Getting Vulnerability Management Back on the Rails – Patrick Garrity – ESW #356

$100M Series D, led by One Peak. This brings funding to a total of $255M in the last 2 years for the startup. It's easy to see why they need the money. Going after the SME market requires resources, channel partners, and a product that checks a lot of boxes.

It looks like that's exactly what they're trying to execute on - their platform has modules for endpoint security, email security, and cloud app protection. There's a SASE offering, and managed offerings for all of the aforementioned modules.

$30M Series B led by Khosla Ventures. Described as a "data privacy vault" company, it definitely looks like Skyflow is going after some of the core concerns that exist between GenAI services and customers. What's not clear is how this solution works, exactly. The company's website suggests a tool that reminds me of data-focused CASB products like CipherCloud and Perspecsys. It sounds like the intent is to:

1. detect sensitive data
2. "de-identify it" (sounds like tokenization, maybe?)
3. polymorphic encryption is mentioned - maybe as an alternative to tokenization? Is polymorphic encryption similar to homomorphic encryption?
4. audit it

It sounds like it would have to be in-line, would need some modern DLP classifiers, tokenization tech, and encryption tech to do all this. It is certainly possible - the CASB market built a ton of these tools a decade ago. I'm curious as to why and how this product will be different. Would be interesting to have a chat with them.

$30M Series A led by Sequoia Capital and Cyberstarts. "Zafran Risk & Mitigation Platform defuses threat exploitation by mobilizing existing security tools"

Intriguing, but I'm still trying to zero in on exactly what they do. Direct competitor with VulnCheck?

$18.5M Series A led by Altimeter Capital. Permiso claims to help detect and defend against identity-based cloud attacks, which is a great product to be selling at the moment, as the CSRB review of Microsoft's 2023 email breach points to a lack of identity security as the core of the problem. The product comes across as a detection/response product for the cloud (with "over 200 detection signals").

Also, the website is delightful. Well done to whomever came up with this design, it REALLY stands out in all the best ways.

$10M Seed round led by Greylock. Great timing, as this funding announcement comes around the same time that they're announced as an Innovation Sandbox finalist!

They're aiming to help with data security, particularly around LLMs.

$8.5M Seed round led by Crosslink Capital. Focused on security analytics and SIEM replacement? Suggesting that alert data should be streamed and analyzed in real time, not stored and queried. SIEMs already do this, but additionally store it because most folks have retention requirements. Just look at the state of Microsoft in this CSRB report!

Looks interesting though, I'd love to learn more about what they're doing here.

Oversubscribed $8.5M seed round led by Crosslink Capital, Rally Ventures, and Liquid 2 Ventures. AI-powered SIEM? "Next-gen SIEM is not a SIEM" <- okay, you've got my attention. "Legacy SIEM isn't providing business value" <- okay, now you've REALLY got my attention. Appears to be analyzing security event/log data in real time using AI, rather than storing and querying it?

Looks very interesting, I'd love to learn more.

$8M Series A led by Blueprint Equity. Continuous pentesting solution.

$7M Series A led by Korea Investment Partners. Singapore-based with R&D in South Korea. Darkweb intel startup.

$2.5M seed round led by RTP Global and Picus Capital. Reportedly helps developers "stay clear of LLM vulnerabilities, including the lesser-known ones" throughout the dev lifecycle. Has 3 AI-focused products. The first is in beta now, and the others are labeled "Coming Soon":

• SydeBox: seems like a fuzzer/automated QA tester for LLM-enabled apps
• SydeGuard: reviews prompts for threats, and assigns a risk score - no automated blocking at the moment, just logs the data for analysts to review, and gives options to block, monitor, do nothing, or use a honeypot to deceive the user into thinking nothing was done
• SydeComply: "Dynamic Compliance Gap Assessment"

Competes with other LLM security-focused vendors, like Lakera and Prompt Security

Syde note (ha) - very cool Transformers vibe, VentureBeat!

Undisclosed round from SV Investment and the Korea Development Bank. They have a product called the "Desilo Data Cleanroom" that appears to be using homomorphic encryption.

Montreal-based Flare picks up US-based Foretrace. This deal seems to be all about EASM, though the press release mentions "Threat Exposure Management" (TEM).

A very tempting, feature-filled "personal cloud" product. The attack surface on these things always makes me nervous though - there have been no shortage of personal/small business NAS devices getting ransomed over the years.

A comprehensive report that pulls no punches on perceived inadequacy in Microsoft's security culture, controls, and programs. TL;DR - the board recommends that Microsoft take their foot off the innovation gas and start pumping the security brakes.

I'll be writing up a full essay/post with my thoughts after I finish reading the full report.

I did a bit of a doubletake at this one. Vulnerability management has been going through a lot of chances, and one of the key ones is the traditional vuln mgmt process. As we'll likely talk about in the interview with Patrick Garrity before this news segment, the traditional scan-driven approach just takes too long to be useful for defending against emerging threats.

This essay does a good job of capturing the traditional approach to vuln mgmt, which still works for compliance and regulatory use cases, where vulnerabilities must be fixed, even if they aren't currently a risk. But most orgs I talk to today are moving towards an intelligence-driven approach, or just doing away with vuln mgmt as a process, preferring to fully automate patching instead (at least, for COTS systems, this doesn't work for in-house applications, obviously).

A great analysis of the current state of the SIEM market, and the dilemmas buyers are having to deal with, as the market goes through growing pains.

Rich Mogul, analyst and longtime cloud security expert does a great job of summarizing what we've all been talking about for a while: Microsoft has really been dropping the ball with regards to security in Azure, and Azure-dependent products, and it has GOT to change.

We're getting close to RSAC, which means we get to start talking about my favorite part of the conference: Innovation Sandbox! This is a competition where hundreds of startups submit videos and the top 10 are chosen to compete in-person at RSAC. Each startup will have 3 minutes to pitch a panel of judges (and a fairly large audience), and then have a few minutes to answer some of the judges' questions.

It's a hugely entertaining event, and I look forward to it every year!

This year, we've got:

1. Aembit: "The First Workload Identity and Access Management Platform", "Manage Access, Not Secrets"
2. Antimatter: "The Sensitive Data Platform", "Define policies for LLMs"
3. Bedrock Security: "Frictionless Data Security", "Use GenAI Safely"
4. Dropzone AI: "AI SOC Analysts that never sleep. So you can."
5. Harmonic: "Accelerate secure AI adoption without risking the security and privacy of your data."
6. Mitiga: "Cloud Incident Response"
7. P0 Security: "Access is our Priority Zero", "Secure cloud access for all identities - human and machine - without disrupting developer workflows."
8. RAD Security: "Behavioral Cloud Native Detection and Response"
9. Reality Defender: "Leveraging AI to detect AI-generated threats"
10. VulnCheck: "Exploit Intelligence for Vulnerability Prioritization"

What's this? Good news? CSPs are relaxing egress fees? What's the catch? The article calls it a "change of heart", but I don't buy it. I think there had to be some pain point or lever that forced CSPs to reduce these fees. Perhaps customer pressure finally did it?

Apple is all over the place at the moment. They've promised some AI magic for their event this summer, and they've been releasing their own AI models, while there are rumors that they're in talks with Google to use Gemini on their devices as well. This reminds me a bit of their difficulty in finding anyone to build their now-abandoned self-driving car project. Is Apple just a difficult partner/customer? Too demanding?

We'll have to wait to see what happens this summer, but it seems like Siri is getting shaken up in some way!

This will address a lot of privacy and data residency concerns, but there will likely be tradeoffs. With smaller, more performant on-device models, the risk of hallucination may increase. There are also projects to put GPT models entirely into web browser tabs as well, so expect to see a lot more versatility and options when it comes to GenAI implementations.

To date, I've done nearly 20 advisory calls on Microsoft Copilot, and understanding how to get value out of LLMs is one of the most challenging problems right now. Sure, people are concerned about risks, but a lot of folks don't even see the point of paying $360/year per employee for this tool.

It's a mixture of not understanding the technology, what it's good at, what it's bad at and needing to see lots of examples to get the imagination going on how this tech could be used. "It's a copilot, not an autopilot", one Microsoft employee said, referring to the need to train users on how to write effective prompts.

A great writeup on risk-based vulnerability management, with lots of examples.

NVD is saved... maybe?

There are a LOT of takes on the xz backdoor. This one was written pretty early, so it might be missing some of the latest news, but it's a pretty solid take on the incident and an easy read.

Can't make this up. I suspected someone had, but looked a little deeper, and it seems legit.

Absolutely insane - the most bonkers case of gaslighting I've ever seen. Largely because of how long it was carried out!

Not an April Fool joke, this is totally serious, and seems like some awesome, potentially life-saving scientific research.

This doesn't worry me at all. Nope!