Is Instant Breach Detection Possible in Cloud Workloads? – Executive Interview with Jack Kudale, CEO of Lacework
What shortcomings do you see with current cloud security solutions regarding breach detection?
JK: At the macro level, our industry faces two really big problems. First, it takes way too long to find and remediate breaches. Every day a breach goes undiscovered or unpatched is a day too long. And second, we haven’t done a very good job of addressing breaches based on insider threats. Now, my perspective on what constitutes an insider threat is pretty broad. Any attack that uses any employee, vendor, or contractor credentials – even when those credentials were stolen – is really an inside job and should be treated that way.
So why does it still take so long to find and remediate breaches? Our current tools are too dependent on policies, rules, and logs which are hard to maintain and not very effective. Correlating logs to investigate anomalies is complex and labor intensive. Policies fail because it’s impossible to anticipate an attacker’s next move. Remediation is no better, as breach investigators must comb through tangles of log entries and piles of notifications to fix vulnerabilities. Existing security tools and practices just aren’t agile or effective enough for today’s cloud environments.
And what about insiders? Frankly, the cloud has made that problem worse. In our drive to deliver applications as fast as coders can write them, organizations tend to relax internal controls to reduce developer roadblocks. As a result, east-west traffic has fewer and fewer constraints and virtually no oversight. That can have disastrous consequences.
Your company Lacework just launched. Can you give some background, and explain how you wanted to go about solving the issues with current security solutions?
JK: Our founders are security and analytics experts, and they had a clear picture of the security challenges in the cloud. They realized that every datacenter, workload, user, container, application and process has its own truth. And they also realized that data analytics and machine learning technologies were becoming powerful enough to capture and work with that truth on a very large scale.
Lacework co-founders Vikram Kapoor, Sanjay Kalra and Sam Pullara banded together to create the industry’s first zero-touch cloud workload security solution with a goal of detecting breaches instantly. We’re based in Mountain View and funded by Sutter Hill Ventures, and we’re thrilled to bring our product into general availability this week through both our website and the Amazon Web Services Marketplace.
How does Lacework Polygraph work to detect breaches?
JK: If you came home from work to find your house with a broken window, or your front door open, you’d immediately suspect someone had broken into your house. In essence, Polygraph is watching for those broken windows or open doors in the data center. But the house I come home to is much smaller than the one Polygraph watches. Polygraph monitors each of the millions of characteristics, relationships, and behaviors of workloads, applications, containers, and users and immediately raises the red flag when anything’s amiss.
Polygraph does this by building and maintaining a deep temporal baseline that gives context for any deviations from normal behavior. Machine learning automates baseline maintenance, and analytics technologies establish the boundaries of normal behavior for the data center.
What are some of the benefits an organization can expect from Polygraph?
JK: Polygraph dramatically reduces the time it takes to detect and remediate breaches in the cloud. We are constantly watching over cloud activities and comparing them to the established baseline. So there’s no waiting for a new policy to be developed and deployed before you’re protected. You’re protected all the time, from every security event.
Our deep temporal baseline is also a really powerful way to protect against the myriad vulnerabilities caused by human weakness and error. We don’t rely on identity, permissions, patches, or perfect configurations for protection. We simply need to know what the system usually does. If, for example, Mary from Accounting suddenly fires up a program that contacts an external command and control server, that’s the broken window that tells us we have a problem. If Steve on the development team launches an unauthorized instance of Jenkins to make his daily code builds easier, it doesn’t really matter if he configured it correctly. But we’ll report the new application and we’ll flag any unusual connections it makes.
We do all of this automatically and without the overhead of policies or log analysis. The time to value is nearly instant, and our customers tell us they’ve gone from spending 2 to 3 hours a day tweaking and developing policies to 15 minutes a day reviewing Polygraph reports. When it’s time to investigate a security incident, our advanced visualization engine provides a playbook detailing the entire cyber kill chain on one pane of glass. We rescue security professionals from countless hours poring over log files and piecing together attack timelines.
How fast can your solution be deployed, and what type of management is involved?
JK: Once installed, Polygraph automatically sets to work so our customers start seeing results within hours — the time to value is truly unprecedented and our new GUI invites exploration and discovery. Also, with the zero-touch platform there’s no project management aspect to constantly manage. Each host gets its own Polygraph agent that runs on the hour to provide information about processes and traffic using metadata.
Any success stories you can share of current customers using Polygraph?
JK: Yes, definitely. To share a couple of examples, we had a large networking company website running a WordPress instance that was hacked. With Polygraph, they detected the intrusion on day zero and remediated it before a breach occurred. We had another cloud services company with a rogue continuous integration server running. Pen testers there compromised the CI system and began moving laterally through the network. Polygraph saw the whole thing, from the rogue user to the pen tester exploits. We’re proud to count companies like Wavefront, Snowflake Computing, Jitterbit and Verizon as customers and early testing partners, and we’ve already had great feedback so far on both time to deployment and detection times.
What types of companies do you see benefiting from this solution?
JK: Our target currently is large enterprises with a hundred or more VMs in a public cloud environment.
Anything else you’d like to share about where you see the company and product going in the future?
JK: Now that we’re out of stealth mode, we’re ready to serve the DevSecOps and CISO communities by driving the mean exploit detection time to less than a day. And we’ll deliver the precise and timely investigative tools that our customers need to permanently and definitively remediate vulnerabilities.