[00:00:00] Anna Delaney: Hello, I'm Anna Delaney and welcome to the ISMG Editors' Panel, where I'm joined by three brilliant ISMG colleagues to discuss and dissect the latest security trends and technologies. Party time again this week with Marianne Kolbasuk McGee, who leads our healthcare coverage, Michael Novinson, who heads our business analysis, and last but not least, our cybercrime wiz Mathew Schwartz. Great to see you all again today. Where are you, Michael?

[00:00:29] Michael Novinson: I am at DePasquale Plaza in Providence's Federal Hill neighborhood. It's about the closest you can get to Europe without actually going to Europe. It's the historic Italian American neighborhood in Providence; they've got the pine cone hanging when you enter, the median in the road is painted red, white and green for the Italian flag, and you can find some great ravioli and gelato. So, not a friend and last week took them over there, had a great time.

[00:00:54] Anna Delaney: Yeah, it does have that Italian feel to it. It's gorgeous. And as long as there's gelato, we are all good. Marianne, a beautiful landscape again today. Is that early in the morning?

[00:01:08] Marianne McGee: Oh, actually last evening, again, taking the dog for a walk. It's a golf course that's not that far from where we live. So yeah, just before sundown.

[00:01:21] Anna Delaney: Nice. Nice pink skies. Mathew, some street art again. Love it.

[00:01:26] Mathew Schwartz: Thank you very much. I'm hanging out outside Shotz, which is a pool and snooker hall here in Dundee, Scotland, but I just love the 8 Ball.

[00:01:35] Anna Delaney: Yeah, very cool. And I'm in Paris, why not? Outside a flower shop. I thought it was appropriately pretty, spring-like. So there you go, sharing it with you today. Mathew, starting with you then. For over a year now, quite honestly, the cybersecurity world has been focused on one country and the dynamics that's caused the invasion of Ukraine, so Russia's movements and how that will impact the cybercrime world. And you've reported that some experts say that the Kremlin may be preparing for intensified cyber operations ahead of the spring offensive. So just talk to us about what they're saying. And what's the reasoning behind this?

[00:02:18] Mathew Schwartz: Yes, so it's been over a year now since Russia intensified its invasion. And what happens next isn't clear, although there is open-source intelligence and reporting, for example, from the British military, about what they think Russia might be preparing to do. And so British intelligence has reported that since early January, there have been signs the Russian military's attempting to restart major operations, in particular, to try to recapture an area in the eastern part of the country. Now, one of the fascinating things to me about cyber operations during this conflict: there's two main things really. One: the cyber war everyone was expecting never came to pass. And I think there's going to be volumes of PhD theses written about why this didn't happen. But the short version seems to be it's easier to use things like missiles and artillery to hit targets than to expend valuable zero days to attempt to achieve the same effect. So we've seen cyber used in more supplemental ways throughout the conflict. And the other really interesting thing to me is we've seen organizations such as Microsoft, which has a massive in-house Threat Intelligence division, among other organizations - Google's another - really sharing some interesting insights about what exactly is going on when it does come to these cyber operations. So Microsoft has just put out a report recently: we're seeing an uptick in, for example, ransomware being used in the conflict, not as part of a money-making scheme, but rather for destructive activity. There are signs that Sandworm, a well-known Russian state attack group, has been honing its destructive malware capabilities. Again, everyone was expecting destructive malware, they were expecting reprisals against the West or anybody who helps Ukraine. Largely, we haven't seen this come to pass, thankfully. We did see some wiper malware, but it seems to spike. So, with the invasion last February 24, we saw a lot of wiper malware in March and April, and then it really declined. There was a small surge, however, at the end of 2022, and there's a suggestion that maybe Russia has gotten its wiper malware reserves back up and is ready to use them again. But what seems to be happening - and the Ukraine government said this as well in a report that it recently released, recapping what it has seen during 2022 - what seems to be happening is while Russia has got some really great cyber capabilities, it's keeping them for stealth. And that means for cyber espionage efforts, which it will attempt to run over the long term, as we saw, for example, with SolarWinds, which has been attributed to the SVR, Russia's foreign intelligence service. So, to again, with Sandworm, which is part of Russia's GRU military intelligence agency, when they have these capabilities, they like to keep it low, slow, quiet, so that they can use them, in particular, against organizations that are supporting Ukraine, not necessarily to disrupt their systems, but for classic intelligence efforts, meaning trying to divine what decision-makers are thinking, what they're planning on doing, which is the role of intelligence. Intelligence helps organizations - not organizations - helps keep countries from going to war, or if they are at war, to hopefully make the conflict less intense, because if you know what they're going to do, you can react, hopefully in a more low-key manner. And so this is Russia wielding its intelligence capabilities. Again, we have seen cyber; it hasn't been the flavor of cyber or the extremes of cyber that some may have thought. But we're continuing definitely to see that. And Russia is refining its efforts, still seeing phishing attacks, all that sort of thing, but espionage over outright hitting-you-over-the-head-with-the-cyber-operations. That's what we've seen so far in the conflict. And that's what these experts are predicting we'll see more of.

[00:06:51] Anna Delaney: Very interesting, and I recommend anybody watching this now to go and watch your interview with Alexander Leslie, analyst researcher at Recorded Future. I thought that was fascinating. And it looks at how this space has evolved, how the cybercrime, especially for Russian cybercriminals, how they've shifted over the year. And what I found fascinating, in particular, this talent drain from Russia and Ukraine, the role of hacktivism. And the impact on the Russian-speaking brotherhood is very interesting. So what was your main point of interest from that interview, or anything that surprised you? Love your perspective.

[00:07:29] Mathew Schwartz: Right, so yeah, I was talking about Microsoft's threat intel, Ukraine's threat intel, so many fascinating aspects have come out of the conflict. Horrible though it is. One of the upsides we've seen, though, is, as you mentioned, Alexander Leslie, Recorded Future, he's deep into the Russian cybercrime underground and analysis. And he's seen a brain drain, an IT brain drain from Russia, Ukraine and some of the neighboring states. And this brain drain has included criminals. And he said a lot of criminals, it's not clear what's going to happen. They fled. And so these local networks they were plugged into are gone. And maybe they're turning up in other countries, maybe they've emigrated to Western Europe, for example, and they seem to be keeping their heads down. So that's been one of the main takeaways for me: we just don't know how this is going to shake out. So much cybercrime is associated with Russian speakers. But when those Russian speakers are no longer in Russia, in this safe haven they have had - provided they don't attack Russia - what happens next? Hopefully, there'll be a diminishment in cybercrime. Obviously, where crime is concerned, we don't know. Thieves love to thieve. So we'll see what happens.

[00:08:43] Anna Delaney: As ever, great work, Mathew. And yeah, I look forward to hearing about what happens next. As you say, not great news for the world. But interesting in terms of threat intelligence and where this is all moving. Marianne, you have written this week about an Alabama cardiovascular clinic, which is facing a proposed class action lawsuit. What are the details?

[00:09:06] Marianne McGee: Well, as we often see in large data breaches, you know, once there's a large data breach reported, and particularly in the healthcare sector, there's sort of a race to file class action lawsuits against the breached entity. And as you mentioned, the case that I wrote about this week - and there's been so many of these cases - but I'll tell you why this is unusual. This case involved an Alabama-based cardiovascular practice called Cardiovascular Associates. And the lawsuit was filed by one of nearly 442,000 individuals who are affected by this data exfiltration breach that the clinic reported last month to the Department of Health and Human Services. Now in this breach, there was a wide range of sensitive patient data compromised, including personal, clinical and financial information. And like other proposed class action lawsuits that get filed in the aftermath of a data breach, the plaintiffs and class members in the CVA lawsuit are seeking monetary damages. But what stood out to me in reading the lawsuit complaint was there is also a long list of very detailed kinds of security improvements that the plaintiffs and the class members are also seeking from CVA as part of injunctive relief. That includes CVA implementing and maintaining a comprehensive information security program, encrypting old data, implementing data segmentation, but then also requiring 10 years of annual court-monitored SOC 2-type attestations that would be conducted by an independent third-party assessor. Now it's become more common for class action lawsuits in breach cases to include demands that a breached entity improve its security. But this was one of the more detailed requests that I've seen in a lawsuit complaint. So far, not much has been revealed by CVA about what happened in the security incident. CVA reported the breach to federal regulators as a hacking incident involving a network server, and CVA said in its breach notice that the incident involved unauthorized access and removal of a copy of data from the network between November 28 and December 5 of last year. But beyond that, the organization has not been very forthcoming about other details, such as whether ransomware was involved or something else. So because we don't know exactly what sort of incident occurred, that could explain why this lawsuit against CVA pretty much throws the kitchen sink at the entity in terms of all the security improvements that are needed. That lawsuit includes allegations, as many other lawsuits often do in the healthcare sector, that CVA failed to implement security guidelines called for under the Federal Trade Commission, HIPAA regulations, and also the NIST Cybersecurity Framework. But also in the future, it'll be interesting to see if these kinds of lawsuits also end up citing other regulatory failures by breached entities, such as failures to implement any of the yet defined minimum security standards that are being called for under the Biden administration's National Cybersecurity Strategy, especially as it involves critical infrastructure sectors like healthcare. So it's sort of an interesting case, there's so many of them, but like I said, this one's pretty detailed in what it wants this entity to do.

[00:12:58] Anna Delaney: So many of them, as you say, and so what can other healthcare entities take away from this?

[00:13:03] Marianne McGee: Well, you know, again, some entities are more forthcoming than others in terms of how much information they'll, you know, divulge about their breach. You know, whatever the failings were of CVA, they might be similar to what other entities are facing, you know, and not only in their day-to-day operations, while they might be avoiding a breach, and sooner or later, something like this could happen to them, too. So it's, you know, it's just one of these things that you don't want it to happen to you next sort of thing.

[00:13:37] Anna Delaney: Absolutely. Thank you, Marianne. Well, Michael, you were looking at the Gartner Magic Quadrant for endpoint protection. What are some main takeaways for you?

[00:13:47] Michael Novinson: Absolutely. And thank you for having me, Anna. So I think the top of the latest Magic Quadrant for endpoint protection is not a huge surprise. The category leaders at this point are pretty clear, it's CrowdStrike and Microsoft. You look at market share data, you look at growth rates, they are head and shoulders above the rest of the field, growing much faster than the endpoint security market as a whole. Market share is double or triple that of any of their competitors. And the Gartner Magic Quadrant is firm, from a technology standpoint, that their analysts and the customers they interact with find it superior in terms of the range of use cases it can address, in terms of the different form factors, in terms of its efficacy at stopping threat actors. So, the top was not a huge surprise. What was interesting is, as you started to move down, how they saw the rest of the market shaping up, but there certainly was some just disalignment between kind of market share data versus where the MQ was. And I guess that makes sense, that the MQ is trying to predict where the market is going rather than simply telling you, "Here's where the market is today." So they really are leaning into these next-gen pure-play EDR providers. You saw SentinelOne is up there, which they had been last year, too. You saw Cybereason move up into the leaders quadrant, even though they're not in the top 10 of market share whatsoever, and they have had some layoffs in the past year. And then you saw in the other direction, you saw Trellix ended up as a niche player, even though a year ago, they were evaluated as McAfee before their merger with FireEye and they were a leader. So you're seeing longtime companies at the leaders quadrant, Symantec under Broadcom's ownership is not a leader, even though both of those companies have pretty large market share. So I think they are looking for companies who have focus in the market. Some of the things that were relevant to the Gartner analysts were really around who is adopting this technology at this point, is that the endpoint protection market's fairly mature, that large sophisticated organizations with decent-sized security budgets have either a next-generation offering or they have a cloud-based offering. And really at this point, the remaining adopters who are still maybe on a more conventional on-premises, antivirus signature-based platform are really some of the smaller, less sophisticated, more resource-constrained companies. So really, what Gartner put a lot of weight on is how capable a vendor was in supporting smaller, less sophisticated buyers. So they really were looking for MDR; they actually held off on publishing the MQ because they wanted to take a deep dive into what companies were doing around MDR, how many customers were consuming their endpoint protection on a managed basis, as well as what the road map looks like around MDR. So that really did help a company like Cybereason, which, according to Gartner, has a larger percentage of its customers consuming endpoint protection via a managed service than any other vendor who they evaluated. Conversely, Trellix, who had historically, on the FireEye side, had a large managed security division through the fact that you had FireEye products and then Mandiant services. But since FireEye was split off from Mandiant, they're no longer together. Gartner thought that over time that would really impede their ability to deliver as a managed service, especially since the two were only really tied together for three years at this point. So that was a big deal. Then obviously, the other thing that's hanging over this is really the question of standalone EDR versus XDR. And certainly, some of the broader platform vendors had some quibbles with Gartner, saying that if you really only have native endpoint telemetry, if you're CrowdStrike or SentinelOne or Cybereason, and you're really focused on the endpoint, how can you do what we're able to do at Trend Micro or Microsoft or at Sophos, where we get network telemetry, and we have email telemetry, and we have all these different points, which we're able to natively ingest and reach broader conclusions. So there's really, I think, a question of how are customers procuring this technology: are people really procuring endpoint protection separate of XDR? Are they looking to buy their endpoint and their network and their cloud security from a single vendor? So the consolidation question is always top of mind.

[00:18:26] Anna Delaney: So, you said it also looks at the year ahead, how the space will evolve. What's going to happen?

[00:18:33] Michael Novinson: So, good question. I mean, I think certainly at the top, I think there's little doubt that as contracts come up and folks look for renewals, that CrowdStrike and Microsoft are the top choice. What the analysts from Gartner outlined is just kind of which companies appeal to which buyers the most. CrowdStrike is really that technical buyer, those large, sophisticated companies in sectors like financial services, whether it's somebody who's really looking at the efficacy of technology, then CrowdStrike is just the Ferrari and those people love it. Microsoft tends to be most popular with kind of a non-security buyer. If you're having a CIO or you're having other members of the C-suite, the CFO, and they are in really the consolidation that they're able to do with those E3 and E5 licenses, where they're able to bundle some of the office productivity with some of the security and you reduce your vendor stack, and that's really appealing to maybe a non-security buyer. And then SentinelOne, who really came in in third place essentially in the quadrant, has done a lot around on-premises deployments and being able to support not just Windows OS but a lot around legacy and current generation Linux and Apple, then SentinelOne tends to be a popular choice for folks in manufacturing or maybe in retail, who have a little bit more specialized need. SentinelOne has a pretty broad range of environments that they can support. So that was certainly one piece of it. And then I think the other piece is really just going to be around how this market shakes out, that you have companies who've been around a long time. And you also have companies like Cybereason who aren't yet public. We've seen a lot of consolidation already in this market, with the formation of Trellix, with Broadcom Symantec, now with potentially VMware and Broadcom coming together, which would bring together the legacy Symantec Endpoint with the legacy Carbon Black Endpoint. And so I think just watching continued consolidation and how vendors can manage bringing two disparate platforms together while minimizing disruption for customers is going to be interesting in the year ahead.

[00:20:46] Anna Delaney: Very good, thorough analysis, as always. Thank you, Michael.

[00:20:49] Michael Novinson: Welcome.

[00:20:50] Anna Delaney: So finally, as spring is in the air, the day is beginning to feel brighter and lighter. I'd like you to share something we can all feel positive or hopeful about as an industry.

[00:21:03] Michael Novinson: I could start. So this is going to be a little sneak peek. I might go into this in more detail in a future Editors' Panel. But I've been crunching some data around headcount in the security industry, particularly with public companies. And the good news is that despite all the layoff announcements, headcount is growing, and among publicly traded security companies, the average public company grew their headcount 15 to 20% last year, despite the economic headwinds. So I think really, the big point is that headcount is much more tied to revenue than stock price. So even though public companies' stocks took a major beating, if companies were growing their revenue by 20, 25, 30%, they need additional boots on the ground, feet in the SOC, in order to support all these new customers and the expanded deployment. So hiring is continuing aplenty in cybersecurity.

[00:21:52] Anna Delaney: Interesting observation. Thanks, Michael. Mathew, go ahead.

[00:21:56] Mathew Schwartz: Sure. So one of the things that gives me hope is the continued disruption by law enforcement of cybercrime groups or individuals accused of being involved. For example, we just recently had the takedown of the alleged administrator of BreachForums, aka Breached. And after he got arrested, it was taken over by a new admin, who subsequently shut it down because he reported seeing something unusual that made him worry it had been infiltrated by law enforcement. Was it or wasn't it? Who cares? Because it's ended up in this disruption, not just of the alleged administrator, but of this cybercrime forum he was running - was allegedly running - that was buying, selling all kinds of information. So I love this law enforcement disruption model where they don't just arrest the alleged perp, but they manage to inject some uncertainty into the proceedings, to the point where, yes, this may get restarted in a different guise. But the more disruption we see, the better it is.

[00:23:09] Anna Delaney: Very clever and positive news. Absolutely. Marianne?

[00:23:14] Marianne McGee: Well, I don't think anyone likes more regulation. But, you know, coming the spring, probably into summer, we'll see maybe some more clarity from the Department of Health and Human Services about some of its plans for the HIPAA rules moving forward. They've been kind of floating, you know, so-called modifications for a while. And then also there's some new guidance that will be coming out, joint guidance that's been developed by the Department of Health and Human Services and the Health Sector Coordinating Council for healthcare industry cyber best practices. Again, you know, probably some heavy reading there, but it could be helpful to the industry.

[00:23:59] Anna Delaney: Absolutely. Positive news all round. This is great. Fun, as always, as well. So Michael, Marianne, Mathew, thank you so much for joining me.

[00:24:07] Mathew Schwartz: Thanks, Anna.

[00:24:08] Marianne McGee: Thanks, Anna.

[00:24:10] Michael Novinson: Thank you.

[00:24:11] Anna Delaney: And thanks so much for watching. Until next time.