AWS re:Invent 2022 - Context is everything: CNAPP revolution to secure AWS deployments (PRT254)

Organizations want to securely migrate to the cloud, reduce risk, innovate faster, and accelerate mergers and acquisitions without security concerns. Staying ahead in this era of rapid cloud adoption requires you to rethink your security approach. In this session, learn how organizations of every size are adopting Wiz’s agentless security solution to get complete visibility across all their AWS services (Amazon EC2 instances, AWS Lambda functions, Amazon EKS, and more), prioritize the most critical risks using a security graph, and build partnerships with developers to harden their cloud security posture. This presentation is brought to you by Wiz, an AWS Partner.



Content

0.33 -> - Thank you very much for joining us today
2.43 -> for a session about
5.19 -> context in cloud security
7.11 -> and how it can revolutionize your cloud security journey
11.55 -> for your AWS deployments, of course.
14.49 -> So we have a packed agenda.
16.23 -> We're actually gonna touch first on the challenges
19.2 -> that we're seeing across any customer
21.18 -> that starts using the cloud or already in the cloud
24.03 -> and grows into the cloud,
25.53 -> and then we're gonna talk about a new approach
28.23 -> that helps these organizations actually revolutionize
32.31 -> and streamline the way they do security.
35.13 -> And then we are honored to have John Visneski,
39.45 -> CISO for MGM Studios, to join us for a fireside chat
43.62 -> to discuss his experience
45.63 -> and his organization's experience in the cloud,
48.553 -> and then we're gonna open up the stage for Q&A.
51.75 -> So you have a mic here, and a mic
53.82 -> that will be running around, and feel free to ask
57.45 -> any question in the end.
60.15 -> So let's start with Wiz, a little bit about the company.
64.26 -> Wiz is really defining cloud security.
66.3 -> We are relatively new company.
67.86 -> We've existed for less than three years,
69.87 -> but in this short time, we are actually one
73.2 -> of the fastest growing software companies ever.
76.38 -> We are securing millions of cloud workloads daily,
79.68 -> and we actually are trusted by more than a third
83.31 -> of the Fortune 100 companies
85.62 -> alongside hundreds of other customers from all shapes,
88.86 -> sizes, verticals, and geographies.
91.86 -> The one thing that is common to all of these organizations
94.56 -> is, of course, that they are using cloud
96.18 -> in order to build their business, transform their business,
98.935 -> and continue and innovate.
101.22 -> Now,
102.51 -> the thing is that all of them are actually experiencing
106.98 -> the same challenges as they start using the cloud.
110.34 -> And when we ask customers and we are trying to understand,
113.077 -> "What are the things that are challenging
114.93 -> your security organization when you start using
117.75 -> the cloud more and more?" we see three main challenges
121.26 -> that we're gonna talk about.
122.73 -> One is really the complexity of the environments.
125.49 -> So some organizations are using one cloud,
128.55 -> some may use more, but you also have clouds within a cloud.
131.64 -> You have Kubernetes, you have VMware running within AWS.
135.45 -> You have different architectures.
137.22 -> Think about VMs, of course,
139.68 -> but you also have PaaS services, containers,
142.59 -> Kubernetes, serverless containers like Fargate,
145.65 -> serverless functions, and they're all working
148.47 -> with each other in order to deliver
150.66 -> one single cloud application that you need to secure.
153.529 -> The problem is that each architecture today
156.12 -> requires a very different approach for the security team
159.39 -> into how do we think about securing it.
161.64 -> That's a lot of complexity there,
163.56 -> but that's only the beginning.
165 -> The second challenge is really around how do we think
167.7 -> about the risk in the cloud environment.
171.09 -> So we all know that we need to scan for vulnerabilities,
173.79 -> we need to scan for configuration,
175.92 -> but actually, is this enough?
178.14 -> Of course not.
178.973 -> We need to take all of this signal, and we need,
180.9 -> then, to think about what do we actually prioritize.
183.96 -> And then we need to address some very tough questions.
186.48 -> What is the likelihood of this vulnerability
188.79 -> actually being exploited?
190.47 -> What is the exposure of this resource?
193.53 -> And will this determine the likelihood of the risk?
196.35 -> But then, we also need to think about the impact.
198.6 -> If this resource gets compromised,
201.24 -> what will the threat actor have access to?
204 -> What are the permissions? What are the secrets?
206.13 -> What are the high value assets or the sensitive data
210.15 -> that will be accessible from that resource?
212.25 -> That's the impact analysis.
213.9 -> The problem is that everything is very manual today
216.84 -> within security and the traditional tools
218.94 -> that are being used.
220.5 -> The third challenge is how to operationalize it at scale.
223.23 -> When we think about scaling the cloud security, the program,
227.37 -> we need to think first about how do we gain visibility
230.07 -> to any cloud that we are running, any cloud application.
233.01 -> Second, we need to think about how do we actually deploy
237.12 -> a very fragmented suite of tools,
239.22 -> and then we need to create this remediation process,
243.06 -> not one, not a dozen,
244.44 -> but sometimes hundreds of different teams
246.12 -> that deliver to the cloud.
248.34 -> So these are the challenges,
249.837 -> and the problem is that the traditional security tools
252.45 -> are simply not helping us to identify these risks
255.69 -> that we want to identify first.
257.88 -> They're scanning, and they can find many different things,
261.33 -> but again, they don't address the basic question.
264.208 -> Like in this diagram, the basic question that we are asking
267.93 -> in terms of risk is, "Is this VM actually exposed
270.69 -> to the internet or not?
272.1 -> Can someone from the internet try to exploit it or not?"
275.25 -> Instead, what we have,
276.27 -> we have scanners that are scanning independent resources.
279.48 -> They lack the context.
280.68 -> They generate a lot of noise that, then,
283.17 -> it actually creates sometimes and doesn't even increase
287.4 -> the key security metrics.
289.23 -> It actually helps us create noise,
291.45 -> so we need to work for the tooling.
294.06 -> So we need to see through that noise
295.74 -> and identify what's important and what's not.
299.13 -> What we see is actually a lot of misconfigurations
302.25 -> that we can't make sense of.
304.11 -> We need to basically see one thing,
306.96 -> whether this VM is exposed or not, but we're seeing
309.45 -> many misconfigurations that don't tell us that.
312.99 -> The same thing happens with vulnerabilities.
315.36 -> Every other week, we've got yet another vulnerability
317.79 -> that is exploitable, and we've got many instances
320.76 -> of that vulnerability in the environment.
322.77 -> And we're asking our teams, "How do we prioritize
325.23 -> the most important ones?"
326.85 -> And the teams get a list of all the instances
329.7 -> that have this vulnerability, and now they need
331.47 -> to contextualize it and prioritize.
333.6 -> So they need to look at the workload,
335.13 -> they need to look at the cloud configuration,
336.87 -> they need to look at the business context.
339.09 -> And only when they create the full context,
342.42 -> then, they can have an intelligible answer.
344.79 -> We're saying, "We've found this vulnerability
347.01 -> on this resource.
348.33 -> It is very important because this resource,
350.7 -> we happen to identify that it is internet facing.
353.67 -> It has access to a key
356.94 -> that is exposed,
358.32 -> and this key is actually paired with a service account
361.77 -> that has access to a bucket.
363.33 -> And guess what?
364.17 -> This bucket contains sensitive data.
366.3 -> So if this vulnerability actually gets exploited,
369.72 -> we are in a very serious problem, so let's fix it first."
372.66 -> This is a level of context that you want to have
374.88 -> to every single misconfiguration, every single vulnerability
378.3 -> that you see in your environment.
379.8 -> But unfortunately, what security teams are seeing today
383.94 -> is at least a dozen different tools
386.52 -> that each one focuses on one part of the risk.
390.18 -> It can be different types of risks,
392.94 -> like vulnerabilities assessment tools
395.04 -> will scan for vulnerabilities,
397.11 -> CSPMs will scan for misconfigurations,
400.08 -> CIEMs will look for misconfigurations
402.9 -> in the infrastructure entitlements,
405.06 -> the cloud identities that we use,
407.64 -> and we have tools for different architectures.
409.92 -> We have a container security solution,
411.93 -> a VM security solution, a serverless security solution,
415.86 -> and we even have tools that scan the runtime environment,
419.58 -> post-deployment, but also pre-deployment.
421.89 -> You have IaC scanning, container scanning,
424.5 -> secret scanning.
425.7 -> They're all looking at the same cloud application.
428.25 -> But now, we, as security teams,
430.05 -> need to do the mesh of all the signal,
433.53 -> which obviously doesn't work, doesn't scale well.
437.16 -> Basically, we have a new market,
438.66 -> Gartner called it CNAPP,
439.8 -> cloud native application protection platform,
442.71 -> that is actually implementing all of these capabilities.
447.51 -> And that's what we did with Wiz.
449.13 -> We implemented every single capability,
451.83 -> but instead of doing it as a suite or in silo,
454.59 -> we did it as one single product.
457.14 -> When we do it as one single product,
459.63 -> we can unlock a whole lot of new value to customers.
463.14 -> First, you get frictionless visibility
465.84 -> to any cloud environment that you have.
468.6 -> Any architecture, completely agentless.
472.2 -> Connect an API and you gain full visibility.
474.9 -> No friction to the teams.
476.94 -> Second, we are not only scanning
479.43 -> for vulnerabilities misconfigurations,
482.19 -> we're actually doing the extra mile of correlating
484.74 -> all of this signal on a graph database
488.25 -> powered by AWS Neptune,
490.8 -> that we are using it in order to contextualize
494.04 -> and correlate so we can see through the noise,
496.89 -> provide context on every finding that we have,
499.83 -> and then prioritize it accordingly.
502.68 -> And the third thing,
503.85 -> once we achieve this level of accuracy, guess what?
507.12 -> You can let the engineering teams in.
510.24 -> You can provide them access.
511.38 -> You can democratize the view on the AWS resources
514.023 -> that they are using and the risks that are attached to them.
517.74 -> And this is the process of democratizing security,
520.17 -> not only to the security teams,
521.659 -> but across anyone that builds through the cloud.
525.24 -> So how do we do this? In four simple steps.
528.33 -> The first one is really an agentless connector
530.49 -> to your cloud environment.
532.77 -> It's a cloud role, we connect to the cloud APIs,
535.86 -> and we scan everything that runs in your cloud.
538.86 -> Second, we perform deep cloud assessment.
541.92 -> We can think about the traditional scanners
544.02 -> like we talked about, vulnerabilities,
545.94 -> misconfigurations, malware, data scanning,
548.85 -> but we also have a cloud risk engine
551.13 -> that can understand the more complex types of risks.
554.7 -> For instance, what is really exposed?
557.58 -> What are the lateral movement paths?
559.47 -> What are the excessive permissions?
561.93 -> And then we also benefit from the already existing tools
566.64 -> that you have in the environment.
568.16 -> AWS Macie, GuardDuty, CloudTrail,
572.07 -> other third-party tool.
573.42 -> We ingest all of this signal,
575.34 -> and then instead of bombarding you with this,
577.77 -> we actually correlate it on the graph.
580.02 -> The graph is the thing that really allows us
583.17 -> to remove the noise and identify
585.54 -> what we call toxic combinations.
587.7 -> Toxic combinations are
591.09 -> one resource that has multiple different issues with it,
595.59 -> that combined together, it creates a full attack path.
598.62 -> The full attack path is a critical risk,
601.23 -> and this is how we can uncover what is actually important
604.83 -> to do in your cloud environment to reduce the risk
607.35 -> and see the noise.
608.7 -> And then you are ready to start hardening
611.1 -> and reducing the risk in your cloud environment.
613.05 -> You have an accurately prioritized list,
615.03 -> and you can integrate it to your processes,
617.1 -> whether these are Jira, ServiceNow, ticketing systems,
620.52 -> whether it's auto remediating into the cloud,
622.83 -> completely automated or single click,
625.11 -> and you can even implement it in the pipeline.
627.18 -> You can use CI/CD or the Wiz CLI in order to scan images,
631.11 -> infrastructure as code, and other artifacts
633.36 -> before they are even getting to your cloud environment.
638.34 -> And let's go into the details.
640.05 -> First, the agentless visibility.
642.507 -> The agentless visibility, actually,
644.34 -> what it allows you to do is to connect the cloud role.
646.8 -> The cloud role is read-only.
648.36 -> It connects with the cloud AWS APIs,
651.06 -> and it starts by analyzing all of the cloud configuration.
654.06 -> But then, we're actually using an additional set of APIs
657.84 -> to analyze the actual workloads.
659.7 -> So if these are VMs, we can analyze the snapshots.
662.7 -> If these are containers running on these VMs,
665.13 -> from these snapshots, we can actually analyze
667.95 -> the containers running on any VM
669.9 -> that you have in the environment.
671.49 -> If these are Fargate containers, we can get their ID
674.82 -> for the image, and pull it directly from the ECR.
677.82 -> If it's serverless function like Lambda,
679.8 -> we can basically pull the code and scan it.
682.26 -> In fact, with a single API connector,
684.51 -> we can scan every single piece of code
686.58 -> that runs in your cloud environment.
688.23 -> And it literally takes you minutes to connect.
690.42 -> We support more than 60 different AWS services,
693.72 -> all with that one single connector,
695.58 -> including all of the code that they are running.
698.58 -> Now that we've established this type of visibility
702.57 -> to your environment, we can run for you
704.46 -> a whole set of scanners.
706.68 -> We talked about the vulnerability scanning,
708.9 -> the malware scanning, the data scanning inside data assets,
712.56 -> and the configuration scanning
714.12 -> of any resource that you have in the cloud.
717 -> And we are also doing the advanced analysis.
719.73 -> I wanna pause for a second and take a few examples
722.46 -> on how the graph is used, not only to correlate the signals,
726.06 -> but also to run an advanced analysis.
728.76 -> We talked about the misconfigurations on network exposure.
732.21 -> I'll show you how Wiz actually is doing it very differently.
735.51 -> What we are doing, after we are correlating
737.52 -> everything on a single graph, all of the network topology,
741.33 -> all of the routing routes, all of the security groups,
744.15 -> all of the gateways, the load balancers,
746.31 -> peering, everything is in one single graph.
749.73 -> And then we are actually running a flow analysis
752.19 -> that shows us all of the technically open ports
755.94 -> that you have in your cloud environment.
758.07 -> URLs, everything that is open network-wise,
761.61 -> basically, Wiz will be able to identify.
764.55 -> Is this enough?
765.87 -> It's much better than any other CSPM tool out there,
768.48 -> but it's not enough, because we want to achieve
770.55 -> 100% accuracy.
772.74 -> How do we do this?
773.88 -> Everyone, how many of you received an alert
776.52 -> with an RDP open on a Linux machine?
779.61 -> It happens.
781.11 -> Is it open? Technically, yes.
783.27 -> Is it risky? Not really.
785.16 -> How can we avoid it?
786.63 -> So basically, Wiz is running an active validation.
789.72 -> We are actually scanning from the outside,
792.42 -> and we are actually saying, "This port is active.
795.51 -> It's open.
796.343 -> This RDP is actually not open on the Linux."
799.23 -> And then we can even take it a step deeper.
801.42 -> We can identify the protocol, and we can scan the HTTP.
805.32 -> Let's say it's a web application,
806.7 -> we can identify what's running there.
808.47 -> Is it unauthorized? Is it HTTP okay?
811.35 -> And this is how you get 100% accuracy
813.81 -> on what is your actual cloud exposure.
816.42 -> No one knows it today.
817.5 -> It's unbelievable, but Wiz can identify it
819.75 -> as soon as you connect it to your cloud environment,
822.06 -> everything across any architecture.
824.28 -> And that's just one example.
826.32 -> The next example is actually around escalation path.
830.19 -> How do I know what is effective permissions
834.54 -> that I'm granting to every single entity
836.88 -> across my cloud environment?
839.16 -> It's very complex.
840.75 -> Cloud identity allows us to do fantastic things.
844.86 -> It allows us to assume roles,
846.09 -> it allows us to put conditions,
847.5 -> allows us to scope the access, but what is the end result?
852.75 -> Wiz is running a very similar analysis
854.88 -> to the thing we've seen with the networking
857.13 -> on identities as well.
859.02 -> So we can identify whether a resource has an exposed AWS key
864.99 -> and whether this key is tied to an admin role
867.99 -> that have cross-account access to another machine
870.87 -> that can assume another role, that can assume another role
874.02 -> with access to sensitive data.
875.76 -> That's exactly what threat actors are after,
878.22 -> and that's what Wiz can identify before they even try it.
881.7 -> We can show the network exposure, the permissions
884.88 -> across any resource that you have in the cloud
886.89 -> as soon as you connect Wiz.
888.99 -> And that's powerful because, then,
890.91 -> we can take all of these deep insights
892.98 -> and correlate them on the graph.
894.327 -> And now, we just need to look for this attack path.
898.38 -> Do we have an exposure to a resource that is vulnerable
901.592 -> and has a lateral movement path to a data asset
904.77 -> that has sensitive data in it?
907.17 -> And this is how Wiz becomes accurate.
911.1 -> When we show you that there is this attack path, it exists.
914.67 -> It's not a heuristic, it's not based on events,
917.34 -> it's there.
918.173 -> You can go and you can fix it
919.5 -> before anyone else can find it.
921.57 -> And that's powerful because it allows you to not only use
926.1 -> all of the different security findings from Wiz, AWS,
929.76 -> but also correlate this risk, have one prioritized list
932.82 -> and send these high-fidelity alerts
934.95 -> to the engineering teams.
936.27 -> Guess what? They will thank you.
937.89 -> They will say, "Oh, we haven't realized
939.66 -> that this is actually what's happening.
940.98 -> Let's fix it."
941.94 -> And that changes the whole discussion.
944.88 -> Now, let's see a few examples.
947.01 -> This is a real example of what Wiz can identify.
949.92 -> Until now, we have this diagram,
952.26 -> but this is what the Wiz product actually shows you.
954.69 -> We scan an environment, and you get an alert
956.85 -> where the alert will show you, "Here is a topology
960.12 -> in the networking that exposes this resource.
963.39 -> Here is a key that we found. Guess what?
965.16 -> On this resource also,
966.15 -> there is an exploitable vulnerability.
968.34 -> And through that key, we can assume a few roles
971.55 -> all the way to sensitive data in a bucket."
974.64 -> And everything is native.
975.96 -> We don't need any other, you don't need to deploy anything
978.84 -> except for the Wiz role on your cloud environment.
983.31 -> But we also can ingest from other signal.
986.1 -> There is a fantastic integration with Amazon GuardDuty
989.82 -> where we can actually ingest all of the different findings
994.83 -> that GuardDuty found from events, from network flows
1000.14 -> in your cloud environment.
1001.22 -> All of the alerts.
1002.45 -> And then what we can actually do on the alerts
1005.36 -> is the same thing that we did with vulnerabilities.
1008 -> We can contextualize them for your SecOps teams.
1010.85 -> And we can say, "Hey, look at this SSH brute force alert.
1014.57 -> We get thousands of them every day.
1016.55 -> But guess what?
1017.383 -> You have one machine in the environment
1019.22 -> that has password authentication enabled,
1022.19 -> it has a weak password, and guess what?
1024.62 -> It can also assume an admin role in your account."
1027.2 -> So out of these thousands of SSH brute force alerts,
1030.35 -> this one is actually critical,
1032.09 -> and Wiz can immediately show you this through the graph.
1035.99 -> Now,
1038.21 -> there are infinite ways.
1039.237 -> That's the beauty about the graph.
1040.85 -> There are infinite ways in which we can analyze the data.
1043.88 -> We can do the same secret scanning
1046.07 -> and just apply it on buckets.
1048.17 -> And guess what?
1049.003 -> We can scan every bucket that you have in the environment,
1051.26 -> especially the publicly exposed ones,
1053.78 -> identify if there is a secret there
1055.58 -> and show you the effective exposure
1057.56 -> that that secret creates.
1059.3 -> So if there is a bucket with a critical key,
1061.67 -> Wiz can find it for you.
1063.38 -> And it's not noise, because same thing that we analyze
1066.08 -> for networking, we analyze on secrets.
1068.42 -> And we can show you what is effective permissions
1072.23 -> that every secret has.
1075.26 -> And same thing that we do in PaaS, in VMs,
1078.86 -> applies in the same manner to any architecture you choose.
1082.94 -> And that's the beauty about it.
1084.2 -> Until today, as security teams,
1086.06 -> we always chased what the engineering teams were doing.
1089.217 -> "Now, they chose to use ECS Fargate.
1091.64 -> Great, we need to find a solution.
1093.44 -> Oh, they are using serverless functions.
1095.12 -> Oh, now we need to onboard it."
1097.13 -> Now, what Wiz can actually give you
1098.95 -> is the same level of visibility across any architecture
1102.41 -> your cloud teams basically choose, and you're not behind.
1105.77 -> You're actually far ahead of them.
1108.23 -> And you can secure any type of architecture that you want
1110.72 -> with the same tooling.
1111.92 -> The graph will look exactly the same.
1115.88 -> Now that we have achieved this level
1117.95 -> of high-fidelity alerting, the ability to identify
1120.83 -> these toxic combinations in your cloud environment,
1123.92 -> now is the time to build a cloud security program
1127.4 -> that will engage with every single team
1130.01 -> that delivers to the cloud.
1133.01 -> This is where magic happens
1135.05 -> because this is where the wheels start to turn.
1138.44 -> And this is where you can see
1139.97 -> and scale out your cloud security program.
1142.16 -> From a cloud security program that is maintained
1144.71 -> by the security team, you can finally scale out
1147.32 -> to every team that is delivering to the cloud.
1149.48 -> How do we do this?
1151.07 -> Wiz has an ultra powerful RBAC module at the core.
1154.67 -> Every single resource that we see is identified
1157.97 -> with the business owners of that resource,
1160.34 -> either by tagging, by accounts,
1162.44 -> by clusters, by namespaces.
1165.5 -> You name it, CMDBs.
1167.93 -> We are stamping into every single resource
1170.99 -> and every single finding who owns this resource.
1174.59 -> And what you actually can do, you can delegate access
1177.59 -> to every developer in your organization,
1179.99 -> and based on SSO access and groups that you already have,
1184.46 -> they can be provisioned with access to Wiz,
1186.68 -> but they will see only the resources that they own.
1191.15 -> And now you're seeing everything as security,
1193.49 -> they're seeing their resources,
1195.05 -> and you have this shared view of what are the risks
1197.66 -> that they should fix.
1198.95 -> And you have the view of their entire organization,
1201.11 -> they see what they need.
1202.79 -> And this drives a whole different behavior
1205.01 -> because now you can actually ask them,
1207.927 -> "How would you remediate this in your cloud environment?
1210.56 -> You want a message into your Slack channel?
1212.45 -> Yeah, you can do it.
1213.32 -> It's not up to me, it's up to you.
1215.21 -> Do you want to integrate it to a Jira project? Great.
1217.465 -> Do you want to integrate into ServiceNow? Also great.
1220.1 -> You want to automate the response
1221.45 -> directly into your cloud environment?
1223.16 -> Also great. You can do it."
1224.66 -> You have basically delegated and empowered them
1227.96 -> to run a security operation based on high-fidelity issues
1233.54 -> that you found through Wiz.
1235.91 -> And this ability to run a cloud security program,
1240.08 -> working with hundreds of organizations,
1242.6 -> this is where things start to click.
1245.21 -> This is where security, you know,
1247.853 -> you see it happening,
1249.68 -> and now you start to see how engineering teams
1252.74 -> are actually accountable for the risks
1254.36 -> and they are reducing this
1255.77 -> because they are naturally incentivized to fix this
1258.62 -> because this is not noise, this is the actual thing.
1262.88 -> Now, the other thing that you get
1265.58 -> by engaging with the engineering teams
1267.77 -> is that now you have the ability to embed security
1272.21 -> into their development processes.
1274.22 -> So Wiz provides you with a Wiz CLI.
1276.17 -> The Wiz CLI can be embedded by the engineering teams
1278.87 -> into their processes, locally in the pipelines,
1281.45 -> in the registries, and it can basically scan
1284.15 -> every artifact they are about to ship to the cloud
1288.17 -> and prevent non-compliant vulnerable configurations
1292.4 -> from getting there in the first place.
1294.47 -> And this is how you shift to the left securely.
1296.93 -> You start from the right, you gain trust,
1299.27 -> and then you start embedding yourself into the left,
1301.76 -> achieving more and more prevention at the pipeline.
1304.85 -> And now you have the trust of the engineering teams,
1307.04 -> and that's what gets things going.
1308.57 -> Because if you try just to embed controls on the left,
1311.75 -> in the pipeline, usually,
1313.43 -> like the misconfigurations issue,
1315.17 -> just noise, friction, and it doesn't work well,
1317.81 -> it doesn't scale well.
1319.01 -> But when you come from the right, you see the issues,
1321.05 -> and now they are naturally incentivized to scan it.
1323.39 -> Fantastic.
1324.44 -> They will embed it, and they will thank you.
1328.64 -> And in the end, the experience for customers
1333.29 -> is very simple.
1334.58 -> You need to connect Wiz to a cloud environment.
1336.86 -> It takes you minutes. It's a cloud role.
1338.87 -> We talked about it.
1339.92 -> We'll see some
1343.43 -> screenshots on how it works like in Wiz.
1346.4 -> But once you have done it, after these few minutes,
1348.68 -> Wiz will do the rest of the work.
1350.21 -> We will scan your environment, we will correlate,
1352.58 -> we will prioritize, and what you will see next
1355.52 -> is actually all of the issues prioritized by their risk
1359.45 -> across anything that runs in your cloud.
1362.21 -> This will be easy to see through because everything
1365.99 -> is humanized in the sense that it has clear explanations,
1369.98 -> it has a clear graph that explains the attack path,
1373.25 -> and it has a clear call to action.
1375.95 -> And then we democratize the program.
1378.44 -> Then you get it to the different teams.
1381.59 -> This is how it begins, right?
1383.54 -> It's a basic cloud role that you provision to your cloud.
1386.6 -> We have two deployment modes.
1388.16 -> We have a full SaaS mode
1389.63 -> that gets you up and running in seconds
1391.25 -> everything from the Wiz cloud,
1392.6 -> and we have an outpost mode that is actually running
1396.2 -> all of the analysis within your cloud
1398.27 -> if you have regulatory requirements and so on
1401.06 -> that require you to do so.
1402.89 -> So this is how every organization can set up Wiz,
1406.55 -> with this simple screen.
1409.25 -> Second, we map the entire inventory.
1412.4 -> This is the architecture.
1415.04 -> Every single resource, whether it's PaaS,
1417.29 -> whether it's IaaS,
1418.82 -> whether it's software running on this IaaS,
1420.65 -> whether it's container, whether it's serverless functions,
1423.14 -> whether it's Log4J, everything will be mapped,
1425.997 -> all of the inventoried across your cloud environments.
1429.516 -> And you can click on each one of those,
1431.96 -> and you can actually see everything on the Wiz graph.
1435.95 -> And the Wiz graph, there are many visualization tools
1440.796 -> that show you a graph, but the Wiz graph is unique
1443.81 -> because it allows you to search through that graph
1447.65 -> and ask about different conditions.
1449.84 -> So you can say, "Show me all of the Amazon Linux machines
1453.491 -> that are running on containers or VMs
1456.2 -> that are also internet-exposed."
1458.03 -> You can correlate it with vulnerabilities,
1460.07 -> with secrets, with data access, and so on.
1463.49 -> But Wiz has already done it as well.
1465.23 -> We have out-of-the-box, hundreds of rules
1467.84 -> that our threat research team continuously adds
1470.66 -> based on what we understand collectively,
1473.6 -> are the risks that we need to remediate in the cloud,
1476.81 -> and you get it mapped, not only to your cloud environment,
1481.25 -> but also to all of the different frameworks
1484.1 -> that you need to comply with, whether it's SOC,
1488.06 -> HIPAA, GDPR,
1489.876 -> PCI, CIS, all of these are baked into Wiz,
1493.97 -> and you don't need to work towards it.
1495.32 -> You just plug it in and you get the heat map
1497.6 -> of your entire compliance environment, and guess what?
1501.14 -> On the left, you can see the project.
1503.93 -> The project is how we call the business units.
1506.69 -> So every single business unit now gets their own score.
1509.99 -> And again, it's fully automated.
1511.61 -> You didn't need to work towards it.
1513.74 -> Just saying, "What is a project in your organization?"
1520.4 -> This is where the magic happens,
1522.29 -> because this is a prioritized list of issues.
1524.81 -> You connect Wiz, you go get your coffee,
1528.14 -> you come back an hour later,
1529.46 -> and you get this list of issues immediately.
1532.76 -> Each row here represents a toxic combination.
1535.7 -> This is an attack path, and it is tied to a severity
1539.3 -> based on the likelihood and impact of that attack path.
1544.13 -> And it works across all of the different environments
1546.92 -> that you connected Wiz, but it's one single list.
1550.73 -> It doesn't matter whether it's sensitive data
1553.22 -> that is exposed, a vulnerability,
1555.56 -> a lateral movement path, a misconfigured identity.
1558.35 -> Everything, you have one single queue
1560.45 -> that now the engineering teams can read from
1562.52 -> and see what is the most important thing they should fix
1565.34 -> if they have one hour to invest in their security posture.
1568.94 -> And from here, you can see that the details are fantastic.
1572.87 -> On every single issue, you get a brief description
1575.93 -> saying why is it important.
1577.97 -> But then you get a slice of the graph that shows you,
1581.217 -> "This is the attack path.
1582.98 -> We actually correlate it."
1584.18 -> So think about it as searching
1585.8 -> on one specific attack path in your cloud environment
1588.86 -> and then presenting it to your dev teams and saying them,
1591.507 -> "Here is the attack path. Fantastic."
1593.96 -> This is why it's important.
1595.76 -> And this is out of the box,
1597.56 -> automated, just works.
1599.78 -> And you can create these queries yourself,
1601.907 -> and these controls yourself.
1603.23 -> So if there are specific conditions
1605.33 -> that you want to look for and toxic combinations
1607.85 -> that maybe are important for you and you want to add,
1610.7 -> you can do it as well.
1613.52 -> We can identify, for instance,
1615.56 -> the previous one, sorry,
1617.69 -> the previous one is the example that we've seen
1620.72 -> on a publicly exposed VM that assumes
1623.63 -> global admin permissions, including sensitive data access.
1627.65 -> The next one is actually the ability to identify keys,
1631.76 -> but one other characteristic of the graph
1634.85 -> is that it actually accounts
1636.56 -> for all of the different accounts that you connected.
1639.53 -> So instead of looking at one, in a silo,
1643.43 -> in every single account, Wiz is actually using
1646.25 -> one single graph to represent all of the risks together.
1650.39 -> What it allows us to identify is,
1652.7 -> actually, if you have a developer that left
1655.64 -> a cloud key to production in your dev environment,
1658.82 -> Wiz will identify it and will tell you,
1660.657 -> "This is a cross-account, and guess what?
1662.78 -> This leads from your dev environment
1665.39 -> to your production environment
1666.89 -> and no one could find it otherwise,
1669.71 -> only through the single graph approach."
1674.27 -> And Wiz provides all of this,
1676.88 -> aggregate it in different ways, and you can create reports
1679.91 -> and generate compliance reports and connect to it
1683.72 -> using APIs and pull all of the data,
1686.15 -> but the really important thing, that in the end,
1688.25 -> you also have dashboards by domain.
1691.22 -> So we will show you everything you need to know
1693.32 -> on improving your vulnerabilities,
1696.17 -> or your cloud entitlements, or your data,
1699.74 -> or threat center.
1702.23 -> We have the threat center team that basically monitors
1705.74 -> for all of the known cloud threats.
1708.11 -> And once we see a new cloud threat,
1709.88 -> we bake it into the portal,
1711.987 -> "Here is your exposure
1713.51 -> to this specific high-profile threat."
1716.09 -> And what we hear from customers is that they read about it
1719.02 -> in the news, and before they even check in Wiz,
1721.58 -> it's already there.
1722.913 -> We are really monitoring for all of these threats
1726.35 -> so when you wake up and you get the question
1729.02 -> from the board or whoever, "Are we exposed to it?"
1732.29 -> you go to your Wiz portal and you have an answer.
1734.51 -> You don't need to work towards it, out of the box.
1737.36 -> And that's the threat center.
1739.67 -> And in the end, Wiz is one product,
1742.97 -> but it fits into many different categories
1745.7 -> in the security architecture.
1747.47 -> It fits into a CSPM,
1749.27 -> it fits into a workload protection tool,
1751.34 -> it fits into a CNAPP that basically augments it
1754.22 -> with data scanning, cloud detection
1756.56 -> and response capabilities, attack path analysis,
1759.29 -> and also the inventory.
1761.18 -> We also provide DevSecOps tools with CLI
1763.991 -> that you can embed into the CI/CD,
1767 -> and we integrate with many other solutions.
1770.48 -> In the end, the value is simple:
1774.23 -> immediate risk mitigation and immediate cost reduction,
1777.86 -> because you can rationalize a lot of the investment
1780.74 -> in specific silo tools in your cloud environment.
1784.82 -> But the other values that you gain
1786.62 -> is operational efficiency.
1788.54 -> Now, Wiz works for you.
1790.25 -> You don't need to deploy it.
1791.81 -> Because it's a simple API deployment, it's there.
1794.66 -> It actually auto-onboards new accounts
1796.73 -> if you have them created.
1798.41 -> So you don't need to work towards provisioning security
1801.14 -> across your environment, it just happens,
1803.48 -> and then you get to see the prioritized list.
1805.85 -> So a lot of the operational overhead,
1807.8 -> instead of focusing on setting your security tools up,
1811.22 -> you can actually focus on remediating and reducing the risk.
1815.09 -> So you can shift your priorities now to reducing the risk,
1818.36 -> and you can accelerate the business,
1820.01 -> because now you are not blocking them anymore.
1822.11 -> They can use any architecture, any tool they want,
1825.08 -> you are secured with Wiz, and it will look the same for you.
1828.35 -> Same type of risks, same type of graph.
1832.01 -> And with that,
1834.65 -> I'm honored to invite John Visneski
1838.64 -> to the stage.
1840.41 -> We're gonna have a fireside chat.
1842.27 -> John is the CISO
1844.28 -> for MGM Studio. - Good to see you, buddy.
1846.548 -> Thank you.
1847.55 -> And,
1849.71 -> yeah.
1850.543 -> - Oh, that's bright.
1852.32 -> I'll take my glasses off. Whoo.
1854.06 -> - Yeah.
1855.972 -> So. - Good to see ya.
1857.57 -> - Thank you. Good to see you.
1859.07 -> Thank you for coming to Vegas.
1860.35 -> - I'm just glad I made it up the stairs
1862.28 -> without falling down.
1863.113 -> - Yeah, that's a big challenge.
1865.31 -> - Absolutely.
1866.96 -> - Okay, thank you for joining.
1868.34 -> And first, maybe,
1869.9 -> you know, we can start by,
1871.28 -> if you can share a bit more about MGM Studios.
1873.71 -> You're a longtime leader in the entertainment,
1875.48 -> and basically, just sharing with the audience,
1878.27 -> what does it mean to be a security team for MGM?
1881.54 -> What do you protect? What are your priorities?
1883.82 -> - Sure. Well I mean, I don't know about you,
1885.29 -> but one of my favorite experiences in the world
1888.62 -> is that experience of the lights coming down
1891.11 -> in a movie theater with that big bucket of popcorn and-
1893.502 -> - Yeah.
1894.335 -> - your significant other or your friend
1895.61 -> and you're about to see something
1896.57 -> that you've never seen before, and suffice to say,
1899.03 -> MGM Studios has been delivering those experiences
1901.19 -> to customers worldwide for over a century.
1904.88 -> And so it should go without saying
1906.86 -> that securing those experiences,
1908.54 -> and whether it's our corporate infrastructure
1910.91 -> or whether it's our production supply chain,
1913.46 -> being able to be a safe space for creators
1915.53 -> to tell their stories is essential to what MGM Studios does,
1919.76 -> and I imagine it's the same for most film studios.
1922.577 -> And so while you don't think of cybersecurity necessarily,
1926.486 -> when you think of "James Bond" or something like that,
1929.149 -> it plays a huge role in our ability
1931.25 -> to help creators tell their stories across the world.
1934.67 -> - And basically, you have chosen
1937.25 -> the cloud path, right?
1938.17 -> So you chose to move to AWS.
1940.61 -> Can you share a bit more about that journey
1942.47 -> and you know, when was it, how did it work,
1944.78 -> and also how did it impact the security team?
1947.15 -> - Sure. Well, I think,
1948.2 -> in the middle 2010s, there was a number
1951.05 -> of really high-profile breaches.
1952.822 -> The one that always comes to mind specifically
1954.86 -> when you're thinking about the entertainment industry
1956.39 -> is the Sony hack.
1958.119 -> And I think that spurred a lot of organizations
1961.76 -> to kickstart their digital transformation.
1963.47 -> And that's not just localized to Hollywood.
1965.63 -> I mean, I was at the Pentagon at the time
1967.4 -> and we were certainly having plenty of conversations
1969.98 -> about the Sony hack, how it happened,
1971.42 -> the impacts, you know,
1972.56 -> what it could mean for national defense.
1975.56 -> And MGM Studios is one of those organizations that,
1978.02 -> it's cliche to say, went on a digital transformation,
1980.33 -> but it's absolutely true.
1981.92 -> And like most organizations, a digital transformation
1984.212 -> gives you added complexity, and added complexity
1987.68 -> gives you additional risk, right?
1989.87 -> More serverless functions, Kubernetes, containers,
1992.763 -> a DevOps team that is moving as fast as they possibly can
1995.36 -> to improve that production pipeline.
1996.86 -> All those sorts of things introduce a level of risk
1999.595 -> to your enterprise that, you know,
2001.87 -> an old school mentality of a security team telling people
2004.27 -> what they can't do fails really quickly,
2006.34 -> and you have to be concentrated on keeping pace
2010.06 -> with that digital transformation.
2011.35 -> And that was exactly what my predecessor at MGM Studios
2014.41 -> was really good at, is as that complexity curve
2018.43 -> continues to rise, your hiring curve typically
2021.61 -> is not gonna keep pace for that,
2022.96 -> especially from a security perspective.
2024.43 -> And so how do you get the right tools in place?
2026.62 -> How do you have the right focus on automation?
2028.63 -> How do you have the right, you know,
2029.92 -> the team put together in order to keep pace
2032.8 -> with that complexity while also not burning people out,
2035.89 -> while also having an understanding
2037.15 -> that you're never gonna have a million monkeys
2038.77 -> on a million typewriters, right?
2039.88 -> It's Shakespeare.
2041.14 -> So what can we put into our toolkits
2043 -> that are really gonna enable our teams
2045.19 -> to enable the business, which is the journey
2047.89 -> that they've been on over the last 4, 5, 6 years?
2050.38 -> - Amazing, and so how did you do it?
2053.74 -> So how did you transform, and when did Wiz come into play?
2057.82 -> - Yeah, well, it's funny.
2059.041 -> You and I were having this conversation earlier.
2061.54 -> You know, Wiz predates my time at MGM Studios,
2064.87 -> so I spent a lot of time with the real brains
2066.64 -> of the operation, my team,
2068.17 -> the Paul Morrises and the Rod Santoses of the world,
2070.57 -> to kinda get an idea of like,
2071.74 -> well, I'm really impressed with what Wiz can do.
2073.78 -> It's obviously doing great things for us at MGM Studios.
2076.36 -> How did it come about?
2077.26 -> And the funny story was, is that you know,
2079.84 -> the engagement with Wiz started October,
2082.81 -> November of 2021, and for those of you who,
2086.98 -> you know, probably spent like three weeks
2088.9 -> pulling your hair out for Log4J,
2091.18 -> super well-timed, right?
2092.47 -> So you know, rolled out Wiz to the point you made earlier,
2095.871 -> super easy rollout, seconds, minutes,
2098.86 -> a week, whatever it was,
2100.57 -> just in time for Log4J.
2104.41 -> And I'm actually quite jealous 'cause the organization
2106.48 -> I was at previous to that, we did a really good job
2108.64 -> of responding to Log4J, I like to think.
2110.77 -> And I think some of those folks
2111.603 -> are actually in the audience.
2113.41 -> But it's a very manual process.
2114.985 -> It was very time intensive, all hands on deck,
2118.09 -> the technology team, the security team,
2120.001 -> everyone was coming together
2121.42 -> like a lot of other organizations,
2123.55 -> and I'm picking Paul and Rod's head, brains on my team.
2126.59 -> I was like, "Well, how was it for you guys?"
2128.14 -> He said, "You know, honestly,
2129.28 -> 10 outta 10 when it came to what Wiz was able to give us,"
2131.92 -> because instead of spending so much time on the discovery,
2134.53 -> the discovery was table stakes.
2136.42 -> See what I did there? That was a Vegas joke.
2138.7 -> The discovery was table stakes.
2141.215 -> So they were already doing remediation when teams like mine
2144.22 -> were still trying to make sure what the blast radius was
2147.4 -> for the problem.
2148.24 -> - So you could actually focus on the remediation,
2150.49 -> removing the risk versus like other teams
2152.65 -> that are focusing on finding the problems.
2155.53 -> - Absolutely, and that shared language,
2157.63 -> and you talked about prioritization and context
2160.15 -> and things like that, that shared language
2161.59 -> between the security team and between the devs
2164.45 -> and the pure tech team helps reduce the amount of tension
2168.728 -> that comes with those sorts of incidents.
2170.92 -> - Yeah. - Anyone who's been involved
2172.33 -> in incident response, whether it's a big incident,
2174.25 -> whether it's a Log4J thing, whether it's some vendor
2176.74 -> that you have get popped, it's stressful, right?
2178.66 -> I used to have a full head of hair
2181.18 -> before I started down the cybersecurity path.
2184 -> But having that sort of shared language
2185.59 -> and having that context that comes with what needs
2188.26 -> to be prioritized ends up being a force multiplier
2191.83 -> for your entire organization, and you can feel good
2193.69 -> about that incident response as opposed
2195.28 -> to the natural stress that comes with it.
2197.62 -> - And the prioritization and the context in the end
2200.47 -> do feel like it's incentivizing naturally the teams
2203.68 -> to act upon it, like no more pushing back,
2207.22 -> less friction.
2208.27 -> - Absolutely. I mean, 'cause log aggregation is interesting.
2211.028 -> What makes it compelling is context.
2213.7 -> Log aggregation for the sake of log aggregation,
2215.71 -> alerting and monitoring for the sake of it,
2217.24 -> data lakes for the sake of it,
2218.59 -> without that context and without that shared understanding
2220.84 -> of what information are we pulling
2222.07 -> and why is that important to our organization,
2223.84 -> not even just from a security perspective,
2225.197 -> but what is important to our organization as a business,
2227.77 -> what's driving us forward?
2229.27 -> Having that shared context and that shared sense
2231.37 -> of ownership when it comes to your relationship
2234.28 -> between your security teams and your dev teams is essential.
2236.89 -> Essential, one, just because it's really stressful
2239.2 -> to always have everybody mad at you,
2240.88 -> and two, because I really think that that democratization
2244.404 -> of a security program is the future.
2248.14 -> Steve Schmidt, Amazon CSO,
2251.38 -> he talks a lot about the cybersecurity talent gap,
2254.05 -> hundreds of thousands short
2255.499 -> in terms of how many folks that we need
2257.624 -> in order to secure our enterprises.
2259.99 -> So you're never gonna really be able
2261.37 -> to hit that number, probably.
2263.14 -> And so what can we do to be the rising tide
2265.12 -> that lifts all ships?
2265.953 -> What tools can we put in place?
2267.22 -> What mechanisms can we put in place?
2268.57 -> What process?
2269.62 -> What conversations are we having with our CTO counterparts
2272.377 -> in order to ensure that everyone is playing their part
2275.5 -> when it comes to a security program?
2277.03 -> And so that democratization is essential, particularly
2280.18 -> when you're in a resource constrained environment.
2281.65 -> - So how are you doing today?
2283.15 -> How are you ingraining security
2284.65 -> into the engineering teams, the business units?
2286.81 -> What's your best advice to the audience here on doing it?
2290.11 -> - Yeah. Get out of the way, right?
2291.6 -> I mean, and I think that's easier said than done
2294.13 -> for the most part.
2295.9 -> But when you do talk about that democratization
2298.015 -> and you do give them access to the portal
2300.34 -> and the insights, to your point earlier,
2303.46 -> they're hungry for that sort of thing.
2305.2 -> And in the past, as that complexity builds
2307.36 -> and as your enterprise gets larger and larger
2309.25 -> and you go from zero serverless functions
2312.61 -> to a million serverless functions within two months
2314.83 -> and then half of 'em are sort of stale
2316.383 -> and all those sorts of things, like giving people the tools
2319.21 -> to actually fish for themselves, and I mean F-I-S-H,
2321.82 -> not P-H-I-S-H, - Yeah.
2324.732 -> - giving them the tools to fish for themselves
2327.19 -> ends up, one, making you more secure,
2329.56 -> which is what we're here for,
2330.94 -> two, ends up building better relationships
2332.62 -> between those organizations and reduces
2334.18 -> that natural friction that comes with me being the bad guy
2337.42 -> or the cop and them being the people
2338.77 -> that are actually generating revenue for the company.
2341.86 -> But also gets us into more of a mentality
2344.86 -> where security is more like breathing in water
2348.34 -> than it is something that we really have to spend
2350.56 -> too much time arguing over what the priority is,
2353.2 -> arguing over the context,
2354.43 -> arguing over what we need to do first.
2356.14 -> - So this single list of issues actually standardizes
2358.659 -> not only for security but the entire discussion
2361.39 -> around what should be done, where do we spend our resources.
2364.72 -> - Right. I mean, because people like me
2366.04 -> come through the door, and we have a really big smile
2368.86 -> on our face and say, "Don't worry,
2370.51 -> I'm the security team, I'm here to help.
2372.67 -> Here's a list of things I need you to do,
2374.35 -> and I need you to do all of 'em right now,
2375.76 -> and I need you to do twice as fast
2377.198 -> as you're actually capable of doing 'em."
2378.79 -> And oh, by the way, the people I'm asking to do that
2380.561 -> are the same people that are like designing features
2383.41 -> that make your product better
2384.43 -> or helping with the production pipeline or whatever it is.
2387.61 -> And so being able to actually be a good broker
2391.39 -> in that relationship as opposed to someone
2393.07 -> that's just telling them, "Here's your to-do list today,"
2396.928 -> ends up being something that, one,
2399.34 -> again, reduces that friction, and then two,
2400.858 -> my team can concentrate
2402.43 -> on some of the more wicked challenges in security
2404.26 -> as opposed to having to constantly chase down
2406.389 -> vulnerability management,
2407.8 -> constantly chase down remediations,
2409.33 -> constantly chase down that sort of visibility that you need.
2411.717 -> - That's actually a really good point.
2413.5 -> So basically, once you get the process going
2415.54 -> and then natural context and incentives
2418.51 -> to the teams to operate, then you can concentrate
2420.85 -> on really like the tougher problem, what's next,
2422.83 -> what's coming, like the bigger investments you can do now.
2425.89 -> - Absolutely. 'Cause in the paradigm of a security analyst
2428.98 -> going to a dev and saying, "Hey, your application is broke.
2432.79 -> Here's how it's broke. Fix it,"
2434.35 -> no one's comfortable in that conversation.
2436.24 -> - Yeah. - The dev is like, "Hey,
2437.95 -> how come you didn't tell this to me?"
2439.635 -> on the left of the pipeline,
2441.64 -> and the security engineer is saying, "Well, hey man,
2443.71 -> like, do the right thing," and you end up
2446.5 -> with that butting heads no matter who they are.
2448.6 -> The personality friction that comes with that
2451.3 -> is hard to deal with.
2452.38 -> And so getting a tool in place
2453.76 -> and having that shared understanding ends up reducing that
2456.91 -> to a point where that security engineer
2458.74 -> is no longer having an uncomfortable conversation
2460.6 -> with a dev.
2461.5 -> Instead, I have them using their 50-pound brain
2464.59 -> on other problems and looking over the hill,
2466.365 -> and seeing what the next threat is,
2468.04 -> and seeing where we need to be from a compliance standpoint,
2470.104 -> and all those other things that go
2471.67 -> into a healthy cybersecurity program.
2473.56 -> - That's amazing.
2475.57 -> We should add this to the business value slide.
2478.21 -> So one other thing that is also very interesting,
2482.14 -> basically, MGM was acquired by Amazon in 2021,
2486.67 -> and basically, I would love to hear more
2489.85 -> about the experience of you as an acquired company
2493.93 -> in the M&A, and also what are the learnings
2496.264 -> and maybe how your current cloud security program
2499.053 -> and Wiz helped you to differentiate yourself
2501.73 -> in that process.
2502.81 -> - Sure. Can I get a show of hands of how many folks
2505.27 -> have been through like a big merger and acquisition?
2509.32 -> Okay, so all of you have had big headaches before.
2513.16 -> I like to joke that, whatever it was,
2515.23 -> March 16th or March 17th when the deal finalized,
2518.32 -> I had like 20 emails in my inbox from like five new bosses
2522.13 -> and seven new best friends, and I had a new to-do list,
2525.34 -> and, "Oh, by the way, you have to keep the lights on,"
2527.47 -> and all those sorts of things.
2528.88 -> And so, you know,
2531.04 -> I always say that the hardest,
2532.99 -> the hardest part of a merger and acquisition activity
2536.44 -> or anything like that is not the technical stuff,
2538.78 -> it's the cultural stuff.
2540.49 -> And so for us, you have one of the oldest film studios
2544 -> on the planet joining forces with Amazon,
2547.6 -> however you wanna describe, you know,
2549.4 -> the behemoth that is Amazon.
2551.32 -> And so having a shared understanding
2552.73 -> of what are our first priorities for 30, 60, 90 days,
2555.49 -> spoiler alert, Amazon cares quite a bit about security.
2558.46 -> And so when they bring a company in,
2560.62 -> the security team is first through the door
2562.39 -> from a cultural perspective.
2563.47 -> They're first through the door
2564.79 -> from an integration perspective.
2567.28 -> We had a to-do list, we had our 30, 60, 90 day plan,
2571.826 -> we're figuring out which foundational systems
2574 -> that we'd take off the shelf from an Amazon perspective,
2576.4 -> identifying differentiated risk that comes with us
2578.73 -> being a film studio, content security and things like that.
2582.37 -> And not only do you have
2583.45 -> like "keep the lights on" type stuff,
2585.13 -> like we have applications, we have things
2586.78 -> that need to continue to run and threats
2588.34 -> and things like that, now you have an integration to-do list
2591.76 -> from a security perspective,
2593.25 -> and then you have an integration to-do list
2595.18 -> from a technology perspective.
2596.68 -> And spoiler alert, the people that are doing that work,
2599.23 -> the engineers that are doing that work,
2600.34 -> they're the same people.
2601.57 -> And you don't get extra people to help with that.
2604.81 -> Like it's you, right?
2606.55 -> Don't get me wrong,
2607.42 -> there's plenty of really wicked smart people at Amazon.
2609.55 -> You get to phone a friend, you know,
2611.02 -> having the resources and having the ability to escalate
2614.38 -> and having the ability to prioritize things on the fly
2616.27 -> is helpful, but there's a very real restriction
2620.59 -> when it comes to, if you got three DevOps engineers,
2623.114 -> you've got three DevOps engineers, and guess what?
2625.3 -> They're not like Hermione Granger and get to, like,
2627.1 -> have a time machine or something like that
2628.9 -> and an extra few hours in the day.
2630.28 -> And so that prioritization
2631.399 -> doesn't just become a daily activity,
2634.6 -> that's an hourly activity.
2636.1 -> That is, "All right, John,
2637.57 -> you have 15 work streams on the security front.
2641.32 -> Doug, as the CTO, you have 25 work streams,
2644.77 -> app rationalization,
2645.76 -> all that sort of stuff," - Been there.
2646.69 -> - how do we bring those things together
2648.25 -> and move forward in a way that, one,
2649.9 -> meets the objectives from a security perspective for Amazon,
2652.57 -> but two and most importantly, doesn't break
2654.52 -> the shiny new toy that they just acquired?
2657.13 -> And so having a tool in our hip pocket like Wiz,
2660.052 -> that it's not just a long list of vulnerabilities
2662.83 -> and not just a long list that we create
2664.343 -> a burndown metric for, but actually helps us prioritize
2668.17 -> and gives context to the noise
2670.48 -> that we would be hearing otherwise.
2672.16 -> So that when I have that conversation with the CTO,
2674.38 -> he doesn't have to keep telling me like, "John,
2675.88 -> we don't have enough time,"
2677.17 -> I can give him the we-know list and, oh, even better,
2679.33 -> I can get outta that conversation entirely,
2681.79 -> give his team access to the portal themselves,
2684.64 -> and we're off and running.
2685.72 -> And again, then Mike's team can concentrate
2687.37 -> on the 17 other work streams
2688.843 -> that we needed to concentrate on to roll out
2692.74 -> those abilities.
2695.14 -> So Wiz played an integral role in that,
2697.69 -> one, because of the context,
2698.95 -> two, gave us a shared understanding
2700.45 -> between not just my organization and the CTO's organization.
2703.84 -> Now you're talking about the tech folks on the Amazon side,
2706.055 -> the security folks on the Amazon side,
2708.04 -> where is that, like, centralized place
2710.11 -> that we can have a rational conversation about risk
2712.961 -> and move forward with it.
2714.73 -> I can only imagine how much more difficult it would've been
2718.09 -> if we weren't an AWS native organization.
2720.94 -> You start peeling that onion when it comes
2722.47 -> to mergers and acquisitions.
2723.91 -> Also, companies like Amazon,
2725.53 -> they acquire more than just AWS shops,
2727.951 -> you know, when you're talking
2729.19 -> about some of the other big cloud providers in the world.
2732.79 -> And so having a tool that can help with that process
2736.57 -> just gave us a leg up for the entire acquisition.
2738.7 -> - Yeah, and Wiz is like something you see
2740.74 -> as a scalable thing that you can do on any M&A.
2743.38 -> So what's the learning from this in the generic case?
2747.64 -> - Yeah, absolutely.
2748.54 -> I mean, it goes without saying that the maturity
2750.76 -> of a security program isn't always gonna be ideal
2752.818 -> when you acquire a company.
2755.23 -> Particularly, if you're acquiring a new startup
2757.15 -> or something like that, they probably,
2759.67 -> in a lot of cases, don't have a security team,
2761.29 -> or it's just an IT guy that puts a security hat on
2763.48 -> once in a while.
2764.313 -> - The DevOps, one of the 10 work streams.
2765.88 -> - And certainly, there's usually not a CISO
2768.4 -> that's sitting there that has the ear of the board
2770.98 -> or has the ear of leadership in order to help you prioritize
2773.83 -> those sorts of things.
2774.695 -> And so then, having that shared language
2776.89 -> and having that shared understanding
2778.27 -> of what sort of risk is coming through the door
2781.12 -> during an acquisition is essential.
2783.078 -> There's only so much you can do pre-acquisition
2785.5 -> to have an understanding of the entire threat landscape,
2787.51 -> and you're not always gonna have a guarantee
2788.95 -> that there's gonna be someone who can speak intelligently
2790.914 -> or eloquently about it when they come through the door.
2794.287 -> And so, what tools do we have at our disposal
2798.1 -> in order to help facilitate that conversation
2800.2 -> and get us moving in the right direction?
2802.09 -> Because the clock is ticking.
2803.59 -> The clock is always ticking.
2805.18 -> And again, like I said earlier,
2807.13 -> you know an acquisition is nothing
2808.57 -> if not more complex than your enterprise was before,
2811.81 -> and that added complexity, again, introduces that risk.
2815.44 -> - Amazing.
2816.273 -> So, maybe some final thoughts and advice to the audience
2821.195 -> on running a cloud security at the scale you are running
2824.8 -> and going through these transitions.
2827.259 -> - You have to bear with me.
2829.36 -> I had a mentor and a friend when I was in the service.
2833.02 -> He was an Air Force civil engineer,
2835.03 -> so bear with me with my metaphor.
2838.15 -> He used to say that you could be the best carpenter
2839.86 -> in the world, but you still can't build a chair
2842.5 -> if you don't have the right tools.
2843.91 -> And that metaphor actually works in reverse, too.
2845.83 -> You could be the best toolset in the world
2847.51 -> and if you don't have the right carpenters,
2849.31 -> you're still not gonna get a chair.
2851.413 -> And I think in cybersecurity, we have a tendency
2853.75 -> when it comes to folks that sit in my seat
2855.64 -> and then folks that sit in the CTO or CIO seats
2857.89 -> where we get into this situation
2859.72 -> where we all have an understanding, a shared understanding
2861.55 -> of what's important to the business
2862.87 -> from a security perspective.
2863.86 -> No one wants to be insecure.
2865.51 -> But what ends up happening without that context,
2867.61 -> without democratization,
2868.93 -> is that we turn into the Spider-Man meme
2870.67 -> where they're all pointing at each other
2872.23 -> and no one actually makes the first move
2874.21 -> because it's so hard to figure out
2875.534 -> what's actually important to us
2877.42 -> holistically as an organization.
2880 -> And so MGM, Amazon,
2884.56 -> ton of great carpenters,
2886.06 -> some of the best carpenters in the world,
2887.71 -> and I think we were just super lucky to have tools like Wiz
2890.74 -> and some of the other tools that we had
2891.94 -> in our infrastructure to give us that shared understanding
2894.43 -> of how we were gonna move forward collectively,
2896.945 -> particularly during the acquisition
2898.75 -> in order for that engagement to be successful.
2901.39 -> And so I think what I would leave folks with
2902.74 -> is always keep that in mind.
2904.84 -> You know, you're only as good as the tools
2906.4 -> that you have at your disposal.
2907.39 -> And on the flip side, don't forget
2908.798 -> that making sure that you're investing the time
2910.87 -> and the effort into the people and giving them
2913.45 -> the ability and trusting them with the ability
2916.27 -> to prosecute your security program
2917.615 -> is almost even more important.
2921.04 -> - Nicely said.
2923.5 -> Thank you.
2924.37 -> And we're gonna open up actually the stage
2927.49 -> for any questions.

Source: https://www.youtube.com/watch?v=HLWKgbz3gC0