Permiso, a start-up that focuses on cloud identity detection and response for cloud infrastructures, announced earlier this week that it has launched P0 Labs.
The P0 Labs name refers to the company’s “priority zero” mission of detecting and responding to the latest cloud infrastructure attacks for its customers.
SC Media caught up with Paul Nguyen, the company’s co-founder and co-CEO, and Ian Ahl, vice president and head of P0 Labs, to talk about the company’s identity-based approach to cloud security, its plans to expand integrations, and how it aims to help customers adapt as nation-state actors migrate to the cloud.
Let's begin with some background on the company and the story of how you started.
Nguyen: Permiso was started by Jason Martin and me three years ago, when we were both executives at FireEye. We decided that cloud security was going to be the next frontier, very similar to the way we saw data centers evolve 20 years ago. We tried to buy a couple of cloud security companies, and it gave us some insight into the market. FireEye wanted to look at detection and response as that next evolution for cloud security. Unfortunately, we weren’t able to execute on that strategy, so Jason and I left to do it on our own. We saw a huge opportunity for detection and response in the cloud security market, which is still very much in its infancy. So we’re excited to do something that’s completely white space, never been done before.
Is Permiso mainly a red-team pen-testing company? Or, with your emphasis on detection and response, are you taking the purple-team approach?
Ahl: We are a cloud detection and response company and have some services built around that. I built the P0 Labs team with incident responders and pen testers for that purple-team purpose of insinuating attacks on the red-team side and having those responders watch what’s going on. Our goal is to find bad guys. We take our knowledge to the front lines and bring it in there, but we also use the purple-team approach to create the bad activity first so we can take that knowledge and codify it into our product. So a lot of times what we’ll do is create malicious activity first, monitor what we are doing with the malicious activity, and then write detections associated with the malicious activity.
What’s different about the threat landscape in the cloud that requires a new approach from what the security industry has done in the past?
Ahl: The attackers want to move to the cloud for the same reason everyone else does: speed, scale, and impact. And that’s the biggest differential from a capability standpoint. They know they can have a larger impact going to the cloud. Right now, we are at the phase where it’s mostly commodity attackers, ransomware and bitcoin mining, but now we are seeing advanced attackers starting to come into the cloud space. They have for years, but it’s just in larger numbers now. For example, APT29 is a group I worked on when I was at Mandiant. Those were the perpetrators of the SolarWinds incident. These are Russian nation-state threat actors, really top-tier when it comes to the groups that are tracked out there. And we know they are shifting now as well. They are getting into the vendor supply chain and are targeting cloud providers and targeting security vendors in the cloud so they can leverage that access to get into other environments.
So what are you doing to counteract this growing threat?
Nguyen: We are using identity as the main mechanism for us to detect evil. One of the main vectors we’re seeing is compromised credentials or exposed secrets: attackers gain access via an initial set of credentials they have compromised and can then follow that trail, and as they pivot they create other users and run other impact events.
The identity approach is very novel. Traditional approaches have been focused on networks, hosts, and IP addresses, which was a data center construct. In the cloud, the cloud service providers are not exposing the network and hosts; they are providing services. The way you instrument those services is via APIs using credentials. You hear about S3 buckets, which are data storage. And EC2, which is compute. How do you spin up more S3 or EC2? You have to have valid credentials to execute. It’s not about a network or host. It’s calling APIs using valid credentials to spin up and spin down infrastructure, which is the power of the cloud.
Even if you look at traditional security products, it’s always about assets and hosts and networks: endpoint detection, network detection, email. In the cloud, it’s completely different; it’s services. So how do you instrument services to build apps? People have a hard time when they switch to cloud in thinking about the security model in the cloud. Our very first angel investor was Jason Chan, who used to be the vice president of information security at Netflix. Chan and his team at Netflix were on a very mature end of cloud, and they gave us some of the initial constructs that we thought about in terms of what capabilities the mass security market would need as they start out with security in the cloud, just getting into cloud, and finally get to where Netflix has evolved. We deconstructed what Jason Chan had done and said we can bring these capabilities down to where the customers are today.
How will P0 Labs make this happen?
Ahl: There are a lot of products, normal SIEMs, that can take an event and let you know when something bad happens. What we do is group things around identity and credentials, pull all those events around attacker techniques, and build rules around a “session.” A session is a grouping of events based on identity and credentials in a period of time. If I went into AWS and clicked “create bucket” and “delete bucket” and then attempted to spin up EC2 instances, that would create hundreds of events to make that happen. A normal cloud SIEM would look event by event. We group that activity into one session. For example, the system lets me know any time an identity attempts to escalate privileges within this type of resource. This allows us to describe complex logic because we group it all together.
Nguyen: Have you seen the Avengers movies? There’s the concept of the multiverse: parallel existences of the same person, but they are on different timelines. I may have 10 credentials in a cloud environment. So that’s 10 different timelines and 10 different sessions I have to track independently of one another. Timeline 1 is malicious; timelines 2 and 3 are fine. When we see attackers, they are hopping across timelines and credentials. What we do is follow their trail, and we haven’t seen anyone be able to do that multiverse tracking across sessions.
Permiso made news in January with its $10 million seed funding round. Given a looming recession, what's a realistic timeframe for future funding rounds and meeting your objectives for the future?
Nguyen: We aren’t thinking about fundraising right now, but we will be raising a round in the next 6-18 months based upon market demands. We’re mainly focused on how to find evil in these new frontiers of cloud infrastructure. Today, there’s not a lot of tooling to find the bad guys. I think we are a few months ahead of the market. We plan to extend our integrations. We formed a partnership with HashiCorp to integrate with its Vault. We’re also looking to work with identity providers such as Okta, Ping, SailPoint, and Azure AD; that’s a big part of our story. We also have customers requesting integrations into their CI/CD DevOps pipelines. Our heritage is former FireEye, former Mandiant. We know what evil looks like, and Ian and his team know how to respond to evil. Ian has been responsible for tracking these threat actor groups. So our focus is staying ahead of the adversary. Get the best intel to understand where they are going, then build protections for our customers. An attacker can sit in an environment for a long time. We want to shorten that as much as possible.
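The session grouping Ahl describes and the credential-hopping "multiverse" tracking Nguyen describes, sketched in Python as an added example. This is not Permiso's code: the CloudTrail-style records are constructed, and the 30-minute idle window, the record field layout, and the escalation rule (one credential creates a user, attaches AdministratorAccess, and mints it a key) are assumptions chosen to illustrate the idea.

```python
"""Session-based detection over CloudTrail-style records: group events by
(identity, access key) into time-bounded sessions, flag privilege escalation
inside a session, and follow the trail to credentials the session minted.
Added example, not Permiso's code; the records, the 30-minute idle window,
and the escalation rule are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_GAP = timedelta(minutes=30)  # assumed idle gap that closes a session
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ACCOUNT = "arn:aws:iam::111122223333:user/"  # constructed account


def ev(time, name, user, key, req=None, resp=None):
    """Build a trimmed CloudTrail-like record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": ACCOUNT + user, "accessKeyId": key},
            "requestParameters": req or {}, "responseElements": resp}


# Constructed timeline: alice's first key creates an admin user and a key for
# it; that new key then spins up compute; alice's second key is benign.
EVENTS = [
    ev("2023-03-01T10:00:00Z", "ListBuckets", "alice", "AKIAALICE0001"),
    ev("2023-03-01T10:02:00Z", "CreateUser", "alice", "AKIAALICE0001",
       {"userName": "svc-backup"}),
    ev("2023-03-01T10:03:00Z", "AttachUserPolicy", "alice", "AKIAALICE0001",
       {"userName": "svc-backup", "policyArn": ADMIN_POLICY}),
    ev("2023-03-01T10:04:00Z", "CreateAccessKey", "alice", "AKIAALICE0001",
       {"userName": "svc-backup"},
       {"accessKey": {"userName": "svc-backup", "accessKeyId": "AKIASVCBACKUP01"}}),
    ev("2023-03-01T10:20:00Z", "RunInstances", "svc-backup", "AKIASVCBACKUP01"),
    ev("2023-03-01T11:00:00Z", "DescribeInstances", "alice", "AKIAALICE0001"),
    ev("2023-03-01T14:00:00Z", "GetObject", "alice", "AKIAALICE0002"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_sessions(events, gap=SESSION_GAP):
    """One session per (identity, access key) run of activity; an idle gap
    longer than `gap` starts a new session for the same credential."""
    by_cred = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        ident = e["userIdentity"]
        by_cred[(ident["arn"], ident["accessKeyId"])].append(e)
    sessions = []
    for (arn, key), evs in by_cred.items():
        current, last = None, None
        for e in evs:
            t = parse_time(e["eventTime"])
            if current is None or t - last > gap:
                current = {"identity": arn, "key": key, "events": []}
                sessions.append(current)
            current["events"].append(e)
            last = t
    return sessions


def escalation_findings(session):
    """Session-level rule: the same credential creates a user and attaches
    AdministratorAccess to it. Each call alone looks like routine IAM work;
    grouped into a session it reads as privilege escalation."""
    created, admin = set(), set()
    for e in session["events"]:
        req = e["requestParameters"]
        if e["eventName"] == "CreateUser":
            created.add(req.get("userName"))
        elif e["eventName"] == "AttachUserPolicy" and req.get("policyArn") == ADMIN_POLICY:
            admin.add(req.get("userName"))
    return [f"{session['key']} created {u} and granted it AdministratorAccess"
            for u in sorted(created & admin)]


def minted_keys(session):
    """Access keys this session created: the next credential in the trail."""
    return [e["responseElements"]["accessKey"]["accessKeyId"]
            for e in session["events"]
            if e["eventName"] == "CreateAccessKey" and e["responseElements"]]


def follow_trail(sessions, start_key):
    """Hop from a credential to every credential its sessions minted, so one
    finding covers the attacker's whole chain rather than a single timeline."""
    by_key = defaultdict(list)
    for s in sessions:
        by_key[s["key"]].append(s)
    seen, frontier = [], [start_key]
    while frontier:
        key = frontier.pop(0)
        if key in seen:
            continue
        seen.append(key)
        for s in by_key[key]:
            frontier.extend(minted_keys(s))
    return seen


def analyze(events):
    """Map each escalating credential to its findings and the keys it leads to."""
    sessions = build_sessions(events)
    return {s["key"]: {"findings": escalation_findings(s),
                       "trail": follow_trail(sessions, s["key"])}
            for s in sessions if escalation_findings(s)}


if __name__ == "__main__":
    for key, report in analyze(EVENTS).items():
        print(key, report)
```

On the sample data this yields four sessions (alice's first key twice, because of the gap before 11:00, plus one each for the minted svc-backup key and alice's second key), one escalation finding against AKIAALICE0001, and a trail that continues into AKIASVCBACKUP01, so the RunInstances call made with the new key is attributed to the same chain rather than treated as a fresh, unrelated timeline.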