WEBVTT

1
00:00:07.170 --> 00:00:09.570
Mathew Schwartz: Hello and welcome to the ISMG Editors'

2
00:00:09.570 --> 00:00:13.350
Panel, where we round up the latest cybersecurity news and

3
00:00:13.380 --> 00:00:18.150
trends. I'm Mathew Schwartz, your guest host for this week's

4
00:00:18.150 --> 00:00:23.310
episode, and it's my pleasure to welcome my ISMG colleagues to

5
00:00:23.310 --> 00:00:27.240
the studio here. Tom Field, senior vice president of

6
00:00:27.240 --> 00:00:30.870
editorial; Michael Novinson, managing editor for business;

7
00:00:30.870 --> 00:00:35.400
and Chris Riotta, managing editor for GovInfoSecurity.

8
00:00:35.760 --> 00:00:38.100
Gentlemen, great to have you here.

9
00:00:38.430 --> 00:00:39.810
Tom Field: Good to be here. What we do with Anna?

10
00:00:41.370 --> 00:00:45.000
Mathew Schwartz: Anna has some probably overdue and extremely

11
00:00:45.000 --> 00:00:49.770
well-deserved time-off. So, we're attempting to pinch hit in

12
00:00:49.770 --> 00:00:50.580
her absence.

13
00:00:50.760 --> 00:00:52.380
Tom Field: Patience with us folks, patience.

14
00:00:54.720 --> 00:00:57.360
Mathew Schwartz: So, where are we virtually in the world today?

15
00:00:57.360 --> 00:00:58.530
Tom, where are you?

16
00:00:58.830 --> 00:01:02.850
Tom Field: I am at the fair. How about this? The annual Windsor

17
00:01:02.850 --> 00:01:07.230
fair in a small town near my small town is here for the week

18
00:01:07.230 --> 00:01:10.170
leading up to Labor Day, and I've already spent a day and a

19
00:01:10.170 --> 00:01:10.710
night there.

20
00:01:11.910 --> 00:01:14.820
Mathew Schwartz: Excellent. Michael, where are you hailing

21
00:01:14.820 --> 00:01:15.330
from?

22
00:01:15.990 --> 00:01:17.580
Michael Novinson: Somewhere a little less exciting. This is

23
00:01:17.580 --> 00:01:20.370
the Weaver Library in East Providence, Rhode Island. They

24
00:01:20.370 --> 00:01:24.690
had a ...
like back to school outer space party, and if you

25
00:01:24.690 --> 00:01:27.510
truly wanted to see something terrifying for the 3-5 year

26
00:01:27.510 --> 00:01:30.780
olds, they have a bunch of people walking in scary alien

27
00:01:30.780 --> 00:01:33.570
costumes. Never seen so many children clinging to their

28
00:01:33.570 --> 00:01:35.250
parents and running for the walls. These are not like the

29
00:01:35.250 --> 00:01:37.710
friendly Martians. These are like ... it's about life-size

30
00:01:37.710 --> 00:01:40.350
scary aliens. Very terrifying for the four-year olds.

31
00:01:44.670 --> 00:01:47.310
Eventually warmed up and joined in the dance party. My daughter

32
00:01:47.310 --> 00:01:49.500
got a picture of the Mandalorian. So, fun all the way

33
00:01:49.500 --> 00:01:49.740
around.

34
00:01:50.340 --> 00:01:52.650
Tom Field: Wow! I was hoping you did do your costume.

35
00:01:56.850 --> 00:01:59.430
Michael Novinson: Yeah. Then, they saw the aliens walking to

36
00:01:59.430 --> 00:02:02.400
their cars. So, my daughter is assured to know they are real

37
00:02:02.400 --> 00:02:05.310
people, normal people, just wearing costume. That was

38
00:02:05.340 --> 00:02:06.240
reassuring for her.

39
00:02:06.540 --> 00:02:07.950
Mathew Schwartz: Well, they are just commuting Michael. They

40
00:02:07.950 --> 00:02:12.120
could just be commuting. Okay, excellent. Chris, where are you

41
00:02:12.120 --> 00:02:12.900
hailing from?

42
00:02:13.380 --> 00:02:17.160
Chris Riotta: I'm somewhere arguably as exciting as the fair

43
00:02:17.190 --> 00:02:20.520
or an outer space party, depending on what your vibe is.

44
00:02:20.550 --> 00:02:23.790
I'm outside of the United Nations. I've been doing a lot

45
00:02:23.790 --> 00:02:28.140
of reporting in recent weeks on a cybercrime convention making

46
00:02:28.140 --> 00:02:31.320
its way through the UN General Assembly. So, that's where I'm

47
00:02:31.320 --> 00:02:32.130
joining from today.

48
00:02:32.880 --> 00:02:36.540
Mathew Schwartz: Fantastic. Well, I look forward to digging

49
00:02:36.540 --> 00:02:42.360
into that more completely. Now, just to the opening of our

50
00:02:42.360 --> 00:02:46.170
proceedings here, I'm going to go first to Michael. Michael, I

51
00:02:46.170 --> 00:02:50.040
know that you have been listening in on a number of

52
00:02:50.100 --> 00:02:55.200
cybersecurity firms' earnings calls, and these earnings calls

53
00:02:55.200 --> 00:02:58.890
have been referencing a very small outage the world may have

54
00:02:58.890 --> 00:03:02.610
heard of that had to do recently with CrowdStrike. And

55
00:03:02.670 --> 00:03:06.150
CrowdStrike's, I think it's fair to say competitors, have been

56
00:03:06.150 --> 00:03:11.340
highlighting how they're different - technically and as a

57
00:03:11.340 --> 00:03:14.970
business. What have you been hearing? Is it surprising you?

58
00:03:14.000 --> 00:03:16.597
Michael Novinson: Thank you for the opportunity Mat. So, we've

59
00:03:16.656 --> 00:03:20.375
gotten to hear from two pretty high-profile CEOs. So far, we've

60
00:03:20.434 --> 00:03:23.858
heard from Nikesh Arora, the chairman and CEO of Palo Alto

61
00:03:23.917 --> 00:03:27.223
Networks, as well as just this week, we heard from Tomer

62
00:03:27.282 --> 00:03:30.883
Weingarten, the co-founder and CEO at SentinelOne. So, Nikesh

63
00:03:30.942 --> 00:03:34.484
had a little bit to say about the outage. Tomer had a lot to

64
00:03:34.543 --> 00:03:37.613
say. So, let's ... and there's kind of two different

65
00:03:37.672 --> 00:03:41.155
perspectives. One is talking about the architecture and the

66
00:03:41.214 --> 00:03:44.520
technology and how approaches differ from a software ...

67
00:03:44.579 --> 00:03:47.944
development software update perspective, and the other is

68
00:03:48.003 --> 00:03:51.604
the business opportunity that's resulting from the outage and

69
00:03:51.663 --> 00:03:55.146
customers of re-evaluating opportunities. So, starting with

70
00:03:55.205 --> 00:03:58.806
Palo Alto Networks here. So, Nikesh highlighted how that both

71
00:03:58.865 --> 00:04:02.111
companies did talked about how their testing process is

72
00:04:02.170 --> 00:04:05.476
completely different. So for Palo, it's ... they've been

73
00:04:05.535 --> 00:04:08.841
using a 1%-3% cohort before rolling out updates. They do

74
00:04:08.900 --> 00:04:12.442
them in a phased manner. And these are all, of course, things

75
00:04:12.501 --> 00:04:15.984
that CrowdStrike is going, is planning to do going forward,

76
00:04:16.043 --> 00:04:19.349
but hadn't been doing to date. And then, from a business

77
00:04:19.408 --> 00:04:22.950
opportunity standpoint, they catch that into specifically in

78
00:04:23.009 --> 00:04:26.669
the XDR market, which is really a market where CrowdStrike was

79
00:04:26.728 --> 00:04:30.329
first since they were born. As an endpoint detection response

80
00:04:30.388 --> 00:04:33.989
vendor, Palo has expanded into there more recently, made some

81
00:04:34.048 --> 00:04:37.767
endpoint security acquisitions roll out their XSIAM offering in

82
00:04:37.826 --> 00:04:41.191
September of 2022 and then is taking over that IBM QRadar

83
00:04:41.250 --> 00:04:44.733
business, transitioning those cloud-based customers over to

84
00:04:44.792 --> 00:04:48.629
XSIAM. So, since CrowdStrike was there first that they have a bit

85
00:04:48.689 --> 00:04:51.994
of an incumbency advantage ... and he was ... Nikesh was

86
00:04:52.053 --> 00:04:55.005
talking about how the customers are evaluating XDR

87
00:04:55.064 --> 00:04:58.606
opportunities. That is ...
the company that's not the number

88
00:04:58.665 --> 00:05:02.325
one player in the market, but this is exciting. It's no longer

89
00:05:02.384 --> 00:05:05.808
a slam dunk for some of the other folks in that space. So,

90
00:05:05.867 --> 00:05:09.527
that's what he had to say. Tomer had a lot more to say. So, he

91
00:05:09.586 --> 00:05:12.361
was getting into, from a technology standpoint,

92
00:05:12.420 --> 00:05:16.080
specifically, how they rely on that their use of AI means that

93
00:05:16.139 --> 00:05:19.622
there's less integration into the kernel. I'm going to give

94
00:05:19.681 --> 00:05:23.282
you a couple of quotes as I'm talking about this just to give

95
00:05:23.341 --> 00:05:26.824
you a sense of the flavor. So, starts off with this quote -

96
00:05:26.883 --> 00:05:30.307
"The scaling disruption caused by this incident is a stark

97
00:05:30.366 --> 00:05:33.908
reminder of the risk posed by vendor concentration. This was

98
00:05:33.967 --> 00:05:37.273
an avoidable incident that was born out of disregard for

99
00:05:37.332 --> 00:05:40.697
software deployment best practices. This failure will not

100
00:05:40.756 --> 00:05:44.180
be quickly dismissed." So, as you can see now that we're a

101
00:05:44.239 --> 00:05:47.663
month out, people were being gentle the first couple days.

102
00:05:47.722 --> 00:05:50.968
Didn't want to be seen as ambulance chasing, but people

103
00:05:51.027 --> 00:05:54.333
are certainly a lot more aggressive this year or at this

104
00:05:54.392 --> 00:05:57.521
point in terms of the rhetoric. So, from a technology

105
00:05:57.580 --> 00:06:00.414
standpoint, what Tomer was talking about is that

106
00:06:00.473 --> 00:06:03.719
SentinelOne requires less updates that they've been for

107
00:06:03.779 --> 00:06:07.143
the past 5-7 years moving away from being embedded in the

108
00:06:07.202 --> 00:06:10.685
kernel.
They're not at all with Mac or with Linux, and it's

109
00:06:10.744 --> 00:06:13.578
limited from a Windows perspective. That they've

110
00:06:13.637 --> 00:06:17.002
embedded AI models into the endpoint agent, and that even

111
00:06:17.061 --> 00:06:20.544
when they download updates into SentinelOne, they live in a

112
00:06:20.603 --> 00:06:24.086
different part of the system, which they were talking about

113
00:06:24.145 --> 00:06:27.451
how that's beneficial to stability. In terms of customer

114
00:06:27.510 --> 00:06:30.993
takeover, what they're talking about is that there's been a

115
00:06:31.052 --> 00:06:34.062
number of conversations with some very high-profile

116
00:06:34.122 --> 00:06:37.604
customers, some who've already made a commitment to switch,

117
00:06:37.663 --> 00:06:40.733
some who are exploring switching, but that the sales

118
00:06:40.792 --> 00:06:44.275
cycle and endpoint security is typically a 9-12 month sales

119
00:06:44.334 --> 00:06:47.876
cycle. So, while there are a couple of folks who are looking

120
00:06:47.935 --> 00:06:51.595
to leap right away, that's the exception rather than the rule.

121
00:06:51.654 --> 00:06:55.373
This is really something that's going to play out over multiple

122
00:06:55.432 --> 00:06:58.856
quarters. There weren't any financials given. There are no

123
00:06:58.915 --> 00:07:02.162
projections in terms of uplifts in the coming quarters,

124
00:07:02.221 --> 00:07:04.937
specifically from this CrowdStrike outage. The

125
00:07:04.996 --> 00:07:08.361
conversation was more at an anecdotal level.
So, and then

126
00:07:08.420 --> 00:07:11.962
what one or two more points here Tomer was talking about, in

127
00:07:12.021 --> 00:07:15.504
terms of from people who are asking investors about takeout

128
00:07:15.563 --> 00:07:18.987
programs, so saying that they're not doing anything from a

129
00:07:19.046 --> 00:07:22.706
go-to-market standpoint, that they're not doing discounting or

130
00:07:22.765 --> 00:07:26.248
teaser rates or anything, but that they have invested a lot

131
00:07:26.307 --> 00:07:29.495
into literature and collateral that's highlighting the

132
00:07:29.554 --> 00:07:32.741
differences in architecture between how CrowdStrike is

133
00:07:32.800 --> 00:07:36.460
architected and how SentinelOne is architected. They're really

134
00:07:36.519 --> 00:07:40.298
trying to aggressively get those out into market. And I'll leave

135
00:07:40.357 --> 00:07:44.076
you with one quote here, which is "I think these are very, very

136
00:07:44.135 --> 00:07:47.795
nuanced elements of how these products work that have not been

137
00:07:47.854 --> 00:07:51.514
in the spotlight nor were they clear to customers. And I think

138
00:07:51.573 --> 00:07:54.820
what happened, obviously put this front and center." So

139
00:07:54.879 --> 00:07:58.598
certainly, from the standpoint of folks like SentinelOne, which

140
00:07:58.657 --> 00:08:02.081
is quite a bit smaller than CrowdStrike, they're certainly

141
00:08:02.140 --> 00:08:05.210
not going to let this issue go to rest anytime soon.

142
00:08:05.930 --> 00:08:08.930
Mathew Schwartz: Having smaller competitors decry vendor

143
00:08:08.930 --> 00:08:13.670
concentration is interesting. I think, of course, they will do

144
00:08:13.670 --> 00:08:17.660
that. You also mentioned that the security tools don't run in

145
00:08:17.660 --> 00:08:21.980
the kernel for Linux or Mac. But, I don't think any others do

146
00:08:22.010 --> 00:08:25.130
either, and I think that's one of the challenges with Windows.
I

147
00:08:25.130 --> 00:08:29.480
know that Microsoft has promised to unveil what it plans to do

148
00:08:29.600 --> 00:08:33.410
that's different. It's getting some pressure from Germany in

149
00:08:33.410 --> 00:08:37.340
particular, saying, why does security software still need to

150
00:08:37.340 --> 00:08:41.240
hook into the kernel? What can you do about it that doesn't, I

151
00:08:41.240 --> 00:08:46.370
think, stifle competition will be the subtext there. Still a

152
00:08:46.370 --> 00:09:10.790
very dominant issue it seems today. Go ahead Tom.

153
00:08:52.680 --> 00:08:55.860
Tom Field: From your perspective Michael, and I'm putting you on

154
00:08:55.920 --> 00:08:59.340
the spot here a bit, but CrowdStrike survived this, and I

155
00:08:59.400 --> 00:09:03.180
ask that because I'm of the mind that, you know, there are very

156
00:09:03.240 --> 00:09:07.140
few organizations that have been taken down because they suffered

157
00:09:07.200 --> 00:09:10.980
a security incident, very few! Target is emblematic of one that

158
00:09:11.040 --> 00:09:14.580
survived, even though it's talked about to this day. But, I

159
00:09:14.640 --> 00:09:18.300
have also heard opinions from people in the business. Someone

160
00:09:18.360 --> 00:09:21.720
told me last week, they gave CrowdStrike two years after

161
00:09:21.780 --> 00:09:24.120
this. I'm curious what your opinion is.

162
00:09:24.000 --> 00:09:26.568
Michael Novinson: I think to the grand scheme of things, they're

163
00:09:26.624 --> 00:09:30.141
going to be fine. I mean, if you look at market cap, that their

164
00:09:30.197 --> 00:09:33.491
valuation is down about 25%-30%. That's been holding fairly

165
00:09:33.547 --> 00:09:36.506
steady for the past few weeks or so. That's certainly

166
00:09:36.562 --> 00:09:39.912
significant. It's about $30 billion.
I don't have that in my

167
00:09:39.967 --> 00:09:42.982
pockets, but you still have to remember even with that

168
00:09:43.038 --> 00:09:46.556
valuation hit that CrowdStrike is the second-most valuable pure

169
00:09:46.611 --> 00:09:50.073
play cybersecurity company in the world, behind only Palo Alto

170
00:09:50.129 --> 00:09:53.646
Networks. SentinelOne, who would be the most direct competitor,

171
00:09:53.702 --> 00:09:57.164
is a fraction of that is maybe ... So, CrowdStrike is at about

172
00:09:57.219 --> 00:10:00.178
$55 billion valuations. SentinelOne is at $7 billion.

173
00:10:00.234 --> 00:10:03.640
So, I mean, really the biggest competitor to CrowdStrike, and

174
00:10:03.696 --> 00:10:06.934
there's IDC, actually just put out their endpoint security

175
00:10:06.990 --> 00:10:10.340
market share data is Microsoft. Microsoft is not only bigger

176
00:10:10.396 --> 00:10:13.522
than CrowdStrike at this point in endpoint security, but

177
00:10:13.578 --> 00:10:16.816
they're growing faster. And certainly, I think folks would

178
00:10:16.872 --> 00:10:20.278
argue if people are choosing Microsoft over CrowdStrike, it's

179
00:10:20.334 --> 00:10:23.516
not really a security-driven decision, given all of these

180
00:10:23.572 --> 00:10:26.922
security issues that Microsoft has that certainly customers,

181
00:10:26.978 --> 00:10:30.272
particularly in the mid-market and below, are cost

182
00:10:30.328 --> 00:10:33.901
conscious that you have these E5 licenses and bundling, which is

183
00:10:33.957 --> 00:10:37.251
hard for a pure play security vendor to do since they don't

184
00:10:37.307 --> 00:10:40.656
have an OS that they're also selling you.
So I yeah, I think

185
00:10:40.712 --> 00:10:44.286
it certainly takes some wind out of their sails and but so yeah,

186
00:10:44.341 --> 00:10:47.356
I think they will grow more slowly, but I don't think,

187
00:10:47.412 --> 00:10:50.874
barring a repeat of this, that something like this will happen

188
00:10:50.929 --> 00:10:54.391
again. To Mat's point about the kernel, and this was, I was on

189
00:10:54.447 --> 00:10:57.685
call with financial investors, so they're not going to get

190
00:10:57.741 --> 00:11:01.203
hypertechnical. This wasn't a call with CISOs. But I mean, the

191
00:11:01.258 --> 00:11:04.162
big points that Tomer was making, because obviously,

192
00:11:04.217 --> 00:11:07.567
CrowdStrike is committing to doing less in the kernel and to

193
00:11:07.623 --> 00:11:10.973
doing phased updates, is the point that he made is we're not

194
00:11:11.029 --> 00:11:14.211
starting now with the new deployment process that we have

195
00:11:14.267 --> 00:11:17.338
a 5-7 year head start because we've been requiring less

196
00:11:17.394 --> 00:11:20.409
updates that we've been embedding AI into the endpoint

197
00:11:20.464 --> 00:11:23.703
agent that updates live in a different part of the system,

198
00:11:23.759 --> 00:11:27.276
away from the kernel. And these are things we've been doing for

199
00:11:27.332 --> 00:11:30.793
a number of years, rather than just starting now to figure out

200
00:11:30.849 --> 00:11:34.255
how to do that. So his point was, from a security standpoint,

201
00:11:34.311 --> 00:11:37.493
that CrowdStrike has, rather than SentinelOne, has a head

202
00:11:37.549 --> 00:11:40.787
start here. I mean, what's interesting in terms of that is

203
00:11:40.843 --> 00:11:44.472
really where CrowdStrike's bread and butter, but historically has

204
00:11:44.528 --> 00:11:47.766
been that large enterprise. That's where they that's where

205
00:11:47.822 --> 00:11:51.284
they were born.
That's where, I mean, their tagline has been -

206
00:11:51.339 --> 00:11:54.578
We Stop Breaches, and that's really where they played. And

207
00:11:54.633 --> 00:11:58.095
certainly both SentinelOne and Microsoft typically played down

208
00:11:58.151 --> 00:12:01.501
market that SentinelOne had a very strong network of managed

209
00:12:01.557 --> 00:12:05.018
security service providers and partners, and they worked a lot

210
00:12:05.074 --> 00:12:08.368
with these professional service automation vendors to reach

211
00:12:08.424 --> 00:12:11.718
customers, and CrowdStrike's tried to move down market, but

212
00:12:11.774 --> 00:12:14.900
what's interesting now is that, yeah, you have the large

213
00:12:14.956 --> 00:12:18.139
enterprises, and those are the ones who are probably most

214
00:12:18.194 --> 00:12:21.768
security conscious, but also can be most flexible from a pricing

215
00:12:21.824 --> 00:12:24.894
standpoint. So, if they're considering other things, if

216
00:12:24.950 --> 00:12:28.188
they're taking a deep look at the architecture and saying,

217
00:12:28.244 --> 00:12:31.147
"Yes, SentinelOne's architecture is more secure than

218
00:12:31.203 --> 00:12:34.609
CrowdStrike's, that there is some opportunity for a customer,

219
00:12:34.665 --> 00:12:37.903
for taking away customers." But, I think, it's going to be

220
00:12:37.959 --> 00:12:41.309
gradual. And I think is Tomer was saying to really have some

221
00:12:41.365 --> 00:12:44.770
numbers behind these anecdotes that we're looking 9-12 months

222
00:12:44.826 --> 00:12:45.720
into the future.

223
00:12:45.240 --> 00:12:47.866
Mathew Schwartz: Fascinating stuff. Well, thank you Michael

224
00:12:47.928 --> 00:12:51.430
for sharing the latest on CrowdStrike and the impact, or

225
00:12:51.493 --> 00:12:55.182
fallout, depending on how you're viewing it.
So, we've been

226
00:12:55.245 --> 00:12:58.872
focusing, as you say, on a company that works with some of

227
00:12:58.935 --> 00:13:02.687
the biggest organizations in the world. Tom, I know that you

228
00:13:02.749 --> 00:13:06.751
recently had a conversation with Alberto Yépez, our friend who's

229
00:13:06.814 --> 00:13:10.503
the co-founder and managing director at Forgepoint Capital,

230
00:13:10.566 --> 00:13:14.381
talking about, well, security isn't one size fits all. He was

231
00:13:14.443 --> 00:13:18.008
talking about, I think, the unique cybersecurity needs of

232
00:13:18.070 --> 00:13:21.510
small- and mid-sized businesses. What were you hearing?

233
00:13:21.300 --> 00:13:24.227
Tom Field: Yeah exactly. Michael couldn't have given a better

234
00:13:24.285 --> 00:13:27.798
transition actually talking about the up market and the down

235
00:13:27.857 --> 00:13:31.487
market, and that was part of the conversation I had. We met at

236
00:13:31.545 --> 00:13:35.000
Black Hat a few weeks back, and of course, talked about the

237
00:13:35.058 --> 00:13:38.220
state of the cybersecurity marketplace and investment.

238
00:13:38.278 --> 00:13:41.850
Talked about how to not talk about AI and the real use cases.

239
00:13:41.908 --> 00:13:45.245
We talked about the securities and technologies that he's

240
00:13:45.304 --> 00:13:48.934
bullish on today, but we spent a good deal of our conversation

241
00:13:48.992 --> 00:13:51.978
talking about the unique cybersecurity needs of the

242
00:13:52.037 --> 00:13:55.432
small- to mid-sized market. We talk about this marketplace

243
00:13:55.491 --> 00:13:58.594
sometime like it's a minority, but reality is, 98% of

244
00:13:58.652 --> 00:14:02.341
businesses are considered small to mid size, and they're a part

245
00:14:02.400 --> 00:14:06.147
of the larger enterprises supply chains.
So, when you talk about

246
00:14:06.205 --> 00:14:09.894
their security deficits, their security needs and organizations

247
00:14:09.952 --> 00:14:13.406
that are trying to meet those needs now, it's a significant

248
00:14:13.465 --> 00:14:16.978
conversation. So, I was pleased to have this discussion with

249
00:14:17.036 --> 00:14:20.608
Alberto, and I want to share with you just an excerpt of what

250
00:14:20.666 --> 00:14:22.950
he shared with me in that conversation.

251
00:14:23.170 --> 00:14:25.840
Alberto Yépez: Well, SMB largely underserved. So, I agree with

252
00:14:25.840 --> 00:14:31.450
you a 100%. It's the backbone of our economy, and that you in the

253
00:14:31.450 --> 00:14:35.260
U.S., we talk about an SMB market, where it tends to be the

254
00:14:35.500 --> 00:14:38.290
larger companies, and smaller countries are SMB businesses.

255
00:14:38.290 --> 00:14:41.680
So, I think we're seeing more innovation, we're beginning to

256
00:14:41.680 --> 00:14:45.790
see more delivery as a service, as you know that transformation

257
00:14:45.820 --> 00:14:50.770
could only be possible because of the cloud capability in the

258
00:14:50.770 --> 00:14:55.180
service delivery platform. So, I think it is only going to become

259
00:14:55.210 --> 00:14:58.570
more and more important. We've been very fortunate to be part

260
00:14:58.570 --> 00:15:02.410
of journeys of teams like Huntress as a company that, you

261
00:15:02.410 --> 00:15:06.340
know, they exclusively focus on working with the SMB saying, "We

262
00:15:06.340 --> 00:15:10.690
want to give in the best quality cybersecurity defenses as the

263
00:15:10.720 --> 00:15:14.200
largest companies in the Fortune 500." So, I would say, largely

264
00:15:14.200 --> 00:15:17.770
underserved. We see more investment. We need even more.

265
00:15:18.040 --> 00:15:23.410
It's not enough.
And more importantly, I think, smaller

266
00:15:23.410 --> 00:15:28.030
organizations, they don't have the skill set, are more willing

267
00:15:28.030 --> 00:15:30.730
to invest now, because it's being delivered as a service,

268
00:15:30.730 --> 00:15:33.340
and therefore they don't have to make all the other investments

269
00:15:33.340 --> 00:15:37.270
in infrastructure and knowledge and keep talent. Not only

270
00:15:37.270 --> 00:15:39.970
attract and retain talent, but now they're getting partners

271
00:15:39.970 --> 00:15:43.480
that are helping them with that key component of their life as a

272
00:15:43.480 --> 00:15:43.930
company.

273
00:15:44.290 --> 00:15:45.940
Tom Field: Yeah man, we've heard bits and pieces these three

274
00:15:45.940 --> 00:15:48.910
years. Phil Reitinger and his organization have focused on

275
00:15:48.910 --> 00:15:51.730
small- to mid-sized organizations for some time. We

276
00:15:51.730 --> 00:15:56.110
spoke earlier this year with Dawn Cappelli with the OT-CERT.

277
00:15:56.260 --> 00:15:59.170
And OT certainly is considered more considered small- to

278
00:15:59.170 --> 00:16:02.440
mid-sized organizations and those, and particularly

279
00:16:02.440 --> 00:16:05.950
community utility infrastructure. I've seen lots

280
00:16:05.950 --> 00:16:08.110
of pieces of this coming together now, and I think the

281
00:16:08.110 --> 00:16:12.730
timing is terrific, because the needs are ... the organization

282
00:16:12.730 --> 00:16:16.000
might be smaller, the needs are just as great, if not greater.

283
00:16:16.990 --> 00:16:19.900
Mathew Schwartz: I am hearing a lot of discussion lately as well

284
00:16:19.900 --> 00:16:23.830
about the ability of small- and mid-sized firms to access

285
00:16:23.830 --> 00:16:27.940
technologies they might not have thought about. Microsoft being

286
00:16:27.940 --> 00:16:31.750
one example of things that people often default into.
But

287
00:16:32.050 --> 00:16:36.190
as Alberto was saying, working with cloud delivery, or also I'm

288
00:16:36.190 --> 00:16:40.030
hearing managed security service providers, and I think there's

289
00:16:40.030 --> 00:16:43.420
more of them now targeting the small- and mid-sized market and

290
00:16:43.420 --> 00:16:46.420
making a really compelling business case for why you might

291
00:16:46.420 --> 00:16:47.320
want to work with them.

292
00:16:47.800 --> 00:16:49.930
Tom Field: You're exactly right in the threat landscape we all

293
00:16:49.930 --> 00:16:52.090
face every day. It's a compelling argument to start

294
00:16:52.090 --> 00:16:55.030
looking at the next options. So, the timing is terrific to have

295
00:16:55.030 --> 00:16:56.350
more conversations about this.

296
00:16:56.000 --> 00:16:59.510
Michael Novinson: And I'll just add one quick thing on this,

297
00:16:59.510 --> 00:17:02.180
which is we are seeing kind of a new generation of SMB-focused

298
00:17:02.180 --> 00:17:04.610
vendors, certainly one portfolio company of Forgepoint's Huntress,

299
00:17:04.610 --> 00:17:08.000
who has done a ton in the SMB market, focused on, as

300
00:17:08.000 --> 00:17:10.940
they say, we serve the 99%. Certainly, ThreatLocker as well,

301
00:17:10.940 --> 00:17:13.550
who took that allowlisting technology, brought it down

302
00:17:13.550 --> 00:17:16.820
market and certainly, and from a provider standpoint, that so

303
00:17:16.820 --> 00:17:18.800
many of the companies who are serving the SMB in the mid

304
00:17:18.800 --> 00:17:22.010
market have been around for decades. Sophos and WatchGuard

305
00:17:22.010 --> 00:17:26.540
and SonicWall and I said, Bitdefender. And those

306
00:17:26.780 --> 00:17:29.510
companies, they certainly have legacy technology to bet around.

307
00:17:29.510 --> 00:17:32.480
But, we're seeing some new companies get scale, get unicorn

308
00:17:32.480 --> 00:17:37.070
valuations, get significant nine-figure ARR focused on the SMB in

309
00:17:37.070 --> 00:17:39.500
the mid market, which is certainly a promising sign for

310
00:17:39.770 --> 00:17:41.180
organizations in that space.

311
00:17:41.750 --> 00:17:43.190
Tom Field: Agree. Won't be the last time we have this

312
00:17:43.190 --> 00:17:43.970
conversation Mat.

313
00:17:45.250 --> 00:17:48.850
Mathew Schwartz: I would be surprised if it was. Well, all

314
00:17:48.850 --> 00:17:53.020
of this discussion about getting the right defenses in place,

315
00:17:53.200 --> 00:17:56.410
hopefully those defenses working correctly. That is all, of

316
00:17:56.410 --> 00:17:59.350
course, in the service of improving your defensive

317
00:17:59.380 --> 00:18:05.500
posture. And speaking of helping us with defense, the United

318
00:18:05.500 --> 00:18:10.060
Nations has been working on a convention against cybercrime.

319
00:18:10.570 --> 00:18:14.860
Chris, I know you have been following these events closely.

320
00:18:15.040 --> 00:18:18.850
What's the latest on the UN's effort and why is there some

321
00:18:18.850 --> 00:18:20.980
opposition to what's been going on lately?

322
00:18:21.620 --> 00:18:24.140
Chris Riotta: Yeah, it's actually a fascinating story.

323
00:18:24.140 --> 00:18:27.860
You know, it seems on its surface like this would be a

324
00:18:27.980 --> 00:18:31.910
highly popular initiative by the United Nations and Western

325
00:18:31.910 --> 00:18:34.430
countries, but there's been a lot of controversy and a lot of

326
00:18:34.430 --> 00:18:37.520
growing concerns around some of the specifics. But, before we

327
00:18:37.520 --> 00:18:40.070
dig into those, I think that it's important that we take a

328
00:18:40.070 --> 00:18:43.520
quick step back and see how we got here in the first place.
So,

329
00:18:43.550 --> 00:18:47.870
the process for this Cybercrime Convention first began in 2017

330
00:18:48.110 --> 00:18:51.410
when Russia, of all member states, first proposed the idea

331
00:18:51.410 --> 00:18:55.190
of creating a UN cybercrime treaty. So, the move was met

332
00:18:55.190 --> 00:18:58.730
with significant skepticism, especially from Western nations,

333
00:18:58.730 --> 00:19:01.640
including the United States, which opposed starting

334
00:19:01.640 --> 00:19:05.540
negotiations under the UN's auspices at the time. The

335
00:19:05.540 --> 00:19:08.930
concern was, and it still resonates today, that the

336
00:19:08.930 --> 00:19:12.860
convention led by Russia might not prioritize the protection of

337
00:19:12.860 --> 00:19:16.670
global digital security, internet freedoms and the

338
00:19:16.670 --> 00:19:19.700
privacy rights that we all rely on today and know of when it

339
00:19:19.700 --> 00:19:23.990
comes to the World Wide Web. So, fast forward to December 2019,

340
00:19:24.260 --> 00:19:28.100
the UN General Assembly votes unexpectedly to establish an

341
00:19:28.100 --> 00:19:31.640
intergovernmental committee tasked with drafting the treaty.

342
00:19:32.000 --> 00:19:35.210
The decision was significant because it sort of set into

343
00:19:35.210 --> 00:19:38.750
motion the process that many experts feared would kind of

344
00:19:38.750 --> 00:19:42.650
sideline the interests of democratic nations in favor of a

345
00:19:42.650 --> 00:19:46.850
more authoritarian approach to cybercrime. The concern at the

346
00:19:46.850 --> 00:19:50.300
time again was that the language in the treaty would fail to

347
00:19:50.300 --> 00:19:54.260
adequately safeguard many of the freedoms and rights that are

348
00:19:54.290 --> 00:19:57.860
central to the open Internet.
So, as the treaty took shape,

349
00:19:57.890 --> 00:20:00.770
there was a coalition of technology organizations

350
00:20:00.920 --> 00:20:04.670
represented by the Cybersecurity Tech Accord, and they began to

351
00:20:04.670 --> 00:20:08.270
raise some significant alarms. They warned that the treaty, as

352
00:20:08.270 --> 00:20:11.780
drafted, could actually facilitate cybercrime rather

353
00:20:11.780 --> 00:20:15.800
than prevent it. This is because the treaty would allow for the

354
00:20:15.800 --> 00:20:19.520
sharing of personal information between nations with little to

355
00:20:19.520 --> 00:20:24.770
no oversight or transparency. It also lacks clear thresholds for

356
00:20:24.770 --> 00:20:27.860
criminal intent, which puts security researchers,

357
00:20:27.860 --> 00:20:30.770
journalists and even whistleblowers at risk of

358
00:20:30.770 --> 00:20:34.490
prosecution in many countries that could just choose to abuse

359
00:20:34.490 --> 00:20:37.400
the treaty's provisions. I mean, we could foresee this happening

360
00:20:37.400 --> 00:20:41.930
in Russia or something of the sort. The convention requires

361
00:20:41.930 --> 00:20:45.290
all member states to criminalize unauthorized access to

362
00:20:45.290 --> 00:20:49.070
information and communications technology systems. And while

363
00:20:49.070 --> 00:20:52.460
this sounds reasonable on its surface, the devil really is in

364
00:20:52.460 --> 00:20:56.720
the details. Critics argue that the treaty's broad and vague

365
00:20:56.720 --> 00:21:01.010
language could be exploited by authoritarian regimes to crack

366
00:21:01.010 --> 00:21:04.670
down on legitimate activities under the guise of combating

367
00:21:04.670 --> 00:21:09.440
cybercrime. Now, the UN GA is preparing to vote on the

368
00:21:09.440 --> 00:21:14.270
finalized draft, which could come in a few months, sometime

369
00:21:14.270 --> 00:21:16.880
this fall, where we're anticipating.
And the Tech 370 00:21:16.880 --> 00:21:22.550 Accord, which led a delegation, is growing, joining a growing 371 00:21:22.550 --> 00:21:25.670 number of organizations, including Human Rights Watch, 372 00:21:25.670 --> 00:21:29.810 the Electronic Frontier Foundation, major technology 373 00:21:29.810 --> 00:21:34.160 firms like Cisco, which are all pushing member states to either 374 00:21:34.160 --> 00:21:39.140 reject the convention in its current form or make significant 375 00:21:39.320 --> 00:21:43.160 amendments to the final draft. They argue that the treaty is 376 00:21:43.160 --> 00:21:46.280 just too flawed to adopt and that it could create significant 377 00:21:46.280 --> 00:21:49.400 challenges for cybersecurity professionals and ethical 378 00:21:49.400 --> 00:21:52.580 hackers who play a really crucial role in maintaining the 379 00:21:52.580 --> 00:21:56.450 safety and security of our digital world. I spoke to Nick 380 00:21:56.480 --> 00:21:59.960 Ashton-Hart this week, who leads the Cybersecurity Tech Accord 381 00:22:00.140 --> 00:22:03.830 and the delegation to the United Nations, and he told me, "The 382 00:22:03.860 --> 00:22:07.580 best option now is for a majority of the UN's member 383 00:22:07.580 --> 00:22:11.540 states to decide not to adopt the convention at all." So, the 384 00:22:11.540 --> 00:22:15.290 UN processes do allow members to submit amendments after the 385 00:22:15.290 --> 00:22:19.310 finalization of a draft, but each of those proposals would be 386 00:22:19.310 --> 00:22:22.850 subject to debate and require approval by a majority vote to 387 00:22:22.850 --> 00:22:26.000 be included in the final version of the text. So, it's pretty 388 00:22:26.030 --> 00:22:30.800 complex. As is, Ashton-Hart said that members such as the U.S. 389 00:22:30.830 --> 00:22:34.340 will be limited to supporting implementation through capacity 390 00:22:34.340 --> 00:22:37.730 building and technical assistance. 
Of course, my whole 391 00:22:37.730 --> 00:22:40.850 story on this is published across ISMG's verticals and on 392 00:22:40.880 --> 00:22:43.610 GovInfoSecurity. So, you can check that out if you want to 393 00:22:43.790 --> 00:22:44.990 dig into it a little bit more. 394 00:22:45.680 --> 00:22:47.990 Mathew Schwartz: A fascinating story. As you say, it seems like 395 00:22:47.990 --> 00:22:51.740 it should have been a slam dunk, and now it seems like a lot of 396 00:22:51.740 --> 00:22:54.740 people are just waiting for it to go away unfortunately. 397 00:22:55.820 --> 00:22:58.610 Chris Riotta: Yeah. I mean, you know, if implemented as is, the 398 00:22:58.610 --> 00:23:01.700 convention could really undermine global cybersecurity 399 00:23:01.700 --> 00:23:05.270 efforts by discouraging the very activities like ethical hacking 400 00:23:05.270 --> 00:23:09.260 and security research that are so crucial for identifying and 401 00:23:09.260 --> 00:23:11.960 mitigating cyberthreats. So, it could really create this 402 00:23:11.960 --> 00:23:15.170 chilling effect that a lot of the experts that I've spoken to 403 00:23:15.410 --> 00:23:18.170 say that it would just really make professionals a lot less 404 00:23:18.170 --> 00:23:21.980 willing to engage in necessary cybersecurity work for fear of 405 00:23:21.980 --> 00:23:23.570 legal repercussions. 406 00:23:24.860 --> 00:23:27.380 Mathew Schwartz: There's so much nuance when it comes to 407 00:23:27.410 --> 00:23:30.890 attempting to legislate pro-cybersecurity, 408 00:23:31.310 --> 00:23:36.920 anti-cybercrime sorts of initiatives, which thank you 409 00:23:36.920 --> 00:23:39.680 very much Chris. That was fascinating. Which brings me to 410 00:23:39.680 --> 00:23:46.430 my last question, just for fun, instead of all this nuance and 411 00:23:46.460 --> 00:23:51.170 gray area and difficulty separating right from wrong, 412 00:23:51.830 --> 00:23:56.180 what if we look to superheroes? 
Specifically, if there is an 413 00:23:56.180 --> 00:24:00.440 existing superhero out there, how would you reboot it for the 414 00:24:00.440 --> 00:24:04.640 cybercrime or the cybersecurity realm and why? 415 00:24:06.140 --> 00:24:11.480 Tom Field: I have an idea. I'm a big fan of the captain - Captain 416 00:24:11.480 --> 00:24:16.010 America. You know, Captain America was born in 1941 before 417 00:24:16.040 --> 00:24:20.990 the U.S. got into World War II and very much went after the 418 00:24:21.650 --> 00:24:27.170 Nazis and its allies that were put in the world at war. And if 419 00:24:27.170 --> 00:24:29.630 Captain America is willing to take on Adolf Hitler, the very 420 00:24:29.630 --> 00:24:31.910 first issue of Captain America has got Adolf Hitler being 421 00:24:31.910 --> 00:24:34.820 punched by Captain America is willing to take on Captain 422 00:24:34.820 --> 00:24:39.050 America and the Nazi regime, I think, very ready to take on a 423 00:24:39.050 --> 00:24:41.990 few nation states and maybe some disinformation campaigns as 424 00:24:41.990 --> 00:24:44.720 well. So, my money's behind the red, white and blue. 425 00:24:46.760 --> 00:24:49.820 Mathew Schwartz: Here's the cap. Excellent. Thank you. Michael, 426 00:24:49.850 --> 00:24:50.570 what about you? 427 00:24:50.000 --> 00:24:53.960 Michael Novinson: I think it old school. Not quite that far back. 428 00:24:53.960 --> 00:24:58.910 I was thinking about the Wonder Twins from the late 1970s into 429 00:24:58.910 --> 00:25:02.060 more recent times. And Wonder Twin powers activate made me 430 00:25:02.060 --> 00:25:04.610 think of got two of them thinking of two-factor 431 00:25:04.610 --> 00:25:08.450 authentication and the importance of not relying on a 432 00:25:08.450 --> 00:25:11.750 single entity or a single source. So, that was my 433 00:25:11.750 --> 00:25:13.730 inspiration. Also just been hearing too much about 434 00:25:13.730 --> 00:25:17.300 Spider-Man from Disney Jr recently. 
So, I wanted a little 435 00:25:17.300 --> 00:25:18.020 break from that. 436 00:25:18.380 --> 00:25:20.720 Mathew Schwartz: Excellent. Wonder Twin powers indeed. Thank 437 00:25:20.720 --> 00:25:23.810 you. Chris, what about you? 438 00:25:24.290 --> 00:25:27.350 Chris Riotta: Well, as a major tech enthusiast, I've always 439 00:25:27.350 --> 00:25:31.340 loved Batman for his gadgets and gizmos. So, I think it would be 440 00:25:31.340 --> 00:25:35.360 really cool to kind of lean into that. Could ... his Batcave 441 00:25:35.360 --> 00:25:38.210 could be turned into, like, you know, a fortified data center. 442 00:25:38.210 --> 00:25:42.320 He could kind of combat major hacks or you could even take the 443 00:25:42.320 --> 00:25:45.410 other route of being the Joker and launch a major cyberattack 444 00:25:45.410 --> 00:25:48.170 against the Dark Knight himself, which I think could be pretty. 445 00:25:49.490 --> 00:25:51.110 Tom Field: Thinking about a Dark Knight web now. 446 00:25:52.130 --> 00:25:52.910 Chris Riotta: Exactly. 447 00:25:54.850 --> 00:25:56.380 Mathew Schwartz: Excellent. Well, if this isn't too much 448 00:25:56.380 --> 00:25:59.560 word play, I was thinking Kraven the Threat Hunter. 449 00:25:59.830 --> 00:26:00.430 Tom Field: Oh nice. 450 00:26:00.720 --> 00:26:02.970 Mathew Schwartz: Why just go after a big game when you could 451 00:26:02.970 --> 00:26:07.260 go after big threats in the cybercrime realm? 452 00:26:07.890 --> 00:26:08.850 Tom Field: You got Spider-Man. 453 00:26:09.270 --> 00:26:12.780 Mathew Schwartz: Yeah, exactly right. Spider-Man, he's so, you 454 00:26:12.780 --> 00:26:17.100 know, free cyber you know. There's this bigger fish to fry. 455 00:26:18.090 --> 00:26:20.250 Tom Field: Well done. Hey Mat, you never explained your 456 00:26:20.250 --> 00:26:21.450 background today? What is it? 457 00:26:21.900 --> 00:26:24.900 Mathew Schwartz: Oh, great question. I'm here in Scotland. 
458 00:26:25.110 --> 00:26:29.370 It was a beautiful day recently, and I say it that way because 459 00:26:29.370 --> 00:26:33.180 our summer has been a collection of five or six nice days in 460 00:26:33.180 --> 00:26:37.710 recent months and lots of rain. So, this was my little moment of 461 00:26:37.710 --> 00:26:39.450 Zen on a recent beautiful day. 462 00:26:39.840 --> 00:26:41.340 Tom Field: Very nice. 463 00:26:41.910 --> 00:26:45.090 Mathew Schwartz: Thanks for the ask there. Thanks everyone for 464 00:26:45.120 --> 00:26:50.430 your superhero stories and also your analysis of the latest and 465 00:26:50.430 --> 00:26:54.930 greatest cybersecurity news. Tom, Michael, Chris, thanks so 466 00:26:54.930 --> 00:26:55.890 much for being here. 467 00:26:55.000 --> 00:26:56.770 Thanks for having us. 468 00:26:56.770 --> 00:26:57.190 Michael Novinson: Thank you Mat. 469 00:26:57.760 --> 00:26:59.080 Tom Field: Wherever you are, see you soon. 470 00:26:59.470 --> 00:27:01.960 Mathew Schwartz: That's right. Back to your regularly scheduled 471 00:27:01.960 --> 00:27:06.190 host, very soon with Anna Delaney. Until then, I'm Mathew 472 00:27:06.190 --> 00:27:08.620 Schwartz with ISMG. Thanks for joining us.