Breaking Analysis: The State of Cyber Security
David Vellante
Co-founder, CEO, Entrepreneur, Technology Analyst, Co-host of theCUBE
This is the full transcript of my Cyber Security Breaking Analysis Video. You can watch the full video with synchronized transcript here: https://lnkd.in/gX_YvWd
I’m writing to address one of the most important topics on the minds of CEOs, CIOs, CISOs, Boards of Directors, Governments and virtually every business...and that’s the topic of Cyber Security.
The state of cyber security has changed dramatically over the last ten years. As a Cyber security observer, I’ve always been obsessed with Stuxnet which the broader community discovered the same year theCUBE started in 2010. It was that milestone that opened my eyes. Consider this: It’s estimated that Stuxnet cost $1M to create. Compare that to an F35 Jet Fighter which costs $85 - $100M to build...on top of many billions of dollars in R&D. So Stuxnet hit me like a ton of bricks that the future of war was Cyber. And the barriers to entry were tiny.
My point is that we’ve gone from an era where thwarting hacktivists was our biggest cyber challenge to one where we’re now fighting nation states and highly skilled organized criminals. Of course cybercrime and monetary theft is the #1 objective behind most security breaches. It’s estimated by Cyber Security Ventures that by 2021, cyber crime will cost society $6 Trillion dollars in theft, lost productivity and recovery costs. I mean that’s just such a staggeringly large number it’s hard to even imagine.
The other sea change is how organizations have had to respond to the bad guys. It used to be simple. I have a castle and the queen is inside and we need to protect her. So we built a moat around the perimeter. Think of the queen as data. Well the queen has cloned herself a zillion times and left the castle. She’s gone up to the sky with the clouds. She’s gone to the edge of the kingdom and beyond. She’s making visits to machines and hanging out with the commoners— totally exposed. By 2020 there will be hundreds of billions of IP addresses at endpoints - phones, TVs, cameras, tablets, cars, factory machines, etc. all represent opportunities for the bad guys.
The explosion of endpoints has created massive exposures and we’re seeing this manifest in the form of Phishing, malware and the weaponization of social media. If you think 2016 was crazy wait until you see how the 2020 presidential election plays out. And of course the threat of Ransomware is on the minds of organizations.
So I want to try and put some of this in context and share with you insights that we’ve learned from experts on theCUBE...and then drill into some of the ETR data to assess the state of security, the spending patterns and try to identify those companies with momentum and those that may be exposed.
Let me start with the macro challenge faced by organizations and that’s complexity. Here’s Robert Herjavec on theCUBE - you know him from Shark Tank but he’s also a security industry executive. Here’s what he told me in 2017 at Splunk .conf...take a listen:
https://video-cube365-net-east.s3.amazonaws.com/uploads/clip-mp4/922291-hardsub.mp4
So it’s that complexity that has led people like Pat Gelsinger to say security is a do-over...and cyber security is broken. He told this to me years ago on theCUBE. This past VMworld, VMware announced that it was acquiring Carbon Black, an endpoint security specialist for $2.1B and that it was creating a cloud security division to be run by Patrick Morley, the Carbon Black CEO. Many have been skeptical about VMware’s entry into cloud security...here’s what Pat had to say on theCUBE:
https://video-cube365-net-east.s3.amazonaws.com/uploads/clip-mp4/922424-hardsub.mp4
This brings forth an interesting dynamic in the industry today. Specifically, Stephen Schmidt, the CISO of AWS at this year’s re:Inforce event said this narrative that security is broken is not true...it’s destructive and counterproductive... His and AWS’ perspective is that the state of cloud security is strong. It kind of reminded me of a heavily messaged State of the Union address by the POTUS. At the same time, in many ways AWS is doing security over. It’s coming at this problem with a clean slate called cloud and infrastructure as a service.
Here’s my take. The state of the security union is not good. Every year we spend more, lose more and are less safe. So why does AWS’ security Czar see it differently? Well, Amazon uses this notion of a shared responsibility security model - i.e. they secure the S3 buckets and the EC2 infrastructure - but it’s up to the customer to make sure she’s enforcing policies and configuring systems that adhere to the edicts of the corporation. I think this shared security model is misunderstood by a lot of people. Specifically I think people feel like “my data is in the cloud and AWS has better security than I have...ergo I’m good.” Well here’s the problem with that. You still have all these endpoints, databases, file servers, etc. that you’re managing. And even if they’re all in the cloud, you as the customer are ultimately responsible for securing your data. Let’s listen to Katie Jenkins, the CISO of Liberty Mutual on this topic:
https://video-cube365-net-east.s3.amazonaws.com/uploads/clip-mp4/922292-hardsub.mp4
Ok so there you have it from a leading security practitioner. The Cloud is not a silver bullet. Bad user behavior is going to trump good security every time - so unfortunately the battle ensues.
And here’s where it gets tricky...Security practitioners are drowning in a sea of incidents that they have to prioritize and respond to. And as you heard Robert Herjavec say, the average large company has 75 security products installed. We recently talked to another CISO, Brian Lozada - and asked him, what’s the number one challenge for security pros - here’s what he said:
https://video-cube365-net-east.s3.amazonaws.com/uploads/clip-mp4/922304-hardsub.mp4
So that’s the bottom line. We can’t keep throwing humans at the problem. Automation is the only way in which we’re going to be able to keep up.
Ok...so let’s pivot and look at some of the ETR Data. First I want to share with you what ETR is saying about spending in the overall security space...it’s pretty interesting and dovetails into some of the macro trends I’ve mentioned. First let’s talk about CIOs and CISOs. ETR is right on when they say that these executives no longer have a blank check for security. They realize they can’t keep throwing tools at the problem and they don’t have the bodies anyway as we heard from Brian Lozada. Hence what you’re seeing is a slowdown in the growth of security spending - it’s still a priority - but there’s less redundancy (in other words less experimentation with new vendors and less running systems in parallel with legacy products). So a slowdown in adoption of new tools and more replacements of legacy is what we’re seeing.
As a result, ETR has identified a bifurcation between those vendors that are very well-positioned and those that are losing wallet share. I’ll mention a few. Those with momentum: Palo Alto Networks, Crowdstrike, Okta (which does identity management), Cisco (coming at the problem from its network strength), Microsoft which recently announced Sentinel for Azure...these are the players that are some of the best positioned from the standpoint of spending momentum.
A few of those that are losing spending momentum - Checkpoint, Sonicwall, Arcsight, Dell EMC (RSA), IBM, Symantec...even FireEye is seeing somewhat higher citations of decreased spending in the ETR surveys. So this is a bit of a cause for concern.
Remember the methodology here. Every quarter ETR asks are you Green - meaning adopting this vendor as new or spending more. Are you neutral gray - i.e. spending the same, or are you red - meaning spending less or retiring. Subtract red from Green and you get a NET SCORE. The higher the net score the better.
So here’s a chart that shows a ranking of security players’ net scores. The bars show survey data from Oct 18, July ‘19 and Oct ‘18. In here you see strength from Crowdstrike, Okta, Twistlock (Palo Alto NW), Elastic, Microsoft, Illumio, Core Palo Alto, Splunk, Cisco, Fortinet...ZScaler - starting to show somewhat slowing net score momentum...Carbon Black showing a meaningful drop in net score - so VMware has some work to do...but generally the companies to the left are showing spending momentum in the ETR data set. I’ll show another view on net score in a minute.
And here’s a chart showing replacement and spending decrease citations - notice the yellow - that’s the ETR October ‘19 survey of spending intentions and the bigger the yellow bar the more negative. Sagar, the Director of research at ETR pointed this out to me that there are about a dozen companies where 20% of their customer base is decreasing spend or ripping them out heading into year-end. So you can see - Sonicwall, CA, Arcsight, Symantec, Carbon Black - big negative jump, IBM same thing, Dell EMC (RSA) slight uptick that’s a bit of a concern...so you can see the bifurcation.
Here’s another really interesting cut on Net Score. What I’m showing here is the ETR data sorted by Net score - higher is better and Shared N - which is the number of mentions in the October Survey - where 1,336 IT buyers responded. So how many mentions out of that 1300. It’s essentially a proxy for the size of the installed base. So showing up on both charts is goodness. Crowdstrike with a 62% net score and 133 shared accounts. Okta similar, Palo Alto Networks, Splunk continues to show strength with a net score of 44% and 313 shared N. Fortinet shows in both...Proofpoint...Look at Microsoft and Cisco on the right with 521 and 385 respectively both with very solid net scores. The flip side - go right to IBM - 132 shared accounts with a 14.4 net score - very low. Checkpoint similar same with Symantec...again the bifurcation that ETR cites is stark in this chart.
Ok so let’s wrap. In some respects, from a practitioner perspective, the sky IS falling. Increased attack surface, exploding IP addresses, distributed data, tool creep, sloppy user behavior, overworked Sec ops staff and a scarcity of skills makes life extremely dangerous for companies...it’s somewhat chaotic. But chaos can mean cash and Cyber Security is still a very vibrant space. Just by way of comparison in looking at the ETR data...check this out. What I’m showing here is companies in two sectors - Security and Storage - which I’ve said in previous episodes - storage and especially traditional storage arrays are on the back burner spending-wise for many shops. This chart shows the number of companies in the ETR data set with a net score greater than a specific target. So look - Security has 7 companies with a 49% net score or higher - storage has 1. 18 above 39% - storage has 5. 31 companies with a net score higher than 30% - storage only has 9.
So as you can see, relatively speaking, security is an extremely vibrant space but in many ways it IS broken. Pat Gelsinger called it a do-over and is effecting a strategy to fix it. I don’t think one company can solve this problem. Certainly not VMware or even AWS or Microsoft. It’s too complicated, moving too fast, it’s so lucrative for the evildoers, with very low barriers to entry. As the saying goes, the good guys have to win every day… the bad guys only have to win once. And those are just impossible odds. In my view, Brian Lozada nailed it...the focus really has to be on automation. We can’t just keep using brute force and throwing tools at the problem. So machine intelligence and analytics will definitely be part of the answer but the reality is that AI is still so complicated to operationalize. Talk about lack of skills...So I predict the more things change the more you’re going to see this industry remain a game of perpetual whack-a-mole. There will certainly be continued consolidation - unquestionably M&A will be robust in this space. So expect to see continued stories in the press of breaches and scare tactics by the vendor community that take advantage of the train wrecks. I wish I had better news for practitioners...but this is great news for investors if they can follow the trends and find the right opportunities.
Thanks for watching this CUBE INSIGHTS - POWERED BY ETR...connect with me at [email protected] @dvellante or comment on what you're seeing in my LinkedIn posts.
https://www.youtube.com/watch?time_continue=7&v=S6OdlYYUFow&feature=emb_logo