Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A: All right, hi everyone, welcome to today's webinar, hosted by Deepfence. Today's topic is understanding attack paths: the key to alert fatigue reduction and better remediation. I'm Ryan Smith, head of product and solutions at Deepfence. Today with me I have Shyam Krishnaswami, our chief technology officer. Welcome, Shyam, appreciate you joining us today.

B: Hey, hello everyone.
A: Security challenges that companies face when they move into hybrid multi-cloud environments, or even single-cloud environments, because the landscape of those environments has changed drastically, whether it's the types of infrastructure and hosting services available to you, whether it's the differentiation between IaaS, PaaS and SaaS within the cloud, or whether it's just the demands of the different hosting requirements you might have. This new complexity within these cloud environments, whether it comes from infrastructure complexity or application complexity, has caused us to need new detection methods for what we're deploying.
A: So this has led to tool proliferation within cloud environments. Enterprise security teams have, on average, 75 security tools that they've bought. I'm sure you could go through the categories: workload protection, firewalls, CASBs, CSPM tools. Then you quickly realize how many tools you have within your own security ecosystem and budget, and all of these tools are spouting off alerts, to the tune of greater than 500 public cloud security alerts daily that are reviewed by SOCs.
A: So these tools are proliferating, and not only these alerts, but people have to respond to these. They have to either ensure that they're not false positives, or they have to validate the alert they're seeing, and because teams have limited resources, limited time, limited money, limited subject matter expertise of those resources, they're missing alerts, right, because they're having to swivel-chair between 75 apps. They're having to review those with the limited staff that they have, and 55 percent of organizations have reported missing key alerts in security incidents, either daily, weekly or hourly.
A: It doesn't just impact our security posture, though; it impacts our resourcing and our people and our efficiency within our security operations in dealing with different types of alerts. So 62 percent of organizations have said that alert fatigue has caused turnover for them within their SOC, and we already know that security engineers, SOC professionals.
A: All of these other key functions of the SOC go underserved because we're just dealing with alerts all day. So not only are we dealing with alerts all day, but this causes burnout, fatigue, turnover. But there's hope here, right? The statistics, the research, the data indicate that with proper risk prioritization, and what we mean by that is not just identifying vulnerabilities but evaluating them according to their exploitability within the environment.
A: 97% of alerts that we get from our security tooling can be reduced, so that 30 hours a week turns into one hour a week of alert triaging, and it opens up so much more potential for our security teams to contribute in positive ways to our security, risk and compliance posture that we didn't have before. So we're really excited to dive into this topic a little bit today, but we think cloud security needs a little bit of a reset because, as we've seen, alert fatigue is off the charts.
A: It's actively hurting your security resources and teams. Unfortunately, adding more tools and more software to the equation doesn't seem to help. It just creates more silos, more fragmentation within our security alerting and our detection and response. And so how do we really break free of this Sisyphean endeavor of rolling up the hill with all of these things? And that brings us to the topic of today's webinar, which is that attack path identification, management, analysis, etc., i.e. adding more context to the security scans and results.
A: We're getting in our environment ultimately leads to better risk reduction and the ability to remediate those alerts with the proper controls, so you can better situate how your controls are performed and where they're needed within the environment, so you're effectively spending your security resources, whether those be technology resources or people resources.
A: Deepfence approaches this issue of how do we identify attack paths by creating what we call the threat graph. What the Deepfence threat graph is for us, and it's available across our product suite, is runtime context, or security observability, within your environment. And what we mean by that is we don't just scan your environment for where risk is, even though we identify what vulnerabilities you have, where you might have malware within the environment, exposed secrets within that environment, or even misconfiguration issues that could lead to cloud breaches.
A: But we add what we know about the runtime context of the deployment of that application in the cloud, whether that be netflow information, who's talking to whom, what that looks like, to create for you which of those vulnerabilities, malware, exposed secrets, misconfigurations is actually exploitable by a threat actor, and identifying and helping you map the actual attack path they would take to exploit that vulnerability.
A: So the example we always give, and Shyam's going to show this later in the demo, is you might have two machines on the network that are both infected with a zero-day like Log4Shell in Log4j, like we were all worried about last Christmas time. And when you're thinking about remediating an environment that might have thousands of instances of Log4Shell, like our customers, it's important to know which instances are actually attackable. So what Deepfence would do in that scenario is evaluate.
A: So what this does is, in a zero-day scenario, when you're scrambling to remediate your environment, find out whether you've been hit already or not, it allows you to prioritize where to put protections, where to put remediation efforts, where to spend your people resources remediating those assets, and not focus on the 97% of other instances that have that vulnerability but aren't exploited, exposed or attackable in a way based on how a threat actor would use a particular tactic, technique, procedure.
A: This also allows you to remediate those attack paths, which brings us full circle to: how does this allow better remediation? Well, in those scenarios we can put appropriate controls and coverage on the assets that have that attack vector available, in these choke points. Ultimately, to do that, we're going to come back to that screen, these two screens here, but I wanted to go into how this reduces alert fatigue and remediation, and then we'll go into a little bit of how we do it on the previous screens.
A: Nodes, pods, images within those things, then we can eliminate those types of attacks, and this is pretty typical, almost project management behavior that it allows security operations teams to undertake, right? Project management teams have different weighting. One of the most common is WSJF, right: smallest effort, greatest impact is what that tries to do. And so, if we can evaluate our high-value targets within the environment.
A: By identifying these attack vectors, then our remediation efforts ultimately become that smallest effort with the biggest impact on security coverage and risk within our environment, and so this ultimately leads to better remediation within the environment. What we call security observability, because you get real-time visibility of those assets and a continuous assessment of their security posture based on that runtime, real context, which allows you to make better management decisions, project management decisions around resource allocation, whether that be where do I put certain security controls, where do I have to spend on security controls.
A: Now that controls often come in a consumption model, where do I need to target my people resources when I do patching efforts, when I'm looking at remediation efforts or forensics and response in a zero-day scenario where I've already been impacted or exploited? And ultimately it helps us ensure compliance, because all of this is continuous rather than point-in-time, static snapshots of our environment, so it allows better upkeep of these things.
A: In real time. So once again, what is the key to security observability, attack path identification? Well, for us, it's these four pillars that really converge, and unless you're adding these four contextual pillars to your environment, then you're just getting vulnerabilities ranked by severity and CSPM results ranked, I think, by severity, and you're.
A: Seeing all of these things in different platforms that you're having to swivel the chair to, it's like putting together pieces of a puzzle but you're missing four pieces, right? In the end, you're going to have an incomplete picture of the true coverage of the attack or what happened, because these data points are going to be in different systems; they're not going to have the same context associated with what's happening in the environment; they're going to be at different points of time. So for Deepfence.
A: We really need to always think about measuring and contextualizing the attack surface of the environment with network flow information, cloud metadata, vulnerability, CSPM, malware scan results, putting all of this within a singular platform and system, evaluating what comes in and what goes out of an environment. So this is true traffic analysis and deep packet inspection, but targeted deep packet inspection, because doing deep packet inspection across all north-south, all east-west.
A: All the time would be not only resource and time and money intensive on your infrastructure systems, but it just wouldn't be effective for prioritizing how we spend our security resources. So that analysis of what comes in, what goes out allows us to identify what's changed within the cloud: the applications themselves, the traffic, the process behavior, and better lead to security decisions. So Deepfence ultimately provides you a platform built on context, and we talked about alert fatigue earlier in the conversation.
A: This is why alert fatigue happens in the first place: because all of these fundamental controls, data analysis, environment coverage, all of that complexity needs to be housed within a singular platform, a singular system that ultimately allows us to provide better security observability, attack path identification and then, ultimately, remediation and coverage of the digital attack surface within our enterprise environments.
A: The last thing I'll cover is, we've talked about the alert fatigue benefits, the 97% reduction, which ultimately helps converge along these items, right, which is you're spending less triaging: that 30 hours a week becomes an hour a week, so for your average SOC employee, you're saving fifteen hundred dollars a week of people cost just on that.
A: When you total up these cost savings, whether it be by consolidating all of those critical cloud alerts and contextual data points into a singular platform, or the people cost associated with managing the alert fatigue that comes from traditional cloud security systems, platforms that approach risk reduction with attack path analysis ultimately can save 245 business days on average, roughly three hundred thousand dollars a year, and that's significant, particularly in tougher economic times.
A: When we're thinking about ROI of our security decisions, we really think that approaches around attack path analysis are important to cost and time analysis as well. And I'm going to dive into a demo, but I do think we have one question, which was just around sources for the statistics. And yes, we can provide the sources there in the notes of the PowerPoint when we send out the slides. So that's various research from various studies, but each of those are outlined in the notes.
A: So now we wanted to shift today's webinar to a demo around how attack path analysis affects remediation, and Shyam's going to show two systems within Deepfence and the differences between why attack path analysis is important. Over to you.
B: Thank you, Ryan. Hello everyone, thank you for joining us today. We did hear and talk about what is an attack path and why it is important, how it is built. Right now, let's look at this attack path from a different perspective of what do we do with it next, right? Now that we have built an attack path, now that we have looked at various vulnerabilities, secrets, malware, cloud scans, the scans within cloud services, what do we do with it next? What do we want to do with it?
B: What I'm going to do now is I'm going to share my screen, and we're going to look at the attack path within our platform, and we're going to go ahead and see what would happen if somebody is trying to take advantage of some of the exposed vulnerabilities, or if somebody is trying to exploit those vulnerabilities, how we can protect ourselves when someone tries to exploit those vulnerabilities.
B: Now, to see this attack path in a little bit more detail, let's go over and look at some of the other results that feed into this entire path. For example, here is a set of vulnerabilities that are available to us from various vulnerability scans. In particular, we're going to take the vulnerability scan results for some of the containers to illustrate this attack path. Let's take vulnerability scans on our WordPress, MySQL, a sample Log4j vulnerable application.
B: So when we take the vulnerability scans of this, what we do as a first step is we look at these vulnerability scan results, and then their CVSS score, their reachability. What Ryan explained in a previous part of the discussion, around "I have a vulnerability; is it really exploitable?", would mean that there need to be a multiple set of factors for this vulnerability to be actually exploited.
B: [inaudible] the vulnerabilities, just by adding context, just by being able to understand the nature of our vulnerability, we are able to bring it down to a number where we can understand what it is that we need to fix first. Now this is for vulnerabilities. Similarly, we take the secrets, we take the results for various cloud scans, again to build out the attack graph.
B: Now, just a while ago, we discussed the results of various vulnerabilities and those results being fed into this attack path. Here's a sample here: as you can see, there is a container here, this is a sample container, where we see that there's a bunch of vulnerabilities which have been identified as being exploitable and which are thought to be exploited. Now, the reason why this container features here, but not the other MySQL or WordPress containers, is simply because of the fact that those vulnerabilities are not directly exploitable.
B: In addition to this, this platform, the Deepfence platform, is also able to understand context here, which means that the vulnerabilities that exist within this container can be reached from another container, which is an HAProxy container, right? So which means that, not only is this platform able to add another context, the runtime context is also meaningful here in a way that: how can these vulnerabilities be exploited? What is the path to this?
B: Vulnerability is being exploited, and that gives us more, and this runtime observation gives us an ability to plot this for all the users of the [inaudible], so that they can focus on those that really matter. So now, as we saw here, we did have vulnerabilities on a few other containers, but the mere fact that those vulnerabilities are not reachable, or they belong to a different class of exploitability, we were able to build out this attack path, right? So now we have built this attack graph. We have looked at the various [inaudible] within our environment.
B: We have added a runtime context into all this to get here. So here comes the next important part, which is: what do we do with this right now? The most obvious thing here is, we have provided a tool for security operations to start the remediation processes. But then again, over the course of this remediation, as most of us know, remediation is not a one-day, one-time effort. It is a continuous process.
B: So, during this continuous process, how do we make sure, or how do we ensure, that the vulnerabilities that do exist in the system are not exploited? And this is where the runtime piece of the platform comes into play. What happens is as follows, right: Ryan spoke about being able to focus and target our efforts on being able to understand what comes in and what goes out within the whole infrastructure, right?
B: So what we can do is we go back here and we look at those systems that have the container that's running, and we start the east-west, north-south traffic analysis on that. [inaudible] Okay, you can always use the various APIs that we provide within this platform to be able to perform the same east-west and north-south deep packet inspection, right?
B: So let's take a quick look at what we mean when we say east-west, north-south. Earlier on I spoke about being able to target our efforts. So what we do is we look at the various processes within our system. We choose those processes that are receiving traffic, and we start the whole east-west [inaudible] for basically what comes in and what goes out, the two important pillars of the whole security observability, on those processes that really matter, as a sample.
B: Right, I am getting a payload that is purely an SQL injection attack. These are the various categories, classification within the whole runtime scenario. Now that we have started this whole east-west, north-south deep packet inspection, that would help us to build, and that would help us to understand, the various alerts or various events that happen in our system. That, for example, helps us to look at very low-level payloads that come into our system, like this one that I have shown here, right?
B: So now what happened was we built the attack path. We then started the east-west, north-south deep packet inspection, and we are able to see such low-level information on what's going on and the various attempts to exploit your issues, or those vulnerabilities, secrets, malware or misconfigurations within our infrastructure, right? Now, going above and beyond this, we would also like a platform like this to be able to protect ourselves from these kinds of exploitation.
B: To that extent, we help [inaudible] policy. Here's a sample security policy that is within the system that helps to understand, for example, [inaudible] security policy, where you say that if a malicious payload is observed within the network, please go ahead and block the sender of the traffic to this network, right? We are able to set various security policies, and I'm just going to quickly show an attempt to exploit one such vulnerability.
B: Now we did see the Log4Shell vulnerability coming up in our attack path. We also saw some previous attempts to be able to exploit the attack path, and here is a security policy that we have set that will stop any such attempt to exploit that vulnerability. So let me go ahead and run an exploit, and we will see how we are able to block the attack. So I have here an exploit that is prepared.
B: Let me just quickly show the contents of the exploit. It's a standard Log4j exploit, and I'm going to start the attack now. Once I start the exploit, I will see that there's a kind of a response that I get here, and you will see that further communication attempts to this server have been completely blocked.
B: For example, if I were to do a curl again to the same IP address, I would see that I am being blocked here, because a protection policy has been set, and, as you see here, the IP address has been blocked for the next time. Here is a log that just came into my system: a protection policy has been set and it has been enforced, right? So this is the whole sequence where we are able to prioritize our remediation efforts, and we are also able to prioritize our protection methods.
A: Perfect, appreciate that, Shyam. Thank you for contextualizing for us everything that we talked about previously. It's always, at least from my perspective, better to see those things in action rather than just see a bunch of stats and slides about it.
A: Now, we're largely loved by our community. We have over 5000 stars across our products on GitHub. If you'd like to go into our GitHub and star any of our repos, we'd appreciate that love and support from our community, if you thought what you saw was cool here today. Otherwise, you can get started with our products.