CyberWire-X 1.28.24
Ep 49 | 1.28.24

What’s a CNAPP: Cloud-Native Application Protection Platform?


Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, N2K's Chief Security Officer and the CyberWire's Chief Analyst and Senior Fellow. And today, we're talking about CNAPPs, Cloud Native Application Protection Platforms. And that is a mouthful. After the break, we'll take a deep-dive look at this relatively new complexity reduction tool and why you should consider deploying one. Come right back. [ Music ] Today at the CyberWire "Hash Table," I'm joined by Tim Miller, the Technical Marketing Engineer at Panoptica, Cisco's cloud application security solution, discovered and acquired by their new products and markets incubation engine called Outshift just last year, and Kevin Ford, the CISO at Esri and a veteran "Hash Table" discussion member. I started out by asking Tim to give a high-level description of what the CNAPPs are and how they might be useful.

Tim Miller: When we deploy our cloud-native apps in the cloud, you know, we've got all these different layers that we have to prepare before we even, you know, start running that application: deploying cloud accounts, configuring them, giving the access, the network topology, you know, if I'm using AWS terminology, VPCs have to be constructed, subnets, the whole kit and caboodle all the way up to actually then the services that we're going to consume, building a Kubernetes cluster and such. So all of those things have settings. All those things have security concerns. And so a CNAPP platform is designed to look at every single layer that goes into building your application, including the build process. So the expression we see in Gartner all the time is code to cloud, right? So it's literally from when developers are writing the code to how you're deploying and operating and monitoring it in the cloud.

Rick Howard: So when I first started thinking about this topic, I was thinking CNAPP is just another version of a firewall. But that's not really what it is at all, is it? It's not doing protection. Is it more just configuration management? Is that it?

Tim Miller: That's certainly where the industry started. And I'd say up until the past year, yeah, it's been primarily focused, I'll say, on posture assessments, pulling down all those configs, doing posture assessment from, you know, seven different ways to Sunday, as the expression goes, right? But recently, detection and response has gotten, you know, a lot of traction in this space as well. So now we're going beyond just how it's configured and daily scans using, what we would call in the industry, an agentless approach to actually needing to start building in agents, deploying agents, and instrumenting the cloud platforms, the services, and getting telemetry from them so we can detect incidents going on.

Rick Howard: So, Kevin, you've been a CISO of a company called Ersi. [phonetic] Is that how you pronounce it, Ersi?

Kevin Ford: ESRI. Environmental Systems Research Institute. Yeah.

Rick Howard: Esri. That's the reason I asked, man. [Laughs] And you've been there for almost three years now. And according to the website, you guys build geographic information systems software for location intelligence and mapping, something the marketing people call the science of where, which I just love. What a great tagline that is. And you guys have been deploying the CNAPP platforms for a while. So can you give us a sense of how you guys are deployed architecturally, without giving any details away, and then how these kind of platforms benefit you guys and why you like them so much?

Kevin Ford: Sure, yeah. So I think to understand this CNAPP space, you kind of have to understand where we've been a little bit historically with the cloud. If you look back a decade or more ago, you know, we were kind of in cloud architectures that resembled more of a data center in the cloud with virtualization. But as we moved forward and started to develop and adopt cloud-native solutions, things like APIs, containerization, Docker containers, that sort of thing, we needed new types of security software to secure all of that. So, you know, a CNAPP is kind of a collection of a lot of different capabilities associated with securing these cloud-native applications that we use to build our products, to build -- to build our corporate environment, those sorts of things. And so we use them largely for container security, looking at container workloads, making sure those are secure. We use them to, you know, help understand the posture of our clouds, how the network is deployed, how the various aspects of each of our cloud environments are deployed. And it's actually really helpful also to cross the bridges between our multi-cloud environments, right? So where in the past we were using potentially vendor-specific tools, for instance, the tools that AWS comes with or the tools that Azure comes with, now we can use a CNAPP platform to bring that all under one pane of glass. And that's also been very effective for us.

Rick Howard: That's what I was going to ask. And that's the kind of marketing line for these things is that you can use one platform and configure multiple cloud environments. But is it really that easy, Kevin? I mean, I am -- I want to configure a container in AWS. I also want to configure a container for security-wise, you know, in Azure, let's say. Okay. Is it really just use the CNAPP and it knows how to configure those things in those environments?

Kevin Ford: Yeah, it's not exactly that easy, right? If it was, we'd be selling these like hotcakes. [both laughing] There are, you know, there is some -- there is some -- some work that needs to go in to integrate all of this. But we're talking about a tremendously large suite of capabilities that these things have, you know, where we were looking at separate tools in the past for, you know, container security for endpoint detection and response in the cloud for virtualized things, for entitlement management, you know, and understanding our access model. You know, all of this stuff can be done with CNAPP. And I would hate to say that we're using every aspect of the CNAPP, right? There are certainly things that we still do in different technologies. But more and more, I think we find ourselves moving into, you know, the CNAPP world and trying to centrally manage it.

Rick Howard: Tim, it feels like this is a platform that kind of bridges the gap between manual configuration that we all used to love to do and some sort of automatic CI/CD pipeline that the IT guys like to do. This platform allows us to automate some of the things that we would screw up if we had to do them over and over again manually. Am I wrong about that? Is that the right way to say that?

Tim Miller: No, that is the right way to say that, especially on the code side of that code to cloud, right? So we need to instrument those pipelines so that these tests are automated. And so these CNAPP platforms have that capability of running security tests as part of, you know, a pull request, you know, a merge event, for example, or whenever, you know, the day is over and they're just committing their code, right, before they log out at night. So all of these tests can be triggered. And, you know, and the -- there's a whole suite of these tests from things like linting, for example, to make sure it meets certain code standards and you're doing best practice from a software editing, for lack of a better phrase, a software editing perspective, all the way through, you know, actually identifying security problems. You know, some of these things embed into their integrated development environments, their IDEs. And then some of them are just in the source code management platforms where they check in the code. So it's really all about getting that automation. And then, of course, to Kevin's point, aggregating that information up into a central platform that then the security teams have the breadth of information, and the developers can access it too, right? They have this breadth of information about their holistic security posture across that entire spectrum of stack, you know, that entire stack that defines their application.

Rick Howard: So, Kevin, let me drill down on that a bit, all right? So can we use these CNAPP platforms as like an intelligence platform because you're connecting to all these applications in the cloud? I'm collecting telemetry, let's say, like we used to do in the old days for the hardware platforms. Can you use it like that? Is that one use case for it?

Kevin Ford: Potentially. You know, I think still probably you're going to be looking, if you're looking at, for instance, threat intelligence, you're still probably going to be looking at piping that into a SIEM. Now, some of the CNAPP platforms may have kind of a native SIEM-like experience. But if you're, you know, a larger organization and you value the business, you know, logs and the intelligence from around the business, you're still probably going to be using a central SIEM to evaluate things like workload protection. There is some meaningful data to be gleaned here around, you know, uptime and how, you know, how my cloud load is looking and that sort of thing.

Rick Howard: It's not a souped-up XDR platform. That's not what this is. So it's not that. We're not connecting APIs and things. What's the difference between what a CNAPP platform is and an XDR platform?

Tim Miller: Well, I think the important point, and, to key off what Kevin said, it's the CNAPP platform is really focused on cloud-based applications, cloud-native applications. So an organization isn't, I mean, there are some, don't get me wrong. But most organizations aren't going to be only in the cloud. They're going to have resources outside of that, that really a CNAPP today, who knows where these things are going because they're evolving very quickly, but today, CNAPP is not going to cover everything. SIEM is a great example of that, right? There's a whole lot of telemetry from other parts of the business that need to go into the SIEM perspective and get the rich intelligence a SIEM can provide, right? CNAPPs certainly feed into that, but they're not going to be your end-all, be-all CNAPP destination, primarily because there's also a crap ton of data in there, right? So that's, you know, most of these CNAPPs are SaaS-based offerings. And you're going to struggle to find most of the CNAPP vendors hosting that much data. In fact, I'd like to say most of us try and shy away from storing as much customer-specific data in the cloud because then we become the targets of attack vectors, right? We become an attack vector for your environment. So we like, you know, from a CNAPP perspective, to come in, do whatever intelligence in your cloud environments, right? So when we're doing container scans, for example, we're going to do those container assessments in your environment. So any private access to the registry stays local. You know, any sensitive information that might be on that container that we discover, we're going to flag as being there. But we're not necessarily going to export the raw data and then potentially compromise your account. So, all that to say, it's a piece of the puzzle. XDR is certainly something that, you know, CNAPP platforms can export to or be a part of as well. I know my particular one does, you know, with the ones that the XDR and SecureX here at Cisco. We're integrating with those kind of platforms, and others could too.

Rick Howard: So Tim, one clarification point, a crap ton of data. Is that the technical term we're using for that? [ Laughing ]

Tim Miller: Yeah, it's slightly -- slightly a larger amount than a truckload versus, you know, a station wagon full of tapes. You know, show my age here, you know.

Rick Howard: Kevin, though, I mentioned firewalls at the beginning of this. It feels like when all the firewall vendors went to the cloud and built software firewalls like Cisco and Check Point and Palo Alto Networks and Fortinet and all those guys, it feels like this is something those platforms would eventually do. Is the software firewall merging with a CNAPP platform, or are we going to keep these two things separate?

Kevin Ford: Yeah, I don't know that I see the firewall itself merging with the CNAPP platform or things like CASB. But it is, you know, it is kind of in that same realm of your, kind of your complete breakfast, as far as it's concerned, as, you know, your cloud security. You're going to want to have those things as well. This is more if you focus at kind of at the application stack, trying to push identifying vulnerabilities or even, you know, malware or hidden secrets in your code, in your dependencies, and making sure it doesn't make its way up into the cloud. And then also monitoring the workloads while they're in the cloud, right? And so one of the things you said that actually kind of resonated to me, Tim, is that, yeah, this can potentially be seen as maybe part of a complete XDR solution, right? Particularly when we get into the area of workload protection, workload analysis, that sort of thing where we're not just looking for configuration issues, but we're actually starting to get into the abilities of, you know, looking at system calls and scrutinizing those. So it's not just about misconfigurations anymore. We can also start to look at, you know, what our -- what our workloads are doing in either serverless or container environments. And that's very important. And that gives us kind of the same lens that we get from more traditional XDR technologies like EDRs that feed into XDR.

Rick Howard: These things are Swiss Army knives of capability. They can do lots of things. My personal favorite of this is just the reduction of complexity, especially if you're in a multi-cloud environment. That's what would appeal to me if I was considering buying one of these tools. But what's your favorite thing that a CNAPP does that you think is very valuable?

Tim Miller: Certainly bringing everything into one, I hate to say the -- hate to say it, you know, a single pane of glass, right? Yeah. Bringing all of this information together is certainly key. But honestly, if you don't do it right, if you're not doing more than that, right -- I can have 12 different risk engines, you know, generating alerts from, you know, detection and response to workload protection to vulnerabilities from the pipeline. I could have pages and pages of red. So the goal of a CNAPP is not only just to bring it together but to bring context to it. So the real promise and the real value is when you -- when you're prioritizing these risks, you know, putting, you know, looking at them in their context so that you can identify those things that you need to remediate first because every one of those risk engines is going to give you a prioritized list from its myopic perspective, right? So CVEs, you know, they have CVSS scores, right? And, you know, they're all nine point -- Well, I won't say they are all, but most of them are 9.8. How do I tell these hundred 9.8s from those hundred 9.8s, right? And there's products out there that help you to do that from just the vulnerability perspective and some telemetry from the internet. But, you know, if that workload is not public, if it's behind -- you know, if it's private access and you've done a whole lot of mitigating controls to make sure nobody can get to it, do I need to make that my first priority? Or is the public-facing one the one I need to mitigate, right? So the real value that CNAPPs bring, especially when you're dealing with the attack path analysis, is to look at those in their context and prioritize your risks. And that's really -- that's really where CNAPPs shine. If they do that attack path analysis right and prioritize it well, then that's gold for a SecOps engineer.

Rick Howard: So double down on that for me, Tim, because you and I talked about that in the pre-work before we started recording. Explain to me what attack path analysis is in the context of a CNAPP. What does that mean?

Tim Miller: Sure. To continue that thought of these risk engines, right? I've got all these different things that will do a posture assessment, look at misconfigurations, and things like that. The detection and response will give me alerts from API security. I'm looking at the traffic, looking at the traces that are generated by those REST API calls, and getting sensitive data detection and things like that. All these alerts are parts of your application. And really, what attack path analysis is about is putting the MITRE ATT&CK framework to work, right? We know this. You know, there's all these techniques and tactics, right? And so how do I move laterally through an environment? You know, I have -- as the owner of that environment, I see it all, right? And so can I use this tool? Can I use this CNAPP to look at these misconfigurations and look at the various vulnerabilities and stitch together a path through my environment from public access to, you know, crypto mining?

Rick Howard: A CNAPP can find open pathways across the intrusion kill chain that you may not know that you had.

Tim Miller: Exactly.

Rick Howard: We know what Panda Bear's attack path is because of the MITRE ATT&CK framework. Does it tell us that you're open to Panda Bear? Or are we still waiting for that to happen in a CNAPP environment?

Tim Miller: So you can write specific queries to look for that particular attack.

Rick Howard: You have to do that yourself at this point. Yeah.

Tim Miller: Right. So you either do it or, you know, the community has written it for, you know, there's popular CNAPPs out there. So there's a body of work that -- that enthusiasts have put out there. Or if your attack path analysis is algorithmic, you know, and you give it kind of the basic framework for that attack, it can find that plus variations of it. So don't -- So you can do very specific queries and look for that specific thing. And if you've got it, then you'll find it. But if there's variations to that attack that develop, you're going to miss those until you write those specific queries. And that's where attack path analysis that uses algorithmic or, you know, generic query approaches, that's where they'll shine in that they'll not only find what you're specifically looking for, but they know how to be generic enough from an algorithm perspective to find those things you're -- or find variations of it and find things you're not looking for.

Rick Howard: So, Kevin, do you think there's a world in the future where the vendors will provide, they'll suck in the attack path from, say, Panda Bear and say, hey, you're wide open to this, as opposed to them, customers having to figure out themselves? Because that's what I would want as a CISO. I want them to -- They got the intelligence team. They should be able to tell me that, right?

Kevin Ford: Yeah, I don't know if I think that's where it's going. That's where I hope it's going. That kind of high-level context is really important for a security manager or a CISO. The MITRE ATT&CK framework, and there's one for cloud as well, is a very, very powerful tool at understanding the stepping stones to getting hacked and making sure that when we talk about shifting left, we're cutting off the ability of an attack as close to the entry point as possible. So, you know, a CNAPP can do a lot of things that can help us understand and identify the steps along the attack path, things like understanding specific vulnerabilities that a particular threat vector would use. Understanding, I talked a little bit about the infrastructure and posture, so understanding the posture and infrastructure of my underlying cloud account, how things are engineered, not just within the workloads, but, you know, all the supporting infrastructure. And things also like entitlement management, understanding who can get to what from where, right? That can really help you understand what the potential for lateral movement is as well. So there are a lot of handy tools in there that can help with that cloud attack framework and evaluating that. I would love to see, you know, a company put together an attack map, something that's more of a stepping stone chart that I could, you know, bring the CEO in or CIO in, point and say, hey, you know, this is where we have an issue. So the attacker can walk across this path and this path, but, you know, we've blocked this path, and they can't go anywhere. That's always been my dream to be able to just kind of show that. But so I think there are a lot of tools in CNAPP that can help us illustrate that. But I'd love to actually see a company put one of those together as a visual. It would be pretty cool.

Rick Howard: The last time I checked the MITRE ATT&CK framework, there was about 150 active campaigns they're tracking, mostly nation-state. They don't really track criminal groups that well. But if you talk to Microsoft or you talk to anybody else, really, like the FBI, they think there's about 100 active cybercrime groups. So if we could have built into the CNAPP all those attack paths and let it tell us that, hey, you guys are open to 25 of these attacks, that would be very useful, I think, right? So that's my dream, too, Kevin. That's what I'd love to see. Tim, since ChatGPT first came out at the end of 2022, we broadcast out of the state of Maryland, and by Maryland state law, we're not allowed to even record a podcast unless we talk about the implications of large language models, machine learning, and the future of AI. So where do you see all that fitting in to the CNAPP platform?

Tim Miller: Well, the first easy step, I think, is because there's so much capability in there, so many of those risk engines that feed data in, custom reporting is hard to do, right? Some vendors are doing, you know, fairly well at it, some not so much. But I think that is probably the easiest benefit. And we see that already coming out. You know, we're going to -- we're going to announce something here soon. Competitors have as well. So the ability to basically have an AI bot to help me navigate the platform, right, doing simple things like show me, you know, the five latest, you know, vulnerabilities that showed up in my, you know, in my environment overnight, you know. So that nice AI bot type of chat ops approach to your platform, except backed by natural language processing, right, you know, the whole benefit of, you know, conversational interactions with my CNAPP platform.

Rick Howard: Yeah, not a Terminator sentient being, but the large language model to help us navigate the CNAPP platform with more efficiently. Is that what you're saying?

Tim Miller: More humorously call it the C3PO of AI, right? [Howard laughs] So it'll be this nice little -- this nice little bot to help you navigate all the different aspects of your platform.

Rick Howard: Kevin, what's your take on this? You have to weigh in on the AI discussion. So what do you think?

Kevin Ford: Yeah, it seems like I'm always talking about AI these days. Yeah, within, you know, within security tools, not just within CNAPPs, we're starting to see the emergence of AI bots, and exactly the way Tim described it is they're kind of helpers for a particular suite of tools. And so they're of, I would say, of mixed effectiveness. It depends on what your -- what your organizational security workflow is. If you have analysts working directly in those tool sets, it can be very helpful. But if you're a large organization or an organization that generally relies on SIEM tools, you know, you have multiple of those sorts of suites of tools, right? And so that becomes kind of less helpful. That doesn't mean it's not a value add for the product. You can, you know, if you see something in a SIEM tool and decide to go under the hood with any one of these, you know, particular security tools, you can use that AI to help an analyst to, it's generally someone who, you know, sits in the SIEM tool level, understand what they're looking for in that deeper security tool level. So it just really depends on your workflow and, like I said, how you interact with the security tools.

Rick Howard: So guys, we're getting to the end of this. If you could give the audience one takeaway about why they should be using a CNAPP platform, let's say, what would it be?

Tim Miller: I would say that the easiest takeaway here is that there's far too much complexity in deploying just a single web service to a cloud. I mean, just, you're dealing with, at the bare minimum, a dozen different services you have to configure. And that's the most basic application you can deploy. And quite frequently, we see hundreds. You know, just when I deploy a Kubernetes cluster, my list has 35 different services that go into deploying a Kubernetes service. It's extremely complex. It's too much for a single human or a team of humans to keep in mind all the different ways that I can move laterally through that system. So you have to have it. It's table stakes for operating applications in the cloud.

Rick Howard: So it does a lot of things, but probably the number one, according to you, Tim, is its complexity reducer. I'll just give that the Twitter line, right? How about you, Kevin?

Kevin Ford: Man, I'm just going to jump on what Tim said to begin with. Yeah, reducing complexity, that's huge for us. You know, being able to use a tool to essentially manage all this is a really big step in the right direction. I'll also say that, you know, before CNAPP was coined as a term, a lot of these functionalities existed. They're just kind of getting packaged into this larger CNAPP suite. So if you're someone who's cost-conscious, which I think all of us are, bundle and save.

Rick Howard: Mm-hmm.

Kevin Ford: Get yourself a CNAPP.

Rick Howard: Exactly right.

Kevin Ford: Don't buy all these things individually. Yeah, so.

Tim Miller: We're seeing that consolidation happening. All the vendors are acquiring, you know, different startups to build out that portfolio because, you know, data security is a big one where we're seeing acquisitions happen in 2023. So, yeah, it's -- it's a growing space, and you're just going to see that functionality continue to consolidate in a CNAPP platform.

Rick Howard: I used to be one of those guys, you know, that I'd always want the very best tool, the shiny object. Let me have a thousand of those things, right? But as I've gotten older, I don't have the energy to manage that, so give me something easy. It may not be the best tool, but at least it gets the job done. And, like you said, the complexity is a lot lower, right? So I appreciate that. Well, I have learned a lot about CNAPPs, more than I did before we started this program. So I appreciate you guys coming on and helping this. But before I let you go, I always like to give the audience, point them in the direction of good content. Anything interesting you've been reading, Tim, that you want to point people to?

Tim Miller: I've been catching up on all the state of, you know, state of affairs for 2023.

Rick Howard: Because it's the end of the year and new year? Yeah, yeah, yeah?

Tim Miller: Yes, that's right. And the GitLab State of DevSecOps was a very interesting read, specifically about, you know, the AI -- how AI is helping software development. There's a lot of interesting insights in there.

Rick Howard: Perfect. How about you, Kevin?

Kevin Ford: Yeah, if you're a -- if you're a federal contractor, you should be aware of the new CMMC proposed rule is out. So, if you want to dig through hundreds of pages of legalese, do that. But we talked a lot about the MITRE ATT&CK framework and I'm a big fan of that, as you could probably tell. And so something I've been digging through recently is the MITRE ATT&CK evaluations around different security tools. It's a pretty nice site they put together. And then you can actually go and find some real neat third-party dashboards also, so something probably every CISO should be aware of.

Rick Howard: I've been reading Andy Greenberg's Tracers in the Dark book, probably the best cybercrime book I've read in the last decade. And it pretty much blows away any idea that we had that crypto stuff was anonymous. The good guys know how to break all that. I'll just say that. It's a fabulous story, so everybody should go out and read Tracers in the Dark. Well, boys, we did a good job here. Thanks for coming on the show, and we'll talk to you all later. [ Music ] We'd like to thank Tim Miller, the Technical Marketing Engineer at Panoptica, Cisco's Cloud Application Security Solution, and Kevin Ford, the CISO at Esri, for helping us get our arms around this relatively new security tool that might help you reduce the complexity within your security stack. And we'd like to thank Panoptica for sponsoring the show. Finally, to learn more about cloud-native application protection platforms, consider attending the Cisco Live EMEA Conference in Amsterdam in just a few weeks, February 5 through 8. The conference URL is in the show notes. This has been a production of the CyberWire and N2K. And we feel privileged that podcasts like "CyberWire-X" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people, who make you smarter about your team while making your team smarter. Learn more at Our senior producer is Jennifer Eiben, our sound engineer is Tré Hester, and I'm Rick Howard. Thanks for listening. [ Music ]