Happy almost weekend, everybody… or not, if you’re in IT… trying to travel… or get medical attention... or just get your work done and start the weekend off with a bang.

Many of us have woken up to the news of a massive global outage caused by a Crowdstrike Falcon endpoint sensor update for Windows hosts. From airlines to banking systems, emergency services to media outlets, businesses around the world are dealing with the dreaded Blue Screen of Death (BSOD) to kick their weekend into high gear.

NOTABLY… this is not a cyber attack. As far as we know, malintent is not an issue.

According to the company’s website, the outage was caused by “a defect in a single content update for Windows hosts. Mac and Linux hosts are not affected.” Further, the company says that the issue was “identified, isolated and a fix has been deployed.” 

Good news! Except, according to sources, this isn’t the simple fix it’s being positioned as.

Source: Reddit: https://www.reddit.com/r/crowdstrike/comments/1e6vmkf/bsod_error_in_latest_crowdstrike_update/ 

While attempting to triage the fix, many customers are reporting that they’re stuck in a boot loop and being forced to manually reset impacted servers, which could result in hours — or possibly days — of downtime and uncountable amounts of lost productivity and revenue. 

Leave a comment

Dependency issue, not a cyber issue

If this is not a cybersecurity issue — and it does not seem to be — why is a company like OX commenting? Quite simply: because it highlights the criticality of understanding the longtail of dependencies within IT infrastructures. 

Neatsun Ziv, OX Security’s CEO and Co-founder, has said, “Incidents like the one we are seeing cause global chaos today, where an error in an update provided by a provider causes widespread outages, are not uncommon. What is unique about this incident is the scale at which it has taken place, likely wiping billions of dollars from the global economy due to global, widespread downtime.”

What’s become clear in the aftermath is that IT and operations teams are having to boot individual endpoints manually, which will take tons of time, especially for understaffed businesses. If the machine is Bitlockered, response teams will also have to enter a very long passcode, delete the file, and then restart. Remote-first companies will have to walk employees through these steps. 

Agent-based systems versus agentless

While the world is recovering, we don’t want to cast stones. It’s easy to say, “An engineer messed up!!” But in reality, sometimes things happen. What we will say is that agent-based tools have consistently caused issues, starting with performance issues and network bandwidth issues.

As illustrated here, deployment and management of agents are problematic at scale. Furthermore, ensuring consistent agent configurations and updates across the entire ecosystem — especially if we’re talking about 100s of thousands, is extremely challenging. 

With the Crowdstrike issue, the remediation requires hands-on-keys to fix. In today’s hybrid and highly mobile work environment, ensuring the right updates in this scenario is nearly impossible. 

Share

In contrast, agentless deployments offer numerous advantages, especially when it comes to updates. Automated agentless updates facilitate:

• Centralized Control: Without the need for agents on individual devices, updates can be managed centrally, ensuring consistency and efficiency.

• Rapid Deployment: New patches or software versions can be pushed out to all endpoints simultaneously, accelerating the update process.

• Reduced Error Rate: Centralized control minimizes the risk of human error during the update process.

• Improved Security: By eliminating the need for agents, which can be potential attack vectors, agentless technology enhances security.

• Scalability: Handles large-scale deployments with ease, as there's no need to manage agents on countless devices.

This is an extremely unfortunate incident, and we wish every affected IT team good luck! What’s important here is to remember that incidents will happen — whether they’re cyber incidents or IT incidents. The best way to mitigate both the likelihood and severity of incidents is careful planning, including threat modeling, testing, backups, and practicing rapid response — and perhaps a future agentless approach. 

Over the years, “new” categories — and thus their acronyms — have emerged from perfectly descriptive former terms. For example, “data security” morphed into “data loss prevention”/”data protection” morphed into “data security posture management,” a term we use today to basically describe “data security” as it exists in 2024 versus how it existed in 1994.

Another trend that’s taken hold more recently is the tendency to add on to established terms. That is, take a category and chunk it into subcategories, thus allowing for disparate tools creation underneath the broader heading. The most current crazes I see are:

• Security posture management: All the SPMs: CSPM, SSPM, DSPM, ASPM, I(A)SPM, and Orca’s latest addition: SCM-PM, “source code management posture management” 

• Detection and response: All the DRs: EDR, NDR, XDR, ITDR, DDR, MDR, ADR, MLDR, TDR

The rest of this post will focus on the “DR”s. There’s plenty to say about the posture management category, but I’ll save that for later.

The evolution of cybersecurity detection and response

Presumably, most of you reading this post work in security and know the history. But just in case you’re not a security pro or need a refresher — Cybersecurity emerged from more general IT in the late 1980s. At that time, and for about ten years, cyber threat detection and response (DR) primarily focused on signature-based analysis and provided the birth of antivirus (AV). If you’re old enough to have lived through or near those days, you might remember that identifying known malware patterns via signatures was tedious, highly manual, and not hugely effective. I mean, if you were a cybercriminal and knew that some newfangled software was looking for known patterns, wouldn’t you simply change the patterns? Yes, exactly.

AV software evolved to account for polymorphic viruses and became slightly more effective.

By the mid-1990s, no one in their right mind would have based their DR program on AV. It was a nice complement to other tools, one that would catch the “low-hanging fruit,” but not enough to be successful. What came next was intrusion detection and intrusion prevention systems (IDS/IPS). While IDS/IPS provided broader detection capabilities than AV, they were still based on patterns and were hamstrung by limited response actions.

The next decade brought SIEM, enhanced IDS/IPS, broader use of VPNs, heuristic detection capabilities, email filtering and spam detection, stateful firewalls, and more. These were (and continue to be) DR mechanisms in some form or another. As time passed, advanced persistent threats grew in popularity (both as a buzzword and a real-life potential attack) and tools developers needed to move toward greater detection and response efficacy. It became obvious that automation was needed and that reactivity wouldn’t cut it.

That’s when we first started hearing terms like “network detection and response,” “endpoint detection and response,” and the catch-all, “extended detection and response.” All these technologies emerged as a response to the evolving threat landscape. They were not completely new technologies but rather extensions of previous tools that existed, and they were built to fit modern-day computing requirements.

The exploding cyber tools ecosystem?

Of course, DR solutions cannot stand on their own; there are many other categories of tools — and related acronyms — deployed throughout organizations’ digital estates. As a result, the ecosystem of cybersecurity tools has exploded, and what we have today is a giant pool of tools to aid security teams in their quests to conquer the entire attack surface. 

While detection and response is a well-understood category, the hyper segmentation of terms and acronyms has muddied the space. Many DR tools now don’t only focus on detection and response, as their name implies; they’ve added identification components that, presumably, can help security teams pinpoint problems before they turn into active compromise. What we’re left with is an accumulation of acronyms that don’t mean the same thing to everyone. On top of that, if you stop and drill into the various subcategories, it feels like we’ve got some duplicative efforts—or, at least, the ability to consolidate, as is the stated desire of many practitioners.

What do I mean?   

Theoretically, XDR was developed to encompass NDR and EDR — the first iterations of DR tools. MDR offers the managed services version. Shouldn’t XDR cover everything, including managed DR? Logically, “extended” could mean coverage of identity threat detection and response (ITDR), data detection and response (DDR), application detection and response (ADR), “cloud detection and response,” and whatever comes next. It would be much simpler, wouldn’t it? The catch-all acronym “XDR” would clarify the soup. 

But since security pros are so fond of acronyms, the creation of micro categories allows us to continue the trend and develop more siloed tools that will likely all converge “n” years from now. In the meantime, though, we have to have a place for each distinct subsection of DR. ITDR, for instance, is an approach for managing identities — both user and system. Cloud detection and response (CDR) clearly focuses on monitoring and managing cloud activity. Not necessarily identities of cloud-based systems and users (because that’s ITDR, at least to some vendors), but it could, couldn’t it? Wouldn’t that equate to “extended detection and response”? Gosh, this is getting confusing.

DDR is focused on protecting sensitive data (the artist formerly known as “data security”) for data in on-prem networks, cloud environments, applications…but then we have a separate category of ADR; ADR is much more specific to application runtime behavior, but it also analyzes things like user interactions (“identity”?), data flows (“data”?), and network calls (“network”?). 

So What?

At the heart of the matter, the real question is: Are all these DR technologies necessary? The answer, I think, is yes. But are they necessary as standalone categories? If my crystal ball worked, it might say that many or even most of these acronymic categories will converge into one larger category, much like how SASE converged complementary categories into one integrated engine.

What’s amusing to me, though, is that, at least from this vantage point, the category they would roll into is…detection and response, which is the top-level umbrella category from which they emerged. In all likelihood, some analyst at one of the top two firms will concoct a creative term that can easily be turned into a catchy acronym that will be splashed across RSA and Black Hat conference booths. Two years later, the tides will turn again, and there will be another attention-grabbing category. For now, “DR” is all the rage. There are plenty of effective products to choose from if you want to swim in the DR soup. Sometime in the near future, though, expect your XDR vendor to buy your ITDR or ADR vendor — so negotiate your contracts well.

Subscribe now

As of late 2021, Lacework was valued at $8.3 billion, yep, that’s “billion” with a “B,” making it — at least on paper —one of the biggest cybersecurity players on the market.

And then came the fall. While many companies — in and out of cybersecurity — floundered during and in the wake of the pandemic, cloud companies thrived. Businesses needed a way to get people working from home, quickly and securely, and the cloud security market capitalized on this momentum.

Lacework was one of the companies leading this effort. Bolstered by all the cash it could possibly need to advance and enhance its products, acquire companies/products to expand its portfolio and hire top talent, there should have been no stopping the company. They even jumped into the artificial intelligence (AI) fray before the term was splashed across every RSA vendor’s booth and sprinkled into sales and marketing collateral. The way Lacework was using AI (read: advanced math, a.k.a., algorithms) was by using anomaly-based detection in ever-shifting cloud environments. Great idea…but it fell short when it was realized that, uh oh! The training data didn’t exist. For any machine learning (ML) or AI algorithm to work, enormous amounts of data must be available for the model to learn. And it must be reliable and trustworthy data. But because of how cloud environments work — how busy they are, and the fact that many cloud-focused attacks are based on API calls (not the data in the cloud itself) — the technology started to falter. 

From the cloud to the ground

A whole lot of technological issues later, the company’s valuation started to drop. Lacework laid off 20% of its workforce. Key executives (like the co-CEO) started running for the hills. The remaining team management seemingly used questionable tactics to lure companies into buying the product. Employees—current and past—started complaining about the toxic and overly political culture. Customers started reporting the product’s lack of efficacy. And the list goes on and on.

Lacework’s fall from grace was highly recognized in security circles. As both its valuation and revenue plummeted, and the cloud security sector continued to boom, competitors took notice. Wiz, the 800-pound gorilla of the cloud, decided to approach Lacework for an acquisition — theoretically to buy the company in a firesale, retain the good parts, and remove one noisy would-be competitor. 

But that acquisition fell through. Not much detail was given, and the security community was left to speculate that Wiz found something—or a whole lot of somethings—it didn’t like during the due diligence process. The toxic culture could have been a sticking point, or Wiz could have discovered some “smoke and mirrors” in the product. We’ll likely never know. However, the covers were off—everyone seemed to be talking about Lacework as a case study of how not to operate.

Share

A fresh start, or tearing apart?

It seemed like the end of the road for Lacework until yesterday. On June 10, 2024, Fortinet announced it would acquire Lacework for an undisclosed amount. According to the Fortinet press release, “Fortinet intends to integrate Lacework’s CNAPP solution into its existing portfolio, forming one of the most comprehensive, full-stack AI-driven cloud security platforms available from a single vendor. This will help customers identify, prioritize, and remediate risks and threats in complex cloud-native infrastructure from code to cloud.”

The reality is that time will shake out a few of the reasons why this seemingly failing company is being thrown a lifeline. Is it an acqui-hire? An acquisition “for-parts”? Were the financials just so in Fortinet’s favor — the firesale of a lifetime —resulting in Fortinet engineers having a tiny leg up on building CNAPP rather than starting from scratch?

One thing is for sure: the announcement has captivated many in the cybersecurity community, and it’s bound to be a topic of conversation for a long time. If you have thoughts or opinions on this story, leave them in the comments below!

Hi — I’ve been gone for a while, recalibrating and job hunting. Maybe you’ve noticed, maybe you haven’t. In either case, I had about two months away from work and even though I was much busier than I wanted to be, I had time to reflect and think about cybersecurity as a career. Not just my career, but cybersecurity as a career, in general.

Subscribe now

Flashback to April

My former job was on shaky ground. Over the last year (plus) there were a number of major changes to my department as well as other organizational changes that directly and indirectly impacted my and my team’s work. As a result, I’d been thinking about making a move. But I’m usually not a quitter; I prefer to be shoved out the door for some sadistic reason. 

During the first week in April, it became readily apparent to me that I’d need to start looking for a new job ASAP. I was out of town, getting ready to speak at a conference. What I should have been doing that morning was prepping my talk. Instead, I had a bad gut feeling and started messaging trusted friends and colleagues. The gist of my messages: “I think I need to look for a new job. If you know anyone who is hiring, I’d appreciate an introduction.”

Within minutes, the first reply came back: “Call me. I might know someone.” Over the course of the day, I received several other responses with a similar tone. That was a Wednesday. On Friday, I had my first conversation with the person who would ultimately facilitate my new job (at an amazing company!!). The following Monday, I had three more conversations with companies that were hiring for my role. Several of those conversations turned into opportunities, meaning they weren’t fluff conversations scheduled simply because a friend of a friend of a friend asked for a favor. I was being ushered down the hiring pipeline solely because of the industry connections I’ve made. I have been incredibly fortunate throughout my career to work with some really good people who (for some odd reason) appreciate my work and me as a person. And, in this situation, they were willing to dedicate time and effort to help me find my next job.

Share

Work your network

You might think this is luck; where I’ve worked, and the positions in which I’ve worked have given me certain “advantages.” While there might be some truth in that, I also work really hard at cultivating and maintaining my network of security friends and colleagues. I check in with people “just because.” I send birthday texts (if I know their birthday). I reach out when I see/hear that someone is job searching. I make introductions whenever I can. 

(Importantly, though, I am not a pest; I won’t continue to communicate with someone if they indicate in any way that my touchpoints are unwelcome. I’m not that LinkedIn connection.) 

I know many of you readers also work hard at the community aspect of cybersecurity. Mostly, though, when we’re networking, the goal is less about “what can you do for me” than shared interests or, more simply, a connection with someone fun, friendly, interesting, etc. Personally, I don’t keep in touch with people because I’m thinking, “One day, I might need their help.” However, it’s hard to ignore the fact that I got my current job, had the plethora of interviews I did, and was offered jobs only at companies — not just now, but over the last 20 years — that began with a personal introduction. Every single job I’ve had in cybersecurity, going back to 2004, has started with an introduction. And I’ve never had more than a two-month gap between jobs. (If you’re now checking my LinkedIn, you’ll see a few gaps that are greater than two months. There were times I left a job, dabbled outside of security, then returned. Those positions appear only on my resume.)    

My network has had a significant and profound impact on my ability to find employment. Again — I am incredibly grateful. I am even more grateful when I look at the state of the industry and my friends and colleagues who have been job-seeking for longer periods of time. Over the last few years, I’ve spoken with several people who want or need a new job and have to rely on the old-fashioned method of job hunting: applying through companies’ websites or job boards. These people send out hundreds and hundreds of resumes and fill out countless forms because they don’t have an inside track. 

And they’re not getting great or rapid responses. I know a lot of very skilled people who have a hard time scheduling interviews because they are applying “blind.” I have two friends who, after applying for cybersecurity jobs for months on end (and have job history in the field), decided to send resumes to non-security tech companies. Guess what happened. They got positive responses right away.

In only one instance during this last round of job seeking did I land an interview with a company at which I knew no one. And even though the conversation went well, the HR person never followed up, even after saying I was a “great fit for the role.”

It’s a miserable situation. I’ve felt it. Even though my latest job search was fast-tracked due to connections, I built a backup plan in case something went awry. I applied to a dozen or so positions — which were exactly the same as the one I have and another for which I was offered a job — at which I didn’t have a personal connection. I either never got responses from those “blind” applications or received responses claiming there were “other candidates better suited.”

Share

Stranded without a network

Thinking about this — and watching several of my friends and former colleagues struggle with the state of hiring in security — I have to wonder: when did we become so insular that only a connection — tenuous as it might be — will do? Is cybersecurity the type of community that refuses to welcome unknowns, even when the person’s skills, background, and temperament are a perfect fit for a position? Is a person imminently more qualified when referred by a friend, or a friend of a friend (or more)? 

I saw this happening during my search, so I asked one of the people interviewing me why she was only talking to people to whom she’d be introduced by a mutual connection. “These positions are too risky to hire just anybody.”

Is that actually true? And isn’t that what the interview process is for? Aren’t recruiters supposed to help establish a connection? Do people honestly think that only the people they already know are the only good workers in the industry? Is keeping the circle tight helping advance security? Shouldn’t we be more impressed with what someone brings to the table than whom they bring to the table?

Expand your periphery

In my opinion, it’s extremely limiting to shrug off candidates purely because there’s no direct or dotted line to the hiring manager or company. While every job I’ve had in the last two decades started with an introduction by a mutual connection, I have met a number of amazingly impressive people at those jobs who are now colleagues I would recommend to any hiring manager. My professional life is richer for meeting these new people. My network has grown because I had the opportunity to work with people I didn’t previously know anything about. Some of these “outsiders” are now personal friends with whom I regularly communicate and/or spend my non-work time.

On the flip side, some of the people in my network who were once very close colleagues have significantly drifted outside my periphery (and vice versa). I have no idea what they’re up to now. If they are as committed as they once were. If they’ve kept up their skills. Sure, if someone in my network were to reach out and ask me to vouch for one of these people, I likely would. But I’d have to caveat it and say we haven’t been in contact for X while. Knowing the industry, I’d guess that even a latent relationship counts for more than no relationship. 

Even though I benefit from wonderful professional relationships, I think it’s a disservice to the industry to rely solely on introductions when hiring for open positions. It might take more effort to vet an “unknown,” but it can pay off multifold. You never know how someone will act or react inside a new company, even if you’ve worked with them for years under different circumstances. When faced with a toxic environment or bad team composition, a previously amazing worker can sour or develop apathy. Stressful situations can breed bad — or anomalous — behavior. Someone you already know isn’t necessarily a “sure thing.”  

Subscribe now

A different perspective on hiring

Personally, I will continue to grow my network and connect with past and current colleagues. I will also continue to try to help people in my network when I can. But I will also be mindful that the next best candidate for a job I might be hiring is someone completely disconnected from me or my network. From my point of view, the industry is in too much need of skilled workers to write people off purely because they were heads down at their jobs or too shy to attend RSA parties. I know some HR pros and hiring managers will say it’s too much work to wade through pages and pages of blindly submitted resumes or, worse yet, that their “AI-based resume scanner” didn’t identify the “correct” buzzwords. 

If we want talented people to work for and with our teams, we have to expand our perception of who is the “right” fit. A tenuous LinkedIn, user group, online forum, or social media “connection” does not a known quantity make. Let’s be honest: on the internet, nobody knows you’re a dog. 

So, while it might be easier to take the path of least resistance, which includes personal introductions for open positions, it might be profitable in the future to invest in cultivating new colleagues along the way. After all, a stranger is just a friend we have not yet met, or something… 

In the meantime, I will continue to thank the gracious colleagues and friends who helped me land my current role.

FTR: I have recruiters connecting on LinkedIn all the time. They’re always willing to help when I don’t want or need a job. But when I reached out on this last hunt, ONLY the recruiters who personally knew at least one of my LinkedIn connections responded. 

Given this description of a “contextual” cybersecurity future, specific requirements exist for any vendor that wishes to become the dominant player in the emerging contextual security (AI cyber) space. Both technology and usability innovations are required in this new and exciting area of cybersecurity products.

Subscribe now

Winners and Losers

In the landscape of contextual cybersecurity, winners and losers among vendors will be determined by the amount of data they can collect, the strength of the context they build, how they integrate with other technologies to collect the data, and if they can innovate new technology capabilities on top of the context set in a way that provides rapid value. Look for these criteria in the vendor you invest in.

Winners: Vendors that embrace AI and machine learning to enhance contextual analysis will come out ahead. Companies that effectively integrate their solutions with broader ecosystems, ensuring seamless data flow and contextual insights across different platforms, are poised to succeed. Those who invest in developing systems that can rapidly adapt to new threats and offer proactive security measures based on rich contextual data will be at the forefront.

Losers: Vendors that fail to move beyond traditional, siloed approaches to cybersecurity will struggle. Companies that are slow to integrate AI and machine learning or do not effectively utilize the increasing availability of data for contextual analysis will fall behind. Vendors that resist evolving their products to work seamlessly in cloud-based, API-driven environments or cannot provide a holistic view of security threats will lose relevance.

Criteria for Contextual Cybersecurity Success

The future of cybersecurity hinges on a strategic blend of context creation and intelligent data handling. These criteria define the capabilities of cutting-edge cybersecurity solutions and shape how they integrate within the broader technology ecosystem. From harnessing advanced AI to ensuring comprehensive data collection, these principles form the cornerstone of a robust and future-proof cybersecurity platform. Specific criteria will determine success:

1. Breadth and depth of data collection: This refers to the comprehensive gathering of varied data types from multiple sources to create a rich data pool. The breadth refers to the range of data types and sources – encompassing everything from network traffic, user behavior, and application logs in both cloud and SaaS environments. The depth pertains to the level of detail and historical data accumulated, allowing for nuanced analysis. This extensive collection is crucial for AI systems to understand standard patterns and identify anomalies effectively. It enables the construction of a more detailed and accurate contextual landscape, which is crucial for predictive analytics and proactive threat mitigation.

2. Integrations and data enrichment from external sources: Ensuring that cybersecurity solutions integrate smoothly with various platforms and ecosystems enhances the overall security posture. The additional data enrichment from external sources provides a more robust depth of data, resulting in more accurate and detailed context creation. The data could even come from sources beyond security, including business, human resources, financial, and sales and marketing output.

3. Feedback loops of context for continuous learning: A network effect is formed when data is turned into context and then fed back into the training system as a new data piece. The compounding effect of this feedback loop creates a system where knowledge grows over time, and data analysis accuracy is self-improving. Whichever technologies understand this concept and can build a system that improves over time will have a distinct advantage in the market. Like compound interest, the sooner they start learning, the sooner they will hit acceptable levels of accuracy. Essentially, contextual cybersecurity is a race against time that must start sooner rather than later.

4. Ease of use and seamless interoperability: Ensuring that cybersecurity solutions can integrate smoothly for the consumption and usability of results with various platforms and ecosystems enhances the overall security posture. Balancing advanced technology with user experience and usability of output creates a robust and user-friendly solution. Any vendor wanting to dominate in this emerging market must surface value quickly, in the appropriate formats, and make it easy to use for several different user personas. This is NOT going to be an easy task.

   Share

The Enterprise Path To Glory - What This Means For The CISO!

While the path to contextual cybersecurity glory seems clear, it is anything but. Vendors that understand the success criteria listed above and the vision of the future will undoubtedly have a leg up on the rest of the market. Still, like anything in business, execution is always more complex than ideation. The devil is indeed in the details.

We are still in the early days. Enterprise cybersecurity leaders must understand the requirements for future success but be careful not to over-index on this vision too quickly. It’s very easy to get out in front of the reality of what products are actually capable of, resulting in a situation where you are less secure than before you rallied behind the innovations. Don’t buy too much into the hype; instead, be pragmatic and pay attention to how solutions such as these can fit into your cybersecurity program today and augment what you are already achieving. As they say in comedy, timing is everything.

Coming soon: A new deep-thought piece on the cybersecurity vendors and platforms positioned well to succeed and the submarkets they will come to dominate. Stay tuned to The Cyber Why for more!

It has been a while since I’ve written up a post-mortem analysis of a breach. Partially, this is because breach details rarely become available to the public. This is currently a huge issue for our industry, as learning from others’ failures is one of the most ideal and effective ways for the industry as a whole to improve. Otherwise, we’re all just guessing at what moves the needle and what doesn’t.

Background

A quick note: many folks make their living off Microsoft. It is one of the largest tech giants, and as the CSRB report points out, it has over one billion customers. It might seem like researchers and analysts are constantly picking on Microsoft and singling it out. They’re not wrong!

Microsoft, along with tech giants like Apple, Google, and Amazon, are often singled out for a good reason: due to their massive market share, when they make a mistake, it has a much larger impact on the general public and global economy than incidents at other businesses and tech companies would. Mistakes like these are easier to forgive when smaller, less experienced, and less impactful companies make them. Companies like Microsoft are held to higher, unique standards because mistakes at Microsoft scale can do so much more damage - like when Exchange vulnerabilities destroyed part of Rackspace’s business nearly overnight. Sorry, these are the breaks when your company achieves trillion-dollar valuations.

What is the CSRB?

In May 2021, Executive Order 14028 tasked Homeland Security with creating a Cyber Safety Review Board (CSRB from here out). This would be a group of private and public cybersecurity experts tasked with investigating only the most egregious and impactful incidents. To date, the CSRB has investigated three incidents:

1. The Log4j Vulnerability

2. Lapsus$ and related threat groups

3. The Summer 2023 Microsoft breach - the focus of this analysis.

Why Read This?

I read as many reports like this as possible, trying to discover the deeper root causes behind some of these events. I aim to answer questions like:

1. why did detections fail?

2. why did security controls fail?

3. which controls failed and why?

4. were failures due to technology, processes, people, or some combination?

While my review of the CSRB report will contain my personal bias and opinions, I should also point out that the CSRB report feels somewhat biased. It remains highly focused on facts, but to my eyes, at least, the tone could be characterized as complementary of the government and “sick of Microsoft’s screwups.” I personally think the CSRB’s reviews should be more unbiased - the members of the board have ample opportunity to share their individual personal opinions via their own blog posts or social media. With that said, the board isn’t alone - there has been a lot of sympathy with the report's tone (myself included).

Why is Everyone Beating Up on MSFT so Much??

Microsoft has indeed had a rough time in the past few years. Companies like Wiz, Orca, and Lacework have discovered and reported on dozens of security issues in the Azure cloud platform. With access to so many of the world’s businesses and hosting a significant chunk of the world’s email, unsurprisingly, Microsoft is a constant target for nearly all types of attackers.

Microsoft isn’t alone in being targeted, but it does seem to get breached more often than any of its peers. In fact, two more significant incidents have occurred following the breach I’ll be discussing here. Adding to Microsoft’s woes, some of the incidents occurred due to its own employees failing to understand how to use Azure securely.

Share

Let’s Dive Into The Analysis

Grab a copy of the report if you want to read it yourself, or check out some of the sections I’ll reference. At 34 pages, it doesn’t seem like a massive report, but don’t let that fool you. The report is quite dense and doesn’t contain a lot of fluff.

First, let’s talk about the overall sentiment of the report. Microsoft failed to detect a major intrusion into one of its most popular products, and this report doesn’t ever let you forget that fact. Sure, this attack was truly deserving of the oft-overused “advanced and sophisticated” description. It was carried out by the same Chinese-affiliated group (Storm-0558) that famously compromised Google (the Aurora attack that led to the creation of the company’s BeyondCorp zero trust principles and products) and RSA (targeting their SecurID MFA product) over a decade ago.

This attack campaign appears to have been successful: Storm-0558 went undetected for an unknown period of time. This threat actor accessed the email accounts of 22 organizations and over 500 individuals across both commercial (M365) and consumer (Hotmail/Outlook.com) products. Tens of thousands of emails were downloaded from just one of these targets (the State Department) before the attack was detected.

Microsoft has yet to conclude this investigation. They continue to explore 46 hypotheses they originally developed nine months ago.

How did the attackers pull it off?

The primary mechanism that allowed this attack to happen was a Microsoft Services Account key (MSA Key) that Storm-0558 used to generate the tokens needed to access all the aforementioned email accounts.

This MSA key is at the heart of this whole thing. It's such a mess — it's like a problem with superpowers, a super-godmode vulnerability.

This thing was the equivalent of a skeleton key for Microsoft's services.

• The MSA key wasn't supposed to be able to generate tokens for both consumer and enterprise Microsoft services, but thanks to some software bugs, it did.

• The MSA key was originally generated in 2016, and this attack happened in 2023. Keys like this shouldn’t have a lifespan this long. They should have been revoked and rotated years prior, but Microsoft stopped rotating keys after an availability incident and never went back to rotating keys after that.

• The idea of any MSA key having access across all of one of Microsoft's services is already bonkers. The review board talked to all of the other CSPs out there (Google, Amazon, even Oracle), and no one else does this. Everyone else compartmentalizes access controls and token generation. Microsoft didn't.

• The CSRB report even cites Oracle Cloud as an example of correctly controlling access. Ouch.

A total of 525 tokens were forged from this MSA key: 503 were for personal email accounts, and 22 were for enterprise M365 organizations.

The majority were for US-based accounts, but this was an international incident — UK organizations and personal accounts belonging to people worldwide were also affected.

Share The Cyber Why

Two Truths and a Lie

You might recall that Microsoft reported last year that Storm-0558 got this key from a crash dump.

That was apparently a lie.

The CSRB report isn't calling it a lie because it's a formal, professional report, but I can't think of any more accurate language to use here. Microsoft stated it as fact. You can still go back and read it.

Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).

Microsoft later admitted to the review board that there was no evidence to support this theory. Apparently, Microsoft came up with 46 hypotheses when investigating this attack, and this "key recovered from a crash dump" theory seemed plausible to them. Instead of saying, “We don’t know what happened, but here’s a theory”, they pitched their theory as fact. This is problematic not only for reasons of trust but also because it potentially impacts the incident response strategies of the targets of this attack. If Microsoft claims containment has occurred when it hasn’t… well.. that’s an issue!

After Microsoft revealed this lack of evidence to the CSRB, they chose not to correct the incorrect information. For over six months, Microsoft allowed the public and their customers to believe they had discovered the incident's root cause.

The truth is that they still have no idea how Storm-0558 got their hands on this MSA key.

Notification Troubles

Another concerning issue was around notification. Microsoft users and customers are so used to seeing phishing scams using Microsoft designs, fonts, and CSS that many victims ignored Microsoft's messages about the compromise and had to be contacted directly by the FBI.

Perhaps security awareness training also has some culpability here? I'd be interested in hearing other folks' thoughts on this.

One of the report's recommendations is an ‘amber alert’ style notification system. Hopefully, it will be more scammer-resistant than email.

Leave a comment

How was the attack detected?

Microsoft often reminds us that it is the most prominent security vendor in terms of revenue (>$20 billion today). They have an extensive line of security products designed to detect attacks. It is a bad look that they failed to spot this attack.

Instead, the US State Department detected this attack using a detection mechanism they call "Big Yellow Taxi" (someone’s a Joni Mitchell fan?). Big Yellow Taxi analyzes MailItemsAccessed logs for anything that looks weird or anomalous when compared to a baseline. For any detection engineers out there that just winced, yeah - this doesn’t seem like an easy detection rule to operationalize. It sounds like a ton of work, but it enabled the State Department to be the first and only one to detect this huge attack out of 503 individuals, 21 other organizations, and Microsoft themselves.

According to the CSRB report, they wouldn't have been able to create this detection rule if they hadn't paid extra for Purview Audit Premium. This sets the Security Poverty Line at least another $144 per user per year above the standard M365 license.

It could be biased from the review board, but inter-agency cooperation seems really impressive here. The State Department, Commerce Department, FBI, and CISA provided a lot of sub-24-hour assistance and feedback. By comparison, Microsoft seems positively sloth-like.

Microsoft’s detection and telemetry

A recurring theme in the report is a focus on log retention. Most folks are aware of the log situation at Microsoft: logs are disabled by default, and when they are enabled, retention is often limited. This forces customers to ship them elsewhere or pay extra to store them for extended periods. Then there are the ‘advanced’ logs that cost extra.

Microsoft apparently only had 30 days of logs to investigate after the State Department notified them.

A 30-day retention period for a free or basic-tier Microsoft 365 customer is unsurprising. However, Microsoft's decision to limit its own log retention so severely borders on bizarre. The irony is that the US State Department couldn’t have detected the attack Microsoft missed if it had not paid a premium for logs and made very effective use of them. Meanwhile, Microsoft’s log retention was so short that they didn’t know when the attack began.

Was Microsoft a victim of its own stinginess here? Does Microsoft seriously not indulge in longer retention times for its infrastructure—the infrastructure backing the second-largest cloud service provider in the world?

The implications are odd and don’t entirely add up. On the product side, the shortest amount of time that logs hang around for the most basic tiers of M365 is 30 days by default. Nearly any more premium option—E5, Purview Audit (standard or premium)—increases log retention to at least 180 days. Log retention can be increased to as long as ten years. Why would Microsoft choose only 30 days for their internal logging?

Furthermore, Microsoft believes the attack originated from a laptop belonging to an employee at a company they acquired in 2021. They think the employee's laptop was already compromised before the company was acquired.

That also, unfortunately, means that there could have been more stuff compromised that Microsoft doesn't know about. Storm-0558 could still have access to systems, individual assets/identities, or the ability to generate access keys we don't know about.

The M&A employee could also be a scapegoat—everything Microsoft has published concerning root cause analysis is a theory. It has no evidence linking this compromised employee's laptop to the MSA key theft.

How Far Should Shared Responsibility Extend?

Another point the review board makes in this report, which has been echoed by the White House, is that far too much onus is put on the customer to secure their accounts and data—the providers and CSPs should shoulder more of the work here.

Just look at Microsoft's most recent breach (Jan 2024 by Russia's "Midnight Blizzard"). Microsoft insists there were no vulnerabilities here, it was just cred stuffing, but then look at everything they recommend customers do to detect and/or prevent an attack like this. Imagine reading these recommendations as a 50-person organization. Madness.

Is this reasonable to expect of the average M365 customer? What about personal accounts? Is there nothing Microsoft can do to ease this burden?

Not only did the State Department need some serious Detection Engineering skills to discover this attack, but they also needed sharp SOC analysts AND the premium audit package to get access to the necessary logs to begin with!

Figuring out how Microsoft's licensing works, understanding their products, and securing them is a complex maze that makes the defender's job an utter nightmare.

Subscribe now

Recommendations

From what I can tell, everything in this report is a recommendation. Microsoft isn't required to do any of it. The recommendations are very bold but mostly seem fair to my eyes. A potential silver lining here is that this report could be used by Microsoft and its employees as a permission slip of sorts—a permission slip to shift priorities back in the direction of security a bit.

Microsoft is incentivized to focus on profits and revenue at all levels, even for the CEO. A report like this can help them give security the priority it needs and push back on expectations for more profit and growth at all costs. I'm sure there are folks at Microsoft who have been advocating for better security at every step. For those still fighting that fight, this could be their most important weapon against years of poor risk prioritization.

I'm not going to get too deep into the details here, so start on page 17 if you want to jump straight to the recommendations [www.cisa.gov]

The List…

This isn't an exhaustive list - just the ones I found most interesting. There are 25 in total. Here are the ones that apply to Microsoft:

1. Microsoft’s security culture needs to improve.

2. Microsoft needs to modernize its key management (LOTS of specific recommendations here, including updates to NIST standards, FedRAMP, and other industry best practices.)

3. Transparency and reporting breach details were lacking and unacceptable, especially for a company as large and essential as Microsoft.

4. Security must be prioritized, with incentives coming from the CEO and board on down. For a time, this priority needs to exceed that of innovation/new development until the worst of the security issues have been addressed.

5. Security must be a design requirement (wait, haven't I heard that from Microsoft itself???)

6. NO MORE CHARGING FOR LOGS, and provide customers a minimum of six months of logs.

7. More useful logging.

8. Rework IAM architecture to be more secure and compartmentalized - lots of pointing and hinting at Google's post-Aurora BeyondCorp transformation here.

9. Better M&A due diligence.

The recommendations continue with more CSP/Industry-specific ones, like:

1. CISA becoming a CSP watchdog, doing annual reviews of CSPs.

2. NIST should update 800-53 to better account for cloud-based IAM risks.

3. Need for a minimum audit logging standard for cloud services.

4. CSPs should be early adopters of more secure identity standards and IAM/key mgmt processes.

5. US-based CSPs should report ALL incidents potentially involving a nation-state (and we should consider legally requiring them to do so.)

6. CSPs should be transparent about both what they DO know and what they DON'T know.

7. CSP vulnerabilities should go through CVEs and be handled like vulnerabilities (this has long not been the case, with an argument that customers don't patch CSP issues; they're patched once by the CSP for all customers - there is an argument to have here though, about other benefits of these vulns using CVE and having a presence in other vulnerability databases.)

8. CSPs and USGov should create an "amber alert" system for high-impact situations.

9. CSPs should verify victims received notifications, not just fire them off en masse.

10. US Gov should incentivize more data sharing between CSPs and those affected by security issues.

How should all this make us feel?

We often hear about how fragile the Internet is and how common poor security practices are, even at security vendors. Every time we think, “This is it - buyers, consumers, and regulators are done with this BS,” nothing happens. Breaches keep happening, and we move on. Is the problem with us, the security professionals? Is security more important and precious to us than it is to the general public? Of course, it is - we’re focused on it and worried about it all day, every day - it’s our job.

Perhaps part of the problem is a perception of industry importance that doesn’t line up with reality.

We work in an industry that’s more than happy to publish myths and lies, like the indefensible fake statistic that cybercrime somehow did $6 trillion in damages in 2021 and will top $10 trillion in 2025. That’s difficult to reconcile, as ransomware payments recently crossed the $1 billion mark, and the FBI reported BEC scam losses in the US were $2.7 billion in 2022. Dozens of vendors happily repeat these fake stats, hoping they’ll help them sell more products.

“The greatest transfer of economic wealth in history,” Steve Morgan says. Really? A recent post by Tom Johansmeyer, who has over 20 years of experience in the insurance industry, disagrees. Here’s his take on NotPetya, which is often pointed to as one of the most costly cyber incidents ever.

NotPetya is often called the most expensive cyber catastrophe in history, having caused as much as $10 billion in economic losses at the time ($11.9 billion in 2024 at an annual inflation rate of 3%). That may seem monumental—-and by cyberattack standards it is—-but as catastrophes go, that’s a pretty small price tag.

Spoiler - Tom concludes that NotPetya isn’t even the 2nd worst “cyber-catastrophe”. The greatest transfer of economic wealth in history probably has something to do with student loans.

The point here isn’t that cybersecurity isn’t important - it absolutely is! It’s just not the most important thing ever. Some companies and individuals in this industry desperately want it to be, and that’s causing problems. Daniel Miessler recently coined an interesting term that explains why it’s often difficult to move the cybersecurity baseline: the Efficient Security Principle.

The Efficient Security Principle explains why, despite this incident, the US Government still uses Microsoft 365 and other Microsoft products. It explains why, despite dozens of vulnerabilities in Azure and incidents impacting Microsoft 365, it is still one of the most dominant collaboration, communication, and productivity platforms available. Customers' value from these products and services exceeds the actual or perceived risk related to Microsoft’s breaches and mistakes.

Share

Conclusion

Hopefully, some of the points made in this report help remove some tech debt for not just Microsoft but the industry as a whole. It’s frustrating that it often takes incidents like this to justify improving security, but that’s nothing unique to our industry. Efforts to improve safety and security often look unnecessary or even paranoid until there’s an incident demonstrating the need for them.

It's a great reminder that there really is no such thing as "best practices," only "current practices" that we should always strive to improve.

According to reports, the primary concern is that staffers’ use of Copilot and similar large language model (LLM) services will result in leaks of sensitive information, particularly from classified documents. Considering current events, trying to keep classified information under wraps is not a bad idea. 

While the ban aims to safeguard against potential data breaches and ensure the protection of government-related data, information and document leaks have been a problem for the U.S. government since long before AI was anything but a fictional movie plot. 

The ban, therefore, is simply a stopgap measure. For one thing, LLMs may facilitate data and information leakage, but they don’t precipitate it. Second, although I don’t have access to such data, I love to make inconsequential bets, and in that vein, I’d be willing to bet that 99+% of staffers own and operate non-work-issued devices. With their personal devices, staffers can take whatever information they are privy to and use it as inputs to Copilot, ChatGPT, Gemini, LLaMA, and the like.

So, even though the electronic transfer and storage of work documents and information should be relegated to approved and managed devices, information will be transferred/shared outside of protocols much in the same way other “workarounds” have occurred, and for many of the same reasons. 

Governing AI

For the record, many private companies are also attempting to ban or apply stricter governance to using LLMs and AI. At a minimum, smart companies are issuing acceptable use policies for the technology. No one wants their data leaked. Many companies don’t want their data used for training purposes either. Regarding government and national secrets, the stakes are even higher; data protection is paramount. Given the history of government data leaks — and the fact that state information is so highly coveted — it's no wonder Congress is wary.

All of this being said, government officials are aware that LLMs like Copilot have already achieved liftoff, meaning there’s no way they can completely stop it from propagating throughout their user base. What’s more, trying to do so would be both an exercise in futility and pure hypocrisy; in October 2023 the Biden Administration issued an executive order explicitly addressing the secure development and use of AI. Congress must also be aware that adversarial governments and cyber criminals are taking full advantage of every technological advancement they can get their hands on. If the U.S. were to ignore the advantages AI and LLMs offer, it would be willful ignorance. 

Vendors, too, have recognized that ignoring the needs and requests of the U.S. government is a mistake. In this case, Microsoft has acknowledged the government’s concerns and has announced that it will start to build a government-focused edition of Copilot that incorporates enhanced security controls and compliance requirements (one wonders why the rest of us aren’t afforded such protections, but I digress). Szpindor’s office has not committed to the presumptive tool’s use when it becomes available, but it is a good strategic decision for Microsoft to head down that runway.

The Wrap Up

Whether or not the House allows Copilot — or any other generative AI tool — on government-owned devices or systems is almost irrelevant. Some of you might argue with me and say, “But AI is the future of all technology!” And you are probably right. But at the end of the day, most concerns about AI are really about data security and privacy; we’re just applying data security concepts to a different model. At the heart of AI (and all its subcategories) is data — data repositories, data algorithms, data access controls, etc. Historical principles apply. What this means is that developers do not have to reinvent the wheel when it comes to AI security. It might feel like they do, but really — they don’t. Developers can take years of lessons learned and mold them for AI-based tools. If you were to read cybersecurity funding reports, it would be easy to think this is a new category of security controls. It’s actually just an evolution (though, if you are a vendor trying to raise venture capital, sprinkling “AI” into your pitch materials isn’t a bad way to go).

Share

The moral of the story may be this: The House of Representatives is banning a generative AI tool because of concerns about data security and privacy. Though the focus is on the “AI” part, it really comes down to the data: how it’s generated, how it’s used, how it’s processed, how it’s stored, where it’s stored, who has access to it... There is little new in this. AI is slightly different in that developers have to also consider the security of the algorithms used to generate results. But even this isn’t a totally new security concept. Which is all good news.  

Except when a powerful entity, in this case, the House of Representatives, calls out a vendor for not developing to the highest security standards. If Microsoft can develop a hardened version of Copilot, it should. Perhaps that was the goal all along — to improve Copilot’s security as new versions are built. Or maybe the goal was always revenue first; freemium versions aren’t afforded the same level of security as paid versions. I get it. We live in a capitalist society. 

However, when it comes to LLMs, there are implications beyond commercialization that builders and buyers have to think about. Kudos to the House for stepping forward and demanding better. Good luck to them, though, on keeping Copilot out of the hands of staffers entirely.

For this article, I spoke with Lynn Dohm, Executive Director of Women in CyberSecurity (WiCyS) (pronounced “wee-sis”), to look at how organizations and individuals can turn DE&I programs into a force for good.

A few weeks back, Adrian and Tyler were discussing the Rezvani Vengeance supercar during the Enterprise Security Weekly (ESW) podcast. The manufacturer offers all kinds of crazy add-on features, including military and (physical) security packages. Not being a car fanatic,2 I didn’t have much to add. Until they started talking about gas masks, electrified door handles, and pepper spray defense. While Tyler and Adrian were musing on how drivers could use these features maliciously — like to spray jaywalking pedestrians — I was thinking, “Never gonna buy it, but this isn’t the worst idea for anti-assault scenarios.”

I raised this point, and the two of them (uncharacteristically) were silent for a moment. It hadn’t occurred to them that the functionality could be for the protection of the driver — to help her defend off an attacker if one were to break into her car. They had their cyber hacker hats on and were thinking about it from a “how much ill-intentioned harm could be done to unsuspecting individuals” point of view. But as soon as I said it, they both realized that the use cases for pepper spray, gas masks, and glow-in-the-dark car door handles were diverse.

They might not have ever thought of it without the female perspective.

Case in point

Think of the new features and/or marketing opportunities of adding diverse points of view to business conversations! Diverse perspectives add potential, not limit it. And that’s what people in favor of DE&I programs have been saying for years.

Individuals not in favor of DE&I programs have been arguing that they can go too far — the programs end up being a checkbox activity that can exclude qualified people from positions solely because the person doesn’t tick off the “diversity” box. This is a no-less-valid argument.

I don’t want to get into social or political arguments here. Still, the numbers show that cybersecurity isn’t the most diverse industry on the planet. Just go to any cybersecurity conference — especially the more technical ones — and you’ll see what I mean.

Now, I’ve been an advocate for women in cyber for a long time, so my thoughts and feelings on this topic are no secret.3 However, anytime I’ve written or spoken about increasing the number of women in security, it’s been with a focus on women’s strengths and expertise rather than fulfilling a quota. And frankly, if we could take away the shoehorning of people (women or any other underrepresented group) into positions, I think more security practitioners might agree that diversity is a good thing. Find qualified people who also have diverse attributes.

Share The Cyber Why

Enter: A new voice

In my mind, I’ve been a positive advocate for DE&I in the workplace. That is until I met Lynn Dohm, Executive Director of Women in CyberSecurity (WiCyS). My friend Steve Moscarelli had invited me to speak at an ISSA event in Chicago, and Lynn was the first speaker. Her talk was amazing — I was a little nervous to get on stage after her — and she opened my eyes to a number of things. Mainly, that focusing on diversity before inclusion is a mistake. Yes, the acronym is ubiquitous so most people start at “diversity.” The problem is that they often also stop at “diversity.”

To get back to my earlier anecdote about ESW, if Adrian and Tyler had heard my comments about the Vengeance and thought, “OK, fine. That’s not the point, though,” my differing point of view wouldn’t have mattered. At all. You can have plenty of diversity in the room, but if there’s no inclusion, none of it matters. 

“Diversity” may be the focal point of hiring conversations, but it’s less common for people to leave workplaces because of a lack of diversity. Exclusion and absence of opportunity are the prevailing reasons for people — especially people in underrepresented groups — to change jobs or leave the industry altogether. 

I wanted to explore the idea of inclusion with Lynn a bit more. She’s been a powerful force for change in the industry, so what could I learn from her? 

Katie: From your experience and research, what do people get wrong about DE&I programs?

Lynn: Everyone puts “diversity” in front of “inclusion.” And it’s understandable, but they’re very different. “Inclusion” is about wanting everyone to be active contributors; when you create inclusiveness, diversity comes. When you start putting the emphasis on inclusion, diversity will thrive. Because at that point, you’re empowering people. You’re giving them opportunities. But you have to follow through. You can’t just ask for ideas and opinions and then dismiss them. That will backfire, and people will feel more excluded than ever.

Inclusion is a feeling, and you only feel excluded when it’s happening. Tracking diversity is easier than inclusion — that’s why it’s used for measurement. 

We have to get away from diversity as a “feel good” metric. So many people don’t understand what inclusion means, but in order to take responsibility, we have to define it. We have to explain what it looks like — without being confrontational or dismissive. The sad fact is that people who are being excluded from conversations and opportunities don’t speak up. It’s hard for them to address and easier to leave. And then we’re left with the echo chambers that have existed for years.

Katie: All of that is good, but we’re only making slow progress, and now we have people who view DE&I programs as negative. The initial intentions of these programs are getting buried because of poor execution. What do we do?

Lynn: Allyship. We have to focus on allyship and helping others. Speak up for others when they’re being excluded. It is so hard to speak up for yourself when you’re the one who is being excluded, especially if it’s constant or consistent. Everyone wants someone to support them when they’re not being included or treated unfairly. When you see and hear exclusion in the workplace, be that advocate, be that educator. Offer time, effort, and help.

Subscribe now

Many of us have been in these situations, so it’s easy to spot. But only if you’re paying attention. It’s easy to look the other way. That's why allyship is so hard sometimes — it's less awkward to ignore a bad situation.. 

Some of the most well-intentioned people have exclusionary patterns and traditions ingrained in their behaviors. The best way to approach a conversation about inclusion is with empathy and understanding. Be active in the conversation, but without calling someone out. That will only lead to defensiveness and ultimately, inaction on that person’s part.

Katie: How would you approach a conversation with someone who is excluding someone or a group of people in the workplace?

Lynn: First and foremost, build your own awareness skills. If you don’t come at inclusion from a place of understanding, we’re going to end up with more aggressive individuals than when we started. 

I’ve found that the most successful approach to conversations about exclusion starts by letting your natural curiosity be the driver. If you can stay calm and rational, it’s more likely the person you’re approaching will, too. Then, repeat back parts of a conversation to the person. For example, “I am trying to gain a better understanding of something that happened yesterday. In our team meeting, you put Tim, Bob, and Joe on a project but said that Sara won’t participate since she has to leave the office at 4 pm to pick up her kids. Can you help me understand why this excludes her from the project?” Initiate a conversation that has the person repeating back what they said so they can hear it in a different key. 

Katie: Changing people’s minds is hard! A lot of people won’t ever try.

Lynn: True, but the only way to start a shift is by being an ally, by speaking up. It’s hard, but it will pay off.

If you’re not ready to start those hard conversations, there are some things you can do to limit your exposure to exclusionary behavior in your workplace. When looking for a new job, look at the composition of the executive team and the board of directors. If the “leadership” webpage is homogenous, it’s likely their thoughts and actions are, too. This is not a failsafe — it will only give you visual clues about diversity, not inclusion, but it’s a start. 

Katie: What is the most surprising thing about exclusion?

Lynn: WiCyS partnered with Aleria for the first-ever study on the state of inclusion for women in cybersecurity. From that work, we know that 57% of women in cyber say that the exclusion they experience shows itself in the form of a lack of career growth and advancement. Women hit the glass ceiling in year six of their careers! This is while men continue to have greater opportunities as they get older and gain more experience. Women feel they have to change jobs to advance, and that harms not only women but the entire industry.

Katie: There are some researched benefits to building an inclusive workforce. Can you share a few?

Lynn: Absolutely! Before you can get to benefits, you have to focus on trust, respect, and a sense of belonging. Now, if these seem like fuzzy measures, there is plenty of research to suggest that giving employees and coworkers trust, respect, and a sense of belonging results in increases in productivity and even profits. Practicing inclusion is the right thing to do. But if you’re in charge of a company or a business unit and your goals are more bottom-line-focused, the proof is there too.

Share

Tracking and keeping up with all of the vendors and products in the cybersecurity market is a remarkable achievement, and I applaud Richard’s efforts here. It’s a very valuable thing that he’s built. It’s a good opportunity to dig into this milestone and what I think it means for the industry.

I love tracking cybersecurity market trends and talking to founders about what they’re building on the bleeding edge. I spend a lot of time on the Enterprise Security Weekly podcast and here on The Cyber Why discussing security startups. I talk and write about startups from the moment they come out of stealth through every funding round and finally exit to larger vendors and become part of a larger platform or suite of products.

It’s rare, however, that I see something that really moves the needle, so I try to highlight it when it happens.

Subscribe now

Drowning in Solutions to Our Problems

While the constant flow of new startups and funds through the cybersecurity market provides me with a never-ending source of news to write and podcast about, I think it provides less value to practitioners. Ten thousand products. Most practitioners have never heard of these vendors or products, and never will. It’s a mark of the age we live in, where defenders got all the funds they asked for, products they asked for, and people they asked for, but still get breached.

We’re positively drowning in resources but still struggling to get the job done.

I’ve devoted a large chunk of my career trying to understand this dilemma, and this research goes back to an epiphany I had in 2011, shortly before becoming an industry analyst. I was working for a mid-sized enterprise, building their security program. While going through their current tooling, I found that their vulnerability management product had identified 250,000 critical vulnerabilities.

How was this possible? How could a company with 2,000 employees and less than 3,000 assets have a quarter million critical vulnerabilities? The vulnerability management tool couldn’t answer this question, so I went in search of a tool that could. I discovered a company named Risk I/O (later rebranded as Kenna Security and acquired by Cisco), whose whole value proposition was to make sense of the mess that vulnerability management products produced.

It was already concerning that the state of patch management was so bad that we needed a tool to tell us when patches were missing (I know vuln mgmt is a lot more than just updating software, but that was the bulk of it in this scenario). It was much more concerning that we now needed a third tier of products to clean up the mess that the lower tier had produced. A few years later, we’d see “next-gen” anti-virus offerings create a similar dynamic, where most organizations resigned themselves to running two AV solutions on every endpoint, until the new technology caught up enough to replace the old.

Everything Fatigue

The term “fatigue” is now commonly used to describe the situation cybersecurity products have created. Early in my career, I was tasked with implementing my company’s first SIEM. We were one of the world’s largest payment processors, and the upcoming PCI 1.0 deadline made this an important project. My first instinct was a common one: shove as many events from as many possible sources into the SIEM. I wanted every bit of enterprise visibility I could get.

One month in, I had over 1700 devices pumping 100 million events into our SIEM daily. It was an absolute nightmare. Every day, sources would stop sending us events and we’d have to investigate. Managing storage was a daily struggle, as PCI had retention requirements we had to meet. I had built this SIEM from the perspective of “what COULD this SIEM do for us”, when the goal I should have set should have sounded more like, “what SHOULD this SIEM do for us”. We could barely keep the thing running - trying to do anything useful with it was challenging.

Once IT realized that we had built this massive system of record, the security team was tasked with determining root-cause analysis after every IT outage. Due to the SIEM’s architecture, database technology, and the amount of data we were constantly pumping into it, even the most basic queries could take hours to complete. Getting any cybersecurity value out of our SIEM seemed an impossible task, even with nearly 5 FTEs largely devoted to managing and using it.

Share

Function, Not Innovation

My SIEM story is 20 years old, and my vulnerability management story is 13 years old, but the cybersecurity industry is still struggling with similar problems today. Security teams are fatigued by the very products proposed to solve their problems. So we sell more products to solve the problems created by other security products. Meanwhile, breaches are at a record high, and most ransomware attacks resemble mediocre penetration tests.

Throughout my career, I’ve consistently encountered buggy, poorly designed security products that don’t come close to achieving their claims. I’ve encountered a shocking number of products that simply don’t work at all and only provide the appearance of function and value. Enough to fool practitioners juggling too many products, but not those with the time to evaluate a product properly. On the inaugural episode of The Cyber Why podcast, I mention that Palo Alto doesn’t need best-of-breed products to win with their platform approach - they just need products that work, and they’ll beat most of the competition by making purchasing painless.

So, that’s my take on the current state of a cybersecurity market peddling over 10,000 products. So many products, we need a tool like Richard’s to help alleviate shopping fatigue.

Leave a comment

Less Noise, More Boring

With the exception of perhaps nation-states, most threat actors aren’t innovating, because they don’t really need to. In fact, the data we have suggests that cybercriminals have more easy targets than they have time or resources to take advantage of. Initial access brokers aren’t running out of product to sell. After every breach post-mortem I work through, the lessons are the same: staff wasn’t trained, security products weren’t configured correctly, and security processes were either missing, untested, ineffective or all of the above.

There are a lot of parallels between the health & fitness industry and cybersecurity. Both industries generate a constant barrage of “innovations” and things that sound like shortcuts. Some folks will buy anything to avoid the old, tired, reliable advice: diet and exercise. Yeah, you got that Whoop 4.0 strapped to your wrist, but it didn’t stop you from eating 2,000 calories of Cool Ranch Doritos during the Oscars last night, did it?

The path forward is clear:

1. Focus on nailing the fundamentals, not chasing the latest “innovation” in security. The constant process of chasing, trying new products, and ripping/replacing is disruptive and will contribute to security failures (particularly if the products, processes, and people you already have aren’t effective!)

2. Constantly test the efficacy of your products, people, and processes. One pen test a year isn’t often enough. Practice like a sports team.

3. Talk to the folks who don’t seem to have their hair on fire all the time - you’ll get good advice and product recommendations. There are some products out there that are real gems. When these folks move to a new company, there’s a short list of “evergreen” products they’ll put in place every time. Buy and implement those, and ignore most of the rest of the noise in the market.

4. Make sure your product overhead to headcount ratio makes sense so you can get the most out of the products you already have. What’s the right number? I don’t know, but five products per FTE is probably too much. Some products need more attention than others, so it’s hard to nail down a number for every org and scenario.

There isn’t a finish line, but you’ll know when you’ve arrived at security enlightenment. You’ll still have the same boring routines, but incidents won’t rattle the team or burn out employees. You’ll return to normal from incidents more quickly. You’ll sweat less in management/board meetings when presenting metrics and updates. Changes to the security program and its processes will be smaller and more iterative.

Before cybersecurity enlightenment: chop wood, carry water.

After cybersecurity enlightenment: chop wood, carry water.

One of the key aspects highlighted in the guidance is a focus on microsegmentation — a cybersecurity buzzword from the 2016-2018 era. Will microsegmentation finally take hold? Are organizations equipped to implement microsegmentation now? In this article, we’ll explore what makes microsegmentation so hard and how enterprises can adopt the NSA’s zero trust guidelines intended for government entities.

Subscribe now

Zero Trust Microsegmentation Is HARD!

Several years ago, I worked for a software vendor building a zero trust based microsegmentation product. The company was one of many emerging at the time. Each of the startup vendors offered its own interpretation of what microsegmentation meant and where in a network it should be deployed, leading to some pretty nasty turf wars. The promises were big, execution was uneven, and results were unreliable.

The microsegmentation market started cooling off by mid-2019 after the more successful players got scooped up by bigger (platform-oriented) vendors. In my opinion, the acquisitions were focused on the concept of offering a path to zero trust based microsegmentation rather than the particular technologies themselves. Given that most of the acquired technologies got rolled into other product lines and ceased to exist in their original form, this seems like a solid argument.  

It’s not that microsegmentation is (or was) a bad idea. In fact, it’s a great idea! Adrian and I recorded a video at Black Hat 2019 (which I cannot, for the life of me, find anywhere online) about why microsegmentation, while highly beneficial for security purposes, can be challenging to implement. To quickly recap:

1. Complexity of network architecture: Overhauling large, complex networks with highly interconnected devices and systems (including legacy tooling that may lack flexibility and granularity) would be excessively time-consuming and would likely be incomplete due to architectural limitations.

2. Granular policy definition: Microsegmentation requires security, IT, and operations teams to define and enforce granular access control policies based on factors such as user identity, device type, managed/unmanaged applications, data sensitivity, baseline traffic patterns, dependencies, and intended security policies. Many organizations don’t have the level of visibility that would allow them to start this process.

3. Performance impacts: If not implemented well, microsegmentation could introduce latency and overhead as network traffic passes through additional security enforcement points.

4. Integration with existing infrastructure: Microsegmentation requires integration with existing network infrastructure. Compatibility issues, interoperability challenges, and the need for software-defined networking (SDN) may make it hard for teams to update their networks to a state that makes microsegmentation possible.

5. Dynamic nature of modern networks: Today’s networks are dynamic and constantly evolving, with devices connecting and disconnecting, applications being deployed and updated, and users accessing resources from various locations and devices. This means that policies must be flexible enough to meet the modern network’s demands — and that may seem impossible for many organizations.

   The Cyber Why needs you! Share Katie’s Awesome Writing.

   Share

So, Exactly What Has changed?

If we understand that microsegmentation is beneficial but has been too hot to handle for many organizations, why is the NSA refreshing its push for it now?

Because software-defined networking (SDN), a hyper-reliance on cloud environments, and zero trust architectures are finally starting to be the de facto standard for public and private organizations alike. 

The guidance specifically states, “Though microsegmentation can be achieved with traditional system components and manual configuration, the centralized nature of SDN allows for dynamic implementation and management across the network. SDN enables the control of packet routing by a centralized control server via a distributed forwarding plane, provides additional visibility into the network, and enables unified policy enforcement.”

It continues to note that “SDN is already a feature of many modern network devices currently in use and can allow flexible integration and control of new equipment,” making it a prime facilitator of microsegmentation. Because traffic in an SDN flows through software-based controllers, an SDN provides a high level of visibility into the network and network traffic patterns. This, in turn, allows administrators to understand the network more clearly, allowing them to more easily create rules and policies for microsegmentation and adhere to zero trust policies. 

Zero trust, for its part, is driven by greater adoption of SDN. Why? Because SDN allows admins to implement dynamic security policies that can automatically adapt to changing network conditions and events, and enforce actions based on user identity, device security posture, and behavior. It’s a cyclically beneficial model that has evolved alongside the increased adoption of modern and flexible networking technologies.

More than just zero trust and microsegmentation

The new NSA guidance focusing on the “network and environment” pillar includes more than recommendations for implementing zero trust and microsegmentation. However, these two elements are noteworthy because they are a re-emergence of topics that tried to take a stronghold in the past. Nonetheless, with current capability comes additional opportunities. It is undoubtedly the NSA’s hope that organizations will use the new recommendations and deploy more robust security controls and processes across their networks. 

Now that past barriers to zero trust based microsegmentation implementation have been removed, perhaps now is the proper time for its heyday. There is no question that microsegmentation enhances network security and reduces the cyberattack surface, making it a worthwhile endeavor. As for zero trust, it should be the default architecture in all organizations’ network environments. Applying a zero trust approach to microsegmentation, using SDN and other present-day networking capabilities, will only serve to strengthen organizations’ network defenses, which is — truly — the main point of the NSA’s guidance.

Leave a comment

Private equity (PE) firms also have a large stake in the cybersecurity market. PE firms pick up moderate-performing companies and combine them with other moderate-performing companies. This is in the hopes that 1+1=3, from an investment standpoint.

This market cycle, where point products and features masquerading as products get acquired into platforms, has been the dominant force setting the market pace for the past 20 years. This cycle shows no sign of changing or stopping.

Subscribe now

The Palo Alto Platform Debate

Recently, Palo Alto’s CEO, Nikesh Arora, felt the need to do some defensive explaining around PANW’s current market strategy. At the end of this LinkedIn post, he strikes a match, which finds some dry tinder.

…we feel confident that in the next five years point solutions will become a thing of the past.

This is clearly hyperbole, right? Nikesh knows how the market works. In fact, as an acquisition-driven company, Palo Alto depends on a healthy ecosystem of competitive point products to fuel their growth! For some perspective on Palo Alto’s dependence on the startup ecosystem, published a recent piece that details Palo Alto’s acquisitions over the past six years: 16 transactions totaling nearly $4.8B USD.

For some market perspective on the size and health of the security startup ecosystem, over at Return on Security reported 684 funding rounds across 100+ unique product categories worth ~$12.7B in 2023. Mike also reported that 2023 had 259 M&A transactions across 70+ unique product categories worth ~$40.5B. That’s nearly 1000 major transactions, pumping over $53B into the cybersecurity market. As the market continues to recover, we can only expect to see the number and size of transactions increase, particularly after tech and security companies start going public again.

Palo Alto has no less than three major platforms. The company’s firewall platforms, Cortex, and Prisma, have all been around for many years, making it difficult to claim that platformization (a real word, apparently) doesn’t work. Further bolstering the strategy, PANW’s incredible growth over the period that these platforms were built is well-detailed by in his ‘BHAG’ post.

Symantec and McAfee’s corpses are often dragged out and placed on display as evidence that platformization doesn’t work, but those companies were built during a very different time. Building a simple integration required dozens of meetings, contracts, and the exchange of proprietary information. Today, nearly all products are API-first SaaS and integrations are built in hours. Honestly, it’s a miracle McAfee made ePolicy Orchestrator work at all in the 2000s!

(pssst, it still exists, BTW)

Share

A Challenger Approaches

, industry analyst and author of , jumps feet-first into the point vs platform debate with some bold statements.

This left me scratching my head. There are tons of cybersecurity platforms on the market. Sure, many of them make compromises and probably aren’t considered ‘best-of-breed’ in some categories, but to say there is no such thing as a cybersecurity platform? I don’t get it. Perhaps his next statement is a clue?

There is ZERO appetite within the enterprise to purchase all of their cybersecurity from the same vendor.

Any statement that goes to such an extreme is impossible to disagree with. It’s a strawman - there aren’t any vendors trying to be everything to everyone, unless we consider VARs vendors. There are plenty of categories I just don’t see Palo Alto venturing into. The cybersecurity market is full of niches and nuanced products that will never make sense as part of a larger platform.

Even within Palo Alto itself, there isn’t a single dashboard or platform. Panorama, Cortex, and Prisma are all separate platforms with separate UI/UX. This makes sense - each platform has separate buyers and use cases, each with its own UI/UX needs. Mashing it all together into a single console would be a mess.

What’s a platform?

A platform doesn’t have to cover every use case and product to be a platform.

Personally, I define a platform (in the enterprise B2C software sense, at least) as multiple, highly integrated products that can be accessed and leveraged via one cohesive UI/UX. Pricing often also enjoys some discount over purchasing the software separately. Platforms should generally benefit the buyer in terms of cost and convenience, but like anything else, there are examples of badly executed platforms. As companies grow, business diversification is often necessary to achieve growth goals.

Zscaler has a platform. Crowdstrike has a platform. Trend Micro has a platform. Sophos has a platform. I think it is fair to say that platforms are common and successful. Perhaps the confusion here is that a well-integrated platform closely resembles a point product.

For some more perspective, let’s play with the opposite extreme as a thought exercise.

Share The Cyber Why

There Is No Such Thing as Best of Breed

The vast majority of security point products are created by early-stage, VC-dependent startups. Selling a minimum viable product to a Fortune 100/500/1000 can be tricky to pull off. Enterprise features are often missing in MVPs, but startups target large enterprises because they have a small sales team with big numbers to hit. They ain’t gonna get there with a 4-5 digit ACV, and large enterprises fling a lot less when the cost is big.

Most point products aren’t even usable or available to the larger general market. As previously mentioned, sales teams can’t afford to go after smaller deals. I often hear buyers complain that they can’t get anyone to return their calls or take their money, and it is often because these startups have to be picky about who they sell to. They need enough growth and the right logos to reach the next milestone. Rinse and repeat until the ARR/growth numbers are right for a decent exit.

These products are often rough and might not even work reliably at this stage. If early-stage startups manage to make a sale, it’s almost certainly at a discount. Unless it creates an immediate impression, there’s a good chance it ends up as shelfware. Surely this isn’t what we’re calling best-of-breed? Late-stage startups get closer to polished, more usable products but are also closer to exiting to a platform vendor.

So… are we most likely to find best-of-breed products within a platform? Or is there some optimal window where a startup is late-stage but also pre-acquisition that could be described as a peak point product?

Let’s jump back to another quote from Richard:

You need the best possible defenses against a real and present danger. If you compromise to reduce the burden on your purchasing department you are going to be out of a job and may be indicted by the SEC.

I think there is a misunderstanding here of how products are purchased, implemented, and used in enterprises. The “best possible defenses” (i.e., product performance) are just one factor the buyer must consider. It probably isn’t even the most important factor for most buyers. Botched and abandoned deployments are so common in the security space that getting a product deployed, working, and producing value is often a major win, regardless of product performance. The best security product in the world can’t make a difference if it never gets deployed.

Let’s say Crowdstrike was the best performer in some anti-malware tests, but SentinelOne was the best performer in an EDR/XDR test. Endpoint security platforms are tightly integrated - I can’t imagine a buyer mixing and matching both of these solutions. Honestly, I’m not even sure if it’s possible to segregate some of these functions anymore - there are many places in cybersecurity where you need a platform to avoid massive inconvenience and overhead: endpoint, cloud, vulnerability management, identity.

Usability, compatibility, and ability to integrate are critical features that weigh into “best of breed” decisions. A .NET shop’s favorite SAST tool might not work for a Java/C++ shop because language support is missing or retired. Best-of-breed is subjective - objective best-of-breed products don’t exist in many categories.

Let’s explore another way to define best-of-breed: industry analyst reports. Who are the “leaders” according to all the analyst firms? They’re all platforms.

Each buyer must individually decide what best-of-breed means to them based on their unique requirements and resource constraints. I’ve seen the same product perform amazingly for one customer and not work at all for another, because things were “too noisy” for one, and “not noisy enough” for another. Customer environments are diverse, and it’s difficult to build one product that suits everyone.

Integration is another important consideration in the buying process. “Does your product integrate with X,” will be asked on nearly every introductory sales call. Have someone with disabilities on your team? You’re probably looking for a mature, well-established platform. There’s little to no chance that a startup’s MVP will include accessibility features for folks with low vision, for example.

Subscribe now

No Best-of-Breed, Only M&A Targets

It’s incredibly rare for point products to remain private or go public. The vast majority get acquired. Trying to advocate for point products can be painful - I regularly hear buyers bemoan that their favorite product is now part of Broadcom, Microsoft, Palo Alto, or some other platform vendor that they worry will ruin it. Buyers will search for an alternative and switch to it, and inevitably, that vendor will also exit to a larger player, leaving the buyer to repeat the cycle.

That said, the security market and threat landscape change so often that ripping and replacing solutions every few years isn’t necessarily a terrible idea for some security product categories. However, doing it across dozens of products is a considerable time and labor investment. Is all this work worth it? That depends - best of breed only exists in the eye of the beholder.

All growth paths lead to platforms. Do you think Apple is building VR headsets because they want to? They have to satisfy shareholder expectations of continued growth, and that often means differentiating by entering new markets, like VR/AR. The Apple ecosystem is the platform that bridges the path there. Palo Alto and Crowdstrike’s platform moves aren’t that different. Like Apple’s laptops, tablets, and smartphones, the network, cloud, and endpoint are ideal environments to build a platform around.

Leave a comment

In this piece, we’ll take a look at some of the new data and trends shaping workplace evolution and thus insider threat, and briefly cover a few mitigations.1

“Insider threat,” as it pertains to cybersecurity, is broadly defined as the potential for harm caused by an employee, business partner, supplier, or any other person with authorized and legitimate access to systems, data, and/or facilities. Insider threat is (or should be) a major concern for any business. Why? Because it’s insiders who already know their way around the organization. They’ve been granted access to the organization’s network and technologies, including devices, applications, and data repositories. They understand the types of data and information upon which the business runs. They have relationships with people inside the organization and may use those relationships to coax information. They likely know (at least some) workarounds for certain access or security controls (when those controls get in the way of efficacy).

There are four main types of insiders:

Malicious insider: These are the people with intentioned evil actions. They might be a disgruntled worker, someone who feels they’ve been wronged by the organization or a specific person in it. They have an ax to grind and use what’s at their disposal to steal or harm systems or data. For instance, this might be a salesperson who recently resigned because they feel they’ve been mistreated. They download their client list before moving to the next job, taking proprietary information outside the company. Or it could be an executive who leaks potential M&A information in exchange for future financial gain.

Unintentional insider: These people accidentally or unwittingly cause a security event. They might typo an email address or Slack username and send sensitive information to the wrong person. They might click on a link or email attachment, thinking it is legitimate, and trigger malware or have their credentials stolen.  

Compromised insider: This is someone who has been bribed, blackmailed, or coerced by a third party who has malicious intent. The compromised insider may be acting against their will but feel they must carry out harmful actions to protect themselves, loved ones, or fellow employees.

Negligent insider: This type of insider is someone who doesn’t know the rules for acceptable use or ignores them to get work done. It might be a developer uploading sensitive data to GitHub in the name of efficiency or an employee putting a sensitive presentation on a personal laptop so they can work while on vacation. 

Share The Cyber Why

What’s new with insider threat?

OK, you’ve read this far and are thinking: What’s new here? Well, so far, nothing. Just level setting, my friends. Let’s get to the meat, shall we?

According to the Gurucul 2023 Insider Threat Report, 74% of organizations say insider attacks have become more frequent. An equal number of  respondents say they are “at least moderately vulnerable or worse to insider threats.” 

A December 2023 report by CrowdStrike found that “Approximately 55% of the identified insider threat incidents involved unauthorized use or attempted use of privilege escalation,” and “approximately 45% of insider threat incidents involved insiders who unwittingly introduced risk to their environment through the unauthorized download of exploits or by downloading other offensive security tools for testing or training purpose.”

But, why?

There are so many reasons — too many to list in one article2 — why the risk of insider threats is increasing.

1. Digital transformation: We live in a hyper-connected world. Our personal lives and professional lives run on technology. Most of us have multiple devices that we use or cross-use. We connect to dozens or hundreds of apps daily. The more technology we have and the more data we put into it, the greater the chance for a leak or breach, intentional or unintentional. Growing attack surface = growing risk.

2. Data is currency; there is always something to be gained by it. This doesn’t always mean a person is going to weaponize data. In fact, mostly it’s not weaponized (despite the scary statistics published here). But if a person were so inclined or coerced into using data for harm, there’s plenty to choose from. 

3. Social issues: Contentious topics like the wars in Ukraine and Gaza, gender politics, national politics, the environment, and more have wended their way into the workplace, dividing colleagues and creating tensions. An insider with a grudge or point to make could easily use sensitive or private business data as retaliation or retribution.

4. Anonymity: Many employees feel it’s easy to cover their tracks if they intend to abuse, misuse, or tamper with systems and data. Perhaps they haven’t met a forensic investigator. If they have, perhaps they know stealthier ways to hide in today’s network traffic messiness. 

5. Work-life imbalance: Many employees work remotely and/or in hybrid environments. Along with it comes the co-mingling of work and personal devices, additional user accounts and access needs, and a general blurring of system and data use. Users can more easily make mistakes (if the threat is unintentional or negligence) or simply blame technology (“I’ve been hacked!” If the threat is intentional or malicious). What’s more, detecting insider threats is more difficult for security and ops teams because permissions have to be so broad to accommodate current working conditions.

Discontent in the workplace

Workplace unhappiness is higher than it’s ever been (Or, at least, it’s higher than has ever been expressed). Either way, people are unhappy at work, and unhappiness and stress can be a significant contributing factor to mistakes, carelessness, or the desire for retaliation. It can also make a person more prone to negative influence if the influencer promises personal or financial gain (“I can help you get a better job with a nicer manager and a higher salary”) or some sort of protection (“I won’t tell your boss you’ve been drinking at lunch if you just get me this one file…”).

Insider threat programs frequently stress the importance of…well…watching employees for elevated stress or unhappiness. Although increased unhappiness and stress in no way guarantee employee wrongdoing, any adverse change in behavior should be noted and delicately addressed before bad turns to worse. 

Just how bad are we talking about?

The “Employee Happiness Index” report by BambooHR says employee job satisfaction has declined at a rate that is 10 times faster than in the previous three years!!!

Source: BambooHR

Separately, Gallup’s State of the Global Workplace 2023 Report shows that 6 in 10 employees are “quiet quitting” and “exhibiting record-high stress levels”. Further, according to the report, more than half of employees are currently job-seeking. 

Some of the top reasons for workplace unhappiness cited in these and other recent reports include:

• High stress caused by workplace demands or perceived poor management practices

• Lack of recognized value or contribution by the employee’s colleagues, managers, or executives

• High inflation with declining wage growth (ie., lower take-home pay)

• The prevalence of layoffs directly or indirectly affecting employees 

• Return-to-office policies threatening work-life balance

Refer a friend

UGH, just tell me what to do!

The good news is that there is little that’s actually new when it comes to reducing the risk of insider threat and deploying controls that can prevent it!

The bad news is that the advice is neither new nor sexy. It’s back to basics. Focus on the fundamentals. It is the cyber essentials that will pave the way to a more protected work environment.

• Inventory and control of enterprise and software assets: These are the #1 and #2 on the CIS Critical Security Controls, and for good reason. Know what you have so you can monitor, manage, and measure it. For example, if you don’t know that a sensitive data repository exists, you probably don’t know when/if an employee is accessing it. You, therefore, can’t see that they’re downloading tons of data from the repository and exporting it to an external app or thumb drive. Lesson: You can’t remediate insider threats without knowing what systems, data, and users are involved.

• Zero trust: Despite Tyler’s hate <GRIN>, zero trust is an important element in an organization's infrastructure security plan. Let me be clear: Zero trust is not a product but an approach, framework, or policies that result in identity-based, least privilege, and conditional access to (network-segmented) data and systems (all the things attackers, including insiders, are after). In today’s computing environments, zero trust = security. It’s the baseline upon which security teams should be architecting their networks.

• Patch: We know that vulnerable hardware and software versions are leading entry points for attackers. While they are possibly less of a bright, shiny object to most insiders, someone with ample technical knowledge can use outdated versions to execute an insider attack. Fix vulnerabilities and identify and remediate misconfigurations. In other words, take away the easy access points.

• Monitor for behavioral anomalies: Organizations must know their baselines before they can start looking for what may be going wrong. And in the case of insider threat, the signs might be very minor. Remember, insider threat is one of the hardest attack types to stop because these are people with legitimate access. But there are usually at least some signs that things are awry. Simple network traffic patterns, access requests, and data volumes are good places to start. More advanced organizations should deploy user and entity behavior analytics (UEBA) to identify individual user or user device anomalies.

• Acceptable use policies (AUP): While a policy isn’t going to stop a determined criminal from anything, the hesitant or nervous would-be insider who is thinking about stealing, leaking, or tampering with data or systems may think twice if the organization has shone a spotlight on expectations and consequences of an intentional insider compromise. Be careful not to be overly strict about accidental compromise; we don’t want people doing stupid things, but accidents can happen — and they can happen to anyone. However, be very deliberate with wording around negligence. “I didn’t know I couldn't dump our product designs into ChatGPT” isn’t a scenario you want to deal with. 

In short, insider threat is still insider threat. The things security and operations teams (along with HR, legal, and communications colleagues) have to do to mitigate the risk aren’t vastly different today than they were four years ago. However, our corporate environments have changed, and (apparently) not for the better.  As a result, security and ops teams must be hyper-aware of the situation, work with business colleagues to put the data into context, and put an extra spotlight on the security fundamentals to ensure systems and data are more resilient to stealthy attacks from insiders than ever before.

Subscribe now

To summarize the news, Palo Alto Networks announced earnings earlier this week, topping industry analyst estimates with the results. However, they also put out lower guidance for the rest of 2024. The net result was about a 20% drop in the stock price after hours and the scrubbing off of around $20B in market cap the following day. In other words, the public market freaked the hell out.

The earnings report stated that the company was seeing spending fatigue and an increase in the need to tighten security budgets amidst businesses becoming more efficient with their spending. This makes TOTAL sense!

Cybersecurity buyers have been publicly saying that we have “too many solutions”, “too many vendors”, “too many alerts”, “too much investment”, and quite frankly too many shitty products that don’t provide value. I agree with them!

But for the sake of argument, let’s take a step back and consider the alternatives. Let’s assume that all of the complaints of the last few years are echo chamber garbage, and the reality is that buyers really want point solutions that provide siloed output that don’t work well together and haven’t been successful in securing the enterprise. If this is true, I can still make the case that Palo Alto’s platformization play (HAH, I love the new word) will win in the long term.

The Strategic Details

Nikesh Arora and the Palo team have spent the last half-decade acquiring the best of bread in many of the critical cybersecurity niche areas. Let’s take a look at Wikipedia to see the list of acquisitions since 2017. I added bolding to the ones that I felt were near the top of the market in their specific subsegment at the time of acquisition (your bolding may vary).

• March 2017: LightCyber for approximately $100 million^[34]

• March 2018: Cloud Security company Evident.io for $300 million. This acquisition created the Prisma Cloud division.^[35]

• April 2018: Secdo^[36]

• October 2018: RedLock for $173 million^[37]

• February 2019: Demisto for $560 million^[38]

• May 2019: Twistlock for $410 million^[39]

• June 2019: PureSec for $47 million^[40][41]

• September 2019: Zingbox for $75 million^[42]

• November 2019: Aporeto, Inc. for $150 million^{[43][better source needed]}

• April 2020: CloudGenix, Inc. for $420 million^[44]

• August 2020: Crypsis Group for $265 million^[45]

• November 2020: Palo Alto Networks announced its intent to acquire Expanse for $800 million.^[46]

• February 2021: Bridgecrew for $156 million^[47]

• November 2022: Cider Security for $300 million.^[48]

• November 2023: Talon Cyber Security for $625 million^[51]

• December 2023: Dig Security for $400 million^[52]

As you can see, they weren’t buying garbage technology. It’s not like the old days of an acquisition done by IBM or Symantec, where good companies go to wither and die. Palo targeted and acquired one of the top three companies in each security subsegment to broaden their offering. The promise all along has been an eventual platform that offers all of these technologies from a single vendor. If this is where the story ended, I’d agree with Richard that the results will go nowhere.. but this is just where the tale BEGINS!

Leave a comment

The Era of Unified Data and AI Analysis

In the earnings guidance, Palo stated that it would offer programs and incentives (e.g., free months of service) to buyers who trade in legacy vendor products. They are willing to do no-cost deals, introductory offers, and free product upgrades to bring on and grow their customer base. At first glance, this sounds like a HORRIBLE idea - next year, let’s GIVE AWAY our products. That’s a super refreshing new way to do business!

So why would Palo choose this strategy? The public market immediately responded and told the executive team they had made a mistake. Hold on to your shorts because here comes the twist. They haven’t.

Palo plans to use this year to do some essential things to the business to set them up to win in the long game. They are playing chess while the rest of the cybersecurity market is playing checkers.

1. Pay down technical debt - Palo's historic acquisitions were largely left alone and only worked toward a broader integration play in the last few years. This built up technical debt, and in the next year, Palo will pay this debt down and build a much more robust engine and user experience. This costs money and will be a minor hit to their bottom line. They must invest in themselves and their innovation pipeline.

2. Collect and unify the largest cybersecurity dataset on the planet - Only a few cyber players have multiple SaaS cyber offerings and can collect such a massive data set. Palo plans to leverage this dataset and build a network effect by getting as many new customers onto the platform as quickly as possible. Each new customer is another set of raw data that their AI system learns from and can use to improve accuracy. This is an apparent reason to blitz the market and attempt to dominate as a single vendor offering. This is why they are giving products away for free.

3. “Activate their AI leadership strategy” - The marketing words are Palo’s, not mine. However, the strategy is a good one. There are two to three players in the global cyber market who might understand and take a shot at the broad AI cyber vision. Palo believes that their resources and current capabilities give them a headstart in the AI-backed cybersecurity detection and prevention of attacks arena. I am confident they are correct. There is nobody better fit to make these moves except for Microsoft and possibly Google (the leaders in AI today). Google doesn’t see the cybersecurity market as meaningful, and Microsoft has traditionally been unable to execute its long-term vision. Palo has the lead and will win over everyone else.

4. Start the afterburners and buy the market - There is a unified market forming in which a one-vendor platform provides outsized value compared to point solutions. Nobody would switch if the platform's value weren’t orders of magnitude better than point solutions - but it is, or at least will be! Every additional customer you put onto the platform makes the platform more robust for everyone else. The network effect is real, and when the network effect is real, you have to blitzscale (buy) the market. The first company to get there has a distinct advantage over the competition, making it challenging to dethrone them over time.

The new guidance Palo provided not only makes sense in the near term but will show a massive return on investment in the long term. They will spend 2024 reworking the spaceship with new boosters, nose cones, and steering systems. The only real question remains whether they can execute the engineering side of this vision because this is one market they will not be able to acquire their way into. This year will be a year of innovation and reinvestment in the company, shrinking its growth rate but resulting in a launching pad that will take the company to a whole new level of dominance.

I’m sorry . I love ya, brother, but with all due respect, you’ve missed the boat on this one. The one ring to rule them cyber platform will be here in the next three years, and Palo Alto Networks will be the one to bring it to the world.

Share

Additional background reading from The Cyber Why on Palo Alto Networks and the cyber AI race is below:

Palo Alto's Big Hairy Audacious Goal
The Next Era of Cyber Security Companies
AI Will Be The Next New Massive Platform
The Margin Crush is Coming in 2024

Like patching, backups were security-adjacent but never really considered a ‘pure play’ security product. It was a little odd for Symantec to acquire Veritas, but what did we know? Everything was new back then. Maybe hybrid IT/security vendors would be the thing from now on. We still see some of that today where there is clear synergy between the IT and security sides, like with data (Splunk, Elastic, DataDog, etc).

It was announced last week that Veritas and Cohesity will merge (it sounds like a merger, at least), which seems a much better fit than Symantec ever was. This seemed like an excellent opportunity to do a bit of a retrospective.

Subscribe now

In the year 2000…

Symantec paid $13.5B (a 6.75x revenue multiple) for Veritas in an all-stock deal that closed in 2005 (okay, not quite 2000). The pairing didn't make a lot of sense and was later undone. It’s said that, after the acquisitions, Symantec and Veritas continued operating independently.

What a difference ten years can make! In 2014, Symantec was getting bloodied by 'next-gen' AV startups like Crowdstrike and Cylance. The endpoint security incumbents, Symantec and McAfee, rejected innovation, resulting in the creation of their own worst enemies. This occurred directly in the case of McAfee, as Crowdstrike and Cylance’s founders both came from leadership roles there before founding the companies that would outcompete their former employer. This battle would inevitably see Symantec and McAfee be taken private and dismantled by private equity.

To drive my point home - can you recall what Symantec and McAfee are called these days, without looking it up? I’ll put the answer at the end of this piece if you give up.

Symantec at least had the foresight to see that they needed to focus on security, so in late 2014, they announced the sale of Veritas to The Carlyle Group, a private equity firm. Completed in February 2016, the deal was only for $8B. The revenue multiple was less than half (3.08x) what Symantec paid ten years prior.

The acqui-merger-combination

Somehow, another ten years have passed (I feel OLD), and Carlyle is selling off Veritas in what appears to be a merger. The press release never uses the term “acquisition” or “merger.” The businesses will instead “combine” and are referred to as “the combined company” thereafter.

While we can’t estimate a multiple for the sale of Veritas alone, the press release does share combined numbers: $1.6B in total revenue, $1.3B ARR, and a combined valuation of $7B. Combined, the companies are targeting a market with a $30B TAM that I suspect is likely shrinking, as many of the products and services offered here are increasingly consumed as features within other platforms (e.g., AWS Glacier).

This isn’t the most exciting product category, but it also doesn’t seem like one that is going away any time soon. I’m just glad that, after 20 long years, Veritas finally has a home that makes sense.

What’s in a name?

If you’ve given up, here’s what happened with the branding.

Symantec was split into two, with the enterprise software becoming a product within Broadcom called Symantec Enterprise Cloud. The consumer side of the business was rebranded as Norton LifeLock and later rebranded again as Gen Digital after merging with Avast.

As for McAfee, the name stayed with the consumer product, while the enterprise business was split off and split again into two pieces by STG: the SSE products became Skyhigh Networks, and the remainder of McAfee’s enterprise business was merged with FireEye (which was split off from Mandiant) and rebranded as Trellix.

Editors Note: If you can follow all that splitting and rebranding, you deserve a cookie!

Share The Cyber Why

In 2022, the European Commission proposed new legislation that would give EU citizens even greater control over their personal data. It was called the Data Act, and it became law on January 11, 2024. 

In this article, we’ll break down the Data Act and consider its impacts on the cyber attack surface.

Back in 2018, companies worldwide were in a frenzy to comply with the EU’s General Data Protection Regulation (GDPR). The new law drastically changed data handling practices for any organization processing personal data of individuals residing in the EU. Companies spent months and millions of dollars updating processes and tools that would help them meet and maintain compliance. But the GDPR was only the first stepping stone in what’s to become a long line of data-focused laws meant to strengthen data protection and privacy rights for individuals.

Countless additional laws and frameworks have followed the passing of the GDPR, notably in the EU, the European Data Governance Act (signed into law on June 23, 2022) and Europe’s Digital Decade initiative, which helps EU Member States follow leading practices that help achieve safe and responsible digital transformation. The newest regulation, the Data Act, was formally adopted by the Council of the European Union and endorsed by the EU’s Parliament in late 2023, passed into law in January 2024, and will be enforceable in mid-2025. 

According to the European Commission’s press release, “The new rules define the rights to access and use data generated in the EU across all economic sectors and will make it easier to share data, in particular industrial data.

The Data Act will ensure fairness in the digital environment by clarifying who can create value from data and under which conditions. It will also stimulate a competitive and innovative data market by unlocking industrial data and by providing legal clarity as regards the use of data.”

What is the EU Data Act?

In clear terms, what is the EU Data Act, and what does it mean? Practically speaking, the Data Act creates rules that enable consumers and businesses to access, use, and share personal data generated during the use of connected products, mainly Internet of Things (IoT) devices. It forces manufacturers of connected devices to design their products in a way that makes it straightforward to access the data upon request, by the data owner or holder, and by any business or service to which the data owner/holder has granted permission. 

The Data Act also applies to suppliers of related services (e.g., the software used in the connected device), data holders and providers (e.g., the businesses that store/process data on behalf of the manufacturer), and public sector entities (when there is an “exceptional need”).

Rights for Data Owners

In short (and first and foremost), the Data Act gives data rights back to data owners.

Let’s say you are an EU citizen with a connected toothbrush. In theory, this toothbrush has been spitting out (pun intended) some data about the state of your oral health. You, as a consumer, have access to some of this processed data (Yippe! You brushed for two minutes, two times per day, for eight days straight!). But getting access to the metadata is much more challenging (until the Data Act becomes law). 

So what, you may ask? At present, the toothbrush manufacturer is collecting (and likely sharing or selling, albeit — hopefully — anonymized or pseudonymized) data about your brushing habits and using the data to create new revenue streams. They’re harvesting your habits. 

However, it might benefit your dentist to see this metadata and use it to help you prevent or manage oral problems. At present, it would be hard for you — the toothbrush owner and user — to get all data related to your use of the connected toothbrush. And if you do manage to get it, it might be in an unusable format. Furthermore, the manufacturer might not even be able to generate a comprehensive report, given that the data could be scattered across various components of the system. 

But with the enforcement of the Data Act, connected toothbrushes will have to be designed in such a way that the data owner can request access to all their data and/or transfer it securely to their dentist. Importantly, the law also states that the data must be provided free of charge and in a ubiquitously machine-readable format.

Imagine the same scenario in regard to car maintenance and repairs; access to diagnostic data could be very useful to a third-party mechanic of your choice. The new laws make it easier for you and your repair person to get your hands on all that data.

The Data Act gives users (data owners) additional rights, as well. The regulation specifies that users will have greater control over how manufacturers can leverage data generated by their operation of a connected device. For example, users should be able to prevent or limit the inclusion of their data in marketing campaigns, the manufacturer’s revenue-generating activities, and how/where the data is processed. The act also requires manufacturers to comply with all user data access requests as well as transfer requests to third parties.

The same standards apply to businesses when the business is generating data on behalf of another business. For example, in the case of cloud providers, cloud processing services, and other data processing/data handling services, providers must now support data interoperability when or if the user — in this scenario, a business “user” — chooses a new provider.

Greater market opportunity

In addition to data access and data sharing obligations, the Data Act prohibits unfair contract terms that prevent anyone but connected device manufacturers (and other data generators) and their data service providers from benefiting from the data.

Going back to our car example, under the Data Act, car makers must release the data generated through the operation of the car to the owner and/or a third-party repair facility if requested to do so; they can no longer force EU owners/operators of these cars to use only manufacturer-managed repair facilities and/or manufacturer-built components.

Further, one of the stated intents of the Data Act is to spark greater innovation. With broader access to connected device data, entrepreneurs can create new aftermarket products and services. The press release about the regulation states that the Data Act “makes a significant contribution” to “advancing digital transformation” and ensuring fair market pricing as well as more effective business decisions and planning that result from data access.

No hindrance to normal operations

A main stipulation of the Data Act is product design; manufacturers must now build their connected products and services in such a way that data access is guaranteed. However, manufacturers are prohibited from designing the product/service so that data access interferes with the normal and intended operation of the device. In other words, a manufacturer cannot build a product that is effectively ineffective after its data is accessed.

While it is not specifically spelled out in this legislation, there is sure to be some follow-on addendum that prevents manufacturers from adding insecure backdoors to products in the name of data access, thereby creating easier attack paths. At least, let’s hope there is. While the law, in part, makes a case for a stronger economy, it first and foremost claims to focus on protecting personal data, even widening the definition of “personal data” beyond what is defined in the GDPR.

Attack surface considerations

It’s no secret that connected devices and the data they generate have increased the cyber attack surface. Data is a valuable commodity. And both legitimate businesses and attackers relish in the overabundance of data made available as a result of our digital economy. So while the Data Act is an effort to give some control back to data owners, it also potentially opens up more doors to misuse and abuse. Manufacturers/providers must be cognizant of product design changes that facilitate unauthorized data access. Data owners must take responsibility for any data they request; if a manufacturer/provider securely transfers data to an owner who then stores or uses it insecurely, the data is at risk of theft, tampering, and more. If the requestor is a business rather than a consumer, insecure storage or use of this data could result in a major data breach.

Businesses are, as a result of many prior laws and regulations (including the GDPR), better acquainted with data protection and privacy protocols. However, they still need to improve their data protection game — too much data is lost to weak protections already. 

But for consumers…generally speaking, the average citizen has neither the desire nor the expertise to safeguard what will likely be highly coveted by cyber criminals. While the idea of returning data rights to data owners is a positive step, let’s hope that some enterprising individuals have ideas on how to penetrate the consumer data privacy and protection market in a way we haven’t seen before. Individuals — consumers — will need help when presented with the responsibility for hardened data access controls. 

On October 10, 2022, Nikesh Arora, the CEO of Palo Alto Networks (PANW), gave an interview to Sophie Shulman of CTECH by Calcalist. In that interview, he talked about his background and history, how he views business success, his decisions to leave both SoftBank and Google, and, most importantly to this article, his predictions on the cybersecurity market.

First, the BHAG

Arora came to Palo Alto knowing nothing about cyber, but a lot about how to grow a business from small numbers to much bigger numbers by looking at the market as a whole. Despite this lack of cyber experience, or maybe <more likely> because of it, Arora grew Palo Alto Networks from a $19 billion valuation in 2018 to $50 billion in 2022. That wasn’t the big goal, though. Arora’s BHAG was to double PANW’s valuation to $100 billion and become the first cyber company to hit that goal. He did it before the end of 2023, just over a year later. And it looks like PANW’s valuation and market share will continue to grow. So how’d Arora do that in a year that saw market consolidation, more difficulty in getting funding for small players, longer sales cycles, and more challenges in closing deals?

More Cyber Attacks, More Regulation

There’s no way to avoid saying this. The cyber industry gets more attention and more customers when there are a lot of cyber attacks, which often coincide (not coincidentally) with an increase in chaos in the world. Last year, there was plenty of chaos as the war in Ukraine dragged on, chaos that only increased when the war in Gaza began. FBI Director Christopher Wray is now warning that Chinese hackers are getting ready to target American infrastructure, while Congress is stalled on providing aid to Ukraine, Israel, and Taiwan due to disagreements about border policies. These disputes embolden malicious actors to take advantage of areas of weakness.

Plus, the new U.S. Securities and Exchange Commission (SEC) regulations regarding rapid, comprehensive reporting on cyber incidents in public companies went into effect on December 18, increasing the urgency to have the tools in place to be able to report on an adverse cybersecurity event within 96 hours of discovering the attack. The additional pressure on boards of directors to understand cybersecurity risk also changes how organizations make cyber investments and what they’ll expect of them. More regulations are coming, too, both related to incident reporting and artificial intelligence, particularly as hackers figure out how AI can help them carry out an attack successfully, and cybersecurity companies add AI capabilities to prevent those attacks.

More Money, Less Security?

It rarely seems like a day goes by without a significant breach or a new vulnerability. Granted, sometimes the vulnerability sounds more critical than it is, either because it’s hard to take advantage of or it allows access to something that no one really cares about. Either way, there’s a lot of noise in the cybersphere. And perhaps because there are so many breaches, it’s hard not to wonder whether any of these companies actually have cybersecurity solutions in place.

The short answer is that they do, but hackers are getting faster and, frankly, better at executing attacks. Arora knows the answer is to deflect those attacks in hours instead of days. His acquisitions, combined with the belief that companies need modern, integrated cybersecurity systems, seem to be proving that PANW can do just that.

Strategic Acquisitions and Integrations

Last summer, Palo Alto indicated that point solutions were over and platforms needed to take over. It’s not new news. Plenty of companies have tried to make strategic acquisitions and built cyber platforms that deliver what companies need in terms of cybersecurity today, but none have really succeeded. Arora’s slightly different approach has been to build a comprehensive set of cyber products through acquisitions, with an increasingly close eye on how the technology will integrate with what it already has in place.

Unlike many other organizations that grow cyber capabilities through acquisition, Arora maintains the existing management and teams. He buys companies that have achieved product-market fit and have a management team with a strategy they can (and do) execute. Then, he leaves the managers of the acquired companies in charge of their departments, minimizing the disruption and loss of talent that so often comes with a poorly executed acquisition. That method helps integrate those new companies into PANW and increases the likelihood of quickly and successfully integrating the technology.

The Next BHAG?

Arora is getting a lot right for someone who didn’t know anything about cyber just 4 or 5 years ago. Clearly becoming the first $100 billion company wasn’t much of a stretch for Arora, for all that it sounded pretty audacious last year. So, what can we expect next? In the past, Arora hasn’t stuck around just because of an impressive compensation package. At Google and SoftBank, he got record-breaking comp packages and still chose to move on to new challenges. He’s already proven his ability to build the world’s largest cyber company, so will his next BHAG be to expand market share to an unprecedented 200B in valuation? Or will he find a new company in a different industry to gain next-level success? Either way, he’s someone to watch as he sets his next BHAG and likely achieves it!

I figured the PCI Council was easing us into the new standards and its hundreds of highly prescriptive requirements. “Surely we’ll be required to encrypt internal traffic in the next version,” I thought. It didn’t come in version 1.1 or 2.0. It didn’t come in 3.0, and now that 4.0 is here, it’s still apparently okay to let payment data get transferred unprotected, as long as it is on a “private” network.

The thing is, there aren’t really any “public” networks. Frustratingly, we can’t really consider anything truly “private” either.

The original reason we created this public/private nomenclature was all about control. Private networks were ones that were entirely controlled by one organization. Public networks were those where multiple organizations handed off our network traffic for it to get from point A to point B. The Public Internet, in other words. In theory, since this traffic crosses the network of untrusted organizations (ISPs, telecoms, government-owned utilities in some cases), these untrusted parties could capture the traffic crossing their segment of the public Internet and abuse or misuse it.

In reality, it wasn’t practical for malicious parties to compromise these networks to access this juicy, unencrypted data. It was far easier to attack target organizations directly to get access to this data. When TJX’s internal networks were compromised, the PCI Council responded (4 years later) by treating wireless networks as “public” networks, rather than treating internal networks as untrusted.

Not long after that time, John Kindervag introduced the concept of Zero Trust - a philosophy that assumes networks and other resources should be inherently untrusted. In another five years, cybercriminals would shift to organization-wide extortion tactics using ransomware. Ransomware attacks require access to “private” networks and systems and are so common that most ransomware attacks don’t even appear in the news anymore.

It is long past time to stop pretending that any network can remain private. We can’t keep pretending that “internal” networks are safe enough to send sensitive data in the clear. Encrypting data in transit should be considered basic hygiene and ubiquitous.

The really painful bit is that encrypting data on the wire doesn’t really solve anything. Attackers aren’t breaking weak transport encryption or stealing data by capturing packets - they compromise hosts, log into databases, and grab data off file systems.

Sadly, it seems we’ve got significant catching up to do, and that will take a lot of effort. Even more SADLY, this effort likely won’t get us very far.

To continue the conversation, either comment here, or check out my LinkedIn post on this topic!

A Quick Primer on Margins

Here’s a quick lesson for those not versed in success metrics in software businesses. Gross margin is the difference between the cost to make software and the price at which you sell. There are many different types of “margin,” but the image below represents the most common math used in cybersecurity businesses at the board level.

Traditionally, in a software business, it’s widely believed that 85%+ is a good level of expected gross margin on software you sell. In board meetings everywhere, investors and business leaders track margins to ensure you aren’t losing money on each new subscriber to the business. This directly ties to the unit economics of the business and is a great way to determine how successful any business will be over time.

Business Math Basics

Now that we have the introduction aside, here’s the exciting part of the story. In 2022 through 2023, the world saw unit economics for subscription businesses start to change. The macroeconomic conditions in the United States put significant downward pressure on the price at which we could sell software, resulting in a lower revenue number. Businesses had to cut their prices to continue driving sales and extend their runway without returning to the investors in a down business cycle for more funding. If they didn’t lower their prices, they sold less software (or possibly both things happened), and revenue dipped either way.

At the same time, we have seen a continued increase in the price of cloud services required to build modern SaaS software businesses. Cloud services, specifically storage and read/write activities, have dramatically increased the cost of running a SaaS software business. This is represented in the gross margin equation's denominator and again puts pressure on the result.

Subscribe now

All businesses will suffer when they see a top-line decrease in price and, therefore, revenue, coupled with a bottom-line increase in cost. Add to that the fact that cybersecurity products are going through a reinvention that requires a significant increase in the storage of large quantities of contextual data, and we see not just an increase in cost but an explosion in the bottom line of the margin equation.

See my piece on the Next Era of Cybersecurity Capabilities for more details on this reinvention.

All this “business math” leads to a lousy situation for software-as-a-service cybersecurity startups. The idea that we will be able to keep 85% margins on successful businesses in the future is becoming a fallacy. In the next 12 months, successful SaaS cybersecurity companies will see acceptable margins drop to the 50-60% range. Because of this, we will have to decrease the size of our sales and marketing engine, lower the number of engineers available to grow the business, and rely on things like AI and co-pilot style development to ensure that we have a stable and prosperous company.

The only other option will be to re-engineer our SaaS products to operate in a hybrid on-premise and cloud model or create BYOC solutions so that compute and storage costs can be passed through to the buyer of the product. By requiring the buyer to create their own storage and compute nodes to run our software, we can keep the cost of goods sold to a minimum and continue to see the traditionally high gross margin levels.

The Trickle-Down Effect of Pricing Pressure

Higher gross margin means higher valuations in both private and public companies. As you can see in the chart below from CloudZero, as the gross margin increases, so does the value of the business. The valuation is very important when it comes to raising capital, M&A, and stock options for your employees.

Price pressures, increases in cloud costs, and the resulting valuation decreases will result in a race to the gross margin-bottom for many markets. The best business leaders will rightsize their business expectations, allowing them to execute on a much longer timeline and, if possible, reach profitability well before initially intended.

The Impact On Investment and M&A

Venture capital is designed on a power law model, meaning that a select few investments return the entire fund, while most invested businesses go to zero. Suppose existing SaaS cyber companies retool their business to become profitable quicker instead of building towards the massive growth exit. In that case, it will permanently upset the apple cart that is venture investment in early-stage SaaS companies. This will decrease venture investment in the future due to limited returns to the venture LP base. We’re already seeing this in private funding numbers as tracked on Crunchbase.com.

When markets decrease in size and value, companies within them become logical acquisition targets for rollups and strategic acquisition plays. Most private equity investors are happy purchasing a company that is growing in the 10-20% annual range as they will inject efficiencies post-acquisition to help them get to scale and profitability as soon as possible. If the net impact of cost and margin changes identified earlier come true, the companies will better fit private equity than traditional venture investment. This will result in an increase in exits to private equity firms in 2024 for cybersecurity-related SaaS companies. Those companies with significant scale will be the first to be snapped up.

Share

The Big Winner - At Scale Contextual Security

Healthier companies are an easier acquisition for strategic acquirers as well. Consider the Palo Alto Networks and Cisco Systems style, publicly traded companies out there. They both reinvented themselves not by innovating internally but instead by acquiring emerging cloud and application security companies to become dominant players in the market. Strategic acquisitions from large companies such as these, looking to increase the amount of contextual data under their control, will increase in quantity as SaaS-based cyber companies make themselves look pretty from a margin perspective. The end result should be an increase in momentum around the contextual cybersecurity data play and a significant move by major cyber vendors looking to unify the global cybersecurity market.

Let’s Go Out On A Limb - An Odd Prediction

As a closing thought and a long-shot bet, I have a final crystal ball prediction. Suppose the gross margin impact prediction comes true and the cloud services do not correct their pricing. In that case, we will eventually see hybrid hardware and bring your own cloud offerings take over for SaaS software only as businesses move to the on-premise approach and look for optimizations in speed and pass-through cost on the customer site. This will directly result in a rethinking of cybersecurity responsibilities and again require the CISO to reconsider where she places her trust.

Because of the impact of cloud costs and decreasing margins, I believe that there will be less cloud-focused innovation and less financial capital injection into young cyber software-as-a-service startups in the coming years. Services approaches and on-premise models come in waves, and I believe we are cresting the peak of a recent wave. The era of insane exit multiples and crazy returns for SaaS-specific cybersecurity investing is over. Lick your wounds. Exit what you can in 2024. And find a new way to make money.

Subscribe now

This wave of change hasn't emerged suddenly; it has been rising and swelling over several years, leading to an inflection point where we witness a drastic shift from the status quo. This new era of cybersecurity capabilities is arriving more swiftly than anticipated, poised to transform daily cybersecurity operations.

Data Collected - Analysis Engine - Actionable Output

Cybersecurity technologies, like all software, adhere to a basic framework encompassing data intake, data analysis, and the generation of actionable output. For instance, a traditional application security static code analysis tool ingests the binary or source code of applications, conducts an analysis to detect vulnerabilities, and then produces a list of exposures with remediation instructions. This framework can describe nearly any cybersecurity technology on the market today. While it's a nuanced and focused version of general software theory, it's beneficial to consider cybersecurity within this framework as it offers a means to differentiate between technologies.

Historically, cyber companies have distinguished themselves in at least one aspect of this framework when building their products. They often highlighted a "superior analysis engine" as the primary reason for being a more effective solution in detecting attacks or attackers. This approach led to a point-solution strategy in cybersecurity, where products excelled in resolving specific issues but lacked integration with other siloed technologies. As a result, "defense in depth" became the expected norm.

The popularity of defense in depth surged as enterprise cybersecurity teams amassed various solutions in pursuit of the ideal combination of detection, protection, and response technologies. This method, akin to needing a better mousetrap (analysis engine) that targets only mice while ignoring other creatures, propelled the cybersecurity market towards a focus on identifying more vulnerabilities and exploits rather than mitigating risk. To effectively reduce risk, the value proposition of products must evolve beyond mere issue detection to encompass other elements of the foundational framework.

API and Cloud Adoption Drive The New Security Data Fabric

With the growing adoption of cloud infrastructure, software as a service (SaaS), and API-based communications, our access to data has significantly expanded. Data is now omnipresent and readily accessible via APIs.

Transitioning workloads to the cloud removed them from traditional data centers, placing them in environments where every aspect, including configuration and current state data, is accessible through APIs. The rise of SaaS usage transferred corporate data into the hands of third parties, offering API-based access in return. Moreover, the explosion of API communication patterns, as applications were segmented into smaller components to exploit cloud-native services, gave rise to microservices and service mesh architectures, all underpinned by API communication models.

In today's world, we are inundated with data, possessing the capability to access extensive enterprise information in real-time, often with minimal programming expertise. The common saying, "There's an app for that," has evolved to "There's an API for that!"

Context Is The Next Wave of Oil

Isolated data fragments are limited in utility. Data's value multiplies exponentially when numerous pieces are combined, providing insights unattainable in isolation. Consider a scenario where your car has a flat tire and is involved in an accident on the same day. One could infer that the flat tire either caused or resulted from the accident.

When two or more pieces of data are near each other in logical proximity, we may gain additional insights and value that couldn’t be perceived when the data points were viewed in isolation. This is context, and context is king. Taking multiple data points and looking at them holistically to make more competent observations is contextual awareness, which humans are really good at.

We live in a world with more data and, thus, more context than ever. In addition to quantity, this breadth and depth of data is available programmatically, increasing the speed at which systems can consume and analyze it to create additional context. More context begets more data, so the virtuous cycle continues as analysis creates and builds more and more contextual knowledge, feeding on itself as the gravitational pull between the raw data and the contextual output becomes more intense. The pace of contextual creation is gaining speed, and there is no way to stop it.

Context has become the new oil. As technology and software companies devise systems that amass vast data collections, the contextual insights gleaned from analysis generate a network effect for the owning businesses. Context transforms into the high-octane fuel powering the engines of artificial intelligence and future computing systems.

Improved Analysis with AI-Derived Contextual Decisions

Humans excel at drawing connections and inferences from discrete data points. We are adept at observation and recollection, enabling informed and intelligent decision-making. However, humans are not as efficient in the speed of analysis. Becoming a subject matter expert involves years, sometimes decades, of focused study and experience, a gradual ascent up "knowledge mountain."

In contrast, computers excel in processing speed, designed for swift execution of processes and data analysis. The advancements in artificial intelligence have enabled computing systems to process vast amounts of data and solve complex problems in a fraction of the time required for human analysis. What might take a human a decade to learn, AI can master in mere weeks or months.

Simply put, artificial intelligence involves processing massive data sets, posing context-based questions in natural language, and rapidly deriving accurate answers. As AI's analytical capabilities evolve with our expanding data access, context will multiply exponentially. Over time, AI will become more adept and intelligent, drawing inferences not just from raw data but from the amalgamation of multiple contextual elements, now seen as a data superset.

In this equation, Context + Context = Consciousness. Applying these analysis techniques to cybersecurity, as previously discussed, suggests that cybersecurity technologies are on the brink of a revolutionary capability to observe and protect our cyber universe like never before.

Automated Workflows On Accurate Data

In cybersecurity, there's a prevailing belief that automated solutions to security issues are risky, as errors could compromise services, networks, or applications, eroding trust in both the automation and the security team. Historically, this caution was warranted, as security automations were not context-aware and relied solely on raw data, lacking the nuanced decision-making akin to human consciousness. The risk of technology-driven decisions was deemed too high.

However, today's landscape is different. Our source data comprises analyzed context, offering a more precise foundation for decision-making. Our analysis engines now emulate human consciousness through AI, utilizing a very rich data set. Furthermore, our outputs are expected to yield unparalleled data comprehension and accuracy. If these factors hold true, we can automate fixes with a sufficiently low-risk level, making automation preferable to human intervention.

The New Cyber Platform

To reiterate: "The difference between traditional cybersecurity products and modern cybersecurity platforms is the incorporation of context (data) and AI to enable more intelligent and accurate decisions."

The question isn't if we can develop a cybersecurity platform that emulates human behavior and intelligence, executing its recommendations in real-world scenarios, but when? As AI and contextual understanding evolve alongside the proliferation of APIs, so too does our intelligence's richness. Gradually, we will build trust in the system's answers to complex questions, allowing for autonomous corrections. This progression could mark the beginning of a significant advantage in the fight against cyber attackers. The barriers separating technologies, people, processes, and data will crumble, granting us a comprehensive view of the cybersecurity context and, hopefully, a real chance at success.

...until, of course, attackers begin to leverage the same contextual insights.

IMHO: AI will be globally transformative and act as the underlying platform for future technologies.

Here is the link to the episode at the exact point of the Doug Leone comments on AI being a platform. It’s short… give it a listen. *Side note, I introduced Adrian to the All-In Pod.. so yeah.. take that!

The Hype is Indeed Intense

The hype around AI reminds me of the web hype cycle in 1999 in silicon valley. I moved to the bay area in 1997 for a startup. I dropped out of undergrad in western New York and flew across the country with only a signing bonus in my pocket - no bed, no clothing, no nothing. I had to sleep on the floor in the closet of my tiny little studio apartment across the street from 1 Infinite Loop (Apple HQ). Until I could get settled in. I often stayed overnight at my employer's office with a blanket and pillow I borrowed from the engineering closet. Everyone was doing it! The world wide web had taken hold of the universe, and the hype was out of control. You couldn’t avoid the topic. Websites for every possible idea were being built left and right and funded into existence by insane amounts of venture capital flooding the valley's streets.

Where there is smoke, there is fire. Insane funding amounts don’t happen in a vacuum with a total result of failure. They happen when the herd mentality that is venture capital connects so violently with an investment thesis that anyone with a vague idea for a product can get funded. Today is no different with AI. You can get funded if you have anything to do with AI, whether focused on a single solution or a broader vision of what AI could mean to society. The bulk of the projects will miss. We will likely end up with an AI investing bubble resulting in a crash of AI projects when they realize specifically what it takes to be successful in this market. Like the .com era, from those ashes will arise a phoenix that ends up being the top-tier companies and products of the time, and going forward, they will dominate AI as it takes over the world - much like websites eventually did!

What Makes a Platform

We must first extrapolate a clear definition of the word to determine if AI is a platform. Of course, the most logical thing to do for this article is to ask ChatGPT how to define the term. So we did just that:

In general, a platform refers to a base or foundation upon which something else is built or supported.

In technology, a platform refers to a software or hardware environment that enables the development and deployment of applications or services. For example, the Android operating system is a platform for developing mobile applications.

In business, a platform can refer to a company or organization that provides a set of tools or services that enable other businesses or individuals to build their own products or services. For example, Amazon Web Services (AWS) is a platform that provides cloud computing infrastructure and services to other businesses.

So essentially, if someone can build a product on top of another tool, that tool becomes a platform. OpenAI introduced the concept of ChatGPT Plugins on March 23, 2023. According to ChatGPT and Bing AI search, 120 plugins are available as of May 20, 2023. As of February 2023 (yes, before the release of plugins), OpenAI’s API received an average of 3 million API calls per day, totaling over 1.5 billion examples per month. It is clear enough to say that people are building on top of OpenAI and that we should consider it a platform. To ensure I wasn’t crazy, I asked ChatGPT if OpenAI was a platform.

Yes, OpenAI can be considered a platform in the sense that it provides a variety of resources and tools for artificial intelligence (AI) research and development. These resources include AI models like GPT-3 and Codex, a cloud-based API for interacting with these models, and research papers and data sets that support the broader AI community. OpenAI's goal is to ensure that artificial general intelligence (AGI) benefits all of humanity, and it provides these resources as part of its mission to directly build safe and beneficial AGI, or to aid others in achieving this outcome.

That’s enough evidence to declare that most AI technology being used today (specifically OpenAI and ChatGPT) is indeed a platform. But how do we know if this is the platform that becomes transformative to the future of how we operate our lives daily? Is AI going to be the “Next New Massive Platform!”

When I start talking about the grand vision of AI disruption, people often throw other recent hype cycles in my face. The one I get most frequently is the debate that crypto would be the next massive transformative technology platform that changes how the world operates. This was just a bunch of hype with no real value behind it (at least, that’s my take on it). So what makes AI any different? Why will AI become the next .com wave that massively changes our lives?

Waves Dominate When Value Is Provided

Truth be told, I fell for a bit of the hype in the crypto run-up. I made a lot of money buying useless shit-coins and then lost it all when the bubble burst. I fell for people telling me that actual value was coming soon. While I didn’t fall for the “Bitcoin will rule the world” rhetoric, I did fall in love with the concept of smart contracts and using the blockchain to provide immutability of data and an accurate trail of operations that the world could see. I also believed in the idea of compute on the chain and having automated execution of code within those smart contracts. The key thing to learn from what happened to me was that I “BELIEVED IN IT,” … but I didn’t really “DERIVE VALUE FROM IT.”

In actuality, there was very little development on top of the blockchain that showed ACTUAL value to the end users of the products. Sure, there were crypto kitty games, drug and weapon purchases from dark web sites, and even some smart contract usage for certain niche needs. But we never really saw a world where blockchain and crypto came to provide real value to the daily lives of a random person with minimal technical capability. Crypto and blockchain became odd technology terms the masses didn’t understand or care about. Outside of gambling in shitcoins, the average person didn’t USE the blockchain or crypto.

AI is different. AI is a true platform with an exponential level of adoption. And we aren’t just seeing technology built for technology's sake because many smart people think it would be cool. We’re seeing LIVE applications of AI in the products we use every day and direct interaction with AI systems to ease the burdens of doing work daily. This is the exact definition of the masses finding value from a technology platform.

Finding Value from AI Today

To drive home the point of value being provided by AI today, I’ll attempt to enumerate where I touch AI (or AI touches me) every day.

• As I read news articles daily, I use a web clipper to automatically grab the article text, enter it into a database in Notion, use notion AI to summarize the article, and write three jokes. AI then creates a tweetstorm that I occasionally use to write tweets about things I read. The Cyber Why team then peruses this information weekly and writes our newsletter. While we rarely use the summary and joke text directly, the content definitely influences our decisions on the text that makes it into each piece. As the content improves, I'm sure we will start using it more directly!

• I’ve built a system that creates a text transcript of every meeting that I have, then using AI, summarizes the meeting, creates action items, emails me the action items list, adds it to a TODO list, and stores everything in a big daily notion database with a great calendar view. While I have homegrown this system myself, it won’t be long before you can pay someone like sembly.ai, fireflies.ai, otter.ai, or some other system to be your second brain. I plan to shelve my homegrown solution as soon as the products are baked enough to be fully usable.

• Working with clients as a fractional CMO, I often have to be creative. ChatGPT and OpenAI are my friends. I frequently use them to create that first big content lump of clay that I can form and mold into something you, as a reader, are interested in. I can do that right in the ChatGPT interface and prompt engineer my way to a successful piece, or I can take a first pass out of ChatGPT and mold the clay by hand. As I write, grammar.ly takes an AI approach to help me write in real-time. Additionally, I have Google AI built into Google Docs that I often use to help me create text.

• Finally, I am exploring an AI-backed contact management system and personal CRM. The system takes all my contacts, meetings, and emails and helps me determine who to stay in touch with and for what reasons. The system then guides me with automatic email options to sync and connect with people from my personal and business worlds. This is a fantastic new concept for people like me that are naturally introverted and horrible at staying in touch with people no matter how much I want to.

As you can see, I am a believer in the AI hype. The daily use cases are real, and the average human being will be significantly impacted by the progress of AI sooner rather than later. We are at the precipice of a massive change in how the technology we use everyday functions. AI is the underlying platform upon which we will build the next generation of transformative technologies!