Open Source MFA, Layoffs, Krit, AWS Incident Response, & Product Led Growth Talk – ESW #287

$14M Series A led by Insight Partners and Sequoia India. Privado scans code repos for PII use and points where private data is sent to third parties. An interesting take on the resurgence of data security startups we've seen, organizations definitely need a better handle on data flows and responsibility for customer data.

An add-on round to BalkanID's seed, making the round larger than some Series A raises we see. From what I can tell, BalkanID discovers security issues within the spaghetti mess of permissions and access controls across all of a company's cloud and SaaS use.

Krit was a well-known, but small cybersecurity product UI/UX consulting firm. GreyNoise needed product management and design help and has funding, so this acquihire made a lot of sense for them.

NSO has a mess to work through. The CEO is stepping down again, the company is sanctioned in the US, and the company is viewed as quite the villain in the press. The word is that the company will be looking for a buyer.

Following with layoff trends, another Endpoint Security vendor tightens its belt.

A sourcing team of 25 was let go. This is a fraction of a percent of Okta's total workforce, so nothing much to worry about for other employees or Okta customers.

Quickly stand up a local, fully containerized Elastic Stack, complete with Kibana, Fleet, and Detection Engine!

Along with the Elastic Container Project for Security Research, we're seeing some amazing free security tools popping up lately!

PLG = Product Led Growth. In short, PLG is all about focusing on building a product compelling enough that it becomes the primary driver of sales. Typically accompanied by transparent pricing, a freemium tier, and self-service billing, to reduce sales friction. Slack is a key example. In short, it's Tyler Shield's favorite term and you should get his opinion on this story ;)

As much as I hate the fact that the authors are trying to make "SaaSBOM" a thing, the article asks some excellent and pertinent questions about SBOMs and their SaaS equivalent.

The trend of requiring popular package maintainers on package repos to use MFA continues, as it becomes more and more common to see malicious code inserted into open source projects.

Twilio is the kind of 3rd party supply chain breach we've worried about for years - a one-to-many situation. 1. The attackers spearphish some Twilio employees, stealing their credentials 2. The attackers hit Cloudflare, but failed due to use of security keys 3. Signal users were targeted with data from the Twilio breach 4. 93 Authy users affected; attackers attached devices to their accounts to hijack 2FA 5. DOORDASH was affected, with some customers' data exposed 6. Twilio claims only 176 customers were affected, but it seems clear the damage done goes much deeper than the numbers suggest (and might go much further than what's currently known to the public)

Big deal, or nothingburger?

CISA has expanded their known exploited vulnerabilities catalog yet again (and apparently we're using the KEV acronym now?) Notable additions include Apple operating systems, PEAR Archive_Tar, WebRTC, Grafana, CouchDB, and dotCMS. If you're not actively using this list of sure-to-get-you-hacked items to prioritize your vuln mgmt work, you probably should be.

$15.6B isn't "staggering" when compared to the DoD budget (which is where most of this money is going), but compared to the entire cybersecurity industry's revenue - it's a TENTH of it. $2.9B of it is going to CISA, however, which is encouraging. CISA has been doing some great work over the past few years (some of which we're highlighting in the news today!) There's a good breakdown of where the money is going here: https://rollcall.com/2022/07/12/house-appropriators-back-over-15-6-billion-for-cybersecurity/

Wiz has hired nearly 250 employees in the last 6 months. I initially misread the subtitle of this story as "only 146 of the 150 person goal had been hired". The actual number hired is only FOUR. DHS hasn't been able to hire more than FOUR people through this program in the last 9-10 months? The original press release for this program had an ambitious title: "DHS Launches Innovative Hiring Program to Recruit and Retain World-Class Cyber Talent" What's wrong? I'm not sure... looking at some of these openings (e.g. https://www.usajobs.gov/job/672059700), the pay seems decent, many positions are remote, I don't see a CISSP requirement anywhere and many openings require as little as 2 years of security experience. Maybe there's just too much competition for candidates with 3-5 years of experience? Maybe they didn't market it very well.

Starting as an informal group at the start of the pandemic, The Forte Group now has 90 members and is now a non-profit. The non-profit's mission is to "offer career assistance, advocacy, mentoring, and educational programs for women an the infosec and technology fields."

The picture of janky, hot-glued micro-SD cards are worth the click alone.