The dark side of security leadership, will agentic be a thing, OWASP AI resources – ESW #394
In this week's enterprise security news, we've got
- 5 acquisitions
- Tines gets funding
- new tools and DFIR reports to check out
- A legal precedent that could hurt AI companies
- AI garbage is in your code repos
- the dark side of security leadership
- HIPAA fines are broken
- Salt Typhoon is having a great time
- Don't use ChatGPT for legal advice!!!!!
All that and more, on this episode of Enterprise Security Weekly.
Hosts
- 1. FUNDING: Tines – Announcing our $125M Series C fundraise
- 2. ACQUISITIONS: List of acquisitions in title
We've got a bunch of mergers and acquisitions this week, so we've compiled them here.
- CyberArk Acquires Zilla Security to Reshape Identity Governance and Administration for the Modern Enterprise
- Drata to Acquire SafeBase, Accelerating Trust Management within Enterprise Governance, Risk, and Compliance - SafeBase always felt like a feature intended to slot into a OneTrust, Vanta, or Drata eventually, so no shock here.
- AttackIQ Acquires DeepSurface - Unsurprising, as we're seeing all the BAS vendors pivot towards attack surface management, posture management, CTEM, and "adversarial exposure validation" (automated pentesting, basically)
- The SolarWinds $4.4 billion acquisition gives CISOs what they least want: Uncertainty
- https://www.cnbc.com/2025/02/10/appdynamics-founder-jyoti-bansal-merges-startups-harness-traceable-.html
- 3. NEW COMPANIES: Hello, World. 7AI Emerges from Stealth. Here We Go.
- 4. TOOLS: GitHub – HuskyHacks/cazadora: Simple hunting script for suspicious M365 OAuth Apps
- 5. DFIR: Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
- 6. AI TRENDS: Thomson Reuters wins AI copyright ‘fair use’ ruling against one-time competitor
IT'S HAPPENING
If this ruling stands, the courts might be wide open for anyone whose data was scraped and trained on by tech companies that have built foundation models. It's too early to guess how serious this could be, but the list of folks who had data scraped is nearly everyone with a public presence on the Internet.
If you're dependent on generative AI tech, it might be good to have a business continuity plan in place if your chosen product/vendor gets sued into oblivion. This kind of David/Goliath scenario is absolutely possible - we saw Apple recently forced to disable the blood oxygen sensors in its line of smartwatches after a much smaller competitor sued to enforce its patent rights.
- 7. AI TRENDS: Mike Mason on LinkedIn: AI Copilot Code Quality: 2024 Data Shows 4x More Code Cloning
- 8. AI TRENDS: OWASP Dramatically Expands GenAI Security Guidance with Guides for Handling Deepfakes, Building an AI Security Center of Excellence, and a GenAI Security Solutions Landscape
OWASP just dropped a ton of super useful AI resources!
In particular, I think their AI security solutions landscape is super useful.
There is also an AI security solutions cheat sheet, a guide to preparing for deepfake events, and an LLM and Generative AI Security Center of Excellence Guide.
- 9. ESSAYS: The Dark Side of Security Leadership
- 10. FINES: UHG Increases Change Healthcare Data Breach Victim Count to 190 Million
"The maximum financial penalty for a HIPAA violation set by the HITECH Act is $1.5 million, and adjusted for inflation is just over $2.1 million."
Do WHAT? If this was the EU, UHG would be getting hit with a $1B+ fine. I had no idea that HIPAA fines had so little bite. Why bother even fine - it's less than 10% of the ransom they paid the attackers!
