RSA 2023 and the security identity crisis, part two

The narrative from security vendors is organizations don’t spend enough money on cyber defense. Maybe… but will spending more actually address the problems organizations face? The conventional wisdom is it will help; or at least it can’t hurt. But as we and others have pointed out over the years, a crowded market and mega venture capital funding have created more tools, more complexity and more billionaires… but are we safer?

In this Breaking Analysis, we follow up last week’s episode and continue with part two. In an homage to the keynote from RSA Security LLC Chief Executive Rohit Ghai, we ask: Is there a looming identity crisis in the security industry?  This week we’re excited to introduce the newest member of the SiliconANGLE editorial team, longtime journalist David Strom. With David, we’ll unpack the data and bring additional context to the Enterprise Technology Research body of work. We’ll also look at some recent data from Unit 42, Palo Alto Networks Inc.’s threat intelligence and response division. As well, we’ll dig into the anatomy of a recent double supply chain hack.

The more things change…

As we shared last week, zero trust came back as the No. 1 information technology priority in the next 12 months. The chart above from ETR is a double-click on specifically which security areas are in focus. Identity, single-sign-on and multifactor authentication or MFA came in tied with vulnerability management and patching. And the rest of the initiatives are the same ones we’ve been talking about for years in the business.

According to Strom:

You could have run this same slide five years ago, maybe even 10 years ago, with the exception of the logging tools. I mean, it’s pretty embarrassing for the security industry that we’re still talking about the same types of processes, same types of tools and techniques. And we should have a better handle on this, but we don’t.

Strom also pointed out that firewalls is missing from the chart. Every company has is firewall and it’s because of poor firewalls that we need zero trust.

Listen to David Strom riff on the embarrassing state of security today and the failure of firewalls to protect organizations.

Most security wounds are self-inflicted

The next data point below comes from Palo Alto Network’s Unit 42 Cloud  Threat Report. It tells us that typically 5% of the security rules trigger the majority of security alerts. And the same mistakes are made over and over.

We asked Strom: “What does this tell us about security practices today?”

It shows that they’re pretty lousy. I mean, we really don’t have very much security by design. In other words, before you even code your first line of an app, you think about how to secure it. And a lot of developers are just plain lazy. They don’t really look at security as their province. They think that’s somebody else’s job. A lot of the secret scanning tools that were mentioned in the report have been available for years, yet the vast majority of organizations, like 80%, have hard-coded encryption keys and other secrets into their code. It’s just nuts. It’s just really poor practice.

Listen to David Strom talk about the lack of security by design.

Anatomy of the 3CX double supply chain hack

Continuing on the theme of a looming crisis, the chart below is brought to you by Mandiant, the threat intelligence and response company that is now part of Google LLC. As we know, threats are ever-escalating and can come from unexpected sources. A recent double supply chain hack serves as a stark reminder of the importance of robust security measures, even for seemingly harmless applications.

The chart explains what is believed to be the first evidence-based confirmation of a double supply chain compromise, where an initial supply chain infiltration triggered a second wave of compromise.

Speaking of API security – Akamai acquires Neosec

Last week ETR’s Erik Bradley pointed out that he thought one of the API security companies would get acquired. And we listed a number of potential acquirers. He didn’t predict Akamai would take out Neosec, but Erik highlighted Salt Security as a possible target.

The chart above takes data from ETR’s main TSIS (Technology Spending Intentions Survey) for Akamai – which has 190 accounts in the survey – and crosses it with emerging technology companies that are privately held and focused on API security. And we’ve listed the in blue the percentage customer overlap between Akamai and the three companies shown, Neosec, Noname Security and Salt Security. In red we show the amount of capital raised according to Crunchbase.

This past week at QlikWorld 2023, we had the opportunity to sit down with Drew Clarke, who heads strategy for Qlik, a company that has been highly acquisitive for the better part of the past six years. He cited four key criteria that are necessary to have a successful acquisition: 1) Aaignment of vision; 2) technology fit; 3) culture; and then and only then 4) financial.

Listen to Qlik CSO Drew Clarke explain the four key criteria that are necessary for a good acquisition.

There’s not a big difference across the three companies in the ETR data with respect to customer overlap. But it’s clear that Noname and Salt Security would be far more expensive than Neosec, assuming the Crunchbase data is correct. Strom has been following Akamai’s acquisitions for years, so we asked him for his thoughts on this particular acquisition.

Well, Akamai I think generally makes very well-reasoned and well-timed acquisitions because they have to maintain an absolute trust in the quality of their infrastructure. I mean, the biggest websites in the world are running over Akamai. And so they have to have the tightest security and the most error free [experience]. Google uses them, Microsoft uses them. So this is a good idea for Akamai. A lot of their acquisitions –  over 30 of them – are companies who you’ve never heard of. One of the more recent ones was Linode, which is an open-source community for all sorts of coding practices. They [Akamai] probably tried out the, their API security and thought that Neosec was a solid product.

David Strom explains Akamai’s acquisition approach and likely logic behind the Neosec move.

No shortage of emerging tech M&A candidates in cybersecurity

Staying with those privately held emerging tech companies, we want to share a high level view of what’s in the ETR database. The graph below shows privately held companies in the ETR Emerging Technology Survey grouped by security subsector. You can see in the top group there are 17 cloud and 15 identity security companies. They’re the most crowded. Group 2 is AppSec and intrusion detection and prevention. Then there’s assessment, container and IoT security and so on.

We’ve highlighted identity to emphasize our identity crisis theme and we’re going to talk more about that in a moment. But we discussed with Strom the possibility that cloud and identity are over crowded and whether there is really a need for this many nonpublic companies? The following summarizes the conversation:

The space is complex and diverse. But while there are many companies, there’s a need for specialized solutions to tackle various security challenges, because generally the industry is not addressing them in a comprehensive manner. No company has one security supplier. Buyers typically employ multiple security suppliers and tools to ensure adequate protection, creating a mixture of solutions that can address different vulnerabilities.

However, the discussion also highlights a concerning trend: the continuous addition of new security tools without ever getting rid of older ones. This practice can create more problems, as IT managers are often afraid to terminate a security product for fear of exposing their systems to potential exploits. Ironically, this can result in unpatched and outdated tools becoming the very entry points for attackers to exploit.

Listen to the conversation as to whether the cloud and identity markets are overcrowded.

Identity and access management under the magnifying glass

Was Auth0 the right move for Okta?

Staying on the theme of identity – let’s take a look at some of the major players in that space.

As it pertains to the other players in the chart above, over the last five years, the identity access and security market has seen significant expansion. Many companies were slow to adopt cloud technology, but now these companies all offer cloud-based products and have identity connectors for various applications. Additionally, they have developed different tools to cater to the needs of their clients. As a result, early adopters of these solutions continue to use them, and market share has expanded. For instance, according to Strom, Ping Identity is widely used in Walmart, powering thousands of computers. Once a customer buys a license for a specific number of computers, they tend to stick with the same provider, unless something significant happens. In summary, while the market is expanding, customer loyalty is strong, and it takes a significant event to sway them from their preferred provider.

Possible identity and access management acquisitions

Let’s take a closer look at the data below, which was developed from ETR’s TSIS.

Last week, we identified potential acquirers and have done that here again. This week we include Cisco, CrowdStrike, IBM, Palo Alto Networks and Zscaler as possible buyers. And we pulled 15 emerging technology companies in the IAM sector from the ETS (emerging tech) survey to plot against them. The resulting chart above shows the overlap of these companies, with 770 N in the six potential buyer companies mentioned previously. Net sentiment, a measure of intent to engage, is on the Y-axis, and mindshare, the number of mentions, is on the X-axis. While there are other identity players in the market, not shown in the chart, this provides valuable insights into the market and potential acquisition targets.

Notably, BeyondTrust and 1Password stand out from the crowd. We asked Strom if this was surprising, and if so, why?

Yeah, particularly 1Password, that’s a consumer password manager. If you’ve got an SSO tool that’s working for you in your company, you’re not gonna buy a 1Password type of product. You might start out with a password manager for a small development group, for example, so that you don’t have to remember all your passwords, but eventually you’re going to migrate to an SSO tool because you don’t want to know what your passwords are. You’re going to want to have some software that takes care of that. So that automatically logs you in when you bring up your screen in the morning when you start working. All your apps are right there on your desktop. You don’t have to sit there and say, ‘Oh, now what was the password that for that?’ So to me, that shows either the SSO tools aren’t working in those organizations or they don’t have somebody that’s competent to roll them out; or that they’ve been using that personally on their home computers because they’re now working remotely and they need something that they can use that is not part of the corporate SSO tool.

Listen to David Strom explains why 1Password’s presence in the enterprise surprised him.

What to watch for at RSA 2023

Building on last week’s ‘what to watch for at RSA, let’s wrap up and summarize the closing conversation with Strom.

Data protection as an integral part of cybersecurity

It’s critical that companies take backup and recovery seriously, especially when it comes to cybersecurity. In fact, it’s an essential component of cybersecurity. Ransomware attacks are becoming more and more prevalent, and the first thing these attacks do is disable volume shadow copies on Windows and exfiltrate backup data. Without proper backups, companies are leaving themselves vulnerable to these kinds of attacks.

It’s alarming that even after years of dealing with ransomware, companies are still not implementing proper backup and recovery measures. According to recent statistics, 100% of the ransomware attacks analyzed by one company resulted in the encryption of the backup corpus. This makes it clear that companies must take a more proactive approach to backup and recovery, implementing systems that ensure data immutability and physical air gap protection.

As noted industry data protection guru Fred Moore says, “Backup is one thing, recovery is everything.” You can make all the backups in the world, but if you can’t recover from them, they’re useless. And yet, many companies don’t even bother to test the recovery of their backups, leaving them vulnerable to a variety of disasters, from bad weather to bad actors to human error.

In short, if companies don’t take backup and recovery seriously, they’re putting themselves at serious risk. This is not something to be taken lightly or ignored. As we head into RSA and other industry events, it’s critical that companies are aware of the importance of backup and recovery in their overall cybersecurity strategy.

The scourge of passwords: Is passwordless a possibility?