Breaking Analysis: The State of Cyber Security Q4 2019


>> From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante.

>> Hello, everyone, and welcome to this week's Cube Insights, powered by ETR. Today is November 8, 2019, and I'd like to address one of the most important topics in the minds of a lot of executives. I'm talking about CEOs, CIOs, Chief Information Security Officers, Boards of Directors, governments and virtually every business around the world. And that's the topic of cyber security. The state of cyber security has changed really dramatically over the last 10 years.

I mean, as a cyber security observer I've always been obsessed with Stuxnet, which the broader community discovered the same year that theCUBE started, in 2010. It was that milestone that opened my eyes. Think about this. It's estimated that Stuxnet cost a million dollars to create. That's it.

Compare that to an F-35 fighter jet. It costs about $85-$100 million to build one. And that's on top of many billions of dollars in R&D. So Stuxnet, I mean, it hit me like a ton of bricks. That the future of war was all about cyber, not about tanks.

And the barriers to entry were very, very low. Here's my point. We've gone from an era where thwarting hacktivists was our biggest cyber challenge to one where we're now fighting nation states and highly skilled organized criminals. And of course, cyber crime and monetary theft is the number one objective behind most of these security breaches that we see in the press every day. It's estimated that by 2021 cyber crime is going to cost society $6 trillion in theft, lost productivity, recovery costs.

I mean, that's just a staggeringly large number. It's even hard to fathom. Now, the other sea change is how organizations have had to respond to the bad guys. It used to be pretty simple. I got a castle and the queen is inside.

We need to protect her, so what do we do? We built a moat, put it around the perimeter. Now, think of the queen as data. Well, what's happened? The queen has cloned herself a zillion times. She's left the castle. She's gone up to the sky with the clouds.

She's gone to the edge of the kingdom and beyond. She's also making visits to machines and the factories and hanging out with the commoners. She's totally exposed. Listen, by 2020, there's going to be hundreds of billions of IP addresses. These are going to be endpoints and phones, TVs, cameras, tablets, automobiles, factory machines, and all these represent opportunities for the bad guys to infiltrate.

This explosion of endpoints that I'm talking about has created massive exposures, and we're seeing it manifest itself in the form of phishing, malware, and of course the weaponization of social media. You know, if you think that 2016 was nuts, wait 'til you see how the 2020 presidential election plays out. And of course, there's always the threat of ransomware. It's on everybody's minds these days. So I want to try to put some of this in context and share with you some insights that we've learned from the experts on theCUBE.

And then let's drill into some of the ETR data and assess the state of security, the spending patterns. We're going to try to identify some of those companies with momentum and maybe some of those that are a little bit exposed. Let me start with the macro and the challenge faced by organizations, and that's complexity. Here's Robert Herjavec on theCUBE. Now, you know him from the Shark Tank, but he's also a security industry executive.

Herjavec told me in 2017 at the Splunk .conf conference that he thought the industry was overly complex. Let's take a look and listen.

>> I think that the industry continues to be extremely complicated. There's a lot of vendors.

There's a lot of products. The average Fortune 500 company has 72 security products. There's a stat at RSA this year, that there's 1500 new security start-ups every year. Every single year. How are they going to survive? And which ones do you have to buy because they're critical and provide valuable insights? And which ones are going to be around for a year or two and you're never going to hear about again? So it's an extremely challenging, complex environment.

>> So it's that complexity that had led people like Pat Gelsinger to say security is a do-over, and that cyber security is broken. He told me this years ago on theCUBE. And this past VMworld we talked to Pat Gelsinger, and remember, VMware bought Carbon Black, which is an endpoint security specialist, for $21 billion. And he said that he's basically creating a cloud security division to be run by Patrick Morley, who is the Carbon Black CEO.

Now, many have sort of questioned and been skeptical about VMware's entrance into the space. But here's a clip that Pat Gelsinger shared with us on theCUBE this past VMworld. Let's listen and we'll come back and talk about it.

>> And this move in security, I am just passionate about this, and as I've said to my team, if this is the last thing I do in my career, I want to change security. We just are not satisfying our customers.

They shouldn't put more stuff on our platforms.

>> National defense issues, huge problems.

>> It's just terrible. And I said, if it kills me, right, I'm going to get this done. And they said, "It might kill you, Pat."

>> So this brings forth an interesting dynamic in the industry today. Specifically, Stephen Schmidt, the CISO of AWS, at this year's re:Inforce, which is their security conference, Amazon's big cloud security conference, said that this narrative that security is broken, it's just not true, he said. It's destructive and it's counterproductive. His and AWS's perspective is that the state of cloud security is actually strong. Kind of reminded me of a heavily messaged State of the Union address by the President of the United States.

At the same time, in many ways, AWS is doing security over. It's coming at it from the standpoint of a clean slate called cloud and infrastructure as a service. Here's my take. The state of security in this union is not good. Every year we spend more, we lose more, and we feel less safe.

So why does AWS, the security czar, see it differently? Well, Amazon uses this notion of a shared responsibility security model. In other words, they secure the S3 buckets, maybe the EC2 infrastructure, not maybe, the EC2 infrastructure. But it's up to the customer to make sure that she is enforcing the policies and configuring systems that adhere to the edicts of the corporation. So I think the shared security model is a bit misunderstood by a lot of people. What do I mean by that? I think sometimes people feel like, well, my data's in the cloud, and AWS has better security than I do.

Here I go, I'm good. Well, AWS probably does have better security than you do. Here's the problem with that. You still have all these endpoints and databases and file servers that you're managing, and that you have to make sure comply with your security policies. Even if you're all on the cloud, ultimately, you are responsible for securing your data.

Let's take a listen to Katie Jenkins, the CISO of Liberty Mutual, on this topic and we'll come back.

>> Yeah, so the shared responsibility model is, I think that's an important speaking point to this whole ecosystem. At the end of the day, Liberty Mutual, our duty is to protect policyholder data. It doesn't matter if it's in the cloud, if it's in our data centers, we have that duty to protect.

>> It's on you.

>> All right, so there you have it from a leading security practitioner. The cloud is not a silver bullet. Bad user behavior is going to trump good security every time. So unfortunately the battle goes on. And here's where it gets tricky.

Security practitioners are drowning in a sea of incidents they have to prioritize and respond to, and as you heard Robert Herjavec say, the average large company has 75 security products installed. Now, we recently talked to another CISO, Brian Lozada, and asked him what's the number one challenge for security pros. Here's what he said.

>> Lack of talent.

I mean, we're starving for talent. Cyber security's the only field in the world with negative unemployment. We just don't have the actual bodies to actually fill the gaps that we have. And in that lack of talent CISOs are starving. We're looking for the right things or tools to actually patch these holes and we just don't have it.

Again, we have to force the industry to patch all of those resource gaps with innovation and automation. I think CISOs really need to start asking for more automation and innovation within their programs.

>> So bottom line is we can't keep throwing humans at the problem. Can't keep throwing tools at the problem. Automation is the only way in which we're going to be able to keep up.

All right, so let's pivot and dig in to some of the ETR data. First, I want to share with you what ETR is saying overall, what their narrative looks like around spending. So in the overall security space, it's pretty interesting what ETR says, and it dovetails into some of the macro trends that I've just shared with you. Let's talk about CIOs and CISOs. ETR is right on when they tell me that these executives no longer have a blank check to spend on security.

They realize they can't keep throwing tools and people at the problem. They don't have the bodies, as we heard from Brian Lozada. And so what you're seeing is a slowdown in the growth, somewhat of a slowdown, in security spending. It's still a priority. But there's less redundancy.

In other words, less experimentation with new vendors and less running systems in parallel with legacy products. So there's a slowdown in adoption of new tools, and more replacement of legacy stuff is what we're seeing. As a result, ETR has identified this bifurcation between those vendors that are very well positioned and those that are losing wallet share. Let me just mention a few that have the momentum, and we're going to dig into this data in more detail. Palo Alto Networks, CrowdStrike, Okta, which does identity management, Cisco, who's coming at the problem from its networking strength.

Microsoft, which recently announced Sentinel for Azure. These are the players, and some of them that are best positioned, I'll mention some others, from the standpoint of spending momentum in the ETR dataset. Now, here's a few of those that are losing momentum. Check Point, SonicWall, ArcSight, Dell EMC, which is RSA, is kind of mixed. We'll talk about that a little bit.

IBM, Symantec, even FireEye is seeing somewhat higher citations of decreased spending in the ETR surveys and dataset. So there's a little bit of a cause for concern. Now, let's remember the methodology here. Every quarter ETR asks: are you green, meaning adopting this vendor as new or spending more? Are you neutral, which is gray, are you spending the same? Or are you red, meaning that you're spending less or retiring? You subtract the red from the green and you get what's called a net score. The higher the net score, the better.

So here's a chart that shows a ranking of security players and their net scores. The bars show survey data from October '18, July '19, and October '19. In here, you see strength from CrowdStrike, Okta, Twistlock, which was acquired by Palo Alto Networks. You see Elastic, Microsoft, Illumio, the core, Palo Alto Classic, Splunk looking strong, Cisco, Fortinet, Zscaler is starting to show somewhat slowing net score momentum. Look at Carbon Black.

Carbon Black is showing a meaningful drop in net score. So VMware has some work to do. But generally, the companies to the left are showing spending momentum in the ETR dataset. And I'll show another view on net score in a moment. But I want to show a chart here that shows replacement spending and decreased spending citations.

Notice the yellow. That's the ETR October '19 survey of spending intentions. And the bigger the yellow bar, the more negative. So Sagar, the director of research at ETR, pointed this out to me, that, look at this. There are about a dozen companies where 20%, a fifth of the customer base, is decreasing spend or ripping them out heading into the year end.

So you can see SonicWall, CA, ArcSight, Symantec, Carbon Black, again, a big negative jump. IBM, same thing. Dell EMC, which is RSA, slight uptick. That's a bit of a concern. So you can see this bifurcation that ETR has been talking about for a while.

Now, here's a really interesting kind of net score. What I'm showing here is the ETR data sorted by net score, again, higher is better, and shared N, which is the number of shared accounts in the survey, essentially the number of mentions in that October survey, with 1,336 IT buyers responding. So how many of that 1,300 identified these companies? So essentially it's a proxy for the size of the install base. So showing up on both charts is really good. So look, CrowdStrike has a 62% net score with 133 shared accounts.

So a fairly sizable install base and a very high net score. Okta, similar. Palo Alto Networks and Splunk, both large, continue to show strength. They got net scores of 44% and 313 shared N. Fortinet shows up in both.

Proofpoint. Look at Microsoft and Cisco. With 521 and 385 respectively on the right hand side. So big install bases with very solid net scores. Now look at the flip side.

Go down to the bottom right to IBM. 132 shared accounts with a 144% net score. That's very low. Check Point similarly.

Same with Symantec. Again, bifurcation that ETR has been citing. Really stark in this chart. All right, so I want to wrap. In some respects, from a practitioner perspective, the sky is falling.

You got increased attack surface. You've got exploding number of IP addresses. You got data distributed all over the place, tool creep. You got sloppy user behavior, overworked security ops staff, and a scarcity of skills. And oh, by the way, we're all turning into a digital business, which is all about data.

So it's a very, very dangerous time for companies. And it's somewhat chaotic. Now, chaos, of course, can mean cash for cyber security companies and investors. This is still a very vibrant space. So just by the way of comparison and looking at some of the ETR data, check this out.

What I'm showing is companies in two sectors, security and storage, which I've said in previous episodes of Breaking Analysis, storage, and especially traditional storage disk arrays, are on the back burner spending wise for many, many shops. This chart shows the number of companies in the ETR dataset with a net score greater than a specific target. So look, security has seven companies with a 49% net score or higher. Storage has one. Security has 18 above 39%.

Storage has five. Security has 31 companies in the ETR dataset with a net score higher than 30%. Storage only has nine. And I like to think of 30% as kind of the point at which you want to be above that 30%. So as you can see, relatively speaking, security is an extremely vibrant space.

But in many ways it is broken. Pat Gelsinger called it a do-over and is effecting a strategy to fix it. Personally, I don't think one company can solve this problem. Certainly not VMware, or even AWS, or even Microsoft. It's too complicated, it's moving too fast.

It's so lucrative for the bad guys with very low barriers to entry, as I mentioned, and as the saying goes, the good guys have to win every single day. The bad guys, they only have to win once. And those are just impossible odds. So in my view, Brian Lozada, the CISO that we interviewed, nailed it. The focus really has to be on automation.

You know, we can't just keep using brute force and throwing tools at the problem. Machine intelligence and analytics are definitely going to be part of the answer. But the reality is AI is still really complicated too. How do you operationalize AI? Talk to companies trying to do that. It's very, very tricky.

Talk about lack of skills, that's one area that is a real challenge. So I predict the more things change the more you're going to see this industry remain a game of perpetual whack-a-mole. There's certainly going to be continued consolidation, and unquestionably M&A is going to be robust in this space. So I would expect to see continued stories in the trade press of breaches. And you're going to hear scare tactics by the vendor community that want to take advantage of the train wrecks.

Now, I wish I had better news for practitioners. But frankly, this is great news for investors if they can follow the trends and find the right opportunities. This is Dave Vellante for Cube Insights powered by ETR. Connect with me at DavidVellante@siliconangle.com, or @dvellante on Twitter, or please comment on what you're seeing in the marketplace in my LinkedIn post. Thanks for watching. Thank you for watching this Breaking Analysis. We'll see you next time. (energetic music)

