From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante.

Black Hat 22 was held in Las Vegas last week, the same time as theCUBE's SuperCloud event. Unlike AWS re:Inforce, where words are carefully chosen to put a positive spin on security, Black Hat exposes all the warts of cyber and openly discusses its hard truths. It's a conference that's attended by technical experts who proudly share some of the vulnerabilities they've discovered. And of course, by numerous vendors marketing their products and services. Hello and welcome to this week's Wikibon Cube Insights Powered by ETR. In this Breaking Analysis, we summarize what we learned from discussions with several people who attended Black Hat and our analysis from reviewing dozens of keynotes, articles, sessions and data from a recent Black Hat attendees survey conducted by Black Hat and Informa. And we'll end with a discussion of what it all means for the challenges around securing the SuperCloud.

Now, I personally did not attend, but as I said at the top, we reviewed a lot of content from the event, which is renowned for its hundreds of sessions, breakouts and strong technical content that is, as they say, unvarnished. Chris Krebs is the former director of the US Cybersecurity and Infrastructure Security Agency, CISA. He gave the keynote and he spoke about the increasing complexity of tech stacks and the ripple effects that that has on organizational risk. Risk was a big theme at the event. Where re:Inforce tends to emphasize, again, the positive state of cybersecurity, it could be said that Black Hat, as the name implies, focuses on the other end of the spectrum. Risk, as a major theme of the event at the show, got a lot of attention. Now, there was a lot of talk, as always, about the expanded threat surface.
You hear that at any event that's focused on cybersecurity and tons of emphasis on supply chain risk as a relatively new threat that's come to the CISOs' minds. Now, there was also plenty of discussion about hybrid work and how remote work has dramatically increased business risk. According to data from Intel 471's Mark Arena, the previously mentioned Black Hat attendee survey showed that compromised credentials posed the number one source of risk followed by infrastructure vulnerabilities and supply chain risk. So a couple of surveys here that we're citing and we'll come back to that in a moment.

At an MIT cybersecurity conference earlier last decade, theCUBE had a hypothetical conversation with former Boston Globe war correspondent Charles Sennett about the future of war and the role of cyber. We had similar discussions with Dr. Robert Gates on theCUBE at a ServiceNow event in 2016. At Black Hat, these discussions went well beyond the theoretical with actual data from the war in Ukraine. It's clear that modern wars are and will be supported by cyber, but the takeaways are that they will be highly situational, targeted and unpredictable because in combat scenarios, anything can happen. People aren't necessarily at their keyboards.

Now, the role of AI was certainly discussed as it is at every conference and particularly cyber conferences. It was somewhat dissed as overhyped, not surprisingly, but while AI is not a panacea to cyber exposure, automation and machine intelligence can definitely augment what appear to be and have been stressed out security teams. You can do this by recommending actions and taking other helpful types of data and presenting it in a curated form that can streamline the job of the SecOps team. Now, most cyber defenses are still gonna be based on tried and true monitoring and telemetry data and log analysis and curating known signatures and analyzing consolidated data, but increasingly AI will help with the unknowns, i.e.
zero-day threats and threat actor behaviors after infiltration.

Now, finally, while much lip service was given to collaboration and public-private partnerships, especially after Stuxnet was revealed earlier last decade, the real truth is that threat intelligence in the private sector is still evolving. In particular, the industry really mid-decade, really tried to commercially exploit proprietary intelligence and do private things like private reporting and monetize that, but attitudes toward collaboration are trending in a positive direction, was one of the sort of outcomes that we heard at Black Hat. Public-private partnerships are being both mandated by government and there seems to be a willingness to work together to fight an increasingly capable adversary. These things are definitely on the rise. Now, without this type of collaboration, securing the super cloud is gonna become much more challenging and confined to narrow solutions. I'm gonna talk about that a little later in the segment.

Okay, let's look at some of the attendee survey data from Black Hat. Just under 200 really serious security pros took the survey. So not enough to slice and dice by hair color, eye color, height, weight and favorite movie genre, but enough to extract high-level takeaways. You know, these strongly agree or disagree survey responses can sometimes give vanilla outputs, but let's look for the ones where very few respondents strongly agree or disagree with a statement or those that overwhelmingly strongly agree or somewhat agree. So it's clear from this that the respondents believe the following. One, your credentials are out there and available to criminals. Very few people thought that that was unavoidable. Second, remote work is here to stay. And third, nobody was willing to really jinx their firms and say that they strongly disagree that they'll have to respond to a major cybersecurity incident within the next 12 months.
Now, as we've reported extensively, COVID has permanently changed the cybersecurity landscape and the CISO's priorities and playbook. Check out this data that queries respondents on the pandemic's impact on cybersecurity. New requirements to secure remote workers, more cloud, more threats from remote systems and remote users and a shift away from perimeter defenses that are no longer as effective, e.g. firewall appliances. Note, however, the fifth response that's down there highlighted in green. It shows a meaningful drop in the percentage of remote workers that are disregarding corporate security policy. Still too many, but 10 percentage points down from the 2021 survey. Now, as we've said many times, bad user behavior will trump good security technology virtually every time.

Consistent with the commentary from Mark Arena's Intel 471 threat report, phishing for credentials is the number one concern cited in the Black Hat attendees survey. This is a people and process problem more than a technology issue. Yes, using multi-factor authentication, changing passwords, using unique passwords, using password managers, et cetera, they're all great things, but if it's too hard for users to implement these things, they won't do it, they'll remain exposed and their organizations will remain exposed. Number two in the graphic, sophisticated attacks that could expose vulnerabilities in the security infrastructure. Again, consistent with the Intel 471 data. And three, supply chain risks. Again, consistent with Mark Arena's commentary.

Ask most CSOs their number one problem and they'll tell you it's a lack of talent. That'll be on the top of their list. So it's no surprise that 63% of survey respondents believe they don't have the security staff necessary to defend against cyber threats. This speaks to the rise of managed security service providers that we've talked about previously on Breaking Analysis.
We've seen estimates that less than 50% of organizations in the US have a SOC. And we see those firms as ripe for MSSP support as well as larger firms augmenting staff with managed service providers.

Now, after re:Invent, we put forth this conceptual model that discussed how the cloud was becoming the first line of defense for CSOs and DevOps was being asked to do more. Things like securing the runtime, the containers, the platform, et cetera. And audit is that kind of that was that last line of defense. So a couple of things we picked up from Black Hat which are consistent with the shift and some that are somewhat new. First is getting visibility across the expanded threat surface was a big theme at Black Hat. This makes it even harder to identify risk. Of course, this being the expanded threat surface. It's one thing to know that there's a vulnerability somewhere. It's another thing to determine the severity of the risk, but understanding how easy or difficult it is to exploit that vulnerability and how to prioritize action around that vulnerability is increasingly complex for CSOs as the security landscape gets complexified.

So what's happening is the SOC, if there even is one at the organization, is becoming federated. No longer can there be one ivory tower that's the magic god room of data and threat detection and analysis; rather, the SOC is becoming distributed, following the data. And as we just mentioned, the SOC is being augmented by the cloud provider and the managed service providers, the MSSPs. So there's a lot of critical security data that is decentralized and this will necessitate a new cyber data model where data can be synchronized and shared across a federation of SOCs, if you will, or mini SOCs or SOC capabilities that live in and/or embedded in an organization's ecosystem.
Now, to this point about cloud being the first line of defense, let's turn to a story from ETR that came out of our colleague, Eric Bradley's insight in a one-on-one he did with a senior IT person at a manufacturing firm. In a piece that ETR published called "Saved by Zscaler", check out this comment. Quote, "as the last layer, we are filtering all the outgoing internet traffic through Zscaler. And when an attacker is already on your network and they're trying to communicate with the outside to exchange encryption keys, Zscaler is already blocking the traffic. It happened to us, it happened and we were saved by Zscaler." That's pretty cool. So not only is the cloud the first line of defense as we sort of depicted in that previous graphic, here's an example where it's also the last line of defense.

Now let's end on what this all means to securing the super cloud. At our SuperCloud 22 event last week in our Palo Alto Cube studios, we had a session on this topic on super cloud, securing the super cloud. Security in our view is going to be one of the most important and difficult challenges for the idea of super cloud to become real. We reviewed in last week's Breaking Analysis a detailed discussion with Snowflake co-founder and president of products, Benoit Dageville, how his company approaches security in their data cloud, what we call a super data cloud. Snowflake doesn't use the term super cloud, they use the term data cloud. But what if you don't have the focus, the engineering depth and the bankroll that Snowflake has? Does that mean super clouds will only be developed by those companies with deep pockets and enormous resources? Well, that's certainly possible. But on the securing the super cloud panel, we had three technical experts, Gee Rittenhouse of Skyhigh Security, Piyush Sharma, who's the founder of Accurics who sold to Tenable and Tony Kueh who's the former head of product at VMware. Now, John Furrier asked each of them, what is missing?
What's it going to take to secure the super cloud? What has to happen? Here's what they said, play the clip.

This is the final question. We have one minute left. I wish we had more time. This is a great panel. We'll bring you guys back for sure after the event. What one thing needs to happen to unify or get through the other side of this fragmentation and the challenges for super cloud? Because remember, the enterprise equation is solve complexity with more complexity. Well, that's not what the market wants. They want simplicity, they want SaaS, they want ease of use, they want infrastructure as code. What has to happen? What do you guys think, each of you?

So I can start and extending to the previous conversation. I think we need a consortium. We need a framework that defines that if you really want to operate in super cloud, these are the 10 things that you must follow. It doesn't matter whether you take AWS, Azure, GCP, or you have all, and you will have the on-prem also, which means that it has to follow a pattern. And that pattern is what is required for super cloud, in my opinion. Otherwise security is going everywhere. They're like, they have to fix everything, find everything and so on and so forth. It's not gonna be possible. So they need a framework, they need a consortium. And this consortium needs to be, I think needs to be led by the cloud providers because they're the ones who have these foundational infrastructure elements and the security vendor should contribute on providing more severe detections or severe findings. So that's, in my opinion, should be the model.

Well, thank you, Gee.

Yeah, I would think it's more along the lines of a business model. We've seen in cloud that the scale matters. And once you're big, you get bigger. We haven't seen that coalesce around either a vendor, a business model or whatnot, to bring all of this and connect it all together yet.
So that value proposition in the industry, I think is missing, but there's elements of it already available.

I think there needs to be a mindset. If you look, again, history repeating itself, the internet sort of came together around a set of IETF, RFC standards. Everybody embraced and extended it, right? But still there was at least a baseline. And I think at that time, the largest and most innovative vendors understood that they couldn't do it by themselves, right? And so I think what we need is a mindset where these big guys, like Google, let's take an example, they're not gonna win it all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together?

Okay, so Gee's point about a business model is, you know, business model being missing. It's broadly true, but perhaps Snowflake serves as a business model, where they've just gone out and done it, or trying to set a de facto standard by which data can be shared and monetized. They're certainly setting that standard and mandating that standard within the Snowflake ecosystem with its proprietary framework. You know, perhaps that is one answer, but Tony lays out a scenario where there's a collaboration mindset around a set of standards with an ecosystem. You know, intriguing is this idea of a consortium or a framework that Piyush was talking about. And that speaks to the collaboration or lack thereof that we spoke of earlier. And his and Tony's proposal that the cloud providers should lead with the security vendor ecosystem playing a supporting role is pretty compelling. But can you see AWS and Azure and Google in a Kumbaya moment getting together to make that happen? It seems unlikely, but maybe a better partnership between the US government and big tech could be a starting point.

Okay, that's it for today.
I wanna thank the many people who attended Black Hat, reported on it, wrote about it, gave talks, did videos, and some that spoke to me that had attended the event. Becky Bracken, who's the EIC at Dark Reading. They do a phenomenal job. And the entire team at Dark Reading, the news desk there, Mark Arena, whom I mentioned, Garrett O'Hara, Nash Borges, Kelly Jackson, sorry, Kelly Jackson Higgins, Roya Gordon, Robert Lepofsky, Chris Krebs, and many others. Thanks for the great commentary and the content that you put out there. And thanks to Alex Myerson, who's on production and Alex manages the podcasts for us. Ken Schiffman is also in our Marlboro studio as well outside of Boston. Kristen Martin and Cheryl Knight, they helped get the word out on social media and in our newsletters and Rob Hof is our editor-in-chief at SiliconANGLE and does some great editing, helps with the titles of Breaking Analysis quite often.

Remember these episodes, they're all available as podcasts wherever you listen, just search for Breaking Analysis Podcast. I publish each week on wikibon.com and siliconangle.com. And you could email me, get in touch with me at david.vellante@siliconangle.com or you can DM me @dvellante or comment on my LinkedIn posts. And please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching and we'll see you next time on Breaking Analysis.