Cloud Security Is Not A Patchwork; How Lacework Approaches Security Differently

Security is the top priority for companies moving their workloads to the cloud. However, security solutions are often a lot of patchwork of different solutions glued together. In contrast, Lacework has created a platform from the ground up to offer a much more efficient and tightly integrated solution. So, how different is Lacework from incumbents like Aqua Security, Palo Alto Networks, or Threatstack? What unique value does it bring to the ecosystem? Let’s get answers to some of these questions.

Learn more about Lacework

Guest: Dan Hubbard, CEO of Lacework
Sponsor: Lacework

[expander_maker]
Here is a lightly edited transcript of the interview

Swapnil Bhartiya: Hi, this is Swapnil Bhartiya and we have with us Dan Hubbard, CEO of Lacework. Security is no longer an afterthought. It has become a number one priority for companies and we are seeing a lot of movement happening. So, what I do want to know from you is that, first of all, what is Lacework and how different is it from players like Palo Alto Networks, Aqua Security, Threatstack? Even VMware is acquiring a lot of companies that are focusing on security in this space. So talk about it.

Dan Hubbard: Lacework, we wake up every morning really thinking about how we can help our customers secure their workloads and their infrastructure and all their applications in the cloud. And we believe that it is such a challenge that you need to focus your entire company and everything you do in your company around that. We also have seen over the years that security companies have consolidated into larger players. Some of them, we’ll call them the incumbents, and what they do is they typically wrap and roll a bunch of things together, and they kind of put duct tape and glue on it, put a big marketing brand around it and then call it a platform. We’re a little bit different in that we created the product and the technology from a platform in the beginning and from the ground up, we really built it off of distributed systems at scale.

What that allows us to do, essentially, is to create, ingest, analyze, store, and query data at really high volumes. And doing that in the cloud as a SAS service is really critical. The areas that we’re a little bit different, the first one is we’re very different in that we do a broad set of things. So we span multiple categories, things like compliance for the cloud, configuration for the cloud, anomaly detection, build time, runtime, Kubernetes containers, breach detection. So we do a lot of things, so that’s what we call breadth. And then we’re also very deep within each of those categories through a core technology we have called the polygraph, which allows us to find and identify things without you having to provide care and feeding for the system itself. Lastly, we fit into your modern DevOps work, your life cycle.

So it’s one platform. You don’t have to stitch all these APIs together across different things. It’s one UI that allows you to look at all the data and look at the context and the efficacy of all that data. But also, we plug into things like JIRA and your metrics and monitoring systems like app dynamics and New Relic. And of course, things like PagerDuty. So we fit inside your system so you don’t have to actually alter that in some way. One single platform and then amazing efficacy and context without you having to write really complex rules and maintain those over time.

Swapnil Bhartiya: You touched upon a lot of things there. I want to understand a bit about, if you can a little bit, what is a polygraph?
Dan Hubbard: The polygraph is a technology that we created a number of years ago. And the great thing about the polygraph is that it learns about your infrastructure over time. So you can think of your infrastructure, essentially as a very large application. I mean, the cloud itself is just a big programmable application that allows you to do really complex things really easily at scale and it’s very, very powerful. And with that, you can do things that are maybe mistakes or people can penetrate and use your infrastructure, or the infrastructure you’re on, for bad purposes. So the polygraph itself abstracts all of that stuff and it builds models over time and looks at the state change over time to determine if something is a risk or a threat to your business, based off of anomalies and behaviors of things like API calls or processes or applications or network traffic or configurations within your infrastructure.

Swapnil Bhartiya: Lacework has a very strong focus on cloud-native and Kubernetes. Can you talk about how unique or different are the challenges for the cloud native work versus when you look at traditional workloads and how Lacework as you already mentioned, there is no patchwork? You are not applying plasters everywhere. It’s a very well-integrated solution. And that’s what we need in this space so talk about that.
Dan Hubbard: Yeah, so a couple of years ago, people couldn’t even spell Kubernetes. Now everybody is deploying, managing, talking about, looking at migrating, or planning to use Kubernetes in some way. It’s a very powerful system. When deployed, it abstracts a lot of the hard kind of plumbing that you otherwise may have to do around things like monitoring and auto-scaling within the infrastructure. And what we do is we give you visibility into all of your Kubernetes infrastructures. And then we build these models and we have known bad models and known risk models that map to things like PCI, SOC 2, nest and best practices. And then we have things that are the unknown.

The unknown are bad practices or mistakes or things that have elevated the risk within your company. Like you’ve opened a pod to the internet or your management server doesn’t have a password and someone’s connecting to it. And the most important, and the most powerful thing about our platform is we just don’t do Kubernetes, or we don’t just do containers. We do all of your cloud security. So we can do things like stitch together things like your cloud trail information or your GCP audit logs and your configuration data and your non-Kubernetes workloads and your container workloads and your Kubernetes data, and put all that together. Because if you don’t put it all together, then you only have one piece of this very complex puzzle. And it’s hard to solve that.

Swapnil Bhartiya: One more thing is that we live in this multi-cloud world, so if your customer or user is leveraging different clouds, do you support that multi-cloud, hybrid cloud strategy or you are kind of stuck to one cloud?
Dan Hubbard: No, it’s super important to our customers. I think now a little more than 75% of all of our customers in N plus one clouds. And it’s not typically that they have the same application spanning multiple clouds. That doesn’t happen that frequently. What it is, is that one business unit, one application, one pass service maybe, or one way that they’re doing compute in another group is different. And that has meant that they’ve got different applications spanning multiple clouds. And what we do is, because we support AWS, GCP, Azure, and then any flavor of Kubernetes, you can roll all that data and we’ll ingest all of that data across multiple clouds and surface it as one thing. Now we’ll give you the context. Hey, you’re failing at compliance in AWS, or you have a breach within your Azure infrastructure. We’ll tell you the context, but it’s all in one platform. So you can’t really secure or claim to be a cloud security provider if you’re not going across multiple clouds if you’re going to solve big problems for your customers.

Swapnil Bhartiya: Then you’re also making an announcement today, which is the new host vulnerability monitoring. Can you talk a bit about what it is and what are the new features, which will benefit DevOps teams?
Dan Hubbard: Yeah, so we’re a SAS service and when we release features, that automatically just goes out to all of our customers. You don’t have to upgrade or add patches or anything for our stuff. And the feature that we’ve added is host vulnerability scanning and the ability to alert and identify vulnerabilities within your infrastructure. Previously, we had what’s called build time vulnerability scanning, where we look at your repos and look at your infrastructure as code and determine if your containers and your infrastructure before you actually pushed it live, had vulnerabilities. And that’s really important. But what is actually more important is, once you push that workload or that configuration live to the cloud, you want to know if you have vulnerabilities that are actually inside your infrastructure. And then what we do is we pair the vulnerabilities with the infrastructure data we know.

So we call this the difference between vulnerabilities and being vulnerable. So if you have an important vulnerability that is in build time, that’s important. Now you push it to runtime, that’s really important, but now it becomes really critical. Let’s say, if you change a security group and now that port is open on the internet and then someone connects to it or is scanning. And then, of course, if someone exploits that vulnerability and then breaches you and moves within your infrastructure, you really want to know about that. So it really completes the picture all the way from build time to runtime and from vulnerabilities to identifying if you’re vulnerable. And if, of course, you’ve had a problem where a breach.

Swapnil Bhartiya: What is the shared responsibility model? Can you talk about that?
Dan Hubbard: Yeah. The shared responsibility model is fairly well known. It’s talked about by all three of the cloud providers. It essentially says that the cloud providers are responsible for things like the physical data centers, the hardware, the compute, the physical network, access to it, the hypervisor, and then everything else above that or above the stack is the responsibility of the customer. And the easiest way to think about is if you can configure it, you’re responsible for it.

We often also talk about sometimes the shared responsibility model or shared irresponsibility model within companies because what’s happening right now is people, especially in cloud migrations, and as they move towards the cloud, there’s a little bit of finger-pointing that’s going on, where the DevOps people are saying “We’re not responsible for this.” The security people are saying “We’re not responsible for it. We don’t run this infrastructure. They can do all these powerful things.” So, we really tell our customers, think about obviously your providers and how that applies, but also think within your company, who is not responsible and what is that collaboration or that organizational framework and apply that along with the architecture that you’re deploying for securing your infrastructure in the cloud.

Swapnil Bhartiya: Now, we have talked about the company. We have talked about how you’re helping the customers. Can you give me a quick brief about what kind of services, if you can, like kind of the product portfolio and how it looks like.
Dan Hubbard: Yeah. So the product itself is relatively simple in the way we kind of package and price it. Essentially, we say, if you operate inside of AWS, GCP, and Azure, our product will allow you to protect and secure that infrastructure. There are many different ways to slice that and, depending on the maturity level of your organization, where you land is different. Many say B2B, SAS, startups that are starting to get customers, they land in compliance because it’s a sales enablement tool. A lot of their customers are saying “Hey, how secure is this infrastructure? I’m going to put my data in there. How do you know it’s secure?” So, compliance and best practices are really critical there so we have a part in helping you be compliant across those three clouds and within Kubernetes and your configuration. Then we have the ability to look at your infrastructure as code all the way from build time, your containers and your infrastructure, how are you deploying your code and everything is infrastructure as code in the cloud before you build it. And that’s a very dev centric view.

And then, as we talked about before with vulnerabilities, we now can translate that into the runtime. What are the applications that are running? How do you map those applications? What’s the behavior of those applications? Have you had a misconfiguration or a bad practice that has led to a breach? So for us, it’s really about comprehensive cloud security that allows you to identify, of course, the risks but also the threats. And the unique thing about the cloud and technologies like containers and things like Kubernetes is that the speed and the velocity of change is very, very quick. There’s not really a point in time where you can say we have this, or we have that. It’s really ephemeral. Things are changing and going up and down all the time. The network’s encrypted. The IP addresses are changing continually. So you have to have a near real-time view of what’s happening in order to adapt and, obviously, to have real good context and efficacy.

Swapnil Bhartiya: Who is your typical customer? Can you talk about that?
Dan Hubbard: Yeah. So we’re lucky enough to have a great growing list of customers. The customer’s range… you can kind of oversimplify it, but there is definitely an overlap of companies that were born in the cloud. They’re typically less than six or seven years old, never, ever owned hardware, don’t own a data center. They’re a little more forward-thinking in the way that they are developing their applications and pushing them.

And then there’s companies that are migrating to the cloud. They had a traditional data center, and maybe they moved one project over, they bought a company and they live in the cloud, but they’re looking to migrate and they have what’s called a cloud first initiative, which means every net new application is moving to the cloud. In both cases, the pain points are relatively similar in that they need compliance, GRC, configuration, audit visibility, and, of course, breach protection across both, but the common aspect across whether you’re in the cloud today and born in the cloud or migrating, or have just parts in the cloud is really how do I move at light speed, how do I move at a pace, but still continue to run a safe and secure environment that can protect the data and, obviously, the customer’s data that you’re storing and using in the cloud.

Swapnil Bhartiya: So looking at this change of landscape, what is your prediction for cloud security?
Dan Hubbard: Yeah, so first off you only just have to look at the trends of what’s happening in the time that’s compressed based off of, obviously, unfortunately, COVID and what’s going on in the world where companies have often talked about digitization, they’ve talked about things like cloud migration or utilizing the cloud, or using applications and technologies as a competitive advantage. Now that time has compressed, the three year, two-year projects are now six months or one-year projects, and people are having to move really, really quickly and many times, due to business existential threats, other times just strategically, they want to move that forward.

And you see that in the results of obviously AWS, GCP with Google, and with Azure, and the amount of compute storage and applications, and just that revenue that’s growing. What I’m seeing is that there’s really a sea change in the customer base. And there’s a sea change in the way that technology is being delivered. It’s really about, obviously, software as a service. It’s not about hardware, it’s not about software, it’s about services, and it’s about allowing and enabling those customers and those prospects in the market to really focus on what is super, super important to their businesses, not building huge security teams, not managing massive amounts of security infrastructure, leaving it to services like Lacework. And I really believe it’s going to be critical for us to coexist with the cloud providers, of course, but also open source tools. Kubernetes is a great example. Docker is a great example of that. The Linux ecosystem is obviously really huge, but also into operating with things like metrics and monitoring and, and DevOps tools.

And this dev sec ops movement that’s been talked about a lot, that’s also really starting to contract in time and people are really starting to figure out how do we get to a place where maybe the SISO is more governance and tooling, and then the dev and the security nuts and bolts is built into the dev teams. And we do that in a way that allows us to move quickly, but still maintain security over time. So lots of great stuff that’s happening. I think it’s a great time to kind of rethink how we do security. And a lot of the tenants in the cloud are actually quite a bit better than they’ve been in the past with this whole defense in-depth thing that’s been going on for years.

Swapnil Bhartiya: I think we are looking at kind of golden age of security and in a positive way, not in a negative way, a lot of [inaudible 00:15:33] there, but when we talk about all these changes that are happening yet also noticing a lot of consolidation is happening though. Big companies, a lot of acquisition is also going on there. What does this mean for a company like Lacework?
Dan Hubbard: Yeah, so security has often been a place of consolidation. You go to RSA and you see 200 new vendors every year. And the problem, and the interesting thing from a business perspective, is most of these companies have built features that belong in a broader platform. And they may be happy with raising a little bit of money and going and selling their company for a hundred or $150 million, and then they become part of something else. And so those kind of building blocks over time have been things like part of your endpoint, antivirus, or EDR or XDR or part of your gateway or your firewall, or your network infrastructure, or maybe part of an authentication system in some way. I believe that this is so different in the cloud that actually you need a standalone product. You need something that is just entirely focused on this problem set, and it’s not part of another pillar. This is the pillar. This isn’t part of a firewall. This isn’t part of your authentication. This isn’t part of your endpoint. This is actually something on its own that needs to be standalone. It needs to operate on its own.

Now it needs to work with other parts, of course, but I think it’s pretty critical that the company… I think the company is going to be most successful is one that focuses the best on this. You know, a lot of people also have been burned over the years of one company going out and buying three or four parts and putting them together and then innovation stops and there’s infighting about which UI wins, which API is out there. You’ll see multiple logos on different pages all over the place. And the end result is that it’s not great for customers. The customers want you to move as fast as the market’s moving. So I think really focusing on this is going to be critical. And, personally, I think this is such a large opportunity, a large TAM that a company will be created, one or two minimum, that will be standalone publicly traded companies down the road.

Swapnil Bhartiya: Dan, thank you so much for taking your time out today and talking about security and I look forward to talk to you again.
Dan Hubbard: Thank you very much. I enjoyed the conversation.
[/expander_maker]

Cloud Security Is Not A Patchwork; How Lacework Approaches Security Differently

Latest Episodes

CNCF Graduate KEDA Makes It Easier To Autoscale Kubernetes Applications

LF Europe To Democratize Generative AI | Gabriele Columbro

Cyber Resilience Act Could Be Utterly Harmful For Europe | Hilary Carter – Linux Foundation

Has DevOps Lost its Luster? | Interview With Progress VP Of Strategy Mark Troester

There Is A Misconception That The Cloud Makes Security Easier | Dan Benjamin – Dig Security

You may also like

Latest Episodes