WEBVTT 1 00:00:00.000 --> 00:00:03.130 Anna Delaney: Hi, welcome to the ISMG Editors' Panel. I'm Anna 2 00:00:03.196 --> 00:00:06.848 Delaney, and here's our roundup of the most gripping and 3 00:00:06.913 --> 00:00:10.697 important cybersecurity news stories of the week. I'm very 4 00:00:10.762 --> 00:00:14.154 pleased to be joined by colleagues Tom Field, senior 5 00:00:14.219 --> 00:00:17.806 vice president of editorial; Mathew Schwartz, executive 6 00:00:17.871 --> 00:00:21.785 editor for DataBreachToday and Europe; and Michael Novinson, 7 00:00:21.850 --> 00:00:25.568 managing editor for ISMG business. Really good to see you 8 00:00:25.633 --> 00:00:28.830 all. Tom, are you keeping warm in the snow there? 9 00:00:30.270 --> 00:00:34.260 Tom Field: The scene behind me actually is Calgary in Canada. 10 00:00:34.470 --> 00:00:37.140 Just a couple of weeks back, 1st of November. I arrived there on 11 00:00:37.140 --> 00:00:40.050 Halloween. And the trick-or-treat was snow the next 12 00:00:40.050 --> 00:00:42.570 day and it was not their first storm of the season. It was 13 00:00:42.570 --> 00:00:45.870 their second, so yes, immediately went from fall to 14 00:00:45.870 --> 00:00:48.090 winter very quickly. And I guess that's where we are now. 15 00:00:48.180 --> 00:00:50.340 Anna Delaney: Yeah. Hope you had your snow boots with you. 16 00:00:50.880 --> 00:00:51.840 Tom Field: Indeed. I did not. 17 00:00:54.930 --> 00:00:57.540 Anna Delaney: Mathew, you're in the stadium. But tell us more. 18 00:00:57.000 --> 00:01:01.500 Mathew Schwartz: Yes, I'm surrounded by sporting prowess 19 00:01:01.530 --> 00:01:06.720 in Dublin. I was at the annual Cybercrime Summit that gets held 20 00:01:07.080 --> 00:01:11.550 in Dublin. And this year and last year, it's been out Aviva 21 00:01:11.550 --> 00:01:14.820 Stadium on Lansdowne street. So we've got this wonderful view. 
22 00:01:14.910 --> 00:01:19.140 They also have a nice corporate area with some comfortable rooms 23 00:01:19.170 --> 00:01:22.200 and it being Ireland's possibly some pints of Guinness 24 00:01:22.230 --> 00:01:25.560 afterwards, when in Ireland as they say. 25 00:01:25.600 --> 00:01:27.820 Anna Delaney: When in Ireland; I thoroughly approve. Very good. 26 00:01:28.270 --> 00:01:29.500 Tom Field: It's the "afterwards" part that surprises me. 27 00:01:31.000 --> 00:01:35.710 Anna Delaney: Michael, saving the best to us here because, you 28 00:01:31.240 --> 00:01:31.900 Mathew Schwartz: Shocking. 29 00:01:35.710 --> 00:01:39.160 know, you've got company. Very cute company, I must say. 30 00:01:39.960 --> 00:01:42.990 Michael Novinson: Oh, thank you. This was from 364 days ago, the 31 00:01:43.350 --> 00:01:48.870 U.S. holiday of Thanksgiving. 2021. This was my house. This is 32 00:01:48.870 --> 00:01:53.700 the food that I made. Here's the turkey. On the other side of me, 33 00:01:53.700 --> 00:01:57.750 this is my daughter Sonia in the background. A big pile of dishes 34 00:01:57.750 --> 00:02:00.960 there for my husband to clean afterward. But yes, we had a 35 00:02:00.960 --> 00:02:04.230 wonderful Thanksgiving at home. Abbreviated COVID Thanksgiving 36 00:02:04.230 --> 00:02:06.420 will be on the road, seeing extended family this year, but 37 00:02:06.420 --> 00:02:09.120 it was fun enjoying a feast as a family of three. 38 00:02:09.870 --> 00:02:12.780 Anna Delaney: For sure, making us feel hungry. But enjoy it 39 00:02:12.780 --> 00:02:17.280 this week, of course. So brief background to my location, a 40 00:02:17.280 --> 00:02:20.880 power station in London. Battersea Power Station has just 41 00:02:21.030 --> 00:02:24.270 reopened or actually recently opened for the first time in 42 00:02:24.270 --> 00:02:28.320 stores to the public. And it's now a shopping mall that has 43 00:02:28.320 --> 00:02:32.040 retained much of its former architecture from the 1930s. 
44 00:02:32.040 --> 00:02:36.030 They're all very art deco. And behind me is what was formerly 45 00:02:36.030 --> 00:02:40.860 known as Control Room B, replete with switches and knobs to 46 00:02:41.160 --> 00:02:45.510 control the city's power. And actually, funnily enough, one 47 00:02:45.510 --> 00:02:48.960 section was dedicated purely to Buckingham Palace and that's a 48 00:02:48.990 --> 00:02:54.330 cool fact. But now it's a very nice charming, cool, I must say, 49 00:02:54.540 --> 00:02:57.270 1950s Bar, so I had to try it out, of course. 50 00:02:57.450 --> 00:03:00.450 Mathew Schwartz: Sounds like a British drama from the 1980s - 51 00:03:00.450 --> 00:03:01.500 Control Room B. 52 00:03:01.000 --> 00:03:03.850 Tom Field: I thought she was in a starship to be honest with 53 00:03:04.060 --> 00:03:04.330 you. 54 00:03:04.360 --> 00:03:09.070 Anna Delaney: Looks and feels like that. Well, Tom, 'tis the 55 00:03:09.070 --> 00:03:10.990 season for cybercrime, is it not? 56 00:03:10.000 --> 00:03:15.400 Tom Field: It is. In fact, I spoke recently with Sam Curry, 57 00:03:15.490 --> 00:03:17.650 old friend of ours. He's the chief security officer for 58 00:03:17.650 --> 00:03:21.550 Cybereason. And of course, Cybereason did its third annual 59 00:03:21.550 --> 00:03:25.930 study of ransomware attack trends around holidays. And we 60 00:03:25.930 --> 00:03:29.650 all know that when it comes to weekends and holidays, the 61 00:03:29.650 --> 00:03:32.590 adversaries up the games, they don't take time off. They know 62 00:03:32.590 --> 00:03:36.430 companies are at reduced staff, they know that people are hoping 63 00:03:36.430 --> 00:03:40.090 for a break and maybe looking the other way. And SolarWinds 64 00:03:40.090 --> 00:03:44.380 was two years ago. We got Log4j last year. Hence we got lots of 65 00:03:44.530 --> 00:03:48.070 security leaders and PTSD this year waiting to see what happens 66 00:03:48.070 --> 00:03:51.940 next. 
So I spoke with Sam, a week or so ago, about this 67 00:03:51.940 --> 00:03:54.820 latest study and the findings. And I said to him that it's not 68 00:03:54.820 --> 00:03:58.720 news that the adversaries attack on weekends and holidays. What 69 00:03:58.780 --> 00:04:01.180 is news? I will share his response with you. 70 00:04:01.000 --> 00:04:06.070 Sam Curry: What we found is the preparedness. And I think people 71 00:04:06.070 --> 00:04:10.570 can do a lot more ahead of time. Now I'm not condoning perhaps 72 00:04:10.570 --> 00:04:12.760 paying. In fact, I think you can't pay to get out of the 73 00:04:12.760 --> 00:04:16.480 mess, to be perfectly clear. But I think that people aren't doing 74 00:04:16.480 --> 00:04:18.490 enough to prepare ahead of time. I mentioned antivirus. I 75 00:04:18.490 --> 00:04:22.060 mentioned EDR. We found that in the crisis, a quarter of those 76 00:04:22.060 --> 00:04:26.200 who decided to pay were in fact scrambling to set up crypto 77 00:04:26.200 --> 00:04:29.950 wallets. How do they in fact get the money out? A quarter of them 78 00:04:29.980 --> 00:04:33.670 were engaged in advanced negotiations, which means three 79 00:04:33.670 --> 00:04:37.450 quarters weren't. They weren't able to buy time to validate the 80 00:04:37.480 --> 00:04:41.140 data was really stolen. That means this is stuff that could 81 00:04:41.140 --> 00:04:44.680 have been done peacetime and there are strategies that people 82 00:04:44.680 --> 00:04:47.590 can engage in ahead of time and say how do we get ready in case 83 00:04:47.590 --> 00:04:51.010 of emergency break glass? Yes, but how do we do the tabletop to 84 00:04:51.010 --> 00:04:54.580 have it done? How do we make sure that this feels like a 85 00:04:54.580 --> 00:04:59.230 reflex when the time comes as opposed to a completely unused 86 00:04:59.590 --> 00:05:03.880 policy and then blowing the dust off of unused document. That 87 00:05:03.880 --> 00:05:07.810 sort of thing. 
That shouldn't be news. People should be preparing 88 00:05:07.810 --> 00:05:11.080 now for it. And if they aren't, we're about to go into the 89 00:05:11.080 --> 00:05:13.870 Thanksgiving season in the United States, Christmas all 90 00:05:13.870 --> 00:05:16.990 around the world and other holidays. Now's the time to be 91 00:05:16.990 --> 00:05:19.210 doing it. Because even if you don't celebrate those holidays, 92 00:05:19.210 --> 00:05:22.750 the bad guys know that most companies do. And that's when 93 00:05:22.750 --> 00:05:23.890 they'll be at their weakest. 94 00:05:23.000 --> 00:05:27.200 Tom Field: Here we are. U.S. Thanksgiving is tomorrow. 95 00:05:28.790 --> 00:05:30.830 Mathew Schwartz: You're trying to jinx us, Tom. I mean, I'm 96 00:05:30.830 --> 00:05:34.340 sure everything will be fine. But hopefully, organizations 97 00:05:34.340 --> 00:05:37.970 will be prepared. Although, as a cybersecurity journalist with an 98 00:05:37.970 --> 00:05:41.690 increasing amount of cynicism, I think it's unlikely that a lot 99 00:05:41.690 --> 00:05:45.110 of the victims will be seeing half prepared, because experts 100 00:05:45.110 --> 00:05:48.410 like Sam have been saying this for so long. Preparation pays. 101 00:05:48.440 --> 00:05:51.500 Take a little bit of time now, think about what you do. Print 102 00:05:51.500 --> 00:05:54.020 out the phone numbers of who you need to call in case your 103 00:05:54.020 --> 00:05:57.440 systems get cryptolocked. And we keep seeing organizations 104 00:05:57.620 --> 00:06:00.080 apparently getting surprised even though there shouldn't be 105 00:06:00.080 --> 00:06:01.760 any surprises left about this. 106 00:06:02.330 --> 00:06:05.420 Tom Field: Matt, you're exactly right. After Log4j, after 107 00:06:05.420 --> 00:06:07.910 SolarWinds, it should be no surprise about the timing of the 108 00:06:07.910 --> 00:06:11.720 year and what we should expect. 
But to me, it's similar to the 109 00:06:11.720 --> 00:06:14.780 background I have behind here. When that snowstorm hit in 110 00:06:14.780 --> 00:06:18.590 Calgary, I drove to the airport the next day. I saw cars on the 111 00:06:18.590 --> 00:06:22.190 side of the road. I saw trucks doing circles in front of me. I 112 00:06:22.190 --> 00:06:25.280 saw accidents all over the place. And it's the same thing 113 00:06:25.280 --> 00:06:27.440 I've encountered all my life growing up in the northeast of 114 00:06:27.440 --> 00:06:32.150 the U.S. Every winter, people are driving in the snow like 115 00:06:32.150 --> 00:06:35.600 it's the first time, like they haven't done it before. And they 116 00:06:35.600 --> 00:06:38.840 go out, have accidents much like these. I think the cybersecurity 117 00:06:38.840 --> 00:06:42.170 community is not much different. We know the snowstorm is coming 118 00:06:42.170 --> 00:06:43.910 but we forgot how to drive in the offseason. 119 00:06:43.000 --> 00:06:46.810 Anna Delaney: And just emphasizing that point. 120 00:06:46.930 --> 00:06:50.170 According to Cyberreason's study, I think they surveyed 121 00:06:50.200 --> 00:06:55.390 1,200 cybersecurity professionals, and 88% of them 122 00:06:55.750 --> 00:06:59.020 said they had missed a holiday or weekend event due to a 123 00:06:59.020 --> 00:07:02.080 ransomware attack. So we've even experienced it. 124 00:07:03.970 --> 00:07:06.370 Tom Field: There you go. I don't mean to be the Grinch of the 125 00:07:06.370 --> 00:07:08.440 season, but we know what's coming. Keep your eyes on the 126 00:07:08.440 --> 00:07:08.950 skies. 127 00:07:09.500 --> 00:07:12.140 Anna Delaney: Yeah, great advice. Matt, rolling into 128 00:07:12.140 --> 00:07:16.160 ransomware then. What are the dominant cybercrime trends of 129 00:07:16.160 --> 00:07:16.880 2022? 
130 00:07:17.950 --> 00:07:21.040 Mathew Schwartz: Well, Anna, four weeks is a long time, and I 131 00:07:21.040 --> 00:07:24.190 wouldn't want to get ahead of what could be something that we 132 00:07:24.190 --> 00:07:27.010 didn't see coming, not a snow storm, because we know that 133 00:07:27.010 --> 00:07:30.640 those are coming but some other calamitous events. I know I 134 00:07:30.640 --> 00:07:34.810 sound like a doomsday merchant here. But there's been a few 135 00:07:34.810 --> 00:07:40.540 really interesting trends so far. Just in no particular order 136 00:07:40.540 --> 00:07:43.870 to hit some of them. There's a new report out by cybersecurity 137 00:07:43.870 --> 00:07:47.950 firm Group-IB. And it looks at what's been a real surge in 138 00:07:47.980 --> 00:07:51.250 information stealing malware, sometimes known as info stealers. 139 00:07:51.730 --> 00:07:54.370 I find this sort of thing fascinating. So if you look at 140 00:07:54.370 --> 00:07:58.300 malware, we've had a lot of changes over the years. Banking 141 00:07:58.300 --> 00:08:03.130 Trojans used to be big. Now we're really bothered as we 142 00:08:03.130 --> 00:08:07.630 should be by ransomware. But we shouldn't over obsess about 143 00:08:07.630 --> 00:08:11.890 ransomware because criminals are trying to make a buck. And 144 00:08:11.890 --> 00:08:14.320 they'll do whatever they need to do with the least amount of 145 00:08:14.320 --> 00:08:18.040 efforts, typically, in order to get that done. And so as 146 00:08:18.160 --> 00:08:20.620 wielding ransomware has become a little more difficult because of 147 00:08:20.620 --> 00:08:23.560 law enforcement disruptions, there's been a rise in 148 00:08:23.590 --> 00:08:27.190 info stealers. And so Group-IB looked at what's going on. And 149 00:08:27.400 --> 00:08:32.560 one of the big ways of obtaining info stealers is as-a-service. So 150 00:08:32.560 --> 00:08:35.620 ransomware as a service, kind of well known. 
Lot of attackers 151 00:08:35.620 --> 00:08:38.920 work with groups that maintain the malware, and in return the 152 00:08:38.980 --> 00:08:42.580 developers that maintain it, get a cut. The same goes with 153 00:08:42.610 --> 00:08:46.840 info stealing malware. So if you want to go out make a criminal 154 00:08:46.840 --> 00:08:51.130 profit, illicit proceeds, you can sign up to be an affiliate, 155 00:08:51.700 --> 00:08:55.120 or user of one of these information stealing malware 156 00:08:55.210 --> 00:08:59.020 stealer-as-a-service sort of businesses, and they will give 157 00:08:59.020 --> 00:09:04.360 you info stealers such as Raccoon that is the most popular. Second 158 00:09:04.360 --> 00:09:09.040 most popular is RedLine. And these are designed as malware, 159 00:09:09.040 --> 00:09:11.590 designed to infect the system. And they'll look for all sorts 160 00:09:11.590 --> 00:09:15.430 of things. Credentials for Amazon, credentials for PayPal, 161 00:09:15.700 --> 00:09:19.420 your financial records, crypto wallet information, maybe your 162 00:09:19.420 --> 00:09:24.790 accounts on Steam, or Roblox or even Discord. And then this gets 163 00:09:24.790 --> 00:09:30.520 ingested and sometimes the person who's using the malware, 164 00:09:30.520 --> 00:09:33.400 gets to keep some of it. Typically though the 165 00:09:33.850 --> 00:09:36.550 stealer-as-a-service operators will keep the most lucrative 166 00:09:36.550 --> 00:09:39.760 stuff. So we see them, for example, peeling off anything to 167 00:09:39.760 --> 00:09:43.300 do with cryptocurrency or cryptocurrency wallets, because 168 00:09:43.390 --> 00:09:46.840 they can sometimes use that themselves to go after people's 169 00:09:46.840 --> 00:09:49.360 cryptocurrency wallets to try to drain them. And so these 170 00:09:49.360 --> 00:09:52.660 attacks, if they're successful, is model. If it's successful, 171 00:09:52.750 --> 00:09:57.190 can be extremely lucrative. 
I think it's fascinating that you 172 00:09:57.190 --> 00:09:59.950 have this service model as well. Like I was saying RedLine is 173 00:09:59.980 --> 00:10:04.090 really popular. Group-IB said that 23 out of the 34 gangs that 174 00:10:04.090 --> 00:10:07.480 it's tracking that provide this service, use RedLine. Eight of 175 00:10:07.480 --> 00:10:11.650 the groups use Raccoon, and then three, use something custom. So 176 00:10:11.650 --> 00:10:15.610 you see, again, this model where you don't need to have a lot of 177 00:10:15.610 --> 00:10:18.400 technical expertise to get involved. You can work with a 178 00:10:18.400 --> 00:10:20.950 service that provides it to you. You go out and infect the 179 00:10:20.950 --> 00:10:26.320 systems. Everybody reaps the rewards. Info stealers as a 180 00:10:26.320 --> 00:10:29.050 service. As a side note, there's been an interesting new piece of 181 00:10:29.050 --> 00:10:32.260 ransomware called AxLocker, which is based on some 182 00:10:32.260 --> 00:10:34.450 ransomware that's been seen before. But one really 183 00:10:34.450 --> 00:10:37.060 interesting thing to me about this is it doesn't just 184 00:10:37.090 --> 00:10:39.820 cryptolock systems, it also looks for people's Discord 185 00:10:39.820 --> 00:10:44.470 credentials. So Discord, if you don't know, it's loved by the 186 00:10:44.470 --> 00:10:47.740 kids, all the gamers, they like to stream what they're doing. 187 00:10:47.890 --> 00:10:52.180 It's got Voice over IP, it's got instant messaging. So why are 188 00:10:52.180 --> 00:10:55.210 attackers looking for discord credentials? Well, there are 189 00:10:55.210 --> 00:10:59.110 about 150 million active users every month on Discord and a 190 00:10:59.110 --> 00:11:03.280 fair number of those are really into NFT's and cryptocurrency. 
191 00:11:03.490 --> 00:11:07.180 So it turns out the Discord - if you're a scammer or a fraudster 192 00:11:07.180 --> 00:11:10.600 - is a great place to try to target them, especially if you 193 00:11:10.600 --> 00:11:15.220 can steal the access to a legitimate Discord service, 194 00:11:15.340 --> 00:11:19.210 maybe on a Discord server devoted to crypto, and then try 195 00:11:19.210 --> 00:11:21.910 to scam the people who are on it. And so this leads to the 196 00:11:21.910 --> 00:11:25.120 other big trend I want to talk about which is cryptocurrency 197 00:11:25.120 --> 00:11:29.320 targeting, and we think about hacking of exchanges, North 198 00:11:29.320 --> 00:11:33.100 Korea, here's looking at you. But really with a lot of these 199 00:11:33.100 --> 00:11:36.280 cryptocurrency targeting attacks, it's much more likely 200 00:11:36.280 --> 00:11:39.040 to see things that are a lot less technically sophisticated - 201 00:11:39.280 --> 00:11:44.770 scams schemes, things like rug pulls, where I create a token 202 00:11:44.770 --> 00:11:49.570 called squid coin. And I get a bunch of people to invest in it, 203 00:11:49.870 --> 00:11:52.720 but I don't let them sell it. And then once it hits what I 204 00:11:52.720 --> 00:11:58.330 think is a critical mass, maybe $3.4 million worth. I turn it 205 00:11:58.330 --> 00:12:01.990 all off and I walk away with all the funds. I take that liquidity 206 00:12:01.990 --> 00:12:06.040 and use it against investors. So if you can think of a scheme and 207 00:12:06.040 --> 00:12:09.580 it can be executed by fraudsters, expect it to happen. 208 00:12:09.760 --> 00:12:13.780 And so I think with the crash and burn that we're seeing of 209 00:12:13.780 --> 00:12:17.260 cryptocurrency exchange FTX, it seems to be a crash and burn 210 00:12:17.260 --> 00:12:20.560 whatever they say. That's had a knock on effect. 
Bitcoin's down 211 00:12:20.560 --> 00:12:25.720 from $21,000 at a high to earlier this week, but $15,500 212 00:12:25.750 --> 00:12:29.740 per bitcoin. That's still a lot of cash. I mean, okay, if you're 213 00:12:29.740 --> 00:12:32.050 an investor, it doesn't look good. But if you're a criminal, 214 00:12:32.170 --> 00:12:35.650 and you can convert those bitcoins into dollars, that is 215 00:12:35.830 --> 00:12:42.160 an amazing attack or amazing scenario still. And so, anybody 216 00:12:42.190 --> 00:12:44.920 with any interest in cryptocurrency or NFT's or who 217 00:12:44.920 --> 00:12:49.000 gets an email promising a bonanza of free bitcoin, all you 218 00:12:49.000 --> 00:12:51.310 have to do is just deposit a little bit to show us your good 219 00:12:51.310 --> 00:12:54.610 intentions, that kind of thing that we've seen so many times 220 00:12:54.610 --> 00:12:58.360 before now in a crypto guys just beware all of that. Keep an eye 221 00:12:58.360 --> 00:13:02.080 out as well for cryptojacking malware the turns the CPUs and 222 00:13:02.080 --> 00:13:04.750 your infrastructure against you. Apparently, there's been a real 223 00:13:04.990 --> 00:13:09.160 rise in critical infrastructure or any organization that has a 224 00:13:09.160 --> 00:13:13.090 lot of servers, for example, getting hit with this stuff so 225 00:13:13.090 --> 00:13:17.170 that criminals can mine more cryptocurrency. So those are 226 00:13:17.170 --> 00:13:20.770 just few the themes, obviously check back with me in four or 227 00:13:20.770 --> 00:13:23.230 five, six weeks, and then again in six months, because some of 228 00:13:23.230 --> 00:13:25.840 these attacks take forever to come to light. And we'll see 229 00:13:25.930 --> 00:13:29.800 what really went down in 2022. Yeah, yeah. 230 00:13:30.200 --> 00:13:34.100 Anna Delaney: Exciting. Can't wait now. 
But in terms of 231 00:13:34.130 --> 00:13:38.120 info stealing malware, how's the industry currently tackling 232 00:13:38.120 --> 00:13:39.740 that? Do we have the right defenses? 233 00:13:40.500 --> 00:13:43.110 Mathew Schwartz: Well, it's the same defenses as you would use 234 00:13:43.168 --> 00:13:46.881 against any kind of malware. The trouble is, like ransomware, it 235 00:13:46.939 --> 00:13:50.130 has a habit of worming into organizations. So phishing 236 00:13:50.188 --> 00:13:53.843 attacks, RDP, we focus on this a lot. For ransomware, saying if 237 00:13:53.901 --> 00:13:57.208 you want to get ahead of ransomware, you need to be aware 238 00:13:57.266 --> 00:14:00.747 of those two things. AxLocker, for example, and other groups 239 00:14:00.805 --> 00:14:04.286 are oftentimes targeting known vulnerabilities. So SonicWALL 240 00:14:04.344 --> 00:14:07.535 vulnerabilities that the likes of CISA have been urging 241 00:14:07.593 --> 00:14:11.132 organizations to patch forever. Attackers know all this. So I 242 00:14:11.190 --> 00:14:14.613 mean, many times attackers will get in and do more than one 243 00:14:14.671 --> 00:14:17.687 thing. Maybe they will ultimately deploy ransomware. 244 00:14:17.745 --> 00:14:21.342 But before that, maybe they'll deploy info stealing malware. Or 245 00:14:21.400 --> 00:14:24.649 they'll do that and then hand off to ransomware gang. So 246 00:14:24.707 --> 00:14:28.478 anything goes when you're are an attacker, they're just trying to 247 00:14:28.536 --> 00:14:32.133 monetize these in the best, most direct, quickest, easiest way 248 00:14:32.191 --> 00:14:35.614 possible. So do we have the right defenses? No, because the 249 00:14:35.672 --> 00:14:38.979 likes of ransomware is still getting in. And info stealing 250 00:14:39.037 --> 00:14:41.010 malware is just as easy to deploy. 
251 00:14:42.840 --> 00:14:45.810 Anna Delaney: Thanks, Matt, as ever, Well, Michael, more 252 00:14:45.810 --> 00:14:49.440 acquisitions this week. Palo Alto Networks has acquired Cider 253 00:14:49.470 --> 00:14:51.450 Security. Tell us about it. 254 00:14:52.200 --> 00:14:53.730 Michael Novinson: Absolutely. And I thank you for the 255 00:14:53.730 --> 00:14:57.210 opportunity. So Palo Alto Networks is a really interesting 256 00:14:57.240 --> 00:15:00.420 company and that so much of their capability is been built 257 00:15:00.420 --> 00:15:04.350 up through mergers and acquisitions from 2018 to 2021. 258 00:15:04.380 --> 00:15:07.650 Nobody was more active than they were on the M&A circuit, they 259 00:15:07.650 --> 00:15:10.530 bought a dozen companies, built out their cloud security 260 00:15:10.530 --> 00:15:13.530 practice from scratch, bought some stuff in the security 261 00:15:13.530 --> 00:15:16.740 operations world, some SOAR capabilities and multiple 262 00:15:16.740 --> 00:15:20.130 endpoint security companies. And then really, almost quickly it 263 00:15:20.130 --> 00:15:23.610 started to come to a halt. Last big acquisition they had done 264 00:15:23.610 --> 00:15:26.670 was in February of 2021, a company named Bridgecrew. And 265 00:15:26.670 --> 00:15:30.300 then the customer or their CEO, got on earnings calls and said, 266 00:15:30.330 --> 00:15:33.210 we're done with M&A, we bought everything we need to buy, we 267 00:15:33.210 --> 00:15:36.900 have capabilities in three areas - security operations, cloud 268 00:15:36.900 --> 00:15:39.750 security, network security. We're not looking to get into 269 00:15:39.780 --> 00:15:41.790 other parts of security, we're not looking to be identity and 270 00:15:41.790 --> 00:15:44.190 identity security company, an email security company, and we 271 00:15:44.190 --> 00:15:49.590 have the capabilities we need in each of these areas. 
And we 272 00:15:49.590 --> 00:15:51.540 don't want to start buying companies that do a lot of the 273 00:15:51.540 --> 00:15:54.300 same things as that we already do. We don't want overlapping 274 00:15:54.300 --> 00:15:58.290 capabilities who really does not add new capabilities. So they're 275 00:15:58.290 --> 00:16:02.010 kind of at a 20-month pause. But as you alluded to last week, 276 00:16:02.250 --> 00:16:05.700 they went back to M&A and purchased Cider Security for 277 00:16:05.730 --> 00:16:10.140 $250 million in terms of both the cash and the equity piece. 278 00:16:10.230 --> 00:16:12.990 So why did they do that? And I think that really comes down to 279 00:16:12.990 --> 00:16:16.170 what cybersecurity does that they're really focused on 280 00:16:16.170 --> 00:16:19.020 securing engineering processes and engineering systems from 281 00:16:19.020 --> 00:16:23.160 code to deployment. And if you think about when Palo Alto 282 00:16:23.160 --> 00:16:26.730 Networks was building out their practices through M&A, that 283 00:16:27.000 --> 00:16:30.360 supply chain security code, security shift-left, CI/CD, this 284 00:16:30.360 --> 00:16:33.840 stuff wasn't as top of mind. So most of their M&A took place, 285 00:16:33.870 --> 00:16:37.860 pre-SolarWinds. And all of that took place pre-Log4j. So this 286 00:16:37.860 --> 00:16:43.050 wasn't as central to them. So I think they realized that if they 287 00:16:43.050 --> 00:16:45.900 do want to be that broad platform, that can be all things 288 00:16:45.900 --> 00:16:48.360 to all people that they need to have to play into the code 289 00:16:48.360 --> 00:16:52.110 security market. Now, Cider Security takes a bit of a 290 00:16:52.110 --> 00:16:55.860 different approach than some of the other players here. A lot of 291 00:16:55.860 --> 00:17:00.870 the companies have been really focused on the source code and 292 00:17:00.870 --> 00:17:03.210 trying to figure out where does that source code come from? 
And 293 00:17:03.210 --> 00:17:07.080 is that secure? Cider focuses a little bit differently, they are 294 00:17:07.080 --> 00:17:09.360 focused on that development pipeline. But it's really more 295 00:17:09.360 --> 00:17:13.680 about the dozens or hundreds of applications, or the dozens or 296 00:17:13.680 --> 00:17:16.980 hundreds of pieces of software that companies use as they're 297 00:17:16.980 --> 00:17:22.110 developing technology and figuring out where do sourcing 298 00:17:22.110 --> 00:17:24.270 all of those applications, sourcing all that software and 299 00:17:24.270 --> 00:17:27.060 figuring out, where does that come from? Is that secure? Are 300 00:17:27.060 --> 00:17:30.240 there any vulnerabilities in that, and in particular, looking 301 00:17:30.270 --> 00:17:34.680 at open-source type software, things like Log4j, and looking 302 00:17:34.680 --> 00:17:39.840 at vulnerabilities there. So this will fit into what Palo 303 00:17:39.840 --> 00:17:42.960 Alto Networks does with their Prisma Cloud practice, which 304 00:17:42.960 --> 00:17:46.230 does do a lot of that CNAP cloud security type capability. But 305 00:17:46.290 --> 00:17:49.620 Palo's been really focused on trying to bridge that divide 306 00:17:49.620 --> 00:17:52.950 between cloud security and application security. And their 307 00:17:52.950 --> 00:17:56.040 feeling is that in terms of what Cider is able to do around 308 00:17:56.040 --> 00:17:59.040 security engineering, processes and systems that that will be 309 00:17:59.040 --> 00:18:00.090 integral to that. 310 00:18:01.560 --> 00:18:03.360 Anna Delaney: And Michael, do you think we'll be seeing more 311 00:18:03.360 --> 00:18:06.300 acquisitions from Palo Alto, perhaps next year? 312 00:18:06.000 --> 00:18:09.510 Michael Novinson: I don't think we're going to see a ton. I 313 00:18:09.510 --> 00:18:12.030 think they'll pick and choose their spots carefully. 
This was 314 00:18:12.030 --> 00:18:14.730 obviously supply chain security, something that's really 315 00:18:14.730 --> 00:18:19.350 percolated in recent months. I mean, you could say the same 316 00:18:19.350 --> 00:18:22.260 thing. Do they want to make a play into critical 317 00:18:22.260 --> 00:18:29.670 infrastructure in a post colonial world? I mean, they've 318 00:18:29.700 --> 00:18:32.190 picked and chosen their spots carefully. I mean, I think 319 00:18:32.670 --> 00:18:35.040 they've been clear to investors, they're not going back to that 320 00:18:35.040 --> 00:18:36.900 pace, they ended up spending about three and a half billion 321 00:18:36.900 --> 00:18:40.110 dollars, over the three year period and acquisitions. 322 00:18:41.040 --> 00:18:43.590 Investors weren't happy. It was causing them to lose money. 323 00:18:43.620 --> 00:18:46.770 Given that where the economy is right now, investors really want 324 00:18:46.770 --> 00:18:50.940 to see companies making money. So I don't think investors would 325 00:18:50.940 --> 00:18:53.400 be happy to see them receive that pace of acquisition, nor do 326 00:18:53.400 --> 00:18:56.580 I think Palo feels they have those types of gaps that they 327 00:18:56.580 --> 00:18:59.580 would need to but could they potentially make a play into 328 00:18:59.610 --> 00:19:04.440 infrastructure security, looking at IoT or security medical 329 00:19:04.440 --> 00:19:06.690 devices? That might be adjacent to some of what they do with 330 00:19:06.690 --> 00:19:09.390 firewalls today. But I think they would pick and choose their 331 00:19:09.390 --> 00:19:12.300 spots very carefully. 
I guess the one final note I would make 332 00:19:12.300 --> 00:19:16.980 is that their acquisitions with the exception of expanse, which 333 00:19:16.980 --> 00:19:19.110 was quite a bit bigger than everything else, they've bought 334 00:19:19.110 --> 00:19:22.140 - they've spent between 150 and 500 million - that's kind of 335 00:19:22.140 --> 00:19:25.170 their sweet spot is they want technology that's been built up 336 00:19:25.170 --> 00:19:27.900 mature, but they don't want to buy sales and marketing they 337 00:19:27.900 --> 00:19:31.020 have that they have to go to market engine themselves. So I 338 00:19:31.020 --> 00:19:33.300 know there's been talk about some larger companies needing to 339 00:19:33.300 --> 00:19:35.430 exit companies that were unicorns that maybe don't have 340 00:19:35.430 --> 00:19:38.760 an exit path with the IPO market closing. That's not a space I 341 00:19:38.760 --> 00:19:41.640 see them playing and they really want to take strong technology 342 00:19:41.640 --> 00:19:43.830 and strong leadership plugging into their go to market engine. 343 00:19:43.830 --> 00:19:48.240 So I'd expect them to stay in that low nine figures range when 344 00:19:48.240 --> 00:19:49.590 it comes to M&A going forward. 345 00:19:50.710 --> 00:19:53.907 Anna Delaney: Very interesting. Thank you very much, Michael. So 346 00:19:53.971 --> 00:19:58.000 finally it's Thanksgiving week of course. My final question is, 347 00:19:58.063 --> 00:20:01.772 what is the biggest turkey moment of 2022. And I know that 348 00:20:01.836 --> 00:20:05.609 Matt said five weeks left to go so we could still have more 349 00:20:05.673 --> 00:20:07.720 turkeys. But Tom, you are ready. 350 00:20:08.740 --> 00:20:11.830 Tom Field: I think we have one - my turkey doesn't gobble, it 351 00:20:11.830 --> 00:20:16.990 tweets. 
I think I've got to go with Elon Musk, and in his initial stewardship of the most influential social media network in the world, Twitter, seeing such an exodus, encouraging such an exodus of security and privacy professionals. Poor timing.

Mathew Schwartz: Yeah, my turkey is definitely an own goal. It has less of an impact on me, because Twitter's a wonderful community. And it's a shame. It takes forever to build a community up and it's easy to tear it down. On that front, though, when it comes to ransomware, I love the fact that Conti shot itself in the foot earlier this year by backing the Moscow-ordered invasion of Ukraine, and all of a sudden, nobody was paying Conti anymore. And Conti went oops, and had to burn its brand. It was very stupid. Before that, it spun out a number of other different groups. But what we're hearing is for affiliates, and maybe this is why info-stealing malware is surging. For affiliates of ransomware groups, working with big-name brands is a liability. They are in the crosshairs of law enforcement. And we have a really hard time disrupting ransomware.
But it's great news that some of the bigger, more professional, well-polished organizations with the most affiliates, taking down the biggest organizations via big game hunting, are having a harder time making that business model work. So gobble gobble!

Anna Delaney: Great turkey. Michael?

Michael Novinson: I could take my inspiration from the business world. And this would be the special purpose acquisition companies that were so, so hot in 2021. We saw several security players take advantage of that. We saw AppGate, IronNet, ZeroFox all go public through SPAC, and then complex monitor but didn't even make it across the finish line in trying to take that shortcut of avoiding the traditional Esteban IPO path. This had consequences. IronNet lost the Co-CEO and laid off half of its staff, involved with lawsuits. Allegations of misleading investors often tend to do pretty sharp layoffs. And then ZeroFox also had to have seen a very sharp decline in their stock price since going public in August.
I think it's just a reminder that there's no shortcut to success, that the IPO metrics that the industry maintains, that you want to have at least 150 million in top-line revenue, that you need a path to profitability, that you have to disclose all of this beforehand in an S-1 filing and do an investor roadshow and then present all of your financials to the investment community. Those are good things; it's good to have that due diligence and that scrutiny. When you start trying to find an end around to bring a smaller company, that company with only 25 or 30 million in top-line revenue, to the public market, that you're going to pay a price for, and maybe not right away. Maybe the market's hot like it was in 2021. But eventually you will, and I think it's important to remember to grow responsibly, to follow traditional accounting practices, traditional paths to market, and not let yourself grow and get big before you try to take the next leap.

Anna Delaney: It's very turkey. Thank you. I was going to say Elon Musk as well and his plan to charge users for the blue checkmarks, which seems like an attacker's dream. Anyway, we'll see what happens there. I hope you'll get to enjoy some turkeys this week as well.
Tom Field: Thank you very much. Tonight's the night of planes, trains and automobiles. I look forward to it.

Anna Delaney: Happy Thanksgiving! Thank you very much. Thanks so much for watching.