Hello, KubeCon EU. We're really excited to be here today representing Prisma Cloud and Palo Alto Networks, reimagining the ATT&CK framework for cloud-native applications. My name is Keith Mokris. I lead product marketing for Prisma Cloud, and I'm really excited to introduce my guest presenter, Ashley Ward, Field CTO for Prisma Cloud. For two years at Palo Alto Networks, Ashley Ward has worked with customers around the globe, helping them move to the cloud securely and protect their hosts, containers, and serverless applications. Before he joined Palo Alto Networks through the Twistlock acquisition, he was at Twistlock for over two years, working in the field with customers across EMEA. Before that, he was at Aegon, helping them securely move to the cloud and leverage microservices architectures on Red Hat OpenShift. And I'm thrilled to have him leading the demo portion of today's presentation. Ashley, thanks for being here.

Keith, thanks for having me.

We're really excited to talk about the new capabilities that we've released as part of Prisma Cloud focused on ATT&CK for cloud-native applications. And as we dive in, we really want to identify the fact that cloud security across diverse tech stacks is really challenging for a lot of organizations. And this is a very simple way to look at, you know, a modern cloud-native architecture. Certainly, you have the public cloud infrastructure that Prisma Cloud secures, which you can use anywhere around the world. And then in the middle, you have all of the specific tech stacks or compute layers that certainly everyone here at KubeCon would be well aware of. So you have your virtual machines, your containers and Kubernetes stacks, your PaaS stacks or serverless functions, all of which you not only need to protect at runtime, but also address vulnerabilities and compliance concerns for. And then certainly you have all of the public cloud or cloud-native services that connect to these applications.
So you have the identity components, automation, storage, and networking components. And it's really important to make sure that they're configured properly and securely, as all of these things really come together to form your cloud security posture. And then when we look at the new feature that we're really excited to talk about in today's demo, we're looking at ATT&CK for cloud-native applications. A lot of users in the audience are certainly aware of MITRE and their incredible research and guidance when it comes to endpoint protection and XDR or protecting the public cloud and other important resources. And one of the things that we've done is focused on bringing ATT&CK into this new dashboard that we call Attack Explorer, focusing on hosts, containers, Kubernetes orchestration and serverless functions to help organizations understand any incidents or audit information so they can essentially get guidance on how they can remediate these issues. So what Ashley is going to walk through is our dashboard to help organizations understand audit and ATT&CK, how we leverage and gather all of this data across any of your different application architectures, and how we've mapped all of these different responses across the 12 distinct categories that you'll see in Attack Explorer. And then ultimately one of the very cool things that we can do with Prisma Cloud is look at audit events, look at essentially time of detection, and gain deeper details, whether it's audit information or forensic event data, so you can essentially understand any compromise or incidents that may be impacting your cloud infrastructure. And without further ado, this really sets the stage to hand the ball over to Ashley to guide you through these incredible features.

Thanks very much, Keith. Let me get my screen shared out and pick the right screen share, which has all gone missing. There we go. So hopefully my screen's coming through.
Okay, as Keith was pointing out, we have taken that ATT&CK framework and we present it as this Attack Explorer. And really the whole thing about this is being able to visualize it, so that you can actually action all that information that can be coming through. So here everything's separated out. We could have been getting all this as audit information, but let's pick on one. We've got here obfuscated files. So a nice simple click there brings up my next menu to say, right, what is it we're actually looking at here? And I've got that actual event that happened. We've got an audit event here: a rather nice file in my demo environment called /evil has appeared. But what we're doing is, if you look at that information, it can be overwhelming. And so you can get all this as logging information, but to actually have it tied back to say, okay, this particular event was triggered, this is what's shown as obfuscated files, and we've got all that container information and more that we can pick up on. But using the exact same window that I've got here, I can then drill further into saying, I know that a rule was triggered, but what does that actually mean? So I can look at the forensic data that we have for this. Now, this is for a particular running container. We can see the container started. We've got all that information about it. And we can see that we've got some behavioral learning that takes place, and I'll dive into that in a second. But we've then also seen more activity that's happened. An incident has been raised. There's a suspicious binary here. We see the binary being created and we can see that detail there that appeared again. Now, with all of that, we could have triggered this and sent this out to logs. We could have automated a process based on this event happening. But this is us looking to say, okay, well, we had this happen, we've got the forensics for it. We can see the effect that was generated.
So in this case, Prisma Cloud was set to only alert on this because, of course, it could have been blocking that event from happening. And we can even see the rule that's there. And again, I'll go into that in slightly more detail in a second. Now, when we talk about that runtime, we're not just saying, okay, let's write a rule that says, if something called /evil gets created, then take some action. Instead, this is all that automated learning that takes place. So examining what normal is across, we can see here, the processes: what are the things that we've learned? And in this demo here, we can see we've learned that it should just run tail and nothing else. And so when something deviates from that normal, whether in the processes, the networking, or even the file system, if we had any file system activity to say what's normal, then we can build up that runtime model and generate those alerts. Now, this is all about making it easy to consume. Going back to what Keith said, you're going to be focusing on all your different cloud accounts. And you're not just focusing on them from a security point of view, you're focusing on them. So this is where we come in, at the raison d'être of what we do, which is about saying we will secure across all those different things that you're running. So back here, back to this, we didn't need to create a rule to say "suspicious ELF header found". We didn't need to say "if the file /evil gets created". We did all this automatically. Now we can of course override these. We can see here that from this alert, we've got the actual rule that was triggered and impacted. So we could dive into that rule to say, well, actually we'll modify the rule because in our environment, although we didn't behaviorally learn that /evil gets created, we always want that to happen. Maybe a very silly example there, but you can see how we can immediately drill in to whitelist, blacklist. We can do that learning. We can change as required.
And so going back to that learning, we can even from here just say, well, let's just extend that learning. We can go to that and say, we did learn this, but we didn't fully test our application. And so now let's click into that learning and go further. So coming out of this and back out to that explorer: in this feature, we're taking all of that work that we already do as a product. So looking at the Kubernetes audit events that are coming in, looking at the different things that might be happening, and pulling them up into the right categorization as per the framework. Here, another example: just clicking there, we can see that actually kubectl has been downloaded into a container. We didn't need to write those rules, but even if we did write a custom rule for this, we have it appearing here. So it's easy for a security person to see. It's easy for a DevOps team to see. So using that role-based access control to then get the correct visibility, we can see why this would be bad. I might, in my DevOps days, maybe have thought exec-ing into a container was a good idea, but actually, of course, it's not. So diving into yet another example in that explorer, I very quickly just drilled down into what was the actual event. And with this blob of the event, I could, if I wanted, then use our custom resource and custom query language to be able to say, generate me an alert on this if there's a problem. And so these are just a glimpse into a single little feature. And as Keith said, in that beautiful picture, you're worrying about your cloud service provider account. You want to look at all those different things you might be running and all those different environments. And that's the value add for a team, as opposed to trying to learn and write "is this normal behavior for my container?" within the MITRE framework. It's all done for you. So at that, listen, thank you very much, everybody, for listening to me.
Thanks, Keith, for a great little set of slides, which I am going to find and steal and reuse. And please, everyone, do swing by our booth for more information or visit paloaltonetworks.com. And at that, enjoy the rest of KubeCon. Thank you very much.
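The flow the demo walks through above, as an added example that is not code from the talk, from Prisma Cloud or from Palo Alto Networks: a per-container runtime model learns which processes are normal during a learning window, flags deviations in a stream of runtime and Kubernetes audit events (a process outside the baseline, a new ELF binary such as /evil, kubectl fetched into a container, an exec into a container), and files each finding under the ATT&CK tactic an explorer-style dashboard would show it in. The container names, events, the three-event learning window, the `Event`/`Finding`/`RuntimeModel` types and the keyword heuristics are all this example's own assumptions; the technique identifiers T1027, T1105 and T1609 are real MITRE ATT&CK IDs, but nothing here reflects how the product itself performs the mapping.

```python
"""Toy runtime model with ATT&CK tagging (added example, not Prisma Cloud code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# Assumption for this example: a fresh ELF under these paths is a package install,
# anywhere else it is treated as a dropped binary.
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/")
ADMIN_TOOLS = ("kubectl", "helm")          # tools we do not expect inside a workload
FETCHERS = ("curl", "wget")


@dataclass
class Event:
    container: str
    kind: str          # "process", "file" or "k8s_audit"
    value: str         # process name, file path, or audited subresource
    details: str = ""  # URL for a process, hex of leading bytes for a file, verb for audit


@dataclass
class Finding:
    container: str
    tactic: str        # the ATT&CK column the dashboard would file this under
    technique: str
    evidence: str


class RuntimeModel:
    """Learns what 'normal' looks like per container, then alerts on deviations."""

    def __init__(self, learning_window: int = 3):
        self.learning_window = learning_window
        self._learned_count = defaultdict(int)
        self.allowed_processes = defaultdict(set)
        self.findings = []

    def allow(self, container: str, process: str) -> None:
        """Manual override: extend the learned model without relearning (the 'whitelist' step)."""
        self.allowed_processes[container].add(process)

    def observe(self, ev: Event) -> Optional[Finding]:
        handler = {"process": self._process, "file": self._file, "k8s_audit": self._audit}[ev.kind]
        finding = handler(ev)
        if finding:
            self.findings.append(finding)
        return finding

    def _process(self, ev: Event) -> Optional[Finding]:
        c = ev.container
        if self._learned_count[c] < self.learning_window:
            # Learning phase: whatever runs now becomes the baseline for this container.
            self._learned_count[c] += 1
            self.allowed_processes[c].add(ev.value)
            return None
        if ev.value in FETCHERS and any(tool in ev.details for tool in ADMIN_TOOLS):
            return Finding(c, "Command and Control", "T1105 Ingress Tool Transfer",
                           f"{ev.value} fetched {ev.details}")
        if ev.value not in self.allowed_processes[c]:
            # Not a single ATT&CK technique; the runtime anomaly itself is the signal.
            return Finding(c, "Execution", "Process outside learned baseline",
                           f"{ev.value} started; baseline is {sorted(self.allowed_processes[c])}")
        return None

    def _file(self, ev: Event) -> Optional[Finding]:
        head = bytes.fromhex(ev.details) if ev.details else b""
        if head.startswith(ELF_MAGIC) and not ev.value.startswith(TRUSTED_BIN_DIRS):
            return Finding(ev.container, "Defense Evasion", "T1027 Obfuscated Files or Information",
                           f"ELF binary written to {ev.value}")
        return None

    def _audit(self, ev: Event) -> Optional[Finding]:
        if ev.value == "pods/exec" and ev.details == "create":
            return Finding(ev.container, "Execution", "T1609 Container Administration Command",
                           "exec into a running container")
        return None


def explorer_summary(findings):
    """Hits per tactic: the per-column count an ATT&CK explorer view shows."""
    return dict(Counter(f.tactic for f in findings))


def run_demo() -> RuntimeModel:
    """Constructed event stream mirroring the talk: a container that should only run tail."""
    model = RuntimeModel(learning_window=3)
    events = [
        Event("web-1", "process", "tail"),  # learning window: tail, tail, tail
        Event("web-1", "process", "tail"),
        Event("web-1", "process", "tail"),
        Event("web-1", "process", "sh"),    # deviation from the learned baseline
        Event("web-1", "file", "/evil", ELF_MAGIC.hex() + "0201"),  # dropped ELF outside trusted dirs
        Event("web-1", "process", "curl", "https://example.invalid/kubectl"),  # tool download
        Event("web-1", "k8s_audit", "pods/exec", "create"),  # Kubernetes audit: exec into pod
    ]
    for ev in events:
        model.observe(ev)
    return model


if __name__ == "__main__":
    m = run_demo()
    for f in m.findings:
        print(f"[{f.tactic}] {f.technique}: {f.evidence}")
    print(explorer_summary(m.findings))
```

The override path matters as much as the detection path: after `model.allow("web-1", "sh")` a later `sh` start no longer produces a finding, which is the "extend the learning" step from the demo expressed as an explicit allow-list change rather than a relearn.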