
A Conversation With Sarit Tager from Prisma Cloud

Jul 29, 2025 · 26 min

Episode description

➡ Prevent Risk At The Source with Cortex Cloud: https://www.paloaltonetworks.com/cortex/cloud/application-security

In this sponsored conversation, I speak with Sarit Tager, VP of Product Management at Palo Alto Networks, about how Prisma Cloud and their new ASPM solution are transforming cloud and application security by unifying data and deeply integrating business context into AppSec workflows.

We talk about:

Unifying AppSec, Cloud, and SOC into One Data Lake
How Palo Alto merged their products into a single system that consolidates runtime, code, identity, cloud, and SOC data, allowing for true context-aware risk prioritization and faster response times across the board.

From Detection to Dynamic Prevention
Why the future of application security isn’t just about discovering vulnerabilities, but enforcing smart, context-based guardrails during development, CI/CD, and build processes to prevent issues before they reach production.

AI-Powered Insight and the Future of Secure DevOps
How their system uses AI to analyze the full security posture, enrich findings, simulate attack paths, and recommend precise mitigations. The platform also guides security and engineering teams toward better workflows, boosting developer velocity rather than blocking it.


Subscribe to the newsletter at:
https://danielmiessler.com/subscribe

Join the UL community at:
https://danielmiessler.com/upgrade

Follow on X:
https://x.com/danielmiessler

Follow on LinkedIn:
https://www.linkedin.com/in/danielmiessler


Chapters:

00:00 – Sarit’s Background and the Goal of Unifying Security Context
01:50 – Building a Single Data Lake for Cloud, SOC, and AppSec
04:28 – From Noise to Clarity: Fixing the Prioritization Problem in AppSec
06:47 – Using Business Context to Drive Risk-Based Decisions
10:18 – True App Ownership, Developer Velocity, and Aligning with Business Impact
13:12 – Continuous Discovery and Bringing External Signals Into One View
15:25 – Why App Grouping and Context-Rich Policies Increase Velocity
17:58 – How Attackers Are Already Building Their Own Unified Context (UEC)
20:45 – Prisma’s Control Points: IDE, PR, CI/CD, Image, Admission Control
21:56 – Bringing In Data From External Scanners and Enriching Coverage
24:23 – Ecosystem Signals, Query Language, and Intelligent Workflow Automation
25:05 – Closing Thoughts: Security and Developers Working Together

Become a Member: https://danielmiessler.com/upgrade


Transcript

Sarit's Background and the Goal of Unifying Security Context

S1

Unsupervised Learning is a podcast about trends and ideas in cybersecurity, national security, AI, technology and society, and how best to upgrade ourselves to be ready for what's coming. All right, well, welcome to Unsupervised Learning, Sarit. Can you give a little bit of background about yourself and what you're working on?

S2

Yes. So I'm Sarit Tager, and I lead product management for application security. ASPM is part of Cortex Cloud in Palo Alto Networks. I come from a background of engineering and product, from several different areas, mostly, in the last years, cloud security and application security. I always say that I come to the application security space from handling, or kind of using, all these different tools of application security and trying to have the right experience for both developers and security people: to be able to actually solve the problem for the security people and not have so many problems on the production sites, but also make sure developers understand what they need to fix and why they need to fix it.

S1

Okay. That's great. And I was looking at the site and the platform prior to joining. It seems like it's becoming quite cohesive with all the different pieces. And I heard somewhere else that you're looking to unify into a single data lake, which is something that I'm really excited about. I would love to hear more about that.

Building a Single Data Lake for Cloud, SOC, and AppSec

S2

So basically, Palo Alto Networks had a product called Prisma Cloud, which handled cloud security and also application security, and another product called Cortex that handled the SIEM and the SOC side of things. And in the last few months, we actually merged these two into one data lake, in which you can do everything. All the information you need is just residing in one data lake, whether these are attacks coming from the SOC or cloud posture findings or application security ones. And think about the potential of having everything within the same data lake,

like in one click. You can ask questions that in the past weren't as simple to ask, because the information resided on different systems and you don't necessarily have the context. And if you think about application security in this sense, the thing that application security lacks the most is the context. Like, I see so many things, which is not good, but I don't know if they are really going to production or if they're going to be exploitable.

Are they going to be used by my application? So one of the things in application security is that you have just too many issues. Usually developers either ignore them or they get mad at the security people, because they block them on every build or PR, and there is no balance in understanding, okay, these are the things that need to be fixed. And when we introduced Cortex Cloud, and then when we introduce ASPM as well, we actually say we bring

everything together. You don't need to look at different things, whether you have different scanners, whether you have different version control or different CI/CD systems, whether you have different clouds. If you want to see everything, you can come to our environment, come to our solution and have the platform you need for everything within the same place. It means that we give the context we

get from the cloud. It's not just that you see things for the code side of things; you see things on the code side, but then they are connected to the cloud ones, and the cloud ones are being connected to the SOC ones. So it's actually one system that covers everything that a security person cares about with regards to how you see things within cloud. And we also acknowledge the fact that cloud is growing very fast and application to cloud is growing

very fast. AI is bringing a bunch more code into the environment. Many of our colleagues' code has been written by different models. All of these things also bring security issues, and they don't solve the problem of having a lot of problems before production.

From Noise to Clarity: Fixing the Prioritization Problem in AppSec

But what we bring to this one is saying: you have a lot of risk. We will help you to prioritize them, but not just to prioritize them, but also to prevent them. Because most of the solutions say, I will prioritize everything for you, which is great, but the funnel keeps growing. You cannot kind of manage it. And what we are saying is, we will allow you to actually do a much more flexible and recommended prevention. How do I do the right guardrails within my pull request? How do

I do the right guardrails within my build? And this is using all the things we know from production and from the actual runtime environment: whether it's actually deployed, whether it's open to the internet, whether it has access to sensitive data, all the questions you can think of on how my application will look in production. This is something that we have natively, because we have everything on the data lake, and the potential is huge.

S1

Yeah, that is absolutely wonderful. I'm so excited to hear this. I was wondering who's going to kind of move in this direction first. This is very exciting. So a good example of this that I always go to: I was at Robinhood doing vulnerability management and application security. I was in charge of those two groups

during Log4j2. And so what everyone had to do was get their spreadsheets ready and start pulling down manual lists and trying to cross-reference where in the actual technical infrastructure it is. Okay, which app is that? Okay. Who actually owns that app? Who do I actually ping to try to go out here? And I'm like, what we actually need is a single place where this stuff is located that actually understands: Is this live right now? Is it a system that's running, or is it a

system that we could turn on? What version of the actual application or the library is enabled? Right. Because it could be that one of the versions is vulnerable and one of them isn't. Right. Who's the owner? All of these things. So asset management just being natively built into it, understanding ownership being natively built into it, that's just really exciting.

Using Business Context to Drive Risk-Based Decisions

So do you have also the business understanding, potentially, that you could bring in? So for example, we're worried about these things because we're in this particular industry. We're in this particular country. We are particularly concerned about the exfil of particular data because

we're in defense or something like that. Which to me is really interesting, because it can automatically do what we've been trying to do in information security for so long, which is prioritization of vulns. Before, we were using vulnerability information to prioritize vulns. But what we should have been doing is saying no: What are our actual assets? What do we actually care about as a business? That automatically does it for you if you have that context.

S2

So, very good question. And just reiterating about Log4j: yes, it usually comes at the worst time, being Christmas on the Log4j one. And it's a good example, because people mostly didn't understand where their Log4j is actually located, like where they use the actual vulnerable package

or the version, actually, and whether it's just in the code or also in production. And all of these different things are super complicated when you have to do it under a lot of stress, and you already know that there is an exploit available and people try to exploit. So it's super,

I would say, too late in the process. And you mentioned another thing which is super important: trying to figure out from the cloud who is the owner.

S1

Is.

S2

Good, but it takes too long to understand who is the owner. The developer probably already did several other things between now and then. And if you think about it, you try not to block, to be able to make the developer velocity very fast, but in the end, because you kind of bother him with problems from production, you bring him tasks that were not planned originally to be solved.

So while you try to make the developer velocity fast, you actually make it slower by trying to figure out who is the owner. And owners tend to not be that simple to understand. When you see a CVE within a package, who is the one? Is it only the last one that changed the file, maybe to a different version, or the one that actually added this package into the code?

So it can be a lot of different owners. And when you are close to the code, it's much easier to understand who is the owner, because he's the committer of the things and he can block things before even going into production. Going back to your question about the business impact of things, and also what we can say about the industry you are in. So, yes. One of the things we always say about ASPM is that it kind of connects the business with

the security. If you think about all the evolution of the different ASPM stuff, it's always about infrastructure, about network, about identity, about data, but application is about actually connecting what the customer knows about his application, honoring the business owner, the criticality of the business, the fact that, for example, I can later understand whether this

True App Ownership, Developer Velocity, and Aligning with Business Impact

application is mostly vulnerable, for example, to data theft. So probably try to harden it based on what the application is doing versus what the potential is of being exploited within. And this is something we're also going to add more of in the future, trying to understand what the application is inside and allow you to bring the relevant guardrails to help you solve this problem. So, yes, business is a very

important part. We are going to make sure it's going to be very aligned with what we do on the security side. I think application is the first time it actually connects everything. And when we talk about application, this is one of the things which is super exciting about what we are doing: while in other places you can define an application for the code, or you can define an application for the runtime, what we do is say we don't care where you start to

build your application. You can start from the runtime. You can start from the code. The system will automatically enrich everything for you and actually connect all the relevant assets into one application. And you mentioned something which is also important. If you think about, for example, you said I want to find all the places I have Log4j. Think about a repository that you didn't scan.

S1

Yeah.

S2

So you don't even know if you have this problem or not. And one of the things we invest in in our solution is making sure that you have good visibility of what you are actually doing. Because if I see a risk and I don't know what the coverage is, then the risk may not be correct. So it's not the right place to go.

S1

Yeah. So for that piece, are you talking about continuous discovery? Continuous monitoring of the external attack surface, to just be aware and then bring that context into the data lake if it's not already there?

S2

So it's already there. It's part of the solution, having the attack surface as well. As I mentioned, we brought all these different models, different signals, into the same place. And then, besides providing insight by ourselves to our customers, we also allow the customers to query things they care about. They can do it via the graph, or they can do it via our query language, and

they can query basically everything. One of the discussions is that if you think about the amount of different things we have within the system, whether it's the SOC environment, the AppSec persona, the runtime, the posture management, they can create something that will be kind of an

Continuous Discovery and Bringing External Signals Into One View

overlay of everything. The system brings some of its own, but it's also open for everyone that wants to query it. So, very exciting. And we have a lot of super cool things that are planned as part of our ASPM solution. I really believe that if we think about next-generation application security and how it connects within the cloud, and the fact that everything is super fast, this is the

way to go: connect between the things, bring insights. I think one of the things we see is that people don't want to search within a search engine. They prefer to

ask a question. And in my opinion, one of the things we are doing on the ASPM team is trying to give the answers instead of letting you go into different tables or different places to look for your information, but rather give you insights on the things you can do and the recommendation on how

to prevent it. And in theory, I would like to make sure that we have very good prevention, in which what you see in cloud was only created in cloud and not something that was created by code.

S1

Mhm. Yeah. That's really interesting. So what I see happening from this is that you could roll this out and suddenly your users are way larger than the security team, because this is so vastly important to the entire company. They likely don't have a universal place to go and ask questions. And what you're likely to end up with, as you know, is that the best asset management in the

company is going to be this tool. So people who aren't even thinking security, necessarily, are going to be like, I need the current list of this. What's facing the internet? Lots of different users could potentially need this.

S2

And again, in the context of the business: yes, these assets are part of my application. It's not just an asset. I can know that this asset is part of an application, and the application is owned by someone. This is the business owner of it. This is the one that needs to fix things. We're also talking

Why App Grouping and Context-Rich Policies Increase Velocity

about the option to group things based on applications. So you can see, based on the permissions you have, the application you want to see. And all of this is coming into the context: the code context, the cloud context, the things we have from the runtime and also the ones we get from the business application. So yes, you are correct.

This data lake, in a way, is our secret for this, and the things we do with the data, which is based on AI and the ability to actually learn from the data, is what makes the solution such a potential for, as you mentioned, security people. In the end, they cannot chase risks. They need someone to be able to fix things before they do that. They don't do policies today because

it's hard. Because developers tend to say, no, you just blocked us. We cannot bring velocity. We cannot bring more application, more business value, to our customers. And we want to say no: if you do it right, and you do the right guardrails, and you do prevention in a way that you have all the context, then your velocity will be increased and not decreased.

S1

Yeah, I am really excited about this. So what I've been telling everybody, customers or whoever is asking, is they want to know what AI is going to do for attackers and what specifically they're going to try to build. And what I'm telling everyone is, that thing that I sent you, that UEC thing, is that attackers are going to build unified context for targets.

So what they are going to do is send out agents. They're going to find your list of employees, they're going to pull all their social media, they're going to find all your DNS, they're going to pull all your domains and your subdomains, and they're going to start pulling all those different assets. And then they can start interrogating them for open ports and blah, blah, blah. So they are essentially building a unified data lake for

you as the target. And then the next time they have a new target, they go and do the exact same thing. And then they have agents that say, okay, given the context that you have, how do we attack? What social engineering campaign do we write? What exploit do we launch on this application? So my whole thing to everyone is: attackers are building this to attack you.

How Attackers Are Already Building Their Own Unified Context (UEC)

You need to have a better version for yourself. And I just absolutely love that you have such a prominent company in Palo Alto actually doing this, and doing this quickly. I thought it was going to take much longer. I'm really, really happy to hear this.

S2

Yes. So it's actually already available. It's already on the same platform. The data lake is there; we're just adding more and more content into it. And I really believe that while this

data lake improves cloud posture and improves SOC, it also improves AppSec, to make sure you don't get into production and wait a lot of time to get the fix, understand who is the person, try to figure out if they can fix the issues and deploy back, and then do testing and then deploy back. Kind of shorten these cycles and make sure that we will provide you with all the information you need to

remediate stuff, but also make sure you prevent similar problems in the future.

S1

Yeah, it's really powerful. So tell me again all the different controls that we have in the platform. So you have the ability to monitor incoming code and inspect and reject. What are the other control points that you have, based on something that you see in the lake?

S2

Yes. So we have a lot of different controls. We start from the IDE, the developer environment. When the developer writes the code, they can see everything we know within that. Of course, it's limited to what is currently being edited, but this is the first time you will find the system and the inputs and the outputs. Well, there is another one before the commit, but it's very special to specific use cases. The second one will be

when you do the pull request. We can check and kind of enforce. The other one is just monitoring and understanding what it is, but you can enforce things when you go into the PR and say, I don't want a critical CVE for a repo that goes to production, and I know this one is open to the network. The third one will be around build. I can block the builds, put it as a step in the CI and have all the context of understanding

what I'm actually blocking. And, of course, you have all the different monitoring, like the periodic scanning on a branch and on history. So you have a lot of things you can do and get all this information, and you also have the option to do some of

Prisma's Control Points: IDE, PR, CI/CD, Image, Admission Control

it on the image side of things, and, in the future, also for admission control, if you do it for this kind of software. So we have different options to guard, to put the guardrails in place. And as mentioned before, we are great believers in platformization and in the option to actually pull information from different other scanners, so we don't limit ourselves to the

things that come only from our system. We actually collect everything we have from the different sources. It can be different application security solutions. It can be different version control. It can be different CI/CD systems. We collect everything in and provide our enrichment. So it's very important

for us to give the value even before you use the scanners: make sure that you have all the value in the enrichment, the option to create applications, all these coverage things I talked about, and give value to our customers in, I would say, minimal time.

Bringing In Data From External Scanners and Enriching Coverage

S1

Yeah, that's really powerful. And then other components in the ecosystem are also adding to the data lake, right? So you also have that richness.

S2

So let's start from the beginning. The first one will be the code that we bring into the lake, the code findings. Different code findings can be open source, first-party code, secrets, misconfiguration, all of these things, APIs. The second one will be everything we bring from the CI/CD systems and the version control, like posture management. Think about the fact that I see a secret on a version control. It's not protected

by, let's say, MFA, for example. So where the code goes into is also another signal. We have all the signals of Cortex Cloud, as we say: the identity, the data, the network, the infrastructure, everything we have which is part of the solution for setup. And then all the things we have from our endpoints, from our agents within the cloud, and all the things we have from the attacker's perspective for the SOC. So everything you can think of

in this area is in our environment. It's a very big data lake with a lot of options to do the query.

S1

That's really powerful. So you can basically build an entire program off of constructing a really high-quality set of questions, and then basically have the answers to those questions trigger different pipelines or workflows.

S2

Exactly. And also lead users to improve their security posture by creating the right journey. Because we have all this different information, we can guide them to say, if you want to do it in this place, do that one, and then do it in stages or phases.

S1

Well, this is super, super exciting. I'm going to go and actually research a lot more about this, and I can't wait to see updates. Where can people learn more about the platform and what you're releasing and what's already released?

S2

So everything that we already released is on our site. And the second one will be our announcement of the new product, going on on the 25th of July.

S1

Ecosystem Signals, Query Language, and Intelligent Workflow Automation

Oh, great. Yeah, we will look forward to that. Anything else you want to add?

S2

No, I think I just want to say that I'm super excited. As I mentioned, coming back to my background, I feel that this is part of my mission: to make developers and security more friendly to each other, and to make sure the developer doesn't see security as something they need to do or ignore, but actually has this as part of their workflow, and to make sure security has all the information to be able to make the right security decisions.

S1

Awesome. Well, I think this will definitely move us in that direction. Thanks for your time.

S2

Thank you very much.

Closing Thoughts: Security and Developers Working Together

S1

Unsupervised Learning is produced on Hindenburg Pro using an SM7B microphone. A video version of the podcast is available on the Unsupervised Learning YouTube channel, and the text version with full links and notes is available in the danielmiessler.com newsletter. We'll see you next time.
