Funding, Trustwave/Cybereason, NVIDIA Morpheus AI SOC, and the job situation is bad – ESW #384

Not a lot of funding this week - only 2 of 6 that I found interesting:

1. $100M Series B for Upwind Security, an Israel-based CNAPP. I don't know this area terribly well, but I'm immediately wondering if there's enough cheddar to go around to support another cloud security unicorn alongside Wiz, Orca, Palo Alto, Crowdstrike, and everyone else already here and more mature at this point.
2. $6M Seed for Embed Security, funded by Paladin Capital Group. This is another GenAI powered SecOps platform, aiming to "enhance, not replace" analysts. I find it interesting that GenAI SecOps startups are split on this with some saying straight up that they're replacing lower level SOC analysts, while others are quick to say that they're not looking to replace anyone. I wonder which approach finds the most traction with customers (or if any of these products are actually working for early adopters).

This shouldn't be a big surprise, as:

1. we knew Cybereason was in trouble - we've talked about their massive valuation loss in the past (~90% loss in valuation, leaving them upside down on money invested)
2. Singtel sold their majority stake in Trustwave to a growth equity firm in October 2023 (which we also reported on)

Trustwave, in their heyday (mid-2010s) was an interesting services company to study. Instead of whitelabeling the products they'd use in their MSSP services, they acquired or built the technology. This was long before it became common for companies to build both product and services in house. Even folks like Red Canary, who built a lot of valuable IP, were still fundamentally built on top of a whitelabeled EDR tool.

What does the future hold for TrustReason? My crystal ball is murky. If Cyberwave prices things right, they could find a niche, or perhaps their niche is a geography - we already know Cybereason has a solid foothold in Japan. Perhaps select geography is where the combined company doubles down and builds from.

I'm not going to sugarcoat my thoughts here. I love the idea of AI automating mundane tasks for us, but I hate everything about this demo (I'm referring to the video demo here)

• I hate the avatar and his stupid face
• I hate the terrible synthesized speech model they used. This cannot be the best that NVIDIA has on offer, can it?
• I hate that they included an avatar at all - the last thing security analysts want is to have to talk to a computer to investigate an incident
• I hate that they used an example that can and should be automated by a 3-line python script if your SIEM doesn't already automatically do all this, which it should. Worst case, it's a fully automated SOAR playbook.

No security analyst should be talking to a discount Grand Theft Auto villain to figure out if an employee clicked a link to a known malicious webpage.

We're not done talking about this one yet. We covered cyberisfull.com a while back and discussed it with a few folks who specialize in providing career assistance, especially to newcomers.

Here, I want to focus a bit more on the reason for what solidly looks like stagnation in the cybersecurity job market.

• Companies that know what they want can't find it.
• Most companies don't know what they need
• Hiring more security people wasn't solving any problems - if anything it was creating them
• The regulatory environment is busy scaring off security leaders with legal threats and personal liability
• This trend of layoffs has been going on since June 1st 2022, when it was coincidentally kicked off by Cybereason
• Everyone in tech is doing layoffs, with AMD the latest to let go 1000 employees - so some portion of this is just the state of the larger job market in general

Coming out of this (whenever that happens), we need a better idea of who we need, what skills they should have, how we're going to use them, how to retain them, and a LOT more folks need to be willing to hire junior folks and build those talent pipelines.

Or not? But then we end up in a weird place - with a bunch of cybersecurity degree holders doing something outside the industry. What an odd future that would be.

This is largely an unremarkable writeup that looks like someone asked AI, "write a generic article about cyber incident response". The reason I included it is that it leans in hard on resilience, which is a buzzword I'm going to be using until people are sick of it.

The author here leans in HARD on training and testing incident response. I think this is something we lack throughout our security programs: confidence that we're ready for the incident. That we can handle the breach and survive it, largely unscathed.

I don't think tabletops are enough. I think they're necessary starting out, but they don't get you even close to what I could consider "confidence" in an IR capability.

I'm a general fan of runZero, but for a while now, I noticed they've been posting stuff with repetitive headlines. Headlines like:

• How to find Fortimanager instances on your network
• How to find Palo Alto Network firewalls running PAN-OS
• How to find Citrix Virtuall Apps and Desktops software on your network
• How to find Rockwell Automation devices
• How to find SolarWinds Web Help Desk services on your network
• How to find SuperMicro BMCs
• How to find OpenPrinting CUPS services on your network

I was intrigued to see what these posts were like. Each one is dead simple, but SO useful. Like many asset management or CAASM platforms, runZero has a query language you can use to find stuff. The formula is basically:

1. Take the latest 0day everyone is worried about
2. List the relevant CVEs
3. summarize the impact
4. share the query to find it in runZero

• Want to find CUPS? protocol:ipp-browse has:ippBrowse.userAgent
• Want to find SuperMicro BMCs? (hw:"Super%micro" or os:"Super%micro)
• Want to find Rockwell Automation devices? vendor:"Rockwell Automation" AND tcp:2031
• Want to find Palo Alto Networks' Expedition migration tool? html.title:="Expedition Project"

The really nice thing here is that a lot of these queries can be easily adapted to other asset management systems. The hard part is to actually find one of these devices and figure out a handy way to identify them. Maybe it's the HTML Title, a certain protocol in use on a specific port - but it also highlights how good a job runZero does with asset identification. Want to find Fortimanager? You just query hw:FortiManager.

This story is wild. WILD.