One approach to a Cloud-Native Application Protection Platform from a Defender's perspective

As organizations increasingly adopt cloud-native and public cloud infrastructures, securing these environments has become a critical priority. In this talk, I will share the current status of our company’s ongoing project to implement a Cloud-Native Application Protection Platform (CNAPP), with the Security Operations Center (SOC) playing a key role alongside other departments. This initiative is focused on enhancing proactive threat detection and response capabilities for our cloud-native environments. I will discuss the rationale behind the project, insights from the Proof of Concept phase, and where we stand today. This session is particularly valuable for SOC analysts and security professionals seeking to strengthen runtime security and optimize detection and response processes in dynamic cloud-native environments.

The shift to cloud-native and public cloud environments presents unique challenges for securing infrastructure, applications, and runtime environments. Recognizing these challenges, our company initiated a comprehensive project to implement a Cloud-Native Application Protection Platform (CNAPP), bringing together multiple departments, including the Security Operations Center (SOC). While this initiative is still ongoing, this talk will provide an overview of its current status, the steps taken so far, and the lessons learned along the way.

I will begin by explaining the broader organizational motivations for starting this project, including the need to improve security for cloud-native environments while ensuring scalability and centralized protection for infrastructure, runtime, and source code. I will then detail our experiences during the first phase, where we analyzed raw logs from Platform-as-a-Service (PaaS) and Container-as-a-Service (CaaS) environments. This phase helped us identify data gaps, design meaningful alerts, and understand the limitations of manual detection mechanisms, driving us toward a Proof of Concept (PoC) of a CNAPP solution.

The talk will focus on key aspects of the project, such as motivation, threat analysis, requirements gathering, and collaboration across departments. I will also highlight the technical, procedural, and organizational challenges faced during the PoC and the ongoing implementation phases. While the CNAPP solution is not yet fully deployed, I will share insights into the progress we’ve made so far, how CNAPP integrates with our SIEM system to improve threat detection, and how we respond to those threats in the SOC.

Attendees will leave with actionable takeaways on how to enhance detection and response capabilities specifically within the runtime of cloud environments, for example how to build effective SIEM detection rules that identify suspicious activities in cloud runtime environments, such as privilege escalation or anomalous container behavior. This session will provide insight into the challenges SOC analysts face in achieving greater visibility and operational efficiency when dealing with dynamic cloud-native infrastructures. It is particularly valuable for SOC analysts and security professionals aiming to strengthen runtime security, improve threat detection, and optimize response processes through CNAPP solutions.

About the Speaker