Orca Security Reviews

I am primarily using Orca Security for cloud security. Being part of the vulnerability management team, I utilize Orca Security for generating vulnerability alerts on cloud assets.

One aspect that stands out is the seamless integration. Once our organization is configured, any cloud account under that organization is automatically detected in Orca Security, along with all the assets associated with it. 

Another valuable feature is the side scanning technology using a snapshot mechanism. This technology allows for coverage of almost all cloud assets without interrupting their operations.

Orca Security could improve its ticket creation process. Currently, it allows for creating tickets in only one bucket, which requires monitoring to redirect tickets to the appropriate team. It would be beneficial to have segregation for different projects. 

Additionally, Orca Security could improve in reporting OS package vulnerabilities, such as missing MS patches or Linux patches.

I have been using Orca Security for one year.

I would rate the stability as nine out of ten. I personally have not encountered any bugs or issues with the console. It runs almost 24/7.

I would rate the scalability as nine out of ten. The seamless integration allows us to automatically reflect any connected project from our cloud into the console.

I would rate customer service between eight and nine out of ten. The support team assists with issues and provides information on new updates, helping us understand the product better.

Positive

Previously, we used Rapid7 for vulnerability management. We switched because we moved from on-premises to the cloud, which required a cloud security solution.

I am not sure about the pricing, as all decisions related to pricing and configuration were made by a different department.

I recommend Orca Security to others looking for a cloud security solution due to its seamless integration and side-scanning technology that does not hamper cloud asset performance. It also offers automation for ticket creation directly from alerts.

I'd rate the solution eight out of ten.

With Orca, the main thing that we're leveraging is their Cloud Security Posture Management capability. 

It is a SaaS solution.

It provides the assurance that we have coverage across AWS specifically because we have so many accounts. As a large organization, we have prod environments for customers, and then we have our corporate environments and our playground environments where there are various levels of interactions, data flows, and business use cases. Because we have Orca, we have the competence and assurance that we know where our fleet and where our assets are.

The big thing for us was just making sure that the side channel scanning, which is their proprietary tech, does not really create any burden or load by adding an agent onto the box. It should just do another snapshot. It gives us a better performance overall because there is no implication down to the actual environment or AWS.

It provides agentless data directly from our cloud configuration and from the workload's runtime block storage. The agentless approach means that there is zero performance impact. That's kind of a big part. When you typically add an agent to any system, it's going to use some of the compute or the memory, but this has no performance implications. That part is exciting because when you think of the security realm, often, as a team out of the cost center and a business enabler, there are situations where if we do affect performance, it's not great for the business. So, we have the understanding and the Corporate EQ that we don't want to have any impact on performance. This enables us again with the confidence that we're getting the right information out without having that impact down to our engineers or our production support.

The agentless and direct collection of data enable Orca to see assets within our environmental and business contexts and prioritize truly critical security issues. It provides another notch up on confidence in terms of knowing what's in our production environment and having the ability to rapidly query in case there's a new CVE that's coming up. So if we know there is a drop in data, we have the ability to scan and see the assets and do the patch management as necessary or tear down boxes that don't need to be up there anymore. With the way it works, having visibility across the org is hands down the biggest benefit for us.

The agentless approach also means that we're able to avoid the need to deploy and maintain multiple tools.

With its Cloud Security Posture Management capability, we have the ability to read across all of our cloud-based environments, which includes AWS and Azure. We have visibility into those environments. Seeing all vulnerabilities and configurations is really powerful for us, but ultimately, the ability to use the API to query across the fleet to understand what is the current state, what is the patch level, which ones are potentially exposed for a new CVE that just came out is even more valuable. It allows us to gather really specific intelligence through simple queries.

Given the agentless deployment, its time-to-value is less than 24 hours. It took less than 24 hours, and we had intelligence and insight. Ultimately, it is getting access to the API, and then from there, it is about getting the side channel scanning going on. Once that is complete, the real-time proprietary nature of new assets pops up. We also have the visibility if an old asset has been sitting out there unused for a really long time.

They can expand a little bit in anti-malware detection. While we have pretty good confidence that it's going to detect some of the static malware, some of the detections are heuristics. There could be a growth in the library from where they're pulling their information, but we don't get a lot of those alerts based on the design of our products. In general, that might be an area that needs to be filled since they offer it as a service within it.

We've been using the Orca solution for about a year and a half. 

It had maybe two periods of downtime if my memory serves me correctly, but it was hard to even know that the service was down because we weren't actively querying during those windows. These downtimes were probably for less than a few hours. I read about them through an email from the founder. We wouldn't have even noticed them if they didn't update us on it.

We started with our production account, and then we kept scaling to our test environments, to our corporate environments, ultimately to every AWS account that we have out there. It is being used as extensively as we can in our environment. We have about 14 AWS accounts. If we need more environments, it will be included as part of the practice.

Luckily, we have a shared Slack channel. So, we have an extended Slack channel, and we're in there with the founders, as well as key engineers and members. So, it's real-time for us. If we have an issue, we go in and just message out, and then we can have that full loop within that Slack channel. We were customer number nine, and having this Slack channel was just something that made sense at the time.

I would rate them a 10 out of 10. We get everything addressed pretty quickly.

In terms of vulnerability assessment coverage, a lot of it was native tooling. We were using AWS GuardDuty across the environment as step one for anomaly detection, but for vulnerability management, there was very limited capacity.  We could leverage some of the existing tools that were out there to scan and perform analysis, but in reality, we're using a lot of what AWS offers. So, for the most part, it was native AWS tooling with GuardDuty and then just doing our best to query the fleet through AWS itself. Orca has really filled the gap for us.

Because of its agentless nature, there is zero deployment time. It is mostly just getting the connection and performing the analysis. The deployment strategy is mostly, "Choose the accounts that are there and then hookup Orca." It took less than 24 hours, and we had intelligence and insight. 

It is the cost of the visibility that you get. When you really sit down and think about what do you need to do to secure an environment with a low impact on the business, and you take a look out into the world, I think this tool is well justified around cost.

We were looking at a few other tools out there. Dome9 and Lacework were the big key ones that were out there. There were some of the old heavy hitters, but they really didn't add a ton of value to what we were looking for. Some of them were just AWS GuardDuty on steroids. 

For us, Orca just offered a better comprehensive solution. We had done enough demos and discussions, and we felt like, "Hey, it's worth the gamble on someone that's trying to solve something and maybe we can help drive the backlog or some of the features as well by being an early customer". That's a part of our strategy when it comes to choosing security solutions. It definitely fits our business needs.

When choosing to go with Orca, the fact that it is a SaaS solution that is updated daily, and that new features are available at no additional cost was useful for us. That's the way it should be. There shouldn't be paywalls and all these other things. You're paying for the proprietary technology of the company and how they kind of package that up. They've been very open in terms of what features are available when and how they work.

When we first looked at Orca, we weren't skeptical about whether it could do all the things that they said it can do. That's because the way it was presented was very logical in terms of how they instrumented the technological approach, and then the background of the founders made a lot of sense. So, either it was going to work, or it wasn't going to work, and if it didn't work, then we'd have an issue. When we did a PoC, it worked very well for us in a short window of time, and we had the confidence that this was going to be the right tool for us.

I would advise others to not just set it and forget it. This is an ongoing capability. Just like every vulnerability management process, it is an ongoing continuous cycle. So, I wouldn't leverage this for one-time use or quarterly use. This is real-time that you should be analyzing, and on top of that, as new vulnerabilities are set, use the search function.

Everything is included in Orca’s package, but Orca hasn't helped us to consolidate vendors or services. That's because we weren't replacing any existing ones. We didn't have six other things doing what they were doing. We were venturing out into a solution that has not ever been in place and figuring out exactly how to integrate it, how to leverage, and ultimately how to level up the organization.

I would rate this solution a 10 out of 10.

Orca is the inceptive tool that I deploy when I join a company. It will be one of the first things I do after an awareness training program. The reason is that Orca serves the function of giving me insights into the resting risk state, abstractly, because it combines so many signals without actually having to govern the assets. As soon as I have access to the AWS or GCP or Azure accounts, I just drop Orca in and it shows me the abstract risk of everything in that cloud.

Using Orca, I build up a security program. Orca not only attests to and assesses these risks and helps me identify risks that need to be mitigated, but it also helps me build an entire security program because it does it —and this is key—in a deterministic fashion, where it's wholly governing the ecosystem.

Orca’s platform provides agentless data directly from your cloud configuration with zero performance impact. The way they do it is brilliant: They pull snapshots. So it just cannot affect the performance of the machine. From my understanding, the snapshot process in the major clouds is completely benign and does not affect the performance. First of all, that means it can analyze machines that I don't have access to. That in itself is the most game-changing thing I have seen, not just in security but in technology, in my 25-year career. Agents are a huge problem in security. They're necessary for certain things, but even if an agent doesn't cause performance issues it's not about having performance issues. It's about the perception, the concern, the fear, the accountability, and the confidence in the tool because of the small risk of those performance issues being caused.

Orca does more than allow you to see assets within their environmental and business contexts to prioritize critical security issues. The trend in security over the last two or three years ago has been to raise risks that are real. But Orca is doing more than that. Orca combines all these signals to aggregate risk. There is a discipline that they exercise in the way they process all the signals together. Whenever there is an Orca alert that there is an imminent compromise or an actual compromise, which are the two highest severities out of four, they're actionable, every time. We might have encountered a couple that weren't actionable, out of a couple of hundred. 

The visibility Orca provides into my environment is at the highest level. I was super skeptical about Orca when I interviewed the Orca team. When they told me that you can just drop their software in and you don't need to log in to the machines, nor do they need to be powered on, I said, "How the heck are you doing that?" When they told me how it worked I said, "Woah, that's pretty simple. Why didn't I think of that?" When I dropped them into the environment, from the very get-go I had more insight into the risks in my environment than I had had during the entire two and a half years I had been here.

I'm thinking about room for improvement that is really grand, in terms of ways that may not be possible. I like to partner with innovators and that's why I partnered with Orca. I don't think what I have in mind is possible—but I didn't think Orca was possible either when I met them. 

If they could disrupt the host intrusion detection space (HIDS) that would be huge. If I could have them assess risk in real-time—which does not seem possible from the block storage analysis perspective—and they could figure that out without an agent, there would be no need for other security tools except for CI/CD pipeline analysis. 

I'm thinking about "omniscient" and "omnipresent." That's what Orca does from a resting state risk standpoint. It's the "all-seeing eye." If it could do that from an active state standpoint in real-time, or even to the second, minute, or hour, that would be big stuff. If they could crack that I don't know what would stop them from dominating the market completely.

On a more practical level, Orca doesn't work in data centers right now. If a company has a large data center footprint, Orca is not necessarily the best solution for that business. If 20 percent of my risk lies in the cloud, and 80 percent is in data centers, I should probably go with an agent-based solution, assuming I can deploy it.

We became an Orca customer in February of 2020. We use their SaaS solution which is deployed on the three major public clouds.

There were a couple of times when Orca was down when I was trying to access it. I work strange hours because all of my team is in the UK right now. It was 2 a.m. on a Saturday and I was trying to log in but it wasn't working. That was pretty bad. What if I was trying to attend to an emergency security issue?

But relative to my other security tools, Orca is definitely the most stable that I've seen.

It is deployed everywhere in our company. It is a requirement that when we build a cloud or we have a new business joining the company, that it be deployed at inception. It is one of the very first things that I require before any integration is done.

We have used their technical support, but we haven't needed it very much.

When Orca was a very early stage startup and they were working out the kinks, one of our clouds, GCP, was not as easy to deploy in because we have 400 workloads running there. We didn't ask for any support but their CEO stepped up, worked all night, and did it himself.

Orca is focusing on what is right when it comes to customer success. Every business has a limited amount of resources and has to take a certain amount of risk. They didn't build a sales team until pretty late in the game. That speaks to why they're respected so much in the industry. They have a relatively new customer success team, maybe because they haven't had a need for it. When I encounter a problem I will want to put it to the test. I think they'll do pretty well. They have scaled up a bit.

Positive

We did not have a previous solution. Before I had Orca, my option for governing at the level that Orca governs was to use network TAP devices from companies like ExtraHop Networks, but they're not capable of gleaning the information that Orca can.

Deploying it only takes a couple of minutes and it hasn't required any maintenance at all. It's so easy to deploy that you can switch away from it pretty easily too. I just don't know anyone who wants to. The stickiness is only in their excellence. For the consumer that's a win-win.

For our deployment they brought in a junior CSM who was brilliant, a wonderful CSM. I was pressuring him and making him very nervous, but he explained the install process: "You copy this URL and paste it here." My DevOps engineer who was onsite messaged me and said, "It's actually really easy. We just put the card in and it was installed two minutes later."

It wasn't very important to me that Orca’s solution includes everything “out-of-the-box." But it was certainly a positive thing to have. My view on security is that I'll deploy something that nobody else has emulated. I'll have a very big, cumbersome stack to manage because I want to support excellence in each space. I believe in the Unix philosophy: Do one thing and do it well. But Orca is doing a lot of things well. I can't deny that. And that means I haven't secured some of these other solutions because it does things well. It's among the best cloud configuration auditing software there is. It has replaced a couple of things that were in my environment and avoided the need for an additional couple of things that would be in my environment. One of them is a portion of host intrusion detection, and that has enabled me to move to a solution that is half the cost. That particular move has saved me about $450,000. That's not my total spend in Orca but it's close to it.

Also, it is updated daily and new features are available at no additional cost. It's a "it just works" thing. And it actually mitigates the need for human expenses of around $80,000 a year in payroll. When you factor in the 1.4 times overhead for human resources, that's going to be $112,000 a year and the perceived liability of the company is probably three times that. We're looking at a replacement of $336,000 a year.

In addition, the time to value is better than any other security product in the market. Even if I wanted somebody else to do all the work, I would have to give them more information than I need to give Orca. It would take a couple of hours to filter the data for a mid-sized company, whereas Orca literally installed in two minutes.

I called my security team and we were talking about all the various players in the security space, and all the technical aspects. They were saying, "Orca does this, Orca does that," going on about it. I don't really see Orca as being the next Palo Alto displacer, but that's probably because I'm super skeptical. But that's how amazing the governance is. My security said, "Yeah, Orca is the tool that we use, even though you made us PoC all these other solutions."

I spoke with someone who knows the space well and I said, "Okay, Steve, please help me here. You guys know this field. Is there anything else that competes with Orca in this space?" I believe this was before Wiz was on peoples' radars. Steve said, "No, I haven't heard of anything else." I was worried that I would spend all this money on a tool that did something that doesn't exist but it turned out it actually existed.

Every CSO says they don't want false positives, but what CSOs never say is, "I don't want to have false negatives." That bothers me. They're happy because a solution doesn't say, "You need to fix this thing" when it doesn't need to be fixed. But they're ignoring the fact that solutions are not identifying things that do need to be fixed. That's where Orca comes in perfectly. By running it in tandem with my HIDS or some other system, it's validating or invalidating the attestation of security risks from the other software. I had one solution that never gave me any false positives but it did give me a lot of false negatives. After Orca exposed that, I was no longer a customer of that product.

Because I had Orca first and it attested to the risk, it demonstrated the need to employ their competitor. If I had deployed their competitor first, it would not have attested to that risk and the need to deploy Orca. Orca justifies the spend, a multi-hundred-thousand-dollar spend by a mid-sized company on one of their known competitors. That's cool because that means it's not really a competitor.

Whenever people ask me what Orca does, and I say vulnerability assessment, I always say, "But that is really downplaying it." We use Nexus to do vulnerability scanning, which costs almost nothing. But I have almost never acted on a single alert from Nexus because there are so many false positives and the risk categorization is not very good.

I was skeptical about whether it could do all the things they say it can do, and now that I have used it I would say to that skeptic: "Continue to be a skeptic." But the skepticism was blown away by Orca very quickly, at every single turn, on every single angle, and at every single opportunity. Orca destroyed my skepticism. But you have to be skeptical. Still, I would also say to that skeptic: "Just give it a shot. It takes two minutes to deploy." If I had just done that, I would have saved myself time.

Orca is much better than their competitor. They're the best in their space. They're the best in the security tool industry. And they're probably the best in terms of companies that I've worked with in general. Are they the best in mitigating actual risk versus the investment? I will always have to say that security awareness training, not as a service but as an abstract concept, is the best thing that we can do in security. Orca might help with awareness training by being so simple. I can use Orca to make technical leaders aware of security issues.

But technical leaders aren't the ones who need to be made aware of security issues. It's the general staff and public. That means customers and employees. Orca falls right in behind security awareness training. What CSOs out there need to do to make the greatest impact on their company is to get up on stage and tell people why security matters. But in all other areas, Orca is definitely the best. The first thing I'm going to spend my money on is Orca. I can do awareness training for free just by being vocal onstage. Orca requires no time. It doesn't compete with awareness training because I can do that while Orca is spending its time attesting to the pragmatic technical risks in my cloud environment.