>> From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> Recent conversations with IT decision makers show a stark contrast between exiting 2023 versus the mindset when we were leaving 2022. CIOs are generally funding new initiatives by pushing off or cutting lower priority items, while security efforts are still being funded. Those that enable business initiatives that generate revenue or taking priority over cleaning up legacy technical debt. The bottom line is, for the moment, at least, the mindset is not cut everything, rather, it's put a pause on cleaning up legacy hairballs and fund monetization. Hello, and welcome to this week's Wikibon Cube Insights powered by ETR. In this breaking analysis, we tap recent discussions from two primary sources, year-end ETR roundtables with IT decision makers, and CUBE conversations with data, cloud, and IT architecture practitioners. The sources of data for this breaking analysis come from the following areas. Eric Bradley's recent ETR year end panel featured a financial services DevOps and SRE manager, a CSO in a large hospitality firm, a director of IT for a big tech company, the head of IT infrastructure for a financial firm, and a CTO for global travel enterprise, and for our upcoming Supercloud2 conference on January 17th, which you can register free by the way, at supercloud.world, we've had CUBE conversations with data and cloud practitioners, specifically, heads of data in retail and financial services, a cloud architect and a biotech firm, the director of cloud and data at a large media firm, and the director of engineering at a financial services company. Now we've curated commentary from these sources and now we share them with you today as anecdotal evidence supporting what we've been reporting on in the marketplace for these last couple of quarters. On this program, we've likened the economy to the slingshot effect when you're driving, when you're cruising along at full speed on the highway, and suddenly you see red brake lights up ahead, so, you tap your own brakes and then you speed up again, and traffic is moving along at full speed, so, you think nothing of it, and then, all of a sudden, the same thing happens. You slow down to a crawl and you start wondering, "What the heck is happening?" And you become a lot more cautious about the rate of acceleration when you start moving again. Well, that's the trend in IT spend right now. Back in June, we reported that despite the macro headwinds, CIOs were still expecting 6% to 7% spending growth for 2022. Now that was down from 8%, which we reported at the beginning of 2022. That was before Ukraine, and Fed tightening, but given those two factors, you know that that seemed pretty robust, but throughout the fall, we began reporting consistently declining expectations where CIOs are now saying Q4 will come in at around 3% growth relative to last year, and they're expecting, or should we say hoping that it pops back up in 2023 to 4% to 5%. The recent ETR panelists, when they heard this, are saying based on their businesses and discussions with their peers, they could see low single digit growth for 2023, so, 1%, 2%, 3%, so, this sort of slingshotting, or sometimes we call it a seesaw economy, has caught everyone off guard. Amazon is a good example of this, and there are others, but Amazon entered the pandemic with around 800,000 employees. It doubled that workforce during the pandemic. Now, right before Thanksgiving in 2022, Amazon announced that it was laying off 10,000 employees, and, Jassy, the CEO of Amazon, just last week announced that number is now going to grow to 18,000. Now look, this is a rounding error at Amazon from a headcount standpoint and their headcount remains far above 2019 levels. Its stock price, however, does not and it's back down to 2019 levels. The point is that visibility is very poor right now and it's reflected in that uncertainty. We've seen a lot of layoffs, obviously, the stock market's choppy, et cetera. Now importantly, not everything is on hold, and this downturn is different from previous tech pullbacks in that the speed at which new initiatives can be rolled out is much greater thanks to the cloud, and if you can show a fast return, you're going to get funding. Organizations are pausing on the cleanup of technical debt, unless it's driving fast business value. They're holding off on modernization projects. Those business enablement initiatives are still getting funded. CIOs are finding the money by consolidating redundant vendors, and they're stealing from other pockets of budget, so, it's not surprising that cybersecurity remains the number one technology priority in 2023. We've been reporting that for quite some time now. It's specifically cloud, cloud native security container and API security. That's where all the action is, because there's still holes to plug from that forced march to digital that occurred during COVID. Cloud migration, kind of showing here on number two on this chart, still a high priority, while optimizing cloud spend is definitely a strategy that organizations are taking to cut costs. It's behind consolidating redundant vendors by a long shot. There's very little evidence that cloud repatriation, i.e., moving workloads back on prem is a major cost cutting trend. The data just doesn't show it. What is a trend is getting more real time with analytics, so, companies can do faster and more accurate customer targeting, and they're really prioritizing that, obviously, in this down economy. Real time, we sometimes lose it, what's real time? Real time, we sometimes define as before you lose the customer. Now in the hiring front, customers tell us they're still having a hard time finding qualified site reliability engineers, SREs, Kubernetes expertise, and deep analytics pros. These job markets remain very tight. Let's stay with security for just a moment. We said many times that, prior to COVID, zero trust was this undefined buzzword, and the joke, of course, is, if you ask three people, "What is zero trust?" You're going to get three different answers, but the truth is that virtually every security company that was resisting taking a position on zero trust in an attempt to avoid... They didn't want to get caught up in the buzzword vortex, but they're now really being forced to go there by CISOs, so, there are some good quotes here on cyber that we want to share that came out of the recent conversations that we cited up front. The first one, "Zero trust is the highest ROI, because it enables business transformation." In other words, if I can have good security, I can move fast, it's not a blocker anymore. Second quote here, "ZTA," zero trust architecture, "Is more than securing the perimeter. It encompasses strong authentication and multiple identity layers. It requires taking a software approach to security instead of a hardware focus." The next one, "I'd love to have a security data lake that I could apply to asset management, vulnerability management, incident management, incident response, and all aspects for my security team. I see huge promise in that space," and the last one, I see NLP, natural language processing, as the foundation for email security, so, instead of searching for IP addresses, you can now read emails at light speed and identify phishing threats, so, look at, this is a small snapshot of the mindset around security, but I'll add, when you talk to the likes of CrowdStrike, and Zscaler, and Okta, and Palo Alto Networks, and many other security firms, they're listening to these narratives around zero trust. I'm confident they're working hard on skating to this puck, if you will. A good example is this idea of a security data lake and using analytics to improve security. We're hearing a lot about that. We're hearing architectures, there's acquisitions in that regard, and so, that's becoming real, and there are many other examples, because data is at the heart of digital business. This is the next area that we want to talk about. It's obvious that data, as a topic, gets a lot of mind share amongst practitioners, but getting data right is still really hard. It's a challenge for most organizations to get ROI and expected return out of data. Most companies still put data at the periphery of their businesses. It's not at the core. Data lives within silos or different business units, different clouds, it's on-prem, and increasingly it's at the edge, and it seems like the problem is getting worse before it gets better, so, here are some instructive comments from our recent conversations. The first one, "We're publishing events onto Kafka, having those events be processed by Dataproc." Dataproc is a Google managed service to run Hadoop, and Spark, and Flank, and Presto, and a bunch of other open source tools. We're putting them into the appropriate storage models within Google, and then normalize the data into BigQuery, and only then can you take advantage of tools like ThoughtSpot, so, here's a company like ThoughtSpot, and they're all about simplifying data, democratizing data, but to get there, you have to go through some pretty complex processes, so, this is a good example. All right, another comment. "In order to use Google's AI tools, we have to put the data into BigQuery. They haven't integrated in the way AWS and Snowflake have with SageMaker. Moving the data is too expensive, time consuming, and risky," so, I'll just say this, sharing data is a killer super cloud use case, and firms like Snowflake are on top of it, but it's still not pretty across clouds, and Google's posture seems to be, "We're going to let our database product competitiveness drive the strategy first, and the ecosystem is going to take a backseat." Now, in a way, I get it, owning the database is critical, and Google doesn't want to capitulate on that front. Look, BigQuery is really good and competitive, but you can't help but roll your eyes when a CEO stands up, and look, I'm not calling out Thomas Kurian, every CEO does this, and talks about how important their customers are, and they'll do whatever is right by the customer, so, look, I'm telling you, I'm rolling my eyes on that. Now let me also comment, AWS has figured this out. They're killing it in database. If you take Redshift for example, it's still growing, as is Aurora, really fast growing services and other data stores, but AWS realizes it can make more money in the long-term partnering with the Snowflakes and Databricks of the world, and other ecosystem vendors versus sub optimizing their relationships with partners and customers in order to sell more of their own homegrown tools. I get it. It's hard not to feature your own product. IBM chose OS/2 over Windows, and tried for years to popularize it. It failed. Lotus, go back way back to Lotus 1, 2, and 3, they refused to run on Windows when it first came out. They were running on DEC VAX. Many of you young people in the United States have never even heard of DEC VAX. IBM wanted to run every everything only in its cloud, the same with Oracle, originally. VMware, as you might recall, tried to build its own cloud, but, eventually, when the market speaks and reveals what seems to be obvious to analysts, years before, the vendors come around, they face reality, and they stop wasting money, fighting a losing battle. "The trend is your friend," as the saying goes. All right, last pull quote on data, "The hardest part is transformations, moving traditional Informatica, Teradata, or Oracle infrastructure to something more modern and real time, and that's why people still run apps in COBOL. In IT, we rarely get rid of stuff, rather we add on another coat of paint until the wood rots out or the roof is going to cave in. All right, the last key finding we want to highlight is going to bring us back to the cloud repatriation myth. Followers of this program know it's a real sore spot with us. We've heard the stories about repatriation, we've read the thoughtful articles from VCs on the subject, we've been whispered to by vendors that you should investigate this trend. It's really happening, but the data simply doesn't support it. Here's the question that was posed to these practitioners. If you had unlimited budget and the economy miraculously flipped, what initiatives would you tackle first? Where would you really lean into? The first answer, "I'd rip out legacy on-prem infrastructure and move to the cloud even faster," so, the thing here is, look, maybe renting infrastructure is more expensive than owning, maybe, but if I can optimize my rental with better utilization, turn off compute, use things like serverless, get on a steeper and higher performance over time, and lower cost Silicon curve with things like Graviton, tap best of breed tools in AI, and other areas that make my business more competitive. Move faster, fail faster, experiment more quickly, and cheaply, what's that worth? Even the most hard-o CFOs understand the business benefits far outweigh the possible added cost per gigabyte, and, again, I stress "possible." Okay, other interesting comments from practitioners. "I'd hire 50 more data engineers and accelerate our real-time data capabilities to better target customers." Real-time is becoming a thing. AI is being injected into data and apps to make faster decisions, perhaps, with less or even no human involvement. That's on the rise. Next quote, "I'd like to focus on resolving the concerns around cloud data compliance," so, again, despite the risks of data being spread out in different clouds, organizations realize cloud is a given, and they want to find ways to make it work better, not move away from it. The same thing in the next one, "I would automate the data analytics pipeline and focus on a safer way to share data across the states without moving it," and, finally, "The way I'm addressing complexity is to standardize on a single cloud." MonoCloud is actually a thing. We're hearing this more and more. Yes, my company has multiple clouds, but in my group, we've standardized on a single cloud to simplify things, and this is a somewhat dangerous trend, because it's creating even more silos and it's an opportunity that needs to be addressed, and that's why we've been talking so much about supercloud is a cross-cloud, unifying, architectural framework, or, perhaps, it's a platform. In fact, that's a question that we will be exploring later this month at Supercloud2 live from our Palo Alto Studios. Is supercloud an architecture or is it a platform? And in this program, we're featuring technologists, analysts, practitioners to explore the intersection between data and cloud and the future of cloud computing, so, you don't want to miss this opportunity. Go to supercloud.world. You can register for free and participate in the event directly. All right, thanks for listening. That's a wrap. I'd like to thank Alex Myerson, who's on production and manages our podcast, Ken Schiffman as well, Kristen Martin and Cheryl Knight, they helped get the word out on social media, and in our newsletters, and Rob Hof is our editor-in-chief over at siliconangle.com. He does some great editing. Thank you, all. Remember, all these episodes are available as podcasts wherever you listen. All you've got to do is search "breaking analysis podcasts." I publish each week on wikibon.com and siliconangle.com where you can email me directly at david.vellante@siliconangle.com or DM me, @Dante, or comment on our LinkedIn posts. By all means, check out etr.ai. They get the best survey data in the enterprise tech business. We'll be doing our annual predictions post in a few weeks, once the data comes out from the January survey. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching, everybody, and we'll see you next time on "Breaking Analysis." (upbeat music)

>>Kicking things off for Netscout's latest threat intelligence reports. I'm Lisa Martin with Richard Hummel manager of threat intelligence at NetScout. We're going to be talking about DDoSs for hire. It's a free for all Richard, welcome to the program. >>Thanks for having me. At least that's always a pleasure to do interviews with you here on acuity. >>Likewise. So, which are the dark web is a dangerous place. We know that we're adversaries own and operate DDoS for hire platforms and botnets to launch everything from free tests to high powered multi-vector attacks. What did you find? What kind of attacks are being launched on the dark web, >>Sadly, any and every type of attack you. And I think you put it eloquently that it's free a little while ago. I got a question come in from a media journalists that I was talking to and they asked me what is the average cost of a DDoS attack? And my gut reaction was mad, 10, 20 USD. I even asked another reporter later on, what do you think it costs? And he came out with two or 300 USD. And so that was kinda my expectations. Well, just because of that question, I broke up my lab and I said, you know what? I'm just going to kind of sleuth a little bit. And so I started logging in, I started looking at these underground platforms and I spend time on 19 of hundreds. There's a website out there that lists all with like three or 400 of these things, but I just chose the top 19. >>And when I started looking at these, every platform that I evaluated had some form of free attacks during launch. And these are the typical for your five attacks like NTP, cl doubt, DNS amplification. These are the, the rope or routine types of attacks we see in the DDoS threat landscape and it's free. And then it scales from there. You have $5 entry fees to do trials. You have a week trial, you can go all the way up to 6,500 USD. And the adversary reports to launch one terabit per second attack with that costs. There's another one that says, Hey, we have 150,000 button-up nodes. He has $2,500, and then you can launch it from this platform. And they also have customization. They have these little sliders on there. You can go in and say, you know what? I have five targets. I want to launch 10 attacks at once. I want it to last this many minutes. These are the vectors I want to use. And then it just tells you here's what you got to pay. Now, it used to be, you needed to have a crypto wallet to even launch a DDoS attack. Well, that's no longer the case. Second. It used to be crypto currency. Well, now they take PayPal. They take wire transfers. They do Western union transfers. And so yeah, this barrier to entry, it doesn't exist anymore. >>Wow. The evolution of data also attacks the low barrier to entry. The customization. You mentioned that you researched the top 19 validated DDoS for hire services. You guys captured the types of attacks, reported number of users and the costs to launch what you went through. What are some of the things that really stuck out to you that you found? >>I think the biggest thing, the biggest outlier that I saw with a lot of these things is that this, the sheer amount of attacks or tech types that they purport to launch that combined with one other metric that I'll, I'll tell you in just a minute. But when I started adding all of these out, I came out with a list of something like 450 different line items. This is taking the attack types from all 19 of these platforms and putting it into a spreadsheet. And then when I actually got rid of the duplicates and I started looking at each one of these to see, did they call it this? And then this one called it, this, there was still 200 different types of attacks. And these attacks are not just your typical volume metric things or your typical like botnet net related things. I mean, they're going after applications. >>They're going after capture pages. They're going after some website based anti DDoSs stuff. They're going after specific games, grand theft, auto Counter-Strike, all of these things. And they have specific attacks designed to overwhelm those layers. And you can actually see in some of the, the, the news or the update boxes they have on their platforms that they put rolling updates similar to like what you would see with Microsoft update. Here's what changed. And so they'll list, oh, we added this capture bypass, or we tweak this bypass, or guess what? We added a new server. And now you have this, this more power to launch bigger attacks. The other thing that really surprised me was the sheer number of users and attacks that they put for it to have and have launched. So across these 19 platforms, I counted over 1 million registered users. Now it could be that multiple users are registered across multiple platforms. >>And so maybe that's a little redundant, but a million or 19. And then the attacks, just whatever they showed in their platform. Now, I don't know what time segment that says it could be all time. It could be a certain snapshot, whatever, 19 of several hundred of these things, more than 10 million attacks. Now, if we look at 2020, we saw 10 million attacks on the whole year, 2021, we saw 9.7 million. So you can just see it. I mean, we're not seeing the whole breadth of the threat landscape. We see about a third probably of the world's internet traffic. And so if what they say is true, there's a lot more attacks out there than even. We talk about >>A lot more attacks than, than are even uncovered. That's shocking. The evolution of DDoSs is, is also quite shocking. One of the things I noticed in the first half 2021 threat intelligence report that NetScout published was some of the underground services offer blacklists or delisting services to prevent attacks. And I thought that sounds like a good thing, but what does that really mean? >>So actually, when we were writing the last chart report, a colleague of mine role in Dobbins had actually talked about this and he's like, Hey, I saw this thing where it's this quasi illegal organization. And they were talking about listing you as this. And they actually turn around and sell these lists. And so I started researching that a little bit. And what it turns out is these organizations, they report to be VPN services. Yeah. And they also say, you know what, we're offer these kinds of lists or block lists. We offer this VPN service, but we are also collecting your IP address. And so if you don't want us to basically resell that to somebody else, or if you want us to add that so that people can attack you based on what they're seeing on the VPN, then you can pay us money and you can do like different tiers of this. >>You can say, block me for a week or a block me for a lifetime and all of these different platforms. I wouldn't say all of them, probably four of the 19 that I looked at had this service. Now as a user, I'm not going to go to every single DDoS for hire platform. I'm not going to purchase the VPN from every single one of these. I'm not going to go and add myself to their denialist across all of these things. That's, that's kind of way too much work for one. And the cost is going to be in the thousands, if not tens of thousands, as you start to add all of these things together. And so they, they report to do something good and in turn, take your information and sell it. And what's worse is they actually assign your username or your handle or your gamer tag to that IP address. >>And so now you have this full list of IPS with gamer tags. And so an adversary Alto that has no qualms or scruples about launching DDoS attacks can then purchase that list. And guess what, Hey, this, this gamer over here who has this gamer tag, he always tells me I don't, I don't want to face them anymore. So anytime I see him in a match, I'm going to go over here to this DDoS for hire platform. And I'm going to just launch attack against him, try to knock them off of them. And so that's the kind of shady business practices that we're seeing here in the underground forums. >>Well, I knew that wasn't a good, I knew that you would actually give me the skinny on what that was. So another thing that I was wondering if it was a good, you know, despite this, you talked about the incredible diversity of these platforms, the majority of attack types that you sign are recognized and mitigated by standard defensive practices. Is that another good, bad disguise as good? >>No, in this case, it is very much good. So I, as far as I've seen, there's not a single DDoS attack type from a Google stressor service to date that you can't mitigate using preparation and your, your typical DDoSs platforms, mitigation protection systems. And even, even the bandwidth, the throughput, what some people call the size or the speed of attacks. We don't really see anything in the terabit per second range from these services. Now they'll, they'll boast about having the capability to do X number of packets per second, or this size of an attack. And so some of them will even say that, Hey, you pay us this money and we're going to give you a one terabit per second attack to date in the four years that I've been here on NetScout. And even some of my colleagues who've been around the space for decades. >>They have yet to see an attack source from one of these details for higher platforms that exceed one terabit per second in bandwidth or volume. And so they might talk a big game. They might boast about these things, but oftentimes it's, it's smoke and mirrors. It's a way to get people into their platforms to purchase things. If I had to pick kind of an average volume or size of attacks for these beer stressors on the high-end, I would say around the 150 to 200 gigabit per second. Now they're a small organization that might seem huge, but to a service provider, that's, that's probably a drop in the bucket and they can easily saturate that across their network, or observe, absorb that even without the top of the line mitigation services. So just being able to have something in place, understand how adversaries are launching these attacks, what attack vectors they are, you know, do some research. >>We have this portal called ominous threat horizon, where you can actually go in there and into your industry segment and your country. And you can just look to see, are there attacks against people like me in my country? And so, but understanding if you are the target of attacks, which it's not, if it's a win, then you can understand, okay, I need to probably have provisions in place for up to this threshold and ensure there's a tax that will exceed that. But at least you're doing due diligence to have some measure of protection, understanding that these are the typical kinds of attacks that you can expect. >>Yeah. That due diligence is key. Richard, thanks for joining me talking about DDoSs for hire a lot of interesting things there that was uncovered in a moment. Richard and I are going to be back to talk about the rise of server class bot net armies.