
Interview: CrowdStrike’s Fabio Fratucello talks about the cloud security journey and the GenAI race

CrowdStrike’s field CTO joins us for a chat about the ongoing challenges of digital transformation and cloud adoption, with a side serving of threat intelligence and the good and bad sides of AI.

David Hollingworth
Wed, 03 Jul 2024

We were lucky enough to recently sit down with CrowdStrike’s field chief technology officer, Fabio Fratucello.

With a career in security that goes back 20 years and encompasses stints at Westpac and Hewlett Packard Enterprises, Fabio has seen – and learnt – more than a few things in his time. This time, Cyber Daily quizzed Fabio on the drivers and challenges of cloud adoption and the risks and rewards of generative AI.


Cyber Daily: We’ve seen statistics that, especially in Australia, companies are adopting the cloud left, right and centre. In fact, they’re probably adopting too many cloud services, and that’s causing some vulnerabilities, so … are companies adopting the cloud in the right manner?


Fabio Fratucello: Yeah, you’re right.

In terms of the trends, we’re seeing organisations probably not just adopting but [also] continuing and accelerating with digital transformation and cloud adoptions.

Depending on the organisation, there could be a single cloud, but many organisations are adopting a multi-cloud strategy. After the last couple of years, there’s really been an acceleration of organisations realising the business benefit of these digital transformation journeys in terms of scalability; in terms of bringing better total cost of ownership to the business directly, but it comes with, of course, different threats.

You know the threat landscape for cloud environments is different from what has been the traditional threats, and we’re still seeing organisations struggling with really understanding what is the right security or risk approach to securing a cloud environment.

CD: So what is the right risk approach in that case?

Fabio Fratucello: Well, there’s probably two elements – at a macro level and then we can go deeper into the tools.

One is: what is the threat landscape that is relevant to the cloud environment as opposed to the traditional on-prem? And then there’s the cloud environment itself, as you know, how the technology and operations need to be assessed and managed differently from traditional on-prem.

So, I think if we start with the threat landscape … Overall, the trend is that the threat landscape continues to accelerate. We have threats coming faster and that are more sophisticated.

If we just look at some of the stats that are relevant to any type of business, not just the cloud environment. At CrowdStrike, we measure the breakout time, which is the time it takes an adversary to move laterally. So they compromise the host, and from that host, they move to a secondary host. And that time has moved from 62 to 84 minutes, right? So they’re becoming faster in this activity – that’s the average time. The fastest time was just more than two minutes – I think it’s two minutes and seven or eight seconds.

So, if you think about it, you know, an operator is just, you know, leaving the desk, going to get a drink, get a coffee, get a tea coming back, and an adversary has managed to achieve a lateral movement, which is kind of scary.

When we look specifically at the cloud environment and what it means over there, what we’re seeing is what we call cloud-conscious adversaries. So these are specifically threat groups that have over time built specialisation and knowledge in targeting cloud environments, and so the cloud intrusions that are attributed to cloud-conscious adversaries have grown significantly year on year – we’re talking about more than a 75 per cent increase year on year.

So, again, think about those threat groups – they really know the inside out of Google, of Microsoft Azure, AWS; they know the underlying principles that organisations are using as a foundation to set up security controls.

The other element is a combination of how identity plays a role in the cloud environment; it’s becoming a key domain in respect to detection, prevention, and response. And if you think of identity as effectively your key to the digital system, when you have this key, you’re fast forwarding into the kill chain. You already have the right credentials, you don’t need to harvest, you don’t need a vulnerability, a software vulnerability to be available to put a foot in the door; you have the keys, you just need to open the door, and that brings us to the old practice of prevention, detection, and response.

You need to have the right tool, and the right visibility, when you compare those two elements together to be able to face the adversaries.

CD: So these groups that are particularly cloud intelligent? Are they ransomware operators, regular black hat hackers, nation-state groups – or a mixture of all of the above?

Fabio Fratucello: That is a good question.

There is a good mixture of this. A good portion is what we call crime, so … Adversaries that are financially motivated.

But we have seen, for example, just to drop a couple of names, Fancy Bear in Russia, we’ve seen Scattered Spider, which is traditionally one of the biggest e-crime actors, being very well versed in targeting cloud environments.

CD: And Scattered Spider. That’s linked to the AlphV/Black Cat organisation, isn’t it? Or an affiliate of theirs, at least?

Fabio Fratucello: Yeah, they have some level of affiliation in terms of tools, correct.

CD: Threat intelligence, just knowing who’s who, is a whole challenge, isn’t it?

Fabio Fratucello: Yeah – absolutely.

Look, the whole, I guess, threat intelligence, attribution … It is a big practice in itself these days, and if you just think of the cyber security evolution, now we have not just a team but individual teams that are specialised in threat discovery, threat attribution and so forth. It plays a key element in cyber defence because, of course, if you understand the TTPs, the tactics, and the procedures that an adversary is likely to use against you ... If you know the likely goals of an adversary, you can put all of those elements together and it helps you build a picture from a defensive standpoint.

CD: So, we know what companies are kind of doing wrong – they’ve got this scattershot approach to adopting cloud technologies. So, what’s the right way to go about bringing your organisation into the cloud? And is there actually a place for staying away – does every company need the cloud?

Fabio Fratucello: So when we think of securing the cloud environment, we really think of a holistic approach to security. I’ll simplify it a little bit, but if we look at the cloud, there are three major buckets that need to be secure. If we think of how the cloud operates and how it operates differently from on-prem, you have a technology that can be spun up through code. You have a technology that can have a number of ephemeral workloads, and then you’re operating within the confinement of the cloud or in the cloud.

Where I’m going is that the critical three buckets that we see are pre-runtime, runtime, and the control plane.

Pre-runtime is effectively everything before code is committed and pushed to the cloud. So it’s what is called shift-left security, the DevSecOps type of approach, and that’s a very critical and important element in that space. For example, if we’re thinking about it, you know, of writing code and then using the code to spin up infrastructure in the cloud, do we have, for example, secrets baked into the code? Are we using libraries that may contain vulnerabilities and can be checked before something gets spun up in the cloud?

This is really where the developers and the engineers are meeting for security. Part of the challenge is that these are traditionally two different teams and, of course, having a tool that brings different teams working together in harmony – it’s already tapping into delivering the right security outcome.

Then, if we go completely to the other end, we have the control plane. So how do we ensure that the cloud environment is set up, configured, maintained according to the right baseline, according to the right profile, according to security best practice, whatever that may be, and how do we surface any deviation as soon as possible to the organisation, to the defenders so they understand what has changed, how it’s changed and what needs to be done? Are we comfortable with the change, or do we need to do a rollback? Do you have an S3 bucket, for example, that is visible from the Internet and it should not be?

And then the last component is, really, runtime, which is probably the most challenging from a technology-perspective component to secure. That’s where you know you have access to the runtime environments. So here you need an agent to be effective. Here is where you can really stop the breach because you’re now in kernel mode. You’re now running on the operating system on Kubernetes or whatever the runner is going to be, and you have the ability to inline detect, prevent, and respond to the threats, and so all of these three elements need to be there to have a comprehensive approach to cloud security, and more importantly, when those elements are consolidated and unified – that’s where we’re starting to see customers taking advantage and creating synergies, natural synergies, because ultimately you’re trying to protect your environment.

You really don’t care how an adversary is getting in; you want to detect and respond no matter what avenue that is.

CD: I’m going to finish with a question I like to ask everybody who works in this field – what keeps you up at night when it comes to security? You know, what do you and your colleagues worry about over coffee?

Fabio Fratucello: That’s been a common question. I spent most of my time as a customer and as a CISO, so that was the big question back in the day. I don’t get the question often, but thank you for asking me.

We’re not necessarily focused on a specific vulnerability or a specific threat at this point in time. We’re focused on making sure we continue to have a business that has insights. The North Star, in terms of where we’re going, and really continue to drive change, continue to drive research and development … is trying to out-innovate the adversary.

But, if we just think of the buzzword these days, with AI or generative AI, we actually know that the threat groups are using it. They’re not expecting AI to be regulated; they don’t really care about it, because they’re not a regulated business. They’re criminals, right? So they’re using it to their advantage as much as they can.

And you know, if we think from a defensive standpoint, the technology … It’s an amazing technology if used properly, so we’re really investing in it – this is just an avenue; it’s not a unique avenue, but it’s a great example of how we’re continuing to invest in generative AI and how we’re making generative AI as a technology available to organisations from a defensive standpoint – again, to win the race.

It is a race at the end of the day, right?

So we want to be better. We want to be faster than the adversary so we can stop a breach before it occurs.

CD: Thank you for your time, Fabio. We really appreciate it.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
