
RedLock vs. CASB: Know Which Challenges You Are Trying to Solve

by   |   07.17.18, 6:00 AM

Prior to founding RedLock, my co-founder and I spent years at an industry-leading Cloud Access Security Broker (CASB). When we first began thinking about RedLock’s initial product, we focused on the challenges enterprises face as they embrace the DevOps movement fueled by public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

RedLock was founded on the thesis that traditional data-center security tools do not translate to the public cloud, where assets are API-driven, ephemeral and created by developers rather than by a central IT team. These tools include:

  • Configuration Management Databases (CMDB)
  • Traditional network security solutions, including in-line firewalls, micro-segmentation solutions, and netflow monitoring tools
  • Log management & SIEM platforms
  • Governance, Risk & Compliance (GRC) solutions

RedLock vs. CASBs: Our fundamental missions and focus are very different

RedLock solves public cloud IaaS and PaaS use cases where customers need to maintain a CMDB and secure their network traffic, hosts, API and control plane configurations, and users. We detect a range of public cloud threats including vulnerable hosts, compromised access keys, misconfigured and leaky cloud resources, open security groups, suspicious network traffic, data exfiltration and cryptomining, among others. Detecting these threats requires technology that correlates data from multiple sources (configuration, audit logs, flow logs and third-party threat intelligence feeds) and helps incident response teams investigate, gain context and respond to threats in minutes.

CASBs on the other hand were designed to detect which SaaS apps are in use within the enterprise and leverage an in-line proxy architecture to govern access to SaaS applications. They typically also apply Data Loss Prevention (DLP) and encryption technologies to secure the data. They weren’t designed to address the fundamental challenges associated with IaaS and PaaS platforms previously described in this article but CASBs do a phenomenal job with SaaS.

There are areas of functional overlap: both RedLock and CASBs offer UEBA (User and Entity Behavior Analytics), which baselines user activity and behavior to detect potential intrusions and malicious activity. Beyond this, the distinction between RedLock and CASBs is clear: CASB configuration checking and monitoring tools can tell you what “could” go wrong; RedLock tells you what “is” wrong, using real-time analytics from your public cloud accounts, and helps your SOC respond rapidly.

RedLock and CASBs: A Deeper Comparison

Let’s look at a more detailed comparison of the key functional areas that distinguish the two technologies:

Time to Operationalize
  RedLock:
  • Typical deployments take about 15 minutes and provide comprehensive capabilities with no agents or proxies.
  • 100% API based.
  CASBs:
  • Agent and in-line architectures typically take years to fully implement and realize value.
  • Requires multiple deployment methods (API, agent and/or in-line) to fully operationalize.

Total Cost of Ownership (TCO) & Return on Investment (ROI)
  RedLock:
  • Rapid deployments allow CISOs and their teams to show same-day ROI.
  • Does not require a dedicated team for care and feeding, streamlining TCO.
  • Native platform data aggregation typically reduces enterprise SIEM storage costs by up to 95%.
  CASBs:
  • Product complexity coupled with multi-year deployments inflates TCO and erodes ROI.
  • Typical CASB deployments require dedicated teams, further adding to TCO.

GCP, Azure & AWS Support across IaaS & PaaS Services
  RedLock:
  • Broad support across not only IaaS but also PaaS, which is skyrocketing in popularity with business teams.
  CASBs:
  • Mostly focused on IaaS and missing the DevOps and enterprise moves to containers and serverless.

DevOps / DevSecOps
  RedLock:
  • Developer friendly. Can be embedded into the CI/CD pipeline to automate assessments and remediation.
  CASBs:
  • Requires manual interaction and is not DevOps friendly.
  • Auto-remediation capabilities not available.

Network Monitoring
  RedLock:
  • Network monitoring and intrusion detection by monitoring traffic from the Internet and from suspicious IP addresses to sensitive workloads.
  • Network traffic visualization through intuitive graphs.
  • Advanced correlation to classify workloads and detect vulnerable resources.
  CASBs:
  • Limited to no network monitoring (flow logs).
  • Limited to no intrusion detection.
  • Limited to no application identification via machine learning.
  • Limited to no correlation of network data with configuration, CloudTrail or flow logs to facilitate incident investigation and response.

In-cloud Visibility
  RedLock:
  • Automatically discovers all assets running inside the public cloud environments, identifies the DevOps teams making changes to them, and tracks all historical changes made to assets.
  CASBs:
  • Requires dedicated on-premises appliances to scan proxy logs to discover the cloud apps in use in the enterprise, without any detailed discovery of IaaS and PaaS assets, their configurations, changes, etc.

User and Entity Behavior Analytics (UEBA)
  RedLock:
  • Advanced machine learning to detect account and access key hijacking, brute-force logins and unusual user access, covering both insider and external threats.
  • Full audit trail of user and privileged activities.
  CASBs:
  • Audit information mostly limited to instance-level events such as start, stop and terminate.

Configuration & Compliance Monitoring
  RedLock:
  • Out-of-the-box policies for GDPR, CIS, PCI, HIPAA, SOC 2 and NIST compliance controls, with reporting across AWS, Azure and GCP.
  • Substantial labor savings free up resources to work on other strategic efforts.
  CASBs:
  • Typically limited to CIS benchmarks only.

Host Monitoring
  RedLock:
  • Integrates with host-level tools such as Amazon Inspector (vulnerability findings) and Amazon GuardDuty (threat findings) and correlates them with cloud configurations and network traffic to provide deeper visibility into security risks in the cloud environment.
  CASBs:
  • No native host-level visibility.
  • No integration with host vulnerability or threat detection tools such as Amazon Inspector or Amazon GuardDuty.

Use Cases where CASB falls short

As discussed, cloud threat defense providers such as RedLock solve very different use cases than CASBs. To illustrate further, here are a few use case examples:

  • Cloud configuration management database (CMDB) for monitoring and securing assets across multiple cloud providers. Organizations migrating to the cloud are often surprised by how little security and compliance visibility they get natively from cloud providers, especially compared to their traditional on-premises world. Detecting, classifying and tracking your cloud asset inventory is difficult because cloud resources are ephemeral and often fragmented or simply not tracked at all. RedLock addresses this by building a CMDB of public cloud assets, providing comprehensive visibility for asset identification and profiling, as well as change tracking and user attribution driven by machine learning.
 RedLock’s cloud CMDB provides deep visibility into cloud environments.

  • SOC enablement: incident response & forensics. Rapidly detecting and remediating risks across resource configurations, multiple clouds, network architecture and user activity has long been the bane of SOCs, which are often left out of cloud migrations and deployments. Take the example of a newly deployed cloud resource. RedLock monitors for open security groups and, in the screenshot below, finds a number of databases that are open to the Internet and also receiving malicious traffic. RedLock gives the SOC team the context to act and can remediate the issue by removing the databases from the public security group and placing them in a private one. What can a CASB do in this situation? It may detect the misconfigured security group, but it cannot identify the applications behind it or the traffic actually reaching them, which makes rapid, confident remediation impossible. In summary, RedLock gives your SOC immediate situational awareness and can facilitate remediation in this scenario, while a CASB cannot.
RedLock automatically discovers new resources, detects misconfigurations and threats, and accelerates remediation.

  • Vulnerability identification, correlation and analysis. By now you know that continuously monitoring cloud workloads is the only way to keep an environment secure. The Spectre and Meltdown disclosures showed how a fleet can carry unpatched host vulnerabilities on workloads that are, at the same time, reachable from the Internet and receiving malicious traffic; the question a SOC needs answered is which vulnerable hosts are actually exposed and under attack. A CASB has no mechanism to answer it, since CASBs typically neither ingest flow logs nor correlate host-level vulnerability data. RedLock, on the other hand, lets you create specific policies for these vulnerabilities and adds the surrounding context. For example, the following screenshot shows a RedLock query for workloads that carry the Spectre and Meltdown CVEs AND are Internet-facing, run a database application, and are consistently receiving malicious traffic from the public Internet (RedLock makes this correlation automatically using both proprietary analytics and third-party threat intelligence feeds).
 RedLock lets you create specific policies for host vulnerabilities and adds context on the nature and severity of the resulting threats.

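
The correlation described in the last two use cases (an open security group, a database port, flow-log traffic from threat-intel IPs, and a host vulnerability finding on the same instance) can be reproduced in plain Python. The block below is an added example, not RedLock code or a RedLock query; the security groups, instance inventory, flow log lines and threat-intel IPs are all constructed, and the instance and group identifiers are hypothetical. It uses the real field layout of AWS VPC flow logs (version 2) and the IpPermissions shape of ec2:DescribeSecurityGroups, and the real Spectre/Meltdown CVE identifiers.

```python
"""Correlate security-group exposure, VPC flow logs, a threat-intel IP list and
host vulnerability findings to find Internet-exposed, attacked, vulnerable DBs.
Added example (not RedLock code); every input below is constructed."""
from collections import defaultdict

# CVE identifiers for Spectre (5753, 5715) and Meltdown (5754).
SPECTRE_MELTDOWN = {"CVE-2017-5753", "CVE-2017-5715", "CVE-2017-5754"}
DB_PORTS = {3306: "mysql", 5432: "postgres", 27017: "mongodb", 1433: "mssql"}
ANY_CIDR = ("0.0.0.0/0", "::/0")

# Constructed subset of ec2:DescribeSecurityGroups output (IpPermissions shape).
SECURITY_GROUPS = {
    "sg-db-public": {"IpPermissions": [
        {"FromPort": 5432, "ToPort": 5432, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-db-private": {"IpPermissions": [
        {"FromPort": 5432, "ToPort": 5432, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    "sg-web": {"IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}

# Constructed inventory: ENI, public IP, attached groups and CVE findings as a
# host scanner (e.g. Amazon Inspector) would report them. IDs are hypothetical.
INSTANCES = {
    "i-0db1": {"eni": "eni-aaa", "public_ip": "203.0.113.10",
               "groups": ["sg-db-public"], "cves": {"CVE-2017-5754"}},
    "i-0db2": {"eni": "eni-bbb", "public_ip": None,
               "groups": ["sg-db-private"], "cves": {"CVE-2017-5754"}},
    "i-0web": {"eni": "eni-ccc", "public_ip": "203.0.113.20",
               "groups": ["sg-web"], "cves": set()},
}

# Constructed threat-intel feed: sources known to scan/brute-force databases.
BAD_IPS = {"198.51.100.7", "198.51.100.9"}

# Constructed VPC flow log records in the default version-2 format:
# version account eni src dst srcport dstport proto pkts bytes start end action status
FLOW_LOG = """\
2 123456789012 eni-aaa 198.51.100.7 10.0.1.5 51522 5432 6 40 12000 1531800000 1531800060 ACCEPT OK
2 123456789012 eni-aaa 198.51.100.9 10.0.1.5 51523 5432 6 9 1800 1531800000 1531800060 ACCEPT OK
2 123456789012 eni-aaa 192.0.2.44 10.0.1.5 40000 5432 6 3 600 1531800000 1531800060 ACCEPT OK
2 123456789012 eni-bbb 198.51.100.7 10.0.2.5 51524 5432 6 1 60 1531800000 1531800060 REJECT OK
2 123456789012 eni-ccc 198.51.100.7 10.0.3.5 51525 443 6 20 8000 1531800000 1531800060 ACCEPT OK
"""


def parse_flow_log(text):
    """Yield (eni, srcaddr, dstport, action) tuples from v2 flow log lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # skip headers, NODATA/SKIPDATA shapes and other versions
        yield f[2], f[3], int(f[6]), f[12]


def internet_open_db_ports(group_ids):
    """Return {port: engine} for DB ports that any attached group opens to the world."""
    exposed = {}
    for gid in group_ids:
        for perm in SECURITY_GROUPS[gid]["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in ANY_CIDR for c in cidrs):
                continue
            # IpProtocol "-1" (all traffic) carries no FromPort/ToPort: treat as 0-65535.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed.update({p: e for p, e in DB_PORTS.items() if lo <= p <= hi})
    return exposed


def correlate(instances=INSTANCES, flow_log=FLOW_LOG, bad_ips=BAD_IPS):
    """Instances that are Internet-facing, expose a DB port to 0.0.0.0/0, carry a
    Spectre/Meltdown CVE, and ACCEPTed traffic on that port from threat-intel IPs."""
    by_eni = {inst["eni"]: iid for iid, inst in instances.items()}
    hits = defaultdict(lambda: defaultdict(set))  # instance -> port -> bad sources
    for eni, src, dport, action in parse_flow_log(flow_log):
        if action == "ACCEPT" and src in bad_ips and eni in by_eni:
            hits[by_eni[eni]][dport].add(src)
    findings = []
    for iid, inst in instances.items():
        if not inst["public_ip"]:
            continue  # not Internet-facing; an open group alone is a lower-severity finding
        cves = inst["cves"] & SPECTRE_MELTDOWN
        for port, engine in internet_open_db_ports(inst["groups"]).items():
            attackers = hits[iid][port]
            if cves and attackers:
                findings.append({
                    "instance": iid, "engine": engine, "port": port,
                    "cves": sorted(cves), "attackers": sorted(attackers),
                    "fix": f"detach {inst['groups']} from {iid}; allow {port}/tcp "
                           f"from internal CIDRs only, then patch"})
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

Only i-0db1 surfaces: it is publicly addressable, its group opens 5432/tcp to 0.0.0.0/0, two threat-intel sources reached that port with ACCEPT records, and it carries CVE-2017-5754. i-0db2 has the same CVE but no public IP and a private-only group (its one bad-source record was REJECTed), and i-0web is exposed but runs no database and has no finding, so neither is reported; that is the difference between "could go wrong" and "is wrong" described above.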
When organizations are looking to address security challenges in SaaS applications, CASBs should be their primary tool. There are several excellent CASB vendors who are innovating and delivering value to customers. But when it comes to rapidly protecting public cloud IaaS & PaaS resources, a focused cloud threat defense strategy is required, and this is precisely where RedLock helps many customers today.
