
In this episode of Security Visionaries, we sit down for a conversation with Ray Canzanese, Director of Netskope Threat Labs, to discuss some of the big takeaways from the just released October 2023 Cloud and Threat Report. Ray digs into why he chose to focus on the adversary this time around, what surprised him about his findings, and how security folks and beyond can best use the findings from this report.

Read the latest Cloud and Threat Report at: https://www.netskope.com/netskope-threat-labs.

The thing you learn by looking at adversaries’ trends and tactics is what is special about your industry, or your region, that you should maybe be doing something slightly different, and more targeted toward the adversary that you’re up against. And oftentimes where you can get intel on this is talking to your peer organizations.

—Ray Canzanese, Director, Netskope Threat Labs

Timestamps

  • (0:01): Introductions
  • (0:47): Background on the Cloud and Threat Report
  • (1:38): What was the focus for this report?
  • (3:45): How was the approach different writing it this time?
  • (5:18): Big takeaways and findings from the report
  • (8:22): What was surprising about your findings?
  • (10:06): Why should security folks be taking note of those sorts of anomalies and outliers?
  • (11:37): What’s one takeaway you want to impart from this report?
  • (16:13): Closing thoughts

On this episode

Ray Canzanese
Director, Netskope Threat Labs

Ray is the Director of Netskope Threat Labs, which specializes in cloud-focused threat research. His background is in software anti-tamper, malware detection and classification, cloud security, sequential detection, and machine learning.

Max Havey
Senior Content Specialist at Netskope

Max Havey is a Senior Content Specialist for Netskope’s corporate communications team. He is a graduate from the University of Missouri’s School of Journalism with both Bachelor’s and Master’s in Magazine Journalism. Max has worked as a content writer for startups in the software and life insurance industries, as well as edited ghostwriting from across multiple industries.

Episode transcript

Max Havey [00:00:00] Welcome to Security Visionaries, a podcast powered by Netskope focused on bringing you conversations with senior executives from the world of cybersecurity, technology, trust and networking. This episode features a conversation with Ray Canzanese, director of Netskope Threat Labs. Ray sits down to chat with us about his latest quarterly Cloud and Threat Report, talking through why he chose to focus on the adversary this time around, what surprised him most about his findings and how security folks and beyond can use the findings from this report. Here's our conversation with Ray. Hello and welcome to Security Visionaries. I'm your host, Max Havey. And today we're sitting down for a conversation about the October Cloud and Threat Report with Ray Canzanese, director of Netskope Threat Labs. Ray, welcome to the show. How are you doing today?

Ray Canzanese [00:00:44] I'm doing all right, Max. As good as I can on a Monday. How about you?

Max Havey [00:00:47] I'm doing solid. So glad to be having this conversation. So as the director of Netskope Threat Labs, Ray is responsible for writing our quarterly Cloud and Threat Report. To get things started off here, Ray, can you give us a little bit of background about the report, how long you've been doing it and why we do it?

Ray Canzanese [00:01:06] Sure. We started writing these reports in 2020, so this will be our third complete year of writing these reports. We put a new one out every quarter and we cover a slightly different topic or angle every time we put a new report out. The goal of these reports is to provide strategic, actionable threat intel to the reader. So that's what we're hoping comes through in all of these, but especially the latest report we just put out.

Max Havey [00:01:38] Absolutely. And so can you tell us sort of what the focus for this most recent report was and sort of your approach for writing this report?

Ray Canzanese [00:01:45] Sure. So previous reports have covered topics like where we see malware getting downloaded by victims. We've talked about where they're encountering phishing links. We've talked about risks with A.I., right. We've talked about insider threat risks. So we've taken all these different views, many of them about an external adversary. And for this latest report, we decided to focus on that adversary. Right. So instead of focusing on a specific thing like phishing or malware or exploits, let's look at the adversaries. Let's look at the adversaries that are most active against Netskope customers. And let's see if we can learn anything from that. Let's see if we can learn, for example, what are the top tactics and techniques that are being used, regardless of which adversary we're talking about? Or let's look at whether, if I'm working in a specific industry, in a specific geo, there's a particular adversary I should be worried about and therefore a specific set of tactics and techniques that are favored by that adversary that I should focus my defenses on.

Max Havey [00:02:59] Definitely. So a sense of, you know, sort of knowing your enemy so that you can better sort of do things on your end.

Ray Canzanese [00:03:05] Exactly right. And sometimes I feel like we get a little abstract when we talk about cybersecurity, like we're talking about where malware comes from and where you're encountering malware. And this is kind of taking that step back and reminding ourselves there's somebody else doing that, right? There's somebody sending those links, right? There's somebody trying to convince your users to do these things that compromise your systems. So let's really focus on who that is. Right. Who that adversary is on the other side of this sort of offense-defense type battle that we're up against in cybersecurity.

Max Havey [00:03:45] How did having sort of that perspective sort of change the way that you approached writing this report compared to, you know, previous reports that you've done?

Ray Canzanese [00:03:52] Sure. So first off, it changed the approach of, let's call it the 12 months up to writing this report. In other words, what we needed to change first to even write this report, right, is to more closely and more accurately try to track the adversary. Right. So the first thing that changes for us is that we start spending, you know, even more time when we're detecting malware, when we see somebody visiting a phishing page, when we see command and control traffic exiting an endpoint, trying to collect as much information about that as we can, to then try to attribute that back to one or more of the adversary groups that we are tracking. Right. So all of that work, you know, and I save roughly a year, right. Which is more or less what this report covers. We end up starting talking about, you know, beginning of 23 to today. So that's that's where we begin, right, is tracking. And then when it comes time to start writing the report, what you're looking at as well, are there any adversaries that were more active than others? Right. Are there any that were more active within a certain population than others? And then just start looking at those tactics that are floating to the top, right. To see what are those interesting trends, those stand out things that are going to then guide us in our defensive strategy moving forward.

Max Havey [00:05:18] Definitely sort of a more qualitative approach there. Well, so then with with that in mind, sort of what were some of the big takeaways and some of the big findings that you had coming out of this report?

Ray Canzanese [00:05:27] Sure. So the big takeaway, the first and maybe easiest takeaway is that throughout all of the adversaries that we were tracking, right. And there were, I think, around 50 total groups that we tracked for this report. There were a few techniques that stood out of just everybody is using them. Right. So if I'm taking that know your adversary approach, right. There's this one angle to it that's well, I don't really care which of the 50 adversaries it is. They're likely to be doing these six things and these six things in pretty substantial volume. Right. And those six things we had tracked them in terms of the MITRE ATT&CK framework. So the MITRE ATT&CK framework gives us a really nice language to talk to each other in cybersecurity about tactics, about techniques, and about the groups that are using them. So we picked that common language to write this report in and in that common language, we talk about initial access, the techniques that adversaries use to get into a target system. We talk about execution, which is how they're running malicious code once they're in that system, we talk about command and control, which is obviously once they've compromised the system, how are they then talking to it? And then finally, data exfiltration, Right. How do they, if their ultimate goal is to, for example, try to blackmail you, they're going to have to steal something to blackmail you with, right? So they need to exfiltrate some data back to their systems. So we look at six specific techniques in those categories and basically found across the board. Every adversary that we were tracking was doing them. And they centered around phishing, they centered around getting users to execute malware, and then they centered around doing all the command and control and the exfiltration over HTTP and HTTPS, basically to blend in with all the other stuff on the network.

Max Havey [00:07:40] So essentially breaking down what sort of the key tactics and tips that you're seeing a lot of these different adversaries are, they're all applying and then kind of breaking those down sort of by industry, by geo and a lot of other factors once you sort of laid those out. Right.

Ray Canzanese [00:07:55] Right. And we started with those because if you're if you're just trying to get from this report, what should I do differently? Those are the ones that everybody is getting targeted with, Right? So if you're going to start somewhere, start with the ones that are common because your defensive strategy is going to work against virtually every group. Right. Then the next step after you go through those six tactics and techniques are to look at what's happening in your industry and your geo.

Max Havey [00:08:22] Definitely. And as you sort of drill down further into those geos and industries, is there anything that really jumped out at you as sort of surprising in these findings?

Ray Canzanese [00:08:30] Yes, there was one thing that really surprised me. So if you look just across the adversaries that we're tracking, they're very roughly in two groups. They are either financially motivated or they are geopolitically motivated. Right. They're either cyber criminals. Right. Or they're some sort of state-sponsored or state-affiliated geopolitical actor. And so looking in those two groups and across sort of our entire network, it's no surprise, I think, to anybody working in cybersecurity that the overwhelming volume is cyber crime, right? It's mostly cyber criminal activity. The geopolitical activity as a percentage of total volume of attacker activity is much lower. Now, there were some standouts, right? So on the industry side, in financial services and in healthcare, the geopolitical adversaries were more active than they were in other industries. Similarly, there were standouts in the geographical regions where it's pretty much the opposite. There were two standouts, the standouts being Australia and North America, that had much lower geopolitical adversary activity than other regions. So really, you know, it was those standouts that were the surprising bit here, right, in terms of whether it was cyber crime or geopolitical activity that we were seeing.

Max Havey [00:10:06] Absolutely. And so what made those specific standouts so interesting, and why should, you know, folks who are cybersecurity leaders or other folks within security organizations be taking note of those sorts of anomalies and outliers within this sort of research?

Ray Canzanese [00:10:22] Right. So if you work in one of those outlier regions, right, that tells you something about the adversary that you're up against. Right. And so it's not just, look at whether it's geopolitical or criminal. Right. But you can then use the MITRE ATT&CK framework to look at, of those top geopolitical adversaries in those regions, what are the tactics and techniques that they are using? Right. And how well are your defenses tuned against them? So in other words, the thing you learn by looking at that is what is special about your industry, or your region, that you should maybe be doing something slightly different, and more targeted toward the adversary that you're up against. And oftentimes where you can get intel on this is talking to your peer organizations, right? So talk to other people in your industry, other people in your industry that are operating in the same region as you. You can often, you know, find an ISAC or some other group, right, that you can join and share with each other what's going on. How your peers are building up their defenses. What you can do differently, learning from them to defend against the particular adversaries you're up against.

Max Havey [00:11:37] And that's a good broad takeaway, especially as we're, you know, kind of in the midst of Security Awareness Month right now. And thinking about that, just zooming out a little bit further, if you had to offer one key tactic or tip coming out of this report to the broader security organizations, security folks who are technical, non-technical, non-threat, you know, folks out there in security, what's one takeaway you would offer to them?

Ray Canzanese [00:12:01] Sure. So I know that one of our favorite topics to talk about in Cybersecurity Awareness Month is phishing. So let me talk about phishing for a minute, because when we think about phishing, we often think about email, right? A lot of our phishing training focuses around how do you know whether it's safe to open that email? What we found is that email is becoming a less and less common way in which people are falling for phishing. Right? And that's one, because you train everybody to be suspicious of email, and two, because you build up all your anti-phishing defenses around email. And so what we're starting to see is that it's not email, it's text messages, it's phone calls, it's DMs on Instagram, it's fake reviews on Facebook. It's weird search results that you found in Google when you search for a really specific thing that you wanted to know about some software you use or some hardware you use, that an attacker managed to get a phishing page listed on the Google search results for that. So in other words, I think the phishing story is that phishing isn't email, right? Phishing is somebody else trying to trick you into giving up your username or your password or logging into something when they're kind of looking over your shoulder virtually. And that can begin anywhere, and it can begin outside of email. So if you're worried about phishing from a technical perspective because you work in cybersecurity, make sure your phishing defenses go beyond email. If you're just a regular old person out there who's a little paranoid and worried about phishing, easy solution: never click on links, ever. Never go to websites that other people tell you to go to. In other words, if I want to log into my bank's website, I open my browser and I type in the URL of my bank's website. There's no other way that I will ever log into my bank's website. No dire-sounding text message. No Instagram DM, no Snapchat, no Facebook, nothing. There's nobody anywhere that's ever going to convince me to log in to anything important any other way.

Max Havey [00:14:29] Well, and that's a good point too, noting how this phishing has evolved, like we saw even in the news recently with the MGM attack, where that was done through voice phishing, through a phone call to the help desk. So there are these examples of how this is continuing to develop and grow and change. And I think that's an excellent point to have there.

Ray Canzanese [00:14:48] Yeah, absolutely. And I mean, I don't know how common this is, but I probably get a dozen phone calls and text messages a day that are certainly scams of some sort. So they're either, you know, phishing for credentials or trying to get me to send them money. Right. But there's something going on there. So I think people might be familiar with some of these higher volume ones. But when you start getting into the lower volume, more nuanced ones is where people start getting tricked. So stop thinking about the channel and start thinking about, like, what's actually going on. Somebody is trying to get you to go to a fake website. So just don't give anybody those opportunities, right? Just never, never click on links. Right. Easy solution. Unplug that computer.

Max Havey [00:15:37] Stop thinking about the channel and focus on the outcome. Feels like the real big takeaway here. I feel like that's something that is easy enough for everyone in our audience to remember and to keep in mind as they're operating out on the Internet.

Ray Canzanese [00:15:50] Right. Because, you know, I give all those examples of what it is today, right? But tomorrow it's going to be, I don't know, Mastodon or some other platform that is not as popular now, but as it becomes popular will become a channel where phishers, scammers, cyber criminals, geopolitical actors, they'll all go there as well.

Max Havey [00:16:13] Yeah, absolutely. I think that brings me to the end of my questions here. Is there anything further that you'd like to add that we haven't covered in this conversation so far?

Ray Canzanese [00:16:22] Well, if we weren't going to give the pitch, I'll give the pitch. Right. This report is live on netskope.com/threat-labs. On our website you'll find more details about everything we talked about here today. And every month you'll see new monthly reports go up on our website. We'll talk about interesting threats live as they're happening on our blog. And every quarter you'll see another one of these big reports. If you can't keep up with all of this exciting stuff that we're doing, I also have a mailing list that you'll find at that exact same website, that is netskope.com/threat-labs.

Max Havey [00:17:04] Absolutely. And for everybody who wants to check this out on their own, I will have a link to this in the show notes for the episode. But until then, until we have another report for you: Ray, thank you so much for taking the time. It's always illuminating talking to you about all the interesting new stuff you're uncovering over at Netskope Threat Labs.