WEBVTT 1 00:00:00.240 --> 00:00:02.940 Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm 2 00:00:02.940 --> 00:00:06.090 Anna Delaney, and this is our weekly review and analysis of 3 00:00:06.090 --> 00:00:09.900 the trending cybersecurity news stories. Joining me today are 4 00:00:09.900 --> 00:00:13.020 the three Ms, the three musketeers: Marianne Kolbasuk 5 00:00:13.080 --> 00:00:16.680 McGee, executive editor of HealthcareInfoSecurity; we have 6 00:00:16.680 --> 00:00:19.620 Mathew Schwartz, executive editor of DataBreachToday and 7 00:00:19.620 --> 00:00:23.280 Europe; and Michael Novinson, managing editor for business. 8 00:00:23.400 --> 00:00:24.480 Very good to see you all. 9 00:00:25.170 --> 00:00:25.770 Marianne McGee: Hi, Anna. 10 00:00:26.680 --> 00:00:27.910 Michael Novinson: Thank you for having me. 11 00:00:27.000 --> 00:00:34.050 Anna Delaney: You got to say, well done. I couldn't help it. 12 00:00:27.540 --> 00:00:30.030 Mathew Schwartz: One for all, somebody has to say. 13 00:00:34.230 --> 00:00:38.100 Michael, gorgeous setting today. Where are you? 14 00:00:38.990 --> 00:00:41.390 Michael Novinson: Thank you for that. I am at the Providence 15 00:00:41.390 --> 00:00:44.810 Performing Arts Center in Providence, Rhode Island. Now 16 00:00:44.810 --> 00:00:47.480 it's say Broadway show house that dates back to the late 17 00:00:47.480 --> 00:00:50.870 1920s. Originally, movie theater, then had rock concerts 18 00:00:50.870 --> 00:00:53.750 for many decades, nearly torn down in the late 1970s, and then 19 00:00:53.750 --> 00:00:58.700 was rehabbed, brought back to its original 1928 form, enlarged 20 00:00:58.700 --> 00:01:01.280 it so it can host Broadway touring groups. I was actually 21 00:01:01.280 --> 00:01:06.230 seeing ... but this was from Jagged Little Pill. So I would 22 00:01:06.230 --> 00:01:09.080 highly recommend it if you are a child of the 1990s. So you enjoy 23 00:01:09.110 --> 00:01:10.670 all raka wonderful plan. 
24 00:01:11.500 --> 00:01:14.380 Anna Delaney: Brilliant. I'm glad they didn't bring it down 25 00:01:14.380 --> 00:01:17.950 and that they were sorted. Gorgeous. Marianne, you always 26 00:01:17.950 --> 00:01:19.210 bring us a beautiful view. 27 00:01:20.530 --> 00:01:24.040 Marianne McGee: I'm in New Bedford, Massachusetts, which is 28 00:01:24.490 --> 00:01:29.440 sort of a fishing community. Years ago, it was a big whaling 29 00:01:30.550 --> 00:01:37.210 community or area. So it was nicer weather when I went there, 30 00:01:37.240 --> 00:01:40.540 like months ago, but you know, we're looking forward to summer. 31 00:01:41.290 --> 00:01:44.500 Anna Delaney: Oh, yes, for sure. And Matt, beautiful view as 32 00:01:44.000 --> 00:01:48.230 Mathew Schwartz: Thank you. I'm keeping it local. This is the 33 00:01:44.500 --> 00:01:44.950 well. 34 00:01:48.230 --> 00:01:54.140 RRS Discovery, the Antarctic research vessel, which took 35 00:01:54.140 --> 00:01:58.520 Captain Scott and Ernest Shackleton down to Antarctica to 36 00:01:58.550 --> 00:02:02.780 some acclaim and brought them back. So all is well. I think I 37 00:02:02.780 --> 00:02:05.960 think they survived anyway. Right? Scott, Shackleton, maybe 38 00:02:05.960 --> 00:02:06.740 you grew up with that? 39 00:02:08.190 --> 00:02:13.020 Anna Delaney: I should know this. I love the pink and purple 40 00:02:13.020 --> 00:02:16.770 in the sky. Gorgeous. Well, I thought I'd dig out some street 41 00:02:16.770 --> 00:02:20.400 art from Spain. This is a trip last year to Valencia when I 42 00:02:20.400 --> 00:02:27.420 encountered a heart in an alleyway. So, as you do. Matt, 43 00:02:27.420 --> 00:02:30.570 earlier this month, you wrote about a global ransomware 44 00:02:30.570 --> 00:02:37.320 campaign targeting VMware ESXi servers by exploiting a known 45 00:02:37.350 --> 00:02:39.960 two-year old software vulnerability. Tell us more 46 00:02:39.000 --> 00:02:41.400 Mathew Schwartz: It is a mouthful, isn't it? 
So yeah, 47 00:02:41.466 --> 00:02:45.466 we've got this small problem in the form of unpatched VMware 48 00:02:45.533 --> 00:02:49.000 ESXi servers running hypervisors. So they're hosting 49 00:02:49.066 --> 00:02:53.200 virtual machines. And one of the challenges with this story is 50 00:02:53.266 --> 00:02:57.133 the fact that the ransomware is being used by attackers to 51 00:02:57.200 --> 00:03:01.267 target unpatched machines. Has this mouthful name. It's being 52 00:03:01.333 --> 00:03:05.400 referred to as the ESXiArgs - sounds like a pirate ransomware 53 00:03:05.467 --> 00:03:09.533 campaign, so args - the reason that's in the title is because 54 00:03:09.600 --> 00:03:13.334 systems that get messed with by attackers have got .args 55 00:03:13.400 --> 00:03:17.534 appended to the files. So this ransomware goes after the kinds 56 00:03:17.600 --> 00:03:21.667 of files it'll be running on hypervisors, pretty much virtual 57 00:03:21.734 --> 00:03:25.934 machines. And as of last week, we know that there were at least 58 00:03:26.000 --> 00:03:29.334 2,800 victims that had been amassed. That's really 59 00:03:29.401 --> 00:03:33.401 interesting how we know this, the attackers don't seem to be 60 00:03:33.467 --> 00:03:37.467 ultra sophisticated. Not my words, I was talking to security 61 00:03:37.534 --> 00:03:41.201 experts, and they've been looking at the way that these 62 00:03:41.267 --> 00:03:45.067 attacks have gone down, and they're highly automated. And 63 00:03:45.134 --> 00:03:49.134 when these VMware servers are getting hit, in the first wave 64 00:03:49.201 --> 00:03:53.334 of attacks, what would happen is there'll be a ransomware note 65 00:03:53.401 --> 00:03:57.534 that would get dropped, and each of the ransomware notes had a 66 00:03:57.601 --> 00:04:01.401 unique cryptocurrency wallet address to which the victims 67 00:04:01.468 --> 00:04:05.735 were supposed to remit payment.
So the good news is, only a very 68 00:04:05.801 --> 00:04:09.868 few victims have used these cryptocurrency wallets, 69 00:04:09.935 --> 00:04:14.068 researchers can see if there's any funds flowing into them. It 70 00:04:14.135 --> 00:04:18.468 also allowed them again to count how many had been hit, and to do 71 00:04:18.535 --> 00:04:22.868 some analysis using Shodan and other Internet search engines to 72 00:04:22.935 --> 00:04:27.002 see where these victims appear to be located. The majority in 73 00:04:27.068 --> 00:04:30.868 France but a fair few also in the United States, Germany, 74 00:04:30.935 --> 00:04:34.735 Canada, U.K., Netherlands, Finland, and beyond. So, as so 75 00:04:34.802 --> 00:04:39.002 often happens when researchers publicize this sort of thing and 76 00:04:39.069 --> 00:04:43.069 say, Oh, look at these amateur attackers, the attackers have 77 00:04:43.135 --> 00:04:47.002 revised their attack code and done a couple of things. The 78 00:04:47.069 --> 00:04:50.469 first thing is they've gotten rid of the hard-coded 79 00:04:50.535 --> 00:04:54.202 cryptocurrency wallet addresses, the unique one in every 80 00:04:54.269 --> 00:04:58.269 different ransom note. Instead, they just tell the victim to 81 00:04:58.336 --> 00:05:02.269 contact them and they'll give them an address. So it's very 82 00:05:02.336 --> 00:05:06.536 difficult now to count victims. Another thing they seem to have 83 00:05:06.602 --> 00:05:10.536 done is the vulnerability they were targeting was two years 84 00:05:10.603 --> 00:05:14.469 old. It was a vulnerability in a protocol that allows VMware 85 00:05:14.536 --> 00:05:18.603 systems to look for other VMware systems on the network. It's 86 00:05:18.669 --> 00:05:22.669 called OpenSLP. And in the first wave of attacks, it seemed 87 00:05:22.736 --> 00:05:26.536 like the systems getting hit hadn't patched this OpenSLP 88 00:05:26.603 --> 00:05:30.603 flaw, which was patched back in February 2021.
So in theory, 89 00:05:30.670 --> 00:05:34.536 everybody should have had this patch installed. Nearly two 90 00:05:34.603 --> 00:05:38.736 years later, longtime attackers, they hit all the systems that 91 00:05:38.803 --> 00:05:42.670 haven't done so. In the second wave of attacks, though, it 92 00:05:42.737 --> 00:05:46.737 seems like some of the systems that are getting hit did have 93 00:05:46.803 --> 00:05:50.937 OpenSLP either patched or not exposed to the internet. And if 94 00:05:51.003 --> 00:05:54.937 it's not exposed, supposedly, this is one way of mitigating 95 00:05:55.003 --> 00:05:58.870 the vulnerability from being exploited. So it's not really 96 00:05:58.937 --> 00:06:03.204 clear what's happening with this second wave. Some experts think 97 00:06:03.270 --> 00:06:07.337 that there's a different flaw in VMware that's getting hit by 98 00:06:07.404 --> 00:06:11.737 these attackers, again, in these highly automated attacks. So all 99 00:06:11.804 --> 00:06:15.404 this is bad news. The Cybersecurity and Infrastructure 100 00:06:15.471 --> 00:06:19.337 Security Agency in the United States has come out and told 101 00:06:19.404 --> 00:06:23.671 federal agencies that need to do what CISA says that they need to 102 00:06:23.737 --> 00:06:27.204 have this updated pronto. They've set an early March 103 00:06:27.271 --> 00:06:31.537 deadline, but they want them to ensure they've got mitigation in 104 00:06:31.604 --> 00:06:35.471 place to block these attacks from happening until they can 105 00:06:35.538 --> 00:06:39.271 get a patch in place. Why haven't all these systems just 106 00:06:39.338 --> 00:06:43.404 been patched? That's a question I've been asking experts. And 107 00:06:43.471 --> 00:06:47.471 one of the challenges apparently with hypervisors is they're 108 00:06:47.538 --> 00:06:51.471 really easy to deploy.
But they're more difficult to patch, 109 00:06:51.538 --> 00:06:55.138 because you need to take everything on that hypervisor 110 00:06:55.205 --> 00:06:59.205 and swap it over to a different system. And they can be very 111 00:06:59.271 --> 00:07:03.471 big. Patch that first system and then copy it all back. And one 112 00:07:03.538 --> 00:07:07.738 of the things I've been hearing is, it'd be nice if VMware made 113 00:07:07.805 --> 00:07:11.805 this easier to do, because as you can see, you have a lot of 114 00:07:11.872 --> 00:07:15.938 unpatched systems still running around. So we do seem to have 115 00:07:16.005 --> 00:07:20.205 fewer systems that are internet exposed since this flaw started 116 00:07:20.272 --> 00:07:23.872 getting hit, which is great news. But we still do have 117 00:07:23.939 --> 00:07:27.472 systems that are internet exposed, the admin panel is 118 00:07:27.539 --> 00:07:31.805 internet exposed, which is what needs to be addressed. The other 119 00:07:31.872 --> 00:07:36.072 thing to note really briefly is, when a hypervisor gets hit, on 120 00:07:36.139 --> 00:07:40.272 average, it'll have five to 10 virtual machines running on it. 121 00:07:40.339 --> 00:07:44.339 But there could be many more if it's a service provider, for 122 00:07:44.406 --> 00:07:48.206 example. So even though we're talking about maybe 120-800 123 00:07:48.272 --> 00:07:52.539 organizations getting hit, it's not clear by extension, how many 124 00:07:52.606 --> 00:07:55.739 different companies or businesses may have been 125 00:07:55.806 --> 00:07:59.806 impacted. We're not sure if their data has been exfiltrated. 126 00:07:59.873 --> 00:08:03.673 And these attacks as well. So there's a lot that we don't 127 00:08:03.739 --> 00:08:07.339 know, but short and sweet: If you've got a VMware ESXi 128 00:08:07.406 --> 00:08:11.940 hypervisor and an unpatched one, you need to get on that right away. 
129 00:08:13.670 --> 00:08:15.800 Anna Delaney: And it just the question hypervisors, and is 130 00:08:15.800 --> 00:08:18.020 this a new threat to hypervisors? 131 00:08:19.050 --> 00:08:21.210 Mathew Schwartz: There's a risk with hypervisors, because they 132 00:08:21.210 --> 00:08:25.680 will run multiple virtual machines. And if you are getting 133 00:08:25.680 --> 00:08:28.950 that through a service provider, you may be only one of the 134 00:08:28.950 --> 00:08:35.040 clients. So if an attacker can get on to that hypervisor, and 135 00:08:35.070 --> 00:08:38.430 somehow get root, then they can access everything running on 136 00:08:38.430 --> 00:08:42.780 that system. This is a problem with any kind of hosted service. 137 00:08:42.960 --> 00:08:46.920 But certainly when you have managed hosting like this, if 138 00:08:47.190 --> 00:08:49.260 that's what you're doing, you want to make sure that your 139 00:08:49.290 --> 00:08:52.740 service provider has got some guarantees in place, in case 140 00:08:52.740 --> 00:08:56.130 this sort of thing happens. If your data gets breached, as a 141 00:08:56.130 --> 00:08:58.440 result, you're still going to look bad, but at least if you've 142 00:08:58.440 --> 00:09:01.710 got contracts in place, possibly you can transfer some of the 143 00:09:01.740 --> 00:09:04.830 cleanup costs or liability onto your hosting provider. 144 00:09:06.400 --> 00:09:08.020 Anna Delaney: Well, thanks for that, Matt. That was very clear 145 00:09:08.020 --> 00:09:11.380 insight. Moving on. Marianne, both you and Matt actually 146 00:09:11.380 --> 00:09:16.330 reported on the GoAnywhere MFT hack this week. So Marianne, the 147 00:09:16.330 --> 00:09:19.450 question is, how did the data of about one million patients end 148 00:09:19.450 --> 00:09:20.800 up being compromised? 
149 00:09:21.710 --> 00:09:26.810 Marianne McGee: Well, what we know and this is all based on a 150 00:09:26.810 --> 00:09:31.610 Community Health Systems filing, which reported the breach actually not 151 00:09:31.610 --> 00:09:35.000 to HHS and not to any of the state regulators yet but to 152 00:09:35.000 --> 00:09:40.370 actually the U.S. Securities and Exchange Commission, that it was 153 00:09:40.370 --> 00:09:46.640 recently notified by Fortra, which is the vendor that sells 154 00:09:46.640 --> 00:09:53.780 GoAnywhere MFT secure file transfer software, that CHS was 155 00:09:53.780 --> 00:09:57.770 informed by Fortra that Fortra had had a security incident, and 156 00:09:58.070 --> 00:10:03.860 the filing by CHS to the SEC doesn't really go into details 157 00:10:03.860 --> 00:10:08.840 of exactly what happened. But as Matt also wrote about, Fortra 158 00:10:09.140 --> 00:10:13.430 recently was the subject of a security alert about a 159 00:10:13.490 --> 00:10:19.850 pre-authentication remote code execution vulnerability in the 160 00:10:19.850 --> 00:10:25.340 GoAnywhere MFT product. And there's been reports of the zero 161 00:10:25.340 --> 00:10:28.700 day vulnerability being exploited by various attackers, 162 00:10:29.000 --> 00:10:33.500 including the ransomware group Clop, which claims to have 163 00:10:33.500 --> 00:10:39.290 stolen data from about 130 organizations. So, so far, 164 00:10:39.440 --> 00:10:44.630 there's no confirmation that CHS was among those 130 165 00:10:44.660 --> 00:10:50.420 organizations that were victimized by Clop. But it does 166 00:10:50.420 --> 00:10:55.790 seem like the timing kind of fits when, again, CHS won't say; 167 00:10:56.060 --> 00:11:02.450 Fortra doesn't return requests for a comment on the issue.
But 168 00:11:02.480 --> 00:11:05.870 in the bigger picture, this is like the latest incident where a 169 00:11:05.870 --> 00:11:09.410 major health data breach is being reported to regulators, 170 00:11:09.680 --> 00:11:15.230 involving vendors. Many of the large, and some of the largest 171 00:11:15.230 --> 00:11:18.470 health data breaches that were reported last year involve 172 00:11:18.470 --> 00:11:24.140 vendors, whether it was like electronic health record vendors 173 00:11:24.140 --> 00:11:27.050 or other sorts of technology vendors. Some of these incidents 174 00:11:27.050 --> 00:11:32.000 involved ransomware, some of them involved misconfigurations 175 00:11:32.000 --> 00:11:35.360 that maybe lead to something else. But the bottom line is 176 00:11:35.390 --> 00:11:39.260 this latest incident with CHS reporting that one million 177 00:11:39.260 --> 00:11:45.500 patients were impacted by this Fortra incident is a reminder of 178 00:11:45.500 --> 00:11:49.610 not only vendor risk issues, but also in the case of other 179 00:11:49.610 --> 00:11:53.330 organizations that are using the GoAnywhere product that they 180 00:11:53.330 --> 00:11:57.230 need to apply this patch that Fortra has issued as soon as 181 00:11:57.230 --> 00:12:01.760 possible. So I'm sort of keeping my eyes on what happens with the 182 00:12:01.760 --> 00:12:08.030 CHS breach, what other details might get revealed once the 183 00:12:08.030 --> 00:12:11.360 organization reports it to the Department of Health and Human 184 00:12:11.360 --> 00:12:16.610 Services, and there's always fallout after these things come 185 00:12:17.990 --> 00:12:21.230 out in the open, how much details do we get, we'll see, 186 00:12:21.380 --> 00:12:23.510 but we'll also see if there's other healthcare organizations 187 00:12:23.510 --> 00:12:26.960 or other organizations in other sectors that matter that wind up 188 00:12:26.960 --> 00:12:31.100 reporting breaches related to this GoAnywhere incident. 
And, 189 00:12:31.130 --> 00:12:33.650 Matt, I don't know if you've been hearing anything more about 190 00:12:33.650 --> 00:12:37.010 other organizations that have come out saying that we've had 191 00:12:37.010 --> 00:12:39.620 breaches related to this, but I'll be interested in seeing 192 00:12:39.620 --> 00:12:40.610 what happens next. 193 00:12:40.930 --> 00:12:42.790 Mathew Schwartz: I haven't seen any reports before the one that 194 00:12:42.790 --> 00:12:47.410 you put out that suggests, like you said, they haven't stated 195 00:12:47.590 --> 00:12:50.950 for certain that this is how they were breached. But I 196 00:12:50.950 --> 00:12:55.930 suspect that there are a lot of organizations looking into 197 00:12:56.020 --> 00:12:59.710 whether or not this was used against them. That's one of the 198 00:12:59.710 --> 00:13:04.780 recommendations that's been made is to go in and look at your log 199 00:13:04.780 --> 00:13:07.750 files. There's a GoAnywhere.log file that you can look out for 200 00:13:07.750 --> 00:13:12.370 signs of suspicious activity, which can include I feel medical 201 00:13:12.370 --> 00:13:17.380 side effects alert. But if there's unexpected admin 202 00:13:17.380 --> 00:13:21.280 accounts, unexpected users, new accounts created at weird times 203 00:13:21.280 --> 00:13:24.370 of the day like three in the morning, when nobody really 204 00:13:24.370 --> 00:13:28.090 should be at work. That's the sort of advice that users are 205 00:13:28.090 --> 00:13:31.960 getting, which obviously isn't ideal. The company is telling 206 00:13:31.960 --> 00:13:36.280 them to look back to I think, around January 25, is when they 207 00:13:36.310 --> 00:13:39.040 think that the signs of this ... where they think the attack 208 00:13:39.040 --> 00:13:43.060 first began. Some organizations might not have those log files 209 00:13:43.060 --> 00:13:46.060 still, hopefully they do. 
And so they're looking for signs of 210 00:13:46.390 --> 00:13:51.760 suspicious activity. The typical investigation cycle we see can 211 00:13:51.760 --> 00:13:54.760 stretch for four to six weeks, maybe sometimes eight 212 00:13:54.760 --> 00:13:58.210 weeks before you see companies come back after they've 213 00:13:58.210 --> 00:14:01.360 commissioned incident responders to say what was found and all 214 00:14:01.360 --> 00:14:04.300 that. So I suspect there are a lot of organizations at the 215 00:14:04.300 --> 00:14:09.310 beginning of this "oh, no, we were hit, bringing in 216 00:14:09.310 --> 00:14:13.180 outside help to figure out how we were hit" cycle. And we're 217 00:14:13.180 --> 00:14:16.300 going to be hearing a lot more about this the next month or so. 218 00:14:17.200 --> 00:14:21.430 Marianne McGee: Yeah. And then, again, CHS didn't provide a lot 219 00:14:21.430 --> 00:14:26.020 of details to the SEC, but they did say that when they learned 220 00:14:26.020 --> 00:14:29.860 about the incident from Fortra, they investigated to see if any 221 00:14:29.860 --> 00:14:35.050 of their systems were impacted or disrupted. And so far, they 222 00:14:35.050 --> 00:14:38.110 haven't found that's the case. But when they said disrupted, 223 00:14:38.140 --> 00:14:41.470 they should think maybe there was some sort of ransomware 224 00:14:41.470 --> 00:14:44.620 attempt or something involved. But again, I don't want to speak 225 00:14:44.620 --> 00:14:46.360 for the company. We'll see what happens. 226 00:14:47.680 --> 00:14:49.720 Anna Delaney: And Matt, just going back to the Clop group for 227 00:14:49.720 --> 00:14:53.260 a second, is this attack characteristic of their tactics, 228 00:14:53.260 --> 00:14:56.350 and correct me if I'm wrong, but were they not behind the 229 00:14:56.350 --> 00:14:58.540 Accellion attacks of 2020?
230 00:14:59.530 --> 00:15:02.130 Mathew Schwartz: I believe if they were behind Accellion, 231 00:15:02.195 --> 00:15:06.226 that's a great point to bring up. Because this wouldn't be the 232 00:15:06.291 --> 00:15:09.867 first time that a ransomware group has gained access to 233 00:15:09.932 --> 00:15:13.768 systems using some kind of vulnerability. And back in 2020, 234 00:15:13.833 --> 00:15:16.824 apparently, that was a vulnerability that this 235 00:15:16.889 --> 00:15:21.115 ransomware group had either paid somebody to find, or if somebody 236 00:15:21.180 --> 00:15:25.341 found it and brought it to them. And they were able to use it to 237 00:15:25.406 --> 00:15:29.307 really good effect to, as you mentioned, also hit users of a 238 00:15:29.372 --> 00:15:33.338 widely used product that was used for storing files. And they 239 00:15:33.403 --> 00:15:37.044 stole that data. They didn't encrypt those systems, they 240 00:15:37.109 --> 00:15:41.010 stole the data and held it to ransom, and did apparently get 241 00:15:41.075 --> 00:15:45.041 some ransom payments off of it. So we don't have proof or all 242 00:15:45.106 --> 00:15:49.137 solid proof that it is Clop. Clop has claimed that it was them. 243 00:15:49.202 --> 00:15:53.428 There's also one incident report that's been put out by a company 244 00:15:53.493 --> 00:15:57.524 called Huntress, which said it investigated a breach and found 245 00:15:57.589 --> 00:16:01.100 Clop-like activity on a server that was designated for 246 00:16:01.165 --> 00:16:05.391 GoAnywhere managed file transfer activity. So they didn't recover 247 00:16:05.456 --> 00:16:08.772 the smoking gun, if you will. But there is a lot of 248 00:16:08.837 --> 00:16:12.673 coincidental stuff happening around this. It does look like 249 00:16:12.738 --> 00:16:16.574 Clop, it does look like we've been here before with Clop as 250 00:16:16.639 --> 00:16:18.070 well, as you mentioned.
251 00:16:17.520 --> 00:16:20.975 Anna Delaney: Well as ever, it's a story to be continued. But for 252 00:16:21.043 --> 00:16:25.177 now, thank you, both of you, for updating us. Michael, you've 253 00:16:25.244 --> 00:16:28.903 written this week about Check Point's decision to enter 254 00:16:28.971 --> 00:16:31.140 the SD-WAN market. Tell us more. 255 00:16:32.770 --> 00:16:35.410 Michael Novinson: Absolutely. And I appreciate you having me 256 00:16:35.410 --> 00:16:38.830 here. So it was an interesting announcement. Monday morning, 257 00:16:38.830 --> 00:16:42.580 that Check Point did decide to do an SD-WAN offering of its own. 258 00:16:42.580 --> 00:16:45.670 It certainly took me by surprise. SD-WAN at this point 259 00:16:45.670 --> 00:16:48.880 is a fairly mature market. You've had a lot of companies 260 00:16:48.880 --> 00:16:51.280 climb their way into that space, some companies build their own 261 00:16:51.280 --> 00:16:54.490 SD-WAN products. But at this point, it's a market that's been 262 00:16:54.490 --> 00:16:57.040 around for many years, there's clear leaders, there's 263 00:16:57.040 --> 00:17:00.220 meaningful market share in the space. So to see a company like 264 00:17:00.220 --> 00:17:03.460 Check Point in 2023 decide they want to enter the space is 265 00:17:03.460 --> 00:17:06.910 certainly a little unusual. I mean, you can contrast where 266 00:17:06.940 --> 00:17:09.760 they're positioned against the three biggest competitors, the 267 00:17:09.760 --> 00:17:12.550 three other major companies in that network/firewall market, 268 00:17:12.550 --> 00:17:15.370 that being Fortinet, Palo Alto Networks, as well as Cisco 269 00:17:15.370 --> 00:17:18.100 Systems. All three of those companies, according to Gartner, 270 00:17:18.100 --> 00:17:21.040 are leaders in SD-WAN. Fortinet built its own SD-WAN 271 00:17:21.040 --> 00:17:24.160 capabilities on its own using its own proprietary ASIC chip 272 00:17:24.160 --> 00:17:27.700 technology.
And then Palo Alto Networks bought into the space 273 00:17:27.700 --> 00:17:31.990 in 2020 when they acquired CloudGenix. Cisco leveraged its 274 00:17:31.990 --> 00:17:35.920 acquisitions of Meraki and Viptela, in 2012 and 2017. So 275 00:17:35.920 --> 00:17:38.200 these companies or the assets they've acquired, they've been 276 00:17:38.200 --> 00:17:41.530 playing in SD-WAN for many years. So certainly Check Point 277 00:17:41.560 --> 00:17:44.050 is going to have a lot of catching up to do. I know their 278 00:17:44.050 --> 00:17:48.040 CEO Gil Shwed was saying on Monday that they did consider an 279 00:17:48.040 --> 00:17:50.800 acquisition as well. And they looked pretty seriously at one 280 00:17:50.800 --> 00:17:54.220 company, but ultimately decided that the technology just wasn't 281 00:17:54.220 --> 00:17:57.400 good enough. And I know that's often been a critique of 282 00:17:57.640 --> 00:18:00.850 companies that lean into buy-heavy strategies in terms of 283 00:18:00.880 --> 00:18:05.860 user experience, integration, the ability for different pieces 284 00:18:05.860 --> 00:18:08.110 of technology to talk to one another, that if you're just 285 00:18:08.110 --> 00:18:11.020 buying a bunch of different technology and smashing it all 286 00:18:11.020 --> 00:18:13.990 together, that it detracts from the user experience. I know 287 00:18:13.990 --> 00:18:16.360 that's been a knock on Palo Alto Networks, given how many 288 00:18:16.360 --> 00:18:18.790 acquisitions they've done, that's also been something 289 00:18:18.790 --> 00:18:21.490 that's been discussed around Cisco, given how many 290 00:18:21.490 --> 00:18:24.370 acquisitions they've made actually. Jeetu Patel, the head 291 00:18:24.370 --> 00:18:27.340 of their security practice, was in our studios, talking about some 292 00:18:27.340 --> 00:18:29.710 of the actions they're taking to really create a more seamless 293 00:18:29.710 --> 00:18:33.430 experience across everything they bought.
So it's consistent. 294 00:18:33.820 --> 00:18:36.400 So the context of Check Point, then they decided that they 295 00:18:36.400 --> 00:18:40.000 wanted to build into SD-WAN and they really wanted to have a 296 00:18:40.000 --> 00:18:43.990 tight connection between SD-WAN and their firewalls. It's 297 00:18:43.990 --> 00:18:47.920 essentially just a blade that operates off of their firewalls, 298 00:18:48.070 --> 00:18:51.460 as well as to make sure that it's able to interact with 299 00:18:51.460 --> 00:18:55.420 networking code, and that it's able to leverage some of the 300 00:18:55.480 --> 00:18:58.420 research and the analysis that Check Point does in terms of 301 00:18:58.420 --> 00:19:01.900 looking out for threats. So they are entering the market. It 302 00:19:01.900 --> 00:19:06.370 will be, I think, an obvious opportunity would be for 303 00:19:06.550 --> 00:19:08.860 customers who are already Check Point shops, they use the 304 00:19:08.860 --> 00:19:12.460 firewalls and maybe they use email security or some of their 305 00:19:12.460 --> 00:19:15.610 cloud security products. And then they want to consolidate, 306 00:19:15.610 --> 00:19:18.070 they don't want to have one vendor for SD-WAN and one vendor 307 00:19:18.070 --> 00:19:20.950 for firewalls. So there's maybe some consolidation 308 00:19:20.950 --> 00:19:24.160 opportunities. At this point, it's hard to imagine that 309 00:19:24.160 --> 00:19:27.280 they're going to be leading with SD-WAN, since it's just a brand 310 00:19:27.280 --> 00:19:31.360 new business. I think a final point I'll make is just if you 311 00:19:31.360 --> 00:19:34.030 do take a step back, I think what you're looking at 312 00:19:34.030 --> 00:19:36.400 obviously, there's been so much dialogue in the industry around 313 00:19:36.400 --> 00:19:40.570 SASE or secure access service edge, at this point Gartner has 314 00:19:40.570 --> 00:19:43.840 put out a Magic Quadrant for SD-WAN for a number of years.
315 00:19:43.840 --> 00:19:46.780 They put up their first ever Magic Quadrant for security 316 00:19:46.780 --> 00:19:52.060 service edge that cause DLP and swing side. They put their first 317 00:19:52.240 --> 00:19:55.360 MQ out last year. The expectation is that this year 318 00:19:55.360 --> 00:19:57.880 they're going to put out their first ever Magic Quadrant for 319 00:19:57.880 --> 00:20:01.270 SASE as a whole. So that's putting a lot of pressure on 320 00:20:01.270 --> 00:20:06.070 vendors. Because Gartner has been very clear that they expect, 321 00:20:06.130 --> 00:20:09.250 if folks are serious about SASE, they expect them to be able to 322 00:20:09.250 --> 00:20:12.970 deliver both SD-WAN and SSE organically, that integrations, 323 00:20:12.970 --> 00:20:16.720 partnerships are not good enough, if folks want to be 324 00:20:16.720 --> 00:20:20.710 recognized by Gartner. So if you go back to 2022, you saw 325 00:20:20.710 --> 00:20:24.730 Netskope acquire WootCloud. Netskope really did the SSE 326 00:20:24.730 --> 00:20:27.070 piece, and they bought their way into SD-WAN. So they could offer 327 00:20:27.070 --> 00:20:31.630 single-vendor SASE. And then similarly, this product launch 328 00:20:31.630 --> 00:20:36.880 from Check Point means that they can have a single-vendor SASE 329 00:20:36.880 --> 00:20:39.490 and can be considered by analyst firms like Gartner or 330 00:20:39.490 --> 00:20:43.750 customers who really want that single-vendor SASE solution 331 00:20:43.750 --> 00:20:44.500 going forward. 332 00:20:45.790 --> 00:20:47.440 Anna Delaney: Michael, why do you think it took so long for 333 00:20:47.440 --> 00:20:49.600 Check Point to enter the space? 334 00:20:49.000 --> 00:20:51.369 Michael Novinson: It's a good question.
Strategically they are 335 00:20:51.423 --> 00:20:54.655 an interesting company, in that they kind of fall somewhere 336 00:20:54.709 --> 00:20:57.940 between Cisco and Palo Alto Networks, or rather Fortinet and 337 00:20:57.994 --> 00:21:01.225 Palo Alto Networks, and I'll call them out since they're the 338 00:21:01.279 --> 00:21:04.619 pure play security companies; all three of them started off as 339 00:21:04.672 --> 00:21:07.688 firewall companies. And then they had to decide how they 340 00:21:07.742 --> 00:21:11.189 wanted to evolve their business. So you have on one extreme, you 341 00:21:10.330 --> 00:23:48.190 Yeah, well, let's see how they fare with this move. Thank you 342 00:21:11.243 --> 00:21:14.421 have Palo Alto Networks, which under Nikesh Arora over the 343 00:21:14.475 --> 00:21:17.491 past four years has made a ton of acquisitions and said, 344 00:21:17.545 --> 00:21:20.453 essentially, they realized that network firewalls, the 345 00:21:20.507 --> 00:21:23.738 traditional network perimeter, wasn't necessarily the fastest 346 00:21:23.792 --> 00:21:27.185 growing area, and they wanted to expand their platform. So they 347 00:21:27.239 --> 00:21:29.986 bought aggressively into cloud security. They bought 348 00:21:30.040 --> 00:21:33.056 aggressively into security operations, they bought some in 349 00:21:33.110 --> 00:21:36.395 the endpoint security market. And they really wanted firewall 350 00:21:36.449 --> 00:21:39.519 to be a piece in a broader security platform so that they 351 00:21:39.573 --> 00:21:42.535 could really sell this consolidation story. And as part 352 00:21:42.589 --> 00:21:46.036 of that they did buy CloudGenix. So they can combine the firewall 353 00:21:46.090 --> 00:21:49.106 and the SD-WAN. And when Palo Alto Networks moves into a 354 00:21:49.160 --> 00:21:52.445 space, they're very clear that they want to be ...
they don't 355 00:21:52.499 --> 00:21:55.784 feel they can be top two, or top three in a market, that they 356 00:21:55.838 --> 00:21:59.123 don't move in. Fortinet's very different, that they've really 357 00:21:59.177 --> 00:22:02.463 stayed much more narrow. They have used their own chip for 20 358 00:22:02.517 --> 00:22:05.533 years now. And they realized that that would give them a 359 00:22:05.586 --> 00:22:08.872 compute advantage if they were to move in SD-Wan. And so they 360 00:22:08.926 --> 00:22:11.565 made that move, really in 2016-2017 timeframe. It 361 00:22:11.619 --> 00:22:14.581 surprised a lot of people because at that point, SD-Wan 362 00:22:14.635 --> 00:22:17.543 was really thought of as networking technology that it 363 00:22:17.597 --> 00:22:20.559 was going to be the Ciscos, potentially the VMwares the 364 00:22:20.613 --> 00:22:23.414 world that we're going to dominate and the idea of a 365 00:22:23.468 --> 00:22:26.914 security company during SD-Wan, was a little foreign. But I mean 366 00:22:26.968 --> 00:22:30.254 Fortinet's after number two in the market share right now, so 367 00:22:30.308 --> 00:22:33.485 clearly their division there. And they've moved off into OT 368 00:22:33.539 --> 00:22:36.178 security and critical infrastructure. But they've 369 00:22:36.232 --> 00:22:39.464 really tried to stick to the on-premises world. They've made 370 00:22:39.517 --> 00:22:42.803 it clear, they're not looking to move into cloud, they're not 371 00:22:42.857 --> 00:22:46.088 looking to be all things to all people. Checkpoint's kind of 372 00:22:46.142 --> 00:22:49.427 somewhere between the two. So they've done some acquisitions, 373 00:22:49.481 --> 00:22:52.874 they bought some cloud things, not as much as Palo. They bought 374 00:22:52.928 --> 00:22:55.944 into email security, they launched an MDR platform. They 375 00:22:55.998 --> 00:22:59.230 now are doing SD-Wan. 
So they've kind of dabbled in a lot of 376 00:22:59.284 --> 00:23:02.677 different areas, but not in kind of the way that like Palo Alto 377 00:23:02.730 --> 00:23:05.854 Networks went all in and spent tons of money to buy market 378 00:23:05.908 --> 00:23:09.032 leader. So they kind of have dabbled in a lot of different 379 00:23:09.086 --> 00:23:12.102 markets. So yeah, I think in terms of SD-Wan things were 380 00:23:12.156 --> 00:23:15.441 expensive, the market was good. There were a lot of companies 381 00:23:15.495 --> 00:23:18.296 being scooped up for acquisitions, maybe they missed 382 00:23:18.349 --> 00:23:21.150 the window to acquire kind of some of the top SD-Wan 383 00:23:21.204 --> 00:23:24.489 companies. And when they looked around, they didn't feel like 384 00:23:24.543 --> 00:23:27.936 what was there was up to par. So it's a late entry. But I mean, 385 00:23:27.990 --> 00:23:31.114 they just last year announced they were going to enter the 386 00:23:31.168 --> 00:23:34.561 managed detection and response space. And I mean, you certainly 387 00:23:34.615 --> 00:23:37.846 can say, starting MDR in 2022 is pretty late too. So it's an 388 00:23:37.900 --> 00:23:41.078 interesting strategy, and it will be interesting to see how 389 00:23:41.132 --> 00:23:44.363 much traction they can gain, given how crowded SD-Wan market 390 00:23:44.417 --> 00:23:45.010 already is. 391 00:23:48.190 --> 00:23:48.970 very much, Michael. 392 00:23:49.510 --> 00:23:50.260 You're very welcome. 393 00:23:50.620 --> 00:23:53.230 Anna Delaney: And finally, just a bit of fun. Your next 394 00:23:53.230 --> 00:23:57.040 Hollywood blockbuster award winning movie is all about - 395 00:23:57.430 --> 00:24:00.070 wait for it - cybersecurity. What would you call it? 396 00:24:03.070 --> 00:24:05.710 Michael Novinson: I'll go first. 
I'll take inspiration from 397 00:24:05.830 --> 00:24:09.310 Roland Emmerich, thinking of the mid-2000s, maybe "The Day After 398 00:24:09.310 --> 00:24:12.760 Tomorrow." I go for The One After SolarWinds. That was 399 00:24:12.760 --> 00:24:16.180 really a seismic event in the industry. We all assumed code 400 00:24:16.180 --> 00:24:18.910 was secure by default that we didn't have to worry about 401 00:24:18.910 --> 00:24:21.670 things in the production environments. That was the 402 00:24:21.700 --> 00:24:25.000 pre-SolarWinds thinking, and the day after SolarWinds, it's a 403 00:24:25.000 --> 00:24:27.880 whole new world. And we see people having to think about 404 00:24:27.880 --> 00:24:30.640 things from a security perspective that, at least to a 405 00:24:30.640 --> 00:24:32.410 layman, they weren't ever considering before. 406 00:24:33.580 --> 00:24:35.080 Anna Delaney: I like that. That's very good. 407 00:24:35.620 --> 00:24:37.810 Mathew Schwartz: Wow, that's got some thought behind it and 408 00:24:37.840 --> 00:24:41.020 nuanced. Well, it's so different from what I came up with, which 409 00:24:41.020 --> 00:24:44.890 is just Cyber Wars. I mean, I grew up with Star Wars and so 410 00:24:44.890 --> 00:24:48.880 any ability to emulate that, I mean, Cyber Wars, right? It can 411 00:24:48.880 --> 00:24:54.100 be really overdone and something really schlocky that has 412 00:24:54.100 --> 00:24:57.790 absolutely no bearing to reality. Or you can also use it 413 00:24:57.790 --> 00:25:01.120 for something a bit more nuanced. You know your news 414 00:25:01.120 --> 00:25:03.910 magazine, deep dive sort of thing looking at the rise of 415 00:25:03.940 --> 00:25:07.180 nation-state attacks and what not. I've watched both 416 00:25:07.180 --> 00:25:10.780 personally, so I'll just leave it at that. And we'll see what 417 00:25:10.780 --> 00:25:11.320 comes out. 
418 00:25:11.890 --> 00:25:14.080 Anna Delaney: It works for the ISMG Editors' Panel, that's for 419 00:25:14.080 --> 00:25:14.380 sure. 420 00:25:16.660 --> 00:25:18.760 Marianne McGee: Mine's very similar to what Matt just said. 421 00:25:18.760 --> 00:25:22.810 I was going to say War Games II, sort of building on the 1983 422 00:25:22.840 --> 00:25:27.040 movie with Matthew Broderick, who is just like a young child, 423 00:25:27.700 --> 00:25:31.180 hacking into military systems or something like that. 424 00:25:31.180 --> 00:25:31.750 Mathew Schwartz: NORAD. 425 00:25:32.590 --> 00:25:35.620 Marianne McGee: NORAD, right. Lot of possibilities there, I 426 00:25:35.620 --> 00:25:37.300 think, that are kind of scary. 427 00:25:37.780 --> 00:25:40.180 Anna Delaney: Yeah, we definitely do a part two, also 428 00:25:40.210 --> 00:25:41.110 maybe a remake. 429 00:25:42.220 --> 00:25:44.500 Mathew Schwartz: Matthew Broderick, yeah, he's older 430 00:25:44.500 --> 00:25:46.660 maybe no wiser. I don't know. 431 00:25:48.040 --> 00:25:50.350 Anna Delaney: I was thinking Denial of Service. 432 00:25:50.470 --> 00:25:52.000 Mathew Schwartz: Oh, that's horrible. 433 00:25:52.830 --> 00:25:56.741 Anna Delaney: You know that definitely embodies the drama of 434 00:25:56.826 --> 00:26:01.929 an Oscar. First I thought Wizard of Oz. You get that mystery 435 00:26:02.014 --> 00:26:03.630 behind the curtain. 436 00:26:03.000 --> 00:26:07.470 Mathew Schwartz: And the sequel, Anna, Blue Screen of Death. 437 00:26:07.830 --> 00:26:11.430 Anna Delaney: Oh, there you go. Wow! Like all this creativity, 438 00:26:11.460 --> 00:26:14.970 juicy creativity. Love it. Well, thank you very much, Marianne, 439 00:26:14.970 --> 00:26:21.000 Matt, Michael, always a pleasure. Thank you so much for 440 00:26:21.000 --> 00:26:22.380 watching. Until next time.