The narrative from security vendors is organizations don’t spend enough money on cyber defense. Maybe…but will spending more actually address the problems organizations face? The conventional wisdom is it will help; or at least it can’t hurt, but as we and others have pointed out over the years, a crowded market and mega VC funding have created more tools, more complexity and more billionaires…but are we safer?
In this Breaking Analysis we follow up on last week’s episode and continue with Part 2. In an homage to the keynote from RSA CEO Rohit Ghai, we ask, is there a looming identity crisis in the security industry? This week we’re excited to introduce the newest member of the SiliconANGLE editorial team, longtime journalist David Strom. With David, we’ll unpack the data and bring additional context to the ETR body of work. We’ll also look at some recent data from Unit 42, Palo Alto Networks’ threat intelligence and response division. As well, we’ll dig into the anatomy of a recent double supply chain hack.
The More Things Change…
As we shared last week, zero trust came back as the number one IT priority in the next twelve months. The chart above from ETR is a double click on specifically which security areas are in focus. Identity, single sign on and multi-factor authentication (MFA) came in tied with vulnerability management and patching. And the rest of the initiatives are the same ones we’ve been talking about for years in the business.
According to David Strom:
You could have run this same slide five years ago, maybe even 10 years ago, with the exception of the logging tools. I mean, it’s pretty embarrassing for the security industry that we’re still talking about the same types of processes, same types of tools and techniques. And we should have a better handle on this, but we don’t.
Strom also pointed out that firewalls are missing from the chart. Every company has a firewall, and in his view it is precisely because perimeter firewalls have failed to keep attackers out that we now need zero trust.
[Listen to David Strom riff on the embarrassing state of security today and the failure of firewalls to protect organizations].
Most Security Wounds are Self-Inflicted
The next data point below comes from Palo Alto Networks’ Unit 42 Cloud Threat Report. It tells us that typically 5% of the security rules trigger the majority of security alerts, and the same misconfigurations are made over and over.
We asked Strom: “What does this tell us about security practices today?”
It shows that they’re pretty lousy. I mean, we really don’t have very much security by design. In other words, before you even code your first line of an app, you think about how to secure it. And a lot of developers are just plain lazy. They don’t really look at security as their province. They think that’s somebody else’s job. A lot of the secret scanning tools that were mentioned in the report have been available for years, yet the vast majority of organizations, like 80%, have hard coded encryption keys and other secrets into their code. It’s just nuts. It’s just really poor practice.
[Listen to David Strom talk about the lack of security by design].
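To make the hard-coded-secrets point concrete, here is a minimal secret scanner of the kind Strom refers to. It is an added example written for this page, not code from the Unit 42 report or from any vendor mentioned here. The sample source file is constructed, the credentials in it are fake (the AWS pair is Amazon’s documented example key), and the pattern list and the 3.0-bit entropy floor are assumptions chosen for illustration: regex patterns catch well-known key shapes, and the Shannon-entropy check stops placeholders such as "changeme" or "${API_KEY}" from being reported.

```python
"""Minimal secret scanner: regex patterns plus a Shannon-entropy check.

Added example, not code from the Unit 42 report or from 3CX. The sample
source file below is constructed; the credentials in it are fake.
"""
import math
import re
from typing import List, Tuple

# (rule name, compiled pattern). Patterns model the shapes of common secrets.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # generic assignment: <something>password|secret|api_key|token<suffix> = "<value>"
    ("generic_assignment",
     re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']{8,})["']""")),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score above ~3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_floor: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, matched_value) for each likely hard-coded secret.

    The entropy floor (an assumed threshold) applies only to the generic
    assignment rule, so placeholders such as "changeme" or "${DB_PASSWORD}"
    are not reported; fixed-shape rules (AWS key id, PEM header) always fire.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment":
                    if value.startswith("${") or shannon_entropy(value) < entropy_floor:
                        continue
                findings.append((line_no, rule, value))
    return findings


# Constructed sample source file; nothing here is a live credential.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
api_key = "${API_KEY}"
db_url = os.environ["DATABASE_URL"]
# -----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {value}")
```

Running it on the sample reports the AWS key id on line 2, the high-entropy secret access key on line 3 and the PEM header on line 7, while the low-entropy "changeme" and the "${API_KEY}" placeholder are correctly ignored. Wiring a check like this into a pre-commit hook or CI step is what "security by design" looks like in practice for this particular failure mode.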
Anatomy of the 3CX Double Supply Chain Hack
Continuing on the theme of a looming crisis, the chart below is brought to you by Mandiant, the threat intelligence and response company that is now part of Google. As we know, threats are ever-escalating and can come from unexpected sources. A recent double supply chain hack serves as a stark reminder of the importance of robust security measures, even for seemingly harmless applications.
The chart explains what is believed to be the first evidence-based confirmation of a double supply chain compromise, where an initial supply chain infiltration triggered a second wave of compromise.
The following summarizes how David Strom explained the breach:
The incident began when an employee at 3CX, a company specializing in voice-over-IP (VoIP) unified communications tools, downloaded a stock tracking app to their desktop at work. This seemingly innocuous action had far-reaching consequences, as the stock tracking app had been compromised two years prior. The infected app not only gave the attackers control of the employee’s computer but also provided the foothold from which they reached the 3CX desktop application distributed to its customers, turning the software into malware.
This unfortunate event highlights a series of errors and oversights on the part of both the employee and the company. The employee should not have been able to download the app in the first place; and the stock tracking company should have taken action to secure their compromised software. Furthermore, 3CX’s weak application security (AppSec) allowed the malware to infiltrate their product easily. While it’s true that the adversary was very sophisticated (suspected by Mandiant to be North Korean), this is another example of self-inflicted wounds and the crisis of confidence in security.
Facing significant backlash, 3CX recently released a blog post outlining its plans to improve its security measures. The proposed changes include more dynamic code analysis, hashed passwords, hiring penetration testers, and establishing separate network operations and software departments. However, according to Strom, these measures would only bring the company up to 2015 security standards – a far cry from the cutting-edge solutions necessary to combat today’s sophisticated threats.
A Double Whammy Sequence of Attacks
In this double supply chain hack, the first supply chain breach involved the compromised stock tracking app. The attackers infected the app and left it on the company’s website, so when unsuspecting users downloaded it, their computers would also become infected. This allowed the hackers to take control of the users’ computers and modify the software code on their desktops.
Interestingly, the attack victim was not a purposeful target for the hackers; it was more of an opportunistic exploit. The attackers were fortunate that the stock tracking company failed to update or secure the app. After modifying the app with their own malware, they simply waited for users to download it, giving them a pool of potential victims to control and exploit.
This case underscores the vital need for organizations to continuously update and improve their cybersecurity practices. In a world where even a simple stock tracking app can lead to disastrous consequences, businesses must be more vigilant to protect their customers and reputation.
[Listen to David Strom explain the breach and provide critical analysis of 3CX’s security practices].
The 3CX Hackers Exploited Weaknesses in API Security
As Strom points out, in the 3CX hack, the attackers took advantage of deficiencies in the API (application programming interface) infrastructure. APIs facilitate communication between different applications, allowing them to share information and interact with one another. If a malicious actor can insert themselves into this communication stream, they can cause significant damage to the systems involved.

API security is a vital component of the software supply chain. When developers download code snippets or routines for specific tasks, such as displaying content in larger fonts or connecting a web server to a database, they are making API calls. Ensuring these API calls are secure and that the code being used is free from infection is essential to prevent incidents like the 3CX hack or the SolarWinds attack from a few years ago. Inadequate API security can lead to the proliferation of infected software, causing serious consequences for both users and organizations.
[David Strom explains the relationship between API infrastructure and the supply chain hacks].
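The common thread in the 3CX sequence above and in the point about "code being used" being "free from infection" is that a build consumed an artifact nobody had verified. The most basic control is to pin a digest for every third-party input and fail the build on any mismatch, which is the idea behind hash-pinned lockfiles. The block below is an added example written for this page, not 3CX’s, Mandiant’s or any vendor’s code; the manifest, artifact bytes and file names are constructed. One caveat the 3CX case makes vivid: a pin is only as good as the copy it was taken from, so digests should be recorded when a dependency is vetted (or taken from a signed manifest), not copied from the same download page an attacker may control.

```python
"""Verify fetched build inputs against pinned SHA-256 digests.

Added example, not code from 3CX, Trading Technologies or Mandiant. The
manifest and artifact bytes below are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(pinned: Dict[str, str],
                     downloaded: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare each fetched artifact with its pinned digest.

    Statuses: "ok", "tampered" (digest mismatch), "missing" (pinned but not
    fetched) and "unpinned" (fetched but nothing to compare against, which a
    build should treat as a failure, not a warning).
    """
    results = []
    for name, expected in sorted(pinned.items()):
        if name not in downloaded:
            results.append((name, "missing"))
            continue
        actual = sha256_hex(downloaded[name])
        # Compare the full lowercase hex so a truncated or mixed-case pin
        # cannot silently pass.
        results.append((name, "ok" if actual == expected.lower() else "tampered"))
    for name in sorted(set(downloaded) - set(pinned)):
        results.append((name, "unpinned"))
    return results


def build_is_trustworthy(results: List[Tuple[str, str]]) -> bool:
    """A build proceeds only if every pinned input is present and intact."""
    return all(status == "ok" for _, status in results)


# Constructed sample: digests recorded when these inputs were vetted.
CLEAN_INSTALLER = b"MZ\x90\x00 installer-v1.0 (constructed bytes)"
CLEAN_LIBRARY = b"library-v2.3 (constructed bytes)"
PINNED = {
    "installer.exe": sha256_hex(CLEAN_INSTALLER),
    "libhelper.dll": sha256_hex(CLEAN_LIBRARY),
    "updater.exe": "0" * 64,  # pinned, but the download never arrived
}
# What the build machine actually fetched: the installer has had a payload
# appended, and an extra file nobody pinned showed up.
DOWNLOADED = {
    "installer.exe": CLEAN_INSTALLER + b"\x00payload",
    "libhelper.dll": CLEAN_LIBRARY,
    "extra.dll": b"nobody pinned me",
}

if __name__ == "__main__":
    results = verify_artifacts(PINNED, DOWNLOADED)
    for name, status in results:
        print(f"{name}: {status}")
    print("build trustworthy:", build_is_trustworthy(results))
```

On the sample, the appended payload flips installer.exe to "tampered", updater.exe is "missing", extra.dll is "unpinned", and the build is rejected. Note what this does not do: it cannot tell you that the vendor’s own, correctly signed release was already trojanized, which is why the second stage of the 3CX compromise was only caught after customers’ endpoint tooling flagged the behaviour of the signed binary.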
Speaking of API Security – Akamai Acquires Neosec
Last week Erik Bradley pointed out that he thought one of the API security companies would get acquired. And we listed a number of potential acquirers. He didn’t predict Akamai would take out Neosec but Erik highlighted Salt Security as a possible target.
The chart above takes data from ETR’s main TSIS (Technology Spending Intentions Survey) for Akamai – which has 190 accounts in the survey – and crosses it with emerging technology companies that are privately held and focused on API security. In blue we’ve listed the percent customer overlap between Akamai and the three companies shown, Neosec, Noname Security and Salt Security. In red we show the amount of capital raised according to Crunchbase.
This past week at QlikWorld 2023, we had the opportunity to sit down with Drew Clarke who heads strategy for Qlik, a company that has been highly acquisitive for the better part of the past six years. He cited four key criteria that are necessary to have a successful acquisition: 1) Alignment of vision; 2) Technology fit; 3) Culture; and then and only then 4) Financial.
[Listen to Qlik CSO Drew Clarke explain the four key criteria that are necessary for a good acquisition].
There’s not a big difference across the three companies in the ETR data with respect to customer overlap. But it’s clear that Noname and Salt Security would be far more expensive than Neosec, assuming the Crunchbase data is correct. David Strom has been following Akamai’s acquisitions for years, so we asked him for his thoughts on this particular acquisition.
Well, Akamai I think generally makes very well reasoned and well timed acquisitions because they have to maintain an absolute trust in the quality of their infrastructure. I mean, the biggest websites in the world are running over Akamai. And so they have to have the tightest security and the most error free [experience]. Google uses them, Microsoft uses them. So this is a good idea for Akamai. A lot of their acquisitions – over 30 of them – are companies who you’ve never heard of. One of the more recent ones was Linode, which is an open source community for all sorts of coding practices. They [Akamai] probably tried out their API security and thought that Neosec was a solid product.
[David Strom explains Akamai’s acquisition approach and likely logic behind the Neosec move].
No Shortage of Emerging Tech M&A Candidates in Cybersecurity
Staying with those privately held emerging tech companies, we want to share a high level view of what’s in the ETR database. The graph below shows privately held companies in the ETR Emerging Technology Survey (ETS) grouped by security subsector. You can see in the top group there are 17 cloud and 15 identity security companies; they’re the most crowded. Group 2 is AppSec and intrusion detection and prevention. Then assessment, container and IoT security and so on.
We’ve highlighted identity to emphasize our identity crisis theme and we’re going to talk more about that in a moment. But we discussed with David Strom the possibility that cloud and identity are overcrowded and whether there is really a need for this many privately held companies. The following summarizes the conversation…
The space is complex and diverse. But while there are many companies, there’s a need for specialized solutions to tackle various security challenges; because generally the industry is not addressing them in a comprehensive manner. No company has one security supplier. Buyers typically employ multiple security suppliers and tools to ensure adequate protection, creating a mixture of solutions that can address different vulnerabilities.
However, the discussion also highlights a concerning trend: the continuous addition of new security tools without ever getting rid of older ones. This practice can create more problems, as IT managers are often afraid to terminate a security product for fear of exposing their systems to potential exploits. Ironically, this can result in unpatched and outdated tools becoming the very entry points for attackers to exploit.
[Listen to the conversation as to whether the cloud and identity markets are overcrowded].
Identity & Access Management Under the Magnifying Glass
Was Auth0 the Right Move for Okta?
Staying on the theme of identity – let’s take a look at some of the major players in that space.
The chart format below from ETR is one we often use on Breaking Analysis. The vertical axis represents Net Score, which measures spending momentum, or the net number of customers spending more on a specific platform. The horizontal axis is Pervasion, or the number of mentions divided by the total segment N. For a moment, we will focus on two companies, Auth0 and Okta, which we have discussed before. While we didn’t like the acquisition price ($7B), we appreciated the concept behind Okta’s acquisition.
The squiggly lines show the progression of Auth0 and Okta over the last several quarters. Okta had off-the-charts spending momentum during the pandemic, and its stock was performing well. However, they had a benign hack and a botched communications effort that hurt them and they’ve struggled to integrate Auth0. On the rightmost side of the chart, we see Cisco, which has a large presence because it includes all of Cisco’s portfolio, including Duo. As well on the graphic we see the positions of CyberArk, SailPoint, BeyondTrust, Ping Identity, and OneLogin.
We asked David Strom his opinion on Okta’s Auth0 acquisition. Here’s what he said:
I thought it was an interesting move. I don’t know if it was good or bad. The price was ridiculous, but they’ve really been maintained as two separate companies. You know, Okta’s more for external IAM, and for integrating thousands, like 7,000 SaaS apps and third party apps that they can do single sign on with. Auth0 is more for app dev and internally developed apps where you’re gonna be building your code from scratch, and there is a bridge that can connect the two sides of the organization. But they really are two kinds of different companies. They almost compete with each other. I mean, both have multi-factor authentication, both have SSO, both have passwordless things, so it’s odd that they’ve kept the two entities at arm’s length. It’s ironic because Auth0 probably has a really good app dev story and Okta has a really good integration story.
The acquisition happened about two years ago, so I don’t know what’s going on there. I think most of the people that needed Okta have bought it already, you know, probably it’s in 495 of the Fortune 500. And the other problem is these are not tools that a lot of people use. Even at a large company, you probably have one or two SSO people that do the whole thing and that’s what makes it such a powerful tool. They can handle the entire company’s login and password collection and there’s not much more of a need for more people to do that. So it’s a very, very specialized IT skill.
As it pertains to the other players in the chart above, over the last five years, the identity access and security market has seen significant expansion. Many companies were slow to adopt cloud technology, but now these companies all offer cloud-based products and have identity connectors for various applications. Additionally, they have developed different tools to cater to the needs of their clients. As a result, early adopters of these solutions continue to use them, and market share has expanded. For instance, according to Strom, Ping Identity is widely used in Walmart, powering thousands of computers. Once a customer buys a license for a specific number of computers, they tend to stick with the same provider, unless something significant happens. In summary, while the market is expanding, customer loyalty is strong, and it takes a significant event to sway them from their preferred provider.
Possible Identity & Access Management Acquisitions
Let’s take a closer look at the data below, which was developed from ETR’s TSIS.
Last week, we identified potential acquirers and have done that here again. This week we include Cisco, CrowdStrike, IBM, Palo Alto Networks, and Zscaler as possible buyers. And we pulled fifteen emerging technology companies in the IAM sector from the ETS (emerging tech) survey to plot against them. The resulting chart above shows the overlap of these companies, with an N of 770 across the six potential buyer companies mentioned previously. Net sentiment, a measure of intent to engage, is on the Y-axis, and mindshare, the number of mentions, is on the X-axis. While there are other identity players in the market not shown in the chart, this provides valuable insights into the market and potential acquisition targets.
Notably, BeyondTrust and 1Password stand out from the crowd. We asked David Strom if this was surprising, and if so, why?
Yeah, ’cause particularly 1Password, that’s a consumer password manager. If you’ve got an SSO tool that’s working for you in your company, you’re not gonna buy a 1Password type of product. You might start out with a password manager for a small development group, for example, so that you don’t have to remember all your passwords, but eventually you’re gonna migrate to an SSO tool because you don’t wanna know what your passwords are. You’re gonna wanna have some software that takes care of that. So that automatically logs you in when you bring up your screen in the morning when you start working. All your apps are right there on your desktop. You don’t have to sit there and say, ‘oh, now what was the password for that?’ So to me, that shows either the SSO tools aren’t working in those organizations or they don’t have somebody that’s competent to roll them out; or that they’ve been using that personally on their home computers because they’re now working remotely and they need something that they can use that is not part of the corporate SSO tool.
[Listen to David Strom explain why 1Password’s presence in the enterprise surprised him].
What to Watch for at RSA 2023
Building on last week’s ‘what to watch for at RSA’ let’s wrap up and summarize the closing conversation with David Strom.
Data Protection as an Integral Part of Cybersecurity
It’s critical that companies take backup and recovery seriously, especially when it comes to cybersecurity. In fact, it’s an essential component of cybersecurity. Ransomware attacks are becoming more and more prevalent, and among the first things these attacks typically do is delete volume shadow copies on Windows and go after the backups themselves, exfiltrating or encrypting backup data. Without proper backups, companies are leaving themselves vulnerable to these kinds of attacks.
It’s alarming that even after years of dealing with ransomware, companies are still not implementing proper backup and recovery measures. According to recent statistics, a hundred percent of the ransomware attacks analyzed by one company resulted in the encryption of the backup corpus. This makes it clear that companies must take a more proactive approach to backup and recovery, implementing systems that ensure data immutability and physical air gap protection.
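Because shadow copy deletion and recovery tampering usually precede encryption by minutes or hours, they are among the highest-value detections a SOC can run. The block below is an added example for this page, not code from any vendor referenced here: a small detector run over constructed process-creation events in an assumed host|user|image|command_line shape (Sysmon Event ID 1 or EDR telemetry would supply the same fields). The command patterns are the ones commonly seen in ransomware staging; the rule set is illustrative, not exhaustive, and the multi-technique roll-up is an assumed way of separating a single noisy admin command from an attack in progress.

```python
"""Flag process-creation events that tamper with Windows backups and recovery.

Added example, not from any vendor referenced on this page. Event lines are
constructed in the shape host|user|image|command_line; the patterns cover
commands commonly associated with ransomware pre-encryption staging.
"""
import re
from typing import Dict, List

RULES = {
    "shadow_copy_delete": re.compile(
        r"(?i)\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "shadow_storage_shrink": re.compile(
        r"(?i)\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b.*maxsize="),
    "wmic_shadow_copy_delete": re.compile(
        r"(?i)\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "recovery_disabled": re.compile(
        r"(?i)\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
    "backup_catalog_delete": re.compile(
        r"(?i)\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    "ps_shadow_copy_remove": re.compile(
        r"(?i)win32_shadowcopy.*remove-wmiobject|win32_shadowcopy.*\.Delete\(\)"),
}


def parse_event(line: str) -> Dict[str, str]:
    # maxsplit=3 keeps any '|' inside the command line (PowerShell pipes) intact.
    host, user, image, command_line = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "command_line": command_line}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match; benign commands produce none."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule, pattern in RULES.items():
            if pattern.search(ev["command_line"]):
                alerts.append({**ev, "rule": rule})
    return alerts


def hosts_by_technique_count(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Distinct techniques per host; several on one host is the strongest signal."""
    per_host: Dict[str, set] = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return {host: len(rules) for host, rules in per_host.items()}


# Constructed sample telemetry. Lines 1 and 5 are benign and must not fire.
SAMPLE_EVENTS = [
    "WS-17|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "WS-17|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "WS-17|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "WS-17|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "SRV-02|CORP\\backupsvc|C:\\Windows\\System32\\wbadmin.exe|wbadmin start backup -backupTarget:E:",
    "SRV-02|CORP\\backupsvc|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "WS-17|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']} {a['user']}: {a['rule']}: {a['command_line']}")
    print("techniques per host:", hosts_by_technique_count(found))
```

On the sample, WS-17 trips four distinct techniques within the same user session, which is the pattern to page on; SRV-02 trips one (a catalog deletion from the backup service account), which deserves a look but may be maintenance. The genuinely interesting operational point is the one in the text: the detection buys you nothing if the backups it protects are reachable from the same credentials and have no immutable, offline copy.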
As noted industry data protection guru Fred Moore says “backup is one thing, recovery is everything.” You can make all the backups in the world, but if you can’t recover from them, they’re useless. And yet, many companies don’t even bother to test the recovery of their backups, leaving them vulnerable to a variety of disasters, from bad weather to bad actors to human error.
In short, if companies don’t take backup and recovery seriously, they’re putting themselves at serious risk. This is not something to be taken lightly or ignored. As we head into RSA and other industry events, it’s critical that companies are aware of the importance of backup and recovery in their overall cybersecurity strategy.
The Scourge of Passwords – Is Passwordless a Possibility?
The idea of a passwordless world has gained significant attention in recent times. Netflix has been in the spotlight for announcing their plans to restrict password sharing in certain areas. This move has sparked concern among users as it may make it difficult for them to access content. However, it is not hard to track users who share passwords, as it involves simply tracking IP addresses.
Despite the growing interest in passwordless authentication, according to David Strom it is unlikely to be achieved anytime soon. While the FIDO Alliance, comprising tech giants like Apple, Microsoft, and Google, has agreed on a general strategy for implementing passwordless solutions, the devil lies in the details. Each company has its own approach, which is not yet ready for enterprise users. It may take another year or more for a passwordless future to become a reality, according to Strom.
The Role of Public Policy in Cybersecurity
Conferences are Back and RSA is Expected to be Massive
As we look at the trends in attendance at industry events, it’s clear that the landscape has shifted significantly since RSA 2020, the last major conference prior to the COVID-19 pandemic. While physical events have returned, they are generally smaller in size, especially the vendor-hosted events. We’ve seen companies like Palo Alto Networks and Couchbase opt for roadshows rather than large-scale events, while IBM Think has downsized considerably. However, independent events like RSA, MWC (Mobile World Congress), and NAB have seen significant growth in attendance.
One key factor driving this shift is the increasing popularity of hybrid events that offer both in-person and virtual attendance options. Companies that can successfully navigate this new landscape will have the opportunity to expand their audience beyond traditional physical events. RSA is taking steps in this direction with some streaming sessions scheduled for this year’s event; the conference was virtual-only in 2021 before returning in person last year.
As the industry continues to adapt to the challenges of the post-pandemic world, it will be interesting to see how companies evolve their event strategies to maximize engagement and reach their target audience effectively. The shift towards hybrid events is likely to continue, and companies that can deliver engaging, high-quality experiences both in person and virtually will be the ones that succeed in this new era of event attendance.
theCUBE @RSA 2023
Keep in Touch
Thanks to Erik Bradley, for his ongoing partnership and contributions to Breaking Analysis. Thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out. And to Rob Hof, our EiC at SiliconANGLE.
Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.
Email firstname.lastname@example.org | DM @dvellante on Twitter | Comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.
Watch the full video analysis:
Image: ra2 studio
Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at email@example.com.
All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.
Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.