 From theCUBE Studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. The pandemic not only accelerated the shift to digital, but also highlighted a rush of cyber-criminal sophistication, collaboration, and chaotic responses by virtually every major company in the planet. The SolarWinds hack exposed supply chain weaknesses and so-called island hopping techniques that are exceedingly difficult to detect. Moreover, the will and aggressiveness of well-organized cyber criminals has elevated to the point where incident responses are now met with counterattacks designed to both punish and extract money from victims via ransomware and other criminal activities. The only upshot is the cybersecurity market remains one of the most enduring and attractive investment sectors for those that can figure out where the market is headed and which firms are best positioned to capitalize. Hello and welcome to this week's Wikibon Cube Insights powered by ETR and this Breaking Analysis will provide our quarterly update of the security industry and share new survey data from ETR and the CUBE community that will help you navigate through the maze of corporate cyber warfare. We'll also share our thoughts in the game of 3D chest that Octa CEO Todd McKinnon is playing against the market. Now we all know this market is complicated, fragmented and fast moving and this next chart says it all. It's an interactive graphic from Optiv, a Denver Colorado based SI that's focused on cybersecurity. They've done some really excellent research and put together this awesome taxonomy and they've mapped vendor names therein and this helps users navigate the complex security landscape and there are over a dozen major sectors, high level sectors within the security taxonomy and nearly 60 sub-sectors from monitoring, vulnerability assessment, identity, asset management, firewalls, automation, cloud, data center, SIM, threat detection and intelligent endpoint, network and so on and so on and so on. But this is a terrific resource I'm going to help you understand where players fit and help you connect the dots in the space. Now let's talk about what's going on in the market. The dynamics in this crazy mess of a landscape are really confusing sometimes. Now, since the beginning of cyber time we've talked about the increasing sophistication of the adversary and the back and forth escalation between good and evil and unfortunately this trend is unlikely to stop. Here's some data from Carbon Black's annual modern bank heist report. This is the fourth and of course now VMware's brand highlights the Carbon Black study since the acquisition and it catalyzed the creation of VMware's cloud security division. Destructive malware attacks according to the recent study are up 118% from last year. Now one major takeaway from the report is that hackers aren't just conducting wire fraud. They are 57% of the bank surveyed saw an increase in wire fraud but the cyber criminals are also targeting non-public information such as future trading strategies. This allows the bad guys to front run large block trades and profit. It's become very lucrative practice. Now the prevalence of so-called island hopping is up 38% from already elevated levels. This is where a virus enters a company's supply chain via a partner and then often connects with other stealthy malware downstream. These techniques are more common where the malware will actually self form with other infected parts of the supply chain and create actions with different signatures designed to identify and exfiltrate valuable information. It's a really complex problem. Of major concern is that 63% of banking respondents in the study reported that responses to incidents were then met with retaliation designed to intimidate or initiate ransomware attacks to extract a final pound of flesh from the victim. Notably, the study found that 75% of CISOs reported to the CIO, which many feel is not the right regime. The study called for a rethinking of their right cyber regime where the CISO has increased responsibility in a direct reporting line to the CEO or perhaps the COO with greater exposure to boards of directors. So many thanks to VMware and Tom Kellerman specifically for sharing this information with us this past week. Great work by your team. Now, some of the themes that we've been talking about for several quarters are shown in the lower half of the chart. Cloud of course is the big driver thanks to work from home and the pandemic. And the interesting corollary of course is we see a rapid rethinking endpoint in identity access management and the concept of zero trust. In a recent ESG survey, two thirds of respondents said that their use of cloud computing necessitated a change in how they approach identity access management. Now, as shown in the chart from Optiv, the market remains highly fragmented and M&A is of course way up. Now, based on our research, it looks like transaction volume has increased more than 40% just in the last five months. So let's dig into the M&A, the merger and acquisition trends for just a moment. We took a five month snapshot and we were able to count about 80 deals that were completed in that timeframe. Those transactions represented more than $20 billion in value. Some of the larger ones are highlighted here. The biggest of course being the Tom Abravo taking proof point private for a 12 plus billion dollar price tag. The stock went from the low 130s in his trading in the low 170s based on the $176 per share offer. There's your arbitrage, folks, go for it. Perhaps the more interesting acquisition was Auth0 by Octa for 6.5 billion, which we're going to talk about more in a moment. There's more private equity action we saw as Insight bought Armas in IoT security play and Cisco shelled out $730 million for IMI mobile. Which is more of an adjacency to cyber but it's going to go under Cisco security and applications business run by G2 Patel. But these are just the tip of the iceberg. Some of the themes that we see connecting the dots of these acquisitions are first. SIs like Accenture, Atos and Wipro are making moves in cyber to go local. They're buying SecOps expertise, as I say locally in places like France, Germany, Netherlands, Canada and Australia that last mile, that belly to belly intimate service. Israel is really based startups chalked up five acquired companies in the space over the last five months. Also financial services firms are getting into the act with Goldman and MasterCard making moves to own its own part of the stack themselves to combat things like fraud and identity theft. And then finally, numerous moves to expand markets with us zero crowd strike, buying a log management company Palo Alto picking up DevOps expertise rapid seven shoring up its Kubernetes chops, tenable expanding beyond insights and going after identity, interesting. Fortinet filling gaps in a multi-cloud offering sale point extending to governance, risk and compliance GRC Zscaler picked up in Israeli firm to fill gaps in access control. And then VMware buying mesh seven to secure modern app development and distribution services. So tons and tons of activity here. Okay, so let's look at some of the ETR data to put the cyber market in context. ETR uses the concept of market share. It's one of the key metrics which is a measure of pervasiveness in the data set. So for each sector, it calculates the number of respondents for that sector divided by the total to get a sense for how prominent the sector is within the CIO and IT buyer communities. Okay, this chart shows the full ETR sector taxonomy with security highlighted across three survey periods April last year, January this year and April this year. Now you wouldn't expect big moves in market share over time. So it's relatively stable by sector, but the big takeaway comes from observing which sectors are most prominent. So you see that red line, that dotted line imposed at the 60% level. You can see there are only six sectors above that line and cybersecurity is one of them. Okay, so we know that security is important in a large market, but this puts it in the context of the other sectors. However, we know from previous breaking analysis episodes that despite the importance of cyber and the urgency catalyzed by the pandemic, budgets unfortunately are not unlimited and spending is bounded. It's not an open checkbook for CISOs as shown in this chart. This is a two-dimensional graphic showing market share in the horizontal axis or pervasiveness and net score in the vertical axis. Net score is ETR's measurement of spending velocity and we've superimposed a red line at 40% because anything over 40% we consider extremely elevated. We've filtered and limited the number of sectors to simplify the graphic. And you can see in the sectors that we've highlighted only the big four or above that 40% line, AI, containers, RPA and cloud, they exceed that sort of 40% magic waterline. Information security, you can see that is highlighted and it's respectable but it competes for budget with other important sectors. So this of course creates challenges for organization because not only are they strapped for talent as we've reported, they like everyone else in IT face ongoing budget pressures. Research firm Cybersecurity Ventures estimates that in 2021, $6 trillion worldwide will be lost on cyber crime. Conversely, research firm Candelus peg security spending somewhere around $60 billion annually. IDC has it higher around a hundred billion. So either way, we're talking about spending between one to 1.6% annually of how much the bad guys are taking out. That's peanuts really when you consider the consequences. So let's double click into the cyber landscape a bit and further look at some of the companies. Here's that same XY graphic with the company's ETR captures from respondents in the cybersecurity sector. That's what's shown on the chart here. Now the usefulness of the red lines is 20% on the horizontal indicates the largest presence in the survey and the magic 40% line that we talked about earlier shows those firms of the most elevated momentum. Only Microsoft and Palo Alto exceed both high watermarks. Of course, Splunk and Cisco are prominent horizontally and there are numerous companies to the left of the 20% line and many above that 40% high watermark on the vertical axis. Now in the bottom left quadrant that includes many of the legacy names that have been around for a long time. And there are dozens of companies that show spending momentum on their platforms i.e. above single digits. So that picture is like the first one we showed you very, very crowded space. But so let's filter it a bit and only include companies in the ETR survey that had at least 100 responses. So an N of 100 or greater. So it's a little easy to read but still it's kind of crowded when you think about it. Okay, so same graphic and we've superimposed the data that determined the plot position over in the bottom right there. So there's net score and shared N including only companies with more than 100 N. So what does this data tell us about the market? Well, Microsoft is dominant as always. It seems in all dimensions but let's focus on that red line for a moment. Some of the names that we've highlighted over the past two years show very well here. First I want to talk about Palo Alto networks. Pre COVID as you might recall, we highlighted the valuation divergence between Palo Alto and Fortinet. And we said Fortinet was executing better on its cloud strategy and Palo Alto was at the time struggling with the transition, especially with its go to market and its Salesforce compensation and really refreshing its portfolio. But we told you that we were bullish on Palo Alto networks at the time because of its track record and the fact that CIOs consistently told us that they saw Palo Alto as a thought leader in the space that they wanted to work with. They said that Palo Alto was the gold standard, the best, especially larger company CISOs. So that gave us confidence that Palo Alto a very well-run company was going to get its act together and perform better. And Palo Alto has done just that, as we expected. They've done very well and they've been rapidly moving customers to the next generation of platforms and we're very impressed by the company's execution and the stock has generally reflected that. Now some other names that hit our radar and the ETR data a couple of years ago continue to perform well. CrowdStrike, Zscaler, SailPoint and Cloudflare. Now Cloudflare just reported and beat earnings but was off the stock fell on headwinds for tech overall, the big rotation. But the company is doing very well and they're growing rapidly and they have momentum as you can see from the ETR data. And we put that double star around Proofpoint to highlight that it was worthy of fetching $12.5 billion from private equity firm. So nice exit there supporting the continued consolidation trend that we've predicted in cybersecurity. Now let's turn our attention to Okta and Auth0. This is where it gets interesting and is a clever play for Okta, we think and we want to drill into it a bit. Okta is acquiring Auth0 for big money, why? Well, we think Todd McKinnon, Okta's CEO wants to run the table on identity and then continue to expand his TAM. He has to do that to justify his loft evaluation. So Okta's ascendancy around identity and single sign on is notable. The fragmented pictures that we've shown you, they scream out for simplification and trust and that's what Okta brings. But it competes with some major players, most notably Microsoft with Active Directory. So look, of course, Microsoft is going to dominate in its massive customer base but the rest of the market, that's like jump ball. It's wide open. And we think McKinnon saw the opportunity to go dominate that sector. Now Okta comes at this from an enterprise perspective bringing top-down trust to the equation and throwing a big blanket over all the discrete SaaS platforms and unifying employee access. Okta's timing was perfect. It was founded in 2009 just as the massive SaaSification trend was happening around CRM and HR and service management and cloud, et cetera. But the one thing that Okta didn't have that Auth0 does is serious developer chops. While Okta was crushing it with its enterprise sale strategy, Auth0 was laser focused on developers and building a bottoms up approach to identity. By acquiring Auth0, Okta can dominate both sides of the barbell and then capture the fat middle. So yes, it's a pricey acquisition but in our view, it's a great move by McKinnon. Now, I don't know McKinnon personally but last week I spoke to Arun Shrestha who's the CEO of security specialist Beyond ID. They're a platinum services partner of Okta and they're a zero trust expert. He worked for Okta for a number of years and shared with me a bit about McKinnon's style and think big approach. Arun said something that caught my attention. He said firewalls used to be the perimeter. Now, people are. And while that's self-serving to Okta and probably Beyond ID, it's true. People, apps and data are the new perimeter and they're not in one location and that's the point. Now, unfortunately, I had lined up an interview with Dia Jolly who was the chief product officer at Okta and a CUBE alum for this past week knowing that we were running this segment in this episode but she unfortunately fell ill the day of our interview and had to cancel but I want to follow up with her and understand how she's thinking about connecting the dots with Auth0, with devs and enterprises and really test our thesis there. This is a really interesting chess match that's going on. Let's look a little deeper into that identity space. This chart here shows some of the major identity players. It has some of the leaders in the identity market and it's a breakdown of ETR's net score. Now net score comprises five elements. The lime green is we're adding the platform new. The forest green is we're spending 6% or more relative to last year. The gray is flat spend plus or minus 5%. The pinkish is spending less and the bright red is we're exiting the platform, retiring. Now you subtract the red from the green and that gets you the result for net score, which you can see superimposed on the right-hand chart at the bottom, that first column there. The far column is shared in, which informs and indicates the number of responses and is a proxy for presence in the market. Oh, look at the top two players in terms of spending momentum. Now sale point is right there but Auth0 combined with Octa's distribution channel will extend Octa's lead significantly in our view. And then there's Microsoft. Now just to caveat, this includes all of Microsoft's security offerings, not just identity, but it's there for context and CyberArk as well, includes its acquisition of adaptive but also other parts of CyberArk's portfolio. So you can see some of the other names that are there, which you'll find in the Gartner Magic Quadrant for identity. And as we said, we really like this move by Octa. It combines positive market forces with lead offerings from very well-run companies that have winning DNA and passionate people. Now to further emphasize what's happening here, take a look at this. This chart shows ETR data for Octa within sale point and CyberArk accounts. Out of the 230 CyberArk and sale point customers in the data set, there are 81 Octa accounts, that's a 35% overlap. And the good news for Octa is that within that base of sale point and CyberArk accounts, Octa as shown by the net score line, that green line has a very elevated spending and momentum. And the kicker is, if you read the fine print in the right hand column, ETR correctly points out that while sale point and CyberArk have long been partners with Octa at the recent Octane 21 event, Octa's big customer event, the company announced that it was expanding into privileged access management, PAM, and identity governance. Hello and welcome to co-opetition in the 2020s. Now our current thinking is that this bodes very well for Octa and CyberArk and sale point. Well, they're going to have to make some counter moves to fend off the onslaught that is coming. Now, let's wrap up with what has become a tradition in our quarterly security updates. Looking at those two dimensions of net score and market share, we're going to see which companies crack the top 10 for both measures within the ETR data set. We do this every quarter. So here in the left, we have the top 20 sorted by net score of spending momentum. And on the right, we sort by shared end. So again, top 20, which informs shared end informs the market share metric or presence in the data set. That red horizontal lines, those two lines on each separate the top 10 from the remaining 10 within those top 20. And our method, what we do is we assign four stars to those companies that crack the top 10 for both metrics. So again, you see Microsoft, Palo Alto networks, Octa, CrowdStrike, and Fortinet. Fortinet, by the way, didn't make it last quarter. They've kind of been in and out and on the bubble, but you know, the company's very strong and doing quite well. Only the other four did last quarter. They were same four last quarter. And we give two stars to those companies that make it in both categories within the top 20, but didn't make the top 10. So Cisco Splunk, which has been steadily decelerating from a spending momentum standpoint, and Zscaler, which is just on the cusp. You know, we really like Zscaler and the company has great momentum, but that's the methodology. That is what it is. Now you can see we kept Carbon Black on the rightmost chart. It's like kind of cut off to number 21, only because they're just outside looking in on NetScore. You see them there? They're just below on NetScore, number 11. And VMware's presence in the market, we think that Carbon Black is really worth paying attention to. Okay, so we're going to close with some summary and final thoughts. Last quarter, we did a deeper dive on the SolarWinds hack, and we think the ramifications are significant. It has set the stage for a new era of escalation and adversary sophistication. Now, major change we see is a heightened awareness that when you find intruders, you'd better think very carefully about your next moves. When someone breaks into your house, if the dog barks, or if you come down with a baseball bat or other weapon, you might think the intruder is going to flee. But if the criminal badly wants what you have in your house, and it's valuable enough, you might find yourself in a bloody knife fight or worse. What's happening is intruders come to your company via island hopping or insider, subterfuge or whatever method, and they'll live off the land stealthily using your own tools against you so that you can't find them so easily. So instead of injecting new tools in that send off an alert, they just use what you already have there. That's what's called living off the land. They'll steal sensitive data, for example, positive COVID test results when that was really, really sensitive, obviously still is, or other medical data. And when you retaliate, they will double extort you. They'll encrypt your data and hold it for ransom. And at the same time, threaten to release the sensitive information crushing your brand in the process. So your response must be as stealthy as their intrusion as you marshal your resources and devise an attack plan. You face serious headwinds. Not only is this a complicated situation, there's your ongoing and acute talent shortage that you tell us about all the time. Many companies are mired in technical debt. That's an additional challenge. And then you got to balance the running of the business while actually affecting a digital transformation. That's very, very difficult. And it's risky because the more digital you become, the more exposed you are. So this idea of zero trust, people used to call it a buzzword. It's now a mandate along with automation because you just can't throw labor at the problem. This is all good news for investors. As cyber remains a market that's ripe for valuation increases and M&A activity, especially if you know where to look. And hopefully we've helped you squint through the maze a little bit. Okay, that's it for now. Thanks to the community for your comments and insights. Remember, I publish each week on wikibon.com and siliconangle.com. These episodes, they're all available as podcasts. All you got to do is search, breaking analysis podcasts, putting the headphones, listen when you're in your car or out for your walk or run. And you can always connect on Twitter at D-Valante or email me at david.valante at siliconangle.com. I appreciate the comments on LinkedIn and in Clubhouse. Please follow me so you're notified when we start a room and riff on these topics and others. And don't forget to check out ETR.plus for all the survey data. This is Dave Vellante for theCUBE Insights, powered by ETR. Be well and we'll see you next time.