一些頂級安全專家表示,SolarWinds黑客和COVID-19大流行加速了網絡安全支出。
Not only must chief information security officers secure an increasingly distributed workforce, but they now must also be wary of software code coming from reputable vendors, including the very patches designed to protect them against cyberattacks. Organizations are increasingly prioritizing zero-trust approaches, including simplified identity access management, better endpoint protection and cloud security. And while leading solutions in these sectors are gaining momentum, traditional legacy offerings are being managed down from a spending perspecti當前,首席信息安全官不僅要確保越來越分散的員工隊伍的安全,他們還必須提防一些來自信譽良好的供應商的軟件代碼,包括一些本來是用來保護他們免受網絡攻擊的補丁代碼。企業現在更加優先考慮各種零信任(Zero-trust)方法,包括簡化身份訪問管理、更好的端點保護和云安全等方法。這些領域的領先解決方案的發展勢頭不錯,而從支出的角度來看,傳統的老舊產品則日漸式微。
In this Breaking Analysis, we’ll summarize CISO sentiments from a recent Enterprise Technology Research VENN session and provide our quarterly update of the cybersecurity market. In an upcoming episode we’ll be inviting Erik Bradley of ETR to provide deeper analysis on these trends. Here we’ll give you a first look and initial reading of what’s happening in the information security sector as we kick off 2021.
我們將在本文里總結一下最近的企業技術研究VENN會議上CISO(首席信息安全官的英文縮寫)的觀點,同時也將提供我們對網絡安全市場的季度更新。我們還將為讀者初步解讀一下2021年頭兩月信息安全領域的態勢。
### SolarWinds attack: ‘Like nothing we’ve ever seen’
SolarWinds攻擊:“我們從未見過這樣的情況”
It’s been covered in the press but in case you don’t know the details, SolarWinds is a company that provides software to monitor many aspects of on-premises infrastructure, including network performance, log files, configuration data, storage, servers and the like. Like all software companies, SolarWinds sends out regular updates and patches. Hackers were able to infiltrate the update and “trojanize” the software — meaning when customers installed the updates, the malware just went along for the ride.
媒體報道過SolarWinds攻擊,但假若讀者并不知道細節的話,SolarWinds公司提供的軟件用于監控企業內部基礎架構許多方面的運行,包括網絡性能、日志文件、配置數據、存儲、服務器等等。SolarWinds和所有其他軟件公司一樣也會定期發布更新和補丁。而黑客則成功滲透了SolarWinds的更新并植入“木馬”,這意味著客戶在安裝更新時,植入的惡意軟件就搭上了順風車。
The reason this is so insidious is that often hackers will target installations that haven’t installed patches or updates and identify vulnerabilities in the infrastructure that exist as a result. In this case, the very code designed to protect organizations actually facilitated a breach. According to experts, this was quite a sophisticated attack with multiple variants that most believe was perpetrated by the Russian hacker group Cozy Bear, an advanced persistent threat or APT as classified by the U.S. government.
這種情況下的中招很隱蔽,原因是黑客往往會瞄著那些沒有安裝補丁或更新的系統,然后找到存在的基礎架構漏洞。在這種情況下,用作保護組織的代碼實際上還促進了漏洞的發生。據專家介紹,這次的SolarWinds攻擊屬于高級攻擊,而且有多個變種,大多數人認為是出自俄羅斯黑客組織Cozy Bear的手筆。Cozy Bear被美國政府歸類為高級持久性威脅,或APT。
It is suspected that somehow they phished their way into a GitHub repo and stole username and password access to allow them to penetrate the supply chain of software that is delivered over the Internet. But public information on this attack is still spotty. What is known is that the attackers had been lurking since March of last year and had nine months to exfiltrate troves of data from the U.S. government and numerous other companies, including Microsoft Corp. and Cisco Systems Inc.
據推測,Cozy Bear是以某種釣魚方式進入一個GitHub庫并竊取了用戶名和密碼訪問權限,進而滲透到經互聯網交付的軟件供應鏈里。但關于這次攻擊的公開信息還是很零散。已經知道的信息是攻擊者去年3月就潛伏下來,在9個月的時間從美國政府和眾多其他公司(包括微軟公司和思科系統公司)那竊取了大量數據。
### What CISOs say about the attack
CISO們對SolarWinds攻擊的看法
Last year, right after the attack, friend of theCUBE Val Bercovici of Chainkit said to us on Twitter that he thinks the government hack will have permanent implications on how organizations approach cybersecurity. CISOs seem to agree. Here are some verbatim comments from the CISO roundtable moderated by ETR in late January:
去年我們的CUBE朋友 Val Bercovici of Chainkit在攻擊發生后發給我們的推特消息表示,他認為政府被黑將對以后組織如何對待網絡安全產生永久性影響。CISO們似乎都同意這個觀點。以下是1月底由ETR主持的CISO圓桌會議上的一些評論原文。
> The impact of the breach is profound. It really turned on its head a lot of conventions about cybersecurity.… I don’t think the threat has been exaggerated in the media.
- 這次泄露的影響是深遠的,真的顛覆了很多關于網絡安全的慣例,我不認為媒體夸大了威脅。
- > We’re now in a situation where we have to monitor the monitors.我們現在所處的情況是,我們必須監控那些監控機構。
- > This attack didn’t have any signatures of a previous attack… so you got down to the code level.這次攻擊不具有任何過去攻擊的特征……所以是到了代碼層面。
- > 80-90% of that code is being downloaded from the internet…. It’s bringing DevOps security processes and making us rethink how to reinvent security.那些代碼的 80-90%都是從網上下載的……。事關DevOps安全流程,我們得重新思考如何重塑安全。
### What can be done?
可以做什么?
That’s the question every CISO is wrestling with right now. Security pros will tell you they’re rethinking their practices, tools and approaches, but there’s no one answer.
這是每個CISO現在都在糾結的問題。安全專家會告訴你,他們正在重新考量自己的實踐、工具和方法,但沒有答案。
Below is a tag cloud summarizing some of what we hear in theCUBE community and in the VENN roundtable from security practitioners:
下圖是個標簽云,總結了我們在CUBE社區和VENN圓桌會議上從安全從業者那里聽到的一些情況。
You hear CISOs talk a lot about zero trust and many are leaning into identity access management and PAM, privileged access management. We’re hearing mandates around two factor authentication. We’ve written extensively about identity and firms such as Okta Inc., Sailpoint Technologies Inc. and CyberArk Software Inc. And Microsoft is coming up more and more in this conversation, especially as Okta is seen as setting a price umbrella – there’s definitely some frustration there among CISOs. Auth0, which does authentication as a service, is hitting our radar as well.
可以聽到CISO們經常談論零信任機制,許多人都在傾向于用身份訪問管理和特權訪問管理,即PAM。我們也聽到關于必須用雙因素認證的說法。我們過去寫過大量關于身份和公司的文章,如Okta公司、Sailpoint技術公司和CyberArk軟件公司。微軟在這場對話里出現得越來越多了,尤其是業界認為Okta設置了一個價格保護傘,CISO們肯定會有一些沮喪。Auth0是個做身份驗證即服務的公司,Auth0也出現在我們的雷達上。
Endpoint security, of course, gets attention as the work-from-home trend has become much more important. You can see it in the growth of CrowdStrike Holdings Inc. and as you’ll see in a moment we’re seeing some traction with VMware Inc. and Carbon Black in the ETR survey data as well as momentum with Tanium Inc.
當然,端點安全受到關注,在家工作的趨勢已經變得更加重要。從CrowdStrike Holdings Inc.的增長中可以看到這一點,過一會兒就可以看到,從ETR調查數據中可以看到VMware和Carbon Black以及Tanium的發展勢頭。
CISOs aren’t going to just rip out what they have so Cisco, especially with Umbrella and Duo, come up in the conversation. As does Palo Alto Networks Inc. We’ve said many times that they’re seen as a thought leader and CISOs like Palo Alto as well as Fortinet Inc. Fortinet buyers tend to be more cost conscious and often midmarket customers.
CISO們不會隨便摘掉自己的東西,所以思科(尤其是Umbrella和Duo)出現在談話中。還有Palo Alto Networks公司。我們說過很多次,他們被視為思想領袖,CISO們喜歡Palo Alto以及Fortinet公司。Fortinet買家往往更注重成本,他們往往是一些中等市場客戶。
And so it goes with analytics and micro segmentation and cloud security with Zscaler Inc. and even robotics process automation to automate certain tasks; UiPath Inc. has come up in the conversation more and more in a security context.
分析和微觀細分市場方面、云安全方面的Zscaler公司也是這樣,甚至實現某些任務自動化的機器人流程自動化公司。UiPath公司 出現在談話中,還有更多的公司也是在安全場景下出現。
So you look at this tag cloud above and there’s no one answer – as is the case with cyber – lots of tools, lots of disciplines and a very capable adversary who has learned to, as the saying goes, “live off the land,” using your own infrastructure and tooling against you.
因此,看了上面的這個標簽云后,沒有答案,網絡這一塊也一樣,很多工具,很多學科,還有一個非常有力的對手,已經學會了俗話說的"靠天吃飯",學會了用自己的基礎架構和工具來對付你。
### Security budgets are not limitless
安全預算并非無限
The common narrative is that security is a top priority with CIOs and CISOs and budgets will be up. Boards of directors are aware and willing to spend. So let’s look at that.
比較一致的說法是,安全是CIO和CISO的重中之重,預算會增加。董事會意識到了重要性也愿意花費。那我們就來看看這一點。
The fact is this is only somewhat true. The chart above shows Net Scores or spending momentum for various sectors across the ETR taxonomy and we’ve highlighted the Information Security segment. Yes, it’s up relative to the October survey, but it doesn’t stand out.
事實是,只是在某種程度上是這樣。上圖顯示了整個ETR分類里各行業的凈得分或支出的趨勢,我們高亮了信息安全板塊。是的,相對于10月份的調查,安全板塊的支出是上升了,但并不突出。
Everything’s up, as we’ve reported, coming off a down year in tech spending – minus 4% – and we’re forecasting a plus 6% to 7% increase this year depending on the pace of the recovery. But the point is cyber is one of many budget items and organizations aren’t simply writing a blank check to the CISO.
一切都在上升,就像我們所報道過的,前一年的科技支出下降,是負4%,我們預測今年會有正6%到7%的增長,取決于復蘇的速度。但問題是,網絡是眾多預算項目里的一項,組織并不是簡單地給CISO一張空白支票。
### Firms are heavily invested in security already
一眾公司已經在安全方面做了大量投資。
The graphic above shows several sectors in context and we’ve highlighted security in the red box. The vertical axis shows Net Score or spending velocity and the horizontal axis is Market Share or presence in the data set. And you can see that security has a big presence – it’s pervasive, of course.
上圖顯示了幾個行業的場景,我們用紅框標出了安全。縱軸顯示的是凈得分或支出速度,橫軸是市場份額或在數據集中的位置。可以看到,安全的位置很靠右,當然,安全無處不在。
But it lags some of the top sectors in terms of spending velocity because organizations have lots of priorities. And of course as you’ll see below, like most mature markets, security has some companies with off the charts spending patterns and others that lag.
但安全在支出速度上卻落后一些頂級行業,因為組織有很多的優先事項。當然,正如在下面將要看到的那樣,安全領域也和大多數成熟市場一樣,有些公司在這方面的支出爆棚,也有一些公司的支出模式落在后面。
#### Vendors in identity, endpoint and cloud have spending momentum
身份識別、端點和云計算領域廠商具消費動力
Below you see that same XY graphic and we’ve plotted a number of selected security players:
下圖是同樣的XY坐標圖,列出了一些選定的安全玩家的數據。
Several points stand out from the above data:
從上圖可以看出幾點。
* First **Microsoft** , as usual, is off the charts to the right and amazingly, has an elevated Net Score of 48%.
- 首先,微軟一如既往,遠遠地拋開其他商家處于圖右邊,令人驚奇的是,凈得分也提升了48%。
* **Okta** continues to lead this pack as it has in the last several surveys with a Net Score of 61.5%, up from last quarter’s survey.
- Okta在過去幾次調查里一直處于領先地位,凈得分為61.5%,比上一季度的調查凈得分高。
* Okta, **Crowdstrike** , **CyberArk** , **Fortinet** , **Proofpoint** and **Splunk** , all up nicely from last quarter’s survey.
- Okta、Crowdstrike、CyberArk、Fortinet、Proofpoint和Splunk均比上一季度調查的凈得分有很好的增長。
* Also we want to highlight **Carbon Black**. The company’s Net Score last quarter was 23.9% with 134 mentions and this quarter its Net Score shot up to nearly 38% — a meaningful and noticeable move for VMware’s $2.1 billion acquisition that it made in the summer of 2019.
- 我們還要特別提一下 Carbon Black。該公司上個季度的凈得分為23.9%,被提及134次,本季度的凈得分飆升至近38%。VMware在2019年夏天花21億美元收購Carbon Black,這樣明顯的增長也是不負這次的收購。
So we see a number of companies with momentum, which stems from a rebound in tech spending generally but also the shift in security spend that we’ve highlighted. And you can see a couple of legacy security firms losing spending momentum – FireEye Inc. and RSA in particular, but there are many others in the ETR data set that are in the red zone.
我們看到了一些公司的好勢頭,一方面是源于科技支出的普遍反彈,但也源于我們強調提出的安全支出的轉變。我們也可以看到有幾家傳統安全公司失去了支出動力,尤其是FireEye公司和RSA公司,但在ETR數據集中還有許多其他公司也處于紅色區域。
### Microsoft, Palo Alto Networks, Okta and CrowdStrike: notable momentum and market presence
微軟、Palo Alto Networks、Okta和CrowdStrike:顯著的好勢頭和市場位置。
Let’s dig deeper into the data and the vendor performance.
下面我們來深入了解一下數據和廠商的表現。
Below is a view of the data we first showed you in 2019. The tables depict the Net Score (spending velocity) and the Shared N which identifies the number of mentions within the sector and is an indicator of presence in the market. The leftmost chart is sorted by Net Score and the right hand chart is sorted by Shared N. To make the cut and get into this chart, we required a vendor to have had at least an N of 50 mentions in the sector within the survey.
下表是我們在2019年首次展示的數據視圖。這張表顯示了凈得分(支出速度)和分享N指標,分享N指標表示在業界被提及的次數,是個市場存在指標。左邊的表是按凈得分排序,右邊的表按分享N指標排序,入選被考慮之列并出現在圖表里的供應商在調查時間范圍內至少在業內被提及50次。
You can see on the leftmost chart that Okta (61.5%) and Sailpoint (59.5%) lead in Net Score and Microsoft has the largest presence in the sector (518 Shared N) along with Cisco (305) and Palo Alto (278).
可以從左邊的表看到,Okta(61.5%)和Sailpoint(59.5%)在凈得分上領先,微軟在業界的存在指標數最大(518共享N),思科(305)和Palo Alto(278)排第二、第三。
#### Four-star and two-star companies
四星級公司和兩星級公司
Something we started two years ago was if a vendor shows up in the top 10 for both Net Score and Shared N, we anoint them with four stars. So **Microsoft** , **Palo Alto** , **Okta** and **CrowdStrike** are the four cybersecurity vendors that fall into the four-star group.
我們在兩年前開始用星級評等方法,如果一家廠商的凈得分和分享N指標都出現在前十名,我們就會給四顆星。所以微軟、Palo Alto、Okta和CrowdStrike四家都是四星級網絡安全廠商。
And we give two stars to those companies that make the top 20 in both categories. So **Cisco** because of Umbrella and Duo, **Splunk** , **Proofpoint** , **Fortinet** , **Zscaler** , **CyberArk** and **Carbon Black** (now owned by VMware). Carbon Black is new to the two-star list thanks to its rapid rise in Net Score.
而那些在這兩個類別中進入前20名的公司則獲得兩顆星。Cisco(由于Umbrella和Duo的關系)、Splunk、Proofpoint、Fortinet、Zscaler、CyberArk和Carbon Black(現屬VMware)都是兩星級網絡安全廠商。Carbon Black由于凈積分的快速上升成為兩星榜單新廠商。
#### A quick aside on Carbon Black
關于Carbon Black的一個小插曲
At VMworld 2019, Pat Gelsinger told theCUBE that he felt like he got a great deal picking up Carbon Black for $2.1 billion.
在2019年的VMworld活動上,Pat Gelsinger告訴theCUBE,他覺得花21億美元的價格拿下Carbon Black是一筆好的大買賣。
His logic was in part based on the valuation of CrowdStrike, a Carbon Black competitor. At the time CrowdStrike, as you can see on the chart below, had a valuation that was nine times higher than that of Carbon Black. And you can see from the trailing-12-month revenue that CrowdStrike was a bigger company by more than $100 million, but the real story was the company’s growth at more than 100%. CrowdStrike at the time was growing much faster than Carbon Black’s 22%, justifying a significantly higher relative value.
他這樣說的邏輯一部分是基于Carbon Black競爭對手CrowdStrike的估值。CrowdStrike當時的估值(如下圖)是Carbon Black的9倍。而且可以從尾部12個月的營收里看到,CrowdStrike是一家規模更大的公司,營收比Carbon Black高一億多美元,但故事的核心是CrowdStrike的增長達100%。CrowdStrike當時的增長速度遠高于Carbon Black的22%,證明其相對價值明顯更高。
Of course, the thinking from VMware was that it could pick up Carbon Black at a discount to the market leader and inject growth and profitability into the asset by bundling into VMware’s increasingly capable security offerings. VMware created a cloud security group headed by Carbon Black Chief Executive Patrick Morley, which underscores a commitment to the sector.
當然,VMware的想法是可以以低于市場領導者的價格折價收購Carbon Black,然后通過將其捆綁到VMware日益強大的安全產品上為該資產注入增長和盈利能力。VMware創建了一個由Carbon Black首席執行官Patrick Morley領導的云安全集團,凸顯了在該領域的承諾。
Now in VMware’s recent earnings call, it said Carbon Black had “good” bookings performance. Who knows exactly what that means, but if it were significantly more than 22% (Carbon Black’s growth rate at acquisition time), our guess is that VMware would have been more effusive. So let’s assume that since the acquisition Carbon Black growth has been flattish relative to its growth at acquisition as VMware figures out how to integrate the company.
VMware在最近的財報電話會議上表示,Carbon Black的預訂表現 "良好"。誰都不知道這到底是什么意思,但如果增長率明顯超過22%(收購時Carbon Black的增長率是22%),我們猜VMware的溢美之詞可能會更夸張一些。我們不妨假設自收購后,Carbon Black的增長相對于收購時的增長更趨向于平緩,VMware在這一段時間不是在想辦法整合這個公司嘛。
Nonetheless, we would still peg its valuation as having increased substantially since the time of acquisition – perhaps in the $3 billion-to-$5 billion range. So it’s a nice pickup for VMware in our view, which has a good track record of acquiring companies and monetizing the assets. And we think the value of Carbon Black inside of VMware will likely grow from here. Further, the ETR data on Carbon Black is encouraging.
盡管如此,我們仍會認為Carbon Black的估值自收購時起已大幅上升了,或許在30億至50億美元之間。所以在我們看來,對VMware而言是宗不錯的收購,VMware在收購公司及將資產貨幣化方面有良好的記錄。而且我們認為,置于VMware內部的Carbon Black的價值可能會從這里開始增長。此外,Carbon Black的ETR數據也令人鼓舞。
### Cybersecurity valuations continue to skyrocket for the leaders
領軍企業的網絡安全估值持續飆升
Let’s look at how the valuations in this sector have changed since before COVID.
我們來看看自新冠以來這個行業的估值是如何變化的。
Above is an updated view of our valuation matrix since just before the pandemic hit the U.S. in earnest. You can see the S&P is up 16% from that timeframe and the Nasdaq composite up 43%. Now look at the others. Only Splunk really hasn’t seen a big uptick in valuation. And Proofpoint’s valuation hasn’t kept pace. But the others have either risen noticeably, such as CyberArk and SailPoint, bounced up such as Palo Alto, held nicely such as Fortinet or exploded as with Crowdstrike, Okta and Zscaler.
上表是我們的估值矩陣最新視圖,時間段為自美國爆發新冠大流行病前夕以來。可以看到,標準普爾指數比那個時間段上漲了16%,納斯達克綜合指數上漲了43%。現在來看看其他的股票。只有Splunk的估值真的沒有大的提升。Proofpoint的估值也沒有跟上。但其他公司要么漲幅明顯,如CyberArk和SailPoint,要么反彈上漲,如Palo Alto,要么保持良好,如Fortinet,要么大爆發,如Crowdstrike、Okta和Zscaler。
So one would think Carbon Black as a VMware asset has done pretty well along with these names and will make long-term contributions to VMware.
那大家會大致會覺得VMware的資產Carbon Black也會和這些公司一樣做得很好吧,會對VMware做出長期的貢獻。
In addition, we would expect that the tech spending rebound this year combined with the heightened concerns over the SolarWinds hack and the tectonic shifts from the accelerated work-from-home and digital business transformation will continue to bode well for many of these names… for some time.
此外,我們預計,由于今年科技支出的回升,加上對SolarWinds黑客事件的高度關注以及從在家工作和數字化業務轉型構造性轉變的加速,這些公司將持續向好......在一段時間內。
### Factors to watch in cyber
網絡方面的關注因素
As we exit the pandemic and are experiencing a new digital reality, cyberthreats have never been greater. Each January if you looked back on the prior year you’d be able to say the same thing for the past several decades. And the reality is that the budget allocations and subsequent spending on cyber are asymmetric to the economic risks. In other words, the $125 billion or so spent on cybersecurity doesn’t square with the trillions of dollars in value lost each year to cybercrime. We don’t spend enough as it is and probably can’t spend our way out of this problem.
我們退出大流行,同時也在經歷一個新的數字現實,這時的網絡威脅空前嚴重。每年的一月,如果回顧上一年的情況,我們就會說出和過去幾十年同樣的話。而現實情況是,網絡預算分配和后續支出與經濟風險是不對稱的。換句話說,1250億左右的美元花在網絡安全上,每年因網絡犯罪而損失達數萬億美元的價值,二者并不對等。我們現在花的錢還不夠多,但可能也無法靠花錢解決這個問題。
CISOs have to balance their legacy installed base security infrastructure with the shift to zero-trust, accelerated endpoint, new access management challenges and an ever-expanding cloud. And much more. Very few have the benefit of a blank sheet of paper.
CISO們必須平衡在自己的傳統安裝基礎安全基礎架構以及向零信任的轉變、加速端點、新的訪問管理挑戰和不斷擴展的云之間取得平衡。還有做更多的事情。很少有人能夠像一張白紙一樣沒有過去的包袱。
Lack of talent remains the single biggest challenge for organizations, which are stretched thin — making investments in automation a trend that is not going to abate any time soon.
人才的缺乏仍然是企業面臨的最大挑戰,企業已經捉襟見肘了,因此在自動化上的投資就成為一種趨勢,這種趨勢是不會在一段時間內減弱的。
In cyber, all the cliches apply: There is no silver bullet. There is no rest for the weary. The adversaries are well-funded and extremely capable and they have to succeed only once to create a business disaster for an organization, whereas an organization must succeed every minute of every day. So expect more of the same with no end in sight in terms of complexity, fragmentation and Whac-A-Mole approaches to fighting cyber crime.
在網絡方面,各種陳詞濫調仍然有效:不存在靈丹妙藥。無暇喘息,仍要疲于奔命。對手的資金充足,能力也極強,他們只需成功一次,就能給一個組織帶來商業災難,而一個組織每時每刻都必須成功。因此,準備好應付更多相同情況的出現,打擊網絡犯罪時的復雜性、分散性和“打地鼠”(Whac-A-Mole)法等等都是沒有盡頭可言的。
It hurts to say this, but it just means the fundamentals for this sector just keep getting better. That’s bad news, but it’s the reality for organizations trying to protect their data — and it’s good news with lots of opportunities for investors.
這樣說很痛苦,但這樣說只是意味著這個行業的基本面正在不斷改善。而對于試圖保護自己數據的組織來說,這就是現實。而這對投資者來說是個好消息,機會多多。
第3期 2021/02/26
