The AI-est news segment ever, now with even more AI! – ESW #357
This week, Tyler and Adrian discuss Cyera's $300M Series C, which lands them a $1.4B valuation! But is that still a unicorn? Aileen Lee of Cowboy Ventures, who coined the term back in 2013, recently wrote a piece celebrating the 10th anniversary of the term, and revisiting what it means. We HIGHLY recommend checking it out: https://www.cowboy.vc/news/welcome-back-to-the-unicorn-club-10-years-later
They discuss a few other companies that have raised funding or just come out of stealth, including Scrut Automation, Allure Security, TrojAI, Knostic, and Prompt Armor.
They discuss Eclypsium's binary analysis tooling, and what the future of fully automated security analysis could look like.
Wiz acquired Gem, and Veracode acquired Longbow. Adrian LOVES Longbow's website, BTW.
They discuss a number of essays, some of which are a must read:
- Daniel Miessler's Efficient Security Principle
- Subsalt's series on data privacy challenges
- Lucky vs Repeatable, a must-read from Morgan Housel
- AI has Flown the Coop, the latest from our absent co-host, Katie Teitler-Santullo
- Customer love by Ross Haleliuk and Rami McCarthy
We briefly cover some other fun - reverse typosquatting, AI models with built-in RCE, and Microsoft having YET ANOTHER breach.
We wrap up discussing Air Canada's short-lived AI-powered support chatbot.
Announcements
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
- 1. FUNDING: AI data security startup Cyera confirms $300M raise at a $1.4B valuation
- 2. FUNDING: Scrut Automation Raises $10M in Funding
- 3. FUNDING: Allure Security Closes $10 Million Series A to Help Companies Protect Their Brands Online
$10M Series A led by Curql. I find it interesting that online brand protection is still a category with early-stage vendors. Checks the boxes you'd expect: fraudulent website discovery, takedown, social media protection, and mobile app protection.
Perhaps, as cybercriminals turn to AI to automate creating website clones, fake mobile apps, etc., this kind of brand protection is going to become a standard product all businesses need?
- 4. FUNDING: TrojAI Raises $5.75M in Seed Funding to Secure AI in the Enterprise
- 5. FUNDING: Knostic Emerges From Stealth With Enterprise Gen-AI Access Controls
$3.3M Seed round, with Shield Capital, Pitango First, DNX Ventures, Seedcamp, and several angel investors participating. Founders Sounil Yu and Gadi Evron are well known and should have no trouble finding design partners and early adopters.
The company is building products designed to limit the problem of "oversharing" LLMs, which we have a few examples of in our other news stories today!
Knostic's launch blog, also pointing out that it is an RSAC Launch Pad Finalist
- 6. NEW COMPANY: PromptArmor
I believe they raised some seed funding as well, but couldn't find a link to details on that. Yet another LLM security vendor, it looks like.
- 7. NEW PRODUCTS: Multiplying Security Research: How Eclypsium Automates Binary Analysis at Scale – Eclypsium
- 8. ACQUISITIONS: Wiz completes $350 million acquisition of Gem Security to expand CDR offering
Sounds like something out of a D&D campaign. Remember when Wiz, Orca, and Lacework's marketing was all about how terrible it was that Palo Alto was growing by acquisition, and they were better because they didn't do that? Awkward...
- 9. ACQUISITIONS: Veracode Connects Security from Code to Cloud with the Acquisition of Longbow Security
Still sounds like something out of a D&D campaign.
- 10. ESSAYS: Efficient Security Principle (from Daniel Miessler)
- 11. ESSAYS: Cautionary Tales: Learning from the Frontlines of Data Privacy and Security – Part 3 of 3 – Apr 08, 2024
A great series - I learned a lot!
- 12. ESSAYS: Lucky vs. Repeatable
A very good one, well worth the read. I've always hated the concept of "luck". Most things that get this label applied to them are explainable. Call it what you will, but luck is usually the right move + the right skills + the right people + the right time.
I think that some people can manufacture something vaguely similar to luck by working really hard, but I think the true key to anything worthy of being called "luck" is great timing, and that can't be manufactured, as this essay demonstrates through multiple interesting examples.
- 13. ESSAYS: AI has Flown the Coop…
The latest from our very own Katie!
- 14. ESSAYS: Customer love: a recipe for building winning cybersecurity startups
We've seen writeups on PLG before, but this one is a bit different. It focuses on one particular aspect of PLG that makes it work: customer love. It's a long read, but the most comprehensive I've seen on this one crucial aspect of product-led growth that really gets things moving.
In a world where most vendor discussions are angry grumbles about broken products and bad support, when buyers see their peers, seemingly unprompted, sharing their love for an enterprise cybersecurity product, they naturally want to know more!
Curious to hear from Tyler on whether or not this effect could be created without going full PLG. Are there examples of this?
- 15. AI PROBLEMS: Air Canada must honor refund policy invented by airline’s chatbot
- 16. AI PROBLEMS: AI bots hallucinate software packages and devs download them
- 17. POST MORTEM: Zack Whittaker's this week in security newsletter covers Adrian's CSRB Microsoft Breach thread
Late last week, I live-tweeted thoughts and insights as I went through the Cyber Safety Review Board's review of last year's Microsoft Breach (the one that compromised all of M365).
This kills two stories with one stone:
- Zack's newsletter is great, subscribe to it
- Click the embedded Mastodon toot at the beginning of this week's newsletter to read my thread
For folks who don't like threads, a blog post is coming soon.
- 18. VULNERABILITIES: Hugging Face works with Wiz to strengthen AI cloud security
Some very interesting AI-model-related vulnerabilities that my girlfriend had to explain to me for me to understand.
- 19. SUPPLY CHAIN: Researchers Observed Visual Studio Code Extensions Stealing Users’ Sensitive Data
- 20. LEGAL: Google to Delete Billions of Browsing Records in ‘Incognito Mode’ Privacy Lawsuit Settlement
- 21. DUMPSTER FIRE: Microsoft left internal passwords exposed in latest security blunder
Uh, Microsoft, could we wait until I'm done writing up a post mortem analysis of last summer's breach before we have more???