RSA 2023 and the security identity crisis, part two
The narrative from security vendors is organizations don’t spend enough money on cyber defense. Maybe… but will spending more actually address the problems organizations face? The conventional wisdom is it will help; or at least it can’t hurt. But as we and others have pointed out over the years, a crowded market and mega venture capital funding have created more tools, more complexity and more billionaires… but are we safer?
In this Breaking Analysis, we follow up last week’s episode and continue with part two. In an homage to the keynote from RSA Security LLC Chief Executive Rohit Ghai, we ask: Is there a looming identity crisis in the security industry? This week we’re excited to introduce the newest member of the SiliconANGLE editorial team, longtime journalist David Strom. With David, we’ll unpack the data and bring additional context to the Enterprise Technology Research body of work. We’ll also look at some recent data from Unit 42, Palo Alto Networks Inc.’s threat intelligence and response division. As well, we’ll dig into the anatomy of a recent double supply chain hack.
The more things change…
As we shared last week, zero trust came back as the No. 1 information technology priority in the next 12 months. The chart above from ETR is a double-click on specifically which security areas are in focus. Identity, single-sign-on and multifactor authentication or MFA came in tied with vulnerability management and patching. And the rest of the initiatives are the same ones we’ve been talking about for years in the business.
According to Strom:
You could have run this same slide five years ago, maybe even 10 years ago, with the exception of the logging tools. I mean, it’s pretty embarrassing for the security industry that we’re still talking about the same types of processes, same types of tools and techniques. And we should have a better handle on this, but we don’t.
Strom also pointed out that firewalls are missing from the chart. Every company has a firewall, and it’s because of poor firewalls that we need zero trust.
Most security wounds are self-inflicted
The next data point below comes from Palo Alto Networks’ Unit 42 Cloud Threat Report. It tells us that typically 5% of the security rules trigger the majority of security alerts. And the same mistakes are made over and over.
We asked Strom: “What does this tell us about security practices today?”
It shows that they’re pretty lousy. I mean, we really don’t have very much security by design. In other words, before you even code your first line of an app, you think about how to secure it. And a lot of developers are just plain lazy. They don’t really look at security as their province. They think that’s somebody else’s job. A lot of the secret scanning tools that were mentioned in the report have been available for years, yet the vast majority of organizations, like 80%, have hard-coded encryption keys and other secrets into their code. It’s just nuts. It’s just really poor practice.
Listen to David Strom talk about the lack of security by design.
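As an added example (not code from this Breaking Analysis, from Strom, or from the Unit 42 report), here is a minimal secret scanner in Python of the kind the quote above refers to: a few pattern rules for hard-coded credentials plus a Shannon-entropy check on assigned values, run over a constructed source snippet. The rule names, the regular expressions and the sample file contents are assumptions made for this illustration; the key-like strings are made-up placeholders, not real credentials.

```python
import math
import re

# Constructed sample source text standing in for one repository file.
# Every key-like value below is a made-up placeholder.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2"
API_VERSION = "2023-04-01"
-----BEGIN RSA PRIVATE KEY-----
"""

# Hypothetical pattern rules assumed for this example, modelled loosely on
# the checks commercial and open-source secret scanners ship with.
PATTERN_RULES = [
    # Access key IDs of this shape are a fixed-format token: easy to match.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A PEM private-key header has no business being in source control.
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # A secret-ish identifier assigned a quoted literal; group 2 is the value.
    ("assigned-secret", re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]+)['\"]")),
]


def shannon_entropy(value):
    """Bits per character; random-looking keys score high, words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return one finding per matching rule per line.

    Fixed-format rules are always 'high'. For generic keyword assignments the
    entropy of the value decides: a long, high-entropy literal looks like a
    real key ('high'); a short or wordy one still deserves a look ('medium').
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(2) if match.lastindex and match.lastindex >= 2 else match.group(0)
            if rule == "assigned-secret":
                entropy = shannon_entropy(value)
                severity = "high" if len(value) >= 16 and entropy >= 3.0 else "medium"
            else:
                entropy = shannon_entropy(value)
                severity = "high"
            findings.append({
                "line": lineno,
                "rule": rule,
                "severity": severity,
                "entropy": round(entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']:>3}  {finding['severity']:<6}  "
              f"{finding['rule']:<18}  entropy={finding['entropy']}")
```

The entropy threshold is what keeps a generic keyword rule useful: without it, every `password = "changeme"` in a test fixture and every `api_key = "placeholder"` in sample config would drown real findings, so scanners typically combine a keyword match with a measure of how random the assigned value looks, and the pattern rules catch the fixed-format tokens that need no such judgement.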
Anatomy of the 3CX double supply chain hack
Continuing on the theme of a looming crisis, the chart below is brought to you by Mandiant, the threat intelligence and response company that is now part of Google LLC. As we know, threats are ever-escalating and can come from unexpected sources. A recent double supply chain hack serves as a stark reminder of the importance of robust security measures, even for seemingly harmless applications.
The chart explains what is believed to be the first evidence-based confirmation of a double supply chain compromise, where an initial supply chain infiltration triggered a second wave of compromise.
The following summarizes how Strom explained the breach:
The incident began when an employee at 3CX, a company specializing in voice-over-IP unified communication tools, downloaded a stock tracking app to a desktop at work. This seemingly innocuous action had far-reaching consequences, as the stock tracking app had been compromised two years prior. The infected app not only wreaked havoc on the employee’s computer but also infiltrated the 3CX desktop application distributed to its customers, turning the software into malware.
This unfortunate event highlights a series of errors and oversights on the part of both the employee and the company. The employee should not have been able to download the app in the first place; and the stock tracking company should have taken action to secure its compromised software. Furthermore, 3CX’s weak application security allowed the malware to infiltrate their product easily. While it’s true that the adversary was very sophisticated, suspected by Mandiant to be North Korean, this is another example of self-inflicted wounds and the crisis of confidence in security.
Facing significant backlash, 3CX recently released a blog post outlining its plans to improve its security measures. The proposed changes include more dynamic code analysis, hashed passwords, hiring penetration testers and establishing separate network operations and software departments. However, according to Strom, these measures would only bring the company up to 2015 security standards – a far cry from the cutting-edge solutions necessary to combat today’s sophisticated threats.
A double-whammy sequence of attacks
In this double supply chain hack, the first supply chain breach involved the compromised stock tracking app. The attackers infected the app and left it on the company’s website, so when unsuspecting users downloaded it, their computers would also become infected. This allowed the hackers to take control of the users’ computers and modify the software code on their desktops.
Interestingly, the attack victim was not a purposeful target for the hackers; it was more of an opportunistic exploit. They were fortunate that the stock tracking company failed to update or secure the app. After modifying the app with their own malware, the attackers simply waited for users to download it, giving them a pool of potential victims to control and exploit.
This case underscores the vital need for organizations to continuously update and improve their cybersecurity practices. In a world where even a simple stock tracking app can lead to disastrous consequences, businesses must be more vigilant to protect their customers and reputation.
Listen to David Strom explain the breach and provide critical analysis of 3CX’s security practices.
The 3CX hackers exploited weaknesses in API security
As Strom points out, in the 3CX hack, the attackers took advantage of deficiencies in the application programming interface infrastructure. APIs facilitate communication between different applications, allowing them to share information and interact with one another. If a malicious actor can insert themselves into this communication stream, they can cause significant damage to the systems involved.
API security is a vital component of the software supply chain. When developers download code snippets or routines for specific tasks, such as displaying content in larger fonts or connecting a web server to a database, they are making API calls. Ensuring these API calls are secure and that the code being used is free from infection is essential to prevent incidents like the 3CX hack or the SolarWinds attack from a few years ago. Inadequate API security can lead to the proliferation of infected software, causing serious consequences for both users and organizations.
David Strom explains the relationship between API infrastructure and the supply chain hacks.
Speaking of API security – Akamai acquires Neosec
Last week ETR’s Erik Bradley pointed out that he thought one of the API security companies would get acquired. And we listed a number of potential acquirers. He didn’t predict Akamai would take out Neosec, but Erik highlighted Salt Security as a possible target.
The chart above takes data from ETR’s main TSIS (Technology Spending Intentions Survey) for Akamai – which has 190 accounts in the survey – and crosses it with emerging technology companies that are privately held and focused on API security. In blue we’ve listed the percentage customer overlap between Akamai and the three companies shown, Neosec, Noname Security and Salt Security. In red we show the amount of capital raised according to Crunchbase.
This past week at QlikWorld 2023, we had the opportunity to sit down with Drew Clarke, who heads strategy for Qlik, a company that has been highly acquisitive for the better part of the past six years. He cited four key criteria that are necessary to have a successful acquisition: 1) alignment of vision; 2) technology fit; 3) culture; and then and only then 4) financial.
There’s not a big difference across the three companies in the ETR data with respect to customer overlap. But it’s clear that Noname and Salt Security would be far more expensive than Neosec, assuming the Crunchbase data is correct. Strom has been following Akamai’s acquisitions for years, so we asked him for his thoughts on this particular acquisition.
Well, Akamai I think generally makes very well-reasoned and well-timed acquisitions because they have to maintain an absolute trust in the quality of their infrastructure. I mean, the biggest websites in the world are running over Akamai. And so they have to have the tightest security and the most error free [experience]. Google uses them, Microsoft uses them. So this is a good idea for Akamai. A lot of their acquisitions – over 30 of them – are companies who you’ve never heard of. One of the more recent ones was Linode, which is an open-source community for all sorts of coding practices. They [Akamai] probably tried out their API security and thought that Neosec was a solid product.
David Strom explains Akamai’s acquisition approach and likely logic behind the Neosec move.
No shortage of emerging tech M&A candidates in cybersecurity
Staying with those privately held emerging tech companies, we want to share a high level view of what’s in the ETR database. The graph below shows privately held companies in the ETR Emerging Technology Survey grouped by security subsector. You can see in the top group there are 17 cloud and 15 identity security companies. They’re the most crowded. Group 2 is AppSec and intrusion detection and prevention. Then there’s assessment, container and IoT security and so on.
We’ve highlighted identity to emphasize our identity crisis theme and we’re going to talk more about that in a moment. But we discussed with Strom the possibility that cloud and identity are overcrowded and whether there is really a need for this many nonpublic companies. The following summarizes the conversation:
The space is complex and diverse. But while there are many companies, there’s a need for specialized solutions to tackle various security challenges, because generally the industry is not addressing them in a comprehensive manner. No company has one security supplier. Buyers typically employ multiple security suppliers and tools to ensure adequate protection, creating a mixture of solutions that can address different vulnerabilities.
However, the discussion also highlights a concerning trend: the continuous addition of new security tools without ever getting rid of older ones. This practice can create more problems, as IT managers are often afraid to terminate a security product for fear of exposing their systems to potential exploits. Ironically, this can result in unpatched and outdated tools becoming the very entry points for attackers to exploit.
Listen to the conversation as to whether the cloud and identity markets are overcrowded.
Identity and access management under the magnifying glass
Was Auth0 the right move for Okta?
Staying on the theme of identity – let’s take a look at some of the major players in that space.
The chart format below from ETR is one we often use on Breaking Analysis. The vertical axis represents Net Score, which measures spending momentum, or the net number of customers spending more on a specific platform. The horizontal axis is Pervasion, or the number of mentions divided by the total segment N. For a moment, we will focus on two companies, Auth0 and Okta, which we have discussed before. While we didn’t like the acquisition price ($7 billion), we appreciated the concept behind Okta’s acquisition.
The squiggly lines show the progression of Auth0 and Okta over the last several quarters. Okta had off-the-charts spending momentum during the pandemic, and its stock was performing well. However, it had a benign hack and a botched communications effort that hurt it, and it has struggled to integrate Auth0. On the rightmost side of the chart, we see Cisco, which has a large presence because it includes all of Cisco’s portfolio, including Duo. As well on the graphic we see the positions of CyberArk, SailPoint, BeyondTrust, Ping Identity and OneLogin.
We asked Strom his opinion on Okta’s Auth0 acquisition. Here’s what he said:
I thought it was an interesting move. I don’t know if it was good or bad. The price was ridiculous, but they’ve really been maintained as two separate companies. You know, Okta’s more for external, IAM, and for integrating thousands, like 7,000 SaaS apps and third-party apps that they can do single-sign-on with. Auth0 is more for app dev and internally developed apps where you’re gonna be building your code from scratch and there is a bridge that can connect the two sides of the organization. But they really are two kinds of different companies. They almost compete with each other. I mean, both have multifactor authentication, both have SSO, both have passwordless things, so it’s odd that they’ve kept the two entities at arm’s length. It’s ironic because Auth0 probably has a really good app dev story and Okta has a really good integration story.
The acquisition happened about two years ago, so I don’t know what’s going on there. I think most of the people that needed Okta have bought it already, you know, probably it’s in 495 of the Fortune 500. And the other problem is these are not tools that a lot of people use. Even at a large company, you probably have one or two SSO people that do the whole thing and that’s what makes it such a powerful tool. They can handle the entire company’s login and password collection and there’s not much more of a need for more people to do that. So it’s a very, very specialized IT skill.
The rest of the identity pack
As it pertains to the other players in the chart above, over the last five years, the identity access and security market has seen significant expansion. Many companies were slow to adopt cloud technology, but now these companies all offer cloud-based products and have identity connectors for various applications. Additionally, they have developed different tools to cater to the needs of their clients. As a result, early adopters of these solutions continue to use them, and market share has expanded. For instance, according to Strom, Ping Identity is widely used in Walmart, powering thousands of computers. Once a customer buys a license for a specific number of computers, they tend to stick with the same provider, unless something significant happens. In summary, while the market is expanding, customer loyalty is strong, and it takes a significant event to sway them from their preferred provider.
Possible identity and access management acquisitions
Let’s take a closer look at the data below, which was developed from ETR’s TSIS.
Last week, we identified potential acquirers and have done that here again. This week we include Cisco, CrowdStrike, IBM, Palo Alto Networks and Zscaler as possible buyers. And we pulled 15 emerging technology companies in the IAM sector from the ETS (emerging tech) survey to plot against them. The resulting chart above shows the overlap of these companies, with 770 N in the six potential buyer companies mentioned previously. Net sentiment, a measure of intent to engage, is on the Y-axis, and mindshare, the number of mentions, is on the X-axis. While there are other identity players in the market, not shown in the chart, this provides valuable insights into the market and potential acquisition targets.
Notably, BeyondTrust and 1Password stand out from the crowd. We asked Strom if this was surprising, and if so, why?
Yeah, particularly 1Password, that’s a consumer password manager. If you’ve got an SSO tool that’s working for you in your company, you’re not gonna buy a 1Password type of product. You might start out with a password manager for a small development group, for example, so that you don’t have to remember all your passwords, but eventually you’re going to migrate to an SSO tool because you don’t want to know what your passwords are. You’re going to want to have some software that takes care of that. So that automatically logs you in when you bring up your screen in the morning when you start working. All your apps are right there on your desktop. You don’t have to sit there and say, ‘Oh, now what was the password for that?’ So to me, that shows either the SSO tools aren’t working in those organizations or they don’t have somebody that’s competent to roll them out; or that they’ve been using that personally on their home computers because they’re now working remotely and they need something that they can use that is not part of the corporate SSO tool.
Listen to David Strom explain why 1Password’s presence in the enterprise surprised him.
What to watch for at RSA 2023
Building on last week’s ‘what to watch for at RSA,’ let’s wrap up and summarize the closing conversation with Strom.
Data protection as an integral part of cybersecurity
It’s critical that companies take backup and recovery seriously, especially when it comes to cybersecurity. In fact, it’s an essential component of cybersecurity. Ransomware attacks are becoming more and more prevalent, and the first thing these attacks do is disable volume shadow copies on Windows and exfiltrate backup data. Without proper backups, companies are leaving themselves vulnerable to these kinds of attacks.
It’s alarming that even after years of dealing with ransomware, companies are still not implementing proper backup and recovery measures. According to recent statistics, 100% of the ransomware attacks analyzed by one company resulted in the encryption of the backup corpus. This makes it clear that companies must take a more proactive approach to backup and recovery, implementing systems that ensure data immutability and physical air gap protection.
As noted industry data protection guru Fred Moore says, “Backup is one thing, recovery is everything.” You can make all the backups in the world, but if you can’t recover from them, they’re useless. And yet, many companies don’t even bother to test the recovery of their backups, leaving them vulnerable to a variety of disasters, from bad weather to bad actors to human error.
In short, if companies don’t take backup and recovery seriously, they’re putting themselves at serious risk. This is not something to be taken lightly or ignored. As we head into RSA and other industry events, it’s critical that companies are aware of the importance of backup and recovery in their overall cybersecurity strategy.
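As an added example, not the page’s own code, the following Python script shows the recovery test the passage above calls for: build a backup together with a hash manifest kept apart from the backup set, restore it into a scratch directory, verify every file against the manifest, and then repeat the check after the archive has been overwritten with random bytes to stand in for a backup set that was encrypted in place. The sample files, paths and function names are constructed for this illustration.

```python
import hashlib
import os
import tarfile
import tempfile

# Constructed sample data set; nothing here comes from a real system.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.ini": b"[server]\nport = 8443\n",
    "docs/runbook.md": b"# Restore runbook\n1. Verify manifest hashes.\n",
}


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return a manifest of relative path -> SHA-256.

    The manifest must be stored away from the backup set (immutable or
    offline storage), otherwise whoever rewrites the archive can rewrite
    the evidence used to check it as well.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore into restore_dir and check every manifest entry.

    Returns a report rather than raising, so a scheduled job can record
    'this backup cannot be restored' instead of silently failing.
    """
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # Python 3.12+ safe extraction
            except TypeError:  # older interpreters lack the filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError) as exc:
        # An unreadable archive (corrupted or encrypted in place) means zero
        # recoverable files, which is exactly the condition to alarm on.
        return {"ok": False, "verified": 0, "missing": sorted(manifest),
                "mismatched": [], "error": str(exc)}

    missing, mismatched = [], []
    for rel, expected in manifest.items():
        restored = os.path.join(restore_dir, rel)
        if not os.path.isfile(restored):
            missing.append(rel)
        elif sha256_file(restored) != expected:
            mismatched.append(rel)
    verified = len(manifest) - len(missing) - len(mismatched)
    return {"ok": not missing and not mismatched, "verified": verified,
            "missing": missing, "mismatched": mismatched, "error": None}


def run_demo():
    """Back up the sample tree, prove it restores, then prove the check
    notices when the archive has been replaced by random bytes."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest, os.path.join(work, "restore-clean"))

        # Stand-in for a backup set encrypted in place: same size, random contents.
        size = os.path.getsize(archive)
        with open(archive, "wb") as fh:
            fh.write(os.urandom(size))
        tampered = verify_restore(archive, manifest, os.path.join(work, "restore-tampered"))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    report = run_demo()
    print("clean backup restorable:", report["clean"]["ok"], "verified:", report["clean"]["verified"])
    print("tampered backup restorable:", report["tampered"]["ok"], "error:", report["tampered"]["error"])
```

The point of running this on a schedule rather than once is the one Moore’s line makes: a backup that was restorable last quarter says nothing about the copy sitting on disk today, and a job that actually extracts and hashes the set is what turns “we have backups” into “we can recover.”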
The scourge of passwords: Is passwordless a possibility?
The idea of a passwordless world has gained significant attention in recent times. Netflix has been in the spotlight for announcing plans to restrict password sharing in certain areas. This move has sparked concern among users as it may make it difficult for them to access content. However, it is not hard to track users who share passwords, as it involves simply tracking IP addresses.
Despite the growing interest in passwordless authentication, according to Strom it is unlikely to be achieved anytime soon. Although the Fast Identity Alliance, comprising tech giants such as Apple, Microsoft and Google, has agreed on a general strategy for implementing passwordless solutions, the devil lies in the details. Each company has its own approach, which is not yet ready for enterprise users. It may take another year or more for a passwordless future to become a reality, according to Strom.
The role of public policy in cybersecurity
In our view, it is clear that the government’s efforts towards public policy in the cybersecurity space have been lackluster. Despite the executive orders and mandates, the recently released national cyber strategy falls short in terms of coordinating government and private sector efforts towards cybersecurity. This is especially concerning given the increasing number of nation-state actors using cyberattacks to cause harm. The lack of a national privacy policy only adds to the complexity and challenges faced by companies trying to navigate the varying privacy laws across different states. The public-private partnership, which is crucial to combating cyberthreats, is currently failing in the United States in our view. We believe a more concerted effort is needed to integrate cybersecurity into public policy with less finger-wagging and unfunded mandates and better, more cordial collaboration.
Conferences are back and RSA is expected to be massive
As we look at the trends in attendance at industry events, it’s clear that the landscape has shifted significantly since RSA 2020, the last major conference prior to the COVID-19 pandemic. Although physical events have returned, they are generally smaller in size, especially the vendor-hosted events. We’ve seen companies like Palo Alto Networks and Couchbase opt for roadshows rather than large-scale events, while IBM Think has downsized considerably. However, independent events such as RSA, MWC (formerly called Mobile World Congress) and NAB by the National Association of Broadcasters have seen significant growth in attendance.
One key factor driving this shift is the increasing popularity of hybrid events that offer both in-person and virtual attendance options. Companies that can successfully navigate this new landscape will have the opportunity to expand their audience beyond traditional physical events. RSA is taking steps in this direction with some streaming sessions scheduled for this year’s event, which has been exclusively virtual in recent years up until last year.
As the industry continues to adapt to the challenges of the post-pandemic world, it will be interesting to see how companies evolve their event strategies to maximize engagement and reach their target audience effectively. The shift toward hybrid events is likely to continue, and companies that can deliver engaging, high-quality experiences both in person and virtually will be the ones that succeed in this new era of event attendance.
TheCUBE @RSA 2023
Of course there will be lots of morning and evening events at RSA this year. We’ve counted around 131 events/parties on the list. TheCUBE will be on Broadcast Row in Moscone West all week in booth BA-06. We’ll be pushing out content on all four days with a full team of analysts, CUBE hosts and journalists at the event.
Please do stop by and see us and if you have an interesting story we will try to get you on the program.
Keep in touch
Thanks to Erik Bradley, for his ongoing partnership and contributions to Breaking Analysis. Thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.
Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.
Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.
Here’s the full video analysis:
All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.
Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.
Image: Ra2 Studio/Adobe Stock