This week, Richard Stiennon, Chief Research Analyst with IT-Harvest and industry executive, joined us for the inaugural episode of the Security on Cloud Podcast. Listen in as Richard gives his insight on some of the biggest and best-known data attacks and what we can learn from them for future avoidance, what “true cloud security” is, how companies can move their security to the cloud, what needs to happen next before larger security models are fully deployed in the cloud, and more.
John Vecchi: Welcome, everybody! You’re listening to the Security on Cloud Podcast, live on Anitian radio. I’m your host, John Vecchi.
Scott Emo: I’m Scott Emo. In this episode, we want to talk about what’s going on in security, and specifically in cloud security.
John Vecchi: That’s right. We’re going to get fantastic perspective today on cloud security, and what’s happening there. With that, I’d like to introduce our very special guest this week. He’s presented on the topic of cybersecurity in 29 countries, on six continents. He’s a lecturer at Charles Sturt University, Australia, and he is the author of Secure Cloud Transformation: The CIO’s Journey, Surviving Cyberwar, and the Washington Post bestseller, There Will Be Cyberwar. He writes for Forbes and The Analyst Syndicate. He’s a member of the advisory board at the Information Governance Initiative and sits on the Responsible Recycling Technical Advisory Committee, the standard for electronic waste. He’s been a Chief Strategy Officer, Chief Marketing Officer, and VP of Threat Research at many Silicon Valley giants, as well as a VP of Research at Gartner. His latest book, which is available on Amazon right now, and which we’ll talk about today by the way, is titled Security Yearbook 2020. It’s our pleasure to have you with us today, analyst Richard Stiennon. Welcome to the show!
Richard Stiennon: Hey, John. Thanks for having me. Hi, Scott.
John Vecchi: Fantastic. Look, it’s a joy, Richard. Over the years, it’s usually been me and the teams that I’ve been with, with security companies answering your questions, so it’s a treat to actually get to ask you some questions on our podcast today. Look, we have a lot to talk about today, including your latest Security Yearbook. I know you’re busy writing your next yearbook and we’re going to dive into an article you wrote in Forbes recently over the summer, but I’d be remiss if I didn’t talk about the recent events surrounding the SolarWinds cyberattack. It’s pretty much dinner conversation. Every time you turn on the news, you’re seeing about it. We’re learning more about that every day, but I wanted to just start with getting your thoughts. I know you’ve spoken about this, and you’ve been interviewed many times about it, but I just want to get your thoughts. Given everything we know, how should we think about this attack, and what should we learn from it?
Richard Stiennon: Practically every new attack with new methodologies uncovers weaknesses that we had in our overall security architectures. In this case, this is something we’ve all talked about, and we’ve known that third parties are a great avenue into the enterprise. Right? With Target being compromised by somebody coming in with the access that they’re granted because they’re an HVAC vendor, or maybe Lockheed Martin being attacked through a compromised RSA SecurID token because RSA had been compromised by… I think China’s who we blame for that one.
John Vecchi: Right.
Richard Stiennon: A lot of people talk about third-party risk, but their solution is always just to automate the process of scanning every one of your suppliers remotely and then managing all the questionnaires that you have to go through in a survey to determine if their security maturity is at the level you expect, but then we completely neglect the fact that we all trust software updates, and we always have, and yet there are dozens of examples of software updates being compromised.
The most famous of which is NotPetya in Ukraine. The NSA has used them as well in the Flame malware toolkit that actually pretended to be a Microsoft update. Now we’ve learned this. We’ve seen the best foothold that we’ve given to an attacker attributed to the Russian SVR, their spy agency. Just a fantastic intelligence coup for them, right? Because they’ve embedded, now, in dozens of organizations including US Treasury, the Commerce Department, DHS, maybe CISA as part of DHS, and the nuclear safety organization in the United States that manages our nuclear arsenals. Obviously, a lot of potential for damage there and, obviously, a lot of potential for really valuable intel that the attackers have been able to gather over a nine-month period of being able to dwell inside an organization.
John Vecchi: Wow. It’s incredible. I recently posted on this, that we’re learning more and more every day, but it seems as though the attackers were able to insert this Sunburst malware into the Orion… That was the update. The SolarWinds Orion update, by compromising the CI/CD build process and pipeline, which I found interesting. Obviously, there are multiple methods, tactics, and procedures they used, but that’s certainly one that’s interesting because to me it brings to the forefront this idea of bringing security into that process. Everyone’s trying to get builds into the cloud and release these things, but what happens to security, right? Will that be a potential lesson from this in the scope of all the lessons we’re going to learn from this attack?
Richard Stiennon: Yeah. I think that’s one of the two valuable lessons. On the supplier’s side, somehow build in the assurance that you need. That your development process isn’t compromised in some way. Then on the consumer side, how do you build up assurance that the software provider isn’t giving you a bad update. The first one, I think we have pretty good tools. That’s just security as usual. Just do a better job of protecting credentials in your active directory, and all the rest. The other one, I’m not so sure. How can you validate software updates? Because you’re not getting source code updates. You’re only getting compiled updates. They’re digitally signed with the correct signatures, and that’s what we used in the past, is we just check the signatures, see if they’re okay. See if the hashes are right for what you’re downloading. Now we have to come up with a way, and I don’t know what the answer is right now. Should it be a third party? Should you just rotate signatures so rapidly that an attacker has to continuously try and compromise them? I don’t know the answer.
John Vecchi: Yeah. It’s interesting. Well, appreciate your thoughts on that. We’re going to follow this one, and I’m sure we’ll be talking about it more on further episodes.
Scott Emo: Yeah. That’d be good to have a follow-up on this particular thing once they dig in and learn more. That’ll be great.
Richard Stiennon: Yes, because there are going to be hundreds more victims, and then there’s going to be some next step using stolen data, or compromising the organizations and hurting them in some way.
Scott Emo: Yeah. Just the remediation of this is going to be fascinating to figure out how to find out, okay, we know we were attacked, but where? Right?
Richard Stiennon: Yeah.
Scott Emo: It’s been great. Richard, let’s switch gears a bit. You recently wrote an article for Forbes that was entitled, “There Is No Cloud Security Segment.” That’s quite a claim given that there are over 2,000 security vendors in the new directory that you wrote, the Security Yearbook. What did you mean by that statement, “There Is No Cloud Security Segment”? I can’t quite grok that. Can you elaborate?
Richard Stiennon: Yeah. The evolution was that I had written a book on secure cloud transformation. How to do that well, and it was actually at the book launch for that, that I was inspired to write the history of the IT security industry, Security Yearbook 2020, and finally include in that the directory that I’ve been putting together for 10 years. I’ve been collecting all this information because as an industry analyst that just covers cybersecurity vendors, I’m frustrated that I can’t find out all the companies that have gone out of business. There’s no list anywhere of all those. I’ve started collecting all the data so that I can go back later and say, yeah, in 2020 there were X number of vendors, and then by 2021, X percent have gone out of business, or had been acquired, or got new funding. Tons and tons of data that I’m putting together, and the hardest part of that is after you’ve found the vendors through looking at every single security conference and the vendors that were presenting there, looking at other people’s lists, compiling them, deduping them, I can outsource the data collection to my team in India to…
Every quarter, for instance, they look on LinkedIn and tell me, and record the number of employees at each of these companies, so I can see who’s growing, and who’s shrinking. Super valuable stuff. The one thing that’s impossible to outsource for an industry analyst is the categorization because, let’s be frank, vendors say a lot of things about who, and what they are that are just wrong. They are. Or they just don’t say. I got hundreds of pages where I have to dig down into the product spec sheets before I could figure out, oh, they’re a SIEM. All that AI and ML stuff, and threat hunting and all the rest. Now, they’re just a logging tool…
John Vecchi: That’s Scott’s fault, by the way. He’s our marketing guy.
Scott Emo: Let’s not bring the marketing guys here. I think we’re going in the wrong direction here.
John Vecchi: That’s right.
Richard Stiennon: I’m just expressing my frustration because it takes me a long time to do that, and as a matter of fact, over the holidays, I went through 800 additional vendors and had to categorize them to solve that over and over again. I think my eyes are failing me now because I’ve looked at so many web pages.
John Vecchi: Oh man.
Richard Stiennon: The last year, as I collected it, I would see a vendor and they would say, right on their front page with big images of clouds, “We are your complete cloud security solution.” I’d just put an entry in, for a major category for cloud security. Before the book went to press last time, I had to go back and rationalize all my categories, and then I realized I’m looking at cloud security. Okay, what are they doing in the cloud? I need my next column or some category. Oh, they do network security in the cloud. Okay, they’re a network security vendor. Boom. Done with that. Then you go, “Oh, this guy does Container Security. Some Kubernetes, or something.” Well, that’s endpoint security. It’s the same as server security, which I’ve always said is endpoint security.
Richard Stiennon: I move them into the endpoint, and then I’ll find folks that do just cloud monitoring for governance, risk, and compliance. That’s GRC. Boom. By the time I was done, I could not find a single vendor that belonged in a category of cloud security. I’m not saying you don’t need cloud security. There’s plenty of security to be applied in the cloud, but it still fits the old model of you need data security, encryption, and all the rest. You need network security, you need endpoint security, you need governance, risk, and compliance. All those categories still exist in the cloud. Think of a cloud as just a big instance of a data center. You still need all that stuff in the cloud.
Richard Stiennon: Luckily, in many, many cases it’s easier to do. It’s more complete. A lot easier to monitor. I’m still a fanatic when it comes to getting to the cloud as fast, and as soon as you can, because you’ll have all these advantages, and have better capability at lower cost to stay secure.
John Vecchi: Yeah. It’s interesting. Really, I think what you ended up doing is saying, “Look, there are two distinct categories of these vendors.” Which you just talked about. Right? Vendors that have these solutions for deployments and monitoring, alerting, logging, blocking, all of this stuff. Then, of course, I guess you could say the CrowdStrikes, and these guys which offer a cloud service in the cloud… A security service in the cloud. I guess it begs the question, right? What would be a cloud security segment? I think what we’re seeing is, there are vendors who offer solutions, which have traditionally, frankly, been deployed on-premise, right? Then they say, “Oh, we’ve got that now in the cloud,” or you have security vendors who start off by saying, “We’re a company that delivers our security service in the cloud from the start, and only in the cloud.” You have that, and as you have shown, those categories are there, but what would a real cloud security segment look like if there was one, or should there be one, or will there be one?
Richard Stiennon: There could be one. I’ve thought of that, and the only answer I can come up with is a vendor that sells a security product to Amazon, to secure AWS, for Amazon.
John Vecchi: Right.
Richard Stiennon: Then move over to doing it for Azure, Google, Rackspace, and whoever else wants to offer a cloud service, but not something you layer in that just gets sold through to their customers. Something that actually protects Amazon from being hacked. That may be something that’s a shim. That fits between every virtual instance, right? So, you can’t do side-channel attacks. Something like that.
John Vecchi: Interesting.
Richard Stiennon: I haven’t run across a single one like that. If there are any, they don’t even have to advertise, or market what they do, or anything. All they have to do is talk to the right people at Amazon, and sell their product.
John Vecchi: Right. Right. Well, interesting. I guess like I said, we’re on Anitian radio, so we talk — and we will always talk in this podcast series — about a vision we have, and a mission we have, which is actually automating security in the cloud, and in some respects trying to do what you just outlined there, which is, what if there was a pre-automated, pre-built, pre-engineered complete security environment that you stand up in your AWS or Azure account, which provides this, like I said, a pre-built security environment that consolidates multiple, multiple different solutions, whether it’s endpoint, encryption, network, web application firewall, unified threat management. All of those things in an automated way. Is something like that closer to what a cloud security segment might actually, or should actually look like?
Richard Stiennon: Yeah. I think you could build that case if you break down what Anitian does, right? They do security for cloud environments in every single category, right? They do it in network, in endpoint, in data security, and then provide the monitoring and support for compliance on top of that. It is general purpose. It’s almost a meta solution to do that. Similar, I assume, to what you get when you go to a full-fledged security consulting company… Ernst & Young, or Deloitte. Or Booz Allen is probably the best example. They come in and they just do it all for you. Now, mind you, it’s a lot harder when it’s not in the cloud. It takes them forever. You’re talking about several years to get all that done for you by a third party to which you’ve essentially outsourced your security.
John Vecchi: Right.
Richard Stiennon: I think from my perspective Anitian is leveraging the cloud, and all the great things I was talking about that the cloud delivers for you, making something new possible, which is, if you have a cloud environment for delivering a product, or a service, you can add all the security quickly and easily, and have it all in one place. Managed in one place.
John Vecchi: Right. I think it’s something to watch, what a cloud security segment is. One of the reasons we want people to listen to this podcast is just to learn about what it means. Our world is now fully in the cloud, and given the year we are just about completing now, which changed everything, I think, Richard, it’s safe to say those organizations who thought they were going to the cloud, this year really truly went to the cloud, and so I think that given that the cloud is everything, when we think in terms of cloud security, it’s really about allowing these enterprises, businesses, organizations, to move to the cloud, but do it in a way that’s easier for them.
John Vecchi: It’s hard, right? I think following this cloud security segment will be interesting because I think the day that there is one, Richard, maybe that means it’s easier to actually digitally transform and move to the cloud, and do the things you want to do more powerfully there. I think that’s perhaps something Scott will be watching as we troll through this series of security on cloud. Right?
Richard Stiennon: Yeah. Yeah.
John Vecchi: Exactly.
Richard Stiennon: You’ll see the next thing that we need to make all those come together, which is 5G widely deployed because then everybody’s got a direct connection to all these cloud services. Each individual with their handset or their 5G enabled laptop will just be part of it immediately, right? That’s when you can start talking about bigger security models that layer on top of everything. Maybe I don’t need endpoint security for my device if I’m going through a filtering service offered by the telecom provider, for instance, where they just don’t allow bad stuff to happen to my device from a network side.
John Vecchi: Exactly. Interesting.
Scott Emo: Richard, I had another question. This may be a little off-topic, but in a recent quote, I heard you say — and I’m going to quote this — “There’s a massive amount of overlapping… Overlap amongst cybersecurity vendors. There are far more companies trying to build something better instead of building something different.” I wanted to get your thoughts on that quote. What was your thinking behind that? Aren’t people doing something different?
Richard Stiennon: Yeah. I saw that quote too, and I guess it struck me as, “Hey, did I really say that?” I must have because it was on a podcast. Because when I think about it, my thinking is that yes there… First of all, the reason for so many companies is that, quite often, you can start a security company that does… That solves the exact same problem as somebody else, but because you, the founders, the investors, are in a particular region, say you’re in the UK, you could find the 20 or 50 customers you need before they even know about a person in Singapore who is doing the same thing. You get regional disparity all the time, and that doesn’t tend to go away. There are very, very few instances of roll-ups of regional players to create a global one. As a case in point is antivirus, right?
Richard Stiennon: There are 150 antivirus vendors. When Symantec was on a roll and buying everything in sight, why did they buy antivirus vendors, right? There was never any consolidation in the industry, and that’s never happened. Or UTM vendors. There are over 50 UTM vendors, including a brand new one I ran into at a conference in Asia back when people used to go to travel and stuff, called Red Piranha. They’re in Perth, Australia, and they’ve got a killer little hardware appliance that they sell to people, and people are still buying them, even though the future says you’ll never, ever need another hardware appliance because everything’s in the cloud, so what do you need a gateway for anyways? Yeah. There they are, and there are new ones starting every single day. That explains a lot of what is now — I’m announcing for the first time — 3,000 security vendors. That explains why there are so many, and then there are…
Scott Emo: You heard it first here! You heard it first on our podcast.
Richard Stiennon: That’s right!
John Vecchi: Right, 3,000!
Richard Stiennon: There are different approaches to everything, right? For every problem, there are several solutions, and startups grab onto one of them, and try and take it to the market. The winner wins. If signature-based antivirus was how we used to do things, it got to where we had to look deeper into memory, and look at processes and all that, and that gave rise to the CrowdStrikes, and Cylances, and SentinelOnes of the world. That appears to be better, and people like that, or maybe it’s just that it’s a better add-on to what you get for free from Microsoft anyways, nowadays, and that’s created… CrowdStrike is now the highest valuation security vendor in the world. Last time I looked it was $48 billion, which is… It could be the highest any security company has ever been valued.
John Vecchi: Correct.
Richard Stiennon: Verisign used to be the highest valued, but they actually weren’t security anymore when they got to that.
John Vecchi: Now you’ve got SentinelOne going to IPO soon on their coattails, and we’ll see what happens there. You’re right, we’re seeing this huge jump, and I think the good news is that these are companies built to do what they do in the cloud, right? Which is good, but, you’re right.
Richard Stiennon: Well, actually CrowdStrike and SentinelOne… They’re still endpoint solutions. Right?
John Vecchi: Yeah. Yeah.
Richard Stiennon: They’re worried about PCs basically. A few Linux boxes and all the rest, which, that’s not cloud anything. That’s still endpoint.
John Vecchi: Right.
Richard Stiennon: But they’ve incorporated better ways to get to their instances, and they’ve done that in the cloud and they give you a cloud interface. It’s multi-tenant, so you don’t worry about mixing your data with your competitors, but they’re just an example of companies that have leveraged the cloud and demonstrated how fantastic it is to take advantage of the cloud, which goes across the board for any company, right? Every company should be going to the cloud. But one word of warning for all of us is, cloud adoption is still thinly penetrated. Despite how huge it is, despite all the valuations you can see, and the revenue you can see at AWS for Amazon and Azure… The two companies being two of the biggest in the world now, there are still many more companies that haven’t moved to the cloud.
John Vecchi: Right.
Richard Stiennon: As an analyst, I’m always thinking that this is the way of the world. It’s a better way. Boom. We’re already there. 10 years from now, we’ll still be talking about people moving from their data centers and hosting data somewhere else. It’s just-
John Vecchi: It’s really true, and it’s one of the reasons we find this topic so fascinating, and I think, again, if you look at 2020, what’s happened is we woke up one day, and work was something we did and wasn’t a place we went, and everyone suddenly was working from home, and everything changed, and I think it certainly has… There was always a trend of everyone moving to the cloud, as you’ve said, and digital transformation has been here for a while, but I think in 2020, we’re seeing some companies actually find that they have to move to the cloud to adapt and to survive, and pivot in this new COVID economy we have, right? I think it’s a… Like you said, this is still going to happen for a while.
John Vecchi: I think, Scott, we could have this webcast for the next 10 years, and we’d still be having fantastic conversations about why people need to move to the cloud and how. Relative to your last quote that Scott asked you about, vendors need to build things differently to allow companies to do that better, faster, easier, more securely, right? That’s probably why, Richard, we could have you as a guest for many years, and never run out of things to talk about in this topic of cloud security.
Scott Emo: Yeah. It looks like we’re setting up another date for at least next year to have you on again.
Richard Stiennon: Alright. We’ll bring whiskey next time.
John Vecchi: Absolutely. We’ll do that! I know Richard, as you’ve said, you’re in the process of writing your next book, which is the next edition. It’s the 2021 edition. I think that’s correct, and that’s coming, and so we want to make sure people look for that. I’m assuming you’re going to finish that, and like your 2020 book, it’ll be available on Amazon. Is that right?
Richard Stiennon: Actually, I’m debating moving it off of Amazon. You’ll have to come to my website to get it.
John Vecchi: Got it.
Richard Stiennon: So, I’d have a little more control over the quality of the printing, but it’s coming together fast. I had to wait until 2020 was over to collect all the data, and thankfully I usually launch at RSA Conference in San Francisco. First, they moved it to May, and then they went completely virtual, so I don’t have that pressure to print enough books to ship to San Francisco in May. The book will launch in May. It’s basically got the updated directory in it, and then fills out the history. There are always more stories to tell, and I’m interviewing pioneers in the industry. This time I’ve interviewed Amit Yoran to get the story of the early MSSP days because he was at Riptech before he went on. Now he’s CEO of Tenable. Then a summary of what happened in 2020. It’s neatly bookended by COVID on the front end, and SolarWinds on the back end.
John Vecchi: Yes, fantastic! Well, we can’t wait. Richard, it was just a treat to have you with us today with all your thoughts and wisdom. Can’t thank you enough for being our guest today, and sharing all of your knowledge with us on the topic of cloud security.
Richard Stiennon: Anytime.
John Vecchi: Thanks again to our very special guest, Richard Stiennon, and don’t forget to get his latest book, Security Yearbook 2020, which is available on Amazon, or directly on Richard’s website at www.it-harvest.com/shop.
Scott Emo: The Security on Cloud Podcast is brought to you by Anitian, the leading cloud security and compliance automation provider, delivering the fastest path to security and compliance in the cloud.
John Vecchi: Thanks, Scott, and thanks again to our guest, Richard Stiennon.
About Our Guest
Richard Stiennon – Chief Research Analyst, IT-Harvest
He has presented on the topic of cybersecurity in 29 countries on six continents. He is a lecturer at Charles Sturt University in Australia. He is the author of Secure Cloud Transformation: The CIO’s Journey, Surviving Cyberwar (Government Institutes, 2010), and the Washington Post bestseller There Will Be Cyberwar. He writes for Forbes and The Analyst Syndicate. He is a member of the advisory board at the Information Governance Initiative and sits on the Responsible Recycling Technical Advisory Committee, the standard for electronic waste. Stiennon was Chief Strategy Officer for Blancco Technology Group, the Chief Marketing Officer for Fortinet, Inc., and VP Threat Research at Webroot Software. Prior to that, he was VP Research at Gartner, Inc. He has a B.S. in Aerospace Engineering and an MA in War in the Modern World from King’s College, London.