Critical Infrastructure Security
Also: Microsoft’s Zero-Day and Broadcom’s Acquisition
In the latest weekly update, four ISMG editors discuss important cybersecurity issues, including the trending topics at this year’s RSA Conference, how security researchers are tracking a zero-day vulnerability in Microsoft Office and what Broadcom’s acquisition of VMware means for security.
The editors – Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Michael Novinson, managing editor, business – discuss:
- Anticipated hot topics at this year’s RSA Conference;
- How security researchers are tracking a zero-day vulnerability in Microsoft Office that’s being actively exploited by attackers to run malicious code on a vulnerable system;
- What Broadcom’s purchase of cloud and virtualization giant VMware for $61 billion means for security.
The ISMG Editors’ Panel runs weekly. Don’t miss our previous installments, including the May 20 edition discussing the case of the “Dr. Evil” of ransomware and the May 27 edition discussing highlights from the ISMG London Summit.
Anna Delaney: Hello, I’m Anna Delaney and this is the ISMG Editors’ Panel where we discuss the hottest themes in cybersecurity right now. And I’m very pleased to be joined this week by Mathew Schwartz, executive editor of DataBreachToday and Europe; and Michael Novinson, managing editor for ISMG business of cybersecurity. Great to see you both virtually and soon in person.
Mathew Schwartz: Off the heels of London, we’ll be in San Francisco soon.
Delaney: Yes, we are getting in the mood for RSA. And there’s a blue theme going on today with our skies. Matt, tell us about your sky.
Schwartz: This is springtime, possibly summer depending on how things go in Scotland. So this is just in the middle of Dundee. It’s an area called Magdalen Green; it used to be some kind of chapel probably back in the day. And then it used to be actually water as well – so a bunch of reclaimed space. Now it’s a beautiful urban park where you can hang out, eat your lunch, see some music in the summertime, and soak up the sun when we get it.
Delaney: Love it. It has a vintage feel about it as well. Nice. Michael, do explain.
Michael Novinson: I will! Say hello to Nibbles Woodaway. This is also known as the Big Blue Bug. It is along Interstate 95 in Providence, Rhode Island. It is the world’s largest artificial bug, nine feet tall, 58 feet long. I love these roadside attractions that give you a sense of place. I previously lived in Western Massachusetts, where there is a giant inflatable polar bear for Polar Seltzer. My husband grew up in Albany, where there’s Nipper, the dog – a giant foundation on top of the building – and then I grew up in Detroit, where there’s a 200-foot Uniroyal Tire on the road between the airport and downtown Detroit. It’s always nice passing these quirky roadside attractions, especially after being away for a while. It gives you a sense that you’re back home.
Delaney: And this one, of course, has a mask.
Novinson: Yes, it does. This photo is from the early days of COVID. They do dress it up for the holidays: they put a Santa hat on it for Christmas, put a costume on it for Halloween, and different companies can sponsor it and dress it up for life. On the Providence local news, you’ll often see the Big Blue Bug dressed up for the season.
Delaney: Very good! Responding to the times in real time. I am getting in the mood for RSA. This is, of course, in San Francisco. This was taken on my last trip there in 2019. So hopefully, we’ll get some equally blue skies next week. Perhaps RSA is a good place to start. What do you expect to be the hot topics this year at the conference? Matt?
Schwartz: It depends who you’re speaking with, of course, but from a review of the keynotes that are going to be happening, a few of the dominant trends: privacy, once again; public-private partnerships, especially with CISA now being a government agency, helping spearhead the business resilience push in the United States. We’re going to see a lot of discussion about that. Topically or thematically, I think we’ll see a lot on zero trust; enterprise detection and response, or extended XDR, is also always hot. There’s going to be a lot on the business of cybersecurity. We’ve seen a lot of M&A activity; I’m sure Michael will touch on that. And also securing the supply chain. We’ve got discussion continuing about bills of materials, and know thy supplier, which always also means know thy suppliers. So deep, difficult issues, ripe for discussion. And I’m sure those will just be some of the topics that we hear about this year in San Francisco.
Delaney: Very good. And I noticed they have the cryptographers’ panel back.
Schwartz: I noticed that too. I’m so excited. That was not initially on the schedule. And I was doing a review of it recently to write a preview. And I noticed that it’s back. And at its usual time, late on Tuesday morning. They’ve rescheduled the keynotes a little bit. They used to always be Tuesday morning in their entirety. Now they have some Monday afternoon, and they’ve sprinkled the rest around. But we’ve still got some Tuesday morning. I doubt there’s going to be a music, dance and light show like they used to have on Tuesday mornings. That was always fun. They’d bring in a celebrity who would do a monologue. Will they do that again? I don’t know. I guess we have to wait and see.
Delaney: They’re good. Michael, what’s on your mind?
Novinson: Matt covered a lot of the big points. But I think specifically on the business side, we do still have the storm clouds hanging over us. And I think especially for the VC firms in attendance and for the startups, it’s going to be a lot of thinking around what the future looks like for them. I know it is a somewhat smaller conference. Compared with previous years, it looks like about 400 vendors on the show floor rather than the 650 we were seeing in 2020. But I think there will be a lot of questions around when’s the money coming next and what does it look like? We had the high-profile Lacework, which raised $1.3 billion just six months ago, announcing that it will be laying off 20% of its staff, roughly 200 people, just last week. And I think that is kind of a sign of the times. I’m sure a lot of startups, both late stage and even getting into early stage, have to think about how they can extend their runway and make the money they have last longer. So I think that’s going to be a major theme at the show, along with some thoughts around some of these longtime public companies like Qualys, and what their future looks like. Valuations are down. We’ve seen private equity has been looking for a good deal. And I think there’s going to be some discussion around if we should expect to see some more value-based acquisitions of publicly traded companies by PE firms.
Delaney: And Michael, what do you hope to gain from the event?
Novinson: I’m hoping to broaden my horizons. I definitely do want to hear more on the supply chain side, what’s going on there, and from a policy standpoint, some around the software bill of materials, as well as some of the policy-based stuff around ransomware attacks. But in terms of any policies around governing when folks can pay and rules around disclosure. In the past 18 months, we’ve seen more proactive response from the US government in terms of trying to get involved with cybersecurity. I’m interested in hearing from some of the policy makers in terms of what they’re thinking going forward.
Delaney: Matthew, how much of Ukraine, Russia will dominate conversations, or maybe not at all?
Schwartz: Definitely the Russia-Ukraine cyber war, although it never was, except for maybe the Viasat satellite disruption, is going to be a huge topic. That has been something everybody thought was going to explode. And it’s been occurring at a much lower level than predicted. That has reshaped a lot of notions about cyber war. Not that that’s necessarily something that we talk about a lot, because it’s not as much of a business concern. Unless you’re in Ukraine right now. But some of the other topics I think we’ll be hitting include Colonial Pipeline. It’s been about a year since that happened. That’s an arbitrary date. We could talk about it six months ago, six months from now, but I think that a lot of people are using it as a touchstone. Like Michael was talking about, we were having a big discussion with the government talking about how to get better ahead of ransomware. And I think it’s a useful thing to look a year later from that attack at what all has changed. That’s just the cybercrime aspect of it as well. We’ve seen so much with the rush at the beginning of the pandemic to remote work. So the threats and risks that that has created, I think, will be a huge thing. This is the first RSA that we’ve had in person. We had it virtually last year as a stand-in. But now that we’re all back in person, hopefully coexisting peacefully, I think that the fact of our new existence is going to be a huge topic. All of the remote working security challenges haven’t gone away. Digital transformation is still happening at a huge pace. And I think a lot of organizations and a lot of IT administrators, CISOs, are worried and trying to keep up with all of that.
Delaney: I look forward to comparing notes as we go next week. So many other topics this week, other news stories: security researchers are tracking a zero-day vulnerability in Microsoft Office. Matt, tell us more.
Schwartz: Yes, it wouldn’t be a United States holiday weekend without some major flaw coming to light. It was just Memorial Day weekend in the States, and security researchers unearthed a Microsoft Office zero-day attack. Now, with zero-day attacks, it’s tough to tell how many are out there in terms of how many new ones are being discovered, stockpiled, put to use, or not put to use. But this one appears to date from April. It’s been spotted being used in some campaigns that reference that. Now, no attribution has been made about any of this, but you may remember phishing emails disguised as Tibet lures from such previous campaigns as those involving China. Not pointing any fingers, just noting. It could be a false flag, could be China, we don’t know. But it’s very interesting because this is a zero-day exploit, as I mentioned, which manages to bypass a lot of the protections built into Office. Microsoft has confirmed the flaw and is working on patches. What’s innovative about this is it abuses another piece of software that shouldn’t necessarily have a connection with Microsoft Office. Specifically, there’s a support tool called Microsoft Support Diagnostic Tool, or MSDT. I know it rolls off the tongue, but it’s designed to collect information that can be sent to Microsoft so their support people can handle problems. What the attack does is it invokes this capability, uses it to execute some arbitrary code, PowerShell scripting, and then that PowerShell script is built to download malware and to infect the system. Voila! So again, these attacks were seen in April. The attacks that we’re seeing specifically point to some websites, which are no longer active. That attack isn’t happening anymore, but the vulnerability persists. Is there a big cause for panic here? Not at all. Microsoft has detailed some mitigations.
And from a cybersecurity interest standpoint, it’s always fascinating to see what the latest, greatest unexpected exploit is, because attackers continue to be so innovative. They continue to pummel Windows in ways that probably nobody anticipated and find vulnerabilities like this, which security researchers would have expected wouldn’t have existed. There’s no reason you should be able to call this functionality in the way that it’s being called. Microsoft has a little bit of work ahead of it. It hasn’t said when it will patch the issue yet. But hopefully, we will see a patch soon.
Delaney: So right now, what’s your advice to security teams?
Schwartz: Review your exposure. Look at the applications that you have currently. Multiple versions, but not all versions, of Office are at risk. See if you are logging the kinds of calls that would get made by this attack, because it’s abusing this functionality in unexpected ways. You would not typically be logging the behavior that this attack would demonstrate. So if you go back and try to look for evidence that you’ve been exploited in this manner, you’re not going to find it, unless you now specifically go and put the right kind of logging in place. And at the same time you do that, you can create alerts as well, in case someone tries to exploit this. That way, your security team, your security operations center, will get a heads-up that someone’s trying to do something with this exploit.
Delaney: Great analysis and advice, Matt. So Michael, talk to us about Broadcom. Interesting news this week.
Novinson: Of course! Broadcom announced on Thursday that they’d be acquiring VMware for $61 billion. This is the second-largest enterprise software acquisition of all time, behind only Dell’s acquisition of EMC, which closed back in September of 2016. From a security standpoint, it’s interesting that the security businesses of both companies get somewhat overlooked. But from a revenue standpoint, we’re talking about some pretty sizable businesses. Neither company has disclosed their security revenues very recently, but the last time Broadcom did, they said that they had $1.61 billion of revenue from the Symantec business, and VMware was talking about having roughly a billion in security revenue as recently as 2020. So you bring the two of those businesses together, and you’re talking about one of the probably five largest security vendors in the world by revenue, behind the likes of Microsoft and Cisco and Palo Alto Networks and Fortinet, but not too many others. So I think a lot of people are nervous right now. Broadcom has made acquisitions before in the software space. Notably, they bought CA Technologies back in 2018, and then Symantec in 2019. And a lot of people haven’t seen them as a very good steward; it’s going to be a cost take-out play. Granted, neither of those companies were growing. In the case of Symantec, they were both their enterprise business. The business that Broadcom acquired was both flat in terms of growth and was losing money. So Broadcom’s strategy was to take out costs. They took operating margins up from the high 30s into the 70s. They cut R&D, they had massive layoffs, and the Broadcom strategy historically for all of their technology has been to focus on the largest enterprises. It’s the largest 600 or so companies in the world, and focus on selling to them and broadening their stack. And then essentially, letting the tail end wither; anybody below that doesn’t receive much support or much service.
So what that meant for Symantec in particular was that they had a lot of endpoint customers, antivirus customers, endpoint protection customers, who just stopped having their phone calls returned, whether it was end customers or partners that just couldn’t reach Broadcom at all, and now a large portion of those have switched over to Sophos, to Webroot, to ESET, to any other company that answers their phone calls. I mean, IDC just put out data yesterday on endpoint security market share. Broadcom’s endpoint security market share is down, or their endpoint security business is down, 10.6% from 2020 to 2021. They’re the only company who saw their endpoint security business shrink between those two years. Broadcom was trying to reassure folks on the VMware side that this time is going to be different. That VMware is a different company; they’re a company that is growing, double-digit growth. They’re a market leader in virtualization; they’re a technologically forward company. And in particular, they talked about, during the call with investors, that VMware has a lot of small and midsize customers, 300,000 customers using vSphere. They’re not looking to abandon those customers; they’re looking to continue to leverage the channel that VMware has built with value-added resellers and managed service providers to continue to service those customers, which would probably bleed into the security business as well. From a security-specific standpoint, the biggest things you have coming together here are the old Symantec business, which was of course endpoint but also was data loss protection with secure web gateway from the acquisition of Blue Coat, and you have that coming together with the VMware security business, which is the Carbon Black endpoint business, along with some investments VMware has made around application security and container security and cloud security.
To speak specifically on the endpoint side, just because we do have this new IDC data: in endpoint, Broadcom was the sixth-largest vendor by revenue in 2021. VMware was eighth, so you bring the two of them together, and they become the fifth-largest endpoint security vendor in the world, behind CrowdStrike, Microsoft, Trend Micro, and Trellix, with Trellix being the combination of McAfee and FireEye. So yeah, the Broadcom-VMware combination would make it the fifth-largest endpoint security vendor in the world, which leapfrogs over Sophos, which now falls to sixth. On a final note, I would say that from a structural standpoint, Broadcom is clear that they are essentially folding Symantec and Broadcom into VMware. So they’re going to become business units within the VMware organization. They’re going to go to market under the VMware brand.
Schwartz: It’s fascinating to see how the antivirus market continues to evolve. Interesting that they’re deciding to try to jettison the brand names. I’m curious to see if it works out. McAfee tried to do that. And it didn’t work, at least once or twice. And then eventually now they’ve tried it again with Trellix. So, fascinating how the longevity of these businesses is. That’s all I wanted to say.
Novinson: Yeah, that is interesting. Because Broadcom bought the rights to the Symantec name; the consumer business now goes by NortonLifeLock. And they didn’t use the Symantec name much. They sunsetted the website, they sunsetted their social media pages. In the past six months, they started going back to the Symantec name. The Twitter account woke up after being asleep for two years. So I think that they realized that Symantec has brand power. Similarly, we’ve seen with Cylance, which was acquired by BlackBerry several years ago, that they retired Cylance pretty much altogether, and then their executives have been talking about how that was a mistake. When people hear BlackBerry, they think of mobile phones, and they realize that Cylance meant something to people. They’ve been trying to reinvigorate the Cylance name there. I don’t know going forward if they’re going to use the Symantec name in any fashion, even for antivirus, or if that’s going to now be called Carbon Black, VMware Carbon Black, or VMware. But yeah, certainly the Symantec brand has power. So I think they should think carefully about what they want to do.
Delaney: Great comments, Michael. Thank you very much. Well, as we are approaching RSA and conference season in general, what has been the most memorable moment for you? Any conference moment that stands out?
Schwartz: I’ll go first, if I may. I flash back to the year 2000. A fateful year in computer circles, when I was a cub reporter covering the DEF CON conference in Las Vegas. We were getting a briefing, or were meant to be getting a briefing, in the press room from the CIA of all organizations. But there was this wonderful delay where the press attaché for DEF CON came into the room, with a bit of delay, and said, “I apologize for the delay. CIA is caucusing in the men’s room.”
Delaney: Michael, can you beat that moment?
Novinson: I cannot. I have been through a number of conferences over the years. I’ve heard a lot of interesting speakers. I think the most interesting I’ve heard was the captain of the US Airways plane who landed it on the water just outside of New York.
Novinson: I heard him a couple of years ago, and then Thomas Dolby, the musician behind ‘She Blinded Me With Science’ was randomly on the stage of the show and performed that using instruments on stage, which I can say I never expected to hear live. So that was a very unusual surprise.
Delaney: And I was going to say there was that party I gate-crashed once at the last RSA…
Schwartz: A party, Anna, you didn’t say.
Delaney: Rooftops and cocktails. I’m not sure that will happen again. I’m not sure I can get away with that. But we were all young once. So looking forward to next week. Thank you very much, Matt, Michael. Always a pleasure.
Schwartz: I can’t wait. I will see you in San Francisco.
Novinson: Can’t wait to meet you both in San Francisco.
Delaney: Exciting! And thanks so much for watching. Until next time!