Search Results for Cybersecurity Ventures:

Tina Thorstenson, CrowdStrike, and Jennifer Dvorak, State of Arizona | AWS PS Partner Awards 2021


 

(bright music)

>> Hello, and welcome to today's session of the 2021 AWS Global Public Sector Partner Awards. I'm your host, Natalie Erlich, and today we'll highlight the best cybersecurity solution. I'm very pleased to welcome our next guests. They are Tina Thorstenson, executive public sector strategist at CrowdStrike, and Jennifer Dvorak, information security architect for the State of Arizona. Thank you so much for being with me today.

>> Thanks for having us.

>> Yep, thank you.

>> Perfect. Well, you know, obviously a really wild year with COVID and it certainly pushed a lot of boundaries. Cybersecurity resiliency also a hot topic as ransomware really spiked up. How have you addressed this concern and really accelerated this push with COVID-19 in the backdrop? I'd love it if either one of you would just like to jump in here.

>> Well, CrowdStrike was one of our initiatives for 2020 and it was significantly increased, accelerated due to COVID. So we had to roll out in a matter of weeks when we had a matter of months previously and it really provided us the visibility that we needed for folks taking their computers home. We had no way of triaging any of our incidents when the computers were at home. So rolling out CrowdStrike as quickly as possible it gave us remote access, it gave us visibility and that was huge for our organization.

>> Tina, if you could weigh in on this as well, that would be terrific.

>> Sure absolutely. And you know, Jen with the State of Arizona is one of our premier customers but across the board with the 2021 global threat report that we issue each year, what we saw there was a fourfold increase in the number of intrusions. So to your point about the threat activity and it's not getting better. So what CrowdStrike is on a mission to do is stop breaches and protect organizations against these bad actors so that they're, that we minimize disruptions.
It's really been tremendous to see and build an ecosystem from a platform approach that started with visibility on the endpoint that Jen was just alluding to.

>> And Jennifer, I'd love to get your insight how the public sector and the private sector can work better in tandem with each other in order to protect customers and also communities against ransomware attacks and other kinds of cybersecurity threats that we've seen coming from Russia for instance.

>> Certainly so our state CISO Tim Roemer, he has definitely encouraged us to make partners with our private vendors. So that's one of his strategic initiatives and we really want partners in the private sector. We want folks that are going to come alongside us and help us with our security goals. And CrowdStrike has been one of those vendors. We don't want to just spend money and then the vendor run away, we want somebody that's going to be with us every step of the way. We've had some incidents this past year and CrowdStrike was the first team to alert us because it was a different agency or a different part of our organization that we don't typically work with a lot. And that was really helpful because we were able to act quickly and address the issues that arose. So just having somebody that's looking out for your best interests and being a true partner is what we're really looking for. And that's the only way that we can circumvent these ransomware attacks.

>> And Tina I'd love it if you'd weigh in as well. How do you see your role in this effort to protect the public evolving now in 2021?

>> So I love that question and especially with the role of my role brand new in COVID interestingly enough, to create this bi-directional executive alignment with our customers and our internal teams and overall at CrowdStrike our goal, as I said is to stop breaches and it's really to bring, to minimize the frustration that comes sometimes with rolling out security tools.
I've been at this a long time and tools like CrowdStrike are really game changers for security teams that are really about protecting organizations. And essentially what we do is we brought a single platform where when it, when the, when our software is deployed to an organization across their laptops, desktops, server and cloud infrastructure, we were born in the cloud kind of before it was cool and now we serve more than 11,000 customers. And that threat activity goes to a single AWS instance where we look across all of the threat activity. And then when we see activity in one area, we can protect all of our customers. That's the power of the cloud.

>> Perfect and I'd love Jennifer's insights here too. What steps are you taking now to keep the public protected and the state cyber ready?

>> And I like Tina's point about being born in the cloud. So State of Arizona is a cloud first state. We are also looking for solutions in the cloud, and I think by leveraging cloud solutions, we're able to be more nimble. We're able to pivot our approach to security and address anything that comes up more quickly. So being cloud first, even though it's, it wasn't embraced initially, I think that it's something that we've been driving towards and looking for more partners that support that cloud first initiative that we have.

>> And Tina what's top of mind? What are some of the key initiatives that your team and teams are going to be focused on in the years ahead? What's the next phase for cybersecurity?

>> Great question and we've talked quite a bit about the endpoint but where we're headed and really where we've invested heavily the last couple of years and we'll continue moving forward is now that we have, we've brought this game-changing visibility to our security teams on the endpoint of each one of the systems in their environment where we've expanded the platform to now include cloud services like I mentioned.
Now include indicators of misconfigurations which are so detrimental to teams working in a hybrid cloud environment. And then we've also moved into the identity protection space. And essentially what we're doing there is the same thing we've been doing to protect workloads coming from desktops and laptops across the country and around the world and moved to a model where we're also in a zero trust principles way looking for threat activity coming in through identities, through people logging into these systems and doing the same real-time continuous monitoring and taking proactive action to protect organizations where we see malicious activity.

>> Terrific, well, in light of COVID-19, we saw a big spike in ransomware and I'd love to hear specifically from Tina why do we need trusted partners rather than software vendors in this fight?

>> You know, it's so important to get out in front of all of the adversaries and most recently that we've seen huge growth in the e-crime actors that are taking advantage of the tools that are unfortunately in the market today, sometimes even free that allow them to hold organizations hostage. And the reason that's so important to partner with organizations and companies like CrowdStrike, is that we've been thinking ahead and we are designed in a way to stop an individual, a breach or adversary attack from occurring but we've been watching how their adversary works and now we can see their activity very early on before they have a chance to gain a foothold in an organization's server or laptop or even a phone or a tablet. And really what we're doing is we're providing protection so that it doesn't even need to move to an analyst to do further review. We just stop it right at the gate before it causes harm. And the reason that this is so important probably is obvious, but we're about making sure that the organizations like the State of Arizona can continue on their business and without these kinds of disruptions.
So we haven't designed against one particular adversary but we really designed an approach that works across them all because we've been watching so closely how they move through environments for years. And we use the power of artificial intelligence delivered from the cloud to protect against all things including ransomware.

>> Right it's really an evolving process. You constantly have to be vigilant for the next threat. Now I'd love to hear how you see things change with your tech partners and providers at the moment.

>> So from a CrowdStrike perspective, we aim to be absolutely the best in class for the products and services that we provide whether that's your products that you can purchase like our endpoint solutions or whether that's services like our 24/7 threat hunting teams or Falcon Complete Teams that basically serve as an extension of an organization's team. But it's absolutely critical that we move this direction and not try to be the best at everything and instead partner. So we have extensive partnerships with Zscaler and Proofpoint and so many others, Okta. I mean the list goes on and on with now hundreds. And we also have a CrowdStrike store. So once you're a customer we've reduced the friction to taking on and trying out new modules, either from us or new options that maybe you haven't considered before from our trusted partners, much like the AWS marketplace we've got the CrowdStrike store and it's a growing set of partnerships where we build those integrations. So, my prior life I was the CISO for Arizona State University most recently. And we spend an awful lot of time integrating these solutions in a CrowdStrike. We're about building those integrations so that the teams within the organizations that can get on to doing innovative things within their space, rather than having to spend all their time tying these technologies together.
>> Yeah now shifting to Jennifer late last year we learned that suspected Russian hackers broke into the US government agencies including a county in Arizona. So what measures has the State of Arizona put in place now to ensure that something like that won't happen again or that at least the state is very vigilant and ready to protect citizens and the government against these threats?

>> We're definitely partnering with products like or vendors like CrowdStrike. That's what we, we're looking to extend those partnerships. And not only that we're developing our information sharing program across state, local and territorial governments. So we're looking to partner with the cities, the counties. Cybersecurity is a team sport. Cybersecurity is, it takes everyone. It takes the whole state working together. And that's one of the things that we've been trying to build. So working in conjunction with the state fusion center, the Arizona Counter Terrorism Information Center, we've been working to do more indicators of compromise sharing, any intelligence that we've been gathering from these counties that maybe did have an incident or a breach. We want to make sure that the information is disseminated to everyone so that we can be stronger and protect against it. Additionally, we're always looking for grants that we can extend so that we're able to extend our products that we use to some of the smaller cities and towns and counties so that they can leverage some of the same technologies like CrowdStrike in their environments at a fraction of the cost or paid for by a grant.

>> Terrific, well, Tina how does your experience as a CrowdStrike customer now come into play in your current role?

>> Well, how's it come into play? Well, I think that it makes it really easy for me to be a liaison internally and help internal teams understand what it's like to sit as a CISO or as a CIO or deputy CIO.
And to understand the kinds of challenges that these teams are (indistinct) these leaders of these teams are facing as they're moving forward with their innovation agenda while making sure to make sure that they're gaining those operational efficiencies that are so important today and wowing their customers all the while, right? So I think really what I bring to it is that level of experience to make sure that the voices of our customers are heard internally and that we continue to build products and services that make sense for the needs of our customers additional capabilities. Like we just released Falcon X Recon is an example of one of our newer capabilities where we're basically looking at their deep and dark web activity and bringing that together in the single platform, single event console that we've leveraged for years now. And in highlighting that activity many, in many cases, pre breach. So before you'd ever see it hit your, in your organization's operational environment, we would detect it through that service. So, I think it's those, all those things combined.

>> Terrific well, CrowdStrike won a number of key accolades this year, and I was curious, Tina what you attribute to this huge success.

>> Well, I have to tell you that I've been in the security space for far too long. And what I can say is that until CrowdStrike came along, there wasn't a solution, a security solution that we could get software running on an endpoint that wasn't just frustrating across the board. There were conflicts with other software running or the software would work great for one platform but it wouldn't work for the other. So we really have this new approach. And I think that that's what's made us, in fact I'm sure it's certainly what made me a wildly happy customer is that staff, faculty, employees, if we hadn't told them the software was being rolled out, they wouldn't have even noticed.
You know it doesn't impact the machines and it's really provided this amazing experience and bringing all that with 150 different adversary groups that we track and we take that on for the customers and just bring visibility for the immediate things they need to take action on. I think those are all of the things that got us to this point in building out this platform is going to be really amazing to see in the years to come as we expand across other areas within the security space, either developing our own or really driving partnerships to make it easier for our customers.

>> Yeah, terrific. Well, I pulled up the stat here for us to examine because I think it's really important for our viewers to understand just how important cybersecurity is and how it's going to be even more important for customers and for the private citizens and public citizens. According to Cybersecurity Ventures, cyber crime costs will grow by 15% per year reaching 10.5 trillion by 2025. That's just in about four years. And not only that, cyber crime will become the third largest economy in the world after the United States and China. So, I mean, it's really terrific that you're stepping up. You know just if you could both, perhaps Jennifer can go first and then Tina, what are the key lessons that you have for even the federal government to take a more proactive stance against these threats?

>> Well, I think it's clear that this is a very lucrative venture, business venture. It's treated like a business venture by these criminal actors and they have a formula and it works. So I don't see that it's going to be changing anytime soon. And it's also not something that is highly sophisticated, highly technical. It's very easy. It's very much phishing, you know, users clicking on emails and vulnerabilities and environments. It's really a very easy formula that they continue to repeat.
So I think until the federal government has more ways to recoup some of these ransomware payments, or we're able to stop some of these ransomware as a service products from being used, I think it's going to continue. So we're defenders so we need to make sure that we're ready for anything that comes and using products that keep us safe is really the best way and training our users.

>> Terrific and Tina?

>> Thank you. So we are so passionate about making sure that our customers can sleep better at night. When it comes down to tips it really comes back to the basics in many regards but the basics are sometimes really hard to do. So they sound simple, but they aren't so easy to do. And it's basics like making sure your systems are patched. Every organization has just a growing number of devices and pieces of software and infrastructure and all of those things need to be patched nearly immediately to stay out in front of today's adversaries. And Jen's right, some are sophisticated, some are not but the reality is if we leave those windows open, we will have adversaries, oh, you know walk into our house if you will. So the basics like that also making sure that you have great backups, right? So if you do run into an instance of a ransomware where your systems are locked that you have the ability to recover quickly, being proactive and making sure that you have the partnership arrangement ahead of time is a third really important thing to do. Many organizations now have IR retainers that they, incident response retainers that you can use proactively in years where you don't find yourself on your heels in a reactive situation but then it's there when you need it. Sometimes it's hard to find great services when there are the flood of ransomware attacks like we've seen in recent months. And then lastly, and I should have started with this 'cause it's the most important part, train your people.
It's so important to make sure that security is just a culture, a part of the culture, just like you lock your car and you lock your house. Making sure that you're thinking about those things that will help keep you safe and your organization safe.

>> Really excellent points. Thank you both so much for your insights. That was Tina Thorstenson, executive public sector strategist at CrowdStrike, as well as Jennifer Dvorak, information security architect for the State of Arizona. Again, really appreciate your insights. This was a fantastic conversation with you. And that's all for the 2021 AWS Global Public Sector Partner Awards or in this session of that. I'm your host Natalie Erlich and see you very soon.

(bright music)

Published Date : Jun 30 2021


Tim Carben & Manoj Nair | CUBE Conversation June 2021


 

(upbeat music)

>> We are entering a new era of cyber attacks. The SolarWinds hack it underscored a rising and very disturbing trend. Namely that tunneling in through an organization's supply chain. And you're hearing terms like island hopping and living off the land to becoming mainstream in the world of cybersecurity. And we're going to talk a little bit about ransomware and cyber with Manoj Nair, who is the GM of Metallic, a Commvault Company. And Tim Carben, is a Principal Systems Engineer with Mitchell International. Gents welcome. Thanks so much for coming on. Talk to me about this very important topic. So, Tim, I got to start with you, you're the practitioner. You got to fight this battle every day. You heard me upfront it feels like we are entering a new era. The adversary is highly capable, very well-funded. How are you thinking about changes in protecting your data and creating things like air gaps and what are you doing to solve this problem?

>> I think the most important part. And this is just to start off with is patching, everything up to date. Most of the time someone's getting in, or most of the time one of these viruses is replicating between the different systems. It's due to unpatched environments. And then number two is training. If your resources don't know, not to click on something or to hover over something to look at it. Then, you are just going to be exposing your environment over and over and over again. But when it all boils down to it, and it comes back to what I'm doing in the data protection world in the backup and recovery, I have to look at not only how am I going to get this data back. Because if a system gets encrypted we are going to look for recovery first. That's it, look for recovery first. But we also need to make sure that our environment is protected. Lock down our media agents. Lock down our storage that we're connected to. And like you had mentioned before use an air gap. And no one...
I mean, everyone's been moving away from tape and it's understandable. There's a lot of resource utilization involved. There's a lot of people that you need in there in your data center, moving things around. And it's a robotic machine, you have to rely on. Not only that, but recovery times can be slow. What I found is Commvault has gone out there and they've offered us SaaS storage. This SaaS storage is somewhere else. We could be in AWS. We could be in Azure. We could be in GCP but we can still connect to this SaaS storage. And we never have to worry about someone having access to a data center and getting to our tapes. We don't have to worry about someone having tenant access and deleting our backups off of a particular tenant. Which is something that we are going to see in the future if it's not out there already. So, there's a lot that we have to do and protecting ourselves is very important. And Commvault is making it a lot easier.

>> Thank you, Tim. So, Manoj I mean, these things have probably been around for a while but we're seeing really sort of, I talked about mainstream and a couple of things that are really disturbing. We're seeing this malware come in and they're self forming. They're creating different signatures but we're also seeing this idea of living off the land very stealthily using your own tools against you. And then really disturbingly, we're seeing when you discover... When a victim discovers that they're being attacked and they respond... Their incident response is triggering a very aggressive counter attack by the hackers. Where they've already exfiltrated really sensitive data. Then they'll then they... And they've been stealing and making monetizing your data. And then they'll just encrypt it, hold it for ransom, threaten to release that sensitive data if you don't let them keep going. It's really, really disturbing. What's your perspective on this raising the bar that the bad guys have done and how we can keep pace?

>> Yeah, Dave.
I lived through the nation state attack that happened in 2012. The front door seat was at RSA as part of the leadership team. And at that time it was considered a this is a very unique and it's an advanced persistent threat. It took the resources of one of the biggest nations of the world to mount something like that. And fast forward, eight, nine years later, we're seeing that these kinds of techniques have now been mainstreamed. You've got a lot of people who are figuring out not just... They may not even care about your data but they know you care about your data. So they're not trying to exfiltrate the data maybe to look for sensitive data and monetize it. That's just harder. Why not take it directly from you. In Q1 of 2021, the average ransomware ransom went up 43%. It's like 250K or something. That's just the ransom. And we saw now that it's impacting day-to-day lives. You saw the long lines of the gas things gas pumps on the East coast a weekend before last and as somebody who had a ransomware attack as the news story say they'd paid for the ransom. And that was the recovery after paying 5 million was slow. So they had to go and figure out how to recover from the backups. And that was not fast enough. So defense in depth is something that has really been the mantra and just like protecting a home, you're not just looking at putting an alarm on the front door. You have sensors on your windows. You have a fire alarm. You've got to say if you got different things too in terms of really thinking through different trends. And Tim hit on a couple of those things. You really think about what is my weak link? What is my vulnerability? That vulnerability is now your software supply chain. So you're thinking about who am I buying things from? Are they taking care of stuff because they are now a new vector? And that's kind of the biggest I would say new thing that has not been mainstream.
Like a lot of these techniques are getting mainstream but the fact that a software supply chain itself that is being deployed en masse is now vulnerable? And that will be monetized. It might've started with the nation state doing that but then you'll get the... People trying to take it for ransom. They'll start weaponizing those same vulnerabilities. So really that data and making sure that your crown jewels you have a very safe way of protecting them. And it's not just... You need to practice in readiness of that. Like any system. Just having that there it's not good enough, like can I detect issues? What is the ecosystem that's part of? How is my identity tracking who has got access to that? We've seen a lot of interesting things as part of why we started creating services like an air gap service in the cloud. The customer doesn't have to worry about managing credentials because even those were getting compromised. People were stealing the credentials to go delete the backup. So, the steps keep leaping forward. There's a lot of money going in the research and development of malware. And the industry in partnership with customers and partnership with local and federal authorities are going to have to figure out how to tackle this together.

>> Yeah. So Tim, you don't mean Commvault, you don't think of being the cybersecurity space specifically, but those worlds are coming together the data protection and security space. And I would imagine for you as a practitioner it's challenging because you don't have a blank chequebook. I mean, yes, you can spend... You have to spend on cyber but you have all these... You talked about digital transformation in an earlier discussion that we had and you've got to figure out, how do I apply AI and automation? You've got a talent gap. I mean, you can't hire people that have the skills because you just can't keep throwing people at the problem. So, you don't have this unlimited budget.
I saw a stat there's a company it's Cybersecurity Ventures. They said by 2025 we'll lose $10.5 trillion annually to cyber attacks. And I think if I look at it, whoever's numbers. You look at IDC I think has one of the higher numbers out there. It's like a hundred billion that we spend each year on cyber. So it's infinitesimal compared to the value that the bad guys are extracting. So, how are you dealing with that complexity, fragmented security tooling lack of talent turnover? I mean, all this stuff and the budget challenges. How do you deal with all that?

>> It's... And I do not want to use this word, but it's as easy as research and staying on top of everything. Everyone knows, you update your virus definitions. You keep that up-to-date. You close your firewall holes. You have denies at the very end of every firewall. You make sure you keep track of these small things. At the same time, you leverage utilities that make it easier for you to do your job. The Commvault iDA has a feature that keeps track of changes or modifications on a server. So if I have a server, that's actively getting hit with a ransomware. Commvault reports me in a word and tells me, "Hey, we have had this many files modified within this time period. Look at it right now." So, on top of everything else we have because it's not a replacement for our virus protection but it does help us. And it does keep track of things in Commvault, as well as a lot of other companies out there, are doing some great things in closing up small little gaps and adding little features that could really help us move forward in the future. And keep us more protected, I guess I should say.

>> Yeah. Well Manoj, I mean the backup Corpus is a sort of the last line of defense. It's also could be a first point of attack because all the valuable data is in there. So, I'll give you the last word here on the segment. Thanks for doing this with me guys. How do you think the industry needs to approach this? It's not a...
You can't go on it alone. You definitely need to collaborate. Your final thoughts.

>> Yeah, collaborate, share risk factors, making sure that systems are connected and they're not siloed. And that will really make sure our customers are getting the best out of all of us. And you have to build an intelligence of the product anything static. Just like you said, you need to backup the cyber crown jewels or they're going to go after that. So, your backup systems need to have AI/ML. They need to be able to detect any kind of suspicious activity. You can't just kind of code it in and just expect that what you thought would work in the lab is how it's going to behave. So, but it's a... And in general unless there's a bigger penalty in terms of the response to these kinds of attacks, as long as they keep getting paid, they're going to keep doing this thing. So you got to follow the money is a simple work. Let's take that a rich ecosystem, that's funding them and replace it with a tight partnership between companies and the customers and partners and governments.

>> Guys. Well, I mean, the equation is pretty simple. Value equals benefit over cost. If you can increase the denominator for the bad guys it'll lower their ROI and that's kind of your job. And so keep up the good work, gents. Thanks so much for coming to theCUBE and talking to me about this very important topic. Really appreciate it.

>> Thank you. Thank you for having us.

>> And thank you for watching this CUBE Conversation. This is Dave Vellante. We'll see you next time.

(upbeat music)

Published Date : Jun 4 2021


Breaking Analysis: Chaos Creates Cash for Criminals & Cyber Companies


 

>> From The Cube Studios in Palo Alto in Boston, bringing you data-driven insights from The Cube in ETR. This is "Breaking Analysis" with Dave Vellante >> The pandemic not only accelerated the shift to digital but it also highlighted a rush of cyber criminal sophistication, collaboration, and chaotic responses by virtually every major company in the planet. The SolarWinds hack exposed supply chain weaknesses and so-called island hopping techniques that are exceedingly difficult to detect. Moreover, the will and aggressiveness of well-organized cybercriminals has elevated to the point where incident responses are now met with counter attacks, designed to both punish and extract money from victims via ransomware and other criminal activities. The only upshot is the cybersecurity market remains one of the most enduring and attractive investment sectors for those that can figure out where the market is headed and which firms are best positioned to capitalize. Hello, everyone. And welcome to this week's Wikibon Cube Insights powered by ETR. In this "Breaking Analysis" we'll provide our quarterly update of the security industry, and share new survey data from ETR and the Cube community that will help you navigate through the maze of corporate cyber warfare. We'll also share our thoughts on the game of 3D chess that Okta CEO, Todd McKinnon, is playing against the market. Now, we all know this market is complicated, fragmented and fast moving. And this next chart says it all. It's an interactive graphic from Optiv, a Denver, Colorado-based SI that's focused on cybersecurity. They've done some really excellent research and put together this awesome taxonomy, and it mapped vendor names therein. And this helps users navigate the complex security landscape. And there are over a dozen major sectors, high-level sectors within the security taxonomy and nearly 60 subsectors. 
From monitoring, vulnerability assessment, identity, asset management, firewalls, automation, cloud, data center, SIEM, threat detection and intelligent endpoint network, and so on and so on and so on. But this is a terrific resource, and going to help you understand where players fit and help you connect the dots in the space. Now let's talk about what's going on in the market. The dynamics in this crazy mess of a landscape are really confusing sometimes. Now, since the beginning of cyber time, we've talked about the increasing sophistication of the adversary, and the back and forth escalation between good and evil. And unfortunately, this trend is unlikely to stop. Here's some data from Carbon Black's annual modern bank heist report. This is the fourth, and of course now, VMware's brand, highlights the Carbon Black study since the acquisition, and to catalyze the creation of VMware's cloud security division. Destructive malware attacks, according to the recent study are up 118% from last year. Now, one major takeaway from the report is that hackers aren't just conducting wire fraud, they are. 57% of the banks surveyed saw an increase in wire fraud, but the cybercriminals are also targeting non-public information such as future trading strategies. This allows the bad guys to front-run large block trades and profit. It's become a very lucrative practice. Now the prevalence of so-called island hopping is up 38% from already elevated levels. This is where a virus enters a company's supply chain via a partner, and then often connects with other stealthy malware downstream. These techniques are more common where the malware will actually self-form with other infected parts of the supply chain and create actions with different signatures, designed to identify and exfiltrate valuable information. It's a really complex problem. 
Of major concern is that 63% of banking respondents in the study reported that responses to incidents were then met with retaliation designed to intimidate, or initiate ransomware attacks to extract a final pound of flesh from the victim. Notably, the study found that 75% of CISOs reported to the CIO, which many feel is not the right regime. The study called for a rethinking of the right cyber regime where the CISO has increased responsibility and a direct reporting line to the CEO, or perhaps the COO, with greater exposure to boards of directors. So, many thanks to VMware and Tom Kellerman specifically for sharing this information with us this past week. Great work by your team. Now, some of the themes that we've been talking about for several quarters are shown in the lower half of the chart. Cloud, of course is the big driver thanks to work-from-home and to the pandemic. And the interesting corollary of course, is we see a rapid rethinking of endpoint and identity access management, and the concept of zero trust. In a recent ESG survey, two-thirds of respondents said that their use of cloud computing necessitated a change in how they approach identity access management. Now, as shown in the chart from Optiv, the market remains highly fragmented, and M&A is of course, way up. Now, based on our research, it looks like transaction volume has increased more than 40% just in the last five months. So let's dig into the M&A, the merger and acquisition trends for just a moment. We took a five-month snapshot and we were able to count about 80 deals that were completed in that timeframe. Those transactions represented more than $20 billion in value. Some of the larger ones are highlighted here. The biggest of course, being the Thoma Bravo, taking Proofpoint private for a $12 plus billion price tag. The stock went from the low 130s and is trading in the low 170s based on the $176 per share offer. So there's your arbitrage, folks. Go for it. 
Perhaps the more interesting acquisition was Auth0 by Optiv for 6.5 billion, which we're going to talk about more in a moment. There was more private equity action we saw as Insight bought Armis, an IoT security play, and Cisco shelled out $730 million for IMImobile, which is more of an adjacency to cyber, but it's going to go under Cisco security and applications business run by Jeetu Patel. But these are just the tip of the iceberg. Some of the themes that we see connecting the dots of these acquisitions are first, SIs like Accenture, Atos and Wipro are making moves in cyber to go local. They're buying SecOps expertise, as I say, locally in places like France, Germany, Netherlands, Canada, and Australia, that last mile, that belly to belly intimate service. Israeli-based startups chalked up five acquired companies in the space over the last five months. Also financial services firms are getting into the act with Goldman and MasterCard making moves to own its own part of the stack themselves to combat things like fraud and identity theft. And then finally, numerous moves to expand markets. Okta with Auth0, CrowdStrike buying a log management company, Palo Alto, picking up DevOps expertise, Rapid7 shoring up its Kubernetes chops, Tenable expanding beyond Insights and going after identity, interesting. Fortinet filling gaps in a multi-cloud offering. SailPoint extending to governance risk and compliance, GRC. Zscaler picked up an Israeli firm to fill gaps in access control. And then VMware buying Mesh7 to secure modern app development and distribution service. So tons and tons of activity here. Okay, so let's look at some of the ETR data to put the cyber market in context. ETR uses the concept of market share, it's one of the key metrics which is a measure of pervasiveness in the dataset. 
So for each sector, it calculates the number of respondents for that sector divided by the total to get a sense for how prominent the sector is within the CIO and IT buyer communities. Okay, this chart shows the full ETR sector taxonomy with security highlighted across three survey periods; April last year, January this year, and April this year. Now you wouldn't expect big moves in market share over time. So it's relatively stable by sector, but the big takeaway comes from observing which sectors are most prominent. So you see that red line, that dotted line imposed at the 60% level? You can see there are only six sectors above that line and cyber security is one of them. Okay, so we know that security is important in a large market. But this puts it in the context of the other sectors. However, we know from previous breaking analysis episodes that despite the importance of cyber, and the urgency catalyzed by the pandemic, budgets unfortunately are not unlimited, and spending is bounded. It's not an open checkbook for CSOs as shown in this chart. This is a two-dimensional graphic showing market share in the horizontal axis, or pervasiveness in net score in the vertical axis. Net score is ETR's measurement of spending velocity. And we've superimposed a red line at 40% because anything over 40%, we consider extremely elevated. We've filtered and limited the number of sectors to simplify the graphic. And you can see, in the sectors that we've highlighted, only the big four are above that 40% line; AI, containers, RPA, and cloud. They exceed that sort of 40% magic waterline. Information security, you can see that as highlighted and it's respectable, but it competes for budget with other important sectors. So this is of course creates challenges for organization, because not only are they strapped for talent as we've reported, they like everyone else in IT face ongoing budget pressures. 
Research firm Cybersecurity Ventures estimates that in 2021, $6 trillion worldwide will be lost on cyber crime. Conversely, research firm Canalys pegs security spending somewhere around $60 billion annually. IDC has it higher, around $100 billion. So either way, we're talking about spending between 1 to 1.6% annually of how much the bad guys are taking out. That's peanuts really when you consider the consequences. So let's double-click into the cyber landscape a bit and further look at some of the companies. Here's that same X/Y graphic with the companies ETR captures from respondents in the cybersecurity sector. That's what's shown on the chart here. Now, the usefulness of the red lines is 20% on the horizontal indicates the largest presence in the survey, and the magic 40% line that we talked about earlier shows those firms with the most elevated momentum. Only Microsoft and Palo Alto exceed both high watermarks. Of course, Splunk and Cisco are prominent horizontally. And there are numerous companies to the left of the 20% line and many above that 40% high watermark on the vertical axis. Now in the bottom left quadrant, that includes many of the legacy names that have been around for a long time. And there are dozens of companies that show spending momentum on their platforms, i.e., above single digits. So that picture is like the first one we showed you, very, very crowded space. But so let's filter it a bit and only include companies in the ETR survey that had at least 100 responses. So an N of 100 or greater. So it was a little easier to read but still it's kind of crowded when you think about it. Okay, so same graphic, and we've superimposed the data that determined the plot position over in the bottom right there. So there's net score and shared N, including only companies with more than 100 N. So what does this data tell us about the market? Well, Microsoft is dominant as always, it seems in all dimensions but let's focus on that red line for a moment. 
Some of the names that we've highlighted over the past two years show very well here. First, I want to talk about Palo Alto Networks. Pre-COVID as you might recall, we highlighted the valuation divergence between Palo Alto and Fortinet. And we said Fortinet was executing better on its cloud strategy, and Palo Alto was at the time struggling with the transition especially with its go-to-market and its Salesforce compensation, and really refreshing its portfolio. But we told you that we were bullish on Palo Alto Networks at the time because of its track record, and the fact that CIOs consistently told us that they saw Palo Alto as a thought leader in the space that they wanted to work with. They said that Palo Alto was the gold standard, the best, especially larger company CISOs. So that gave us confidence that Palo Alto, a very well-run company was going to get its act together and perform better. And Palo Alto has just done just that. As we expected, they've done very well and rapidly moving customers to the next generation of platforms. And we're very impressed by the company's execution. And the stock has generally reflected that. Now, some other names that hit our radar in the ETR data a couple of years ago, continue to perform well. CrowdStrike, Zscaler, SailPoint, and CloudFlare. Now, CloudFlare just reported and beat earnings but was off, the stock fell on headwinds for tech overall, the big rotation. But the company is doing very well and they're growing rapidly and they have momentum as you can see from the ETR data. Now, we put that double star around Proofpoint to highlight that it was worthy of fetching $12.5 billion from private equity firm. So nice exit there, supporting the continued consolidation trend that we've predicted in cybersecurity. Now let's turn our attention to Okta and Auth0. This is where it gets interesting, and is a clever play for Okta we think, and we want to drill into it a bit. Okta is acquiring Auth0 for big money. Why? 
Well, we think Todd McKinnon, Okta CEO, wants to run the table on identity and then continue to expand as TAM has to do that, to justify his lofty valuation. So Okta's ascendancy around identity and single sign-on is notable. The fragmented pictures that we've shown you, they scream out for simplification and trust, and that's what Okta brings. But it competes with some major players, most notably Microsoft with Active Directory. So look, of course, Microsoft is going to dominate in its massive customer base, but the rest of the market, that's like (indistinct) wide open. And we think McKinnon saw the opportunity to go dominate that sector. Now Okta comes at this from an enterprise perspective bringing top-down trust to the equation, and throwing a big blanket over all the discrete SaaS platforms and unifying employee access. Okta's timing was perfect. It was founded in 2009, just as the massive SaaSification trend was happening around CRM and HR, and service management and cloud, et cetera. But the one thing that Okta didn't have that Auth0 does is serious developer chops. While Okta was crushing it with its enterprise sales strategy, Auth0 was laser-focused on developers and building a bottoms up approach to identity. By acquiring Auth0, Okta can dominate both sides of the barbell and then capture the fat middle. So yes, it's a pricey acquisition, but in our view, it's a great move by McKinnon. Now, I don't know McKinnon personally, but last week I spoke to Arun Shrestha, who's the CEO of security specialist, BeyondID, they're a platinum services partner of Okta. And they're a zero trust expert. He worked for Okta for a number of years and shared with me a bit about McKinnon's style, and think big approach. Arun said something that caught my attention. He said, firewalls used to be the perimeter, now people are. And while that's self-serving to Okta and probably BeyondID, it's true. People, apps and data are the new perimeter, and they're not in one location. 
And that's the point. Now, unfortunately, I had lined up an interview with Diya Jolly, who was the chief product officer at Okta and a Cube alum for this past week, knowing that we were running this segment in this episode but she unfortunately fell ill the day of our interview and had to cancel. But I want to follow up with her, and understand how she's thinking about connecting the dots with Auth0 with devs and enterprises and really test our thesis there. This is a really interesting chess match that's going on. Let's look a little deeper into that identity space. This chart here shows some of the major identity players. It has some of the leaders in the identity market, and is a breakdown at ETR's net score. Now net score comprises five elements. The lime green is, we're adding the platform new. The forest green is we're spending 6% or more relative to last year. The gray is flat send plus or minus flat spend, plus or minus 5%. The pinkish is spending less. And the bright red is we're exiting the platform, retiring. Now you subtract the red from the green, and that gets you the result for net score which you can see super-imposed on the right hand chart at the bottom, that first column there. The far column is shared in which informs and indicates the number of responses and is a proxy for presence in the market. Oh, look at the top two players in terms of spending momentum. Now SailPoint is right there, but Auth0 combined with Okta's distribution channel will extend Okta's lead significantly in our view. And then there's Microsoft. Now just a caveat, this includes all of Microsoft's security offerings, not just identity, but it's there for context. And CyberArk as well includes this acquisition of adaptive, but also other parts of CyberArk's portfolio. So you can see some of the other names that are there, many of which you'll find in the Gartner magic quadrant for identity. And as we said, we really like this move by Okta. 
It combines positive market forces with lead offerings from very well-run companies that have winning DNA and passionate people. Now, to further emphasize what's happening here, take a look at this. This chart shows ETR data for Okta within SailPoint and CyberArk accounts. Out of the 230 CyberArk and SailPoint customers in the dataset, there are 81 Okta accounts. That's a 35% overlap. And the good news for Okta is that within that base of SailPoint and CyberArk accounts, Okta is shown by the net score line, that green line has a very elevated spending in momentum. And the kicker is, if you read the fine print in the right hand column, ETR correctly points out that while SailPoint and CyberArk have long been partners with Okta, at the recent Octane21 event, Okta's big customer event, The company announced that it was expanding into privileged access management, PAM, and identity governance. Hello, and welcome to co-opetition in the 2020s. Now, our current thinking is that this bodes very well for Okta and CyberArk and SailPoint. Well, they're going to have to make some counter moves to fend off the onslaught that is coming. Now, let's wrap up with what has become a tradition in our quarterly security updates. Looking at those two dimensions of net score and market share, we're going to see which companies crack the top 10 for both measures within the ETR dataset. We do this every quarter. So here in the left, we have the top 20, sorted by net score spending momentum and on the right, we sort by shared N. So it's again, top 20, which informs, shared N informs the market share metric or presence in the dataset. That red horizontal lines, those two lines on each separate the top 10 from the remaining 10 within those top 20. And our method, what we do is we assign four stars to those companies that crack the top 10 for both metrics. So again, you see Microsoft, Palo Alto Networks, Okta, CrowdStrike, and Fortinet. Fortinet by the way, didn't make it last quarter. 
They've kind of been in and out and on the bubble, but company is very strong, and doing quite well. Only the other four did last quarter. They were the same for last quarter. And we give two stars to those companies that make it in both categories within the top 20 but didn't make the top 10. So Cisco, Splunk, which has been steadily decelerating from a spending momentum standpoint, and Zscaler, which is just on the cusp. We really like Zscaler and the company has great momentum, but that's the methodology. That is what it is. Now you can see, we kept Carbon Black on the right most chart, it's like kind of cut off, it's number 21. Only because they're just outside looking in on net score. You see them there, they're just below on net score, number 11. And VMware's presence in the market we think, that Carbon Black is right really worth paying attention to. Okay, so we're going to close with some summary and final thoughts. Last quarter, we did a deeper dive on the SolarWinds hack, and we think the ramifications are significant. It has set the stage for a new era of escalation and adversary sophistication. Now, major change we see is a heightened awareness that when you find intruders, you'd better think very carefully about your next moves. When someone breaks into your house, if the dog barks, or if you come down with a baseball bat or other weapon, you might think the intruder is going to flee. But if the criminal badly wants what you have in your house and it's valuable enough, you might find yourself in a bloody knife fight or worse. Well, what's happening is intruders come to your company via island hopping or insider subterfuge or whatever method. And they'll live off the land stealthily using your own tools against you so that you can't find them so easily. So instead of injecting new tools in that send off an alert, they just use what you already have there. That's what's called living off the land. 
They'll steal sensitive data, for example, positive COVID test results when that was really, really sensitive, obviously still is, or other medical data. And when you retaliate, they will double-extort you. They'll encrypt your data and hold it for ransom, and at the same time threaten to release the sensitive information, crushing your brand in the process. So your response must be as stealthy as their intrusion, as you marshal your resources and devise an attack plan. And you face serious headwinds. Not only is this a complicated situation, there's your ongoing and acute talent shortage that you tell us about all the time. Many companies are mired in technical debt, that's an additional challenge. And then you've got to balance the running of the business while actually effecting a digital transformation. That's very, very difficult, and it's risky because the more digital you become, the more exposed you are. So this idea of zero trust, people used to call it a buzzword, it's now a mandate along with automation. Because you just can't throw labor at the problem. This is all good news for investors as cyber remains a market that's ripe for valuation increases and M&A activity, especially if you know where to look. Hopefully we've helped you squint through the maze a little bit. Okay, that's it for now. Thanks to the community for your comments and insights. Remember I publish each week on wikibon.com and siliconangle.com. These episodes, they're all available as podcasts. All you got to do is search breaking analysis podcasts, put in the headphones, listen when you're in your car, or out for your walk or run, and you can always connect on Twitter @DVellante, or email me at david.vellante@siliconangle.com. I appreciate the comments on LinkedIn and in Clubhouse, please follow me, so you're notified when we start a room and riff on these topics and others. And don't forget to check out etr.plus for all the survey data. 
This is Dave Vellante for The Cube Insights powered by ETR. Be well, and we'll see you next time. (light instrumental music)

Published Date : May 7 2021
