ISMG Editors: Industry Impact of Cisco's Splunk Acquisition
Also: OT Security Trends, Challenges; FDA Medical Device Guidance
Anna Delaney (annamadeline) • September 29, 2023
In our latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including key takeaways from a recent discussion forum for security leaders focused on developing a proactive strategy for OT security, final guidance issued by the U.S. Food and Drug Administration on cybersecurity in medical devices, and how the acquisition of Splunk by Cisco might affect the overall cybersecurity industry.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, ISMG business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discussed:
- Highlights from a recent roundtable on how to build a proactive approach to OT security;
- How the FDA has issued final guidance on how medical device makers should approach cybersecurity in their products to meet new requirements for including cyber details in their premarket product submissions;
- How Cisco's proposed $28 billion buy of Splunk will allow businesses to move from threat detection and response to threat prediction and prevention by combining XDR and SIEM.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 15 edition on whether frequently used usernames are a security risk and the Sept. 22 London Summit special edition.
Transcript
Anna Delaney: Hello and welcome back to the ISMG Editors Panel. I'm Anna Delaney, and this is our weekly editorial overview of what's hot and what's not in the world of cyber and information security. The ISMG editors joining me today include Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, and Michael Novinson, managing editor for ISMG business. Very good to see you all.
Tom Field: Good to be seen.
Marianne McGee: Thanks for having us.
Michael Novinson: Thanks for having us.
Delaney: Tom, you moderated a roundtable earlier this week - that's why you were on this plane in Houston - on the topic of OT security. What are some of the current trends and challenges for security leaders that you picked up on?
Field: Well, you noticed I went to Houston, I didn't come back with any iconic photos. There you go. It was a terrific discussion, because it was talking about OT security and how to have a more proactive incident response. And this was a session that was sponsored by Mandiant, which, of course, is now part of Google Cloud. And it featured as a subject matter expert Paul Shaver, the global head of the OT practice for Mandiant and for Google, so excellent expertise there. We had participants in the room from financial institutions, from oil and gas, from manufacturing, so a great mind share of OT interests, and they found that there were some common concerns among them, and probably not surprising to any of us here. One is just the legacy equipment within their OT infrastructure, particularly when you get into oil and gas and the devices that are out there managing these huge rigs out on the ocean. But even in trucking and in manufacturing, there's so much legacy equipment, extremely low visibility into the equipment to be able to see if there are issues within these environments. You always come across the cultural issue, IT vs. OT. And that was evident even as we went around the table, because I had one participant saying, well, we've got this OT culture and they're always saying, hey, stay out of our stuff, keep away from us, we take care of our own. And you went around to people and someone raised a hand and said, yeah, I'm one of those OT people that says stay out of our stuff, we do our own. So the culture is always an issue there. And the human factor, the idea of a malicious insider, or rather a compromised insider, making a costly mistake within the OT environment came up in the conversation. I think one of the bigger themes, and it's something we don't talk about nearly enough, is that often when there is an OT incident, something has to go down or be taken down. That impacts production. You impact production, suddenly you impact revenue.
And that's an issue that a lot of people in the room were grappling with in terms of being able to detect fast enough and respond quick enough when the pressure is just get back online, forget what the cause is, and what's happened, get us back online. And the other sort of wildcard factor that was brought in particularly from Paul Shaver with Mandiant is the threat landscape. And that adversaries, particularly nation states, are paying a lot more attention to the OT environment now in targeting it partially because of legacy equipment, lack of visibility and the cultural issues. And the notion that you take down OT, you take down an organization. It's more than just a shot across the bow. You're crippling an organization. So some of the common concerns that were raised in the discussion, eye-opening, honestly!
Delaney: And since you spoke with ... what's their appetite for implementing emerging technologies such as AI, machine learning? Is there appetite for those sorts of technologies?
Field: It only took 25 minutes before generative AI came into the conversation. Yes, I do time this now. So yes, there's an appetite there. But you've got an issue with being able to get the board's attention for this and to get the resources necessary. And OT just doesn't have the attention that it deserves. Even in the room that we were in, I would say it didn't have the attention it deserved. We had an executive participating who said, okay, can you define what OT is. And we were surprised we're having that conversation in 2023. But I even see instances - one of our participants talked about the local municipal transportation system, the bus system, their payment system, and it runs on Windows NT. We heard about another municipality where brand new buses were delivered, and the video screens on these brand new buses are built on Windows NT. There is so much end-of-life technology that's out there still being used on legacy equipment that this just becomes almost an impossible task to reckon with. And yet, it's something that we have to pay some attention to, because critical infrastructure runs on this. So I'm afraid I don't have any solutions for you. There was an appetite within the room to address this. But I think we need a greater appetite within the boardrooms around the world to tackle this, to the degree it needs to be tackled.
McGee: The OT aspect or sort of focus came up in a recent interview I did with ... which we just posted the other day or yesterday, with Ali Youssef, who is the person in charge of medical devices at Henry Ford Health System in Michigan. And OT is one of the things that keeps them up at night, besides the medical devices, which are fortunately getting more attention, but HVAC systems, lighting systems, all these critical systems that are OT that doctors depend on in the operating room. Everything has to be a perfect sort of temperature for patients. And these things are safety issues as well, especially in healthcare.
Field: They are. In fact, it was an obvious loss in the room that we didn't have anybody in there participating from healthcare. So I would have loved to have had that perspective. We talked about it within the group but didn't have anyone there representing. So it's just a huge issue that doesn't get nearly enough attention when we're talking about generative AI and other things. OT is one that, I mean, Colonial Pipeline should have been a warning a couple of years back. OT is one we've got to pay a lot more attention to, just in regards to critical infrastructure.
Delaney: Well-said! Well, Marianne, the FDA has recently issued final guidance on how medical device makers should address cybersecurity in their products. So can you provide an overview of the guidelines and why they are considered crucial for the healthcare sector?
McGee: Sure! Well yeah, as you say, the FDA issued this final guidance this week pertaining to the cybersecurity of pre-market medical devices. And the guidance finalizes draft guidance that the FDA issued in April of 2022. And this new guidance also replaces earlier medical device cybersecurity guidance for pre-market products that the FDA issued almost a decade ago, in October of 2014. And as we all know, a lot has changed on the cyberthreat landscape over the last 10 years since that first guidance was issued, including the surge of ransomware and other hacking incidents that could affect the safety and security of connected medical devices. This new guidance from the FDA also comes as the FDA is sort of officially kicking off its new Refuse to Accept policy for pre-market medical devices and their cybersecurity. Under this new Refuse to Accept policy, which again kicks in on October 1, the FDA says it will immediately reject a manufacturer's pre-market medical device submission if it lacks newly required cybersecurity details that the makers now have to submit as part of their application to the FDA for approval for these products. Those details include a vendor's plan to address post-market vulnerabilities, a method for coordinated disclosures of exploits, and a software bill of materials that includes commercial, open-source and off-the-shelf software components. Now, the FDA's Refuse to Accept policy has existed for many years for various other medical device products. But the policy previously did not apply to the cybersecurity of medical devices. The policy for medical devices went into effect on March 29. But the FDA essentially gave sort of a grace period for device makers to prepare for the October 1 date, when it said it would begin rejecting submissions that lack cyber details. Now, the FDA was granted this enhanced authority over medical device cybersecurity by the U.S. Congress as part of an omnibus funding bill that was signed into law last December by President Biden. Meanwhile, the recommendations in the new FDA guidance are just that: they're non-binding suggestions for how medical device makers should approach cybersecurity in their products. But regardless of whether a device maker follows the FDA recommendations or takes other approaches, the vendor must still provide those cyber details to the FDA as part of the agency's review process. Now, some of the experts I spoke to this week about the guidance and this new policy going into effect, including Phil Englert, who heads medical device cyber issues for the Health Information Sharing and Analysis Center, said that it'll take a while for the healthcare delivery organizations that use these products to see an impact of these new requirements. Englert tells me that healthcare organizations in the near term should not read too much into that Refuse to Accept policy. He says it's mostly a screening process for the FDA to more effectively use their own staff resources and time to evaluate complete submissions from medical device makers. He also said that the review process is not a qualitative assessment of the adequacy of the submissions involving cybersecurity controls that are applied to the devices. But nonetheless, in the long run, healthcare organizations can leverage the fact that medical device manufacturers have produced cybersecurity artifacts for their submissions to the FDA. And these documents should be helpful in healthcare organizations understanding the cybersecurity profile of a device and its cybersecurity lifecycle requirements. Englert also says that this information should be helpful to medical device users to deal with the various cybersecurity aspects of the technologies as they look for ways to provide better and safer ways to care for patients.
Delaney: Just thinking about smaller or, say, less established medical device manufacturers, are there any considerations or even specific challenges that they should keep in mind when implementing these cybersecurity measures accordingly?
McGee: Yeah, that's a good point. Because when I talk to people about these policies and the guidance - and the FDA has been talking a lot about software bill of materials and things like that even prior to this Refuse to Accept policy, prior to this new guidance - some of the more established medical device makers have been taking this to heart. But as you say, some of the smaller, maybe more sort of specialized companies, they've got an advantage and then they've got a disadvantage. Their advantage is that they're newer; they probably are more well aware of some of these issues that the legacy medical device makers have kind of ignored for years. But if they're a smaller company, they might have less resources to sort of dedicate to some of the cybersecurity issues that the FDA is concerned about. So we will have to see what happens. Again, it could take years sometimes for these medical device products to get approval. They have a lot of other things they have to show - how effective is it, and is it dangerous for using with patients, all sorts of things. And the cybersecurity aspect is just now a small but formal part of that whole process.
Delaney: Yeah, just quickly, Marianne, you mentioned the FDA's enhanced authority granted by Congress. What change has this introduced? I mean, how has this change impacted the FDA's role in regulating cybersecurity in medical devices?
McGee: Well, again, going back to the guidance, these are recommendations; they are not required. But now it's not just up to the manufacturer if they want to, let's say, focus more on cybersecurity. What Congress did, basically, was amend the Federal Food, Drug and Cosmetic Act - I think I'm getting that right - which is a long-term sort of legal document that the FDA operates under, and they added this amendment formally to ensure that cybersecurity is addressed by medical device makers. So now it's part of law, so you've got to do it.
Delaney: Very good. Well, progress, I think. Michael, it's been another crazy week in the cybersecurity marketplace. Cisco last week announced its intention to acquire Splunk for about $28 billion. Chunky amount! What do we know so far?
Novinson: Absolutely. And thank you for this opportunity, Anna. So the announcement somehow came as a surprise, even though it feels like it shouldn't have. So there were a lot of media reports about a Cisco-Splunk deal back in February of 2022. To that point, the Wall Street Journal reported it, the New York Times corroborated that there were talks. The acquisition at that point would have been north of $20 billion. Then radio silence for about 19 months. And then on the 21st of September, out of nowhere, a $28 billion deal. So the first thing is, that's kind of remarkable, because Splunk is worth 40% more than it was in February 2022, when the market was humming along. There aren't many companies who are 40% more valuable today than 19 months ago, other than maybe an early-stage startup like Wiz. So it shows that they've done some work righting the ship there at Splunk. They got a new CEO, Gary Steele, in April of 2022. He was the founder and longtime CEO over at Proofpoint, and he's tightened up operations in order to help continue that transition from licenses to subscription, on-premises to cloud-based, that they've been undertaking the past couple of years. And it's gotten them focused on moving into ancillary technology areas. So this is an enormous feat for Cisco. And it's different than most of the M&A activity we see from cybersecurity vendors. If you were to look at Palo Alto Networks or CrowdStrike, they love going after these early-stage startups in adjacent technology categories. So browser isolation, enterprise browsers, application security posture management, data security posture management. The idea is they take these early-stage companies, and then they essentially take the technology and consolidate it into their existing customer base and use their sales force to take this promising technology global. The Cisco deal is a very different one. Everybody's heard of SIEM; it's been around for a couple of decades.
And yeah, it's an effort to try to bring together security operations with everything that Cisco does already, from their network firewalls to their work in identity and authentication. And then in particular, to the investments that they've made recently around extended detection and response, XDR. They rolled out a brand new XDR offering, generally available at the start of August of this year. They want to align that XDR piece that they have with the SIEM capability that Splunk has had for a couple of decades. So two notable bets here. The first is that enterprise organizations are going to be interested in consuming both XDR and SIEM rather than using one or the other. And certainly we've seen a lot of XDR vendors position themselves as a SIEM replacement, saying that SIEM is clunky and expensive and all of that. But Cisco is betting that SIEM is not going anywhere, that at least in the large enterprise the robustness of SIEM - the ability for it to be customized and to handle large volumes of data - is something XDR can't replace; that yes, XDR is lighter, it's flexible, but if you have highly customized, highly specific needs, XDR isn't sufficient to address those. So in that way Cisco's making a big bet that SIEM is going to be around for a long time, or else why buy a SIEM vendor? And then secondly, they're making a bet that they're going to be able to bring all of this together. And this is hard to do. I know I had spoken to Allie Mellen over at Forrester. And she had put out a separate piece saying the Cisco-Splunk deal is good for Cisco, but is it good for Splunk customers? And certainly there's a fair amount of concern in the Splunk customer base, given Cisco's track record with major acquisitions in the past, the perception that Cisco is where innovation goes to die, or a perception that Cisco is a hardware vendor, given their heritage in network firewalls and routers and switches, and what do they know about software?
So I think there's going to be a lot of negative perceptions to overcome on Cisco and reassuring Splunk customers. I think something a lot of people are watching for is: is Splunk going to be allowed to run independently? Will it just be a separate operating division within Cisco, the way that Aruba runs separately within Hewlett Packard Enterprise, or is that not going to happen? And if so, how can they make Splunk more profitable, because it's losing money now, and that's something investors want to see. And then yeah, the SIEM marketplace, finally, it's just getting competitive. I mean, you have to start with Azure Sentinel. That was only introduced in 2019, and it was the highest-rated SIEM offering by Gartner just three years later, which is remarkable. And they're certainly smelling blood in the water here with all these Splunk customers. Are they looking to switch? They probably already use Microsoft's OS. So there's some synergy there. And then you also have Chronicle from Google, which may see an opportunity to try to poach Splunk customers, plus all of these pure-play security operations vendors who can promise dedication and focus that maybe Splunk seems to lose in the messiness of being part of Cisco. So there's going to be a lot of displacement, or attempts at it, and the acquisition is going to take a year to close. So their competitors have a lot of time to stir up fear, uncertainty and doubt. There's a question of how much Cisco can say, because there's always antitrust concerns. The Biden administration's been much stricter on antitrust and nearly scuttled Thoma Bravo's acquisition of ForgeRock on antitrust grounds. So I don't know how public Cisco or Splunk are going to be in talking about this acquisition until close. So there's going to be a lot to digest here, and a sense of: are Splunk customers confident that there's going to continue to be a lot of innovation in the technology as part of Cisco?
Delaney: Given this significant investment in Splunk by Cisco, how might this acquisition impact the overall cybersecurity market? You said that we might have a year or a few months of FUD. But what are the thoughts?
Novinson: Yeah, so there's always this talk, are we going to see this wave of consolidation, and this is meaningful consolidation, because you have almost certainly the market share leader in security operations coming together with one of the top two or three market share leaders in network security technology. So are we going to see other folks doing this? There still are questions that, I think - I'm kind of a pessimist by nature. So everybody's said this is what, consolidation is going to happen. And I mean, the interest rates are high, the era of free money is over. And it's going to be a question of who has deep enough pocketbooks to do this with the cash on hand, because nobody wants to borrow money right now. So could Microsoft, could Google, could IBM, could Oracle, could AWS make a multibillion-dollar security acquisition? Absolutely, they have the money on hand. And private equity firms do as well. But in terms of other companies, in terms of the pure plays, the Palo Altos and the CrowdStrikes and the Zscalers, nobody wants to borrow money right now. It's too expensive; investors would hammer you for it. In the market, I mean, Okta never recovered from the money spent on Auth0 back in 2021. So maybe some of the deep-pocketed folks will make some big bets in cyber. But I think the market environment makes it tough. So I think to me, this is going to be an exception. I think we're going to see more of those Series A, Series B type acquisitions, in the ballpark of half a billion, a quarter of a billion, because I think those are easier to digest. And I think at least the big security players have the money on hand to easily pull those off.
Delaney: Very good. Excellent insight. Thank you, Michael. And finally, and just for fun, if you could interview an AI-powered chatbot that had access to the world's most classified cybersecurity secrets, what's the first question you'd ask it?
McGee: Who shot JFK? I'm kidding. For me, I would be looking for some juicy healthcare breaches that I don't know about.
Field: I'd start with what is Vladimir Putin's password. Might open some doors.
Novinson: I was just thinking about all the smart devices, the Nest and the Ring and all of those, and the features, and how much do they know about us? How much are they listening in to the conversations, and who are they feeding that information to?
Field: You'll suddenly start getting ads for penguins, won't you?
Delaney: Yes. I'm going to have to ask them what are the top threats that they think organizations and governments should be focused on, and let's compare. Are they similar to the ones we're focusing on on our sites? An interesting question. So these are great!
Field: Putin's password would help you too.
Delaney: Well, thank you very much, Michael, Marianne, Tom. It's been a pleasure and as always great fun.
Novinson: Thanks for speaking with us.
Field: Until next time!
Delaney: Thanks so much for watching. Until next time!