WEBVTT 1 00:00:00.180 --> 00:00:02.160 Anna Delaney: Hello, and thank you for joining us for the 2 00:00:02.160 --> 00:00:05.280 weekly edition of the ISMG's Editors' Panel. I'm Anna 3 00:00:05.280 --> 00:00:08.280 Delaney, and this week I'm joined by two of my esteemed 4 00:00:08.280 --> 00:00:11.940 colleagues to discuss and digest some of the most important and 5 00:00:11.970 --> 00:00:15.060 interesting cybersecurity stories of the moment. 6 00:00:15.480 --> 00:00:18.450 Introducing my fellow panelists, Mathew Schwartz, executive 7 00:00:18.450 --> 00:00:21.690 editor of DataBreachToday and Europe and Michael Novinson, 8 00:00:21.780 --> 00:00:25.560 managing editor for ISMG business. Great to see you both. 9 00:00:26.700 --> 00:00:27.540 Mathew Schwartz: Great to be here. 10 00:00:27.990 --> 00:00:28.890 Michael Novinson: Thank you for having me. 11 00:00:30.090 --> 00:00:32.730 Anna Delaney: Michael, you have company. Do explain. 12 00:00:32.000 --> 00:00:56.150 Anna Delaney: Very good. Two elephants in the room. Love it. 13 00:00:32.570 --> 00:00:34.699 Michael Novinson: Yes, I do. I am accompanied by two of the 14 00:00:34.750 --> 00:00:37.918 three elephants at the Roger Williams Park Zoo in Providence. 15 00:00:37.970 --> 00:00:41.242 Julie, Alice and Keith have been there for a number of decades. 16 00:00:41.293 --> 00:00:44.513 The only zoo with elephants in New England. They are a big hit 17 00:00:44.565 --> 00:00:47.681 with my daughter; love eating grass out of buckets, drinking 18 00:00:47.733 --> 00:00:50.692 water and generally engaging in tomfoolery around lots of 19 00:00:50.744 --> 00:00:53.549 infants and toddlers. Always a great time seeing them. 20 00:00:56.780 --> 00:01:00.110 Very cute. And Mathew, you're outside as well. We've seen this 21 00:01:00.110 --> 00:01:01.040 view before, I think. 22 00:01:01.000 --> 00:01:02.740 Mathew Schwartz: This is a view you've seen before. 
This is the 23 00:01:02.740 --> 00:01:06.820 Magdalen Green Bandstand here in Dundee, and it's just been a 24 00:01:06.820 --> 00:01:09.520 lovely run of weather. It was a beautiful summer and then it was 25 00:01:09.520 --> 00:01:12.520 raining and horrible. We've just had some sunshine lately. So I 26 00:01:12.520 --> 00:01:15.820 just, you know, local neighborhood stuff, just 27 00:01:15.850 --> 00:01:17.470 beautiful while it lasts. 28 00:01:17.920 --> 00:01:19.480 Anna Delaney: It's great. It's very Monet. We're seeing it in 29 00:01:19.480 --> 00:01:22.390 different seasons. Two times a day. Love it. 30 00:01:23.380 --> 00:01:25.450 Mathew Schwartz: I try to keep you informed and up to date. 31 00:01:25.630 --> 00:01:28.480 Anna Delaney: Absolutely. We appreciate it. Well, I'm back in 32 00:01:28.480 --> 00:01:32.110 Valencia this week, sorry to drag out some old photos. But I 33 00:01:32.110 --> 00:01:35.620 was there earlier this year, of course. And I just fell in love 34 00:01:35.620 --> 00:01:38.560 with the architecture and doorways, and doors, and 35 00:01:38.590 --> 00:01:43.360 doorknobs. Everything looks pretty there. So I thought I'd 36 00:01:43.360 --> 00:01:48.100 share. Well, Matt, Uber is in the news again this week. As it 37 00:01:48.100 --> 00:01:52.090 emerges, a young hacker gained access to pretty much everything 38 00:01:52.090 --> 00:01:55.300 in Uber's internal systems, including customer data, what 39 00:01:55.300 --> 00:01:55.930 happened? 40 00:01:56.470 --> 00:02:00.580 Mathew Schwartz: Yes, so it's yet another MFA bypass attack. 41 00:02:00.610 --> 00:02:04.180 We've been seeing so many of these recently. So multifactor 42 00:02:04.210 --> 00:02:07.900 authentication, a lot of organizations have it in place. 
43 00:02:07.990 --> 00:02:11.740 And when you try to log into a resource or access the corporate 44 00:02:11.740 --> 00:02:15.670 network, especially if you're remote, you'll get a window that 45 00:02:15.670 --> 00:02:18.490 opens up on your system that says, "Is this really you? Do 46 00:02:18.490 --> 00:02:22.390 you really want to log in?" And unfortunately, for 47 00:02:22.420 --> 00:02:26.170 organizations, a lot of employees appear to be falling 48 00:02:26.170 --> 00:02:31.720 for these types of attacks, and remote hackers are able to spoof 49 00:02:31.720 --> 00:02:36.520 them into providing them with access. The latest victim is 50 00:02:36.550 --> 00:02:40.840 Uber. But we've been seeing this left, right and center. Okta was 51 00:02:40.870 --> 00:02:44.170 one of the big organizations that got hit. Mailchimp, 52 00:02:44.260 --> 00:02:51.070 another. And the MO, if you will, for a lot of these attacks 53 00:02:51.100 --> 00:02:55.780 is we have these apparent youngsters, oftentimes it seems, 54 00:02:55.960 --> 00:03:00.970 finding these bypass tactics. So in the case of Uber, as you 55 00:03:00.970 --> 00:03:04.000 mentioned, this seems to be a teenager based on information 56 00:03:04.000 --> 00:03:09.250 that's been doxed about the alleged attacker. And this 57 00:03:09.280 --> 00:03:15.160 teenager looks like he was able to bypass or access Uber's Duo 58 00:03:15.160 --> 00:03:19.480 Security, its OneLogin, its Amazon Web Services, its Google 59 00:03:19.480 --> 00:03:22.600 Workplace, or Workspace, I should say, environments, as well 60 00:03:22.600 --> 00:03:27.760 as various tools, and also the bug bounty program that Uber 61 00:03:27.790 --> 00:03:32.830 participates in. There's a lot to take away here for any CISO. 62 00:03:33.010 --> 00:03:36.670 I think the big one that I'm going to highlight is hardware 63 00:03:36.790 --> 00:03:42.010 keys. 
Well, anything that's kind of FIDO compliant, the likes of 64 00:03:42.010 --> 00:03:45.790 YubiKey. What we've seen from the organizations that have been 65 00:03:45.790 --> 00:03:50.650 targeted but not fallen victim and Cloudflare comes to mind is 66 00:03:50.680 --> 00:03:54.310 they're using hardware keys because this means that unless 67 00:03:54.310 --> 00:03:59.500 you've got the key, you can't be given access to the network. In 68 00:03:59.500 --> 00:04:02.800 other cases, though, employees keep getting tricked. And this 69 00:04:02.800 --> 00:04:06.700 isn't employees' fault. This is the fact that attackers have 70 00:04:06.700 --> 00:04:11.050 found a way to game the MFA system in order to trick the 71 00:04:11.050 --> 00:04:14.830 employees into giving them access and they can get in 72 00:04:14.890 --> 00:04:19.060 remotely. A lot of people think MFA will stop anything, but it's 73 00:04:19.090 --> 00:04:23.140 yet one more defense and you need to have layered defenses that 74 00:04:23.140 --> 00:04:27.250 organizations can and should have in place, but we're seeing 75 00:04:27.790 --> 00:04:32.110 as with Uber most recently, it's easy to bypass or maybe that 76 00:04:32.110 --> 00:04:34.900 easy. I shouldn't put it that way. But if you're a teenager 77 00:04:34.900 --> 00:04:37.240 with too much time on your hands, you've got the school 78 00:04:37.240 --> 00:04:40.630 holidays, we sometimes see a rise in attacks, I think because 79 00:04:40.630 --> 00:04:45.250 of that. They found a way to get past it. So like I say, the 80 00:04:45.250 --> 00:04:49.570 latest is Uber and organizations should be studying this attack 81 00:04:49.630 --> 00:04:53.080 and figuring out if they could fall victim. If so, what can 82 00:04:53.080 --> 00:04:56.260 they do to help ensure that that doesn't happen? 83 00:04:57.500 --> 00:04:59.600 Anna Delaney: Yeah, pretty embarrassing if a teenager can 84 00:04:59.600 --> 00:05:04.160 hack into the system. 
Well, the hack - the social engineering, I 85 00:05:04.160 --> 00:05:08.000 suppose - how much sympathy do you have with Uber on this one? 86 00:05:08.000 --> 00:05:10.070 Because as you say MFA was implemented. 87 00:05:11.320 --> 00:05:14.230 Mathew Schwartz: Yeah. I mean, it's tricky. I mean, you do have 88 00:05:14.230 --> 00:05:17.290 sympathy, don't you? I mean, we've gotten data breaches here. 89 00:05:17.500 --> 00:05:22.720 So Uber says it believes that the attacker involved using the 90 00:05:22.720 --> 00:05:28.570 alias TeaPot may have just hit Rockstar Games, for example, and 91 00:05:28.600 --> 00:05:32.050 stolen some information, some videos, some source code, about 92 00:05:32.050 --> 00:05:37.900 the latest or upcoming Grand Theft Auto video game. So this 93 00:05:37.900 --> 00:05:41.830 is somebody who's very good at what they do. Doesn't matter if 94 00:05:41.830 --> 00:05:44.380 they're 18 years old, or whatever. They're good at 95 00:05:44.380 --> 00:05:47.890 getting in, they're good at stealing things. And Uber is an 96 00:05:47.920 --> 00:05:51.790 obvious target. I guess Rockstar Games is as well. But the 97 00:05:51.820 --> 00:05:55.570 Lapsus$ hacking group that this attacker allegedly belongs to, 98 00:05:56.200 --> 00:06:00.640 has hit not just Okta, also Microsoft, Nvidia, Samsung, 99 00:06:00.820 --> 00:06:05.770 Ubisoft, and many more. A lot of people like to say they were hit 100 00:06:05.770 --> 00:06:10.300 by a sophisticated attacker. But a lot of times this comes down to 101 00:06:10.300 --> 00:06:14.740 bored teenagers. Do you want to call them sophisticated? We 102 00:06:14.740 --> 00:06:18.070 don't need to argue that point right now. So I do have 103 00:06:18.070 --> 00:06:21.610 sympathy. I think this, again, should be a learning experience. 104 00:06:21.610 --> 00:06:24.850 I mean, we've seen some big names get taken down by these 105 00:06:24.850 --> 00:06:29.080 MFA bypass attacks. 
Cisco being another one of them; reputable 106 00:06:29.080 --> 00:06:33.610 companies with excellent security departments. This is a 107 00:06:33.610 --> 00:06:37.780 workaround that some teenagers and now everybody else will have 108 00:06:37.780 --> 00:06:43.180 figured out how to exploit. So anybody who gets hit with it 109 00:06:43.210 --> 00:06:46.630 going forward, I'd say you probably should have been 110 00:06:46.630 --> 00:06:50.230 prepared. You maybe have a few more weeks' grace period. But you 111 00:06:50.230 --> 00:06:52.510 need to lock this down, and you need to do it right away. 112 00:06:53.950 --> 00:06:56.890 Anna Delaney: Now, why do you think more? Why aren't more 113 00:06:56.890 --> 00:06:58.870 organizations implementing FIDO2? 114 00:07:00.610 --> 00:07:04.450 Mathew Schwartz: Cost is one thing. There was an interesting 115 00:07:04.450 --> 00:07:08.380 series of blog posts by a Microsoft researcher talking to 116 00:07:08.380 --> 00:07:11.920 me about the importance of hardware keys, especially as a 117 00:07:11.920 --> 00:07:15.100 lesson to be learned from all of these recent breaches. And 118 00:07:15.100 --> 00:07:18.040 there's another security researcher who commented, so 119 00:07:18.040 --> 00:07:20.290 does Microsoft have that implemented for every one of its 120 00:07:20.290 --> 00:07:24.460 employees? This was a former Microsoft employee. So the 121 00:07:24.460 --> 00:07:27.910 insinuation there is no, even Microsoft doesn't have these 122 00:07:27.910 --> 00:07:30.490 keys. So I mean, there's probably going to be some user 123 00:07:30.490 --> 00:07:35.530 resistance to having to haul around a key like this. There 124 00:07:35.530 --> 00:07:38.560 could be some challenges, getting it in place for all of 125 00:07:38.560 --> 00:07:41.410 the various applications that you might want to use it with. 126 00:07:41.770 --> 00:07:44.860 It's another cost. 
Maybe you've got to convince senior 127 00:07:44.860 --> 00:07:47.380 management. But you're going to have a much easier time of doing 128 00:07:47.380 --> 00:07:50.650 that with this crisis that we've been having with the MFA bypass 129 00:07:50.650 --> 00:07:51.280 attacks. 130 00:07:52.169 --> 00:07:54.569 Anna Delaney: Do you think we'll see some change there, then? 131 00:07:55.440 --> 00:07:57.060 Mathew Schwartz: I would hope we would see some change there 132 00:07:57.090 --> 00:07:57.720 definitely. 133 00:07:58.679 --> 00:08:01.229 Anna Delaney: And has Uber said anything in the aftermath of 134 00:08:01.229 --> 00:08:02.729 this case? 135 00:08:03.500 --> 00:08:05.450 Mathew Schwartz: Well, they've been providing some updates 136 00:08:05.480 --> 00:08:12.050 about what did or didn't happen. And they've committed to doing 137 00:08:12.050 --> 00:08:14.840 better, basically, they're going to be rotating their keys more 138 00:08:14.840 --> 00:08:18.770 often. A lot of the things that you would expect, they disabled 139 00:08:18.770 --> 00:08:21.710 some of the affected or potentially affected tools. They 140 00:08:21.710 --> 00:08:24.740 are continuing to review their codebase. They say they don't 141 00:08:24.740 --> 00:08:28.280 think the attacker changed any of their code. They have 142 00:08:29.300 --> 00:08:32.000 separation, which is good, between their development and 143 00:08:32.000 --> 00:08:36.350 production systems. And they don't think the attacker was 144 00:08:36.350 --> 00:08:39.470 able to get access to production systems, or to access credit 145 00:08:39.470 --> 00:08:43.940 card information, user data, any of that sort of stuff. So Uber 146 00:08:43.940 --> 00:08:47.090 had some good defenses that everybody should have in place. 147 00:08:47.750 --> 00:08:50.360 Their testing environment couldn't be used to push code 148 00:08:50.360 --> 00:08:53.060 into their production environment, things like that. 
149 00:08:53.150 --> 00:08:56.300 That's all good. That helped arrest the full impact of this 150 00:08:56.300 --> 00:09:00.890 breach. Uber's also said it traced to a third party to one 151 00:09:00.890 --> 00:09:05.180 of its contractors, which again, we see, very often. If an 152 00:09:05.180 --> 00:09:08.540 attacker wants to get in, they're not afraid to hack an 153 00:09:08.540 --> 00:09:13.730 organization in order to then pivot into a business that it 154 00:09:13.820 --> 00:09:16.790 does business for. So we saw that in this case as well. 155 00:09:18.140 --> 00:09:21.680 Again, everybody should be reviewing the kinds of access 156 00:09:21.710 --> 00:09:24.320 that their employees have and also that their contractors 157 00:09:24.320 --> 00:09:28.850 have, make sure they've got the right defenses in place. So yes, 158 00:09:28.880 --> 00:09:33.470 Uber has shared further details and I invite all CISOs to learn 159 00:09:33.470 --> 00:09:35.090 from their missteps. 160 00:09:36.590 --> 00:09:39.740 Anna Delaney: Rich insight as always, Matt, thank you. So 161 00:09:39.770 --> 00:09:44.240 Michael, Gartner's four-year-old Magic Quadrant for WAN Edge 162 00:09:44.270 --> 00:09:47.690 Infrastructure report has a new name this year - the Magic 163 00:09:47.690 --> 00:09:51.560 Quadrant for SD-WAN. What else has changed or not? 164 00:09:52.530 --> 00:09:54.810 Michael Novinson: Interesting question, Anna. Thank you for 165 00:09:54.810 --> 00:09:59.490 asking. So Gartner did rebrand, it was really a recognition that 166 00:09:59.670 --> 00:10:03.570 SD-WAN is just the term that the market is using for WAN edge 167 00:10:03.570 --> 00:10:07.560 infrastructure technology. 
Not a huge, meaningful change in 168 00:10:07.560 --> 00:10:11.250 criteria with the rebranding but realized especially as the 169 00:10:11.250 --> 00:10:15.810 conversation revolves around secure access service edge or 170 00:10:15.810 --> 00:10:20.970 SASE that SD-WAN has really become the main term used to 171 00:10:20.970 --> 00:10:24.540 refer to the networking side of that. In terms of this year's 172 00:10:24.630 --> 00:10:27.930 SD-WAN Magic Quadrant, we're seeing three companies really 173 00:10:27.930 --> 00:10:30.900 pulling away from the pack, that being Fortinet, VMware and 174 00:10:30.900 --> 00:10:34.170 Cisco. Also, I believe they're three market cheerleaders that 175 00:10:34.170 --> 00:10:37.470 our group and others have found, so are definitely having the 176 00:10:37.470 --> 00:10:42.720 best ability to execute and have a pretty robust and broad set of 177 00:10:42.720 --> 00:10:47.310 SD-WAN tooling as well. What's interesting this year is that 178 00:10:47.520 --> 00:10:50.820 we're starting to see a pretty big divide between single-vendor 179 00:10:50.820 --> 00:10:54.510 SASE and multi-vendor SASE. Gartner has been pushing pretty 180 00:10:54.510 --> 00:10:59.430 hard now, for vendors to adopt a single-vendor SASE approach that 181 00:10:59.430 --> 00:11:03.180 means that they would have organic SD-WAN capabilities as 182 00:11:03.180 --> 00:11:07.710 well as organic security service edge or SSE capabilities. SSE 183 00:11:07.710 --> 00:11:10.890 consisting of cloud access security broker, secure web 184 00:11:10.890 --> 00:11:15.180 gateway, and zero trust network access. And Gartner really wants 185 00:11:15.750 --> 00:11:18.870 vendors who are serious about SASE to do it all themselves 186 00:11:18.870 --> 00:11:24.450 rather than relying on partnerships. 
In terms of where 187 00:11:24.450 --> 00:11:29.910 that's going so far, Gartner says that today less than 10% of 188 00:11:30.030 --> 00:11:33.000 customers are using a single vendor for SASE, but they expect 189 00:11:33.000 --> 00:11:37.740 that number to hit 50% by 2025. It's working its way from the 190 00:11:37.740 --> 00:11:41.610 bottom up. That small and midsize businesses, mid-market 191 00:11:41.610 --> 00:11:44.910 customers are starting to do single vendor SASE. Since they 192 00:11:44.910 --> 00:11:48.690 have less specific requirements, they like the cost savings, like 193 00:11:48.690 --> 00:11:51.660 the ease of use that comes from getting all of their SASE 194 00:11:51.660 --> 00:11:55.200 technology in one place. Where there's been more resistance is 195 00:11:55.200 --> 00:11:57.810 in the enterprise, particularly the upper enterprise where there 196 00:11:57.810 --> 00:12:00.810 sometimes are unique configuration requirements or 197 00:12:00.810 --> 00:12:04.290 demand for best of breed technology. If you look at 198 00:12:04.290 --> 00:12:08.820 the two quadrants right now, Forrester earlier this year had 199 00:12:08.820 --> 00:12:12.810 put out the first ever Wave looking at security service 200 00:12:12.810 --> 00:12:15.930 edge. And if you looked at the top three performing companies 201 00:12:15.960 --> 00:12:19.980 in the Forrester Wave for SSE, that being Zscaler, Netskope and 202 00:12:19.980 --> 00:12:23.550 Skyhigh Security, there's no overlap with the top performing 203 00:12:23.580 --> 00:12:27.150 SD-WAN companies as according to Gartner, which are Cisco, 204 00:12:27.150 --> 00:12:30.840 Fortinet, VMware as well as Palo Alto Networks, Versa Networks 205 00:12:30.870 --> 00:12:36.270 and HPE (Aruba). 
If you take one step back on the SSE side, at 206 00:12:36.270 --> 00:12:39.750 that second strong performer level, you will see Cisco and 207 00:12:39.750 --> 00:12:43.140 Palo Alto Networks, strong performers in SSE and leaders in 208 00:12:43.170 --> 00:12:51.810 SD-WAN, but vice versa in terms of the SSE leaders, none of them 209 00:12:51.810 --> 00:12:55.830 at the time of the Forrester Wave came out had a play in 210 00:12:55.860 --> 00:12:59.640 SD-WAN. Since that point, Netskope has bought its way 211 00:12:59.640 --> 00:13:03.930 into SD-WAN with an acquisition of Infiot, which will allow them 212 00:13:03.930 --> 00:13:08.280 to offer folks single-vendor SASE, but they're still also 213 00:13:08.580 --> 00:13:12.510 committed to maintaining a multi-vendor SASE strategy as 214 00:13:12.510 --> 00:13:15.330 well. They have a very close partnership with HPE (Aruba) for 215 00:13:15.330 --> 00:13:19.290 SD-WAN and they're committed to offering customers flexibility. 216 00:13:19.740 --> 00:13:22.200 So really where we see the market breaking down here is 217 00:13:22.200 --> 00:13:25.530 that Fortinet, Palo Alto Networks and Cisco are all in on 218 00:13:25.530 --> 00:13:29.280 single-vendor SASE. The executive I was speaking to from 219 00:13:29.280 --> 00:13:32.490 Fortinet made it clear that they really are not looking to offer 220 00:13:32.490 --> 00:13:35.430 any partnerships around SSE since they see that it's really 221 00:13:35.430 --> 00:13:38.580 direct competition to what Fortinet can do. On the 222 00:13:39.090 --> 00:13:43.230 multi-vendor SASE front - Versa Networks, Zscaler, Skyhigh 223 00:13:43.230 --> 00:13:47.460 Security, HPE (Aruba) are fully committed to a multi-vendor 224 00:13:47.460 --> 00:13:50.880 strategy. They feel SASE is a team sport, and you can't be 225 00:13:50.880 --> 00:13:53.820 good at everything. 
And then kind of straddling the fence in 226 00:13:53.820 --> 00:13:56.940 the middle you see Netskope, which has the single vendor 227 00:13:56.940 --> 00:13:59.340 offering now but they still seem to acknowledge that a lot of 228 00:13:59.340 --> 00:14:02.670 customers will tell for multi vendor and VMware, which both 229 00:14:02.670 --> 00:14:06.510 has partnerships, but also has some cloud security capabilities 230 00:14:06.510 --> 00:14:07.050 as well. 231 00:14:09.460 --> 00:14:11.740 Anna Delaney: Are you surprised by any of this or how it's 232 00:14:11.740 --> 00:14:14.350 evolving? And will there be a time where we see a 233 00:14:14.350 --> 00:14:16.780 single-vendor SASE dominate? 234 00:14:18.670 --> 00:14:20.530 Michael Novinson: I'm a little surprised by the amount of 235 00:14:20.530 --> 00:14:23.710 pressure that Gartner is putting on in this front that they have 236 00:14:23.980 --> 00:14:27.610 a clear point of view. And I do think that does influence where 237 00:14:27.610 --> 00:14:34.270 the market goes. So in that way, I mean, I think we've seen this 238 00:14:34.270 --> 00:14:37.720 consolidation story in security before. If you go back to the 239 00:14:37.720 --> 00:14:40.810 mid 2010s, there was a lot of dialogue around creating 240 00:14:40.810 --> 00:14:44.740 platform security, a place where customers could go into all 241 00:14:44.740 --> 00:14:48.220 their security needs met in one place. You saw Symantec prior to 242 00:14:48.220 --> 00:14:51.910 its Broadcom acquisition, and McAfee prior to the split of its 243 00:14:51.910 --> 00:14:53.770 consumer and enterprise business. It's really going 244 00:14:53.770 --> 00:14:57.100 after this platform approach. 
It never really took off and we do 245 00:14:57.100 --> 00:15:00.850 see at least among more robust security organizations that they 246 00:15:00.850 --> 00:15:04.630 want to have top flight technology, ensure maybe they 247 00:15:04.630 --> 00:15:07.450 don't want seven year AD vendors, but they're willing to 248 00:15:07.450 --> 00:15:11.680 work with 5-10-15. And so I guess I do wonder at the 249 00:15:11.680 --> 00:15:15.190 customer level, particularly for ones that are doing rigorous 250 00:15:15.190 --> 00:15:18.520 security testing, I understand that, that they don't want to 251 00:15:18.520 --> 00:15:21.610 work with a different vendor for CASB, and a different vendor for 252 00:15:21.610 --> 00:15:24.790 SWG, and a different vendor for zero trust network access. 253 00:15:24.790 --> 00:15:26.860 That's a lot of things to configure and implement and 254 00:15:26.860 --> 00:15:30.490 manage. But if you can have simply two vendors, one who does 255 00:15:30.490 --> 00:15:33.700 security service edge the second one who does SD-WAN, it's not 256 00:15:33.700 --> 00:15:36.280 going to be that much of an inconvenience for them. It's not 257 00:15:36.280 --> 00:15:38.890 going to be that much of a deal breaker, or is it really 258 00:15:38.890 --> 00:15:41.620 important in order to optimize performance and to optimize 259 00:15:41.620 --> 00:15:45.520 simplicity to go to one? So Gartner really sees that moving 260 00:15:45.550 --> 00:15:49.060 there. I think it's really a question of ultimately they're 261 00:15:49.060 --> 00:15:53.590 saying 50% by 2025. Ultimately, what percentage of customers end 262 00:15:53.590 --> 00:15:57.670 up on single-vendor SASE? How fast do we get there? From my 263 00:15:57.670 --> 00:16:00.160 personal opinion, I think there's a lot of folks who are 264 00:16:00.160 --> 00:16:04.630 comfortable working with separate vendors vs for SD-WAN 265 00:16:04.630 --> 00:16:06.970 and for SSE. 
And I think that may stay that way for a little 266 00:16:06.970 --> 00:16:07.480 while. 267 00:16:08.650 --> 00:16:10.360 Mathew Schwartz: I was going to ask exactly what Anna did. I 268 00:16:10.360 --> 00:16:13.720 mean, a lot of organizations are wanting to get this technology 269 00:16:13.720 --> 00:16:17.890 now, if they don't already have it. And you have Gartner saying, 270 00:16:17.980 --> 00:16:20.950 wouldn't it be nice if it was all available - available from 271 00:16:20.950 --> 00:16:23.560 the same vendor. And a lot of these businesses are saying, 272 00:16:23.680 --> 00:16:26.680 look, we've already got it, or we've decided to go like you say 273 00:16:26.680 --> 00:16:29.440 it with maybe two or three vendors, maybe hoping to get it 274 00:16:29.440 --> 00:16:33.670 down to two. It just seems to me like we'll be revisiting this in 275 00:16:33.670 --> 00:16:37.450 a few years. And I would be surprised if Gartner's vision 276 00:16:37.450 --> 00:16:40.750 actually comes to pass. We've seen so many calls for a single 277 00:16:40.750 --> 00:16:44.020 vendor for this, a single vendor for that. Like you say, there's 278 00:16:44.020 --> 00:16:47.380 so often tradeoffs with a platform approach. Things 279 00:16:47.380 --> 00:16:51.580 change, things evolve. I don't know, I'm not holding my breath 280 00:16:51.580 --> 00:16:52.000 maybe. 281 00:16:52.810 --> 00:16:54.550 Michael Novinson: And I think it's important to remember that 282 00:16:55.540 --> 00:16:58.540 all the top players who started in very different spaces - 283 00:16:58.750 --> 00:17:01.420 Fortinet and Palo Alto Networks started as firewall vendors. 284 00:17:01.420 --> 00:17:04.480 Cisco in routers and switching, VMware in virtualization. 285 00:17:04.720 --> 00:17:08.710 Zscaler in secure web gateway. And then Skyhigh Security as 286 00:17:08.710 --> 00:17:11.680 well as Netskope started as cloud access security brokers. 
287 00:17:11.800 --> 00:17:14.020 And fundamentally, as a company, you're going to be strongest at 288 00:17:14.020 --> 00:17:17.110 wherever you started. And I think it's really hard to ask 289 00:17:17.140 --> 00:17:19.660 even the best capitalized vendors - or the Palo Altos of 290 00:17:19.660 --> 00:17:23.380 the world - to be good at everything. And the broader you 291 00:17:23.380 --> 00:17:28.570 get, I mean, how robust is the technology and then also, if 292 00:17:28.570 --> 00:17:32.290 you're relying on acquisitions to do it. How well integrated is 293 00:17:32.290 --> 00:17:35.740 it? And one interesting note I'll just make on the SD-WAN 294 00:17:35.770 --> 00:17:39.790 side is that, essentially, of the six vendors who are leaders 295 00:17:39.790 --> 00:17:42.190 all but two of them built their SD-WAN portfolios through 296 00:17:42.190 --> 00:17:45.880 acquisition. Only Fortinet and Versa Networks did it all 297 00:17:45.880 --> 00:17:49.870 themselves. HPE obviously bought Aruba. Palo Alto Networks bought 298 00:17:49.900 --> 00:17:53.890 CloudGenix. Cisco bought both Meraki and Viptela and the 299 00:17:54.280 --> 00:17:56.320 VMware has also made acquisitions to get into that 300 00:17:56.320 --> 00:18:01.840 market. So as you rely more and more on M&A, are you sacrificing 301 00:18:01.840 --> 00:18:05.560 some in terms of quality integration and ease of use? 302 00:18:06.670 --> 00:18:08.620 Mathew Schwartz: Just to have the boilerplate that says we 303 00:18:08.620 --> 00:18:12.700 have all of this stuff now that we offer. Yeah, definitely. 304 00:18:13.720 --> 00:18:15.520 Anna Delaney: Michael, thanks so much for sharing the latest 305 00:18:15.520 --> 00:18:19.780 trends. That was great. 
Okay, final question - reflecting on 306 00:18:19.810 --> 00:18:23.830 the news stories of the year so far, which one stands out as 307 00:18:23.830 --> 00:18:26.920 having an important impact on the industry and security 308 00:18:26.920 --> 00:18:31.000 leaders? So something that's leading to or has led to a shift 309 00:18:31.090 --> 00:18:32.020 in the space? 310 00:18:34.660 --> 00:18:36.580 Mathew Schwartz: Difficult question. I am actually going to 311 00:18:36.580 --> 00:18:39.610 go back to what I spoke about before. When you see these big 312 00:18:39.610 --> 00:18:43.150 name organizations like Okta, and then customers of Okta 313 00:18:43.330 --> 00:18:48.370 getting their data exposed, because they're using MFA, but 314 00:18:48.370 --> 00:18:52.090 hackers have found a way to get around it. I would say this is 315 00:18:52.090 --> 00:18:55.330 definitely much more than nuisance territory. I don't 316 00:18:55.330 --> 00:19:00.190 know, it's definitely not a SolarWinds level of thing 317 00:19:01.000 --> 00:19:04.840 happening. But I do think it's enough of a clear and present 318 00:19:04.870 --> 00:19:08.470 danger, that for my money, this is one of the things that I will 319 00:19:08.470 --> 00:19:13.450 be acting on now. Because if you can't guard against attackers 320 00:19:13.540 --> 00:19:17.290 accessing your network remotely, then you're not just going to 321 00:19:17.290 --> 00:19:20.380 have these darn teenagers that are part of Lapsus$, you're 322 00:19:20.380 --> 00:19:22.240 probably going to have those darn teenagers that are part of 323 00:19:22.240 --> 00:19:26.290 a ransomware group, etc, etc, etc. 
So I will get that locked 324 00:19:26.290 --> 00:19:30.850 down soon as, again, you know, not as sexy maybe as a 325 00:19:30.850 --> 00:19:34.600 nation-state attack of the SolarWinds variety, but probably 326 00:19:34.600 --> 00:19:37.870 the SolarWinds hackers are investigating this for their own 327 00:19:37.870 --> 00:19:41.860 purposes as well. So justify it however you need, but I'd say 328 00:19:41.860 --> 00:19:45.610 for my money, this is a story that's screaming out to act now. 329 00:19:46.690 --> 00:19:47.710 Don't get pulled later. 330 00:19:49.360 --> 00:19:54.160 Anna Delaney: Very convincing, Mathew. We agree, I think. We 331 00:19:54.160 --> 00:19:56.260 cannot speak for you, Michael. But yes, indeed. 332 00:19:57.850 --> 00:20:00.190 Michael Novinson: Absolutely. And I think from my standpoint, 333 00:20:00.190 --> 00:20:02.710 in the world of business, the impact of the macroeconomic 334 00:20:02.710 --> 00:20:06.370 downturn on the cybersecurity industry is really the biggest 335 00:20:06.370 --> 00:20:09.460 thing I've been tracking. And cybersecurity is a fast growing 336 00:20:09.460 --> 00:20:11.890 space, but it can't defy the laws of gravity, whether it's 337 00:20:11.890 --> 00:20:14.890 rising inflation rates, the war on Russia and Ukraine, supply 338 00:20:14.890 --> 00:20:19.030 chain issues that affect this industry as well. One of the 339 00:20:19.030 --> 00:20:21.790 most interesting trends I think it's been driving is what we 340 00:20:21.790 --> 00:20:26.020 call take private deals or private equity firms coming in 341 00:20:26.020 --> 00:20:28.180 and buying publicly traded companies. We've been seeing a 342 00:20:28.180 --> 00:20:33.610 lot of it since the stock market peaked in November of 2021. Most 343 00:20:33.610 --> 00:20:39.070 notably, we've had Thoma Bravo purchased SailPoint. They've 344 00:20:39.070 --> 00:20:42.340 agreed to buy Ping Identity. 
They've had conversations with 345 00:20:42.340 --> 00:20:44.860 Darktrace about making an acquisition, because that 346 00:20:44.860 --> 00:20:48.910 ultimately didn't come through. Turn/River Capital bought Tufin. 347 00:20:48.940 --> 00:20:52.810 And now we have, just this week Vista Equity has made an offer 348 00:20:52.810 --> 00:20:55.600 to buy the remaining shares of KnowBe4, which takes the company 349 00:20:55.600 --> 00:20:59.680 private at a valuation of $4.2 billion. So what does this mean 350 00:20:59.680 --> 00:21:02.230 for companies when they leave the private market? It usually 351 00:21:02.230 --> 00:21:05.830 means a little bit more pressure on efficiency, taking out some 352 00:21:05.830 --> 00:21:08.020 of those general and administrative costs. There's no 353 00:21:08.020 --> 00:21:12.580 public reporting requirements anymore. Sometimes that leads to 354 00:21:12.580 --> 00:21:16.450 job cuts, and then also there's a lot of pressure to try to grow 355 00:21:16.450 --> 00:21:19.930 that total addressable market or TAM. I know a common part of 356 00:21:19.930 --> 00:21:23.740 that Thoma Bravo playbook is to encourage targeted acquisitions 357 00:21:23.740 --> 00:21:26.200 to allow their portfolio companies to enter new markets, 358 00:21:26.650 --> 00:21:29.890 and increase the amount of cross sell and upsell activity. It was 359 00:21:29.890 --> 00:21:33.160 the playbook that followed with both Sophos and with Barracuda, 360 00:21:33.370 --> 00:21:37.750 which under Thoma has made a number of acquisitions. So you 361 00:21:37.750 --> 00:21:42.010 can expect some streamlining, some cutting in non-core areas, 362 00:21:42.010 --> 00:21:47.080 but also some movement into some new areas with smaller 363 00:21:47.080 --> 00:21:49.690 acquisitions when companies go private. 364 00:21:50.760 --> 00:21:53.850 Anna Delaney: So much happening in this space simultaneously. 
365 00:21:54.090 --> 00:21:57.030 But I was going to talk about Twitter versus Uber. You know, 366 00:21:57.030 --> 00:22:00.690 we've seen these two fascinating yet contrasting stories 367 00:22:00.690 --> 00:22:03.600 involving former heads of security for both organizations. 368 00:22:03.600 --> 00:22:07.800 And I guess both bring up an interesting question around 369 00:22:07.830 --> 00:22:11.880 cybersecurity leadership and ethics and decision making. And 370 00:22:12.270 --> 00:22:16.710 the industry is watching both cases closely as to see how they 371 00:22:16.740 --> 00:22:21.510 will evolve. We were speaking to former CISO David Pollino, on 372 00:22:21.510 --> 00:22:24.510 the Proof of Concept show recently, and he says both of 373 00:22:24.510 --> 00:22:27.840 these cases speak to security culture, the security culture of 374 00:22:27.840 --> 00:22:31.680 a company. And a CISO just can't keep a company secure. You need 375 00:22:31.680 --> 00:22:35.490 the support of the board and executives and you need to 376 00:22:35.490 --> 00:22:40.020 align, or you need to make sure the incentives and behavior are 377 00:22:40.020 --> 00:22:44.520 aligned to promote good security practices. So perhaps pivotal 378 00:22:44.520 --> 00:22:47.460 stories around the future of cybersecurity leadership. 379 00:22:49.790 --> 00:22:53.810 Mathew Schwartz: Yeah, I mean, CISO Joe Sullivan, formerly of 380 00:22:53.870 --> 00:22:58.670 Uber, his case could conclude this week or very soon. That's 381 00:22:58.670 --> 00:23:01.790 fascinating. I think we're getting glimpses on what was the 382 00:23:01.790 --> 00:23:05.270 culture like at Uber. And that's been part of the testimony. And 383 00:23:05.930 --> 00:23:08.150 there's going to be some lessons to be learned there for sure. 384 00:23:08.180 --> 00:23:10.730 Especially if you're a CISO, make sure you've got legal cover 385 00:23:10.760 --> 00:23:14.570 before you do anything. 
And then as you say, with Peiter Zatko's, 386 00:23:14.780 --> 00:23:18.950 aka Mudge's testimony recently and his whistleblowing about 387 00:23:19.040 --> 00:23:23.720 Twitter, a very different story of someone who left and said, 388 00:23:23.720 --> 00:23:27.080 "We're not doing good enough. I'm really concerned." So 389 00:23:27.080 --> 00:23:30.710 slightly different story. But CISOs are in the spotlight, as 390 00:23:30.710 --> 00:23:34.490 you mentioned, which is maybe a little unusual, but hopefully 391 00:23:34.490 --> 00:23:35.330 for the best. 392 00:23:35.600 --> 00:23:37.730 Anna Delaney: And two revered CISOs, I mean, they are very 393 00:23:37.730 --> 00:23:38.630 well respected. 394 00:23:39.020 --> 00:23:40.640 Mathew Schwartz: Extremely, both of them. Yes. 395 00:23:41.930 --> 00:23:44.990 Anna Delaney: Well, there you go. Lots happening. As always, 396 00:23:44.990 --> 00:23:47.030 thank you very much, Mathew and Michael. This has been 397 00:23:47.030 --> 00:23:47.480 brilliant. 398 00:23:48.500 --> 00:23:49.580 Mathew Schwartz: Thanks for having me, Anna. 399 00:23:50.030 --> 00:23:51.350 Michael Novinson: Thank you for the time. It's been a great 400 00:23:51.350 --> 00:23:51.680 journey. 401 00:23:51.980 --> 00:23:54.470 Anna Delaney: You're welcome and happy holidays, Mathew. We won't 402 00:23:54.470 --> 00:23:57.890 see you for a couple of weeks. Don't miss us too much. 403 00:23:58.610 --> 00:24:00.290 Mathew Schwartz: I promise to come back with new background 404 00:24:00.290 --> 00:24:00.800 photos. 405 00:24:00.830 --> 00:24:04.520 Anna Delaney: Good. Nothing less. Thank you very much for 406 00:24:04.520 --> 00:24:05.960 watching. Until next time.