Corelight Smart PCAPs, Shifting Left, Tenable AD Security, & Tube Vulns – ESW #237

Struggling a bit through the word salad in this one also. This article is about "SentinelOne Storyline Active Response" (STAR), which is going to "transform XDR" Does that mean it isn't XDR? Is it supplemental? It integrates with SentinelOne's ActiveEDR. Replaces the need for manual and one-off EDR activities... by allowing customers to manually create automated rulesets? But then, SentinelOne's Singularity XDR platform is built on top of STAR, apparently. So EDR + STAR = XDR, sounds like. EDR pulls the data and performs the actions, while STAR enables practitioners to create detection rules and pair them with automated responses. Oh, no - STAR is actually one of a pile of XDR "power tools", so this is more like a module that plugs into Singularity XDR. They also have: - Extended Data Retention (which sounds more like extra hard drives, not a feature or tool) - Binary Vault (analyze new, unknown binaries - like WildFire or VirusTotal) - Remote Script Orchestration (collection of pre-made scripts for various stuff - Cloud Funnel (redirect EDR data to a different tool)

The overall trend of XDR is strong, and as we've mentioned on previous episodes is evolutionary, not revolutionary. A somewhat newer trend, however, is XDR offerings from MSSPs and in general, MSSPs trying to move towards valuations that look more like software companies than services companies. This started with the move from MSSP (we'll keep it running) to MDR (we'll find the attackers) and now to XDR (we'll find the attackers better). SecureWorks built an XDR offering out of their Red Cloak EDR product, Arctic Wolf is being valued at software startup multiples, and Bishop Fox has taken funding from Forgepoint to create and market a subscription product. The big question is: can they do a better job of running security than we can? Should we welcome this change? Optiv is using Devo as the back end for its XDR product, which also begs the question: when a reseller gets into the software/ARR game, is it going to hurt their relationship with competing products that they sell? How does SentinelOne feel about Optiv's XDR offering? Also, get a load of this word soup and what it takes to make a qualifying statement that's unique in this insanely crowded market: "Optiv MXDR is the only managed cloud-based, next-gen advanced threat detection and response service that ingests data across various layers of technologies to correlate, normalize, enrich, and enable automated responses to malicious activity in real-time"

$30m Series A is healthy, especially with names like Dmitri Alperovich attached to it. It's apparently using a number of different methods, including AI, to determine if a DNS entry is malicious or not. If it's a website, they do image analysis on it, like PIXM. They analyze the website content. They look at where the IP is hosted, who owns the domain, age of domain, etc. Some of that isn't new, some of it is, but a DNS firewall still seems like an approach worth investing in. At least, as long as it doesn't impact performance or run into too many false positives. Also, through this article, I learned that GCHQ's National Cyber Security Center runs something called "Active Cyber Defense", or ACD. The idea is that they'll run secure services for the whole nation (including secure DNS), but it's only available to government institutions so far. Read more about ACD here: https://www.securityweek.com/inside-uks-active-cyber-defense-program

YesWeHack isn't new, it's a bug bounty platform provider that has actually been around for a while. Because it caters specifically to Europe and European challenges (researcher residency) and constraints (GDPR), we don't hear about it as much over here in the US. The $18.8m raise is a series B, which sounds about right for this market. I'm still not sure if the jury is in on whether these platforms can be profitable or how to value them properly. We haven't seen an exit in this market and I'm not even sure what an exit would look like - I've struggled to imagine who an acquirer might be.

This one is yet another scorecard vendor - the 7th on my list so far. The interesting bit here is that BT Group led the round, which got them exclusive rights to resell it.

Daniel Miessler always has good pieces to make you think and this one is no exception. Talk content is often full of boring stuff from vendors and people generally want better content. The paradox lies in that a lot of the best experts that you want to hear from work for vendors. TL;DR here, in my opinion, is that the problem isn't vendors giving talks, it's vendors giving BAD talks. It's not so much a vendor issue as a quality issue. Personally, I've probably seen more crappy talks given by non-vendors than vendors and this is always a challenge for event planners - how do you pick the best talks based on a 350-word abstract?

SolCyber was founded by ForgePoint and was kicked off with a $20M round. They're an MSSP and seem like they're aimed squarely at some of that giant ArcticWolf valuation!

" Organisations can immediately use the checks to assess their exposure to a range of risks, including Kerberoasting attacks, poorly configured or managed passwords and vulnerable encryption protocols. From there, security teams can take remedial action to close these potential attack paths before they are used against them." - This is great but 1) I want to automate fixing them as best I can 2) I want to know once the control has drifted back to a vulnerable state 3) I still need lots of monitoring as some things in AD can't be easily fixed (This is not Tenable's problem or fault, though I think they can do better in #1 and #2).

The concept is pretty simple: You can't just "Shift left" and magically have a secure application. Security testing and remediation must be applied to all stages of software development and application deployment stages. Wow, I made that sound easy, it's not. You need automation and workflow processes and tools. For example, each time a new version of code is submitted (let's say via Git), you should build the application, then scan it, then send the results back to someone who can fix it. The complicated parts: How many code commits should trigger a build? What should the application be scanned for and how? What results stop the build from going to production?

And here I thought these were just used in banks: "nine critical vulnerabilities in the Nexus Control Panel, which powers all current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare. The Translogic PTS system is a critical infrastructure for healthcare used in more than 3,000 hospitals worldwide. The system is responsible for delivering medications, blood products, and various lab samples across multiple departments of a hospital. The discovered vulnerabilities can enable an unauthenticated attacker to take over PTS stations and gain full control over the tube network of a target hospital. This type of control could enable sophisticated ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of the networks’ carriers, resulting in deliberate sabotage of the workings of the hospital."

This session: "Taming Vulnerability Management Overload" is described as "unpacks the importance of vulnerability patching to discuss why companies fail to patch promptly - even when patches are available - and other barriers companies face that delay patching.". I really thought we'd be done talking about this, but we're not. Also, Qualys has done a great job of enabling you to just apply the patch when a vulnerability is found. So, yea, you should just do that.

"Smart PCAP is a new licensed feature that offers a cost-effective alternative to full packet capture, delivering weeks to months of packet visibility interlinked with Corelight logs, extracted files, and security insights for fast pivots and investigation. Unlike other solutions that offer selective PCAP capabilities, Corelight Smart PCAP is encryption-aware, tracks protocol activity across ports, and directly integrates with the security gold standard for network evidence, Zeek. With Corelight, analysts can configure and selectively capture packets based on:" - So are Smart PCAPs full PCAPs, or just the most significant bits?

Do you believe this case should just be thrown out?

"Code42® Incydr™ product with Rapid7 InsightIDR. Security teams using InsightIDR with the Code42 Incydr integration will have the ability to identify, prioritize and triage the most critical insider threat events – data leakage, theft or malicious attempts to conceal file exfiltration. Code42 Incydr is the first data source dedicated to insider threat events to be accessible to InsightIDR users."

Light on details, but I like where this is going: "Application security testing tools today are too often focused on finding issues, rather than fixing them, generating a constant flow of security alerts that overwhelms organizations. Meanwhile, processes for deciding what security issues to address first, and then fixing these issues are manual and time-intensive. This also requires security knowledge that even experienced developers, who are at the heart of the shift left revolution, might lack -- let alone novice ones. WhiteSource Cure relieves the application security workload through automation, providing developers with code they can trust."