Interviews | June 13, 2023

Cloud Attacks Will Drive New Risk Management Approaches

Armis | SentinelOne | Sysdig | Tenable

Curtis Simpson


Q1. What are the key challenges organizations face in achieving comprehensive asset visibility? How should they be addressing these challenges?

Digital transformations are driving the explosion of assets being connected to business networks. It’s predicted that the number of IoT devices worldwide will reach 75.44 billion by 2025. The number of connected assets goes far beyond IoT devices alone, however, and includes IT, cloud, connected medical devices (IoMT), operational technology (OT), industrial control systems (ICS), 5G, etc.

There are two main categories of connected assets – those that are managed and those that are unmanaged. Managed assets, like PCs, servers and mobile devices, have a managed security agent already installed. Unmanaged assets—connected medical devices and technologies, operational technology (OT) such as PLCs or HVAC systems, etc.—have Internet connectivity and operate on business networks, but have no managed security agent.

It’s anticipated that the number of unmanaged assets alone will surpass 50 billion devices by 2025, so it’s critical that organizations and security teams be aware of this distinction. Otherwise, unmanaged devices can create blind spots in the network, ultimately introducing opportunities for exploitation and business impact.

If you can’t see an asset, you can’t protect it. That’s why asset visibility and security is both foundational and critical to an organization's security stack - it takes into account security for all assets.

With increased visibility into all connected assets within the attack surface, security teams are empowered with an updated asset inventory, enabling them to keep a continuous, real-time pulse on what’s connected as new devices are brought online and old assets are disconnected from the network. This level of insight is essential to securing these endpoints, as it enables security teams to better manage impactful risk and vulnerabilities, helping them to effectively prioritize as needed to disconnect or quarantine suspicious or malicious devices before cyberattackers can exploit these assets to move around the network and impact the business.

Q2. What role do you envision machine learning and artificial intelligence technologies playing in enabling better asset visibility in the future?

Threat detection engines leveraging machine learning and artificial intelligence are already enabling the passive detection, identification monitoring of all connected assets and the ability to detect when a device is operating outside of its normal “known good” baseline. This deviation can be caused by a device misconfiguration, a policy violation, abnormal behavior such as inappropriate connection requests or unusual software running on a device, or threat intelligence that indicates that the device has been compromised.

These capabilities are already helping to enable previously unparalleled continuous visibility into the assets we have in our environments, how these assets power our business, and where they’re acting abnormally and/or maliciously. In turn, these continuous contextual insights are empowering security teams to respond more quickly to mitigate this risk to their attack surface.

In the future, the rapid growth of artificial intelligence technology will be at the core of the continued evolution of asset intelligence solutions and in particular, facilitating rapid downstream actions based on such intelligence. AI capabilities will continue fueling the real-time research into and discovery of new malicious tactics, techniques, and campaigns such that the opportunity for bad actors to operate unnoticed will continue to diminish. Subsequently, intelligence will continue to expand further into effective mitigation and remediation guidance or automated actions that can be executed with confidence based on the combination of ML and AI capabilities at scale.

This continued evolution will not only help with further curating the asset-related intelligence of greatest importance to the security, technology, and company missions but also in empowering materially orchestrated security programs with little room for disruption. It is the technology empowered asset intelligence movement that will ultimately enable the continuous resiliency programs of tomorrow and AI and ML will remain at the core of its rapid progression.

Q3. What does Armis have in store for customers at Black Hat USA 2023? What can they look forward to seeing and hearing from your company at the event?

We’re looking forward to Black Hat USA - it’s another great opportunity to connect in person with customers, partners and our extended Armis colleagues. We have a lot to offer attendees visiting our booth. We’ll be on-site giving product demos, sharing different presentations, offering giveaways, and more.

We’re actively working on projects that speak to industry trends and the most pressing cybersecurity, technology, and business challenges that we help our customers solve so you’ll have to visit us at the event to learn more.

Of course, we love speaking alongside our customers and to all attendees about the business value that we help customers unlock at scale across all industries and sectors and how these capabilities are truly enabling and optimizing the ongoing transformation with continuous operations in mind. We can’t wait to introduce new and exciting topics and content; we’ll see you there.

Sandy Venugopal


Q1. You were recently appointed CIO at SentinelOne after a four-year tenure in that role at Uber. What are your immediate priorities at SentinelOne?

SentinelOne is a pioneer and leader in cybersecurity and I’m excited and inspired by the growth trajectory the company is on and the opportunity to scale our business and teams globally to support it. My immediate priorities are to listen and learn from my team, peers and stakeholders to figure out what is working well, what could be better and what their priorities are. Armed with these insights, my team and I will focus on the revenue-generating engine at SentinelOne and ensure data and automation is being used to drive efficiency and scale and that current platforms and teams are set up to deliver the highest level of business impact and customer value.

We’ll also work to drive greater security, productivity and efficiency in the rest of our business by ensuring that we have strong security fundamentals across our operations and create a culture that balances security and productivity. And we will grow an engineering mindset within our IT and Data teams and invest in AI and automation capabilities to drive fundamental transformations with our partners.

Q2. What can/should CIOs do to enable a cybersecurity culture in their organization that promotes continuous learning, collaboration and agility?

The key to building a cybersecurity culture lies in educating the workforce about the constantly evolving threat landscape and providing the tools to prevent and mitigate risks. The message shouldn’t be “take this training because you have to" but “here’s what is happening in the world around us and here’s how you can help us deal with it effectively so that we in turn can help our customers and business thrive." To enlist their support, CIOs must emphasize what employees can do versus what they cannot do and the impact their actions can have. For example, by following the right security practices in your day-to-day work, you can ensure protection of company assets. By understanding and adhering to data privacy and security practices, you can earn and build customer trust.

Q3. What is SentinelOne's focus going to be at Black Hat USA 2023? What can customers expect to hear from the company at the event?

AI is among the most disruptive technologies of our time and presents an incredible opportunity for companies of all sizes. SentinelOne is a pioneer and leader in the space, and we’ll be focused on helping customers understand how we can help them unleash its power and control all aspects of enterprise security - from visibility to response - with unmatched speed and efficiency. Those who stop by our booth can see our solutions in action and hear first-hand from our customers and partners about the value they are delivering. On Wednesday, the SentinelLabs team will be in Black Hat Theater B to share their insights on the evolving threat landscape as well as cutting-edge strategies that organizations can use to protect themselves.

Jamie Butler
Head of Runtime Protection & Resp. Strategy


Q1. What are the biggest challenges organizations face when it comes to balancing the benefits of containerization and cloud-native architectures with the security measures needed to mitigate evolving risks?

The power of cloud is clear but comes with new challenges. Organizations should think differently from traditional EPP/EDR and forensic playbooks. Here are the challenges:

Granularity of visibility and detection coverage

Vulnerability scanning of the underlying OS and packages is often the first step taken to secure environments. The perceived risk can be daunting and inaccurate. Teams need to understand what packages are actually in-use and prioritize remediations for the most relevant threats. This is modern attack surface management. Next, consider the configuration of the deployments. Not only is it the configuration of the cloud resources, containers, and clusters, but also identities and permissions.

Logs are crucial in cloud. Many services and components only offer telemetry as logs, such as services for IAM, MFA, control plane APIs for PaaS, and serverless workloads. However, logs may not contain exactly what was accessed or executed in serverless functions. Attackers target serverless to find credentials and other data. Looking at logs in isolation and reviewing periodically isn’t enough. The fast analysis of logs and ability to correlate log data with other data sources like runtime security events can be the difference between early detection and a breach.

Everyone wishes cloud and application logs are enough; however, you need an agent for the granularity and correlation required for proper detection.

Investigation and forensics

During an incident, an alert or few security events are not satisfactory to resolve its full scope. In a traditional enterprise, the impacted devices still exist and can be interrogated or forensically examined. With cloud-native architectures, this isn’t the case. Organizations must acknowledge the temporal nature of containers, and the relationship between containers and to their hosts when resolving an incident. Scanning base container images pre-deployment is necessary but not sufficient. Recording runtime container activity enables forensic investigation after a container is gone but requires cloud-native tooling. Disk and memory detection is powerful in container security, as with enterprise security, but this visibility is difficult to gain.

In cloud, all the interconnected pieces from source code repositories, image registries, CI/CD pipelines, admission controllers, configurations, and the identity management for those things to interact become crucial to the investigation. A simple mistake in one can lead to total compromise.

Response and remediation

Traditional EPP/EDR response playbooks include quarantining an endpoint, killing processes, and deleting files. Playbooks change in cloud-native settings. Quarantining a container won’t help if there are thousands of copies running. The response needs to remediate the vulnerability in the container base image or the application code. Killing a container is less useful if your cloud orchestration service is going to restart it with the same flaw present.

Q2. When looking at the current and emerging threat landscape, what trend concerns you the most? What kind of changes should organizations be making to their security posture to prepare for it?

The traditional security approach involves looking in from the outside. As cloud architectures and containers become commonplace, this paradigm needs to change. Remote code exploits will always be a serious threat, but the amount available is decreasing and their value is increasing. The attack surface is changing, with DevOps pipelines and other cloud services making up more of an organization's operations.

Attackers are becoming more profit focused and taking advantage of cloud innovations. Cryptocurrencies were a boon to attackers as they enabled a simpler and safer way to conduct transactions and leverage their compromised assets at massive scale. Cryptojacking is popular because it generates money without the risk involved in attacks like ransomware.

The evolving technology landscape increasingly leads attackers to approach targets from different angles, like the software supply chain. Modern architectures are built upon layers of different software packages, many of which may not be under your direct control. SolarWinds and Log4j are the most famous examples, but open source projects are being increasingly targeted. Organizations will need to increase their awareness of what software is being used in their stack and if it holds malicious artifacts. This requires both static and runtime inspection to detect.

The most concerning is that attackers are getting much more skilled in understanding weaknesses in over-permissive configurations and how they relate to different resources, and their speed from initial discovery to full compromise is increasing. Cloud-savvy attackers will drive new approaches to risk management.

Q3. What can customers at Black Hat USA 2023 expect from Sysdig in terms of product demonstrations, discussions on emerging threats, educational sessions etc., at the event?

Sysdig will be at booth 1350. You should stop by to discuss these things with me and the team. Being rooted in runtime, Sysdig’s differentiator is the insight we get from production environments that enables real-time end-to-end cloud security. I also think it’s great that the Sysidg Threat Research Team will be in booth discussing their latest cloud research, the attack patterns they are discovering in the wild, and how you should prepare your team for a new wave of cloud threats. They would be happy to chat about the challenges or unknowns you are experiencing. Think you’re a threat detection expert? You can also test your knowledge and win cool prizes with our threat simulator.

I mentioned the overwhelming noise from vulnerabilities and the lack of visibility developers have into their environment. Our engineers will be in the booth giving Sysdig demos and talking through best practices. In case you didn’t know, Sysdig created open source Falco, the runtime cloud security tool with more than 60 million downloads. The creators of Falco will be on site, as well as our open source team, talking about how to roll your own runtime security, if that is more your pace.

We also have several talks, on stage and in our booth. We are still waiting on the schedule, but I know my colleague, Anna Belak, a former Gartner Analyst and now the Director of our Office of Cybersecurity Strategy, will be talking about the past, present, and future of cloud security, including the impending need for consolidation.

The Sysdig social media channels will highlight all of our activities at Black Hat, so be sure to follow on Twitter and LinkedIn to get the latest.

Glen Pendley


Q1. Tenable recently released a research report on how generative AI is changing security research. How exactly is Tenable leveraging/planning to leverage generative AI and large language models in its technologies?

For years, Tenable has embraced AI and machine learning to enhance models around asset criticality assessment, in prioritization techniques and other methods to differentiate our offerings and add valuable insight for customers. We see enormous potential in leveraging generative AI to enhance user experience and tech support. This summer, we’ll unveil new analytics features that leverage large language models to drive a better user experience and enable our customers to interact with their vast amounts of preventive security data, helping them make more informed decisions.

In addition, several of our researchers have created tools leveraging large language models to create efficiencies in everyday security research processes such as reverse engineering, code debugging, web app security and visibility into cloud-based tools. We’ve made these tools publicly available to the research community and free to download via GitHub.

Q2. What opportunities does Tenable see in the emerging market for data security posture management (DSPM) tools and services? What are the company's plans in this regard?

A cloud-native application protection platform (CNAPP) offers organizations a way to innovate in the cloud with confidence, a value we’ve embraced at Tenable.

Data security posture management (DSPM) is one of the many critical components that is converging into one mass CNAPP market, rather than a standalone market on its own. While DSPM serves a critical function, it is best to be viewed holistically to better understand where risk resides. To address the cloud security needs of the future, we continue to innovate and expand the features and capabilities of Tenable Cloud Security.

Q3. What does Tenable have planned for customers at Black Hat USA 2023? What do you expect customers will want to hear from Tenable at the event?

Tenable will have a large presence at Black Hat USA 2023, including big plans for the booth, exciting opportunities to interact with our team of experts onsite and learn more about the Tenable One platform, which had not yet been launched at last year’s event.

The Tenable One Exposure Management Platform unifies discovery and visibility into all assets and assesses exposures and vulnerabilities across the entire attack surface. This helps organizations focus and prioritize efforts to prevent likely attacks and reduce cyber risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps and identity systems. It builds on the speed and breadth of vulnerability coverage from Tenable Research and adds comprehensive analytics to prioritize actions and communicate cyber risk.

Since the launch of Tenable One in October 2022, we've been working tirelessly to deliver more value to customers, ingest more data within the platform, leverage generative AI to drive innovation and enhance existing capabilities.

Sustaining Partners