What needs improvement with Orca Security?

Orca Security could improve its ticket creation process. Currently, it allows for creating tickets in only one bucket, which requires monitoring to redirect tickets to the appropriate team. It would be beneficial to have segregation for different projects. Additionally, Orca Security could improve in reporting OS package vulnerabilities, such as missing MS patches or Linux patches.

The documentation for Orca Security could be improved. The compliance framework also needs enhancements, especially concerning integrations with other tools like ServiceNow's vulnerability modules, which are not as mature as expected. It should also increase its capability to ingest data from other security tools like CloudSight for endpoint detection and provide real-time monitoring.

Orca needs improvement in snoozing or dismissing specific alarms. Currently, snoozing dismisses all future vulnerabilities related to a CVE. Another improvement is in handling alerts for multiple files with the same CVE; it should provide an option to manage each file separately without affecting others.

The company is managed by industry veterans. It's a cloud-based product. They handle misconfigurations and analyse your runtime to detect malware. They're at the forefront regarding developer security. The platform is vast, inundated with information. One can easily feel overwhelmed by the sheer volume of data. The solution is very complicated.

Actually, it's not all clouds that they are currently onboarded with. For instance, they are not yet with public cloud and many other private clouds. Therefore, there is room for improvement, and more private clouds should be added. For the private cloud, we need to install agents into the environment.

Maybe better customization options for security frameworks and better integration with reporting tools like Power BI or Grafana dashboards. Modularizing reports and dashboards would be fantastic. Simplifying the way users build custom frameworks would be good.

Maybe the presentation of the data in the dashboard. It's a little bit chaotic. There is room for improvement.

I would say that there are some loading issues. Since this is a cloud-native platform, there may be a problem with connecting to the dashboard as soon as it's open. The interface can be a bit cranky and sometimes takes a lot of time to load. So, the way APIs are deployed for our dashboards or monitoring systems needs to be corrected and optimized. In future releases, Orca Secure needs to have new integrations with different security solutions apart from the cloud. We have EDRs, XDRs, and MDRs. Orca Security should automate the process of connecting and integrating with these solutions. It can be an essential way of protecting the infrastructure in an effective manner.

The solution could improve by making the dashboards more elaborative and more descriptive.

The main drawback in an agentless approach is that if the solution detects a virus or malware in the environment, we need to manually remove it. But from my experience with other production environments, it's not straightforward to install agents in the hope they will automatically remediate viruses, even from production environments. If you make mistakes, you can cause huge damage to your environment and, when it comes to production, there is zero tolerance for errors. And realistically, you can't use the most important feature of an agent, which is the remediation, because remediating on production is not something that is easy to do. Orca's agentless approach makes more sense. Even if you have an agent, it takes resources. In addition, you need to deploy, maintain, and update an agent, which amounts to a lot of unnecessary work. And lastly, while it's true that an agent sees more when compared with an agentless solution, the gap is very small. In the end, to make sure that we progress and that our security level is increasing, we need to take action. Orca is only a detection tool. It shows you the problems, but you need to make sure that the problems are fixed. It's a fair trade-off because production is a different environment. It's not like endpoint security where the cost of ruining an endpoint is worth the risk. You would rather kill an endpoint than risk being infected with malware. But this is not the same approach for data center or cloud security. Ultimately, the ability to auto-remediate is something that I would like to see.

In the future, I'd like to see Orca work better with third-party vendors. Specifically, being able to provide sanitized results from third parties. I would like to see support for FedRAMP certification.

With any security tool, there's always room for improvement. We were among the early adopters, and many of the major improvements that we were looking for have already been added. Right now, we're looking at what the other players in that space are offering and if it can be integrated into Orca. I had a discussion with Orca six months ago about implementing these features. But once you start customizing your tool for specific customers, it doesn't necessarily mean that it will match the needs of other customers, and you begin to branch out. In general, I think the Orca's roadmap is pretty well aligned to what we need today.

I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on. This would guarantee our customers that whatever is running in their cloud production is secure on all layers. It would be nice if this solution had the capability of fixing issues. As it is now, it only reports them. Having a button to patch a product, disable a service, or delete a VM would be nice. At this point, this is something they might not want to do because they are only doing audits rather than making changes. It is also something that would require having additional permissions, including write access using the API.

They can expand a little bit in anti-malware detection. While we have pretty good confidence that it's going to detect some of the static malware, some of the detections are heuristics. There could be a growth in the library from where they're pulling their information, but we don't get a lot of those alerts based on the design of our products. In general, that might be an area that needs to be filled since they offer it as a service within it.

Orca could give me more alerts. It could give me a dashboard with all the specific types of alerts I want to see for the day. It should just be one click. This is one area where I feel Datadog is better. Datadog has something called Security Signals, where they give you a dashboard, and you can structure it by the day or specify a period. It just tells you the different security signals that have occurred with a very obvious risk designation by color. That makes it easier than Orca's current view. So I think Orca could improve its interface. Another shortcoming of Orca is that it doesn't integrate with our particular non-standard ticketing system. So we have to finish developing an appropriate webhook for it. Other than that, it's integrated well with our identity provider and with our cloud environments.

As with all software, the user interface can always be made simpler to use. It would be helpful for people with very little knowledge, like somebody sitting behind the SOC, to allow them to be able to drill down into things a little bit easier than it is currently.

I'm thinking about room for improvement that is really grand, in terms of ways that may not be possible. I like to partner with innovators and that's why I partnered with Orca. I don't think what I have in mind is possible—but I didn't think Orca was possible either when I met them. If they could disrupt the host intrusion detection space (HIDS) that would be huge. If I could have them assess risk in real-time—which does not seem possible from the block storage analysis perspective—and they could figure that out without an agent, there would be no need for other security tools except for CI/CD pipeline analysis. I'm thinking about "omniscient" and "omnipresent." That's what Orca does from a resting state risk standpoint. It's the "all-seeing eye." If it could do that from an active state standpoint in real-time, or even to the second, minute, or hour, that would be big stuff. If they could crack that I don't know what would stop them from dominating the market completely. On a more practical level, Orca doesn't work in data centers right now. If a company has a large data center footprint, Orca is not necessarily the best solution for that business. If 20 percent of my risk lies in the cloud, and 80 percent is in data centers, I should probably go with an agent-based solution, assuming I can deploy it.