The Cyber Why

THE CYBER WHY: What We Read This Week

Tyler Shields — Wed, 08 Apr 2026 00:26:01 GMT

We’re BACK! Yep that’s right, after nearly 18 month away we’ve decided to pick up the pen and get back after it. The cyber world is a completely different place then when you last saw us. AI has taken over the world and cybersecurity is no different. We’ve been staring at the newsfeed for the last seven days and every single article is about AI. AI agents doing pentesting. AI agents replacing SaaS. AI agents that need their own security stack. Sequoia is telling us the next trillion-dollar company sells work, not tools. Karpathy is telling us engineers are irrelevant to their own workflows. And eleven keynote speakers at RSAC 2026 all agreed on exactly one thing: we need to secure AI agents, all while agreeing on exactly zero ways to actually do it. It’s giving “everyone knows the house is on fire but nobody can find the extinguisher” vibes. We’re glad to be back and we hope you love the new content - more coming soon!

[AI + Security]

AI Code Security: Enterprise Governance for AI Generated Code (Latio)

James Berthoty over at Latio dropped a killer piece that should be required reading for every CISO trying to figure out what to do about the influx of AI-generated code flooding their repositories. We're watching a brand new security category emerge in real time, AI Code Security, and it's distinct from traditional SAST, DAST, or SCA. The problem isn't that AI writes bad code (though it does). The problem is that AI writes code at scale, without context, and without the institutional memory that a human developer carries about why certain patterns exist in a codebase.

The governance challenge isn’t about scanning output. It’s about understanding intent, provenance, and drift. When a junior dev uses Cursor to generate an authentication module, who owns the security posture of that code? The dev who prompted it? The AI that wrote it? The platform team that approved the model? Traditional AppSec tooling wasn’t built for this question because the question didn’t exist eighteen months ago. The companies that figure out AI code governance first (think policy engines that sit between the model and the merge request) are building the next foundational layer of the DevSecOps stack.

The security industry spent decades learning to secure code humans write. We now have approximately twenty months to figure out how to secure code that nobody wrote.

FOR INVESTORS: AI Code Security is an (re)emerging category with no clear incumbent. First movers that nail the governance layer (not just scanning) will own the workflow. Watch for Series A/B companies positioning here in 2026.

[STARTUP / VC]

Services: The New Software (Sequoia Capital).

Sequoia put out a thesis piece that should make every cybersecurity SaaS vendor deeply uncomfortable. They believe we’re moving from “software as a service” to “service as software.” The next trillion-dollar company won’t sell you a tool and a dashboard, it’ll sell you the outcome. Copilots and chat interfaces are simply the transition drug. Agents are the destination. The companies that get there first capture the margin that currently sits with the systems integrators, MSSPs, and consulting firms extracting value from the complexity your tools created in the first place.

Image from Sequoia Capital - Go the complete post for details.

Apply this to cybersecurity and the implications are enormous. Think about what an MSSP actually does: they take your SIEM, your EDR, your SOAR, your threat intel feeds, and they provide the human labor to make all of it work together. If an AI agent can do that (triage alerts, investigate incidents, write detection rules, tune policies) then the $30B managed security market isn’t a services market anymore. It’s a software market. And the vendors that make that transition eat the services revenue. The ones that don’t become commoditized infrastructure underneath someone else’s agent.

This is the most important strategic piece I’ve read this quarter. It reframes every vendor evaluation, every competitive analysis, every market sizing model. The question isn’t “how big is the EDR market?” anymore. It’s “how much of the SOC analyst’s job does your product replace end-to-end?”

The next war in cybersecurity isn’t over features. It’s over which vendors use agents to eliminate the need for services entirely.

FOR INVESTORS: Incumbents that complete the services-to-software transition will trade at infrastructure multiples. The ones that don’t become commodity inputs. The gap between those two outcomes is where the alpha lives.

[INDUSTRY]

SaaS is Dead: Why Your Next Security Tool Should Be a “Vibe-Coded” Agent (CISO Tradecraft).

CISO Tradecraft picked up the Sequoia thread and ran it through the practitioner lens. Their take is that the next generation of security tools won’t be dashboards you configure, they’ll be agents you describe. “Vibe coding” applied to security operations. You tell the agent what you want (”monitor my cloud configs for drift against CIS benchmarks and auto-remediate anything below critical”) and it builds the workflow, executes it, and reports back. No playbook authoring. No integration mapping. No three-month professional services engagement to get value from the thing you already bought.

The article is a bit off in places, (NO we’re not twelve months away from fully autonomous SOCs) but the directional argument is right. The SOAR market failed because it required security teams to become software developers to write playbooks. Agentic AI flips that. The security team describes the outcome and the agent figures out the implementation. That’s a fundamentally different value proposition, and it explains why every major security vendor at RSAC was demoing “agentic” capabilities whether they had them or not.

SOAR failed because it asked security analysts to become developers. Agentic AI succeeds by asking them to just be analysts again.

[INDUSTRY]

I Watched All 11 Main Stage Keynotes at RSAC 2026 (Defenders Initiative).

My good friend Adrian Sanabria did the Lord’s work and sat through all eleven RSAC 2026 main stage keynotes so the rest of you could go drink at the expo area instead. He found that the industry has reached violent agreement that AI agents need securing, but nobody has a coherent framework for how to do it. Every keynote mentioned “agentic AI.” Every vendor had an “agentic” demo. And the actual substance behind most of it ranged from “we added an LLM to our workflow engine” to “we’re thinking about thinking about agent security.”

The useful signal buried in the noise is that identity is the new perimeter for AI agents (who is the agent acting as?), observability is the blind spot (most orgs can’t see what their AI is doing in production), and the supply chain risk from AI model dependencies makes traditional software supply chain look like a safe little puppy. The conference effectively confirmed that “AI Agent Security” is the next major category but we’re in the “twenty vendors, zero standards” phase. Sound familiar? It should. This is cloud security circa 2016.

Everyone at RSAC agreed AI agents need securing. That’s the easy part. The hard part is that the agents are already deployed and nobody’s watching them.

[AI + SECURITY]

AI Is Breaking Security Categories (Frank Wang).

Frank Wang wrote the piece that every analyst (myself included) needed to read. His thesis is that AI-native security companies don’t fit into existing market categories, and Gartner’s Magic Quadrants are going to look increasingly absurd trying to classify them. When a product uses an AI agent to do continuous pentesting, automated remediation, AND compliance reporting, is that a vulnerability management tool? A GRC platform? A pentesting service? The answer is yes, and also no, and also the categories are the wrong question.

This resonates deeply with what I’m was seeing as an analyst at Omdia. We’re building market models for categories that are actively merging and splitting in real time. The AI-native startups aren’t building “better SIEM” or “better EDR” they’re building agents that collapse multiple security functions into a single workflow. That’s not an incremental improvement. That’s a category extinction event for vendors who defined themselves by a single Gartner box. Next time a vendor tells you they’re the “leader” in a Gartner category, ask them which category they’ll be in when that quadrant doesn’t exist anymore.

Gartner’s category taxonomy was built for a world where products did one thing. AI agents do twelve things. The map no longer matches the territory.

FOR INVESTORS: Category convergence means TAM models based on existing categories are increasingly unreliable. The winners will be companies that own entire process flows, not categories. Diligence needs to shift from “what category are you in?” to “what job are you eliminating?”

[AI + WORKFORCE]

Andrej Karpathy: The AI Workflow Shift Explained 2026 (The AI Corner).

Karpathy laid out the trajectory that every technical leader needs to internalize, we’re moving from humans writing code with AI assistance to AI writing code with human oversight. The human role shifts from creator to reviewer, from architect to editor. More importantly, the review bottleneck is already real. When AI can generate code 100x faster than a human can review it, the security implications aren’t theoretical, they’re operational. You cannot manually review AI-generated pull requests at the rate they’re being created. The math doesn’t work.

This connects directly to the Latio piece above. If humans are becoming reviewers rather than authors, then the tooling needs to shift from “help developers write secure code” to “help reviewers verify AI-generated code is secure.” That’s a different product. A different workflow. A different buyer. And most AppSec vendors are still building for the old model. Go look at your last five merged PRs. How many were AI-generated? Now ask yourself how long the security review took on each one. If the answer is “the same as always,” your review process is already underwater.

Engineers aren’t being replaced by AI. They’re being promoted to AI supervisors. The problem is nobody trained them for the new job.

THE WRAPUP

The thread running through every article this week is the same: the AI agent era isn’t coming, it’s already here, and the cybersecurity industry is scrambling to figure out the implications in real time. Sequoia says the business model shifts from tools to outcomes. Karpathy says the human role shifts from creator to reviewer. RSAC confirmed the industry agrees this is happening while demonstrating it has no idea what to do about it. And meanwhile, AI-generated code is flooding production repositories faster than anyone can review it, new security categories are emerging and collapsing simultaneously, and the old analyst frameworks for understanding this market are breaking under the weight of products that refuse to fit in a single box. The gap between “we know this is a problem” and “we have a plan” is the widest I’ve seen in twenty-five years. That gap is also where every interesting company in 2026 is being built.

Also worth your time this week:

Katie Moussouris warns of a “tyranny of optimization”: The AI revolution doesn’t just create security problems, it creates governance problems. When algorithms optimize for efficiency at the expense of resilience, we get systems that work perfectly until they don’t. Worth reading for the policy lens alone.
Bessemer maps five frontiers for AI infrastructure in 2026: Reasoning, multimodal, edge, simulation, and trust/safety. The trust and safety frontier is where security and AI infrastructure converge and it’s the least funded of the five. That tells you something.

If you've made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it.

The Cyber Why: What We Read This Week...

Tyler Shields — Wed, 04 Sep 2024 03:45:48 GMT

After a long weekend of family time, TCW is back at it again with a new drop!

This week, the TCW team learns about the “Agentic Economy,” debates the Telegram CEO’s arrest, and cries over a city playing the blame game with a researcher. We discuss the issue of cybersecurity delusion and learn one million checkbox lessons in creativity. All this and more in this week’s The Cyber Why!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

WOAH - Agent Smith is BACK!

The Agentic Economy: How Billions of AI Agents Will Transform Our World (Kyle Gomez)

We will open this week’s TCW with a bit of futurism. The article explores the rise of the "Agentic Economy," where autonomous AI agents will handle everything from shopping to complex negotiations on our behalf. These digital minions could transform industries, labor markets, and even our day-to-day lives by making us either incredibly efficient or utterly irrelevant. While the idea of AIs doing our light work sounds appealing, the author also hints at the unsettling possibility of these agents outpacing human control, making decisions that could redefine what it means to work and exist in the economy.

The future of human work in an "Agentic Economy" looks both promising and unsettling. On one hand, AI agents could free us from mundane tasks and boost productivity, giving us more time for creative or meaningful pursuits. On the other hand, these same agents might outcompete humans in many jobs, leading to potential job displacement and a rethinking of what "work" even means. In short, AI might be our new colleague—or our biggest competition. I’d love to hear your thoughts in the comments below!

Telegram’s CEO Is Going To Be Staying In France Longer Than Expected

Telegram CEO Durov placed under formal investigation and banned from leaving France (France24)
Who Is Pavel Durov? Telegram CEO Charged With Multiple Crimes In France (Forbes)
Telegram CEO Pavel Durov’s Arrest Linked to Sweeping Criminal Investigation (WIRED)

(Rick pick) Telegram CEO Pavel Durov is currently under formal investigation in France and facing serious charges related to criminal activities linked to his Telegram platform. French authorities detained him but later released him on €5 million bail. Forbes estimates he has a net worth of $15.5B, so making bail was trivial. The charges against him include enabling illicit transactions, child pornography, drug trafficking, and money laundering. The arrest has caused quite a stir, upsetting free speech and privacy advocates, while others have said this is politically motivated as Durov is a Russian/French dual citizen. Durov has five different passports. $15.5B buys you many nationalities. I know some folks are upset about this. For me, anything potentially disrupting the crime on the Telegram platform is a win. I recognize it's not all bad, but that place is a cesspool for illegal activities. Tracking the cybercriminal underground shift here over the years has been interesting.

Russian “hacktivist” group Killnet recruiting on Telegram

Stop Blaming The Researcher - They Aren’t The Problem

Researcher sued for sharing data stolen by ransomware with media (Bleeping Computer)
Columbus investigates whether data was stolen in ransomware attack (Bleeping Computer)
He proved the Columbus data leak hurts the public. Now, the city has silenced him (NBC4i.com)

The City of Columbus, Ohio, has sued security researcher David Leroy Ross for illegally downloading and sharing data stolen by the Rhysida ransomware gang during a July 2024 attack. The lawsuit claims Ross's actions caused community concern and interfered with police investigations, seeking damages over $25,000 and a restraining order to prevent further dissemination of the stolen data. Ross disputed claims that the leaked data was unusable, revealing sensitive information about individuals, including police officers and crime victims.

What a waste of city resources! Money and time are spent chasing down someone doing good for the community by helping them stay educated and informed on the risks of the breach. The city argues that the researcher's actions caused serious public inconvenience and alarm, and the researcher claims he’s simply trying to help. The worst part about this is that the case remains “ongoing,” with a pretrial conference scheduled for September 2025! Yes.. a year away. What a clusterf*&#.

Here’s a link to the court complaint PDF for those who are morbidly interested.

Cybersecurity Is Delusional

Cybersecurity's Delusion Problem (Resilient Cyber)

Cybersecurity lives in a state of constant delusion. We believe that the world revolves around us, and we have a tendency to take an ego-centric view when thinking of the incentive structure of cybersecurity. This thought-provoking article from Chris Hughes at Resilient Cyber sheds light on this and many other intriguing concepts. These cyber earworms have been whispered from the shadows for ages but generally aren’t called out to be debated in the light of day. Approaching topics such as "cybersecurity not being the center of the universe,” “security tools are overhyped,” and “cybersecurity is a big echo chamber,” this article takes aim at an issue we have in our industry concerning misaligned incentives and insufficient consequences. Thanks for writing this piece, Chris. I hope we can get better soon.

One Million Lessons In Creativity

One Million Check Boxes - A Badass Thread (@itseieio)

This fantastic thread on X details a fascinating story about a website called "One Million Checkboxes" (OMCB), where users can check or uncheck boxes globally. The creator initially worried about hacking but discovered that users—mainly creative teens—used the checkboxes to send secret messages, including URLs, by encoding them in binary. This led to the discovery of a Discord group of these teens who creatively used the site to draw and communicate in unexpected ways, highlighting the creative potential of constrained online environments. This is a must-read thread!

Quick Hits and Hidden Gems

TL;DR: Every AI Talk from BSidesLV, Black Hat, and DEF CON 2024 (tl;dr sec) - WOW. If you want to know anything about security and AI, read this post! Fantastic work from the goat of cyber influencers, Clint Gibler.
Investors are already valuing OpenAI at over $100B on the secondaries market (TechCrunch) - To think, I passed on this investment at a $23B valuation. Oops!

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

The Cyber Why: What We Read This Week...

Tyler Shields — Sun, 25 Aug 2024 16:28:52 GMT

In this week's edition of The Cyber Why, we explore what happens behind the scenes when a venture capital firm decides to invest in a startup, blush at the drama surrounding the collapsed CrowdStrike-Action1 deal, and consider the implications of a Microsoft-CrowdStrike summit and its potential impact on the industry. We take a brief look at the DOJ's suing Georgia Tech as a stark reminder of the consequences of neglecting cybersecurity compliance and learn that the Oracle fed Neo a cookie (TIL)! All this and much more in this week’s The Cyber Why!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

Sequoia’s YouTube Investment Memo Circa 2005

The confidential YouTube Investment Memo by Sequoia you were never meant to see (Alexander Jarvis)

Have you ever wondered exactly what happens after you’ve pitched your new company to a big-name investor? They disappear for a while, do a bunch of “research,” and if you are lucky, come back to you with an answer about their investment. But what really goes on behind the scenes? How do they grade you against the thousands of other investment opportunities they are likely to see in any given year?

Thanks to a lawsuit between Viacom and Google, we can read, in its entirety, the investment memo created by Sequoia partner Roelof Botha in 2005 as he and the firm analyzed their decision to invest in YouTube's super early seed stages.

What’s interesting in this article is the depth that Sequoia went to when analyzing the opportunity. The best investors aren’t just “dumb money” who follow simple signaling patterns to decide where to invest capital. The best approach will focus on the business fundamentals, the market, the competition, the founding team, AND the technology. Without all of that in alignment, a startup will never succeed. If you are building a startup and considering taking funding, you must read this piece and look at it through the eyes of the author. I promise that it will be enlightening!

The Game of M&A (aka A Game of Thrones)

CrowdStrike-Action1 deal collapses over user concerns (CSO Online)
Gur Talpaz comments on LinkedIn Post (LinkedIn)

The flames of the cyber drama dumpster fire continue to burn, as this week’s finger-pointing involves CrowdStrike vs. Action1. Cloud-based patch management and vulnerability remediation provider Action1 publically stated that it had rebuffed a $1B offer from Crowdstrike to acquire the company in the wake of the largest IT crash in history. Action1 placed the blame for the deal falling apart on feedback from customers after an email leaked about the acquisition. The customers felt the acquisition would erode trust in Action1, positioning them unfavorably in the market. But like any good who-done-it flick, we have a plot twist…

In response to Action1’s public statements, Gur Talpaz, VP of Corporate Development at Crowdstrike, took to Twitter to explain how he and presumably Crowdstrike see it. Crowdstrike barely had a 45-minute conversation with Action1 and never even approached an offer, let alone a deep discussion of acquisition. The LinkedIn post calls out Action1 for playing up a single meeting to get press and continued interest in their business. This move and the resulting counter-move bring into question other failed cybersecurity acquisitions over the last few years. It’s impossible to say exactly what happened when a he-said, she-said situation like this occurs, but it certainly raises doubt in one’s mind about so many other times this movie has played out.

Microsoft To Hold Cybersecurity Summit

Microsoft to host cybersecurity summit after CrowdStrike-induced IT outage (Reuters)
Microsoft plans September cybersecurity event to discuss changes after CrowdStrike outage (CNBC)

(Katie pick) Microsoft has announced its plan to host a cybersecurity summit in September, aiming to discuss how to improve security systems. After the faulty update that caused a global IT outage affecting 8.5 million devices, it seems like an intelligent move—though one might wonder why it took this Microsoft gaff to make it happen. It also begs the question of whether Microsoft will finally take steps following the summit to improve its own security program and commercial technology offerings, which are the frequent targets of (successful) attacks.

CrowdStrike has indicated their involvement, which will be critical, given the widespread impact of the outage on the company’s huge install base. With billions in market value lost and legal claims piling up, there’s a lot on the line. Here’s hoping this summit leads to real solutions rather than just more talk.

Security Isn’t OPTIONAL - DOJ Has Said SO!

DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts (Cyberscoop)

(Katie pick) It looks like Georgia Tech is in hot water with the Justice Department, and it's not for flunking an exam. Instead, the DOJ is pulling out the big guns by suing the university for allegedly skimping on some pretty important cybersecurity homework tied to Pentagon contracts.

The DOJ is dusting off the Civil War-era “False Claims Act” to advance this case, suggesting that the cybersecurity lapses at Georgia Tech's Astrolavos Lab were more "bug" than "feature." Apparently, not installing anti-malware software and submitting a questionable cybersecurity assessment score didn’t earn them any gold stars from the Pentagon.

For its part, Georgia Tech argues that the government was fully aware of its research's nature and that no classified information was ever at risk. According to Georgia Tech spokespeople, this case is more about miscommunication than malfeasance. It looks like we’ll have to wait and see how this one plays out over time!

Neo Eats a Cookie

For story #5 this week, I bring you a simple meme. I have been a huge fan of The Matrix since it first came out. I saw every one of them on release day in the theaters, and I have even tried to force them onto my children as some of the best movies in history (yes, I failed). I’ve even gone so far as to break down as much of each movie as I can from a technical perspective trying to find the hidden computer science and hacker references in the films. That being said - it was this week when I saw this meme and nearly spit out of my morning coffee. Now I have to go back and watch them all over again just in case I missed something else.

Quick Hits and Hidden Gems

Tech Layoffs Reach 132,000 8 Months Into 2024 (PYMTNS) - This has to be close to the bottom.. right? Please, someone, say it’s going to get better soon.
Cybersecurity tool sprawl is out of control – and it’s only going to get worse (SiliconAngle) - This article almost made the top 5. The author does a great job breaking down the state of tool sprawl in modern enterprises.
CrowdStrike unhappy with “shady commentary” from competitors after outage (ARS Technica) - More pissing match drama. SentinelOne, PAN, and Crowdstrike are all going after each other like kindergarteners fighting for the one open swing.
Five Thoughts From DefCon (Frank Wang) - I was recently having similar thoughts about going back to my technical roots, and Frank’s write-up expresses my thoughts very well. Thanks for the piece, Frank!
Cyber optimist manifesto: why we have reasons to be optimistic about the future of cybersecurity (Venture In Security) - We could all use a dose of optimism right about now. Here’s what’s GOOD in cybersecurity today.

Share The Cyber Why

The Cyber Why: What We Read This Week...

Tyler Shields — Mon, 19 Aug 2024 13:37:13 GMT

After two full weeks of travel, one of which was Vegas for Hacker Summer Camp, I’m ready to dive back in and bring you our most exciting articles and stories of the week.

In this issue of The Cyber Why newsletter, we surface the “3 Billion People” hack that “may not be” at National Public Data, Tyler’s views on hitting the bottom of the VC investment cycle (tl;dr it’s up from here), the White House spends a whopping $11M on open source supply chain security (that’s all?!), measuring security debt as a new paradigm for understanding risk, and last but not least, what happens when a Tesla Cybertruck ends up in the hands of a Chechen Warlord (oh my!). All this and more in this week’s The Cyber Why!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

A US-Wide Compromise That May Not Be Real

Inside the "3 Billion People" National Public Data Breach (Troy Hunt)

Is it real? The “billions of compromised accounts” question. A massive data breach involving National Public Data (NPD) has sent shockwaves through the internet, but the true extent and legitimacy of the leaked information remains a mystery.

Initially, hackers claimed to have stolen data on nearly 3 billion people, including sensitive information like Social Security numbers. However, as more details emerge, a complex puzzle forms. Different batches of data appeared online, varying in size and content. Some information seemed accurate, while other parts appeared to be random or even fabricated. As outlined by blog author Troy Hunt, the challenge lies in determining which data is genuine and which is simply noise added to create confusion. With conflicting reports and a lack of transparency from those involved, unraveling the truth about this breach is proving to be an arduous task. Thanks, Troy, for tracking this one down and providing a life preserver in a murky pond.

Venture Bottom or Death Spiral?

VC Fund Performance: Q1 2024 (Carta Report)

In an article posted on August 16th, the Carta data research team noted that venture capitalists are having a rough go of it. With interest rates soaring and IPOs as scarce as a meth head’s teeth, money managers are in dire need of returns. Based on a view into over 1,803 venture funds, Carta's latest report paints a really tough picture. Funds from 2022 have deployed only 43% of their cash after two years, the slowest pace ever. And don't even get started on returns – less than 10% of 2021 funds have seen a dime back from their investments after three years.

If you think things are bad for VCs, wait until you hear about the businesses they are funding. The data on graduation rates is downright depressing. Fewer and fewer seed-stage companies are making it to Series A, suggesting a sad outlook for many new ventures. Are we simply at the bottom of a venture down cycle, or should we be worried about something more drastic occurring? In my opinion, we should see a positive bounce over the next few vintages. Fingers crossed!

Subscribe now

A Whole $11M for Open Source Security in Critical Infrastructure?!?!

White House details $11M plan to help secure open source (Cybersecurity Dive)

(Katie Pick) Last week during DEFCON 32, National Cyber Director Harry Coker Jr. revealed a plan by the White House and Department of Homeland Security (DHS) that will focus on helping secure open source software used in operational technology. Coker shared that the plan is to invest $11M USD in a program they’re calling the “Open Source Software Prevalence Initiative.”

Now, on the one hand, this is great! Any time initiatives like this come down from the top, it’s a signal to public and private organizations that it’s time to step up their game. In the case of open source — or open source-based — software, it’s past time. The threat surface is enormous. According to various sources, attacks on software, particularly those targeting the software supply chain, have increased by 300-400% in the last three years. Driven by increased reliance on open source codebases and the complexity of modern software development, there are no signs of these attacks slowing down. Given that critical infrastructure (CI) increasingly relies on traditional software (versus purpose-built, air-gapped components), the sector is at least as vulnerable to software and supply chain attack as any other industry (i.e., very high risk) or likely higher, given the impact of a CI compromise.

On the other hand, what does it say that the government is offering less than most seed rounds for organizations to make substantive changes in software development and open source security? Though this isn’t the only initiative or government-supplied help organizations can get in this realm, it feels a little like offering a single nail to fix a leaky bucket.

Security Debt - A Metric NOW With Meaning

Contextual Vulnerability Management With Security Risk As Debt (Ari Kalfus and Tim Lisko)

Vulnerability management has existed since the birth of cybersecurity as an industry. As new vulnerabilities are discovered, enterprises have to determine if they are affected and then remediate those issues programmatically. Over the years, things have gotten way more complicated than simply fixing issues when they arise. The growth in the number of CVEs discovered each year has become overwhelming. To make matters worse, security teams have no way to properly prioritize the fixes without severely impacting the output of the business as a whole.

Enterprise security groups need a better way to create urgency for remediation within their engineering and development teams without being perceived as the group slowing down business. Enter the concept of “security debt.” Much like financial or technical debt, security debt can be measured by adding context to the decision tree for recommended remediation time and then adding a time element (let’s call this “security interest”) to the equation so that the longer issues remain, the more security debt is accumulated. DigitalOcean security leaders Ari Kalfus and Tim Lisko wrote a very interesting blog post outlining how they are working towards implementing a security debt metric at their firm. It’s a fantastic read, and I love the innovation around metrics. We can adapt this type of math to many more fields, and I look forward to seeing how this grows over time.

A Cybertruck War Machine Is A BAD Idea

Ecstatic warlord mounts machine gun on Cybertruck, invites Musk to visit after hailing billionaire’s ‘genius’ (NY Post)

A Chechen warlord, Ramzan Kadyrov, has acquired a Tesla Cybertruck and mounted it with a massive machine gun on the back. Please try to ignore any discussion or implication to the actual conflict in Ukraine and give this video a watch simply for the stupidity that is a Cybertruck with a machine gun. There are TONS of Cybertruck fails on YouTube and after you watch this video, go check out this one that features an old-school pickup truck saving the day when a cybertruck gets STUCK!

Quick Hits and Hidden Gems

Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes (Wired) - Sam Kamkar of MySpace Worm fame resurfaces a legend from the 90s and brings it to life! I’ve been “hearing this for decades.” Now it’s real.
Meet AI Goat: The First Open Source AI Security Learning Environment Based on the OWASP Top 10 ML Risks (Orca Security) - An exciting environment for learning about AI security. While I like education, I’m more interested in the “how” to secure it problem.
Fuzzing Bests Formal Verification (Dan Guido) - Super technical yet awesome. I guess my formal methods courses really were an annoying waste of time! Long Live “ZED!”

Share The Cyber Why

The Cyber Why: What We Read This Week...

Tyler Shields — Sun, 04 Aug 2024 15:17:23 GMT

Happy day before Blackhat week! The annual trek to Las Vegas, lovingly known as “Hacker Summer Camp,” is back and ready to educate, innovate, dehydrate, and over-stimulate you. It’s a time to make new friendships and rekindle old ones. I fly in Monday morning and will be there through Friday if you want to grab a coffee. Hit me up in the DMs, and I’ll give you a free The Cyber Why sticker! Now onto the newsletter!

This week in The Cyber Why, we bring you a new record for a single ransomware amount, worry about Crowdstrike’s future potential legal woes, update you on the cyber M&A landscape, watch as Ferrari brakes hard on Deepfake scams, and last and certainly least, we bring you the CyberCasket - Tesla Tech Bros REJOICE!

Get the most from your security team’s email alert budget

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view.

Free up more of your alert budget so your team can spend it on what really matters. See how much time you can give back to your security team with Material.

Visit Material Security

Angels or Demons - A Ransomware Record

Record-Breaking $75 Million Ransom Paid To Dark Angels Gang (Forbes)

Well, well, well. The Dark Angels gang just hit the jackpot, raking in a whopping $75 million, a new record for a single ransomware amount. This eye-watering sum smashes the previous record of $40 million paid by CNA Financial in 2021. Apparently, these "angels" are more like demons, targeting a select few high-value organizations and making off with 10-100 terabytes of data. Talk about going big or going home!

Meanwhile, global ransomware attacks are up 18% year-on-year, with the US getting hammered 93% more than last year. Manufacturing is taking it on the chin, suffering more than twice as many attacks as healthcare and technology combined. But hey, at least we have "Ransomware Awareness Month" to save us! Because nothing says "effective cybersecurity" like a gimmicky PR campaign, right? Maybe instead of awareness months, companies should try being aware every day and patch their damn systems before the Dark Angels come knocking.

CrowdStrike’s Legal Woes Are Just Beginning

Delta CEO Says CrowdStrike Tech Outage Cost It $500 Million (WSJ)
Delta CEO: ‘When was the last time you heard of a big outage at Apple?’ (The Verge)
CrowdStrike Is Now Being Sued By Investors (Forbes)

(Rick Pick) It’s been a rough two weeks for CrowdStrike and its customers. This week, we saw legal responses to the incident emerge. First, Delta's CEO came out swinging. He claimed that the outage would cost Delta Airlines $500 million and that they would seek legal damages from both CrowdStrike and Microsoft. Delta took longer to recover than any other airline. Additionally, the Plymouth County Retirement Association pension fund filed a class action lawsuit (PDF) in Texas. The lawsuit claims that CrowdStrike:

"... repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was “validated, tested, and certified.” This complaint alleges that these statements were false and misleading..."

I’m not a lawyer and don’t play one on TV, so I won’t wade into waters over my head, but I can say that these cases, along with others that will follow, are a costly distraction for a company that must regain the trust of its customers. These cases won’t be resolved quickly, so this embarrassing outage will continue to periodically make its way into the headlines. I’m interested in reading upcoming SEC Form 8-K filings to see how the outage has impacted other public companies.

Cybersecurity Acquisitions Drop Dramatically…or Have They?

Security Week Analysis: 178 Cybersecurity M&A Deals Announced in First Half of 2024 (Security Week)

(Katie Pick) Eduard Kovacs is up to his always-excellent analysis of the cybersecurity market. In this piece, published on July 29, 2024, Kovacs shares data about cybersecurity M&A activity in the first half of 2024. He specifically shares that the number of deals has dropped dramatically — ~75% since H2 2021 and 17% since H1 2023.

According to the analysis, Europe's companies are the hardest hit, while M&A for companies in Australia, Canada, Germany, and Israel has stayed relatively steady.

What’s interesting about the analysis, however, is that while the total number of deals has shrunk, the valuations of acquired companies have expanded. Specifically, six deals were valued at over $1B USD. Kovacs writes, “It’s worth pointing out that the number of deals exceeding $1 billion is already the same as in the entire year of 2023.”

We’ll have to watch the trends over the next few quarters, but if deal sizes continue to increase, we're either seeing overvaluation (again) in the cybersecurity market or a reshaping of the market. A reshaping could mean more small companies get scooped up for big bucks or squashed by the larger players before they even have a chance to get there.

Ferrari Slams The Brakes On AI Deepfake Scam

‘I Need to Identify You': How One Question Saved Ferrari From a Deepfake Scam (Bloomberg)
Ferrari CEO Impersonated by AI in Deepfake Scam Attempt (Yahoo)
Ferrari Thwarted an AI Deepfake Scammer Posing as Its CEO With an Age-Old Trick (The Drive)

(Rick Pick) The deepfake problem is accelerating. Earlier this year, a Hong Kong finance worker got taken for a $25 million joyride after joining a multi-person video conference with fake participants. This week, Ferrari was in the crosshairs. A deepfake scammer reached out to a Ferrari executive via WhatsApp but was thwarted when the executive asked a question only Ferrari’s CEO could answer. The bar for creating deepfakes is getting lower. Security Awareness Training has become a compliance checkbox punchline, but performing targeted deepfake training for executives is something that defenders need to do. If you are at Summer Camp in Vegas next week, the DEF CON AI Village will have a Deepfake Demo lab. DARPA will even have a deep fake analysis system there. I’ll be there too, so say hi if you are around!

Tech Bros Rejoice - The CyberCasket Is Launched

The CyberCasket (Titan Casket)

Starting today, if you kick the bucket, you won’t have to give up that Tesla vibe; instead, get yourself a HyperCasket (aka CyberCasket). With a recessed latch similar to Tesla doors, vegan leather (what is vegan leather anyway?), and a 12-gauge stainless steel exterior to match your cybertruck, you can now rest in peace in an amazing CyberCasket. Don’t forget to purchase the optional seatbelt and self-burying technology (no lie, these are on the ordering form.) For only $9,999 (add-ons not included), you, too, can spend the rest of eternity in Elon Musk’s good graces! Here’s a copy of one of the user reviews from their site:

I passed away 2 months ago and decided to go with the CyberCasket. Let me tell you it's the BEST PURCHASE EVER! I decided to upgrade to the self-burying model as I didn't want to pay an opening and closing fee at the cemetery. I would recommend purchasing the seatbelt as well as the ride tends to be a bit bumpy, I did fall out of the casket once. The Wi-Fi cuts in and out at times and makes it a bit difficult to post my daily TikTok's but other than that this is a great product, if I were to die a second time, I would definitely purchase this product again with the seat belt added! → link to actual review

Quick Hits and Hidden Gems

How New-Age Hackers Are Ditching Old Ethics (Dark Reading) - Times have certainly changed. When I was a “hacker,” web defacements were about as bad as we got. For-profit never even hit our radar. Today the ethics are out the window as younger attackers gun straight for the profits.
Monoculture Hype (Marcus J. Ranum) - Marcus Ranum, cyber security luminary and inventor of many cyber concepts and technologies wrote a 2003 retort to the monoculture paper by Geer et al. that we discussed in last week’s The Cyber Why here. It’s short, but I’m glad I found it, as it’s an interesting counterpoint to the original piece. I wonder how Marcus perceives the issues after the Crowdstrike debacle.

Share The Cyber Why

G-Wiz, RockYou2024, SEC and Chevron Deference, and Ransom Payments - TCW EP5

Tyler Shields — Tue, 30 Jul 2024 23:30:40 GMT

Welcome to TCW Pod #5, where we serve up the latest in cybersecurity with a side of snark and wit. In today's episode, we belatedly discuss the acquisition of Wiz by Google (until it wasn’t), the RockYou2024 password list is a nothing burger, the debate around cybersecurity being “full,” some political chat around the SEC weakening the state of cyber in the US along with the death of Chevron Deference, and how paying a ransom happens and the conflicts of interest within. All this and more as we blend serious insights with a splash of humor, making the world of cybersecurity both enlightening and entertaining. Let’s dive in!

TCW POD #5 SHOW NOTES

On this episode, hosts Tyler Shields, Katie Teitler-Santullo, & Adrian Sanabria tackle the following key points:

01:04 - Introductions and Cold Open

Welcome to The Cyber Why! Let’s goooooo!

03:40 - Show Sponsor - Material Security

Get the most from your security team’s email alert budget

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view.

Free up more of your alert budget so your team can spend it on what really matters. See how much time you can give back to your security team with Material.

Visit Material Security

04:30 G-Wiz - Wiz in Talks to be Acquired by Google (Until It Wasn’t)

It’s crazy how fast the markets move. The $23B+ acquisition is a massive play by Google to push harder into the cybersecurity market. This pod was recorded on July 14th, the day that the acquisition rumors spread on the Internet. By the time we got to push this pod live, the story was already out of date. Less than two weeks later, Wiz called off the marriage, citing goals to pursue an IPO. Listen to check out our initial coverage of the announcement and see how it compares to how things ended up. Hindsight being 20/20, this is quite an interesting discussion.

20:20 RockYou2024 Datadump is a Nothing Burger!

The RockYou2024 massive password data dump is a waste of time. We’ll waste our breath on this podcast, so you don’t have to. If you are wasting time using this enormously large text file as a password list, you are not being nearly as effective as possible. Is the RockYou2024 file a troll attempt, or is it just someone’s bad attempt at valuable research? You decide.

34:40 Cybersecurity is Full (or is it)?

The link cyberisfull.com sparked a bunch of discussion and debate in the Twittersphere and Linkedin universe two weeks ago. Contrary to the marketing headlines that come around every six months, according to the website cyberisfull.com, cybersecurity does not have any entry-level jobs remaining. It’s becoming increasingly more challenging to enter the cybersecurity field as even the “entry-level jobs” require many years of experience and advanced certifications and degrees. The panel debates if cyber is genuinely full and, if so, how we solve the hiring and job issues within the cyber industry.

50:11 SEC is Weakening The Cybersecurity Posture of the United States

The panel responds to an essay written by well-known cyber analyst and former CISO Ed Amoroso. The article argues that the SEC's current actions weaken the United States' cybersecurity posture by placing undue pressure on CISOs. This has led to several negative behaviors, including minimizing written communication, increased legal consultations, scrutiny of past decisions, mandatory filings leading to stressful SEC interactions, and deterring talent from the CISO profession. The author urges the SEC to shift its focus from CISOs to CEOs to better protect national cybersecurity without compromising the effectiveness of cybersecurity professionals. What do you think? Is the CISO role safe and desirable for top cyber leaders, or is there way too much risk in making the job a career goal?

1:04:34 WTF is Chevron Deference and Why Does it Matter to Cyber?

Q: How do the herring fishing industry, Supreme Court rulings, and cybersecurity unite to make the world a better place? Answer: it doesn’t, but I learned much about these topics from this segment. The team, led by Katie’s research and knowledge, discusses how the recent “Chevron Deference” Supreme Court ruling limited the importance of expert witnesses and the impact on the CISO role. The herring fishing discussion is a cool chat on the history of the term Chevron Deference, so we have that going for us as well.

1:14:11 How Do Companies Go About Paying A Ransom

What does the process of paying a ransom look like? Do you put $24M into a bunch of suitcases and swap vans under a bridge? Obviously, that isn’t how the funds transfers happen in the world of cryptocurrency and digital hacking (but the visual is funny). Adrian helps break down the process of paying a ransom, using a ransom negotiator, how that business model works, and some of the inherent conflicts of interest that might exist here.

1:22:22 Story #5 - Free AIM VR Shoes

Free Aim VR shoes are funky treadmill boots that remove the need for an omnidirectional treadmill when in VR. Gotta check out the video to get a good understanding of what these things are. It’s only a few thousand dollars to look like a goofball.

Share TCW with your friends. Baby kittens will thank you!

The Cyber Why: What We Read This Week...

Tyler Shields — Sun, 28 Jul 2024 01:26:50 GMT

As I watch the opening ceremonies and early events of the Olympic games, I am struck by just how many countries and people there are in the world. I am in awe that almost 5,000 of you have opted in to receive our little slice of commentary every week. I appreciate each of you who follow our writing, and I want to say thank you for being along for the ride. We love you all! Now, onto the fun…

This week in The Cyber Why, we bring you a phenomenal cyber market research report from , discuss a unique remote work inside threat model, flashback to 2003 and learn about concentration risk and homogeneity, debate the WHY behind the G-Wiz break up, and for story number five, Southwest Airlines can dodge bullets. All this and more in this week’s TCW!

Get the most from your security team’s email alert budget

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Visit Material Security

More Evidence of Market Consolidation

WTF is Cloud Application Detection Response (Latio Tech James Berthoty)

I rarely read a report, especially one from an independent analyst, that nails a future prediction so directly on the head that you can’t help but know they are right. This piece by from Latio Tech is absolutely amazing. In addition to nailing the technical requirements for a product roll-up in application and cloud detection and response, he also manages to go from 7+ acronyms down to just one (THANK GOD!)

Latio Tech has a strict “one new acronym per 7 dead ones” rule.

This report makes a very strong case that the following seven cyber markets should be rolled up into something more significant. They constitute a group of features and isolated products today and shouldn’t over the long term.

Application Detection Response (ADR)
Cloud Detection Response (CDR)
Kubernetes Detection Response (KDR)
Cloud Workload Protection Platform (CWPP)
Cloud Native Application Protection Platform (CNAPP)
Continuous Threat Exposure Management (CTEM)
API Security

As an industry, cybersecurity builds too many point products and not nearly enough groupings of features that make singular, powerful solutions. Cybersecurity has only existed for about 30 years (give or take). When an industry is young, solving very pointed problems and selling products that help customers solve unique issues makes sense. It’s a time of rapid innovation and expansion of new ideas. As markets mature, they group smaller, feature-sized products into platforms that deliver outsized value. Eventually, highly mature markets will consolidate into three dominant market participants.

We have entered the start of an era where cybersecurity must come to terms with a decrease in product counts and a simultaneous increase in customer value. The next decade of cybersecurity is going to be fun to watch as vendors broaden their technologies by acquisition and adjacent market consolidation.

The Hermit Kingdom Makes Headlines

North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (DOJ)
North Korean hacking group makes waves to gain Mandiant, FBI spotlight (Cyberscoop)
Incident Report Summary: Insider Threat (Knowbe4)
APT45: North Korea’s Digital Military Machine (Mandiant)

(Rick Pick) North Korea made headlines this week via a couple of stories. First, the Security Awareness Training company Knowbe4 released a blog discussing how they hired a remote software engineer who turned out to be a North Korean insider threat. The threat actor was a "real person using a valid but stolen US-based identity." Kudos to Knowbe4 for releasing this blog.

Next up, the Department of Justice indicted a North Korean, Rim Jong Hyok, for "his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers." North Korea has long funded its regime through cybercrime, and this case is another potential example. Hyok is a member of the threat actor group APT45. Mandiant also released a deep dive on the group here.

Editors Note: It’s crazy to me how easy it is to get an inside threat into US-based enterprises. This risk has only increased with the rise of remote work. This type of threat is real and very difficult to discover. Be vigilant out there, people! BTW: TIL what the Hermit Kingdom is!

CyberInsecurity: The Cost of Monopoly

What the Crowdstrike outage means for the security industry? (Frankly Speaking)
CyberInsecurity: The Cost of Monopoly (Dan Geer and others)

By now, everyone has heard of the global IT outage caused by a software update issued by the cyber security vendor Crowdstrike. The cyber and IT social media universe has been abuzz discussing how it happened, how to fix the issue so it doesn’t happen again, and what the long-term impact on the business world will be.

On the back of the fallout, the main concern that comes to my mind is not about hacks, updates, or technology failure - instead, it is the concept of homogeneity. When a system that contains a given level of risk is deployed uniformly throughout an entire section of space, the risk to that space increases. To state it in a “less nerdy” way, the risk of issue or compromise grows if you deploy the same software everywhere. Attackers love concentration risk. It gives them a higher level of potential compromise with less effort.

The Crowdstrike issue was exacerbated by concentration risk because, as of January 31, 2023, CrowdStrike had 23,019 subscription customers, a 41% increase year over year. They analyze over 30 billion endpoint events daily from millions of sensors across 176 countries. That’s a MASSIVE deployment size and a MASSIVE concentration risk. High concentration risk plus an automatic update system make for a perfect path to MASSIVE damage.

This problem reminds me of the 2003 paper written by Dan Geer et al. entitled “CyberInsecurity: The Cost of Monopoly.” I remember the time vividly as I was working with Dan at @stake when he published the paper for which he was famously fired. Looking back, it seems like he was right; he just had the wrong company in his line of sight. This seminal paper is a must-read. Go check it out!

The great Dr Geen presented to Congress in 1997

Security Theater Continues with Wiz Rejecting Google Offer

Google Talks to Acquire Cybersecurity Startup Wiz Fall Apart (Wall Street Journal)
Google Talks to Buy Wiz for $23B Reportedly End (Bloomberg)
Wiz Rejects Google’s $23 Billion Offer, Seeks IPO Instead (FOO)

(Katie pick) By now, you’ve definitely heard the news: Wiz walked away from a $23 billion dollar acquisition offer from Alphabet (Google’s parent company) to focus on preparing for an IPO instead. The initial announcement about the intent to acquire shocked the security community, both because of the sheer financials thrown around in media publications and because the deal, had it gone through, would have drastically changed the cloud vendor security landscape.

This was never a typical acquisition proposal, so the “ifs” were abundant.

But what I find most interesting is the timing of the offer and the decline. Few founders would reject the kind of money offered. Even with all the funding raised ($1.9B USD to date), the multiples were off the charts, especially for a four-year-old company. But to reject that kind of deal so quickly indicates to me that some sort of security theater may have been at play. In other words, Wiz might never have had any intention of selling. The founders have been bullish on this topic from the start — their goal is to become the biggest security company of all time. So why allow the media to get into a frenzy? Why even let it get to the media if the Wiz team had already decided to stay solo?

The short answer: Press and media attention. Market attention. All right before filing for IPO. I suppose it’s no different than an NFL coach hyping up his team right before the “Big Game.” But is this what we need in cybersecurity? Wouldn’t it just be better to build products that are really really really good and save the drama for the Kardashians?

Editors Note: Do you think it was security theater or was Google or Wiz spooked by some other reason? Comments below…

Southwest Airlines - Dodging Bullets, Baby!

A Windows version from 1992 is saving Southwest’s butt right now (Yahoo)

If this is true (it may not be), it’s absolutely NUTS. Southwest is the only airline that didn’t go down or suffered significant issues during the Crowdstrike debacle last week, and the reason is… get this… they still use Windows 95 and 3.11? I am not sure I believe the story, which is why I put it in as Story #5 this week, but if it’s true, they have a lot of work to do. Here’s a pick of Southwest Airlines when they learned they had dodged a bullet. (HT SuttonimpaQT)

Share The Cyber Why

Crowdstrike Update Causes Blue Screen of Death

Katie Teitler-Santullo — Fri, 19 Jul 2024 14:43:00 GMT

The below is a post written by The Cyber Why author and first posted on the Ox Security blog.

Happy almost weekend, everybody… or not, if you’re in IT… trying to travel… or get medical attention... or just get your work done and start the weekend off with a bang.

Many of us have woken up to the news of a massive global outage caused by a Crowdstrike Falcon endpoint sensor update for Windows hosts. From airlines to banking systems, emergency services to media outlets, businesses around the world are dealing with the dreaded Blue Screen of Death (BSOD) to kick their weekend into high gear.

NOTABLY… this is not a cyber attack. As far as we know, malintent is not an issue.

This image was added by TCW Editors - Not in the original post

According to the company’s website, the outage was caused by “a defect in a single content update for Windows hosts. Mac and Linux hosts are not affected.” Further, the company says that the issue was “identified, isolated and a fix has been deployed.”

Good news! Except, according to sources, this isn’t the simple fix it’s being positioned as.

Source: Reddit: https://www.reddit.com/r/crowdstrike/comments/1e6vmkf/bsod_error_in_latest_crowdstrike_update/

While attempting to triage the fix, many customers are reporting that they’re stuck in a boot loop and being forced to manually reset impacted servers, which could result in hours — or possibly days — of downtime and uncountable amounts of lost productivity and revenue.

The Cyber Why: What We Read This Week...

Tyler Shields — Sat, 13 Jul 2024 20:52:43 GMT

Welcome back, Cyber Why readers! Buckle up because this week’s newsletter is a rollercoaster of digital drama and tech intrigue. We kick off with the fall of hacker kingpin ‘Tank,’ whose ego finally caught up with him. Then, we dive into the murky waters of a $25M auto dealer ransom—CDK Global, we're looking at you! Next, we take a nostalgic detour with a $200K Lego heist that would make any childhood collector weep. For our finance and startup geeks, we’ve got a deep dive into the evolving world of SaaS and AI pricing strategies, predicting seismic shifts in the industry. And for a sprinkle of absurdity, we present Story #5 - VR shoes that promise to take you everywhere and nowhere at the same time. Let’s dig in and dissect the chaos together!

Email security that protects from the outside in and inside out

There’s more than one way in to exploit email as an attack vector. Plus, even more to target once inside the mailbox. Material Security takes a holistic approach to email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.

Visit material.security to learn more about their multi-layered detection and response toolkit for email.

Visit Material.Security

When Ego Takes Over - Criminals Fall

Notorious Hacker Kingpin ‘Tank’ Is Finally Going to Prison (WIRED)

I’m a sucker for the “Hacker Kingping” going to jail story. We have reported on a number of them over the last year and a half, including early details on this particular arrest, and I still find them absolutely intriguing. What would make a person go down a path of crime that is so heinous and despicable? People think the answer lies in greed and money, but if you read between the lines, you often find that the real reason most of these disgusting people do what they do is ego.

Vyacheslav Penchukov, a Russian national, was the mastermind behind the Zeus malware operation. He orchestrated the creation and distribution of malware that infected millions of computers worldwide. Penchukov aimed to steal banking information and commit financial fraud, generating substantial illegal profits. He was involved from November 2018 to at least February 2021, officials say. Investigators found he kept a spreadsheet detailing his $19.9 million income in 2021 alone.

That’s pure ego - nothing more. I, for one, am glad to see this guy going away for such a long time. Enjoy your time in jail, Vyacheslav; I don’t think DJs are needed very often on the inside.

I wonder if they will have turntables in the clink for you to use?

Auto Dealers Back Online - I’m Left With Questions

How did the auto dealer outage end? CDK almost certainly paid a $25 million ransom (CNN)

There’s a lot to unpack in this story. According to the article on CNN, auto dealership software company CDK Global appears to have paid a $25M ransom to get their systems and dealer networks back online. On June 21st, a roughly $25M crypto payment was tracked as delivered to what is believed to be the ransomware group “BlackSuit,” but neither the sender nor the target of the money can be confirmed at this time. As I read the article, I was left with three questions that maybe my readers can help me with:

How do companies actually go about PAYING a ransom like this? I can’t imagine that CDK Global had the technical chops in-house to figure out how to pay $25M in crypto to get their systems back online — they most likely had to have used a third-party service to deliver the payment. Who offers this type of service, and how much money do THEY make on the deal?! Wow, this is most definitely a morally grey area product offering.
$25M is a LOT of money. My initial concern was how does a global auto dealership software vertical SaaS offering like CDK Global have $25M lying around. Apparently, they are much larger than I thought! CDK Global was acquired in April 2022 for over $8B, and the parent holding company, Brookfield Business Partners, is MASSIVE. But what if they DIDN’T have it available - where do they go to get the money (gov? insurance?), and if they can’t get it liquid, do they just POOF out of business?
With over $1.1B in ransomware payments occurring last year, how concerned are we that this will grow in the future? I’ve seen tons of different incentive structures for hackers over the last 20+ years but this one shares the SHIT outta me. This is HUGE money, and I don’t see how attackers will ever move off of this approach if they can extort such massive financial windfalls. I only see this getting worse in the next year or two. What are your thoughts - can we limit ransomware? If so, how, when, and what will finally help us lower the risk?

Stolen Legos Worth Over $200K Recovered

Oregon police recover over $200,000 worth of Lego sets in massive bust (NBC News)

Legos are a big deal. I’ve always been a fan of Lego. Since I was a little kid and got my first set, I have collected, assembled, and destroyed more Lego objects than I care to admit. What I never really understood is the collectible nature of the damn things. I mean, all they are is bricks and a book that tells you how to put them all together. So simple.. yet so amazing. Apparently, Lego has turned into a big business, and these criminals figured it out. Throughout a three-month investigation, Oregon police built a case against a store owner who had been “knowingly purchasing stolen sets” of Lego. The total value of the recovered Lego sets was over $200K. I should have kept all those bins from back in the day… instead, they are in the local dump alongside my baseball cards and old Beanie Babies. C’est la vie!

SaaS Must Adapt To Survive

AI Pricing Strategies for SaaS Companies Offering Copilots (Tomasz Tunguz)
No SaaS! How AI Agents Will Change Software Pricing (Tomasz Tunguz)
Avenir x SaaS - What’s Gone Wrong in Software and Why We’re Optimistic (Avenir)
SaaS: Have reports of my death been greatly exaggerated? (Next Big Teng)

Warning - This is a LONG ONE.. I went full nerd on this post.

Lately, I’ve been pondering the idea that we may have seen the height of the software-as-a-service (SaaS) approach to business and are facing the next wave of foundational change. How will AI impact business, and in particular, will SaaS as an offering die over time?

The research conducted by Avenir in their slide deck entitled “What’s Gone Wrong in Software and Why We’re Optimistic” examines the impact of COVID on SaaS solutions, positing that the pandemic has catapulted SaaS business models straight through adolescence and directly into maturity. We’re seeing this in nearly all metrics around high-growth software-based companies in this cohort. Revenue growth has slowed, and by force, these companies must become more efficient in order to maintain any level of foundational financial success. The best quote in the article is, “What management teams have referred to as “tough macro” is likely a “new normal.”

Prediction: SaaS is already mature and has long passed its days as a growth investment.

Two new posts from Tomasz Tunguz expand on the concept, detailing how AI agents will change pricing models in the software business. According to Tomasz, AI agents are 2.5x-3x more efficient than human counterparts, yet we are only charging an uplift of, on average, 70% against non-AI, traditionally seat-based SaaS solutions today. There is room for price increases, and SaaS companies will likely hop on this trend over the next few years. It’s why we’re seeing so much vendor-side investment in AI and copilots - there is a ton of upside if they can increase margins and add AI-based feature sets for their customers to consume.

Prediction: AI will increase prices for tools and technology to run our businesses, matching an offset in human resource requirements.

If companies rationally attempt to solve their SaaS efficiency problems by removing human resources and replacing them with AI-based automation, the result will be a massive increase in AI-based demand and a new wave of business fundamentals away from SaaS and into SaaS-enabled AI agent-driven automation. This will change how we tactically operate day to day, how we are charged for our products and services, and how businesses manage themselves to meet the new market needs.

Prediction: Over time, SaaS decreases in value in favor of AI-based systems potentially delivered in a SaaS model, but more likely via some type of new interface will overtake the SaaS UI.

AI will drastically change how software is written, consumed, and charged for and, in time, completely rewrite how software businesses are run. Just as software was a massive paradigm shift that took a decade or more to understand, AI is on the same trajectory. I know this was a nerdy post, but thanks for bearing with me. I encourage you to read all three pieces and clap back at me with healthy debate and discussion. See you in the comments!

These Shoes Were Made For (VR) Walking!

Freeaim VR Shoes (Freeaim)

For our Story #5 this week, we bring you - Freeaim VR Shoes! If you don’t want to overpay for a VR-enabled treadmill designed to allow you to walk in virtual worlds, you can instead spring for brand-new virtual reality shoes! They may not look like the latest Jordans, but they are just as much of a waste of money. These shoes are designed to connect with your VR system to provide you with a fully immersive ability to walk around and not actually GO ANYWHERE! They aren’t cheap either - the current dev kit is $4999, and they hope to have the final retail version available for around $1000 USD. Just a word of caution: the “Swivel Caster Frame” is not included, and they have yet to figure out how to allow you to walk backward. Buyer beware!

Quick Hits and Hidden Gems

Barcelona anti-tourism protesters fire water pistols at visitors (CNN) - First, it won’t work. Second, it’s just stupid. Why are you bothering them?
AT&T says hacker stole some data from 'nearly all' wireless customers (ABC News) - They stole all the things.. ALL OF EM! Yet another massive breach.
Ticketmaster finally notifies customers, omits important details (Cybernews) - We knew about this one for a while. More massive breaches going down.

Share The Cyber Why

"DR" Word Soup: A Long and Winding Road

Katie Teitler-Santullo — Wed, 10 Jul 2024 14:02:10 GMT

The acronym word soup game is strong in cybersecurity. It’s easy for practitioners to forget how confusing it can be. We spit out these character combos as if they’re brand names and expect others in the organization to understand exactly what we mean. We also anticipate that business leaders and boards will buy into the fact that no security program can exist without the latest XYZ technology. Looking at security from the inside, it makes perfect sense to have 301 different letter-based categories; they align with analysts’ definitions and ranking systems, and (of course) vendors jump on these acronyms to remain relevant and attract attention in a very crowded marketplace.

Acronym SOUP - Specifically DR Soup is holding back cybersecurity efficacy

Over the years, “new” categories — and thus their acronyms — have emerged from perfectly descriptive former terms. For example, “data security” morphed into “data loss prevention”/”data protection” morphed into “data security posture management,” a term we use today to basically describe “data security” as it exists in 2024 versus how it existed in 1994.

Another trend that’s taken hold more recently is the tendency to add on to established terms. That is, take a category and chunk it into subcategories, thus allowing for disparate tools creation underneath the broader heading. The most current crazes I see are:

Security posture management: All the SPMs: CSPM, SSPM, DSPM, ASPM, I(A)SPM, and Orca’s latest addition: SCM-PM, “source code management posture management”
Detection and response: All the DRs: EDR, NDR, XDR, ITDR, DDR, MDR, ADR, MLDR, TDR

The rest of this post will focus on the “DR”s. There’s plenty to say about the posture management category, but I’ll save that for later.

The evolution of cybersecurity detection and response

Presumably, most of you reading this post work in security and know the history. But just in case you’re not a security pro or need a refresher — Cybersecurity emerged from more general IT in the late 1980s. At that time, and for about ten years, cyber threat detection and response (DR) primarily focused on signature-based analysis and provided the birth of antivirus (AV). If you’re old enough to have lived through or near those days, you might remember that identifying known malware patterns via signatures was tedious, highly manual, and not hugely effective. I mean, if you were a cybercriminal and knew that some newfangled software was looking for known patterns, wouldn’t you simply change the patterns? Yes, exactly.

AV software evolved to account for polymorphic viruses and became slightly more effective.

By the mid-1990s, no one in their right mind would have based their DR program on AV. It was a nice complement to other tools, one that would catch the “low-hanging fruit,” but not enough to be successful. What came next was intrusion detection and intrusion prevention systems (IDS/IPS). While IDS/IPS provided broader detection capabilities than AV, they were still based on patterns and were hamstrung by limited response actions.

The next decade brought SIEM, enhanced IDS/IPS, broader use of VPNs, heuristic detection capabilities, email filtering and spam detection, stateful firewalls, and more. These were (and continue to be) DR mechanisms in some form or another. As time passed, advanced persistent threats grew in popularity (both as a buzzword and a real-life potential attack) and tools developers needed to move toward greater detection and response efficacy. It became obvious that automation was needed and that reactivity wouldn’t cut it.

That’s when we first started hearing terms like “network detection and response,” “endpoint detection and response,” and the catch-all, “extended detection and response.” All these technologies emerged as a response to the evolving threat landscape. They were not completely new technologies but rather extensions of previous tools that existed, and they were built to fit modern-day computing requirements.

The exploding cyber tools ecosystem?

Of course, DR solutions cannot stand on their own; there are many other categories of tools — and related acronyms — deployed throughout organizations’ digital estates. As a result, the ecosystem of cybersecurity tools has exploded, and what we have today is a giant pool of tools to aid security teams in their quests to conquer the entire attack surface.

While detection and response is a well-understood category, the hyper segmentation of terms and acronyms has muddied the space. Many DR tools now don’t only focus on detection and response, as their name implies; they’ve added identification components that, presumably, can help security teams pinpoint problems before they turn into active compromise. What we’re left with is an accumulation of acronyms that don’t mean the same thing to everyone. On top of that, if you stop and drill into the various subcategories, it feels like we’ve got some duplicative efforts—or, at least, the ability to consolidate, as is the stated desire of many practitioners.

What do I mean?

Theoretically, XDR was developed to encompass NDR and EDR — the first iterations of DR tools. MDR offers the managed services version. Shouldn’t XDR cover everything, including managed DR? Logically, “extended” could mean coverage of identity threat detection and response (ITDR), data detection and response (DDR), application detection and response (ADR), “cloud detection and response,” and whatever comes next. It would be much simpler, wouldn’t it? The catch-all acronym “XDR” would clarify the soup.

But since security pros are so fond of acronyms, the creation of micro categories allows us to continue the trend and develop more siloed tools that will likely all converge “n” years from now. In the meantime, though, we have to have a place for each distinct subsection of DR. ITDR, for instance, is an approach for managing identities — both user and system. Cloud detection and response (CDR) clearly focuses on monitoring and managing cloud activity. Not necessarily identities of cloud-based systems and users (because that’s ITDR, at least to some vendors), but it could, couldn’t it? Wouldn’t that equate to “extended detection and response”? Gosh, this is getting confusing.

DDR is focused on protecting sensitive data (the artist formerly known as “data security”) for data in on-prem networks, cloud environments, applications…but then we have a separate category of ADR; ADR is much more specific to application runtime behavior, but it also analyzes things like user interactions (“identity”?), data flows (“data”?), and network calls (“network”?).

So What?

At the heart of the matter, the real question is: Are all these DR technologies necessary? The answer, I think, is yes. But are they necessary as standalone categories? If my crystal ball worked, it might say that many or even most of these acronymic categories will converge into one larger category, much like how SASE converged complementary categories into one integrated engine.

What’s amusing to me, though, is that, at least from this vantage point, the category they would roll into is…detection and response, which is the top-level umbrella category from which they emerged. In all likelihood, some analyst at one of the top two firms will concoct a creative term that can easily be turned into a catchy acronym that will be splashed across RSA and Black Hat conference booths. Two years later, the tides will turn again, and there will be another attention-grabbing category. For now, “DR” is all the rage. There are plenty of effective products to choose from if you want to swim in the DR soup. Sometime in the near future, though, expect your XDR vendor to buy your ITDR or ADR vendor — so negotiate your contracts well.

The Cyber Why: What We Read This Week...

Tyler Shields — Fri, 05 Jul 2024 16:28:45 GMT

Happy “try not to explode your fingers” week! That’s right, it’s the fourth of July and The Cyber Why is here to bring you all the cyber news that will “blow” your mind! This week the TCW crew reminisces about the first time we saw a web browser, discusses how GTM in cyber is different, generative AI breaks reality, Cloudflare gives the finger to AI crawlers, and a wake boarding beer drinking gem from the great Zuck! All this and more in this week’s The Cyber Why!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have a few 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

Marc Andreessen and the History of Netscape

The true story -- as best I can remember -- of the origin of Mosaic and Netscape (Marc Andreessen Substack)

I’m a sucker for historical content. I love documentaries, historical data analysis, and learning about the past to help us with the future. I specifically remember the first time I saw a “web browser”. It was the Mosaic browser on a Sun SPARC Station in 1993. I was freshman at the Rochester Institute of Technology and one of my classmates loaded up Mosaic to introduce me to the “World Wide Web”. I was simultaneously amazed and bored. It was super cool to have interesting data at your fingers tips yet a total waste of time because it was impossible to find anything of real value (this was pre search engines). Essentially it felt a lot like ChatGPT does today! If you are into the history of the Internet, check out this great content on the “true story of the origin of Mosaic and Netscape.”

Marc Andreessen Substack

The true story -- as best I can remember -- of the origin of Mosaic and Netscape.

Listen now

2 years ago · Marc Andreessen

Go To Market in Cyber is Just DIFFERENT!

Cybersecurity technology adoption cycle and its implications for startups and security teams (Venture In Security)

Another excellent article from from . This time with the help of , Ross breaks down the cybersecurity adoption cycle and how it is reversed from the more common model as seen in non-cyber markets. Ross and Kane are right on with their analysis, specifically helping security teams understand how the dynamics of emerging technologies should work in their organization and what it really takes to be a design partner of innovative companies and technologies. They take a very buyer-centric view into the adoption cycle giving direct guidance on how security teams can mature over time.

I have seen this model from the other side of the coin for over a two decades. As an early go to market executive at both Signal Sciences and JupiterOne, I saw the vendor side of their framework play out. Early adopters of both companies were the highly mature security programs that had security engineering teams and the ability to take raw technology and mold it to their requirements. As the products we were building became more feature complete we were able to move downward to the design partner and early adopter segments of the curve. Generally this meant breaking open the finance and banking verticals. Finally, the hardest group to sell to was what I called the “mass buyer.” This buyer was almost always way less advanced in their cyber program and needed a specific set of features to make the technology usable to their low resourced and limited skill sets teams.

This is a great article to read and comprehend for both cybersecurity buyers as well as those companies looking to build a go to market engine.

Could Generative AI Break Reality - YES!

Google Says AI Could Break Reality (404 Media)
Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data (ARXIV.org)

A new paper written by a combination of research team members from Google’s multiple labs reviewed over 200 incidents of genAI misuse between January 2023 and March of 2024. The results of the research indicate that the majority of attacks against generative AI are not technically “hacks” of the system itself, but instead are much more focused on abusing the features that exist for malicious behavior or alternative methods of reward. The analysis shows that the prevalence of misuse tactics center on impersonation, scaling and amplification of malicious content, falsification of data, and sockpuppeting. The team at 404 Media did a great job breaking down where the gaps exist in the research (small n, classification issues, etc) but at the end of the day they (and I) are fairly confident that the recommendations and findings are directionally accurate. If these types of attacks continue to propagate unabated, the concept of what “reality really is” can indeed morph, or at least be skewed, in order to achieve the attackers intent. It’s not about attacking the LLM, or input injection, or poisoning the AI data set - it’s really about abusing the general input and output content in enough volume to make an alternative reality become the norm. How’s that for some real matrix style shit!

Cloudflare Shoots Across the Bow of AI Crawlers

Cloudflare goes to war with Microsoft, Google, and OpenAI's bots, with blanket free tools to block all crawlers (Windows Central)

Keeping with the theme of “independence,” Cloudflare just released a free tool to help content creators declare “AIdependence.” (OK, first of all the pun doesn’t even make sense. It was definitely forced.. #fail++.) The technology launch comes on the back of the Microsoft AI chief last week saying that “public content on the open web is freeeware.” In response, Cloudflare created new features that allow customers, even those on the free tier, to block their content from all AI crawlers and bots.

I’m struggling with this concept. As a content creator myself, isn’t the whole point of writing to have a human being consume the output? In the new world, driven by AI systems, the concept of readers doing traditional Google searches for your content will fade away. Instead of going direct to the source pages readers will consume the bulk of their content from some type of aggregation algorithm that is AI derived. It’s already happening with short form video content via the TikTok and YouTube short systems. As an author, if I want my writing to continue to be discovered I have to let the search systems of the 21st century (AI system crawlers) find my content. Isn’t this somewhat like telling Google to not index your content back in 1999. It may have felt like the right thing to do at the time but the end result would have been your content never being consumed by an audience. I believe this is what will happen here.

Check it out - I didn’t spill a DROP!

Mark Zuckerberg's Lake Tahoe antics are getting even weirder (SFGate.com)

To end this edition of The Cyber Why newsletter here’s something completely unexpected. The all powerful Zuck decided it would be social media worthy to don a tuxedo and an American flag and go wake boarding to the best 4th of July song in history - Born in the USA. This is a very high scoring frat boy activity. Zuck only lost points because he clearly didn’t properly utter the words “Hold my beer!” before he hopped on the board. Hats off to you Zuck - may all of your beers be a banquet!

@dailymail Mark Zuckerberg went all out for July 4th, wakeboarding in a tuxedo while drinking a beer and waving an American flag. 🦅 #fourthofjuly #independenceday #markzuckerberg #july4 #happy4thofjuly #4dejulio

Tiktok failed to load.

Enable 3rd party cookies or use another browser

Quick Hits and Hidden Gems

Gymnastics is the Turing test of video generation models (@deedydas) - This could have easily been a story #5. Apparently Gemini classifies this as sexual explicit material as well!
AI startup Abnormal Security is set to be valued at $5 billion in new funding round, sources say (Business Insider) - That’s a LOT of cheddar. The pace of that treadmill just jumped another few miles per hour. Keep running hard Abnormal!
6 Things To Know About Getting Acquired: The Good, The Bad, The Somewhat Ugly (Jason M. Lemkin) - I have been giving similar tips to founders for years. These are things many first time founders don’t know about M&A.
A Eulogy for DevOps (Mathew Duggan) - An interesting tear down of DevOps explaining why it was doomed to fail from the get go. Comment below!

The Cyber Why: What We Read This Week...

Tyler Shields — Sat, 29 Jun 2024 18:26:57 GMT

Happy Saturday. As I sit here putting the final touches on the current TCW newsletter I realize how thankful I am to have friends that help me write the content every week. are the best in the biz and I love you guys!

Now on to this week’s TCW! This week we cover quant vs. human based venture investing, the polarizing story of Jacob Appelbaum, polyfill or poly-fluff?, nation state false flags, and for story #5 McDonald’s AI ordering SNAFU!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

Quant vs. Human Based VC - Math vs. Intuition

Can We Fully Automate Startup Investing? (Data Driven VC)

Venture investing today is, operationally, drastically different depending on the stage, focus, fund size, and type of investing that you are doing. In the early stages of venture investing there is very little data to go on, making team and idea the predominant factors on which decisions are made. As you progress into later stage investing with companies who have been around a while and have sufficient metrics to analyze, venture investing becomes much more quantifiable. The question that remains is can we apply more quant techniques earlier in the target company lifecycle to make even more data driven decisions in the angel, seed, and pre-seed rounds. Data Driven VC author, Andre Retterath believes the early stage end state will be a blending of quant and human decision making processes which is a cop out if you ask me. If you are an investor, leave your comments below on which methodology will come to dominate early stage over time.

Handcraft / Traditional VC: A shrinking group of senior, gray-hair industry veterans, characterized by a strong belief that VC is more art than science and that the best deals will always be sourced through their proprietary personal networks. Moreover, they are rarely aware of their biases (recency, similarity, confirmation, over-simplification, etc.) when making decisions and tend to overestimate their position based on their firm and personal brands as well as their (oftentimes impressive) investment track records.
Augmented VC: Combining the best of both worlds, where machines collect, process and contextualize vast amounts of data to achieve comprehensive coverage and give direction, and where human investors focus on a select number of founders to build deep relationships and assess the soft factors based on their intuition. While data provides coverage and guidance, the human makes the final decision.
Quant VC: A new species of purebred algorithmic VCs who believe that startup investment decisions should not involve humans at all, just like in pure-play quant public funds. Just algos, no humans. Fast, clean and repeatable. These investors believe that human involvement skews the models and reduces the likelihood to generate alpha.

ioerror - The Story of a Polarizing Figure

This cyber-security activist made me afraid of surveillance culture (CBC)
Nobody Wants To Talk about Jacob Appelbaum Movie (CBC)

Jacob Appelbaum. AKA ioerror. I remember him from Defcon and Blackhat in the early to mid-2000s. He had white hair and a bit of a wild and crazy demeanor. We ran in similar circles, yet he always had something off about him. My spidey senses tingled, and I distanced myself from him quickly. At the time, I wasn’t sure what bothered me other than something wasn’t right.

I won’t use this platform to dive into his history or past—you can research that independently. The short of his story is this: He supposedly contributed to some very interesting cyber research in the mid-2000s. Behind closed doors, he was often referred to as a “hanger-on” and a “noncontributor” by the other authors of the papers. At the end of the day, none of the technical work mattered when compared to the horrible accusations and proven actions that surfaced. Eventually, he connected with Julian Assange, WikiLeaks, and the Tor Foundation, and everything went completely off the rails from there. Nobody is sure if the core of the story is one of paranoia and mental issues or, indeed, a government plot to wreck a person’s life (or maybe a bit of both.) Either way, I’m watching this movie this weekend!

The new documentary entitled “Nobody Wants To Talk About Jacob Appelbaum” by director and creator Jasmie Kastner is available free on CBC.

Polyfill or Poly-fluff?

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack (The Hacker News)
Polyfill supply chain attack embeds malware in JavaScript CDN assets (Dev.to)
Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites (Dark Reading)
Hulu, 100K+ Websites May Be Exposed to Polyfill Malware (PC Mag)

(Katie pick) Earlier this week it was reported that polyfill.io, a widely used JavaScript service, was compromised, potentially impacting 100,000+ websites. As the news rolled out, watchers speculated on whether the service’s new China-based content delivery network (CDN) company, Funnull, had anything to do with the exploit, either intentionally or unintentionally.

The timing was suspicious: Funnull took ownership of the domain; shortly thereafter, malicious code was delivered through any website using cdn.polyfill.io, redirecting users to betting and porn websites. No reports of anything more than redirects have been issued.

Curiously, Polyfill’s original creator, Andrew Betts, warned people back in February when the domain was sold to the Chinese entity. He noted that “no website today requires any of the polyfills in the polyfill.io library.”

Well, I guess some companies didn’t hear/read the statement or didn’t care. But the story doesn’t end there: As of Thursday, Namecheap.com, a domain hosting company, decided to remove polyfill.

In theory, this stops any further propagation of the attack. Time will tell.

Nation States Deploying Ransomware To Throw Defenders Off The Scent

ChamelGang APT Disguises Espionage Activities With Ransomware (Dark Reading)
Chinese State Actors Use Ransomware to Conceal Real Intent (InfoSecurity Magazine)
Cyberespionage Groups Attacking Critical Infrastructure with Ransomware (Sentinel One Labs)

(Rick pick) This week, SentinelOne's SentinelLabs released new research highlighting suspected Chinese and North Korean APT groups leveraging ransomware in their campaigns for “financial gain, disruption, distraction, misattribution, or removal of evidence.” In traditional intelligence parlance, the misattribution angle is referred to as a false flag. If you aren't a spymaster or Jason Bourne, let me help you out. The CIA defines a false flag as a:

"deliberate misrepresentation of motives or identity; an operation designed to appear as if it were conducted by someone other than the person or group responsible for it."

APT groups gain plausible deniability from conducting ransomware activity, and data exfiltration is part of the IP theft playbook. When conducting investigations, don’t make attribution assumptions. If you are in the US manufacturing sector in particular, you should read the full report and conduct threat hunting on the research findings.

Bacon Ice Cream Should Be A Feature, Not An AI Misfire

Bacon ice cream and nugget overload sees misfiring McDonald's AI withdrawn (BBC)
McDonald’s to end AI drive-thru experiment after errant orders — including bacon on ice cream and $222 McNuggets bill (New York Post)

AI is everywhere, even McDonalds. About a year ago McDonalds restaurant group rolled out AI based chatbot ordering to over 100 stores nation wide. The result of the year long experiment has been colossal failure and a horrible inability to take accurate orders. Viral videos have emerged showing hundreds of dollars of chicken nuggets sneaking onto the order slip, dozens of cream and kethup packets being added to a drive through request, and even one person getting a side of bacon layered on top of her ice cream cup. What a mess up - at least learened that current AI capabilities aren’t quite ready to ask if you would like fries with that!

I have to admit it - this looks freaking GOOD!

Quick Hits and Hidden Gems

Neiman Marcus confirms data breach after Snowflake account hack (Bleeping Computer) - The long tail of the exposed Snowflake credentials continues.
TeamViewer's corporate network was breached in alleged APT hack (Bleeping Computer) - Russian threat actor, APT29 is actively exploiting the popular remote access solution.
Batten down the hatches, it's time to patch some more MOVEit bugs (The Register) - Progress Software is making headlines for all the wrong reasons, again.
Evolve Bank Data Leaked After LockBit’s ‘Federal Reserve Hack’ (Security Week) - LockBit claimed to have 33 TB of Federal Reserve data, but so far it appears to be from an Arkansas bank.
The 'BlackSuit' hacker behind the CDK Global attack hitting US car dealers (Reuters) - Reuters took a deeper dive into the ransomware actor behind the CDK Global outage crippling car dealerships across the country.

Share The Cyber Why

The Cyber Why: What We Read This Week...

Tyler Shields — Mon, 24 Jun 2024 13:58:40 GMT

If you haven’t checked out The Cyber Why Podcast CLICK HERE! The monthly(ish) podcast covers the latest cyber news, commentary, debate, and discussion with a bit of fun and flare. You can find TCW Pod on thecyberwhy.com and all of your favorite podcast streaming systems.

This week in The Cyber Why Newsletter we cover a great article from on hiring for a startup vs an established org, more details emerge on Shinyhunters and Snowflake, Kaspersky banned from US operations (and photos of Tyler at a Kaspersky boondoggle), more pork on Pig Butchering style attacks, and an EPIC RANT on AI. All this and more is in this week’s TCW newsletter.

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

Startup Vs. High Growth - Same Thing, Right?

Hiring top performers from large cybersecurity vendors won't help early-stage startups grow, but it can ruin them (Venture In Security)

I want to open this week’s TCW newsletter with a top-tier piece by from . The differences between building a startup and scaling a high-growth yet larger company are massive. Forget about the learnings you get going from $50M in ARR to $200M+, the run from $0 to $10 is so different, I would argue that the knowledge you gain from one will not only slow down your efficacy in the other, but there is a very real chance that it will cause you to FAIL when making the switch. Ross does an excellent job detailing exactly why this phenomenon exists and why hiring people from your network who have experience in your growth phase is the best way to build your business. If you are a founder or entrepreneur who has hiring responsibility, this article is an absolute must-read.

Shinyhunters Reveals How They Compromised Snowflake Customers

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake (WIRED)
(Rick pick) Earlier this week, the great Kim Zetter scored a text chat interview with Shinyhunters, the threat actor that purportedly compromised Snowflake customers Ticketmaster and Santander. Shinyhunters has been on the cybercriminal scene since May of 2020 (full disclosure, link to Rick's day job), where they started selling and giving away data breaches for free. The group transitioned into extortion and continues to make headlines. The big news from the WIRED article is that there is a 4th party risk angle to these incidents. Shinyhunters claimed to have compromised EPAM Systems, a Snowflake partner. EPAM discounted Shinyhunter's allegations, saying, "It does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale." Infostealers aren't new, but they are trending, and defenders need a strategy to defend against them. Start with MFA, use passkeys, don't allow syncing personal browsers with work browsers, and set shorter session cookie timeouts. Keep threat actors from using your credentials to gain initial access.

Kaspersky Banned From US Operations

Exclusive-Biden to ban US sales of Kaspersky software over Russia ties, source says (Update)
New Government Ban on Kaspersky Would Prevent Company from Updating Malware Signatures in U.S. (Kim Zetter)
Eugene Kaspersky (Wikipedia Entry)

Russian antivirus firm Kaspersky has been banned from selling its software in the United States. In addition, they are no longer allowed to provide updates to customers that reside within the US borders. Kaspersky has skirted along the edges of the United States political system for as long as I can remember (see controversies section on Eugene Kaspersky’s Wikipedia entry here). The Department of Homeland Security even banned Kaspersky from all federal US government systems in 2017, citing multiple transgressions.

When I was a cyber researcher (long ago), Kaspersky held an annual boondoggle where they flew every big-name researcher, market analyst, influencer, and more to a remote location and held a killer cyber conference. After several years off, the event recently resurfaced and will be hosted in Bali, Indonesia, in 2024. The event has never been held in the United States - the rumor and prevailing opinion was that over half of the company couldn’t get into the country to host it here. Somehow, I managed to get invited for my mobile security research during my days as a market analyst. I had so much hair back then!

Pig Butchers Are The Worst Type Of Criminal

Killed by a scam: A father took his life after losing his savings to international criminal gangs (CNN)
(Rick pick) We have covered "pig butchers" in the past; it is a heartbreaking scheme where criminals run a long con on their victims to get them to invest in fraudulent crypto. Often, these romance scams target lonely retired folks and wipe out their life savings and dignity. A country prosecutor quoted in this CNN story said:

"I've been a prosecutor for over 25 years. I've done all kinds of different types of crime. I spent nine years in sexual assault. And I've never seen the absolute decimation of people that I've seen as a result of pig butchering."

Sadly, many of those who conduct these scams are trafficked to places in Southeast Asia against their will and forced to fleece their victims. I have some personal experience with these types of scams. Although no money was lost, a close family member of mine was actively groomed over months in an attempt to cash out. Some scams focus on crypto investment, while others seek to have money wired overseas. In 2023, the FBI Internet Crimes Complaint Center "received reports from 6,740 individuals over the age of 60 who experienced almost $357 million in losses to Confidence/Romance scams." We must educate our parents and grandparents on the predators that conduct these scams and how to protect themselves. Jason Statham’s latest film, “The Beekeeper,” has him get payback on these types of scammers. Go get ‘em JASON!

Rant On My Friend! Epic Rant on AI Hype!

I Will Fucking Piledrive You If You Mention AI Again (Update)

Holy shit, what an amazing piece of literature! OK, maybe it’s not quite “literature” in the traditional sense. Still, this article had me rolling on the floor laughing at the outlandish and violently funny visualizations embedded alongside actually interesting commentary on the realities of the AI everything craze. Very rarely do I get all the way through something this long and think I didn’t waste my time. If you are interested in AI from a data scientist's view and still have a sense of humor, I highly recommend you check out this read. Here’s an amazing quote to whet your appetite:

With God as my witness, you grotesque simpleton, if you don't personally write machine learning systems and you open your mouth about AI one more time, I am going to mail you a brick and a piece of paper with a prompt injection telling you to bludgeon yourself in the face with it, then just sit back and wait for you to load it into ChatGPT because you probably can't read unassisted anymore.

Quick Hits and Hidden Gems

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested (Krebs on Security) - (Rick pick) Good news, a 22-year-old Scotsman has been arrested. Bad news cut off one head, two more will take its place. Hail Hydra!
Biden to ban US sales of Kaspersky software over Russia ties (Reuters)
(Rick pick) Biden says “нет” to Kaspersky, customers have until September 29th, to move off.
CDK Global hacked again while recovering from first cyberattack (Bleeping Computer) - Directly affected me. I was turned away from a dealership last week!
WTF is Cloud Detection and Response (CDR)? (Latio Tech) - James is brilliant. Check out this great work on CDR
ADR - The Future of Runtime (Latio Tech) - ADR is different yet the same. James hits it again... PS: I’ve seen what’s coming next, and it’s AMAZING!
What’s Changed in 50 Years of Computing: Part 3 (The Pragmatic Engineer) - If we don’t learn from our past, we are doomed to repeat it. Great read.

Share The Cyber Why

Cyber arrests, Death of SIEM, MS Total Recall, Getting Snowflaked, and the Gili Ra'anan Model - TCW EP4

Tyler Shields — Thu, 20 Jun 2024 22:49:45 GMT

Welcome to TCW Pod #4, where we serve up the latest in cybersecurity with a side of snark and wit. In today's episode, we unravel the frosty Snowflake attack, navigate the labyrinth of SIEM's future, and dig into the spicy Gilli Ra'anan model. We also dish out tales of Scattered Spider arrests and the quirks of getting a job sans network. Buckle up as we blend serious insights with a splash of humor, making the world of cybersecurity both enlightening and entertaining. Let’s dive in!

Subscribe now

TCW POD #4 SHOW NOTES

On this episode, hosts Tyler Shields, Rick Holland, Katie Teitler-Santullo, & Adrian Sanabria tackle the following key points:

00:42 - Introductions and Cold Open

Crime hasn’t been solved in other fields… so why should we be special? — Adrian Sanabria

03:42 - Show Sponsor - Material Security

Does your email security solution fit your alert budget?

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Remediations are a breeze with Material – try it out for yourself at material.security.

Visit Material Security

04:27 Have You Been Snowflaked?

In this segment, we dive into the icy depths of the Snowflake attack. It starts with a chilling recount of the breach details, where info stealers had a field day, and customers found themselves compromised. The infamous Shiny Hunters make an appearance, shining a light on the murky world of cyber threats.

The conversation then melts into a discussion about partner compromise and the ever-looming fourth-party risk, like a game of cybersecurity Jenga waiting to topple. We hear about shared responsibility, where Snowflake tries to play the role of a responsible neighbor but ends up with a "Not in My Backyard" situation when infrastructure issues and media blame come knocking. Finally, things heat up with a discussion on credential security and the many flavors of Multi-Factor Authentication (MFA), leaving everyone pondering how to keep their digital igloos safe from the next big thaw.

25:25 Is SIEM Dead - If So What’s Next?

The future of SIEM is a labyrinth of challenges and labor intensity. The team explores the reinvention of SIEM, predictive analytics, and the inevitable evolution of security technologies. Amidst this, a debate on whether we should replace our SIEMs or embrace the challenges they bring unfolds, sprinkled with market trends and future forecasts.

38:30 Microsoft Recall Gets a TOTAL Recall

Microsoft Recall swoops in, bringing privacy and security concerns to the forefront. The discussion pivots to the marketing and user perception of Microsoft's latest move, wrapping up with insights that leave us all reconsidering the tech giant's role in our digital lives. If Recall had been released as an Apple product, would it have been so poorly received? After getting slapped by cyber folks worldwide, Microsoft throws in the towel and executes a “Total Recall of Recall.”

Arnold in Total Recall

50:47 Job Hunting Without a Network - Is It Possible

In this segment, Katie shares the rollercoaster ride of landing a job without a robust network. Spoiler alert: she cheated a bit. With a new gig at Ox Security, Katie spills the tea on how her extensive network fast-tracked her through the hiring process like a VIP at a cyber nightclub. Her network of connections, cultivated over years of schmoozing at conferences and trading favors, turned the grueling job hunt into something easier. Katie's journey underscores the reality that in the cybersecurity world, it’s often not what you know but who you know.

Katie’s article, “Finding a Cyber Job Without a Network,” struck a chord with readers, setting LinkedIn message boxes ablaze. She acknowledges her privilege, highlighting the plight of the less-connected masses who prefer a clear divide between work and personal life. Her candid reflection reveals the industry's bias towards the well-networked, leaving the heads-down, do-the-work folks in the dust. It’s a stark reminder: in the land of cybersecurity, your network is your net worth.

58:40 Scattered Spider and Law Enforcement Actions

This segment spins a web of intrigue as the team dives into the latest Scattered Spider arrest. Tyler B., not to be confused with our own beloved Tyler S., gets nabbed in Spain, shaking up the cybercrime community. Rick breaks down how these cyber villains often meet their fate while globetrotting, unlike their Russian counterparts who wisely stay put. Scattered Spider stands out in the ransomware crowd, a hodgepodge of English speakers mingling with Russian groups, showing that cybercrime truly transcends borders.

Rick adds a sprinkle of Hollywood flair with a nod to Jeff Goldblum's "cybercrime finds a way" quip, highlighting the resilience of these digital miscreants. From targeting MGM to causing a ruckus earlier in the year, Scattered Spider’s antics have kept law enforcement busy. This discussion underscores the relentless game of cat and mouse between cyber criminals and the authorities, reminding us all that in the world of cybercrime, there’s always another villain waiting in the wings.

Cybercrime FINDS A WAY!

63:00 The Gilli Ra’anan Model

SPICY TAKE! The team dives into the controversial "Gilli Ra'anan Model," named after the founder of CyberStarts, Gilli Ra'anan. Known for his uncanny knack for success, Ra'anan's stats are almost too good to be true. A former member of Israel's elite 8200 unit and the man behind CAPTCHA (yes, he's the reason you’re identifying traffic lights to prove you're human), Ra'anan has made waves in the cybersecurity investment world.

The spotlight is on his venture capital firm, CyberStarts, and its innovative yet eyebrow-raising Sunrise program. While applauding his impressive track record, the discussion doesn't shy away from the spicy takes and potential conflicts of interest that come with such a unique approach to venture capital. As the story unfolds, the team highlights the fine line between groundbreaking success and the murky waters of ethical dilemmas in the cyber investment landscape.

75:00 My Money Don’t JIGGLE JIGGLE - It Folds! Employment Scams and Mouse Jigglers

The conversation takes a quirky turn as the team delves into the world of employment scams and mouse jigglers. Anecdotes fly, and the ethical dilemmas of multi-job stacking come to light. With humorous commentary, the discussion reveals the creative lengths people go to in the name of remote work shenanigans, proving once again that truth is stranger than fiction.

95:00 So Long, And Thanks For All The JIGGLES!

With the final notes of gratitude, the podcast concludes. The team thanks the participants, sponsors, and the dedicated production crew at Dead Inside Media. With heartfelt waves and cheerful goodbyes, they wrap up another enlightening episode of the Cyber Why podcast, leaving listeners eager for the next round.

Share TCW with your friends. Baby kittens will thank you!

The Cyber Why: What We Read This Week...

Tyler Shields — Fri, 14 Jun 2024 21:12:53 GMT

It finally happened. We missed a week! I was off galavanting around Las Vegas, playing in one of the largest poker tournaments in history, and didn’t have the time to write last week’s newsletter. The scary thing is… NOBODY COMPLAINED! The only thing worse than getting yelled at for missing a week of content is NOT getting yelled at. Come on people.. show us some love!

This week in The Cyber Why, we cover the Snowflake breach that wasn’t, $1B is the new number to IPO, Fortinets acquisition and 0day failures, the Gili Ra’anan Model, and toilet stall harassment. All this and more in this week’s TCW.

Does your email security solution fit your alert budget?

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Remediations are a breeze with Material – try it out for yourself at material.security.

Snowflake or User Error - Who is at Fault?

Who's responsible in the Snowflake breaches? (Frankly Speaking)
Hundreds of Snowflake customer passwords found online are linked to info-stealing malware (TechCrunch)
Mandiant says hackers stole a 'significant volume of data' from Snowflake customers (TechCrunch)

We talked about this two weeks ago in The Cyber Why, but I want to bring it up again through a different lens. As the news story broke, most articles pointed out that Snowflake had been hacked. What actually happened is quite different than what was originally portrayed in the media. The attack was really a compromise of Snowflake credentials by attackers who had planted info-stealing malware across the computers of employees who have access to their employer’s Snowflake environment. This was a targeted attack against Snowflake using compromised credentials and nothing more. The question left open here is, “Who is at fault?”

Many in the security community believe that both the compromised customers and Snowflake should share the blame for these massive breaches. Snowflake did not require multifactor authentication by default, leaving the end user to configure the instances securely, and the data administrators didn’t properly secure the environment when they deployed the technology. MFA was an option, but it just wasn’t enabled by default. This sounds to me like a case of buyer beware. If you don’t properly lock your front door, is your home's builder responsible when you get robbed? I don’t think so.

This isn’t a cut-and-dry answer. I’d love to hear your comments on the topic below.

Billion Dollar Bollucks - $1B ARR or BUST!

Billions: The New Significance of Billion-Dollar Scale in Cybersecurity (Strategy of Security)

In this article, Strategy of Security author Cole Gromlus identifies a very interesting set of data. Cybersecurity companies aren’t ready to IPO until they are at $1B in ARR or have a very clear path to $1B in ARR via massive growth rates on nine-figure revenue numbers. This is a really interesting piece because the author just doesn’t look at what it takes to execute a cyber IPO in today’s market. Instead, he breaks it down by revenue, valuation, financing requirements, and potential acquisition opportunities that will occur along the way. It’s an interesting expose on modern software company valuations and what it takes to succeed at this level. It’s such an insane thought to me that a company at $250M in ARR and 20% growth wouldn’t be successful in the public markets, while a $250M ARR company with 50% growth and a five-year path to $1B would flourish. The markets reward growth way more than being a healthy business, and if that means getting way out over your skis along the way, so be it. If you don’t crash and burn along the way (Laceworks), good luck sticking the landing.

FortiVulnerable? Fortinet Makes Headlines For Vulnerabilities (Again)

China's FortiGate attacks more extensive than first thought (The Register)
China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says (Ars Technica)
Ongoing state cyber espionage campaign via vulnerable edge devices (Dutch NCSC)

(Rick Pick) Fortinet grabbed headlines this week with their acquisition of cloud security provider Lacework, but that's not their biggest story. Once again, they're in the spotlight for zero-day vulnerabilities. This time, it's CVE-2022-42475, a buffer overflow vulnerability in their SSL VPN. Dutch government agencies first reported this issue in February and just released new details. They revealed that Chinese actors accessed at least 20,000 FortiGate systems worldwide in 2022 and 2023, targeting dozens of Western governments, international organizations, and many companies in the defense industry. No bueno.

I don't know about Fortinet's product security program and the efforts it makes to minimize vulnerabilities, but this is all too common now. To be fair, threat actors of all types target edge devices, but vendors know this and should go to great lengths to push out secure code. At some point, buyers will hold vendors accountable and look at alternatives. If you are a bug bounty researcher, sadly, "Fortinet does not operate a bug bounty program." Fortunately for Fortinet, ripping and replacing big iron network gear is no small feat.

The Gili Ra’anan Model

The Gili Ra’anan model: Questions emerging from Cyberstarts' remarkable success (CTech by Calcalist)

Oh boy, this article is spicy. Rumors like this have been passed around for years, and nobody has been willing to go on record publicly and tell the story. That ended yesterday…

Calcalist, sometimes referred to as a bit of a hit piece publication, has set its sights on Cyberstarts and its founder Gili Ra’anan. They didn’t pull punches, instead making accusations of abuse of conflicts of interest, directly calling out Cyberstarts business model and several CISOs for potentially shady activities. In the article, the author claims that the Cyberstarts model incentivizes enterprise CISOs to purchase products from portfolio companies. Names are named, including specific CISOs who may have purchased multiple Cyberstarts-backed company products, deploying them in major enterprises regardless of their effectiveness, need, or costs. Below is one of the most damning quotes from the article:

"I recruited a new CISO for a financial organization that I managed out of a desire to refresh the cyber defense system. I gave him a free hand because I trusted him and I see this position as a position of trust. Six months later, I noticed that, surprisingly, almost all of the new logos that the CISO introduced were portfolio companies of Cyberstarts," describes a former senior executive at a large financial institution in the U.S.
"It's not that these were necessarily bad solutions, but that some of them were a very low priority for us or solved problems that were not particularly urgent. After I confronted the CISO on the subject, he admitted that he is on the list of advisers of Cyberstarts and receives a percentage of the funds from them. Shortly after this, he left the company and immediately upon the appointment of a new CISO, I asked him to inform me if he was contacted by Cyberstarts. Within a few weeks, he had already received an email from them with a description of their kind of 'loyalty program' that details exactly what he will receive the more he works with the fund." The letter, signed by Ra'anan himself and coming from his email box, also contains a sentence that refers to the amount of future compensation: "It is difficult to predict the performance of the fund, but according to our forecast, the points you have accumulated so far are valued at X dollars. You can expect additional allocations in these funds in the coming years and in the new funds we will raise later."

NOTE: I am not accusing anyone of anything or taking sides myself. I’m simply reporting the story. Do your own analysis and come to your own conclusions.

Poo-Timers and Bathroom Harassment

How long have you been in there?! A popular tourist destination in China has installed toilet timers. Reactions are mixed (CNN Travel)

For our story #5 this week, we bring you the most often heard series of words in every married male human’s life: “Are you STILL IN THERE!” In what can only be described as a shitty user experience, a popular tourist attraction in China has added stall timers to its public bathrooms. Essentially, the longer you sit in the stall, the higher your timer goes letting people know how long it takes you to do your business (or play one more game of Candy Crush). I, for one, think this is ridiculous. The last thing I need is someone telling me to get off the can while I’m on vacation to see a bunch of statues and caves in China. I get enough of that kind of harassment at home!

Quick Hits and Hidden Gems

Some notes on influencering (Lcamtuf’s thing) - This one struck a chord. I’ve been a fan of Lcamtuf for a while now, and it’s great to hear I’m going through the same things he does.
A PR disaster: Microsoft has lost trust with its users, and Windows Recall is the straw that broke the camel's back (Windows Central) - If Apple had launched “Recall” would it have had a positive reception? I’m guessing the answer is YES!
TCP #49: Product News & Recall Dumpster Fire (Cybersecurity Pulse) - Darwin is a super smart dude. More thoughts on Recall (see above)
Cybersecurity is not a market for lemons. It is a market for silver bullets. (Venture In Security) - There HAS to be a better way. I can’t believe we haven’t figured out a better way to measure security efficacy.

Share The Cyber Why

Fortinet Acquires Lacework in Surprising Move

Katie Teitler-Santullo — Wed, 12 Jun 2024 20:26:48 GMT

It’s been a tumultuous ride for Lacework, the former Super Heavyweight of cloud security. The nine-year-old company started its meteoric rise almost immediately out of the gate, taking advantage of enterprise companies’ mass migrations to the cloud. The company closed its $8 million USD Series A almost immediately after emerging from stealth; five rounds and $1.9 billion of investment later, the company was backed by some impressive firms, including Snowflake, Google Ventures, Altimeter Capital, General Catalyst, and Sutter Hill Ventures.

Subscribe now

As of late 2021, Lacework was valued at $8.3 billion, yep, that’s “billion” with a “B,” making it — at least on paper —one of the biggest cybersecurity players on the market.

And then came the fall. While many companies — in and out of cybersecurity — floundered during and in the wake of the pandemic, cloud companies thrived. Businesses needed a way to get people working from home, quickly and securely, and the cloud security market capitalized on this momentum.

Lacework was one of the companies leading this effort. Bolstered by all the cash it could possibly need to advance and enhance its products, acquire companies/products to expand its portfolio and hire top talent, there should have been no stopping the company. They even jumped into the artificial intelligence (AI) fray before the term was splashed across every RSA vendor’s booth and sprinkled into sales and marketing collateral. The way Lacework was using AI (read: advanced math, a.k.a., algorithms) was by using anomaly-based detection in ever-shifting cloud environments. Great idea…but it fell short when it was realized that, uh oh! The training data didn’t exist. For any machine learning (ML) or AI algorithm to work, enormous amounts of data must be available for the model to learn. And it must be reliable and trustworthy data. But because of how cloud environments work — how busy they are, and the fact that many cloud-focused attacks are based on API calls (not the data in the cloud itself) — the technology started to falter.

From the cloud to the ground

A whole lot of technological issues later, the company’s valuation started to drop. Lacework laid off 20% of its workforce. Key executives (like the co-CEO) started running for the hills. The remaining team management seemingly used questionable tactics to lure companies into buying the product. Employees—current and past—started complaining about the toxic and overly political culture. Customers started reporting the product’s lack of efficacy. And the list goes on and on.

Lacework’s fall from grace was highly recognized in security circles. As both its valuation and revenue plummeted, and the cloud security sector continued to boom, competitors took notice. Wiz, the 800-pound gorilla of the cloud, decided to approach Lacework for an acquisition — theoretically to buy the company in a firesale, retain the good parts, and remove one noisy would-be competitor.

But that acquisition fell through. Not much detail was given, and the security community was left to speculate that Wiz found something—or a whole lot of somethings—it didn’t like during the due diligence process. The toxic culture could have been a sticking point, or Wiz could have discovered some “smoke and mirrors” in the product. We’ll likely never know. However, the covers were off—everyone seemed to be talking about Lacework as a case study of how not to operate.

A fresh start, or tearing apart?

It seemed like the end of the road for Lacework until yesterday. On June 10, 2024, Fortinet announced it would acquire Lacework for an undisclosed amount. According to the Fortinet press release, “Fortinet intends to integrate Lacework’s CNAPP solution into its existing portfolio, forming one of the most comprehensive, full-stack AI-driven cloud security platforms available from a single vendor. This will help customers identify, prioritize, and remediate risks and threats in complex cloud-native infrastructure from code to cloud.”

The reality is that time will shake out a few of the reasons why this seemingly failing company is being thrown a lifeline. Is it an acqui-hire? An acquisition “for-parts”? Were the financials just so in Fortinet’s favor — the firesale of a lifetime —resulting in Fortinet engineers having a tiny leg up on building CNAPP rather than starting from scratch?

One thing is for sure: the announcement has captivated many in the cybersecurity community, and it’s bound to be a topic of conversation for a long time. If you have thoughts or opinions on this story, leave them in the comments below!

Can You Land Your Next Job Without Your Network?

Katie Teitler-Santullo — Tue, 11 Jun 2024 22:40:09 GMT

This article was written on June 4, 2024, by The Cyber Why author Katie Teitler-Santullo.

Hi — I’ve been gone for a while, recalibrating and job hunting. Maybe you’ve noticed, maybe you haven’t. In either case, I had about two months away from work and even though I was much busier than I wanted to be, I had time to reflect and think about cybersecurity as a career. Not just my career, but cybersecurity as a career, in general.

Subscribe now

Flashback to April

My former job was on shaky ground. Over the last year (plus) there were a number of major changes to my department as well as other organizational changes that directly and indirectly impacted my and my team’s work. As a result, I’d been thinking about making a move. But I’m usually not a quitter; I prefer to be shoved out the door for some sadistic reason.

During the first week in April, it became readily apparent to me that I’d need to start looking for a new job ASAP. I was out of town, getting ready to speak at a conference. What I should have been doing that morning was prepping my talk. Instead, I had a bad gut feeling and started messaging trusted friends and colleagues. The gist of my messages: “I think I need to look for a new job. If you know anyone who is hiring, I’d appreciate an introduction.”

Within minutes, the first reply came back: “Call me. I might know someone.” Over the course of the day, I received several other responses with a similar tone. That was a Wednesday. On Friday, I had my first conversation with the person who would ultimately facilitate my new job (at an amazing company!!). The following Monday, I had three more conversations with companies that were hiring for my role. Several of those conversations turned into opportunities, meaning they weren’t fluff conversations scheduled simply because a friend of a friend of a friend asked for a favor. I was being ushered down the hiring pipeline solely because of the industry connections I’ve made. I have been incredibly fortunate throughout my career to work with some really good people who (for some odd reason) appreciate my work and me as a person. And, in this situation, they were willing to dedicate time and effort to help me find my next job.

Work your network

You might think this is luck; where I’ve worked, and the positions in which I’ve worked have given me certain “advantages.” While there might be some truth in that, I also work really hard at cultivating and maintaining my network of security friends and colleagues. I check in with people “just because.” I send birthday texts (if I know their birthday). I reach out when I see/hear that someone is job searching. I make introductions whenever I can.

(Importantly, though, I am not a pest; I won’t continue to communicate with someone if they indicate in any way that my touchpoints are unwelcome. I’m not that LinkedIn connection.)

I know many of you readers also work hard at the community aspect of cybersecurity. Mostly, though, when we’re networking, the goal is less about “what can you do for me” than shared interests or, more simply, a connection with someone fun, friendly, interesting, etc. Personally, I don’t keep in touch with people because I’m thinking, “One day, I might need their help.” However, it’s hard to ignore the fact that I got my current job, had the plethora of interviews I did, and was offered jobs only at companies — not just now, but over the last 20 years — that began with a personal introduction. Every single job I’ve had in cybersecurity, going back to 2004, has started with an introduction. And I’ve never had more than a two-month gap between jobs. (If you’re now checking my LinkedIn, you’ll see a few gaps that are greater than two months. There were times I left a job, dabbled outside of security, then returned. Those positions appear only on my resume.)

My network has had a significant and profound impact on my ability to find employment. Again — I am incredibly grateful. I am even more grateful when I look at the state of the industry and my friends and colleagues who have been job-seeking for longer periods of time. Over the last few years, I’ve spoken with several people who want or need a new job and have to rely on the old-fashioned method of job hunting: applying through companies’ websites or job boards. These people send out hundreds and hundreds of resumes and fill out countless forms because they don’t have an inside track.

And they’re not getting great or rapid responses. I know a lot of very skilled people who have a hard time scheduling interviews because they are applying “blind.” I have two friends who, after applying for cybersecurity jobs for months on end (and have job history in the field), decided to send resumes to non-security tech companies. Guess what happened. They got positive responses right away.

In only one instance during this last round of job seeking did I land an interview with a company at which I knew no one. And even though the conversation went well, the HR person never followed up, even after saying I was a “great fit for the role.”

It’s a miserable situation. I’ve felt it. Even though my latest job search was fast-tracked due to connections, I built a backup plan in case something went awry. I applied to a dozen or so positions — which were exactly the same as the one I have and another for which I was offered a job — at which I didn’t have a personal connection. I either never got responses from those “blind” applications or received responses claiming there were “other candidates better suited.”

Stranded without a network

Thinking about this — and watching several of my friends and former colleagues struggle with the state of hiring in security — I have to wonder: when did we become so insular that only a connection — tenuous as it might be — will do? Is cybersecurity the type of community that refuses to welcome unknowns, even when the person’s skills, background, and temperament are a perfect fit for a position? Is a person imminently more qualified when referred by a friend, or a friend of a friend (or more)?

I saw this happening during my search, so I asked one of the people interviewing me why she was only talking to people to whom she’d be introduced by a mutual connection. “These positions are too risky to hire just anybody.”

Is that actually true? And isn’t that what the interview process is for? Aren’t recruiters supposed to help establish a connection? Do people honestly think that only the people they already know are the only good workers in the industry? Is keeping the circle tight helping advance security? Shouldn’t we be more impressed with what someone brings to the table than whom they bring to the table?

Expand your periphery

In my opinion, it’s extremely limiting to shrug off candidates purely because there’s no direct or dotted line to the hiring manager or company. While every job I’ve had in the last two decades started with an introduction by a mutual connection, I have met a number of amazingly impressive people at those jobs who are now colleagues I would recommend to any hiring manager. My professional life is richer for meeting these new people. My network has grown because I had the opportunity to work with people I didn’t previously know anything about. Some of these “outsiders” are now personal friends with whom I regularly communicate and/or spend my non-work time.

On the flip side, some of the people in my network who were once very close colleagues have significantly drifted outside my periphery (and vice versa). I have no idea what they’re up to now. If they are as committed as they once were. If they’ve kept up their skills. Sure, if someone in my network were to reach out and ask me to vouch for one of these people, I likely would. But I’d have to caveat it and say we haven’t been in contact for X while. Knowing the industry, I’d guess that even a latent relationship counts for more than no relationship.

Even though I benefit from wonderful professional relationships, I think it’s a disservice to the industry to rely solely on introductions when hiring for open positions. It might take more effort to vet an “unknown,” but it can pay off multifold. You never know how someone will act or react inside a new company, even if you’ve worked with them for years under different circumstances. When faced with a toxic environment or bad team composition, a previously amazing worker can sour or develop apathy. Stressful situations can breed bad — or anomalous — behavior. Someone you already know isn’t necessarily a “sure thing.”

Subscribe now

A different perspective on hiring

Personally, I will continue to grow my network and connect with past and current colleagues. I will also continue to try to help people in my network when I can. But I will also be mindful that the next best candidate for a job I might be hiring is someone completely disconnected from me or my network. From my point of view, the industry is in too much need of skilled workers to write people off purely because they were heads down at their jobs or too shy to attend RSA parties. I know some HR pros and hiring managers will say it’s too much work to wade through pages and pages of blindly submitted resumes or, worse yet, that their “AI-based resume scanner” didn’t identify the “correct” buzzwords.

If we want talented people to work for and with our teams, we have to expand our perception of who is the “right” fit. A tenuous LinkedIn, user group, online forum, or social media “connection” does not a known quantity make. Let’s be honest: on the internet, nobody knows you’re a dog.

So, while it might be easier to take the path of least resistance, which includes personal introductions for open positions, it might be profitable in the future to invest in cultivating new colleagues along the way. After all, a stranger is just a friend we have not yet met, or something…

In the meantime, I will continue to thank the gracious colleagues and friends who helped me land my current role.

FTR: I have recruiters connecting on LinkedIn all the time. They’re always willing to help when I don’t want or need a job. But when I reached out on this last hunt, ONLY the recruiters who personally knew at least one of my LinkedIn connections responded.

The Cyber Why: What We Read This Week...

Tyler Shields — Tue, 04 Jun 2024 00:13:10 GMT

I’m having trouble keeping my eyes open today. I’m in the middle of an eleven-day travel run and quite delirious. If you read this and it doesn’t sound even remotely coherent, you know why! I’m at the Gartner Security event in DC this week, so if you are in the area, hit me up with a DM, and we can get together. If you aren’t here.. you’re missing out. This is a great show!

This week in The Cyber Why, we touch on the potential (not confirmed) catastrophic hack at Snowflake and its fallout downstream. We discuss the startup debate AppSec vs. OpSec and which makes more sense. We also debate two privacy-related stories by Google and Microsoft (I fall on one specific side here… can you guess which one it is?). Finally, we make some crude jokes in the style of Beavis and Butthead for our story #5. All this and more in this week’s The Cyber Why!

Get An Automated Security Buddy with DryRun Security

DryRun Security performs automated and seamless security code reviews in seconds. Devs love it because they get actionable security advice without all the noise, and AppSec loves it because every code change is reviewed for risk.

DryRun uses a proprietary Code Review Inquiry Methodology on LLMs to deliver results to developers in just a few seconds. Try it yourself and install DryRun Security, or book a spot for a quick 15-minute demo today.

DryRun Security

Snowflake Pwnage Potentially Catastrophic

Santander staff and '30 million' customers hacked (BBC)
Ticketmaster Hack: Data of Half a Billion Users Up for Ransom (TicketNews)
Here Are 9 Companies With Reported Data Hacks This Week: Everything we Know (Newsweek)
Snowflake: ‘No Evidence’ Linking Ticketmaster Breach To Its Products, But Signs Of Former Employee Account Accessed (CRN)

What do Ticketmaster and Santander Financial have in common? Not much, unless you consider that they appear to have been hacked by the same attacker. In a recent post on an underground hacking forum, the group calling themselves “ShinyHunters” posted an advertisement naming Santander and offering the following data for sale:

30 million people’s bank account details
6 million account numbers and balances
28 million credit card numbers
HR information for staff

The same hacking group is also offering over 500M credit card records for TicketMaster users. The question is, how are these two hacks connected? According to the article and BBC research, it’s highly likely that both of these attacks stem from Snowflake's recent disclosure that their systems have been compromised.

Snowflake refutes the claims that it is responsible and, as of the time of writing, does not believe it has been hacked in any other way than possibly with externally compromised credentials being used to access customer data. Other attack victims may include Advance Auto Parts, Allstate, Anheuser-Busch, Mitsubishi, Neiman Marcus, Progressive, and State Farm Insurance. There is a good chance we’re only seeing the beginning of the fallout of this one. We’ll watch it and update you as more details unfold.

AppSec or OpSec - A Fork In the Market Road

What Tool Best Compliments CNAPP? (James Berthoty - Latio Sec)

In many of the vendors I speak with, there is often a desire to merge two major market segments in a way that creates differentiation and the ability to sell a broader platform to the cyber security buyer. The most frequent version of this discussion is whether a product should push “right” into the operational security offerings or “shift left” into the application and code side of the market.

Each of the two sides of the coin comes with different buying personas, value propositions, go-to-market strategies, and even willingness to pay, making it extremely difficult to cover both sides simultaneously. As a startup, you are almost forced to pick one side of the other until you reach critical mass and have the resources to truly go horizontal in your approach. The future of the cloud-native application protection platform (CNAPP) market is no exception to this rule of thumb.

In this article, James breaks down each side's how and why in minute detail, helping you see his vision for the space. I recommend this read if you are interested in cloud security's future market trends.

Microsoft Recall - Dream or Danger (or both)

How the new Microsoft Recall feature fundamentally undermines Windows security (Double Pulsar)
UK watchdog looking into Microsoft AI taking screenshots (BBC News)

Is this a dream technology or a privacy nightmare? According to those in the cybersecurity space I have spoken to, it’s an attacker’s potential perfect storm and a significant cybersecurity problem just waiting to happen. Just last week, Microsoft announced “Recall” to the market.

The idea is it allows you to rewind back in time at the click of a button to see what you were doing at, say, 11pm two months ago. It also classifies almost everything you’re doing, seeing and typing. This is instantly searchable.

In a nutshell, the technology is an infostealer and rootkit built directly into the Microsoft operating system. It watches literally everything you do on the device and allows you to play that information back while making it completely queryable. Content is stored locally but, in my opinion, the data will eventually be used in many cloud contexts.

Spicy Take: This sounds EXACTLY like what I’ve been looking for. I want something that automatically records all of my Zoom, Team, and Google meetings and analyzes them with AI, can cross-reference that data with all my email and calendar data, and knows everything about my daily digital usage and life. In a nutshell, I want a complete second brain, and this sounds like a great start!

Regarding privacy worries, users will GLADLY trade security and privacy for any simple long-term convenience. If this really gives us the ability to track, query, and remember our entire digital life with an AI overlay, people will clamor for the solution and happily trade away security and privacy.

I, for one, think the risk is worth it! I’d love to hear your opinions below!

Google Says - We Got Your Privacy Right Here

Google Leak Reveals Thousands of Privacy Incidents (404 Media)

Google made an oopsie. 404 Media recently acquired an internal Google database that tracked company privacy violations and remediations, such as collecting and analyzing children’s voices, saving license plates from Street View, inadequate blurring of sensitive YouTube videos, and many other self-reported incidents, large and small. The database recorded privacy issues from 2013 to 2018, all appearing to have been fixed quickly by Google’s team.

The problem isn’t in tracking and remediating privacy concerns directly. Instead, the issue is the sheer volume of privacy issues that Google has to deal with annually. These are not just little bugs; they can significantly compromise human privacy rights. It’s great to see Google fixing things quickly. However, the size of the problem may make it completely impossible to secure long-term. Look at the article and check out the wild list of issues discovered in this five-year period.

NVD Backlog To Be Cleared in Fiscal Year (9/24)

Federal agency taps new contractor help with bug backlog (Axios)

In this week’s “story #5,” we bring you the contract company NIST believes will be the savior of the National Vulnerability Database (NVD). The firm Analygence has been contracted to fill the existing hole and help clear the backlog that has been building up with NVD. It turns out that the contract is a five-year, $125M project, and it was awarded to Analygence as one of 14 applicants. It was awarded last December, and they have yet to operationalize the contract fully. Good luck, NIST and Analygence; your solution is desperately needed. This is a “story #5” for a reason - #iykyk - please leave your thoughts in the comments section below.

Quick Hits and Hidden Gems

Gartner Security and Risk Management Summit (The Security Industry) - Some raw data on vendors sponsoring the Gartner event this week. Some interesting growth trends here.
Visibility Without Action is Just Noise (Yaron Levi) - I think he means that visibility and observation don’t matter if you don’t have context. He mentions it directly in the article - finding another issue is nearly worthless without context. Context is everything during data collection, analysis, and remediation. Without context, we can’t possibly scale. Good quick read.
Is this the end of SIEM? (Frank Wang) - SIEM, as the concept of “security event aggregation,” is indeed dead. The addition of assets PLUS events could reinvent this market into something new. This provides context to everything in the data set, making it much richer and easier to use. Context is KING!
A venture capitalist walks into a bar (lcamtuf’s thing) - I love lcamtuf’s view of the world. He’s been around the block, and he speaks a great truth. My moral takeaway from this story is to understand the incentives, and you will be able to predict the future.

Share The Cyber Why

The Cyber Why: What We Read This Week...

Tyler Shields — Fri, 24 May 2024 20:09:45 GMT

After a few weeks of slow cyber news, we’ve had a complete turnaround of great content. This week, it was impossible to pick the top stories, let alone which ones make the top 5 for you. The quick hits are so interesting that reading every article we reference in this email should be mandatory.

This week in The Cyber Why, we cover the latest cyber drama around VulnDB and CVE, the turf war brewing between MS and Google, an increase in ICS risk, privacy impacts of wifi location tracking, and a chest-thumping-worthy (NSFW) performance by Matt McConaughey for an SDFC commercial. Have a great holiday weekend - we hope you enjoy this week’s newsletter!

Get An Automated Security Buddy with DryRun Security

DryRun Security

100K VulnDB Vs CVE Cage Match

VulnDB Uncovers 100,000+ Hidden Vulnerabilities Beyond CVE (Flashpoint)
LinkedIn Thread on Vulnerability Disclosure, VulnDB and CVE (Ben Edwards)

What an absolute dumpster fire of name-calling, mean comments, and throwing shade at each other. I took the time to read through both posts and threads, along with all associated comments, and all I can say is WTF. Can’t we do better when it comes to working together to make the world a safer place? With a (let’s be truthful here) slightly clickbait-style title, Flashpoint released a report stating that they now had cataloged 100K more vulnerabilities in VulnDB than CVEs that are currently published. This torqued a subset of cybersecurity researchers and vulnerability hunters as they attacked Brian Martin and the team at Flashpoint for “not publishing” these vulnerabilities as CVEs themselves. Brian made a great argument that every vulnerability within the VulnDB is already publicly known and that CVE is notoriously bad at keeping up with publishing vulnerabilities based on the fact that it’s an inbound model - they don’t search for known vulnerabilities, instead letting the details come to them. If you have an hour or two to kill, I recommend reading these threads, as they will help you to understand exactly how broken the vulnerability database world is today. There has to be a better way!

Note: I don’t have an opinion on either side of this equation. I just wish the debate and discourse could be civil so that we can actually improve security instead of merely maintaining what little we’ve achieved over the last two decades.

Google Announces a Turf War for the Productivity Suite Market

Google Pitches Workspace as Microsoft email Alternative, Citing CSRB Report (Dark Reading)
Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft (Security Week)

(Katie pick) Earlier this week, Google took advantage of an opportunity to grow its online productivity suite business — Workspace. In the wake of a publication by the US Cyber Safety Review Board (CSRB), which noted the many vulnerabilities and known exploits in Microsoft Exchange Online environments, Google executives touted how businesses could achieve a safer online environment and a reduced attack surface by switching to Workspace.

Microsoft has received tons of criticism over the years for security issues in its offerings. In fairness, when your company has the greatest number of deployments worldwide, the target on your back is bigger. That said, if you have the largest account base, there is an argument for “do better.”

Google has made strides in the business world over the years; start-ups and cloud-native organizations have primarily switched to GSuite. As someone who has only worked in the startups for the last 6 years, I say, “Microsoft, who?” (Only kidding. Word for the win.) While Google has many great features and is highly user-friendly, they must improve Slides to be competitive (not actually kidding). Further, Google will likely have to continue battling the perception that Microsoft is for “more serious” businesses, including the US government.

Ah, isn’t competition “suite”?

Threat Actors Increase Pressure on ICS

Rockwell Automation Urges Customers to Disconnect ICS From Internet (SecurityWeek)
Rockwell Automation Warns Admins to Take ICS Devices Offline (Bleeping Computer)
Rockwell Automation Warns Admin to Disconnect from Internet (Cybersecurity News)

(Katie pick) Rockwell Automation issued an urgent warning to its industrial control systems (ICS) customers — Inventory and control your asset environment.

According to the notice, the company is concerned about the potential for increased attacks against ICS due to “heightened geopolitical tensions.”

Basic security hygiene is (or should be) critical to all businesses, yet these foundational processes are often overlooked or unattended. In the case of ICS and Rockwell’s programmable logic controllers (PLCs), the company is concerned that customers may have risky assets configured to the public-facing internet — though they shouldn’t be. According to an article on SecurityWeek, “A Shodan search for ‘Rockwell’ currently returns more than 7,000 results, including thousands of what appear to be Allen-Bradley programmable logic controllers (PLCs). “

Rockwell, alongside CISA, has provided guidance for customers on how to identify exposed assets and recommendations for triage and remediation, including some of the most urgent, listed here:

Importantly, simply identifying risky assets isn’t enough. Rockwell highlights the need to patch vulnerable systems immediately (when/if a patch is available) and continuously monitor for suspicious and/or anomalous activity.

Yes, Your Apple Device is Tracking Your Location

Why Your Wi-Fi Router Doubles as an Apple AirTag (Krebs on Security)

(Katie pick) In the eyes of some buyers, the Apple operating ecosystem is the most secure. Especially in the early days of smartphones, cybersecurity experts touted Apple’s advantages over other brands. Today, cybersecurity experts rally behind the company, often citing the “strict” vetting process in the AppStore.

However, upon a deeper analysis, Apple allows for more precise geolocation than its rivals, opening up interesting privacy risks.

In a recent article, KrebsOnSecurity reveals Apple’s process for collecting (and sharing) location data. If you care at all about privacy, you should be concerned. But don’t worry; in 2023, Apple released an under-the-radar patch for users to keep their devices’ precise location private. This is excellent for tech users and slightly savvy non-tech users. The rest of the iOS consumers will remain blissfully unaware of the exposure and incapable of changing their settings.

And by the way, researchers at the University of Maryland could track specific movements of military personnel in Ukraine, essentially allowing them to understand when and where an attack was being planned. In the wrong hands, weaponized geolocation via basic cell phone settings and wifi could prove disastrous.

Well, AI-right AI-right AI-right - AI Privacy w/ MM

Story #5: “Out here in the AI Wild West, bad guys only want one thing - your customer data!” The last time we saw a cybersecurity ad campaign tackle the Wild West, we got this gem: CrowdStrike tames cybersecurity Wild West in a new Super Bowl commercial. If that isn’t enough to make you think twice about buying cybersecurity technology, we also have this one from Palo Alto Networks: This is Precision AI with Keanu Reeves.

Similarly, SalesForce has decided to get ahead of the AI data collection story and put out a preemptive advertising strike stating that they are smarter and safer with your data regarding AI. Check out this series of half a dozen of the best cybersecurity ads I’ve ever seen (albeit the quality bar is quite low!) Enjoy…

Quick Hits and Hidden Gems

Kevin Mandia Stepping Down As CEO At Google-Owned Mandiant (CRN) - It’s the end of an era. Two decades after its founding, Mandiant CEO Kevin Mandia is stepping down. Good luck on your next adventures, Kevin!
CyberArk acquires Venafi for $1.54B, integrating human and machine IAM (SC Magazine) - Identity is a BIG DEAL.. a 1.5B$ BIG DEAL to be exact.
"I was forced to hire legal counsel," actress Scarlett Johansson responds after Microsoft partner OpenAI 'clones' her voice for ChatGPT (Windows Central) - ScarJo doesn’t like people stealing her voice. Good legal debate here.
CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules (Dark Reading) - Are rules real if they aren’t clear? 4 days to report a “material” breach. Sounds way to vague to be enforceable to me.

Share The Cyber Why

The Cyber Why: What We Read This Week...

Tyler Shields — Sun, 19 May 2024 22:17:42 GMT

Thank you. We are incredibly grateful for you taking the time out of your busy day to read The Cyber Why. Every week, we try to provide you with intellectual content colored with thoughtful op-ed opinions. If you find it useful, I only ask for one favor in return—tell two friends. That’s it. Let’s make this “TCW Friends” week and spread the word. Now, onto this week’s content…

In this week’s The Cyber Why, we cover the resignation of the OpenAI “superintelligent team” leader, the debunking of the cybersecurity labor shortage, a monster week in cyber M&A, a great piece from Andrew Morris on the disconnect of the cyber vendor ecosystem, and a killer YouTube “pwnie” playlist to induce musical euphoria!

Don’t forget to check out the quick hits section - it’s SUPER rich this week.

Sponsor The Cyber Why!

The Cyber Why reaches nearly 5,000 cybersecurity, technology, and investing professionals per send. With over 30,000 views a week, our content is frequently in front of your target audience. Reach out to The Cyber Why to find out how you can drive leads and brand recognition for your business. Sponsorship packages are available. Click HERE for more information.

Super Intelligent AI - Safe or Scary?

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says (TechCrunch)

It’s commendable to do the “right thing” and build a team responsible for developing ways to govern and steer “superintelligent” AI systems. It’s entirely the opposite of “commendable” to deny resources and let that team wither and die. That’s precisely what OpenAI did, resulting in several team members resigning, citing “disagreements with OpenAI leadership about the company’s core priorities.” Ouch…

OpenAI formed the team intended to safeguard AI development last summer. One year later, the leader of that team, Jan Leike, resigned in the same week as OpenAI co-founder Ilya Sutskever. This does not bode well for the future safety of AI as developed by OpenAI. These resignations and revelations, alongside the attempted OpenAI coup at the end of last year, make me very nervous about the future safety of our computing systems.

Cyber Labor Shortage Debunked

There Is No Cyber Labor Shortage (Dark Reading)

I’ve often wondered if the ludicrous numbers quoted when discussing cybersecurity job openings could possibly be real. Here’s one example from CNBC.

“There are nearly 600,000 unfilled cybersecurity jobs in the U.S. right now, and about 3.5 million open roles globally, says Lisa Gevelber, Google’s chief marketing officer for the Americas, citing recent research from Cybersecurity Ventures.”

According to an article penned by Rex Booth, CISO Sailpoint, there isn’t an issue with filling these jobs; the real issue is the requirements that are needed to be hired, making them unattainable for the majority of people who would want them. Rex makes a good argument by explaining that entry-level SOC analyst positions shouldn’t require years of formal training, multiple certifications, and potentially even a college degree. Most of these open roles are entry-level positions, and we treat them as if we have to find the perfect cyber analyst unicorn before extending a job offer. Let’s not get it twisted - I’m not suggesting we hire any old rando off the streets. If we have people with excellent technical skills and a high level of certifications applying for the role, we should hire the best we can find. But if you tell me that we have 600K jobs available and can’t fill them, we should adjust our requirements to fit our available supply and then train them on the job. My other intuition is that the metric of 600k cyber job openings is likely a made-up number anyway… making this entire discussion moot.

Cyber M&A Continues in 2024

Palo Alto Networks is buying security assets from IBM to expand customer base (CNBC)
LogRhythm and Exabeam Announce Intent to Merge, Harnessing Collective Innovation Strengths to Lead the Future of AI-Driven Security Operations (LogRythm PR)

It’s been a week of hot and heavy acquisition activity. The cybersecurity M&A pendulum has swung so far to one side that it feels destined to stay there forever. This week PANW and IBM got together to announce the sale of IBM’s cloud security software assets to Palo. At the same time, Palo has agreed to use IBM as a significant portion of its services arm and provide a clear path for QRadar users to switch to Palo’s equivalent platform offerings quickly. This one is big, and I have to admit I’m really not sure what I should be thinking about on the back of this announcement. Part of me sees this as a step backward for Palo. Previously, they would acquire the best products in the market and bring those to bear for their customers, but this feels more like buying the market and killing off a competing product type of play. However, if done correctly, this could unlock a new channel and customer base that Palo couldn’t access. There’s no clear answer here… This one has me scratching my head for sure!

ChatGPT depiction of IBM and PANW shaking hands. Scary!

Incentives Required - Altruism Doesn’t Work

Addressing the Cybersecurity Vendor Ecosystem Disconnect (Dark Reading)

Sharing is caring, and right now, the cybersecurity vendor space doesn’t care. At least that is the commentary posited by Greynoise founder and Chief Architect Andrew Morris. In this article penned for Dark Reading, Andrew concludes that a winning next phase of innovation should come on the back of collaboration - and I think he’s right! Enterprises are in a state of tool overload. The ability for tools to work together, for data to be uniform and normalized across systems, and for integrations to pass analyzed output effectively are requirements for success, and we just aren’t meeting those requirements as an industry. Andrew makes the point that we have to find common standards, operate via joint innovation, allow the passing of data that is currently limited by regulations, and effectively shift our collective mindset as vendors in the cybersecurity market. The one concern I have, Andrew also calls out, is that we are not incentivized to do this. Cybersecurity businesses have one goal in mind… ~~to help secure the world~~ to make money! Maybe I’m just a cynical old man (actually, that describes me perfectly), but until we vendors find some incentive that aligns well with growing the business quickly, we won’t see any change. As much as I hate to admit it, I think the only course of improvement is (/vomit) government regulation.

Note: Go check out Andrew’s company, Greynoise. They turn Internet noise into intelligence, and as long as I’ve known Andrew, he’s been one of the good guys… fighting the good fight for all of the right reasons.

Story #5: Pwnie Award Nominated Songs

YouTube Playlist of Pwnie Award Nominated Songs (tl;dr sec)

I saw this under the “Misc” section of the latest tl;dr sec newsletter. I have no idea where Clint (author of tl;dr) found it, but it’s the funniest thing I’ve seen this week. Many of the songs are old, but they still made me laugh out loud. The opening video alone is a classic that I will never forget.

Quick Hits and Hidden Gems

PMF Score Vs NPS & Sequoia Capital's Runway Reality Check for Founders (Venture Creator) - PMF Score vs. NPS and when to use them. Interesting take on how to measure product market fit.
Y-Combinator's Framework: How Much Traction Is Needed To Raise Funding? (VC Jobs) - Remember to take into account “marketing,” aka how you will reach the buyer. Build it, and they will come is reserved for baseball stadiums only.
FBI seize BreachForums hacking forum used to leak stolen data (Bleeping Computer) - Another breach forum is down, and another will rise to fill the gap. Risky Biz did a killer write-up as well. Story here.
Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S. (404 Media) - Mobile spying and tracking revealed by a whistleblower. If only I had a complete account to read it. Stupid paywall.
How Did Authorities Identify the Alleged Lockbit Boss? (Krebs on Security) - Krebs breaks down exactly how Dmitry Yuryevich Khoroshev was tracked and caught. Crazy good research.
Social Capital 2023 Annual Letter (Cahamath Palihapitiya) - This annual letter details learnings, observations, and reflections on technology, economic, and creator trends. Good read!
Unmasking adversary cloud defense evasion strategies: modify cloud computer infrastructure Part I (Permiso) - Super technical cloud based attack techniques blog. Digging this one for its “light technical reading.” Good stuff!

Share The Cyber Why