from the cube studios in palo alto in boston bringing you data-driven insights from the cube and etr this is breaking analysis with dave vellante the pandemic not only accelerated the shift to digital but also highlighted a rush of cyber criminal sophistication collaboration and chaotic responses by virtually every major company in the planet the solar winds hack exposed supply chain weaknesses and so-called island hopping techniques that are exceedingly difficult to detect moreover the will and aggressiveness of well-organized cyber criminals has elevated to the point where incident responses are now met with counterattacks designed to both punish and extract money from victims via ransomware and other criminal activities the only upshot is the cyber security market remains one of the most enduring and attractive investment sectors for those that can figure out where the market is headed and which firms are best positioned to capitalize hello everyone and welcome to this week's wikibon cube insights powered by etr in this breaking analysis we'll provide our quarterly update of the security industry and share new survey data from etr and thecube community that will help you navigate through the maze of corporate cyber warfare we'll also share our thoughts on the game of 3d chest that octa ceo todd mckinnon is playing against the market now we all know this market is complicated fragmented and fast moving and this next chart says it all it's an interactive graphic from optiv a denver colorado based si that's focused on cyber security they've done some really excellent research and put together this awesome taxonomy and mapped vendor names therein and this helps users navigate the complex security landscape and there are over a dozen major sectors high-level sectors within the security taxonomy in nearly 60 sub-sectors from monitoring vulnerability assessment identity asset management firewalls automation cloud data center sim threat detection and intelligent endpoint network and so on and so on and so on but this is a terrific resource and can help you understand where players fit and help you connect the dots in the space now let's talk about what's going on in the market the dynamics in this crazy mess of a landscape are really confusing sometimes now since the beginning of cyber time we've talked about the increasing sophistication of the adversary and the back and forth escalation between good and evil and unfortunately this trend is unlikely to stop here's some data from carbon black's annual modern bank heist report this is the fourth and of course now vmware's brand highlights the carbon black study since the acquisition and it catalyzed the creation of vmware's cloud security division destructive malware attacks according to the recent study are up 118 percent from last year now one major takeaway from the report is that hackers aren't just conducting wire fraud they are 57 of the bank surveyed saw an increase in wire fraud but the cyber criminals are also targeting non-public information such as future trading strategies this allows the bad guys to front run large block trades and profit it's become very lucrative practice now the prevalence of so-called island hopping is up 38 from already elevated levels this is where a virus enters a company's supply chain via a partner and then often connects with other stealthy malware downstream these techniques are more common where the malware will actually self-form with other infected parts of the supply chain and create actions with different signatures designed to identify and exfiltrate valuable information it's a really complex problem of major concern is that 63 of banking respondents in the study reported that responses to incidents were then met with retaliation designed to intimidate or initiate ransomware attacks to extract a final pound of flesh from the victim notably the study found that 75 percent of csos reported to the cio which many feel is not the right regime the study called for a rethinking of the right cyber regime where the cso has increased responsibility in a direct reporting line to the ceo or perhaps the co with greater exposure to boards of directors so many thanks to vmware and tom kellerman specifically for sharing this information with us this past week great work by your team now some of the themes that we've been talking about for several quarters are shown in the lower half of the chart cloud of course is the big driver thanks to work from home and the pandemic to pandemic and the interesting corollary of course is we see a rapid rethinking of endpoint and identity access management and the concept of zero trust in a recent esg survey two-thirds of respondents said that their use of cloud computing necessitated a change in how they approach identity access management now as shown in the chart from optiv the market remains highly fragmented and m a is of course way up now based on our research it looks like transaction volume has increased more than 40 percent just in the last five months so let's dig into the m a the merger and acquisition trends for just a moment we took a five month snapshot and we were able to count about 80 deals that were completed in that time frame those transactions represented more than 20 billion dollars in value some of the larger ones are highlighted here the biggest of course being the toma bravo taking proof point private for a 12 plus billion dollar price tag the stock went from the low 130s and is trading in the low 170s based on 176 dollar per share offer so there's your arbitrage folks go for it perhaps the more interesting acquisition was auth 0 by octa for 6.5 billion which we're going to talk about more in a moment there's more private equity action we saw as insight bought armis and iot security play and cisco shelled out 730 million dollars for imi mobile which is more of an adjacency to cyber but it's going to go under cisco's security and applications business run by g2 patel but these are just the tip of the iceberg some of the themes that we see connecting the dots of these acquisitions are first sis like accenture atos and wipro are making moves in cyber to go local they're buying secops expertise as i say locally in places like france germany netherlands canada and australia that last mile that belly-to-belly intimate service israel israeli-based startups chalked up five acquired companies in the space over the last five months also financial services firms are getting into the act with goldman and mastercard making moves to own its own part of the stack themselves to combat things like fraud and identity theft and then finally numerous moves to expand markets octa with zero crowdstrike buying a log management company palo alto picking up devops expertise rapid seven shoring up its kubernetes chops tenable expanding beyond insights and going after identity interesting fortinet filling gaps in a multi-cloud offering sale point extending to governance risk and compliance grc zscaler picked up an israeli firm to fill gaps in access control and then vmware buying mesh 7 to secure modern app development and distribution services so tons and tons of activity here okay so let's look at some of the etr data to put the cyber market in context etr uses the concept of market share it's one of the key metrics which is a measure of pervasiveness in the data set so for each sector it calculates the number of respondents for that sector divided by the total to get a sense for how prominent the sector is within the cio and i.t buyer communities okay this chart shows the full etr sector taxonomy with security highlighted across three survey periods april last year january this year in april this year now you wouldn't expect big moves in market share over time so it's relatively stable by sector but the big takeaway comes from observing which sectors are most prominent so you see that red line that dotted line imposed at the sixty percent level you can see there are only six sectors above that line and cyber security is one of them okay so we know that security is important in a large market but this puts it in the context of the other sectors however we know from previous breaking analysis episodes that despite the importance of cyber and the urgency catalyzed by the pandemic budgets unfortunately are not unlimited and spending is bounded it's not an open checkbook for csos as shown in this chart this is a two-dimensional graphic showing market share in the horizontal axis or pervasiveness and net score in the vertical axis net score is etr's measurement of spending velocity and we've superimposed a red line at 40 percent because anything over 40 percent we consider extremely elevated we've filtered and limited the number of sectors to simplify the graphic and you can see in the sectors that we've highlighted only the big four four are above that forty percent line ai containers rpa and cloud they exceed that sort of forty percent magic water line information security you can see that is highlighted and it's respectable but it competes for budget with other important sectors so this of course creates challenges for organization because not only are they strapped for talent as we've reported they like everyone else in it face ongoing budget pressures research firm cybersecurity ventures estimates that in 2021 6 trillion dollars worldwide will be lost on cyber crime conversely research firm canalis pegs security spending somewhere around 60 billion dollars annually idc has it higher around 100 billion so either way we're talking about spending between one to one point six percent annually of how much the bad guys are taking out that's peanuts really when you consider the consequences so let's double click into the cyber landscape a bit and further look at some of the companies here's that same x y graphic with the company's etr captures from respondents in the cyber security sector that's what's shown on the chart here now the usefulness of the red lines is 20 percent on the horizontal indicates the largest presence in the survey and the magic 40 percent line that we talked about earlier shows those firms with the most elevated momentum only microsoft and palo alto exceed both high water marks of course splunk and cisco are prominent horizontally and there are numerous companies to the left of the 20 percent line and many above that 40 percent high water mark on the vertical axis now in the bottom left quadrant that includes many of the legacy names that have been around for a long time and there are dozens of companies that show spending momentum on their platforms i.e above single digits so that picture is like the first one we showed you very very crowded space but so let's filter it a bit and only include companies in the etr survey that had at least a hundred responses so an n of a hundred or greater so it's a little easy to read but still it's kind of crowded when you think about it okay so same graphic and we've superimposed the data that determined the plot position over in the bottom right there so it's net score and shared n including only companies with more than 100 n so what does this data tell us about the market well microsoft is dominant as always it seems in all dimensions but let's focus on that red line for a moment some of the names that we've highlighted over the past two years show very well here first i want to talk about palo alto networks pre-covet as you might recall we highlighted the valuation divergence between palo alto and fortinet and we said fortinet was executing better on its cloud strategy and palo alto was at the time struggling with the transition especially with its go to market and its sales force compensation and really refreshing its portfolio but we told you that we were bullish on palo alto networks at the time because of its track record and the fact that cios consistently told us that they saw palo alto as a thought leader in the space that they wanted to work with they said that palo alto was the gold standard the best especially larger company cisos so that gave us confidence that palo alto a very well-run company was going to get its act together and perform better and palo alto has just done just that as we expected they've done very well and they've been rapidly moving customers to the next generation of platforms and we're very impressed by the company's execution and the stock has generally reflected that now some other names that hit our radar and the etr data a couple of years ago continue to perform well crowdstrike z-scaler sales sail point and cloudflare a cloudflare just reported and beat earnings but was off the stock fell on headwinds for tech overall the big rotation but the company is doing very well and they're growing rapidly and they have momentum as you can see from the etr data and we put that double star around proof point to highlight that it was worthy of fetching 12 and a half billion dollars from private equity firm so nice exit there supporting the continued control consolidation trend that we've predicted in cyber security now let's turn our attention to octa and auth zero this is where it gets interesting and is a clever play for octa we think and we want to drill into it a bit octa is acquiring auth zero for big money why well we think todd mckinnon octa ceo wants to run the table on identity and then continue to expand his tam he has to do that to justify his lofty valuation so octa's ascendancy around identity and single sign sign-on is notable the fragmented pictures that we've shown you they scream out for simplification and trust and that's what octa brings but it competes with some major players most notably microsoft with active directory so look of course microsoft is going to dominate in its massive customer base but the rest of the market that's like jump ball it's wide open and we think mckinnon saw the opportunity to go dominate that sector now octa comes at this from an enterprise perspective bringing top-down trust to the equation and throwing a big blanket over all the discrete sas platforms and unifying employee access octa's timing was perfect it was founded in 2009 just as the massive sasification trend was happening around crm and hr and service management and cloud etc but the one thing that octa didn't have that auth 0 does is serious developer chops while octa was crushing it with its enterprise sales strategy auth 0 was laser focused on developers and building a bottoms up approach to identity by acquiring auth0 octa can dominate both sides of the barbell and then capture the fat middle so yes it's a pricey acquisition but in our view it's a great move by mckinnon now i don't know mckinnon personally but last week i spoke to arun shrestha who's the ceo of security specialist beyond id they're a platinum services partner of octa and there a zero trust expert he worked for octa for a number of years and shared with me a bit about mckinnon's style and think big approach arun said something that caught my attention he said firewalls used to be the perimeter now people are and while that's self-serving to octa and probably beyond id it's true people apps and data are the new perimeter and they're not in one location and that's the point now unfortunately i had lined up an interview with dia jolly who was the chief product officer at octa in a cube alum for this past week knowing that we were running this segment in this episode but she unfortunately fell ill the day of our interview and had to cancel but i want to follow up with her and understand how she's thinking about connecting the dots with auth 0 with devs and enterprises and really test our thesis there this is a really interesting chess match that's going on let's look a little deeper into that identity space this chart here shows some of the major identity players it has some of the leaders in the identity market and there's a breakdown of etr's net score now net score comprises five elements the lime green is we're adding the platform new the forest green is we're spending six percent or more relative to last year the gray is flat send plus or minus flat spend plus or minus five percent the pinkish is spending less and the bright red is where exiting the platform retiring now you subtract the red from the green and that gets you the result for net score which you can see superimposed on the right hand chart at the bottom that first column there the far column is shared in which informs and indicates the number of responses and is a proxy for presence in the market oh look at the top two players in terms of spending momentum now sales sale point is right there but auth 0 combined with octa's distribution channel will extend octa's lead significantly in our view and then there's microsoft now just a caveat this includes all of microsoft's security offerings not just identity but it's there for context and cyber arc as well includes its acquisition of adaptive but also other parts of cyberarks portfolio so you can see some of the other names that are there many of which you'll find in the gartner magic quadrant for identity and as we said we really like this move by octa it combines positive market forces with lead offerings from very well-run companies that have winning dna and passionate people now to further emphasize emphasize what what's happening here take a look at this this chart shows etr data for octa within sale point and cyber arc accounts out of the 230 cyber and sale point customers in the data set there are 81 octa accounts that's a 35 overlap and the good news for octa is that within that base of sale point in cyber arc accounts octa is shown by the net score line that green line has a very elevated spending and momentum and the kicker is if you read the fine print in the right hand column etr correctly points out that while sailpoint and cyberarc have long been partners with octa at the recent octane 21 event octa's big customer event the company announced that it was expanding into privileged access management pam and identity governance hello and welcome to coopetition in the 2020s now our current thinking is that this bodes very well for octa and cyberark and sailpoint well they're going to have to make some counter moves to fend off the onslaught that is coming now let's wrap up with what has become a tradition in our quarterly security updates looking at those two dimensions of net score and market share we're going to see which companies crack the top 10 for both measures within the etr data set we do this every quarter so here on the left we have the top 20 sorted by net score or spending momentum and on the right we sort by shared n so again top 20 which informs shared end and forms the market share metric or presence in the data set that red horizontal lines those two lines on each separate the top 10 from the remaining 10 within those top 20. in our method what we do is we assign four stars to those companies that crack the top ten for both metrics so again you see microsoft palo alto networks octa crowdstrike and fortinet fortinet by the way didn't make it last quarter they've kind of been in and out and on the bubble but you know this company is very strong and doing quite well only the other four did last quarter there was same four last quarter and we give two stars to those companies that make it in both categories within the top 20 but didn't make the top 10. so cisco splunk which has been steadily decelerating from a spending momentum standpoint and z-scaler which is just on the cusp you know we really like z-scaler and the company has great momentum but that's the methodology it is what it is now you can see we kept carbon black on the rightmost chart it's like kind of cut off it's number 21 only because they're just outside looking in on netscore you see them there they're just below on on netscore number 11. and vmware's presence in the market we think that carbon black is really worth paying attention to okay so we're going to close with some summary and final thoughts last quarter we did a deeper dive on the solar winds hack and we think the ramifications are significant it has set the stage for a new era of escalation and adversary sophistication now major change we see is a heightened awareness that when you find intruders you'd better think very carefully about your next moves when someone breaks into your house if the dog barks or if you come down with a baseball bat or other weapon you might think the intruder is going to flee but if the criminal badly wants what you have in your house and it's valuable enough you might find yourself in a bloody knife fight or worse what's happening is intruders come to your company via island hopping or inside or subterfuge or whatever method and they'll live off the land stealthily using your own tools against you so they can you can't find them so easily so instead of injecting new tools in that send off an alert they just use what you already have there that's what's called living off the land they'll steal sensitive data for example positive covid test results when that was really really sensitive obviously still is or other medical data and when you retaliate they will double extort you they'll encrypt your data and hold it for ransom and at the same time threaten to release the sensitive information to crushing your brand in the process so your response must be as stealthy as their intrusion as you marshal your resources and devise an attack plan you face serious headwinds not only is this a complicated situation there's your ongoing and acute talent shortage that you tell us about all the time many companies are mired in technical debt that's an additional challenge and then you've got to balance the running of the business while actually affecting a digital transformation that's very very difficult and it's risky because the more digital you become the more exposed you are so this idea of zero trust people used to call it a buzzword it's now a mandate along with automation because you just can't throw labor at the problem this is all good news for investors as cyber remains a market that's ripe for valuation increases and m a activity especially if you know where to look hopefully we've helped you squint through the maze a little bit okay that's it for now thanks to the community for your comments and insights remember i publish each week on wikibon.com and siliconangle.com these episodes they're all available as podcasts all you do is search breaking analysis podcast put in the headphones listen when you're in your car out for your walk or run and you can always connect on twitter at divalante or email me at david.valante at siliconangle.com i appreciate the comments on linkedin and in clubhouse please follow me so you're notified when we start a room and riff on these topics and others and don't forget to check out etr.plus for all the survey data this is dave vellante for the cube insights powered by etr be well and we'll see you next time [Music] you