Lessons from 10 years running the first cyber-exclusive investment firm – Bob Ackerman – ESW #342
1. Lessons from 10 years running the first cyber-exclusive investment firm – Bob Ackerman – ESW #342
Bob Ackerman argues that, from an investment perspective, cybersecurity is like life sciences - a complex, nuanced field that is difficult to invest in part-time. So his firm, Allegis Cyber, became one of the first to focus exclusively on investing in cyber startups. In this segment, we'll discuss one of Allegis's recent investments, SixMap, and Bob's other investment/accelerator vehicle, Data Tribe. Data Tribe sources investments from the national intelligence community; Dragos is one example of a company that came through this program.
2. Carbon Black’s Solo Venture, Cybersecurity in Space, Rethinking Human Error, & More! – ESW #342
This week in the enterprise news, we explore the harsh realities of the startup world with a look at recent failures and shutdowns, investigating the factors leading to these setbacks. Meanwhile, Carbon Black makes headlines by breaking away from VMware in what seems like a divestiture within an acquisition, raising questions about the future of the company. We'll also discuss the European Space Agency's venture into cybersecurity for the space industry, revealing that even the vastness of outer space isn't immune to digital threats. Tune in for all this and more!
- 1. DIVESTITURE(?): Carbon Black breaks from VMware, embarks on independent journey within Broadcom
Adrian: "I guess you could think of this as a divestiture within an acquisition? Not sure if this is a positive thing or not. I've heard a lot about Carbon Black falling behind the rest of the market under VMware ownership, and last week we heard about layoffs following the completion of the VMware acquisition, so maybe this is good news, maybe not. Time will tell."
- 2. TRENDS: The European Space Agency Explores Cybersecurity for Space Industry
Cyberz in Spaaaaaaaace!
- 3. CONCEPTS: NO view of Human Error
Adrian: "Someone posted this in response to a LinkedIn post on not blaming employees when their mistakes result in cybersecurity issues. I've added it here for two reasons: 1) because I think it's important to remember that some of the issues we security folks run into have often already been solved in other, older disciplines, and 2) many security folks still seem to have a hard time with understanding that the direct cause of a cascading failure (like a breach) isn't necessarily responsible for it.
For example - when a bridge fails, we wouldn't blame the people driving on it at the moment it failed, right? Damn that Doug White and that extra cheeseburger he had at Five Guys today! He made the bridge fall!
Of course not! Instead, we aim to understand more about how the bridge was constructed, maintained, monitored, and inspected to understand the (more than likely) groups of factors that played a part in the failure.
An organization's computer systems, applications, networks, and other components are also a complex system, and when failures occur, it is also typically groups of factors that all contribute."
- 4. CONCEPTS: CISA’s Goldstein wants to ditch ‘patch faster, fix faster’ model
Adrian: "We're seeing a lot of shifting from traditional models and assumptions now that failures (mostly ransomware) are hitting companies hard, and often. We've long had the data telling us that using patching as a defensive measure requires extremely quick response. Quicker than most organizations can muster.
If vulns are going to be exploited, they'll generally happen in hours or days. At that scale, there are only a few options:
- fully automate software updates and skip QA/safety testing altogether
- put mitigations in place very quickly (e.g. virtual patching, vuln/exploit-specific mitigations)
- design systems/networks to be more resilient to attacker actions in general (e.g. isolation, zero trust, principle of least privilege, etc)
We saw the latter two in action following Okta's latest breach, as BeyondTrust, Cloudflare, and 1Password seemed to detect the attacks very quickly, and (according to them, at least) were able to isolate and eradicate the attackers.
In another example, the folks that fared best during the Log4Shell debacle were those that denied outbound comms by default for servers or any other systems that didn't really need it. Turns out that malicious code can't do much damage if it can't communicate back out!
In conclusion, I hate to say that traditional vuln management seems like a waste of time, but... I don't think getting OT vendors to switch to Rust, as CISA suggests, is the solution either."
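The "deny outbound by default" point above is easy to state and easy to get subtly wrong (allowing a port rather than a destination still lets a callback out). The following is an added example, not code from the show or from Adrian: it evaluates a handful of constructed flow records for a hypothetical server `web-01` against a per-host egress allowlist, reports which flows a default-deny policy would drop, and renders the equivalent nftables `output` chain. Host names, addresses and flow lines are all constructed for the example.

```python
"""Default-deny egress for servers: check sample flows against an allowlist
and render the matching nftables policy. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dst: str    # destination IPv4 address the host may reach
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Constructed allowlist for a hypothetical web server: it may talk to the
# internal DNS resolver and the internal package mirror, and nothing else.
ALLOWLIST = {
    "web-01": {
        Rule("10.0.0.53", "udp", 53),
        Rule("10.0.0.10", "tcp", 443),
    },
}

# Constructed flow records: "host src dst proto dport", one per line.
# The third line is an outbound LDAP attempt to an external host, the shape
# of the callback that made Log4Shell exploitation work; the fourth is HTTPS
# to an external host, which a port-only rule would have waved through.
SAMPLE_FLOWS = """\
web-01 10.0.1.5 10.0.0.53 udp 53
web-01 10.0.1.5 10.0.0.10 tcp 443
web-01 10.0.1.5 203.0.113.77 tcp 1389
web-01 10.0.1.5 198.51.100.9 tcp 443
web-01 10.0.1.5 10.0.0.53 udp 53
"""


def parse_flows(text):
    """Parse the constructed flow format into (host, src, dst, proto, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, src, dst, proto, dport = line.split()
        flows.append((host, src, dst, proto, int(dport)))
    return flows


def denied_flows(flows, allowlist):
    """Return, per host, the flows a default-deny egress policy would drop.

    A flow passes only if destination, protocol AND port are allowlisted for
    that host; hosts with no allowlist entry have no permitted egress at all.
    """
    dropped = defaultdict(list)
    for host, _src, dst, proto, dport in flows:
        if Rule(dst, proto, dport) not in allowlist.get(host, set()):
            dropped[host].append((dst, proto, dport))
    return dict(dropped)


def render_nft_rules(host, allowlist):
    """Render an nftables output chain with policy drop for one host.

    Return traffic for inbound connections is covered by the conntrack rule,
    so the allowlist only needs the connections the host itself initiates.
    """
    lines = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for r in sorted(allowlist.get(host, set()), key=lambda r: (r.dst, r.proto, r.port)):
        lines.append(f"    ip daddr {r.dst} {r.proto} dport {r.port} accept")
    # Log what gets dropped: the denied-flow report above is exactly what
    # these log lines give you in production.
    lines.append('    log prefix "egress-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for host, flows in denied_flows(parse_flows(SAMPLE_FLOWS), ALLOWLIST).items():
        for dst, proto, dport in flows:
            print(f"{host}: would drop {proto}/{dport} to {dst}")
    print(render_nft_rules("web-01", ALLOWLIST))
```

The allowlist keys on destination plus protocol plus port, not port alone; that is why the external HTTPS flow is reported as dropped alongside the LDAP callback. The rendered chain logs every drop, so the same report falls out of the firewall log once the policy is live.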
- 5. ATTACKS: SQL Brute Force leads to Bluesky Ransomware – The DFIR Report
Adrian: "I'm sorry, did you say XP-CMDSHELL???
What Year is It.GIF"
- 6. SQUIRREL: ‘FYI Pickleball DRAMA’: Local Governments Overwhelmed By Tennis-Pickleball Turf Wars, Documents Show
- 7. SQUIRREL: T’was the Night Before the Breach — 2023 Edition
- 1. From Unicorns to Zombies: Tech Startups run out of Time and Money
News Article detailing some of the latest fails and shutdowns.