WEBVTT 1 00:00:00.120 --> 00:00:02.970 Anna Delaney: Hello, this is our weekly edition of the ISMG 2 00:00:02.970 --> 00:00:05.640 Editors' Panel. I'm Anna Delaney. And I'm joined by three 3 00:00:05.670 --> 00:00:08.610 of my excellent colleagues to share their take on the latest 4 00:00:08.610 --> 00:00:12.960 cybersecurity stories. And those teammates are Tom Field, senior 5 00:00:12.960 --> 00:00:16.290 vice president of editorial, Tony Morbin, executive news 6 00:00:16.290 --> 00:00:19.860 editor for the EU, and Michael Novinson, managing editor for 7 00:00:19.860 --> 00:00:21.960 ISMG business. Great to see you all. 8 00:00:22.710 --> 00:00:24.690 Tom Field: Happy, it's summer. 9 00:00:25.530 --> 00:00:30.150 Anna Delaney: So, Tom, stunning background as always. Tell us 10 00:00:28.740 --> 00:00:31.110 Tom Field: Stunning summer! The first weekend of summer. As you 11 00:00:30.150 --> 00:00:30.270 more. 12 00:00:31.110 --> 00:00:33.780 recall, last week, when we were here, we had just come from our 13 00:00:33.780 --> 00:00:38.580 New York cybersecurity summit. And I had nothing but Times 14 00:00:38.580 --> 00:00:41.940 Square buildings in the view behind me. I got home on 15 00:00:41.940 --> 00:00:45.660 Wednesday. And by Friday, I was seeing this site, which is the 16 00:00:45.660 --> 00:00:47.970 lake right out in front of my lake home where I spent the 17 00:00:47.970 --> 00:00:51.150 weekend just unwinding and enjoying the first weekend of 18 00:00:51.150 --> 00:00:52.410 summer 2022. 19 00:00:52.780 --> 00:00:57.700 Anna Delaney: Fabulous! It looks like a painting. Tony, to 20 00:00:57.700 --> 00:00:58.540 another piece of art. 21 00:00:58.780 --> 00:01:00.850 Tony Morbin: Going to have to apologize to the Greeks here 22 00:01:00.850 --> 00:01:03.910 because it's the Parthenon Marbles. 
Currently at the 23 00:01:03.910 --> 00:01:06.490 National Gallery, although there's a lot of moves to get 24 00:01:06.490 --> 00:01:09.250 them back to Greece, but they're a lovely sight here. So I 25 00:01:09.250 --> 00:01:12.010 thought a bit of you know, see them while they're still here. 26 00:01:12.480 --> 00:01:15.000 Anna Delaney: Topic of hot debate. But great to see them. 27 00:01:15.300 --> 00:01:17.280 And Michael, I love this. 28 00:01:17.750 --> 00:01:19.790 Michael Novinson: Oh, thank you. It's no bad. But this is 29 00:01:19.790 --> 00:01:22.520 actually the Looff Carousel in Pawtucket, Rhode Island. And is 30 00:01:22.520 --> 00:01:27.110 the oldest continuously operating stationary carousel in 31 00:01:27.140 --> 00:01:31.040 the country, the United States, has gone for 127 years now since 32 00:01:31.100 --> 00:01:36.200 1895. It's the cup, the price is good. It's 50 cents a ride; 33 00:01:36.230 --> 00:01:38.900 children under two ride free. And the rides last nearly 10 34 00:01:38.900 --> 00:01:43.010 minutes. So very fun thing, if any of you find yourselves in 35 00:01:43.010 --> 00:01:43.610 Rhode Island. 36 00:01:44.060 --> 00:01:52.010 Tom Field: Not far from Boston, Anna, when you visit the 37 00:01:46.660 --> 00:01:49.942 Anna Delaney: Oh, I'm there. While I'm still in New York in 38 00:01:50.015 --> 00:01:54.611 my head this week. This is the interior of the Met Opera House. 39 00:01:54.684 --> 00:01:59.280 So, it's definitely a feast for the eyes and the ears. That's a 40 00:01:55.490 --> 00:01:56.000 northeast. 41 00:01:59.353 --> 00:02:03.365 reality. Tom, we are midway through 2022; we'll be just 42 00:02:03.438 --> 00:02:06.940 over. What's the top theme of this year for you? 43 00:02:06.690 --> 00:02:09.606 Tom Field: Oh, that's a good point. We are as we start to 44 00:02:09.670 --> 00:02:13.538 going into the weekend, we are in the second half of 2022. 
As 45 00:02:13.602 --> 00:02:17.533 you look back on the first half of this year, I think you have 46 00:02:17.597 --> 00:02:20.957 to say that the story of the year has been the Russia 47 00:02:21.021 --> 00:02:24.699 invasion of Ukraine, now for several reasons. One, this is 48 00:02:24.762 --> 00:02:28.440 the nation-state-driven cyber war we have talked about for 49 00:02:28.504 --> 00:02:32.435 decades. For a long time, we've talked about what would happen 50 00:02:32.499 --> 00:02:35.923 if there was a nation-state hostility, and cyber was a 51 00:02:35.986 --> 00:02:39.918 critical component of it. We've seen it now. It involves other 52 00:02:39.981 --> 00:02:44.040 nations. You know, I don't want to escalate this to the state of 53 00:02:44.103 --> 00:02:47.908 a world war. But you're seeing other nations get involved in 54 00:02:47.971 --> 00:02:51.205 this partisan nations in addition to other nations' 55 00:02:51.269 --> 00:02:55.010 partisan forces. I don't think that we sat back and foresaw 56 00:02:55.074 --> 00:02:58.688 ransomware gangs getting involved in this conflict on one 57 00:02:58.751 --> 00:03:02.556 side or the other. I don't think we foresaw the power of the 58 00:03:02.620 --> 00:03:06.424 hacktivist community to come in and exert their force or for 59 00:03:06.488 --> 00:03:09.976 that matter, freelance cybersecurity professionals that 60 00:03:10.039 --> 00:03:13.717 want to aid Ukraine or lend them their power in one way or 61 00:03:13.780 --> 00:03:17.395 another. I don't think we foresaw that. And I think as we 62 00:03:17.458 --> 00:03:21.200 sit here, you and I've been a part of so many conversations 63 00:03:21.263 --> 00:03:25.385 over the past few months, at our conferences, you at RSA, and you 64 00:03:25.448 --> 00:03:29.316 can't help but talk about the residual impact of this and the 65 00:03:29.380 --> 00:03:32.297 impact on critical infrastructure and how this 66 00:03:32.360 --> 00:03:36.228 affects ransomware. 
And how it affects cybercrime. And bottom 67 00:03:36.292 --> 00:03:40.097 line is, we don't know. And as we go into the second half of 68 00:03:40.160 --> 00:03:43.965 the year, I think this becomes one of the overriding stories 69 00:03:44.028 --> 00:03:48.023 still, there's no end in sight. There's no clear victory in the 70 00:03:48.087 --> 00:03:51.828 sight. We don't know how these storylines are going to play 71 00:03:51.891 --> 00:03:55.569 out. But we do know, they're gonna significantly influence 72 00:03:55.633 --> 00:03:59.311 the conversations we have and the decisions we make in the 73 00:03:59.374 --> 00:04:00.960 second half of this year. 74 00:04:01.410 --> 00:04:03.240 Anna Delaney: Absolutely, and since there was, in fact, 75 00:04:03.240 --> 00:04:06.690 warning at RSA to not get too complacent just because you've 76 00:04:06.690 --> 00:04:10.050 not experienced a massive cyberattack as a result of the 77 00:04:10.050 --> 00:04:13.590 war. And I had an interesting conversation with Elvis Chan of 78 00:04:13.590 --> 00:04:19.200 the FBI in San Francisco, who was really worried about cyber 79 00:04:19.320 --> 00:04:23.730 retaliatory attacks on behalf of the Russians, and in particular, 80 00:04:23.850 --> 00:04:26.790 infrastructure, critical infrastructure, election 81 00:04:26.790 --> 00:04:30.750 infrastructure, energy sector, transportation and the financial 82 00:04:30.750 --> 00:04:34.860 sector. So he's concerned about three types of attacks: 83 00:04:34.860 --> 00:04:38.460 coordinated ransomware attacks, data wiping attacks and 84 00:04:38.670 --> 00:04:41.070 continued spear phishing attacks. 85 00:04:41.510 --> 00:04:44.600 Tom Field: Complacency is an issue, and I would add also that 86 00:04:44.780 --> 00:04:48.470 we've talked about this in past conversations. We, collective 87 00:04:48.470 --> 00:04:52.880 we, like short, finite stories. 
We like a story that begins on 88 00:04:52.880 --> 00:04:55.640 Monday and by Friday, you know the end of it. That isn't the 89 00:04:55.640 --> 00:04:59.630 case with this one. And as we go on, we are likely to have 90 00:04:59.840 --> 00:05:03.590 desperation enter the field from one side or the other, from 91 00:05:03.590 --> 00:05:08.150 Ukraine or Russia. Desperation creates a new sense of urgency, 92 00:05:08.150 --> 00:05:10.910 and desperation creates more storylines that will be 93 00:05:10.910 --> 00:05:12.980 following. Elvis Chan is spot on. 94 00:05:14.070 --> 00:05:17.220 Tony Morbin: I mean, that whole idea of hacktivists getting 95 00:05:17.220 --> 00:05:20.040 involved does concern me. You can well understand either 96 00:05:20.040 --> 00:05:24.930 patriotic Ukrainians, Russians, or idealistic people jumping in 97 00:05:25.140 --> 00:05:28.290 to support those that they do support. But we've already seen 98 00:05:28.290 --> 00:05:34.440 them: Malaysian hacktivists attacking India for, you know, 99 00:05:34.530 --> 00:05:39.750 perceived slights in terms of religion. We've seen supposedly 100 00:05:39.750 --> 00:05:44.310 hacktivists attacking Lithuania, which looks very much totally in 101 00:05:44.310 --> 00:05:48.450 line with government policy. So you're now getting genuine 102 00:05:48.450 --> 00:05:51.270 hacktivists jumping into things that used to be the realm of the 103 00:05:51.270 --> 00:05:54.540 state, and the state hiding behind hacktivists to do the 104 00:05:54.540 --> 00:05:57.210 sort of things that they would have previously been a bit wary 105 00:05:57.210 --> 00:06:01.110 of doing. So this kind of escalation is my big concern. 106 00:06:01.540 --> 00:06:04.330 Tom Field: And, Tony, know where that scares me domestically? Is 107 00:06:04.330 --> 00:06:10.090 that, we have a polarizing U.S. Supreme Court that is making 108 00:06:10.090 --> 00:06:14.110 decisions that is upsetting a good part of the population. 
109 00:06:14.620 --> 00:06:17.530 What happens if the hacktivists community gets involved? And why 110 00:06:17.530 --> 00:06:20.050 wouldn't they? I think this is the world we live in now. 111 00:06:20.860 --> 00:06:22.750 Tony Morbin: Yeah, I mean, for hacktivism to become a 112 00:06:23.290 --> 00:06:27.970 legitimate means of expression is very dangerous, because, you 113 00:06:27.970 --> 00:06:31.840 know, I was about to say something that doesn't apply in 114 00:06:31.840 --> 00:06:34.810 America, which is you wouldn't let ordinary people have machine 115 00:06:34.810 --> 00:06:38.860 guns. But yeah, in the rest of the world, you wouldn't let 116 00:06:38.860 --> 00:06:41.620 ordinary people have machine guns, you know, you'd restrict 117 00:06:41.620 --> 00:06:46.930 that to the military. You're giving military grade weapons in 118 00:06:46.930 --> 00:06:49.060 the form of cyber to the average person. 119 00:06:49.750 --> 00:06:52.000 Anna Delaney: But I also think, it's gonna be quite interesting. 120 00:06:52.030 --> 00:06:55.780 Remember that Russia relies on Western technology, and in six 121 00:06:55.780 --> 00:06:58.570 months' time, they're not going to be getting patching and 122 00:06:58.570 --> 00:07:02.770 updates, necessarily, are they? So, what will that look like in 123 00:07:02.770 --> 00:07:05.020 six months' time? We will be in a different situation. 124 00:07:05.500 --> 00:07:09.340 Tom Field: I come back to what I said moments ago, Anna, we don't 125 00:07:09.730 --> 00:07:10.090 know. 126 00:07:11.800 --> 00:07:16.120 Anna Delaney: Michael, from one insecure story to another, more 127 00:07:16.120 --> 00:07:19.060 layoffs this week you've been reporting on, unfortunately. 128 00:07:19.090 --> 00:07:19.810 Tell us more. 129 00:07:20.440 --> 00:07:23.920 Michael Novinson: Absolutely. So it's been a really rough past 40 130 00:07:23.920 --> 00:07:26.620 days for the industry. 
We've actually seen seven companies 131 00:07:27.010 --> 00:07:30.100 have publicly disclosed layoffs that started in late May. We had 132 00:07:30.100 --> 00:07:34.480 Lacework, then Cybereason, then OneTrust. And then since the 133 00:07:34.480 --> 00:07:39.760 start of RSA, we've had Deep Instinct. We've had Automox. 134 00:07:39.790 --> 00:07:42.610 We've had Aura. And now most recently, we've had IronNet 135 00:07:44.170 --> 00:07:46.960 announce layoffs. These layoffs have affected anywhere from 136 00:07:46.960 --> 00:07:50.230 usually about 10 to 20, maybe up to 25% of their staff in the 137 00:07:50.230 --> 00:07:52.930 case of OneTrust. Couple of dynamics, which I think are 138 00:07:52.930 --> 00:07:56.020 interesting to watch are. The first is that these are not 139 00:07:56.020 --> 00:07:59.110 universal. There are kind of specific characteristics that we 140 00:07:59.110 --> 00:08:01.630 see in the companies that are doing these layoffs. The first 141 00:08:01.630 --> 00:08:05.380 several in terms of Cybereason, OneTrust and Lacework were all 142 00:08:05.380 --> 00:08:08.050 companies that were expected to IPO either this year or next 143 00:08:08.050 --> 00:08:12.310 year. There's seemingly no opportunity for them to do that. 144 00:08:12.460 --> 00:08:15.310 They need to make the cash that they have right now last longer. 145 00:08:15.520 --> 00:08:17.980 And that's the main reason they're doing it. We've then 146 00:08:17.980 --> 00:08:21.340 seen some earlier stage startups. We've seen our Deep 147 00:08:21.340 --> 00:08:24.370 Instinct and Aura, both of which are unicorns, with valuations in 148 00:08:24.370 --> 00:08:28.120 excess of a billion do layoffs. And in certainly, in 2022, when 149 00:08:28.120 --> 00:08:30.940 they get unicorn valuation, it's less clear that they did get 150 00:08:30.940 --> 00:08:35.560 that. 
Yeah, I saw Automox, which is really maybe a mid-to-early 151 00:08:35.560 --> 00:08:37.840 stage startup that did do a nine-figure funding round last 152 00:08:37.840 --> 00:08:40.540 year, but they're definitely a newer company. And then most 153 00:08:40.540 --> 00:08:43.450 recently, with IronNet, we've seen a publicly traded company 154 00:08:43.780 --> 00:08:48.910 do it albeit at a relatively small one. So I think, what I 155 00:08:48.910 --> 00:08:52.990 was gonna say is yes, not universal. And people who are 156 00:08:53.050 --> 00:08:55.000 losing their jobs are finding that they're getting a lot of 157 00:08:55.000 --> 00:08:57.490 offers. I had spoken to an individual who was laid off at 158 00:08:57.490 --> 00:09:00.790 Cybereason. He had posted about it on LinkedIn, and in 18 hours, 159 00:09:00.790 --> 00:09:03.520 he had told me he had received or he had been contacted by 160 00:09:03.520 --> 00:09:06.070 CrowdStrike, by SentinelOne, by Sophos, and by a number of 161 00:09:06.070 --> 00:09:08.830 security startups. I wanted to speak to him about job 162 00:09:08.830 --> 00:09:12.850 opportunities. Similarly, I know Anna, you and I were at RSA. 163 00:09:13.990 --> 00:09:17.020 Lacework did the layoffs. Wiz, who was in our studios, was 164 00:09:17.020 --> 00:09:18.670 getting a lot of questions whether they're looking to do 165 00:09:18.670 --> 00:09:21.340 something similar. And when I was speaking to the folks that 166 00:09:21.340 --> 00:09:24.280 was there very clear, absolutely not we are continuing to hire. 167 00:09:24.280 --> 00:09:26.830 We've actually spoken to some of the folks who've lost their 168 00:09:26.830 --> 00:09:29.290 jobs, at least work and we're not at all thinking about 169 00:09:29.290 --> 00:09:32.620 layoffs, even though they are also a venture backed company. 
I 170 00:09:32.620 --> 00:09:34.570 think the other thing that's important to look at is really 171 00:09:34.570 --> 00:09:37.300 who is investing in these companies, when you're talking 172 00:09:37.300 --> 00:09:39.940 about the startups, because so much of this is investor driven. 173 00:09:40.360 --> 00:09:44.470 In particular, SoftBank was backing the companies though, 174 00:09:44.500 --> 00:09:47.410 did these layoffs. So they've got Cybereason. They led the 175 00:09:47.410 --> 00:09:52.240 rounds in 2015, 2017 and 2019. And similarly, they've been 176 00:09:52.240 --> 00:09:56.200 involved in funding OneTrust. And yeah, SoftBank had a lot of 177 00:09:56.200 --> 00:09:58.870 challenges. Most notably, they had gotten involved with WeWork, 178 00:09:58.870 --> 00:10:03.280 and the people who are financing them have really subjected them 179 00:10:03.280 --> 00:10:06.340 to a lot more scrutiny. And we're seeing that kind of the 180 00:10:06.340 --> 00:10:08.770 message they're putting out to their portfolio companies is 181 00:10:09.520 --> 00:10:13.180 we're not coming to save you, that you need to figure out how 182 00:10:13.180 --> 00:10:15.580 to make things work with the money you have. And I know a 183 00:10:15.850 --> 00:10:19.720 company outside of Israel did a really good report on SoftBank 184 00:10:19.720 --> 00:10:22.900 and their investments in Israel. And they're saying that 20% of 185 00:10:22.900 --> 00:10:25.240 the tech layoffs we've seen this year are from companies that are 186 00:10:25.240 --> 00:10:30.100 backed by SoftBank. So, I think that matters. The other thing, 187 00:10:30.100 --> 00:10:32.680 which is important to think about is that you saw some 188 00:10:32.680 --> 00:10:35.380 non-traditional investors get involved in cybersecurity last 189 00:10:35.380 --> 00:10:39.640 year. 
To call out two examples, in terms of Cybereason, and they 190 00:10:39.640 --> 00:10:43.360 received north of $200 million of funding from Liberty 191 00:10:43.360 --> 00:10:45.910 Strategic Capital. That's a venture capital firm that was 192 00:10:45.910 --> 00:10:48.820 created by Steven Mnuchin, the former U.S. Treasury Secretary. 193 00:10:49.060 --> 00:10:50.920 This was the first investment they'd ever made in 194 00:10:50.920 --> 00:10:54.910 cybersecurity. They went very big, with a big nine-figure 195 00:10:54.910 --> 00:10:58.600 investment. But obviously, they don't have the type of 196 00:10:58.600 --> 00:11:01.510 background in the industry that an inside partners, or KKR, or 197 00:11:01.510 --> 00:11:05.890 Thoma Bravo has. Similarly, we saw with Aura that they actually 198 00:11:05.890 --> 00:11:09.550 had Jeffrey Katzenberg, who's the former CEO of DreamWorks, 199 00:11:09.550 --> 00:11:12.940 and instrumental and getting struck out. He was he's actually 200 00:11:12.940 --> 00:11:17.260 on the board, and he was involved with financially 201 00:11:17.260 --> 00:11:19.600 backing them, obviously, similarly, someone who does not 202 00:11:19.600 --> 00:11:24.010 have a deep background in cybersecurity. And I know, I 203 00:11:24.010 --> 00:11:26.590 think some of the folks who aren't as experienced in this 204 00:11:26.590 --> 00:11:32.710 industry are starting to get cold feet. And some people got 205 00:11:32.710 --> 00:11:36.370 scared. And I know, I was having some conversations at RSA with 206 00:11:36.370 --> 00:11:39.130 folks telling me that it wasn't even these companies that wanted 207 00:11:39.130 --> 00:11:40.960 to do layoffs, it was their investors telling them that you 208 00:11:40.960 --> 00:11:45.760 have to. And I think, it does speak to and I know Alberto 209 00:11:45.940 --> 00:11:48.820 YĆ©pez, who we had in our studios at RSA brought this up too. 
But 210 00:11:48.820 --> 00:11:51.130 it speaks to the value of having people invest in you who are 211 00:11:51.130 --> 00:11:54.280 familiar with cyber. Who are really able to do due diligence 212 00:11:54.280 --> 00:11:56.830 and scrutiny when they give you the money, and also aren't going 213 00:11:56.830 --> 00:11:59.410 to get scared when there's a market downturn and recognize 214 00:11:59.830 --> 00:12:01.930 that there is still fundamentally a need for 215 00:12:01.930 --> 00:12:04.480 cybersecurity technology. And this isn't discretionary 216 00:12:04.480 --> 00:12:08.740 spending. So I think, it does speak to the benefit of having 217 00:12:08.740 --> 00:12:12.160 kind of experienced investors backing you even if that means 218 00:12:12.160 --> 00:12:14.170 you maybe don't get quite as much money or maybe don't have 219 00:12:14.170 --> 00:12:15.520 quite as high of a valuation. 220 00:12:16.920 --> 00:12:19.178 Anna Delaney: So, what's the word in the cybersecurity 221 00:12:19.234 --> 00:12:22.170 community? How are they responding to these layoffs? 222 00:12:22.000 --> 00:12:24.200 Michael Novinson: So yeah, I think for a lot of people, it's 223 00:12:24.253 --> 00:12:27.449 a great opportunity to try to hire some folks, talent is hard 224 00:12:27.502 --> 00:12:30.593 to find. And if you can, if you're a Wiz or you Orca if you 225 00:12:30.646 --> 00:12:33.318 hire folks from Lacework, Cybereason folks. It'd be 226 00:12:33.371 --> 00:12:36.305 interesting. So I think, it's good; I think those hiring 227 00:12:36.358 --> 00:12:39.606 opportunities. The other thing to watch is going to be the M&A 228 00:12:39.659 --> 00:12:42.646 side. We've been hearing for months that to expect an M&A 229 00:12:42.698 --> 00:12:45.790 spree end of day. Dave DeWalt was saying that a lot at RSA, 230 00:12:45.842 --> 00:12:49.039 that just valuations have come down very sharply. And there's 231 00:12:49.091 --> 00:12:52.445 value to be had right now. 
Both in terms of public companies, as 232 00:12:52.497 --> 00:12:55.694 well as maybe some of these late stage startups that can't go 233 00:12:55.746 --> 00:12:58.943 public anytime soon, are they going to be open to a financial 234 00:12:58.995 --> 00:13:02.244 or strategic buyer. We haven't really seen too much meaningful 235 00:13:02.296 --> 00:13:05.440 M&A activity in the past 60 days. But what people are saying 236 00:13:05.493 --> 00:13:08.585 is that folks are waiting for this to bottom out, everybody 237 00:13:08.637 --> 00:13:11.991 wants to the buyers want to get the best value they can. So they 238 00:13:12.043 --> 00:13:15.082 want to see things hit bottom first. But I do think in the 239 00:13:15.135 --> 00:13:17.912 coming months, that so many companies are when you're 240 00:13:17.964 --> 00:13:21.266 talking to public ones 30%, 40%, 50% off of the highs, they had 241 00:13:21.318 --> 00:13:24.410 late 2021 that you have to imagine somebody's gonna step in 242 00:13:24.462 --> 00:13:27.449 and say, Look, these, the fundamentals of these companies 243 00:13:27.502 --> 00:13:30.541 are good. They're category leaders, they're having stable, 244 00:13:30.593 --> 00:13:33.947 strong double-digit growth. You have to imagine that some of the 245 00:13:33.999 --> 00:13:37.248 folks, maybe even perhaps, some of the large technology firms, 246 00:13:37.301 --> 00:13:40.497 the Google, and the Microsoft and the Amazon of the world are 247 00:13:40.550 --> 00:13:43.903 going to step in, and they have a large enough market caps, even 248 00:13:43.956 --> 00:13:46.943 with the downturn and take a look at some of these public 249 00:13:46.995 --> 00:13:49.930 companies or some of these late stage private companies. 250 00:13:50.620 --> 00:13:52.690 Tom Field: I'm bullish. I think you're spot on, Michael. 
I think 251 00:13:52.690 --> 00:13:54.880 that yes, you have to acknowledge the economic 252 00:13:54.880 --> 00:13:57.100 conditions, the economic uncertainty we're looking at 253 00:13:57.100 --> 00:14:00.070 right now. But as you said, the fundamentals don't change. We 254 00:14:00.070 --> 00:14:03.160 still have OT security issues, we still have software supply 255 00:14:03.160 --> 00:14:06.580 chain security issues, we still have cloud security concerns. 256 00:14:07.360 --> 00:14:10.960 The adversaries aren't experiencing a downturn; these 257 00:14:10.960 --> 00:14:13.450 issues aren't going to go away. Cybersecurity is an essential. 258 00:14:14.920 --> 00:14:16.930 Michael Novinson: The one thing I would just add is I do think 259 00:14:16.930 --> 00:14:19.510 for everybody, there's much more pressure, pressure on the path 260 00:14:19.510 --> 00:14:23.560 to profitability. And I've heard more about profitability and 261 00:14:24.880 --> 00:14:27.490 GAAP net income and stuff in the past three months in earnings 262 00:14:27.490 --> 00:14:29.800 calls than I did probably in the previous four years combined. 263 00:14:29.800 --> 00:14:33.640 And I mean, when you look at the cyber sector, then the only 264 00:14:33.640 --> 00:14:35.980 companies that consistently make money that are publicly traded 265 00:14:35.980 --> 00:14:40.240 are Check Point and Fortinet on a GAAP basis. And I do think for 266 00:14:40.240 --> 00:14:42.550 a lot of these companies, they're just kind of assumed we 267 00:14:42.550 --> 00:14:45.970 can lose money forever, as long as we keep gaining share, that 268 00:14:46.420 --> 00:14:49.300 their assumptions don't have to change. And it's obviously being 269 00:14:49.330 --> 00:14:51.670 able to lose lots of money makes it easy to spend a lot of money 270 00:14:51.670 --> 00:14:55.150 in R&D and to hire go-to-market folks. 
But if there's pressure 271 00:14:55.150 --> 00:14:57.580 even on the startups, when they're filing those S-1 to go 272 00:14:57.580 --> 00:15:00.400 public to show how they're going to get to profitability. It is 273 00:15:00.400 --> 00:15:02.500 gonna change how a lot of these companies scale and grow. 274 00:15:02.000 --> 00:15:07.040 Anna Delaney: Well, Tony, as Tom mentioned, the criminals are not 275 00:15:07.070 --> 00:15:10.850 stopping anytime soon. And often we ask interviewees, what can we 276 00:15:10.850 --> 00:15:13.880 learn from cyber criminals? But it turns out, they are looking 277 00:15:13.880 --> 00:15:15.080 at the defenders as well. 278 00:15:15.660 --> 00:15:19.050 Tony Morbin: Absolutely, it's a two-way street, and even back 279 00:15:19.050 --> 00:15:22.650 again from what they're now doing. Interesting story I saw 280 00:15:22.650 --> 00:15:26.010 over the weekend was LockBit ransomware, as a service group 281 00:15:26.010 --> 00:15:30.630 has announced that as part of its LockBit 3.0 operation, it is 282 00:15:30.630 --> 00:15:33.600 going to pay people who find vulnerabilities that they can 283 00:15:33.600 --> 00:15:37.320 exploit, as well as pay people who find bugs in the software 284 00:15:37.320 --> 00:15:41.970 that it uses to encrypt files that might have allowed victims 285 00:15:41.970 --> 00:15:44.880 to rescue their data. So it's looking for both offensive and 286 00:15:44.880 --> 00:15:48.330 defensive solutions. It says, it's going to pay bounties for 287 00:15:48.330 --> 00:15:51.960 brilliant ideas to improve ransomware operations, and also 288 00:15:51.960 --> 00:15:54.870 pay for personally identifiable information on high profile 289 00:15:54.870 --> 00:15:58.380 individuals. And now they're talking about bug bounties of 290 00:15:58.770 --> 00:16:02.430 between a 1,000 and a million dollars, according to a post on 291 00:16:02.430 --> 00:16:05.790 their website. 
The million dollar prize is specifically if 292 00:16:05.790 --> 00:16:10.170 you can name the affiliate program manager, known as 293 00:16:10.170 --> 00:16:13.380 LockBit sup. That's actually been around for a couple of 294 00:16:13.380 --> 00:16:16.050 years, but they've now put this million dollar figure on it. 295 00:16:16.620 --> 00:16:19.920 Now, usually, you know, in the conventional world, bug bounty 296 00:16:19.920 --> 00:16:23.250 programs are intended to incentivize responsible 297 00:16:23.250 --> 00:16:26.820 disclosure of vulnerabilities by enticing ethical hackers to 298 00:16:26.820 --> 00:16:30.120 submit their findings to the vendor concerned. Now for the 299 00:16:30.120 --> 00:16:32.340 company, the benefit of crowdsourcing is obviously 300 00:16:32.340 --> 00:16:35.250 reaching a wider pool of hacking expertise who wouldn't have been 301 00:16:35.250 --> 00:16:38.550 available in-house. The downside has always been the trust issue, 302 00:16:38.580 --> 00:16:41.280 because there's often some trepidation about letting 303 00:16:41.280 --> 00:16:45.300 outsiders into their networks. So what does this development 304 00:16:45.300 --> 00:16:49.560 tell us about both ransomers and about bug bounties? Who, first 305 00:16:49.560 --> 00:16:52.800 of all, for anybody who hadn't accepted it or recognized, many 306 00:16:52.800 --> 00:16:56.040 of the ransomers have now reached a level of maturity as 307 00:16:56.040 --> 00:16:59.310 businesses that are well financed, professionally run, 308 00:16:59.460 --> 00:17:02.910 and can adopt any of the tools that legitimate businesses use. 309 00:17:03.120 --> 00:17:07.440 They are the new organized crime syndicates. Second, the 310 00:17:07.440 --> 00:17:11.040 criminals think bug bounties and crowdsourcing are effective ways 311 00:17:11.160 --> 00:17:14.520 to improve their operation by tapping expertise outside of the 312 00:17:14.520 --> 00:17:19.140 organization. 
So they don't have trust issues with crowdsourcing, 313 00:17:19.440 --> 00:17:22.260 partly because criminals have always had zero trust approach 314 00:17:22.260 --> 00:17:26.550 to dealing with each other. Now whether ransomers, in turn, will 315 00:17:26.550 --> 00:17:29.820 be trusted by a dodgy researcher looking for an illegal reward 316 00:17:29.910 --> 00:17:33.510 for a discovered vulnerability that remains to be seen. But 317 00:17:33.660 --> 00:17:36.720 here the fact is LockBit itself is already a 318 00:17:36.720 --> 00:17:39.870 ransomware-as-a-service operation, so that demonstrates 319 00:17:39.870 --> 00:17:42.810 how cyber criminals are already buying services from each other. 320 00:17:43.080 --> 00:17:46.680 That includes access brokers, those who buy and sell assault 321 00:17:46.680 --> 00:17:50.460 stolen datasets, and this gang itself has previously paid for 322 00:17:50.460 --> 00:17:53.730 vulnerabilities and bugs in applications, including remote 323 00:17:53.730 --> 00:17:57.120 control tools and web applications. What is different 324 00:17:57.120 --> 00:17:59.580 this time is that they're inviting everybody to be 325 00:17:59.580 --> 00:18:03.750 criminals. As they say, we invite all security researchers, 326 00:18:03.780 --> 00:18:07.440 ethical and unethical hackers on the planet to participate in our 327 00:18:07.440 --> 00:18:11.640 bug bounty program. Fortunately, people don't only do things for 328 00:18:11.640 --> 00:18:15.690 money, and most people do not want to be criminals. Plus, 329 00:18:15.690 --> 00:18:18.660 there are legitimate bug bounty programs that will pay ethical 330 00:18:18.660 --> 00:18:22.950 hackers. So what should we do on the defender side? Obviously, we 331 00:18:22.980 --> 00:18:25.620 need to make it easier for responsible disclosure as a 332 00:18:25.620 --> 00:18:28.170 priority and certainly not prosecute those who are 333 00:18:28.170 --> 00:18:31.620 delivering bad news. 
Companies should see if bug bounties and 334 00:18:31.620 --> 00:18:34.440 crowdsourcing are appropriate for them, and perhaps also 335 00:18:34.440 --> 00:18:37.110 solicit good ideas on how to improve their security. 336 00:18:37.710 --> 00:18:40.230 Coordinated international law enforcement and government 337 00:18:40.230 --> 00:18:44.820 programs should be facilitating crowdsourced defense. And, of 338 00:18:44.820 --> 00:18:48.330 course, organizations should ensure that we implement a zero 339 00:18:48.330 --> 00:18:51.780 trust architecture that enables us to take advantage of any good 340 00:18:51.780 --> 00:18:55.590 ideas wherever they come from. Unfortunately, this development 341 00:18:55.590 --> 00:18:58.830 does also mean we need to further strengthen the security 342 00:18:58.830 --> 00:19:02.100 of our internal supply chain, including who has access to what 343 00:19:02.100 --> 00:19:07.110 data and any secrets there are, because now everything can be 344 00:19:07.110 --> 00:19:10.110 monetized by everybody who has access to your code. 345 00:19:11.110 --> 00:19:14.134 Anna Delaney: Worrying trend. Tom, if you recall, Attorney 346 00:19:14.203 --> 00:19:18.397 Lisa Sotto telling us in our recent proof of concept, I think 347 00:19:18.465 --> 00:19:22.246 there are more than 60 ransomware groups wreaking havoc 348 00:19:22.315 --> 00:19:26.509 at the moment and demands have gone up. I think there used to 349 00:19:26.577 --> 00:19:30.840 be five, $1 to $5 million, and now $10 million and upwards and 350 00:19:30.908 --> 00:19:34.690 then negotiating less, so it's a really worrying trend. 351 00:19:34.000 --> 00:19:38.290 Tom Field: I like the theme of this group as well. A totally 352 00:19:38.290 --> 00:19:42.160 neglected dimension. Let's make ransomware great again. Where 353 00:19:42.160 --> 00:19:43.090 have I heard that before? 
354 00:19:42.390 --> 00:19:45.137 Tony Morbin: I kind of deliberately left that bit out, 355 00:19:45.204 --> 00:19:48.755 and LockBit, the other interesting thing about them is 356 00:19:48.822 --> 00:19:52.977 with the demise of Conti, or the supposed demise of Conti, they 357 00:19:53.044 --> 00:19:57.266 are now the biggest ransomware group. And they were responsible 358 00:19:57.333 --> 00:20:01.286 for half of ransomware attacks in May this year. So they're 359 00:20:01.353 --> 00:20:03.900 kind of trying to take the Conti role. 360 00:20:04.930 --> 00:20:07.390 Anna Delaney: Well, Tom, you mentioned what the biggest theme 361 00:20:07.390 --> 00:20:10.630 of the year is. What are you looking to as the next six 362 00:20:10.630 --> 00:20:11.350 months unfold? 363 00:20:11.000 --> 00:20:13.716 Tom Field: Oh, no question. As we look toward the second half 364 00:20:13.771 --> 00:20:16.814 of this year, I think we're gonna hear an awful lot more 365 00:20:16.868 --> 00:20:20.019 about OT, operational technology security, particularly in 366 00:20:20.074 --> 00:20:22.845 regards to critical infrastructure support, because 367 00:20:22.899 --> 00:20:25.888 of the technology issues, we are aware that everything is 368 00:20:25.942 --> 00:20:29.257 connected, and because of the cultural issues, because OT and 369 00:20:29.311 --> 00:20:32.517 IT are not connected, I think that's gonna be a significant 370 00:20:32.571 --> 00:20:35.886 topic of conversation. Software supply chain security, we've 371 00:20:35.940 --> 00:20:39.200 spent the first half of this year talking about Log4J. And I 372 00:20:39.255 --> 00:20:42.678 know that as recently as about two months ago, 40% of new Log4J 373 00:20:42.732 --> 00:20:45.830 downloads were the corrupt version. And Log4J is only the 374 00:20:45.884 --> 00:20:49.253 one we know about, we're gonna hear a lot more about software 375 00:20:49.307 --> 00:20:52.350 supply chain security, and particularly the SBOM.
Cloud 376 00:20:52.404 --> 00:20:55.665 security. You know, there's a phrase in talk radio, longtime 377 00:20:55.719 --> 00:20:58.871 listener, first time caller. When it comes to cloud, there 378 00:20:58.925 --> 00:21:02.348 are a lot of longtime listeners who are making their first-time 379 00:21:02.402 --> 00:21:05.717 cloud strategies. And they're finding out that cloud security 380 00:21:05.771 --> 00:21:09.086 is a different animal altogether than on-prem security. And I 381 00:21:09.140 --> 00:21:12.292 think we'll be hearing a lot more about that. Those are my 382 00:21:12.346 --> 00:21:12.890 top three. 383 00:21:13.970 --> 00:21:15.560 Anna Delaney: Can't argue. Michael? 384 00:21:15.000 --> 00:21:17.619 Michael Novinson: So two things for me, the first would be on 385 00:21:15.000 --> 00:21:17.940 Anna Delaney: For sure. And, Tony? 386 00:21:17.000 --> 00:21:24.890 Tony Morbin: I would echo Tom, in relation to cloud in that the 387 00:21:17.680 --> 00:21:21.397 business side of the world, the M&A, just both the public 388 00:21:21.458 --> 00:21:25.357 companies with kind of those $3 to $5 billion valuations getting 389 00:21:25.418 --> 00:21:29.318 bought, as well as some of these late stage startups who thought 390 00:21:29.378 --> 00:21:32.912 they're gonna go public. The other thing to keep an eye on 391 00:21:32.973 --> 00:21:36.141 would be this early stage startup market, and is the 392 00:21:36.202 --> 00:21:39.797 slowdown. It's starting to affect the early stage companies 393 00:21:39.858 --> 00:21:43.636 and making it hard for companies that have a viable product to 394 00:21:43.697 --> 00:21:47.291 get that Series A and that Series B to really bring that to 395 00:21:47.352 --> 00:21:51.191 market and to scale. So I'm just curious how much the financial 396 00:21:51.252 --> 00:21:54.664 troubles are going to hurt kind of the next generation of 397 00:21:54.724 --> 00:21:56.370 innovation in the industry.
398 00:22:03.530 --> 00:22:08.390 fallout from work from home and, you know, the digitization and 399 00:22:08.480 --> 00:22:14.090 the move to working using cloud hasn't stopped at 400 00:22:14.090 --> 00:22:17.300 all. And, in fact, I was just on a roundtable last night, and 401 00:22:17.300 --> 00:22:20.240 there were some major banks who still had a bit of trepidation 402 00:22:20.240 --> 00:22:24.680 about the movement to the cloud: resiliency. What would they do 403 00:22:24.680 --> 00:22:28.730 if their cloud service provider or SaaS provider were to fall 404 00:22:28.730 --> 00:22:33.890 over? So, you know, that's an ongoing issue, and probably 405 00:22:33.890 --> 00:22:37.670 hybrid networks will be the way for many of them for some time 406 00:22:37.670 --> 00:22:42.230 to come. But ongoing move to the cloud, and potentially new 407 00:22:42.260 --> 00:22:43.610 vulnerabilities as a result. 408 00:22:44.560 --> 00:22:47.920 Anna Delaney: Sure, well, a busy six months for us then ahead. 409 00:22:48.100 --> 00:22:50.590 Thank you so much, Tom, Tony, Michael. Always a pleasure. 410 00:22:50.590 --> 00:22:51.640 Thank you very much. 411 00:22:51.970 --> 00:22:52.450 Tony Morbin: Thank you. 412 00:22:53.440 --> 00:22:55.600 Anna Delaney: Thanks so much for watching. Until next time.