Awesome project!
As someone deeply familiar with this problem (ex-JupiterOne), I'd caution against asserting that 'deep level of customization' is a differentiator. Your buyer (CISO) and userbase (Sec Engs) are drowning. They (and I) don't want yet another product to build on top of. This is a key reason why Wiz is so successful -- an operator can turn Wiz on and immediately receive value, no adjustments or additions needed.
I'd strategically focus on making the 'actionability' part the cornerstone of the product and really become obsessed with making that part of your product incredible. The Goliath-killing story you need will be formed by figuring out how to get your product to the point where someone can turn it on and immediately receive value for the most impactful security problems first (ex: Log4J) and the total surface area of problems the product solves for second.
I would second this. No security person says "I don't have enough problems to look into."
Security spending is down, so navel gazing products are going to be a really hard sell. Figure out how to actually solve problems in an automated/semi-automated way and ship that instead.
The other issue with all of these tools is handling onboarding/integrations and getting terrible visibility as a result. A big market gap I see is a tool that can use the vulnerabilities it discovers to further information collection just like a real attacker would. Found Splunk creds in a log? Awesome, start using them. Syslog in an S3 bucket... boom. You are now hitting the stuff that every other ASM/visualization tool has missed.
Makes sense -- we're focused on fixing problems over just being yet another Jira ticket generator.
> Found Splunk creds in a log? Awesome, start using them. Syslog in an S3 bucket... boom. You are now hitting the stuff that every other ASM/visualization tool has missed.
This is my dream :). This past weekend I was playing around with something where if I clicked on a SecretsManagerSecret node then it'd give me the CLI commands to assume the roles and then retrieve the secret. It'd be neat to take it a step further and be able to click here and get a shell -- I don't think we're _that_ far off from that (but for now to be very clear we're focusing on read-only actions only since a security tool with permissions to do scary things in your environment kinda defeats the purpose).
Thank you, this is very helpful especially given your experience in the space. I intended to frame this like "there are many tools that let a security team can pull in data from the cloud providers and detect misconfigurations, but this becomes soo much more useful when they're able to contextualize it against their internal data". If I'm responding to log4j, I want to know all of the services that are running that affected library, which ones are internet open, and who in the organization owns it. That last part is key for actionability.
Given that this is a paid product, are you liable if the chatbot misrepresents the data?
website(on firefox) nitpicks
- The handle_complexity.png image is too small to read and can't be zoomed unless opened in another tab.
- The background effect is in the foreground of chatbot_cropped_gif.gif
- The yaml schema text should have a background like the rest of the text boxes
> Given that this is a paid product, are you liable if the chatbot misrepresents the data?
Good question. Right now the chatbot is in preview and we're currently figuring that out. That said, we do have it provide the underling query that it used to answer the question so a user can double check with that.
Thanks for the comments on the landing page -- we're security nerds and definitely not great at frontend haha, will fix!
Looked at your video demo, does SubImage actually recommend changes and generate terraform? For example instead of exposing 80/443 to the EC2 instance, deploy a ELB in-front of it that listens on 80/443 publicaly and only allow the ELB to forward traffic to the ec2 instance. Also, utilize attach role to the ec2 instance to avoid storing AWS credentials in environment vars, though if the instance was compromised an attacker could still access the s3 bucket.
> does SubImage actually recommend changes and generate terraform?
We recommend changes, though we don't generate Terraform just yet. Great feedback on the specific fixes for this case, thanks.
I was watching a competitor(?) of yours a few years ago who were trying to integrate https://github.com/WithSecureLabs/IAMSpy#iamspy with Cartography to have more insight into what, actually, the IAM Roles could do
Do you have similar plans or are those kinds of things left as an "exercise to the reader" via your Intel Plugins link? I do see https://cartography-cncf.github.io/cartography/modules/aws/s... but I also see https://github.com/cartography-cncf/cartography/blob/0.100.0... so it's hard to know what level of insight one wishes to support out of the box versus the localstack model of "open core, advanced features are $$$" type deal
> have more insight into what, actually, the IAM Roles could do
We 100% do this, see https://eng.lyft.com/iam-whatever-you-say-iam-febce59d1e3b.
We evaluate the policies for the IAM principal against the resources to determine what actions they can perform on each resource. This is configurable too; here's the set of the default permission relationships shipped in OSS: https://github.com/cartography-cncf/cartography/blob/master/...
It doesn't cover conditions since those can be wacky complicated, and it doesn't cover resource policies (yet!) but in my experience this is still a very good heuristic that is already more accurate than AWS IAM Analyzer when I played with it.
The next step we're working on is to take this access map and correlate it with event data to see which permissions are used/unused so that we can prune them for ensuring least privilege. More to come here.
Edit: adding on for the part of your question about what features are paid or OSS, our paid offering is fully hosted and includes things like automatic suggested fixes, a natural language interface, customization with our dynamic schemas, and other bells and whistles. I'm not a fan of doing things like premium modules because I don't want to ever get in the position where I'm declining a pull request in open source because it covers a premium feature; that doesn't feel right.
Wow this library has a lot of history being developed at Lyft! Have you seen a good response to the paid offering? I suppose all the OSS users self hosting will switch over!
Actionability >>> observability
If you can pull this off, you will have a great time
Agreed
This is cool, and really makes sense for large organizations. Do you foresee a release for smaller enterprises (something as simple as a lightweight aws integration?)
Depends on how small. Most seed stage and early companies are more worried about product-market fit and not security. For now, we're probably best fit for companies building out their first security teams, so that's _usually_ series A and later. That said, there might be something there, I'm open to figuring something out for a smaller company.
Could definitely see us releasing some form of this for smaller companies as well, it's crazy how many vendors and how much infra even these 2 month old startups have
Looks very cool! Wiz is a beast at the moment so I will be watching closely to see if you (or anyone else really) will be able to go up against them
How come things like this are not built into most cloud providers?
AWS has Config to give you an inventory, but that only covers AWS. My guess is that there's not much incentive for the major cloud providers to build a product to help you correlate data across other products.
Congrats on the launch!
absolutely awesome -- huge need
Looks great. Sent you a DM.