Permiso, a startup focused on identity-based detection and response for cloud infrastructure, announced earlier this week that it has launched P0 Labs.
The P0 Labs name refers to the company’s “priority zero” mission of detecting and responding to the latest attacks on cloud infrastructure for its customers.
SC Media caught up with Paul Nguyen, the company’s co-founder and co-CEO, and Ian Ahl, vice president and director of P0 Labs, to discuss the company’s unique identity-based approach to cloud security and its plans to expand integrations and help customers adapt as nation-state actors begin to migrate to the cloud.
Let’s start by providing some background on the company and the story of how you got started.
Nguyen: Jason Martin and I started Permiso three years ago when we were both executives at FireEye. We decided that cloud security was going to be the next frontier, much like how we saw data centers evolve 20 years ago. We tried to buy a couple of cloud security companies and it gave us a taste of the market. FireEye wanted to see detection and response as the next evolution of cloud security. Unfortunately, we couldn’t execute that strategy, so Jason and I went off to do it on our own. We saw a huge opportunity for detection and response in the cloud security market, which is still in its infancy. So we’re excited to do something that’s completely blank, never done before.
Is Permiso primarily a red team penetration testing company? Or, with its emphasis on detection and response, is it taking the purple team approach?
Ahl: We are a cloud detection and response company and we have some services built around that. I put together the P0 Labs team of incident responders and penetration testers for the purple team purpose of hinting at attacks on the red team side and having those responders watch what’s going on. Our goal is to find the bad guys. We take our knowledge to the front line and embed it there, but we also use the purple team approach to create the bad activity first so we can take that knowledge and codify it into our product. So a lot of times what we’ll do is create malicious activity first, monitor what we’re doing with that malicious activity, and then write the detections associated with it.
What is different about the cloud threat landscape that requires a new approach compared with what the security industry has done in the past?
Ahl: Attackers want to move to the cloud for the same reason everyone else does: speed, scale, and impact. And that is the biggest differential from a capacity point of view. They know they can have a bigger impact by going to the cloud. Right now, we’re in the phase where it’s mostly commodity attackers, ransomware, and bitcoin mining, but now we’re seeing advanced attackers starting to enter the cloud space. They have done it for years, but only now is it in large quantities. For example, APT29 is a group I worked on when I was at Mandiant. Those were the perpetrators of the SolarWinds incident. These are Russian nation-state threat actors, really top tier when it comes to the groups that are tracked there. And we know that now they are also changing. They’re getting into the vendor supply chain and they’re targeting cloud providers and cloud security providers so they can take advantage of that access to get into other environments.
So what are you doing to counter this growing threat?
Nguyen: We are using identity as that main mechanism to detect evil. One of the main vectors we’re seeing is compromised credentials or exposed secrets: attackers gain access through an initial set of credentials they compromise and then they can follow that trail, and as they spin, they create other users and run other impact events.
The identity approach is very novel. Traditional approaches have focused on networks, hosts, and IP addresses, which was a data center construct. In the cloud, cloud service providers do not expose the network and hosts, but rather provide services. The way you instrument those services is through APIs using credentials. You hear about S3 buckets, which is data storage. And EC2, which is computing. How do you spin more S3 or EC2? You have to have valid credentials to run. It is not about a network or a host. You are calling APIs using valid credentials to turn the infrastructure on and off, which is the power of the cloud.
Even if you look at traditional security products, it’s always about assets, hosts, and networks: endpoint detection, network detection, email. In the cloud, it’s completely different; it’s the services. So how are services instrumented to build applications? People find it difficult to think about the cloud security model when they move to the cloud. Our first angel investor was Jason Chan, who used to be the vice president of information security at Netflix. Chan and his team at Netflix were at a very mature point in the cloud and they gave us some of the initial builds that we thought of in terms of the capabilities that the mass market would need as they start moving to the cloud and finally get to where Netflix has evolved. We deconstructed what Jason Chan had done and said we can bring these capabilities to where customers are today.
How will P0 Labs make this happen?
Ahl: There are many normal SIEM products that can take an event and let you know when something bad happens. What we do is bundle things around identity and credentials, extract all those events around attacker techniques, and build rules around a “session”. A session is a grouping of events based on identity and credentials over a period of time. If I went into AWS and clicked “create bucket” and “delete bucket” and then tried to spin up EC2 instances, that would create hundreds of events to make that happen. A normal cloud SIEM would search event by event. We bundle that activity into a single session. For example, the system alerts me every time an identity attempts to increase privileges within this resource type. This allows us to describe complex logic because we group it all together.
Nguyen: Have you seen the Avengers movies? There’s the concept of the multiverse: parallel existences of the same person, but they’re on different timelines. I can have 10 credentials in a cloud environment. So that’s 10 different timelines and 10 different sessions that I have to track independently of each other. Timeline 1 is malicious, timelines 2 and 3 are fine. When we see attackers, they are jumping across timelines and credentials. What we do is track them and we haven’t seen anyone able to do that multiverse tracking between sessions.
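The session idea Ahl and Nguyen describe above, as an added illustration from the editor and not code from Permiso or P0 Labs: a small Python detector that groups CloudTrail-style records into per-credential sessions, flags privilege-escalation attempts (denied ones included, since the attempt is the signal) and new-identity-plus-access-key persistence inside one session, and then links a session to any later session running on the access key it minted, which is the jump across “timelines” Nguyen describes. Field names mirror CloudTrail’s, but the records, the key IDs, the rule list and the 30-minute idle cutoff are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real logs). Only the fields the
# rules below need are kept; accessKeyId is the credential a session is keyed on.
EVENTS = [
    {"eventTime": "2022-08-01T10:00:00Z", "eventName": "ListBuckets",
     "accessKeyId": "AKIAEXAMPLEORIG", "userName": "dev-ci", "requestParameters": {}},
    {"eventTime": "2022-08-01T10:00:30Z", "eventName": "AttachUserPolicy",
     "accessKeyId": "AKIAEXAMPLEORIG", "userName": "dev-ci",
     "requestParameters": {"userName": "dev-ci",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-01T10:01:00Z", "eventName": "CreateUser",
     "accessKeyId": "AKIAEXAMPLEORIG", "userName": "dev-ci",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2022-08-01T10:01:10Z", "eventName": "CreateAccessKey",
     "accessKeyId": "AKIAEXAMPLEORIG", "userName": "dev-ci",
     "requestParameters": {"userName": "backup-svc"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLENEW"}}},
    {"eventTime": "2022-08-01T10:05:00Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLEOTHER", "userName": "analyst", "requestParameters": {}},
    {"eventTime": "2022-08-01T11:30:00Z", "eventName": "RunInstances",
     "accessKeyId": "AKIAEXAMPLENEW", "userName": "backup-svc", "requestParameters": {}},
]

# IAM calls that change what an identity is allowed to do (assumed rule list).
PRIV_ESC_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                   "PutRolePolicy", "AddUserToGroup", "UpdateAssumeRolePolicy"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def sessionize(events, idle=timedelta(minutes=30)):
    """Group events by credential; a gap longer than `idle` starts a new session."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[ev["accessKeyId"]].append(ev)
    sessions = []
    for key, evs in by_key.items():
        current = None
        for ev in evs:
            if current is None or _ts(ev) - _ts(current["events"][-1]) > idle:
                current = {"accessKeyId": key, "userName": ev["userName"], "events": []}
                sessions.append(current)
            current["events"].append(ev)
    return sessions


def analyze_session(session):
    """Session-level rules. A denied AttachUserPolicy still counts: the attempt
    to escalate is the signal, whether or not IAM allowed it."""
    findings = []
    evs = session["events"]
    attempts = [ev for ev in evs if ev["eventName"] in PRIV_ESC_EVENTS]
    if attempts:
        findings.append(("privilege_escalation_attempt", len(attempts)))
    created = [ev["requestParameters"].get("userName") for ev in evs
               if ev["eventName"] == "CreateUser"]
    keyed = [ev["requestParameters"].get("userName") for ev in evs
             if ev["eventName"] == "CreateAccessKey"]
    for user in created:
        if user in keyed:  # a new identity given its own credential within one session
            findings.append(("new_identity_with_credential", user))
    return findings


def created_keys(session):
    """Access key IDs minted inside this session: the seeds of new timelines."""
    return {ev["responseElements"]["accessKey"]["accessKeyId"] for ev in session["events"]
            if ev["eventName"] == "CreateAccessKey" and "responseElements" in ev}


def link_sessions(sessions):
    """Join a session to every session that runs on a key it created."""
    links = []
    for parent in sessions:
        for key in created_keys(parent):
            for child in sessions:
                if child["accessKeyId"] == key:
                    links.append((parent["accessKeyId"], child["accessKeyId"]))
    return links


def detect(events):
    sessions = sessionize(events)
    findings = defaultdict(list)
    for s in sessions:
        findings[s["accessKeyId"]].extend(analyze_session(s))
    return {"sessions": len(sessions), "findings": dict(findings),
            "pivots": link_sessions(sessions)}


if __name__ == "__main__":
    report = detect(EVENTS)
    print(report["sessions"], "sessions")
    for key, items in report["findings"].items():
        print(key, items)
    print("pivots:", report["pivots"])
```

Run stand-alone it reports three sessions, two findings on the original key and none on the analyst’s key, and one pivot from the original key to the key it created. An event-by-event rule would see a denied policy attach, a user creation and a key creation as three unrelated alerts; grouping by credential first is what lets the RunInstances call an hour later on a different key be tied back to the credential that spawned it.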
Permiso made headlines in January with its $10 million seed funding round. Given the looming recession, what is a realistic timeline for future funding rounds and for meeting your goals for the future?
Nguyen: We are not thinking of raising funds at this time, but will raise a round in the next 6-18 months depending on market demands. We primarily focus on how to find evil in these new frontiers of cloud infrastructure. Nowadays, there are not many tools to find the bad guys. I think we are a few months ahead of the market. We plan to extend our integrations. We have formed a partnership with HashiCorp to integrate with their Vault. We’re also looking to work with identity providers like Okta, Ping, SailPoint and Azure AD; that’s a big part of our story. We also have customers requesting integrations into their CI/CD DevOps pipelines. Our legacy is old FireEye, old Mandiant. We know what evil looks like and Ian and his team know how to respond to evil. Ian has been responsible for tracking down these groups of threat actors. So our focus is to stay ahead of the adversary. Get the best information to understand where they’re going, then create protections for our customers. An attacker can sit in one environment for a long time. We want to shorten that as much as possible.