 - 00:31:33:10
Roshan Soni
Back to our previous conversation around data. I mean you have developer just trying to play around with ChatGPT that comes up, right. If anyone's seen that interface you just start typing text in there, but you want, you see what it can do with data and copy and paste it from something right in front of you. And hey, maybe you exposed some client data or maybe exposed, you know, you know any forms of PII, whether it just be a name or address or something like that. So, stuff like that just opens things up and now it's part of the model and we have no idea what’s being done with that data behind the scenes, right?
00:31:33:10 - 00:31:53:21
Jiong Liu
Yeah, absolutely. And I think, you know, I heard this analogy the other day and I think it kind of sums it up well as you know, what we're doing here, especially with the cloud and all of the advancements that are happening is we're building, we're moving from like, you know, horse drawn carriage to a car now to like a train and maybe a plane.
00:31:53:23 - 00:32:16:11
Jiong Liu
Right. And it all allows us to unlock new capabilities, allows us to unlock new business models and allows us just to move a lot faster. And we can't have security just be like, oh, no, we're not going to, you know, make these like transformational shifts in our business. It's more about like, oh, no, you need seatbelts, right?
00:32:16:11 - 00:32:24:21
Jiong Liu
And you need your airbag, right? Like what are those security controls that we can put in to make moving faster safer for all of us.
00:32:24:21 - 00:32:36:13
Mike Halstead
So, one last question for you, Jiong, and I'd love to find out a little bit around Wiz products and the capabilities that you guys have and how it helps the cloud.
00:32:36:13 - 00:33:44:17
Jiong Liu
Yeah. So, Wiz is a cloud security platform. We've actually only been around for about three years now. And, you know, we're very lucky in that we had a founding team that came from Microsoft. Right. They were building all of the internal and external security products for Microsoft. And they saw firsthand the challenges of cloud and securing the cloud that we've been talking about over the course of today. And they recognized that, hey, this complexity, this growing attack surface, the fact that we really need to bring together more than just security teams, but also the dev teams, right, everyone that’s building in the cloud together to secure it. They realized we need an approach that really simplifies cloud security and takes a platform approach to it. So, if you look at traditional tools that are out there, right, they looked at risks in silos and they looked at parts of the infrastructure in silos as well. So, container security had its own tool, serverless security had its own tool and so on.
00:33:44:24 - 00:34:14:22
Jiong Liu
And you had, you know, vulnerability management tools that only looked at vulnerabilities. You had CSPM tools that really just looked at configuration issues. You had Kin tools that which only looked at identity, and it didn't give you that full picture of what an attack path into your cloud environment would actually look like and therefore didn't allow you to really prioritize what was going to be the most important for your security teams to address quickly.
00:34:14:29 - 00:34:43:21
Jiong Liu
And so that's really what Wiz does is we have this agentless approach to scanning your cloud environment and it allows us to build essentially a security architecture graph of the entire environment that serves as that foundational visibility for everyone that builds and secures the cloud. And from there, we map on the different risk factors all in that same platform and allows us to prioritize those attack paths.
00:34:43:24 - 00:35:12:09
Jiong Liu
And beyond just that, it also allows you to map who owns the infrastructure onto that as well. So, if you do find an attack path into the cloud that leads to, let's say, sensitive data, you know actually which dev team is responsible for that part of the infrastructure. And so, you can surface it directly to them in a timely manner, show them all of the evidence and the context for why it is an issue.
00:35:12:14 - 00:35:21:08
Jiong Liu
And that allows them to take action quickly. Right. It empowers them to resolve those issues in a self-service manner.
00:35:21:08 - 00:35:30:22
Mike Halstead
Excellent. Well, I do know that that at RSA, you had a quite busy booth and it was either the interest in the technology or the fact is the Wizard of Oz, or both.
00:35:30:22 - 00:35:32:03
Jiong Liu
Yes, hopefully both.
00:35:32:03 - 00:35:47:14
Mike Halstead
Great. Well, thanks Jiong, and thanks Roshan. And thanks, everyone, for joining us for today's episode of Navigating Forward the Cybersecurity Series. Come back next week to get pointers for next steps on your cyber roadmap. I will be talking about security compliance and why that is important.
00:35:47:14 - 00:36:01:12
Mike Halstead
Just a reminder that cybersecurity is 80% good habits and hygiene. But to start improving your health, you need a baseline. To learn more how to develop your organization's future state of cybersecurity, go to launchconsulting.com/cyber. Thank you everyone.