Flood of new startups coming out of stealth, new newsletters, hiding breaches – ESW #313

At one point, Cybereason and Crowdstrike could have been considered competitors. Last week, Crowdstrike's venture arm puts $100M+ into an investment, and this week Cybereason raises a $100M round from Softbank.

It's a stark reminder of how crazy Crowdstrike's success has been, compared to the rest of the NGAV/EDR field.

$20M Series A-2 round led by SignalFire (also, TenEleven, Kevin Mandia, Jack Huffard). Founders' previous roles were at Mandiant and SecureAuth.

Outside of the movie "The Big Short", I've never heard the term "tranche" used until now.

Not quite user awareness training, but definitely overlaps with UAT. Looks more general purpose and modeled after DuoLingo's mobile UI/UX.

A new remote web browser play. In 2023???

"Blyss uses homomorphic encryption to secure user data"

"Create S3-like buckets. Store any key-value data. Then perform completely private retrievals."

"Real-time supply chain security, enabling security teams to target and coordinate vulnerability remediation without toil."

"An open-source end-to-end encrypted platform to sync secrets and configs across your team and infrastructure."

"Passwordless Workforce IAM"

It is very cool to see product folks homing in on what AI LLMs are very, very good at. Mimicry, details, consistency are all things ChatGPT can easily do all day, at scale. Of course, I'd recommend spot checking results often, and especially any time the LLM model changes.

Exciting to see how quickly AI is being used to automate the stuff humans hate doing manually. Lots of easy wins out there.

Matt Johansen has lived several security lives in a relatively short amount of time and has a lot of wisdom to share. He has a new newsletter and I highly recommend it for any blue teamers, or anyone interested in keeping up with InfoSec trends and norms.

Threat Prompt is a newsletter that focuses on the intersection of generative AI and cybersecurity. Lots of good food for thought in this issue, that will help you better form and align (heh) your AI threat models.

The latest edition of ThinkstScapes is out and has some great summaries of research released in Q4 2022. It's even multi-mode! You can read through the 24 page PDF, or listen to the 20 minute audio summary.

At the low price of nothing, it's a nice resource. No paywall, no reg form - just an mp3 file and a pdf. Kudos to the Thinkst Labs team (Jacob and Casey) for putting these together every quarter.

An interesting report from Kelly Shortridge and Josiah Dykstra (coincidentally, the speakers adjacent to my talk at the last USENIX Enigma conference) that explores how we could/should be thinking about deploying security's finite resources. There are a lot of things we could do, but at what cost? Every choice we make restricts subsequent choices, and you have to look at the big picture to ensure they're the right ones.

No one asked for more examples of how to handle vulnerability disclosure and remediation badly, but here we are.

IT'S HAPPENING!

It is a long time coming, but finally, there's some real traction in enforcing medical device cybersecurity requirements. Cybersecurity and safety are closely linked, but particularly so when we're talking about devices connected to human bodies.

One of the biggest markets for buying and selling credentials - especially stolen tokens/OAuth keys (hence the title of the takedown: Operation Cookie Monster)

Some good analysis here of the market itself and related malware. Good to see this level of sharing and coordination between law enforcement, private industry, and even volunteers/community efforts.

I've included this story for one reason that made me chuckle. This guy, Shevlyakov went through all this trouble to try to acquire a Metasploit Pro license, which cracks me up, because Metasploit Framework is free. Do you really need to risk sanctions to avoid having to use the CLI??

I LOVE this. Basically, my understanding is that Android is pushing for users to not only uninstall apps from their phones, but also delete their accounts and all SaaS-stored data at the same time!

Lots of services make it a pain to remove your data and/or account and it needs to stop.

A great primer on quantum computing and the security implications from Mike Privette - the same guy behind Security, Funded, the newsletter that informs a lot of the funding stories we cover.

This is excellent timing, as we have a Quantum Special edition of ESW coming out during RSA week, where we interview two of IBM Quantum's best and brightest about both quantum computing and post-quantum cryptography! Be sure to check that episode out on April 27th.

Database of breaches that notifies you & tells you if your data is included in the breach. I wasn't aware of this service from Mozilla before now.

Equal parts alarming and unsurprising for me. 71% of IT/security professionals in the US say they've been told to keep a breach quiet, and 44% in the UK. I wonder if this survey was completed before or after the Joe Sullivan case went to court?

I imagine regulations have to pull these numbers down, or we'll likely see a LOT of heavy SEC/FTC fines in the near future. Possibly more whistleblowers also.

Now THESE are proper predictions. Some interesting ones in here.

• Through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs to minimize operational friction and maximize control adoption.
• By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully weaponized privacy as a competitive advantage.
• By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.
• By 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility – up from 41% in 2022.
• By 2025, 50% of cybersecurity leaders will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.
• By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors.
• By 2026, 70% of boards will include one member with cybersecurity expertise.
• Through 2026, more than 60% of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today.

Not surprising, but important to get the conversation out into the open so we can address it.

The reasoning sounds solid - Lloyd's is trying to avoid systemic risk by creating exceptions for "state actions", which they're pitching as equivalent to acts of (cyber)war. The question is whether that's a fair comparison, and whether insurers will abuse this clause if Lloyd's convinces them to add it. Attribution is famously difficult, making KYC, ransom payments, and now insurance policy payouts increasingly difficult to navigate for those impacted by cyber attacks.

My understanding is that Lloyd's has a lot of pull in cyberinsurance, so the outcome of this could have a big impact in how likely policyholders are to get payouts.

TIP: Use an Incognito window to read. Also, shaaaaaaade:

"Some of the people whose jobs are most vulnerable: writers, web and digital designers, financial quantitative analysts, and—just in case you were thinking of a career change—blockchain engineers."

Things are moving... fast.

Is this a record? Seems like a record. I wonder how many of these 401 companies can really afford to be at RSAC. I mean, they probably paid for everything nearly a year ago, but RSAC pricing has to hurt for those struggling to raise the next round right now.

I plan to wander the expo floor, and I'm curious to see how many unattended 'ghost' booths we'll see (either due to acquisition, or lack of funding).

I LOVE prosthetics tech. If I ever decided to leave InfoSec, it would probably be to get into robotics and designing prosthetics. Not just for folks missing limbs/mobility, but also to enhance and go beyond our bodies current abilities!

Am I outing myself as "that guy that tries to bring in all the groceries in one trip"? You bet I am.

This is definitely a bizarre one, but the title is a bit hyperbolic.

This isn't a far stretch from a creator prompting their audience to give them feedback in their YouTube comments, or Elon Musk saying he'll "respect the outcome of a Twitter poll". You're voting on decisions that the creator has already decided to let the public vote on, and even then, they don't have to abide by the results. I think calling it harmless is a stretch, but saying it lets you "control another person's life" is a HUGE stretch.