We are excited to be launching a new series of blog posts from members of the FireTail executive team, starting off this month with an update on the evolution of cloud security from FireTail Cofounder and CEO Jeremy Snyder.
Before FireTail, I had a career of 25 years in IT and cybersecurity. I started as a hands-on-keyboard practitioner for a couple of early SaaS companies and a video game company, before transitioning into product and customer-facing roles. I’ve continued my cybersecurity journey through a long stint leading sales, business development and sales engineering at DivvyCloud, and then in M&A at Rapid7 during the pandemic.
In late 2021, I took the leap to create FireTail with my Cofounder Riley Priddle as we saw the growing need for an API security platform due to the accelerated rate of API development in cloud-native applications, modernization and digital transformation..
Staying up to date with the cyber security landscape is super important, so we read a variety of publications, such as The Bleeping Computer, Security Boulevard, Portswigger Blog, the AWS Feed, DataBreaches.net, and Dark Reading, as well as industry analyst reports. This helps us keep up with current trends and continue to understand the threat landscape as well as the evolution of customer needs.
Cloud security is one of the fastest-evolving areas and it can be hard to keep up, but we at FireTail are here to help.
In 2021, I came up with a 4-quadrant model of the core areas of cloud security. The Y axis separates pre-production from production, so the left two quadrants are test, development and staging, while the right two are in the production stage. This model helps provide a layout of where the breaches are happening.
You’ll notice the technical stack on the vertical axis, building up from the core infrastructure layer (compute, storage, network), and then moving up into operating system, or its equivalent in container and serverless environments, with the application and API layers still above that.
I spoke about this in more detail at fwd:CloudSec Boston 2022- watch the talk here. Fun fact - despite being unlisted, this is one my most viewed and most shared pieces of content ever on YouTube.
As you go up the stack, most of the components have or are getting strong coverage. However the API is often the most external, public-facing component, and we felt that there was no existing, effective solution to defend against the threats that the data from our breach tracker showed us. According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs rather than in any other layer. In many cases, APIs are improperly configured and lack the necessary tooling, telemetry or security - either in the left-hand (pre-production) or right-hand (production) stage.
Historically, we saw many breaches occur in the bottom right quadrant, production infrastructure and this is why earlier cloud security solutions focused on this use case - monitoring and assessing the security configurations of production infrastructure resources.
The model was inspired by core use cases of cloud exposures that had occurred up to that point. But the CapitalOne breach of 2019, one of the largest breaches from recent years, changed a lot of the thinking around cloud security, and the need for more complete end-to-end, top-to-bottom visibility, understanding and correlation.
The methodology, scale and scope make it infamous, and the breach was sensationalized by the hacker herself publishing information about the exact ways she was able to exploit multiple, chained vulnerabilities.
This figure from Association for Computing Machinery’s (ACM) journal illustrates the most likely way that the hacker was able to use a misconfigured web application firewall to gain access to a virtual machine, its metadata, the identity role assigned to the machine, and through all this, finally to the credit card application data and more.
This type of figure is known as attack path analysis, a security analysis technique that identifies and assesses the paths an attacker could use to exploit vulnerabilities in an organization's systems and networks.
Huge vulnerabilities like this one at CapitalOne demonstrate the need for stronger correlation between various components of infrastructure, like their linkages and how access to resource A might inadvertently grant access to resource B.
Security strategies have historically focused on single attack surface points, which gives teams a limited view of vulnerabilities across the technology stack. Cybersecurity vendors are increasingly embracing a multi-layered approach, but it requires a huge investment to bring together the right data, with the right data analysis into a unified platform.
Nikesh Arora, CEO of Palo Alto Networks, recently discussed this need for “platformization.”
Two other interesting observations around this consolidation:
Where are we now in 2024?
As per Gartner’s prediction five years ago, APIs have become the most-targeted attack surface for bad actors. I admit that even starting FireTail in late 2022, I didn’t see the data to support that prediction, but someone from Gartner helpfully reached out to me to show that while APIs are not always the initial breach vector, APIs are leveraged in more than 90% of cyber attacks. The top breach of 2023 - moveIT software - illustrates this point.
Understanding the evolution of cloud security, and knowing that most modern API development is happening on cloud platforms, has helped to inform our vision towards providing end-to-end API security that can be easily integrated into cloud security, application security and other security platforms. We support the vision of correlating data from multiple sources to provide better security outcomes for customers.
Stay tuned for more information on our upcoming integrations. Oh, and if you’d like FireTail to partner with you, please contact us.