[AI + Security]

AI Code Security: Enterprise Governance for AI Generated Code (Latio)

James Berthoty over at Latio dropped a killer piece that should be required reading for every CISO trying to figure out what to do about the influx of AI-generated code flooding their repositories. We're watching a brand new security category emerge in real time, AI Code Security, and it's distinct from traditional SAST, DAST, or SCA. The problem isn't that AI writes bad code (though it does). The problem is that AI writes code at scale, without context, and without the institutional memory that a human developer carries about why certain patterns exist in a codebase.

The governance challenge isn’t about scanning output. It’s about understanding intent, provenance, and drift. When a junior dev uses Cursor to generate an authentication module, who owns the security posture of that code? The dev who prompted it? The AI that wrote it? The platform team that approved the model? Traditional AppSec tooling wasn’t built for this question because the question didn’t exist eighteen months ago. The companies that figure out AI code governance first (think policy engines that sit between the model and the merge request) are building the next foundational layer of the DevSecOps stack.

The security industry spent decades learning to secure code humans write. We now have approximately twenty months to figure out how to secure code that nobody wrote.

FOR INVESTORS: AI Code Security is an (re)emerging category with no clear incumbent. First movers that nail the governance layer (not just scanning) will own the workflow. Watch for Series A/B companies positioning here in 2026.

[STARTUP / VC]

Services: The New Software (Sequoia Capital).

Sequoia put out a thesis piece that should make every cybersecurity SaaS vendor deeply uncomfortable. They believe we’re moving from “software as a service” to “service as software.” The next trillion-dollar company won’t sell you a tool and a dashboard, it’ll sell you the outcome. Copilots and chat interfaces are simply the transition drug. Agents are the destination. The companies that get there first capture the margin that currently sits with the systems integrators, MSSPs, and consulting firms extracting value from the complexity your tools created in the first place.

Apply this to cybersecurity and the implications are enormous. Think about what an MSSP actually does: they take your SIEM, your EDR, your SOAR, your threat intel feeds, and they provide the human labor to make all of it work together. If an AI agent can do that (triage alerts, investigate incidents, write detection rules, tune policies) then the $30B managed security market isn’t a services market anymore. It’s a software market. And the vendors that make that transition eat the services revenue. The ones that don’t become commoditized infrastructure underneath someone else’s agent.

This is the most important strategic piece I’ve read this quarter. It reframes every vendor evaluation, every competitive analysis, every market sizing model. The question isn’t “how big is the EDR market?” anymore. It’s “how much of the SOC analyst’s job does your product replace end-to-end?”

The next war in cybersecurity isn’t over features. It’s over which vendors use agents to eliminate the need for services entirely.

FOR INVESTORS: Incumbents that complete the services-to-software transition will trade at infrastructure multiples. The ones that don’t become commodity inputs. The gap between those two outcomes is where the alpha lives.

[INDUSTRY]

SaaS is Dead: Why Your Next Security Tool Should Be a “Vibe-Coded” Agent (CISO Tradecraft).

CISO Tradecraft picked up the Sequoia thread and ran it through the practitioner lens. Their take is that the next generation of security tools won’t be dashboards you configure, they’ll be agents you describe. “Vibe coding” applied to security operations. You tell the agent what you want (”monitor my cloud configs for drift against CIS benchmarks and auto-remediate anything below critical”) and it builds the workflow, executes it, and reports back. No playbook authoring. No integration mapping. No three-month professional services engagement to get value from the thing you already bought.

The article is a bit off in places, (NO we’re not twelve months away from fully autonomous SOCs) but the directional argument is right. The SOAR market failed because it required security teams to become software developers to write playbooks. Agentic AI flips that. The security team describes the outcome and the agent figures out the implementation. That’s a fundamentally different value proposition, and it explains why every major security vendor at RSAC was demoing “agentic” capabilities whether they had them or not.

SOAR failed because it asked security analysts to become developers. Agentic AI succeeds by asking them to just be analysts again.

[INDUSTRY]

I Watched All 11 Main Stage Keynotes at RSAC 2026 (Defenders Initiative).

My good friend Adrian Sanabria did the Lord’s work and sat through all eleven RSAC 2026 main stage keynotes so the rest of you could go drink at the expo area instead. He found that the industry has reached violent agreement that AI agents need securing, but nobody has a coherent framework for how to do it. Every keynote mentioned “agentic AI.” Every vendor had an “agentic” demo. And the actual substance behind most of it ranged from “we added an LLM to our workflow engine” to “we’re thinking about thinking about agent security.”

The useful signal buried in the noise is that identity is the new perimeter for AI agents (who is the agent acting as?), observability is the blind spot (most orgs can’t see what their AI is doing in production), and the supply chain risk from AI model dependencies makes traditional software supply chain look like a safe little puppy. The conference effectively confirmed that “AI Agent Security” is the next major category but we’re in the “twenty vendors, zero standards” phase. Sound familiar? It should. This is cloud security circa 2016.

Everyone at RSAC agreed AI agents need securing. That’s the easy part. The hard part is that the agents are already deployed and nobody’s watching them.

[AI + SECURITY]

AI Is Breaking Security Categories (Frank Wang).

Frank Wang wrote the piece that every analyst (myself included) needed to read. His thesis is that AI-native security companies don’t fit into existing market categories, and Gartner’s Magic Quadrants are going to look increasingly absurd trying to classify them. When a product uses an AI agent to do continuous pentesting, automated remediation, AND compliance reporting, is that a vulnerability management tool? A GRC platform? A pentesting service? The answer is yes, and also no, and also the categories are the wrong question.

This resonates deeply with what I’m was seeing as an analyst at Omdia. We’re building market models for categories that are actively merging and splitting in real time. The AI-native startups aren’t building “better SIEM” or “better EDR” they’re building agents that collapse multiple security functions into a single workflow. That’s not an incremental improvement. That’s a category extinction event for vendors who defined themselves by a single Gartner box. Next time a vendor tells you they’re the “leader” in a Gartner category, ask them which category they’ll be in when that quadrant doesn’t exist anymore.

Gartner’s category taxonomy was built for a world where products did one thing. AI agents do twelve things. The map no longer matches the territory.

FOR INVESTORS: Category convergence means TAM models based on existing categories are increasingly unreliable. The winners will be companies that own entire process flows, not categories. Diligence needs to shift from “what category are you in?” to “what job are you eliminating?”

[AI + WORKFORCE]

Andrej Karpathy: The AI Workflow Shift Explained 2026 (The AI Corner).

Karpathy laid out the trajectory that every technical leader needs to internalize, we’re moving from humans writing code with AI assistance to AI writing code with human oversight. The human role shifts from creator to reviewer, from architect to editor. More importantly, the review bottleneck is already real. When AI can generate code 100x faster than a human can review it, the security implications aren’t theoretical, they’re operational. You cannot manually review AI-generated pull requests at the rate they’re being created. The math doesn’t work.

This connects directly to the Latio piece above. If humans are becoming reviewers rather than authors, then the tooling needs to shift from “help developers write secure code” to “help reviewers verify AI-generated code is secure.” That’s a different product. A different workflow. A different buyer. And most AppSec vendors are still building for the old model. Go look at your last five merged PRs. How many were AI-generated? Now ask yourself how long the security review took on each one. If the answer is “the same as always,” your review process is already underwater.

Engineers aren’t being replaced by AI. They’re being promoted to AI supervisors. The problem is nobody trained them for the new job.

THE WRAPUP

The thread running through every article this week is the same: the AI agent era isn’t coming, it’s already here, and the cybersecurity industry is scrambling to figure out the implications in real time. Sequoia says the business model shifts from tools to outcomes. Karpathy says the human role shifts from creator to reviewer. RSAC confirmed the industry agrees this is happening while demonstrating it has no idea what to do about it. And meanwhile, AI-generated code is flooding production repositories faster than anyone can review it, new security categories are emerging and collapsing simultaneously, and the old analyst frameworks for understanding this market are breaking under the weight of products that refuse to fit in a single box. The gap between “we know this is a problem” and “we have a plan” is the widest I’ve seen in twenty-five years. That gap is also where every interesting company in 2026 is being built.

Also worth your time this week:

• Katie Moussouris warns of a “tyranny of optimization”: The AI revolution doesn’t just create security problems, it creates governance problems. When algorithms optimize for efficiency at the expense of resilience, we get systems that work perfectly until they don’t. Worth reading for the policy lens alone.

• Bessemer maps five frontiers for AI infrastructure in 2026: Reasoning, multimodal, edge, simulation, and trust/safety. The trust and safety frontier is where security and AI infrastructure converge and it’s the least funded of the five. That tells you something.

If you've made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it.

This week, the TCW team learns about the “Agentic Economy,” debates the Telegram CEO’s arrest, and cries over a city playing the blame game with a researcher. We discuss the issue of cybersecurity delusion and learn one million checkbox lessons in creativity. All this and more in this week’s The Cyber Why!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

WOAH - Agent Smith is BACK!

The Agentic Economy: How Billions of AI Agents Will Transform Our World (Kyle Gomez)

We will open this week’s TCW with a bit of futurism. The article explores the rise of the "Agentic Economy," where autonomous AI agents will handle everything from shopping to complex negotiations on our behalf. These digital minions could transform industries, labor markets, and even our day-to-day lives by making us either incredibly efficient or utterly irrelevant. While the idea of AIs doing our light work sounds appealing, the author also hints at the unsettling possibility of these agents outpacing human control, making decisions that could redefine what it means to work and exist in the economy.

The future of human work in an "Agentic Economy" looks both promising and unsettling. On one hand, AI agents could free us from mundane tasks and boost productivity, giving us more time for creative or meaningful pursuits. On the other hand, these same agents might outcompete humans in many jobs, leading to potential job displacement and a rethinking of what "work" even means. In short, AI might be our new colleague—or our biggest competition. I’d love to hear your thoughts in the comments below!

Telegram’s CEO Is Going To Be Staying In France Longer Than Expected

Telegram CEO Durov placed under formal investigation and banned from leaving France (France24)
Who Is Pavel Durov? Telegram CEO Charged With Multiple Crimes In France (Forbes)
Telegram CEO Pavel Durov’s Arrest Linked to Sweeping Criminal Investigation (WIRED)

(Rick pick) Telegram CEO Pavel Durov is currently under formal investigation in France and facing serious charges related to criminal activities linked to his Telegram platform. French authorities detained him but later released him on €5 million bail. Forbes estimates he has a net worth of $15.5B, so making bail was trivial. The charges against him include enabling illicit transactions, child pornography, drug trafficking, and money laundering. The arrest has caused quite a stir, upsetting free speech and privacy advocates, while others have said this is politically motivated as Durov is a Russian/French dual citizen. Durov has five different passports. $15.5B buys you many nationalities. I know some folks are upset about this. For me, anything potentially disrupting the crime on the Telegram platform is a win. I recognize it's not all bad, but that place is a cesspool for illegal activities. Tracking the cybercriminal underground shift here over the years has been interesting.

Stop Blaming The Researcher - They Aren’t The Problem

Researcher sued for sharing data stolen by ransomware with media (Bleeping Computer)
Columbus investigates whether data was stolen in ransomware attack (Bleeping Computer)
He proved the Columbus data leak hurts the public. Now, the city has silenced him (NBC4i.com)

The City of Columbus, Ohio, has sued security researcher David Leroy Ross for illegally downloading and sharing data stolen by the Rhysida ransomware gang during a July 2024 attack. The lawsuit claims Ross's actions caused community concern and interfered with police investigations, seeking damages over $25,000 and a restraining order to prevent further dissemination of the stolen data. Ross disputed claims that the leaked data was unusable, revealing sensitive information about individuals, including police officers and crime victims.

What a waste of city resources! Money and time are spent chasing down someone doing good for the community by helping them stay educated and informed on the risks of the breach. The city argues that the researcher's actions caused serious public inconvenience and alarm, and the researcher claims he’s simply trying to help. The worst part about this is that the case remains “ongoing,” with a pretrial conference scheduled for September 2025! Yes.. a year away. What a clusterf*&#.

Here’s a link to the court complaint PDF for those who are morbidly interested.

Cybersecurity Is Delusional

Cybersecurity's Delusion Problem (Resilient Cyber)

Cybersecurity lives in a state of constant delusion. We believe that the world revolves around us, and we have a tendency to take an ego-centric view when thinking of the incentive structure of cybersecurity. This thought-provoking article from Chris Hughes at Resilient Cyber sheds light on this and many other intriguing concepts. These cyber earworms have been whispered from the shadows for ages but generally aren’t called out to be debated in the light of day. Approaching topics such as "cybersecurity not being the center of the universe,” “security tools are overhyped,” and “cybersecurity is a big echo chamber,” this article takes aim at an issue we have in our industry concerning misaligned incentives and insufficient consequences. Thanks for writing this piece, Chris. I hope we can get better soon.

Share

One Million Lessons In Creativity

One Million Check Boxes - A Badass Thread (@itseieio)

This fantastic thread on X details a fascinating story about a website called "One Million Checkboxes" (OMCB), where users can check or uncheck boxes globally. The creator initially worried about hacking but discovered that users—mainly creative teens—used the checkboxes to send secret messages, including URLs, by encoding them in binary. This led to the discovery of a Discord group of these teens who creatively used the site to draw and communicate in unexpected ways, highlighting the creative potential of constrained online environments. This is a must-read thread!

Quick Hits and Hidden Gems

• TL;DR: Every AI Talk from BSidesLV, Black Hat, and DEF CON 2024 (tl;dr sec) - WOW. If you want to know anything about security and AI, read this post! Fantastic work from the goat of cyber influencers, Clint Gibler.

• Investors are already valuing OpenAI at over $100B on the secondaries market (TechCrunch) - To think, I passed on this investment at a $23B valuation. Oops!

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

Sequoia’s YouTube Investment Memo Circa 2005

The confidential YouTube Investment Memo by Sequoia you were never meant to see (Alexander Jarvis)

Have you ever wondered exactly what happens after you’ve pitched your new company to a big-name investor? They disappear for a while, do a bunch of “research,” and if you are lucky, come back to you with an answer about their investment. But what really goes on behind the scenes? How do they grade you against the thousands of other investment opportunities they are likely to see in any given year?

Thanks to a lawsuit between Viacom and Google, we can read, in its entirety, the investment memo created by Sequoia partner Roelof Botha in 2005 as he and the firm analyzed their decision to invest in YouTube's super early seed stages.

What’s interesting in this article is the depth that Sequoia went to when analyzing the opportunity. The best investors aren’t just “dumb money” who follow simple signaling patterns to decide where to invest capital. The best approach will focus on the business fundamentals, the market, the competition, the founding team, AND the technology. Without all of that in alignment, a startup will never succeed. If you are building a startup and considering taking funding, you must read this piece and look at it through the eyes of the author. I promise that it will be enlightening!

The Game of M&A (aka A Game of Thrones)

CrowdStrike-Action1 deal collapses over user concerns (CSO Online)
Gur Talpaz comments on LinkedIn Post (LinkedIn)

The flames of the cyber drama dumpster fire continue to burn, as this week’s finger-pointing involves CrowdStrike vs. Action1. Cloud-based patch management and vulnerability remediation provider Action1 publically stated that it had rebuffed a $1B offer from Crowdstrike to acquire the company in the wake of the largest IT crash in history. Action1 placed the blame for the deal falling apart on feedback from customers after an email leaked about the acquisition. The customers felt the acquisition would erode trust in Action1, positioning them unfavorably in the market. But like any good who-done-it flick, we have a plot twist…

In response to Action1’s public statements, Gur Talpaz, VP of Corporate Development at Crowdstrike, took to Twitter to explain how he and presumably Crowdstrike see it. Crowdstrike barely had a 45-minute conversation with Action1 and never even approached an offer, let alone a deep discussion of acquisition. The LinkedIn post calls out Action1 for playing up a single meeting to get press and continued interest in their business. This move and the resulting counter-move bring into question other failed cybersecurity acquisitions over the last few years. It’s impossible to say exactly what happened when a he-said, she-said situation like this occurs, but it certainly raises doubt in one’s mind about so many other times this movie has played out.

Microsoft To Hold Cybersecurity Summit

Microsoft to host cybersecurity summit after CrowdStrike-induced IT outage (Reuters)
Microsoft plans September cybersecurity event to discuss changes after CrowdStrike outage (CNBC)

(Katie pick) Microsoft has announced its plan to host a cybersecurity summit in September, aiming to discuss how to improve security systems. After the faulty update that caused a global IT outage affecting 8.5 million devices, it seems like an intelligent move—though one might wonder why it took this Microsoft gaff to make it happen. It also begs the question of whether Microsoft will finally take steps following the summit to improve its own security program and commercial technology offerings, which are the frequent targets of (successful) attacks.

CrowdStrike has indicated their involvement, which will be critical, given the widespread impact of the outage on the company’s huge install base. With billions in market value lost and legal claims piling up, there’s a lot on the line. Here’s hoping this summit leads to real solutions rather than just more talk.

Security Isn’t OPTIONAL - DOJ Has Said SO!

DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts (Cyberscoop)

(Katie pick) It looks like Georgia Tech is in hot water with the Justice Department, and it's not for flunking an exam. Instead, the DOJ is pulling out the big guns by suing the university for allegedly skimping on some pretty important cybersecurity homework tied to Pentagon contracts.

The DOJ is dusting off the Civil War-era “False Claims Act” to advance this case, suggesting that the cybersecurity lapses at Georgia Tech's Astrolavos Lab were more "bug" than "feature." Apparently, not installing anti-malware software and submitting a questionable cybersecurity assessment score didn’t earn them any gold stars from the Pentagon.

For its part, Georgia Tech argues that the government was fully aware of its research's nature and that no classified information was ever at risk. According to Georgia Tech spokespeople, this case is more about miscommunication than malfeasance. It looks like we’ll have to wait and see how this one plays out over time!

Share

Neo Eats a Cookie

For story #5 this week, I bring you a simple meme. I have been a huge fan of The Matrix since it first came out. I saw every one of them on release day in the theaters, and I have even tried to force them onto my children as some of the best movies in history (yes, I failed). I’ve even gone so far as to break down as much of each movie as I can from a technical perspective trying to find the hidden computer science and hacker references in the films. That being said - it was this week when I saw this meme and nearly spit out of my morning coffee. Now I have to go back and watch them all over again just in case I missed something else.

Quick Hits and Hidden Gems

• Tech Layoffs Reach 132,000 8 Months Into 2024 (PYMTNS) - This has to be close to the bottom.. right? Please, someone, say it’s going to get better soon.

• Cybersecurity tool sprawl is out of control – and it’s only going to get worse (SiliconAngle) - This article almost made the top 5. The author does a great job breaking down the state of tool sprawl in modern enterprises.

• CrowdStrike unhappy with “shady commentary” from competitors after outage (ARS Technica) - More pissing match drama. SentinelOne, PAN, and Crowdstrike are all going after each other like kindergarteners fighting for the one open swing.

• Five Thoughts From DefCon (Frank Wang) - I was recently having similar thoughts about going back to my technical roots, and Frank’s write-up expresses my thoughts very well. Thanks for the piece, Frank!

• Cyber optimist manifesto: why we have reasons to be optimistic about the future of cybersecurity (Venture In Security) - We could all use a dose of optimism right about now. Here’s what’s GOOD in cybersecurity today.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

In this issue of The Cyber Why newsletter, we surface the “3 Billion People” hack that “may not be” at National Public Data, Tyler’s views on hitting the bottom of the VC investment cycle (tl;dr it’s up from here), the White House spends a whopping $11M on open source supply chain security (that’s all?!), measuring security debt as a new paradigm for understanding risk, and last but not least, what happens when a Tesla Cybertruck ends up in the hands of a Chechen Warlord (oh my!). All this and more in this week’s The Cyber Why!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

A US-Wide Compromise That May Not Be Real

Inside the "3 Billion People" National Public Data Breach (Troy Hunt)

Is it real? The “billions of compromised accounts” question. A massive data breach involving National Public Data (NPD) has sent shockwaves through the internet, but the true extent and legitimacy of the leaked information remains a mystery.

Initially, hackers claimed to have stolen data on nearly 3 billion people, including sensitive information like Social Security numbers. However, as more details emerge, a complex puzzle forms. Different batches of data appeared online, varying in size and content. Some information seemed accurate, while other parts appeared to be random or even fabricated. As outlined by blog author Troy Hunt, the challenge lies in determining which data is genuine and which is simply noise added to create confusion. With conflicting reports and a lack of transparency from those involved, unraveling the truth about this breach is proving to be an arduous task. Thanks, Troy, for tracking this one down and providing a life preserver in a murky pond.

Venture Bottom or Death Spiral?

VC Fund Performance: Q1 2024 (Carta Report)

In an article posted on August 16th, the Carta data research team noted that venture capitalists are having a rough go of it. With interest rates soaring and IPOs as scarce as a meth head’s teeth, money managers are in dire need of returns. Based on a view into over 1,803 venture funds, Carta's latest report paints a really tough picture. Funds from 2022 have deployed only 43% of their cash after two years, the slowest pace ever. And don't even get started on returns – less than 10% of 2021 funds have seen a dime back from their investments after three years.

If you think things are bad for VCs, wait until you hear about the businesses they are funding. The data on graduation rates is downright depressing. Fewer and fewer seed-stage companies are making it to Series A, suggesting a sad outlook for many new ventures. Are we simply at the bottom of a venture down cycle, or should we be worried about something more drastic occurring? In my opinion, we should see a positive bounce over the next few vintages. Fingers crossed!

Subscribe now

A Whole $11M for Open Source Security in Critical Infrastructure?!?!

White House details $11M plan to help secure open source (Cybersecurity Dive)

(Katie Pick) Last week during DEFCON 32, National Cyber Director Harry Coker Jr. revealed a plan by the White House and Department of Homeland Security (DHS) that will focus on helping secure open source software used in operational technology. Coker shared that the plan is to invest $11M USD in a program they’re calling the “Open Source Software Prevalence Initiative.”

Now, on the one hand, this is great! Any time initiatives like this come down from the top, it’s a signal to public and private organizations that it’s time to step up their game. In the case of open source — or open source-based — software, it’s past time. The threat surface is enormous. According to various sources, attacks on software, particularly those targeting the software supply chain, have increased by 300-400% in the last three years. Driven by increased reliance on open source codebases and the complexity of modern software development, there are no signs of these attacks slowing down. Given that critical infrastructure (CI) increasingly relies on traditional software (versus purpose-built, air-gapped components), the sector is at least as vulnerable to software and supply chain attack as any other industry (i.e., very high risk) or likely higher, given the impact of a CI compromise.

On the other hand, what does it say that the government is offering less than most seed rounds for organizations to make substantive changes in software development and open source security? Though this isn’t the only initiative or government-supplied help organizations can get in this realm, it feels a little like offering a single nail to fix a leaky bucket.

Security Debt - A Metric NOW With Meaning

Contextual Vulnerability Management With Security Risk As Debt (Ari Kalfus and Tim Lisko)

Vulnerability management has existed since the birth of cybersecurity as an industry. As new vulnerabilities are discovered, enterprises have to determine if they are affected and then remediate those issues programmatically. Over the years, things have gotten way more complicated than simply fixing issues when they arise. The growth in the number of CVEs discovered each year has become overwhelming. To make matters worse, security teams have no way to properly prioritize the fixes without severely impacting the output of the business as a whole.

Enterprise security groups need a better way to create urgency for remediation within their engineering and development teams without being perceived as the group slowing down business. Enter the concept of “security debt.” Much like financial or technical debt, security debt can be measured by adding context to the decision tree for recommended remediation time and then adding a time element (let’s call this “security interest”) to the equation so that the longer issues remain, the more security debt is accumulated. DigitalOcean security leaders Ari Kalfus and Tim Lisko wrote a very interesting blog post outlining how they are working towards implementing a security debt metric at their firm. It’s a fantastic read, and I love the innovation around metrics. We can adapt this type of math to many more fields, and I look forward to seeing how this grows over time.

Share

A Cybertruck War Machine Is A BAD Idea

Ecstatic warlord mounts machine gun on Cybertruck, invites Musk to visit after hailing billionaire’s ‘genius’ (NY Post)

A Chechen warlord, Ramzan Kadyrov, has acquired a Tesla Cybertruck and mounted it with a massive machine gun on the back. Please try to ignore any discussion or implication to the actual conflict in Ukraine and give this video a watch simply for the stupidity that is a Cybertruck with a machine gun. There are TONS of Cybertruck fails on YouTube and after you watch this video, go check out this one that features an old-school pickup truck saving the day when a cybertruck gets STUCK!

Quick Hits and Hidden Gems

• Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes (Wired) - Sam Kamkar of MySpace Worm fame resurfaces a legend from the 90s and brings it to life! I’ve been “hearing this for decades.” Now it’s real.

• Meet AI Goat: The First Open Source AI Security Learning Environment Based on the OWASP Top 10 ML Risks (Orca Security) - An exciting environment for learning about AI security. While I like education, I’m more interested in the “how” to secure it problem.

• Fuzzing Bests Formal Verification (Dan Guido) - Super technical yet awesome. I guess my formal methods courses really were an annoying waste of time! Long Live “ZED!”

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why, we bring you a new record for a single ransomware amount, worry about Crowdstrike’s future potential legal woes, update you on the cyber M&A landscape, watch as Ferrari brakes hard on Deepfake scams, and last and certainly least, we bring you the CyberCasket - Tesla Tech Bros REJOICE!

Get the most from your security team’s email alert budget

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view.

Free up more of your alert budget so your team can spend it on what really matters. See how much time you can give back to your security team with Material.

Visit Material Security

Angels or Demons - A Ransomware Record

Record-Breaking $75 Million Ransom Paid To Dark Angels Gang (Forbes)

Well, well, well. The Dark Angels gang just hit the jackpot, raking in a whopping $75 million, a new record for a single ransomware amount. This eye-watering sum smashes the previous record of $40 million paid by CNA Financial in 2021. Apparently, these "angels" are more like demons, targeting a select few high-value organizations and making off with 10-100 terabytes of data. Talk about going big or going home!

Meanwhile, global ransomware attacks are up 18% year-on-year, with the US getting hammered 93% more than last year. Manufacturing is taking it on the chin, suffering more than twice as many attacks as healthcare and technology combined. But hey, at least we have "Ransomware Awareness Month" to save us! Because nothing says "effective cybersecurity" like a gimmicky PR campaign, right? Maybe instead of awareness months, companies should try being aware every day and patch their damn systems before the Dark Angels come knocking.

CrowdStrike’s Legal Woes Are Just Beginning

Delta CEO Says CrowdStrike Tech Outage Cost It $500 Million (WSJ)
Delta CEO: ‘When was the last time you heard of a big outage at Apple?’ (The Verge)
CrowdStrike Is Now Being Sued By Investors (Forbes)

(Rick Pick) It’s been a rough two weeks for CrowdStrike and its customers. This week, we saw legal responses to the incident emerge. First, Delta's CEO came out swinging. He claimed that the outage would cost Delta Airlines $500 million and that they would seek legal damages from both CrowdStrike and Microsoft. Delta took longer to recover than any other airline. Additionally, the Plymouth County Retirement Association pension fund filed a class action lawsuit (PDF) in Texas. The lawsuit claims that CrowdStrike:

"... repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was “validated, tested, and certified.” This complaint alleges that these statements were false and misleading..."

I’m not a lawyer and don’t play one on TV, so I won’t wade into waters over my head, but I can say that these cases, along with others that will follow, are a costly distraction for a company that must regain the trust of its customers. These cases won’t be resolved quickly, so this embarrassing outage will continue to periodically make its way into the headlines. I’m interested in reading upcoming SEC Form 8-K filings to see how the outage has impacted other public companies.

Cybersecurity Acquisitions Drop Dramatically…or Have They?

Security Week Analysis: 178 Cybersecurity M&A Deals Announced in First Half of 2024 (Security Week)

(Katie Pick) Eduard Kovacs is up to his always-excellent analysis of the cybersecurity market. In this piece, published on July 29, 2024, Kovacs shares data about cybersecurity M&A activity in the first half of 2024. He specifically shares that the number of deals has dropped dramatically — ~75% since H2 2021 and 17% since H1 2023.

According to the analysis, Europe's companies are the hardest hit, while M&A for companies in Australia, Canada, Germany, and Israel has stayed relatively steady.

What’s interesting about the analysis, however, is that while the total number of deals has shrunk, the valuations of acquired companies have expanded. Specifically, six deals were valued at over $1B USD. Kovacs writes, “It’s worth pointing out that the number of deals exceeding $1 billion is already the same as in the entire year of 2023.”

We’ll have to watch the trends over the next few quarters, but if deal sizes continue to increase, we're either seeing overvaluation (again) in the cybersecurity market or a reshaping of the market. A reshaping could mean more small companies get scooped up for big bucks or squashed by the larger players before they even have a chance to get there.

Ferrari Slams The Brakes On AI Deepfake Scam

‘I Need to Identify You': How One Question Saved Ferrari From a Deepfake Scam (Bloomberg)
Ferrari CEO Impersonated by AI in Deepfake Scam Attempt (Yahoo)
Ferrari Thwarted an AI Deepfake Scammer Posing as Its CEO With an Age-Old Trick (The Drive)

(Rick Pick) The deepfake problem is accelerating. Earlier this year, a Hong Kong finance worker got taken for a $25 million joyride after joining a multi-person video conference with fake participants. This week, Ferrari was in the crosshairs. A deepfake scammer reached out to a Ferrari executive via WhatsApp but was thwarted when the executive asked a question only Ferrari’s CEO could answer. The bar for creating deepfakes is getting lower. Security Awareness Training has become a compliance checkbox punchline, but performing targeted deepfake training for executives is something that defenders need to do. If you are at Summer Camp in Vegas next week, the DEF CON AI Village will have a Deepfake Demo lab. DARPA will even have a deep fake analysis system there. I’ll be there too, so say hi if you are around!

Share

Tech Bros Rejoice - The CyberCasket Is Launched

The CyberCasket (Titan Casket)

Starting today, if you kick the bucket, you won’t have to give up that Tesla vibe; instead, get yourself a HyperCasket (aka CyberCasket). With a recessed latch similar to Tesla doors, vegan leather (what is vegan leather anyway?), and a 12-gauge stainless steel exterior to match your cybertruck, you can now rest in peace in an amazing CyberCasket. Don’t forget to purchase the optional seatbelt and self-burying technology (no lie, these are on the ordering form.) For only $9,999 (add-ons not included), you, too, can spend the rest of eternity in Elon Musk’s good graces! Here’s a copy of one of the user reviews from their site:

I passed away 2 months ago and decided to go with the CyberCasket. Let me tell you it's the BEST PURCHASE EVER! I decided to upgrade to the self-burying model as I didn't want to pay an opening and closing fee at the cemetery. I would recommend purchasing the seatbelt as well as the ride tends to be a bit bumpy, I did fall out of the casket once. The Wi-Fi cuts in and out at times and makes it a bit difficult to post my daily TikTok's but other than that this is a great product, if I were to die a second time, I would definitely purchase this product again with the seat belt added! → link to actual review

Quick Hits and Hidden Gems

• How New-Age Hackers Are Ditching Old Ethics (Dark Reading) - Times have certainly changed. When I was a “hacker,” web defacements were about as bad as we got. For-profit never even hit our radar. Today the ethics are out the window as younger attackers gun straight for the profits.

• Monoculture Hype (Marcus J. Ranum) - Marcus Ranum, cyber security luminary and inventor of many cyber concepts and technologies wrote a 2003 retort to the monoculture paper by Geer et al. that we discussed in last week’s The Cyber Why here. It’s short, but I’m glad I found it, as it’s an interesting counterpoint to the original piece. I wonder how Marcus perceives the issues after the Crowdstrike debacle.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why, we bring you a phenomenal cyber market research report from , discuss a unique remote work inside threat model, flashback to 2003 and learn about concentration risk and homogeneity, debate the WHY behind the G-Wiz break up, and for story number five, Southwest Airlines can dodge bullets. All this and more in this week’s TCW!

Get the most from your security team’s email alert budget

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view. 

Visit Material Security

More Evidence of Market Consolidation

WTF is Cloud Application Detection Response (Latio Tech James Berthoty)

I rarely read a report, especially one from an independent analyst, that nails a future prediction so directly on the head that you can’t help but know they are right. This piece by from Latio Tech is absolutely amazing. In addition to nailing the technical requirements for a product roll-up in application and cloud detection and response, he also manages to go from 7+ acronyms down to just one (THANK GOD!)

This report makes a very strong case that the following seven cyber markets should be rolled up into something more significant. They constitute a group of features and isolated products today and shouldn’t over the long term.

1. Application Detection Response (ADR)

2. Cloud Detection Response (CDR)

3. Kubernetes Detection Response (KDR)

4. Cloud Workload Protection Platform (CWPP)

5. Cloud Native Application Protection Platform (CNAPP)

6. Continuous Threat Exposure Management (CTEM)

7. API Security

As an industry, cybersecurity builds too many point products and not nearly enough groupings of features that make singular, powerful solutions. Cybersecurity has only existed for about 30 years (give or take). When an industry is young, solving very pointed problems and selling products that help customers solve unique issues makes sense. It’s a time of rapid innovation and expansion of new ideas. As markets mature, they group smaller, feature-sized products into platforms that deliver outsized value. Eventually, highly mature markets will consolidate into three dominant market participants.

We have entered the start of an era where cybersecurity must come to terms with a decrease in product counts and a simultaneous increase in customer value. The next decade of cybersecurity is going to be fun to watch as vendors broaden their technologies by acquisition and adjacent market consolidation.

The Hermit Kingdom Makes Headlines

North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (DOJ)
North Korean hacking group makes waves to gain Mandiant, FBI spotlight (Cyberscoop)
Incident Report Summary: Insider Threat (Knowbe4)
APT45: North Korea’s Digital Military Machine (Mandiant)

(Rick Pick) North Korea made headlines this week via a couple of stories. First, the Security Awareness Training company Knowbe4 released a blog discussing how they hired a remote software engineer who turned out to be a North Korean insider threat. The threat actor was a "real person using a valid but stolen US-based identity." Kudos to Knowbe4 for releasing this blog.

Next up, the Department of Justice indicted a North Korean, Rim Jong Hyok, for "his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers." North Korea has long funded its regime through cybercrime, and this case is another potential example. Hyok is a member of the threat actor group APT45. Mandiant also released a deep dive on the group here.

Editors Note: It’s crazy to me how easy it is to get an inside threat into US-based enterprises. This risk has only increased with the rise of remote work. This type of threat is real and very difficult to discover. Be vigilant out there, people! BTW: TIL what the Hermit Kingdom is!

CyberInsecurity: The Cost of Monopoly

What the Crowdstrike outage means for the security industry? (Frankly Speaking)
CyberInsecurity: The Cost of Monopoly (Dan Geer and others)

By now, everyone has heard of the global IT outage caused by a software update issued by the cyber security vendor Crowdstrike. The cyber and IT social media universe has been abuzz discussing how it happened, how to fix the issue so it doesn’t happen again, and what the long-term impact on the business world will be.

On the back of the fallout, the main concern that comes to my mind is not about hacks, updates, or technology failure - instead, it is the concept of homogeneity. When a system that contains a given level of risk is deployed uniformly throughout an entire section of space, the risk to that space increases. To state it in a “less nerdy” way, the risk of issue or compromise grows if you deploy the same software everywhere. Attackers love concentration risk. It gives them a higher level of potential compromise with less effort.

The Crowdstrike issue was exacerbated by concentration risk because, as of January 31, 2023, CrowdStrike had 23,019 subscription customers, a 41% increase year over year. They analyze over 30 billion endpoint events daily from millions of sensors across 176 countries. That’s a MASSIVE deployment size and a MASSIVE concentration risk. High concentration risk plus an automatic update system make for a perfect path to MASSIVE damage.

This problem reminds me of the 2003 paper written by Dan Geer et al. entitled “CyberInsecurity: The Cost of Monopoly.” I remember the time vividly as I was working with Dan at @stake when he published the paper for which he was famously fired. Looking back, it seems like he was right; he just had the wrong company in his line of sight. This seminal paper is a must-read. Go check it out!

Security Theater Continues with Wiz Rejecting Google Offer

Google Talks to Acquire Cybersecurity Startup Wiz Fall Apart (Wall Street Journal)
Google Talks to Buy Wiz for $23B Reportedly End (Bloomberg)
Wiz Rejects Google’s $23 Billion Offer, Seeks IPO Instead (FOO)

(Katie pick) By now, you’ve definitely heard the news: Wiz walked away from a $23 billion dollar acquisition offer from Alphabet (Google’s parent company) to focus on preparing for an IPO instead. The initial announcement about the intent to acquire shocked the security community, both because of the sheer financials thrown around in media publications and because the deal, had it gone through, would have drastically changed the cloud vendor security landscape.

This was never a typical acquisition proposal, so the “ifs” were abundant.

But what I find most interesting is the timing of the offer and the decline. Few founders would reject the kind of money offered. Even with all the funding raised ($1.9B USD to date), the multiples were off the charts, especially for a four-year-old company. But to reject that kind of deal so quickly indicates to me that some sort of security theater may have been at play. In other words, Wiz might never have had any intention of selling. The founders have been bullish on this topic from the start — their goal is to become the biggest security company of all time. So why allow the media to get into a frenzy? Why even let it get to the media if the Wiz team had already decided to stay solo?

The short answer: Press and media attention. Market attention. All right before filing for IPO. I suppose it’s no different than an NFL coach hyping up his team right before the “Big Game.” But is this what we need in cybersecurity? Wouldn’t it just be better to build products that are really really really good and save the drama for the Kardashians?

Editors Note: Do you think it was security theater or was Google or Wiz spooked by some other reason? Comments below…

Share

Southwest Airlines - Dodging Bullets, Baby!

A Windows version from 1992 is saving Southwest’s butt right now (Yahoo)

If this is true (it may not be), it’s absolutely NUTS. Southwest is the only airline that didn’t go down or suffered significant issues during the Crowdstrike debacle last week, and the reason is… get this… they still use Windows 95 and 3.11? I am not sure I believe the story, which is why I put it in as Story #5 this week, but if it’s true, they have a lot of work to do. Here’s a pick of Southwest Airlines when they learned they had dodged a bullet. (HT SuttonimpaQT)

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

Email security that protects from the outside in and inside out

There’s more than one way in to exploit email as an attack vector. Plus, even more to target once inside the mailbox. Material Security takes a holistic approach to email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.

Visit material.security to learn more about their multi-layered detection and response toolkit for email.

Visit Material.Security

When Ego Takes Over - Criminals Fall

Notorious Hacker Kingpin ‘Tank’ Is Finally Going to Prison (WIRED)

I’m a sucker for the “Hacker Kingping” going to jail story. We have reported on a number of them over the last year and a half, including early details on this particular arrest, and I still find them absolutely intriguing. What would make a person go down a path of crime that is so heinous and despicable? People think the answer lies in greed and money, but if you read between the lines, you often find that the real reason most of these disgusting people do what they do is ego.

Vyacheslav Penchukov, a Russian national, was the mastermind behind the Zeus malware operation. He orchestrated the creation and distribution of malware that infected millions of computers worldwide. Penchukov aimed to steal banking information and commit financial fraud, generating substantial illegal profits. He was involved from November 2018 to at least February 2021, officials say. Investigators found he kept a spreadsheet detailing his $19.9 million income in 2021 alone.

That’s pure ego - nothing more. I, for one, am glad to see this guy going away for such a long time. Enjoy your time in jail, Vyacheslav; I don’t think DJs are needed very often on the inside.

Auto Dealers Back Online - I’m Left With Questions

How did the auto dealer outage end? CDK almost certainly paid a $25 million ransom (CNN)

There’s a lot to unpack in this story. According to the article on CNN, auto dealership software company CDK Global appears to have paid a $25M ransom to get their systems and dealer networks back online. On June 21st, a roughly $25M crypto payment was tracked as delivered to what is believed to be the ransomware group “BlackSuit,” but neither the sender nor the target of the money can be confirmed at this time. As I read the article, I was left with three questions that maybe my readers can help me with:

1. How do companies actually go about PAYING a ransom like this? I can’t imagine that CDK Global had the technical chops in-house to figure out how to pay $25M in crypto to get their systems back online — they most likely had to have used a third-party service to deliver the payment. Who offers this type of service, and how much money do THEY make on the deal?! Wow, this is most definitely a morally grey area product offering.

2. $25M is a LOT of money. My initial concern was how does a global auto dealership software vertical SaaS offering like CDK Global have $25M lying around. Apparently, they are much larger than I thought! CDK Global was acquired in April 2022 for over $8B, and the parent holding company, Brookfield Business Partners, is MASSIVE. But what if they DIDN’T have it available - where do they go to get the money (gov? insurance?), and if they can’t get it liquid, do they just POOF out of business?

3. With over $1.1B in ransomware payments occurring last year, how concerned are we that this will grow in the future? I’ve seen tons of different incentive structures for hackers over the last 20+ years but this one shares the SHIT outta me. This is HUGE money, and I don’t see how attackers will ever move off of this approach if they can extort such massive financial windfalls. I only see this getting worse in the next year or two. What are your thoughts - can we limit ransomware? If so, how, when, and what will finally help us lower the risk?

Stolen Legos Worth Over $200K Recovered

Oregon police recover over $200,000 worth of Lego sets in massive bust (NBC News)

Legos are a big deal. I’ve always been a fan of Lego. Since I was a little kid and got my first set, I have collected, assembled, and destroyed more Lego objects than I care to admit. What I never really understood is the collectible nature of the damn things. I mean, all they are is bricks and a book that tells you how to put them all together. So simple.. yet so amazing. Apparently, Lego has turned into a big business, and these criminals figured it out. Throughout a three-month investigation, Oregon police built a case against a store owner who had been “knowingly purchasing stolen sets” of Lego. The total value of the recovered Lego sets was over $200K. I should have kept all those bins from back in the day… instead, they are in the local dump alongside my baseball cards and old Beanie Babies. C’est la vie!

SaaS Must Adapt To Survive

AI Pricing Strategies for SaaS Companies Offering Copilots (Tomasz Tunguz)
No SaaS! How AI Agents Will Change Software Pricing (Tomasz Tunguz)
Avenir x SaaS - What’s Gone Wrong in Software and Why We’re Optimistic (Avenir)
SaaS: Have reports of my death been greatly exaggerated? (Next Big Teng)

Warning - This is a LONG ONE.. I went full nerd on this post.

Lately, I’ve been pondering the idea that we may have seen the height of the software-as-a-service (SaaS) approach to business and are facing the next wave of foundational change. How will AI impact business, and in particular, will SaaS as an offering die over time?

The research conducted by Avenir in their slide deck entitled “What’s Gone Wrong in Software and Why We’re Optimistic” examines the impact of COVID on SaaS solutions, positing that the pandemic has catapulted SaaS business models straight through adolescence and directly into maturity. We’re seeing this in nearly all metrics around high-growth software-based companies in this cohort. Revenue growth has slowed, and by force, these companies must become more efficient in order to maintain any level of foundational financial success. The best quote in the article is, “What management teams have referred to as “tough macro” is likely a “new normal.”

Prediction: SaaS is already mature and has long passed its days as a growth investment.

Two new posts from Tomasz Tunguz expand on the concept, detailing how AI agents will change pricing models in the software business. According to Tomasz, AI agents are 2.5x-3x more efficient than human counterparts, yet we are only charging an uplift of, on average, 70% against non-AI, traditionally seat-based SaaS solutions today. There is room for price increases, and SaaS companies will likely hop on this trend over the next few years. It’s why we’re seeing so much vendor-side investment in AI and copilots - there is a ton of upside if they can increase margins and add AI-based feature sets for their customers to consume.

Prediction: AI will increase prices for tools and technology to run our businesses, matching an offset in human resource requirements.

If companies rationally attempt to solve their SaaS efficiency problems by removing human resources and replacing them with AI-based automation, the result will be a massive increase in AI-based demand and a new wave of business fundamentals away from SaaS and into SaaS-enabled AI agent-driven automation. This will change how we tactically operate day to day, how we are charged for our products and services, and how businesses manage themselves to meet the new market needs.

Prediction: Over time, SaaS decreases in value in favor of AI-based systems potentially delivered in a SaaS model, but more likely via some type of new interface will overtake the SaaS UI.

AI will drastically change how software is written, consumed, and charged for and, in time, completely rewrite how software businesses are run. Just as software was a massive paradigm shift that took a decade or more to understand, AI is on the same trajectory. I know this was a nerdy post, but thanks for bearing with me. I encourage you to read all three pieces and clap back at me with healthy debate and discussion. See you in the comments!

Share

These Shoes Were Made For (VR) Walking!

Freeaim VR Shoes (Freeaim)

For our Story #5 this week, we bring you - Freeaim VR Shoes! If you don’t want to overpay for a VR-enabled treadmill designed to allow you to walk in virtual worlds, you can instead spring for brand-new virtual reality shoes! They may not look like the latest Jordans, but they are just as much of a waste of money. These shoes are designed to connect with your VR system to provide you with a fully immersive ability to walk around and not actually GO ANYWHERE! They aren’t cheap either - the current dev kit is $4999, and they hope to have the final retail version available for around $1000 USD. Just a word of caution: the “Swivel Caster Frame” is not included, and they have yet to figure out how to allow you to walk backward. Buyer beware!

Quick Hits and Hidden Gems

• Barcelona anti-tourism protesters fire water pistols at visitors (CNN) - First, it won’t work. Second, it’s just stupid. Why are you bothering them?

• AT&T says hacker stole some data from 'nearly all' wireless customers (ABC News) - They stole all the things.. ALL OF EM! Yet another massive breach.

• Ticketmaster finally notifies customers, omits important details (Cybernews) - We knew about this one for a while. More massive breaches going down.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have a few 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

Marc Andreessen and the History of Netscape

The true story -- as best I can remember -- of the origin of Mosaic and Netscape (Marc Andreessen Substack)

I’m a sucker for historical content. I love documentaries, historical data analysis, and learning about the past to help us with the future. I specifically remember the first time I saw a “web browser”. It was the Mosaic browser on a Sun SPARC Station in 1993. I was freshman at the Rochester Institute of Technology and one of my classmates loaded up Mosaic to introduce me to the “World Wide Web”. I was simultaneously amazed and bored. It was super cool to have interesting data at your fingers tips yet a total waste of time because it was impossible to find anything of real value (this was pre search engines). Essentially it felt a lot like ChatGPT does today! If you are into the history of the Internet, check out this great content on the “true story of the origin of Mosaic and Netscape.”

Marc Andreessen Substack

The true story -- as best I can remember -- of the origin of Mosaic and Netscape.

Listen now

2 years ago · Marc Andreessen

Go To Market in Cyber is Just DIFFERENT!

Cybersecurity technology adoption cycle and its implications for startups and security teams (Venture In Security)

Another excellent article from from . This time with the help of , Ross breaks down the cybersecurity adoption cycle and how it is reversed from the more common model as seen in non-cyber markets. Ross and Kane are right on with their analysis, specifically helping security teams understand how the dynamics of emerging technologies should work in their organization and what it really takes to be a design partner of innovative companies and technologies. They take a very buyer-centric view into the adoption cycle giving direct guidance on how security teams can mature over time.

I have seen this model from the other side of the coin for over a two decades. As an early go to market executive at both Signal Sciences and JupiterOne, I saw the vendor side of their framework play out. Early adopters of both companies were the highly mature security programs that had security engineering teams and the ability to take raw technology and mold it to their requirements. As the products we were building became more feature complete we were able to move downward to the design partner and early adopter segments of the curve. Generally this meant breaking open the finance and banking verticals. Finally, the hardest group to sell to was what I called the “mass buyer.” This buyer was almost always way less advanced in their cyber program and needed a specific set of features to make the technology usable to their low resourced and limited skill sets teams.

This is a great article to read and comprehend for both cybersecurity buyers as well as those companies looking to build a go to market engine.

Could Generative AI Break Reality - YES!

Google Says AI Could Break Reality (404 Media)
Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data (ARXIV.org)

A new paper written by a combination of research team members from Google’s multiple labs reviewed over 200 incidents of genAI misuse between January 2023 and March of 2024. The results of the research indicate that the majority of attacks against generative AI are not technically “hacks” of the system itself, but instead are much more focused on abusing the features that exist for malicious behavior or alternative methods of reward. The analysis shows that the prevalence of misuse tactics center on impersonation, scaling and amplification of malicious content, falsification of data, and sockpuppeting. The team at 404 Media did a great job breaking down where the gaps exist in the research (small n, classification issues, etc) but at the end of the day they (and I) are fairly confident that the recommendations and findings are directionally accurate. If these types of attacks continue to propagate unabated, the concept of what “reality really is” can indeed morph, or at least be skewed, in order to achieve the attackers intent. It’s not about attacking the LLM, or input injection, or poisoning the AI data set - it’s really about abusing the general input and output content in enough volume to make an alternative reality become the norm. How’s that for some real matrix style shit!

Cloudflare Shoots Across the Bow of AI Crawlers

Cloudflare goes to war with Microsoft, Google, and OpenAI's bots, with blanket free tools to block all crawlers (Windows Central)

Keeping with the theme of “independence,” Cloudflare just released a free tool to help content creators declare “AIdependence.” (OK, first of all the pun doesn’t even make sense. It was definitely forced.. #fail++.) The technology launch comes on the back of the Microsoft AI chief last week saying that “public content on the open web is freeeware.” In response, Cloudflare created new features that allow customers, even those on the free tier, to block their content from all AI crawlers and bots.

I’m struggling with this concept. As a content creator myself, isn’t the whole point of writing to have a human being consume the output? In the new world, driven by AI systems, the concept of readers doing traditional Google searches for your content will fade away. Instead of going direct to the source pages readers will consume the bulk of their content from some type of aggregation algorithm that is AI derived. It’s already happening with short form video content via the TikTok and YouTube short systems. As an author, if I want my writing to continue to be discovered I have to let the search systems of the 21st century (AI system crawlers) find my content. Isn’t this somewhat like telling Google to not index your content back in 1999. It may have felt like the right thing to do at the time but the end result would have been your content never being consumed by an audience. I believe this is what will happen here.

Share

Check it out - I didn’t spill a DROP!

Mark Zuckerberg's Lake Tahoe antics are getting even weirder (SFGate.com)

To end this edition of The Cyber Why newsletter here’s something completely unexpected. The all powerful Zuck decided it would be social media worthy to don a tuxedo and an American flag and go wake boarding to the best 4th of July song in history - Born in the USA. This is a very high scoring frat boy activity. Zuck only lost points because he clearly didn’t properly utter the words “Hold my beer!” before he hopped on the board. Hats off to you Zuck - may all of your beers be a banquet!

@dailymailMark Zuckerberg went all out for July 4th, wakeboarding in a tuxedo while drinking a beer and waving an American flag. 🦅 #fourthofjuly #independenceday #markzuckerberg #july4 #happy4thofjuly #4dejulio

Tiktok failed to load.

Enable 3rd party cookies or use another browser

Quick Hits and Hidden Gems

• Gymnastics is the Turing test of video generation models (@deedydas) - This could have easily been a story #5. Apparently Gemini classifies this as sexual explicit material as well!

• AI startup Abnormal Security is set to be valued at $5 billion in new funding round, sources say (Business Insider) - That’s a LOT of cheddar. The pace of that treadmill just jumped another few miles per hour. Keep running hard Abnormal!

• 6 Things To Know About Getting Acquired: The Good, The Bad, The Somewhat Ugly (Jason M. Lemkin) - I have been giving similar tips to founders for years. These are things many first time founders don’t know about M&A.

• A Eulogy for DevOps (Mathew Duggan) - An interesting tear down of DevOps explaining why it was doomed to fail from the get go. Comment below!

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Now on to this week’s TCW! This week we cover quant vs. human based venture investing, the polarizing story of Jacob Appelbaum, polyfill or poly-fluff?, nation state false flags, and for story #5 McDonald’s AI ordering SNAFU!

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have a few 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

Quant vs. Human Based VC - Math vs. Intuition

Can We Fully Automate Startup Investing? (Data Driven VC)

Venture investing today is, operationally, drastically different depending on the stage, focus, fund size, and type of investing that you are doing. In the early stages of venture investing there is very little data to go on, making team and idea the predominant factors on which decisions are made. As you progress into later stage investing with companies who have been around a while and have sufficient metrics to analyze, venture investing becomes much more quantifiable. The question that remains is can we apply more quant techniques earlier in the target company lifecycle to make even more data driven decisions in the angel, seed, and pre-seed rounds. Data Driven VC author, Andre Retterath believes the early stage end state will be a blending of quant and human decision making processes which is a cop out if you ask me. If you are an investor, leave your comments below on which methodology will come to dominate early stage over time.

Handcraft / Traditional VC: A shrinking group of senior, gray-hair industry veterans, characterized by a strong belief that VC is more art than science and that the best deals will always be sourced through their proprietary personal networks. Moreover, they are rarely aware of their biases (recency, similarity, confirmation, over-simplification, etc.) when making decisions and tend to overestimate their position based on their firm and personal brands as well as their (oftentimes impressive) investment track records.

Augmented VC: Combining the best of both worlds, where machines collect, process and contextualize vast amounts of data to achieve comprehensive coverage and give direction, and where human investors focus on a select number of founders to build deep relationships and assess the soft factors based on their intuition. While data provides coverage and guidance, the human makes the final decision.

Quant VC: A new species of purebred algorithmic VCs who believe that startup investment decisions should not involve humans at all, just like in pure-play quant public funds. Just algos, no humans. Fast, clean and repeatable. These investors believe that human involvement skews the models and reduces the likelihood to generate alpha.

ioerror - The Story of a Polarizing Figure

This cyber-security activist made me afraid of surveillance culture (CBC)
Nobody Wants To Talk about Jacob Appelbaum Movie (CBC)

Jacob Appelbaum. AKA ioerror. I remember him from Defcon and Blackhat in the early to mid-2000s. He had white hair and a bit of a wild and crazy demeanor. We ran in similar circles, yet he always had something off about him. My spidey senses tingled, and I distanced myself from him quickly. At the time, I wasn’t sure what bothered me other than something wasn’t right.

I won’t use this platform to dive into his history or past—you can research that independently. The short of his story is this: He supposedly contributed to some very interesting cyber research in the mid-2000s. Behind closed doors, he was often referred to as a “hanger-on” and a “noncontributor” by the other authors of the papers. At the end of the day, none of the technical work mattered when compared to the horrible accusations and proven actions that surfaced. Eventually, he connected with Julian Assange, WikiLeaks, and the Tor Foundation, and everything went completely off the rails from there. Nobody is sure if the core of the story is one of paranoia and mental issues or, indeed, a government plot to wreck a person’s life (or maybe a bit of both.) Either way, I’m watching this movie this weekend!

The new documentary entitled “Nobody Wants To Talk About Jacob Appelbaum” by director and creator Jasmie Kastner is available free on CBC.

Polyfill or Poly-fluff?

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack (The Hacker News)
Polyfill supply chain attack embeds malware in JavaScript CDN assets (Dev.to)
Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites (Dark Reading)
Hulu, 100K+ Websites May Be Exposed to Polyfill Malware (PC Mag)

(Katie pick) Earlier this week it was reported that polyfill.io, a widely used JavaScript service, was compromised, potentially impacting 100,000+ websites. As the news rolled out, watchers speculated on whether the service’s new China-based content delivery network (CDN) company, Funnull, had anything to do with the exploit, either intentionally or unintentionally.

The timing was suspicious: Funnull took ownership of the domain; shortly thereafter, malicious code was delivered through any website using cdn.polyfill.io, redirecting users to betting and porn websites. No reports of anything more than redirects have been issued.

Curiously, Polyfill’s original creator, Andrew Betts, warned people back in February when the domain was sold to the Chinese entity. He noted that “no website today requires any of the polyfills in the polyfill.io library.”

Well, I guess some companies didn’t hear/read the statement or didn’t care. But the story doesn’t end there: As of Thursday, Namecheap.com, a domain hosting company, decided to remove polyfill.

In theory, this stops any further propagation of the attack. Time will tell.

Nation States Deploying Ransomware To Throw Defenders Off The Scent

ChamelGang APT Disguises Espionage Activities With Ransomware (Dark Reading)
Chinese State Actors Use Ransomware to Conceal Real Intent (InfoSecurity Magazine)
Cyberespionage Groups Attacking Critical Infrastructure with Ransomware (Sentinel One Labs)

(Rick pick) This week, SentinelOne's SentinelLabs released new research highlighting suspected Chinese and North Korean APT groups leveraging ransomware in their campaigns for “financial gain, disruption, distraction, misattribution, or removal of evidence.” In traditional intelligence parlance, the misattribution angle is referred to as a false flag. If you aren't a spymaster or Jason Bourne, let me help you out. The CIA defines a false flag as a:

"deliberate misrepresentation of motives or identity; an operation designed to appear as if it were conducted by someone other than the person or group responsible for it."

APT groups gain plausible deniability from conducting ransomware activity, and data exfiltration is part of the IP theft playbook. When conducting investigations, don’t make attribution assumptions. If you are in the US manufacturing sector in particular, you should read the full report and conduct threat hunting on the research findings.

Share

Bacon Ice Cream Should Be A Feature, Not An AI Misfire

Bacon ice cream and nugget overload sees misfiring McDonald's AI withdrawn (BBC)
McDonald’s to end AI drive-thru experiment after errant orders — including bacon on ice cream and $222 McNuggets bill (New York Post)

AI is everywhere, even McDonalds. About a year ago McDonalds restaurant group rolled out AI based chatbot ordering to over 100 stores nation wide. The result of the year long experiment has been colossal failure and a horrible inability to take accurate orders. Viral videos have emerged showing hundreds of dollars of chicken nuggets sneaking onto the order slip, dozens of cream and kethup packets being added to a drive through request, and even one person getting a side of bacon layered on top of her ice cream cup. What a mess up - at least learened that current AI capabilities aren’t quite ready to ask if you would like fries with that!

Quick Hits and Hidden Gems

• Neiman Marcus confirms data breach after Snowflake account hack (Bleeping Computer) - The long tail of the exposed Snowflake credentials continues.

• TeamViewer's corporate network was breached in alleged APT hack (Bleeping Computer) - Russian threat actor, APT29 is actively exploiting the popular remote access solution.

• Batten down the hatches, it's time to patch some more MOVEit bugs (The Register) - Progress Software is making headlines for all the wrong reasons, again.

• Evolve Bank Data Leaked After LockBit’s ‘Federal Reserve Hack’ (Security Week) - LockBit claimed to have 33 TB of Federal Reserve data, but so far it appears to be from an Arkansas bank.

• The 'BlackSuit' hacker behind the CDK Global attack hitting US car dealers (Reuters) - Reuters took a deeper dive into the ransomware actor behind the CDK Global outage crippling car dealerships across the country.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why Newsletter we cover a great article from on hiring for a startup vs an established org, more details emerge on Shinyhunters and Snowflake, Kaspersky banned from US operations (and photos of Tyler at a Kaspersky boondoggle), more pork on Pig Butchering style attacks, and an EPIC RANT on AI. All this and more is in this week’s TCW newsletter.

The Cyber Why POD - Now in 4k! (To be fair, it always has been in 4k and high-quality audio. We’re tech nerds like that.)

TCW Newsletter and the TCW Podcast both have a few 2024 sponsorship slots remaining! If you are interested in reaching nearly 5k security-minded people a week via direct mail plus nearly 30K views per month, sponsor The Cyber Why. It’s inexpensive - I SWEAR! Email tyler.shields@gmail.com for more information.

Startup Vs. High Growth - Same Thing, Right?

Hiring top performers from large cybersecurity vendors won't help early-stage startups grow, but it can ruin them (Venture In Security)

I want to open this week’s TCW newsletter with a top-tier piece by from . The differences between building a startup and scaling a high-growth yet larger company are massive. Forget about the learnings you get going from $50M in ARR to $200M+, the run from $0 to $10 is so different, I would argue that the knowledge you gain from one will not only slow down your efficacy in the other, but there is a very real chance that it will cause you to FAIL when making the switch. Ross does an excellent job detailing exactly why this phenomenon exists and why hiring people from your network who have experience in your growth phase is the best way to build your business. If you are a founder or entrepreneur who has hiring responsibility, this article is an absolute must-read.

Shinyhunters Reveals How They Compromised Snowflake Customers

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake (WIRED)
(Rick pick) Earlier this week, the great Kim Zetter scored a text chat interview with Shinyhunters, the threat actor that purportedly compromised Snowflake customers Ticketmaster and Santander. Shinyhunters has been on the cybercriminal scene since May of 2020 (full disclosure, link to Rick's day job), where they started selling and giving away data breaches for free. The group transitioned into extortion and continues to make headlines. The big news from the WIRED article is that there is a 4th party risk angle to these incidents. Shinyhunters claimed to have compromised EPAM Systems, a Snowflake partner. EPAM discounted Shinyhunter's allegations, saying, "It does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale." Infostealers aren't new, but they are trending, and defenders need a strategy to defend against them. Start with MFA, use passkeys, don't allow syncing personal browsers with work browsers, and set shorter session cookie timeouts. Keep threat actors from using your credentials to gain initial access.

Kaspersky Banned From US Operations

Exclusive-Biden to ban US sales of Kaspersky software over Russia ties, source says (Update)
New Government Ban on Kaspersky Would Prevent Company from Updating Malware Signatures in U.S. (Kim Zetter)
Eugene Kaspersky (Wikipedia Entry)

Russian antivirus firm Kaspersky has been banned from selling its software in the United States. In addition, they are no longer allowed to provide updates to customers that reside within the US borders. Kaspersky has skirted along the edges of the United States political system for as long as I can remember (see controversies section on Eugene Kaspersky’s Wikipedia entry here). The Department of Homeland Security even banned Kaspersky from all federal US government systems in 2017, citing multiple transgressions.

When I was a cyber researcher (long ago), Kaspersky held an annual boondoggle where they flew every big-name researcher, market analyst, influencer, and more to a remote location and held a killer cyber conference. After several years off, the event recently resurfaced and will be hosted in Bali, Indonesia, in 2024. The event has never been held in the United States - the rumor and prevailing opinion was that over half of the company couldn’t get into the country to host it here. Somehow, I managed to get invited for my mobile security research during my days as a market analyst. I had so much hair back then!

Pig Butchers Are The Worst Type Of Criminal

Killed by a scam: A father took his life after losing his savings to international criminal gangs (CNN)
(Rick pick) We have covered "pig butchers" in the past; it is a heartbreaking scheme where criminals run a long con on their victims to get them to invest in fraudulent crypto. Often, these romance scams target lonely retired folks and wipe out their life savings and dignity. A country prosecutor quoted in this CNN story said:

"I've been a prosecutor for over 25 years. I've done all kinds of different types of crime. I spent nine years in sexual assault. And I've never seen the absolute decimation of people that I've seen as a result of pig butchering."

Sadly, many of those who conduct these scams are trafficked to places in Southeast Asia against their will and forced to fleece their victims. I have some personal experience with these types of scams. Although no money was lost, a close family member of mine was actively groomed over months in an attempt to cash out. Some scams focus on crypto investment, while others seek to have money wired overseas. In 2023, the FBI Internet Crimes Complaint Center "received reports from 6,740 individuals over the age of 60 who experienced almost $357 million in losses to Confidence/Romance scams." We must educate our parents and grandparents on the predators that conduct these scams and how to protect themselves. Jason Statham’s latest film, “The Beekeeper,” has him get payback on these types of scammers. Go get ‘em JASON!

Share

Rant On My Friend! Epic Rant on AI Hype!

I Will Fucking Piledrive You If You Mention AI Again (Update)

Holy shit, what an amazing piece of literature! OK, maybe it’s not quite “literature” in the traditional sense. Still, this article had me rolling on the floor laughing at the outlandish and violently funny visualizations embedded alongside actually interesting commentary on the realities of the AI everything craze. Very rarely do I get all the way through something this long and think I didn’t waste my time. If you are interested in AI from a data scientist's view and still have a sense of humor, I highly recommend you check out this read. Here’s an amazing quote to whet your appetite:

With God as my witness, you grotesque simpleton, if you don't personally write machine learning systems and you open your mouth about AI one more time, I am going to mail you a brick and a piece of paper with a prompt injection telling you to bludgeon yourself in the face with it, then just sit back and wait for you to load it into ChatGPT because you probably can't read unassisted anymore.

Quick Hits and Hidden Gems

• Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested (Krebs on Security) - (Rick pick) Good news, a 22-year-old Scotsman has been arrested. Bad news cut off one head, two more will take its place. Hail Hydra!

• Biden to ban US sales of Kaspersky software over Russia ties (Reuters)
  (Rick pick) Biden says “нет” to Kaspersky, customers have until September 29th, to move off.

• CDK Global hacked again while recovering from first cyberattack (Bleeping Computer) - Directly affected me. I was turned away from a dealership last week!

• WTF is Cloud Detection and Response (CDR)? (Latio Tech) - James is brilliant. Check out this great work on CDR

• ADR - The Future of Runtime (Latio Tech) - ADR is different yet the same. James hits it again... PS: I’ve seen what’s coming next, and it’s AMAZING!

• What’s Changed in 50 Years of Computing: Part 3 (The Pragmatic Engineer) - If we don’t learn from our past, we are doomed to repeat it. Great read.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why, we cover the Snowflake breach that wasn’t, $1B is the new number to IPO, Fortinets acquisition and 0day failures, the Gili Ra’anan Model, and toilet stall harassment. All this and more in this week’s TCW.

Does your email security solution fit your alert budget?

Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.

Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view. 

Remediations are a breeze with Material – try it out for yourself at material.security.

Snowflake or User Error - Who is at Fault?

Who's responsible in the Snowflake breaches? (Frankly Speaking)
Hundreds of Snowflake customer passwords found online are linked to info-stealing malware (TechCrunch)
Mandiant says hackers stole a 'significant volume of data' from Snowflake customers (TechCrunch)

We talked about this two weeks ago in The Cyber Why, but I want to bring it up again through a different lens. As the news story broke, most articles pointed out that Snowflake had been hacked. What actually happened is quite different than what was originally portrayed in the media. The attack was really a compromise of Snowflake credentials by attackers who had planted info-stealing malware across the computers of employees who have access to their employer’s Snowflake environment. This was a targeted attack against Snowflake using compromised credentials and nothing more. The question left open here is, “Who is at fault?”

Many in the security community believe that both the compromised customers and Snowflake should share the blame for these massive breaches. Snowflake did not require multifactor authentication by default, leaving the end user to configure the instances securely, and the data administrators didn’t properly secure the environment when they deployed the technology. MFA was an option, but it just wasn’t enabled by default. This sounds to me like a case of buyer beware. If you don’t properly lock your front door, is your home's builder responsible when you get robbed? I don’t think so.

This isn’t a cut-and-dry answer. I’d love to hear your comments on the topic below.

Billion Dollar Bollucks - $1B ARR or BUST!

Billions: The New Significance of Billion-Dollar Scale in Cybersecurity (Strategy of Security)

In this article, Strategy of Security author Cole Gromlus identifies a very interesting set of data. Cybersecurity companies aren’t ready to IPO until they are at $1B in ARR or have a very clear path to $1B in ARR via massive growth rates on nine-figure revenue numbers. This is a really interesting piece because the author just doesn’t look at what it takes to execute a cyber IPO in today’s market. Instead, he breaks it down by revenue, valuation, financing requirements, and potential acquisition opportunities that will occur along the way. It’s an interesting expose on modern software company valuations and what it takes to succeed at this level. It’s such an insane thought to me that a company at $250M in ARR and 20% growth wouldn’t be successful in the public markets, while a $250M ARR company with 50% growth and a five-year path to $1B would flourish. The markets reward growth way more than being a healthy business, and if that means getting way out over your skis along the way, so be it. If you don’t crash and burn along the way (Laceworks), good luck sticking the landing.

FortiVulnerable? Fortinet Makes Headlines For Vulnerabilities (Again)

China's FortiGate attacks more extensive than first thought (The Register)
China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says (Ars Technica)
Ongoing state cyber espionage campaign via vulnerable edge devices (Dutch NCSC)

(Rick Pick) Fortinet grabbed headlines this week with their acquisition of cloud security provider Lacework, but that's not their biggest story. Once again, they're in the spotlight for zero-day vulnerabilities. This time, it's CVE-2022-42475, a buffer overflow vulnerability in their SSL VPN. Dutch government agencies first reported this issue in February and just released new details. They revealed that Chinese actors accessed at least 20,000 FortiGate systems worldwide in 2022 and 2023, targeting dozens of Western governments, international organizations, and many companies in the defense industry. No bueno.

I don't know about Fortinet's product security program and the efforts it makes to minimize vulnerabilities, but this is all too common now. To be fair, threat actors of all types target edge devices, but vendors know this and should go to great lengths to push out secure code. At some point, buyers will hold vendors accountable and look at alternatives. If you are a bug bounty researcher, sadly, "Fortinet does not operate a bug bounty program." Fortunately for Fortinet, ripping and replacing big iron network gear is no small feat.

The Gili Ra’anan Model

The Gili Ra’anan model: Questions emerging from Cyberstarts' remarkable success (CTech by Calcalist)

Oh boy, this article is spicy. Rumors like this have been passed around for years, and nobody has been willing to go on record publicly and tell the story. That ended yesterday…

Calcalist, sometimes referred to as a bit of a hit piece publication, has set its sights on Cyberstarts and its founder Gili Ra’anan. They didn’t pull punches, instead making accusations of abuse of conflicts of interest, directly calling out Cyberstarts business model and several CISOs for potentially shady activities. In the article, the author claims that the Cyberstarts model incentivizes enterprise CISOs to purchase products from portfolio companies. Names are named, including specific CISOs who may have purchased multiple Cyberstarts-backed company products, deploying them in major enterprises regardless of their effectiveness, need, or costs. Below is one of the most damning quotes from the article:

"I recruited a new CISO for a financial organization that I managed out of a desire to refresh the cyber defense system. I gave him a free hand because I trusted him and I see this position as a position of trust. Six months later, I noticed that, surprisingly, almost all of the new logos that the CISO introduced were portfolio companies of Cyberstarts," describes a former senior executive at a large financial institution in the U.S.

"It's not that these were necessarily bad solutions, but that some of them were a very low priority for us or solved problems that were not particularly urgent. After I confronted the CISO on the subject, he admitted that he is on the list of advisers of Cyberstarts and receives a percentage of the funds from them. Shortly after this, he left the company and immediately upon the appointment of a new CISO, I asked him to inform me if he was contacted by Cyberstarts. Within a few weeks, he had already received an email from them with a description of their kind of 'loyalty program' that details exactly what he will receive the more he works with the fund." The letter, signed by Ra'anan himself and coming from his email box, also contains a sentence that refers to the amount of future compensation: "It is difficult to predict the performance of the fund, but according to our forecast, the points you have accumulated so far are valued at X dollars. You can expect additional allocations in these funds in the coming years and in the new funds we will raise later."

NOTE: I am not accusing anyone of anything or taking sides myself. I’m simply reporting the story. Do your own analysis and come to your own conclusions.

Share

Poo-Timers and Bathroom Harassment

How long have you been in there?! A popular tourist destination in China has installed toilet timers. Reactions are mixed (CNN Travel)

For our story #5 this week, we bring you the most often heard series of words in every married male human’s life: “Are you STILL IN THERE!” In what can only be described as a shitty user experience, a popular tourist attraction in China has added stall timers to its public bathrooms. Essentially, the longer you sit in the stall, the higher your timer goes letting people know how long it takes you to do your business (or play one more game of Candy Crush). I, for one, think this is ridiculous. The last thing I need is someone telling me to get off the can while I’m on vacation to see a bunch of statues and caves in China. I get enough of that kind of harassment at home!

Quick Hits and Hidden Gems

• Some notes on influencering (Lcamtuf’s thing) - This one struck a chord. I’ve been a fan of Lcamtuf for a while now, and it’s great to hear I’m going through the same things he does.

• A PR disaster: Microsoft has lost trust with its users, and Windows Recall is the straw that broke the camel's back (Windows Central) - If Apple had launched “Recall” would it have had a positive reception? I’m guessing the answer is YES!

• TCP #49: Product News & Recall Dumpster Fire (Cybersecurity Pulse) - Darwin is a super smart dude. More thoughts on Recall (see above)

• Cybersecurity is not a market for lemons. It is a market for silver bullets. (Venture In Security) - There HAS to be a better way. I can’t believe we haven’t figured out a better way to measure security efficacy.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why, we touch on the potential (not confirmed) catastrophic hack at Snowflake and its fallout downstream. We discuss the startup debate AppSec vs. OpSec and which makes more sense. We also debate two privacy-related stories by Google and Microsoft (I fall on one specific side here… can you guess which one it is?). Finally, we make some crude jokes in the style of Beavis and Butthead for our story #5. All this and more in this week’s The Cyber Why!

Get An Automated Security Buddy with DryRun Security

DryRun Security performs automated and seamless security code reviews in seconds. Devs love it because they get actionable security advice without all the noise, and AppSec loves it because every code change is reviewed for risk.

DryRun uses a proprietary Code Review Inquiry Methodology on LLMs to deliver results to developers in just a few seconds. Try it yourself and install DryRun Security, or book a spot for a quick 15-minute demo today.

DryRun Security

Snowflake Pwnage Potentially Catastrophic

Santander staff and '30 million' customers hacked (BBC)
Ticketmaster Hack: Data of Half a Billion Users Up for Ransom (TicketNews)
Here Are 9 Companies With Reported Data Hacks This Week: Everything we Know (Newsweek)
Snowflake: ‘No Evidence’ Linking Ticketmaster Breach To Its Products, But Signs Of Former Employee Account Accessed (CRN)

What do Ticketmaster and Santander Financial have in common? Not much, unless you consider that they appear to have been hacked by the same attacker. In a recent post on an underground hacking forum, the group calling themselves “ShinyHunters” posted an advertisement naming Santander and offering the following data for sale:

• 30 million people’s bank account details

• 6 million account numbers and balances

• 28 million credit card numbers

• HR information for staff

The same hacking group is also offering over 500M credit card records for TicketMaster users. The question is, how are these two hacks connected? According to the article and BBC research, it’s highly likely that both of these attacks stem from Snowflake's recent disclosure that their systems have been compromised.

Snowflake refutes the claims that it is responsible and, as of the time of writing, does not believe it has been hacked in any other way than possibly with externally compromised credentials being used to access customer data. Other attack victims may include Advance Auto Parts, Allstate, Anheuser-Busch, Mitsubishi, Neiman Marcus, Progressive, and State Farm Insurance. There is a good chance we’re only seeing the beginning of the fallout of this one. We’ll watch it and update you as more details unfold.

AppSec or OpSec - A Fork In the Market Road

What Tool Best Compliments CNAPP? (James Berthoty - Latio Sec)

In many of the vendors I speak with, there is often a desire to merge two major market segments in a way that creates differentiation and the ability to sell a broader platform to the cyber security buyer. The most frequent version of this discussion is whether a product should push “right” into the operational security offerings or “shift left” into the application and code side of the market.

Each of the two sides of the coin comes with different buying personas, value propositions, go-to-market strategies, and even willingness to pay, making it extremely difficult to cover both sides simultaneously. As a startup, you are almost forced to pick one side of the other until you reach critical mass and have the resources to truly go horizontal in your approach. The future of the cloud-native application protection platform (CNAPP) market is no exception to this rule of thumb.

In this article, James breaks down each side's how and why in minute detail, helping you see his vision for the space. I recommend this read if you are interested in cloud security's future market trends.

Microsoft Recall - Dream or Danger (or both)

How the new Microsoft Recall feature fundamentally undermines Windows security (Double Pulsar)
UK watchdog looking into Microsoft AI taking screenshots (BBC News)

Is this a dream technology or a privacy nightmare? According to those in the cybersecurity space I have spoken to, it’s an attacker’s potential perfect storm and a significant cybersecurity problem just waiting to happen. Just last week, Microsoft announced “Recall” to the market.

The idea is it allows you to rewind back in time at the click of a button to see what you were doing at, say, 11pm two months ago. It also classifies almost everything you’re doing, seeing and typing. This is instantly searchable.

In a nutshell, the technology is an infostealer and rootkit built directly into the Microsoft operating system. It watches literally everything you do on the device and allows you to play that information back while making it completely queryable. Content is stored locally but, in my opinion, the data will eventually be used in many cloud contexts.

Spicy Take: This sounds EXACTLY like what I’ve been looking for. I want something that automatically records all of my Zoom, Team, and Google meetings and analyzes them with AI, can cross-reference that data with all my email and calendar data, and knows everything about my daily digital usage and life. In a nutshell, I want a complete second brain, and this sounds like a great start!

Regarding privacy worries, users will GLADLY trade security and privacy for any simple long-term convenience. If this really gives us the ability to track, query, and remember our entire digital life with an AI overlay, people will clamor for the solution and happily trade away security and privacy.

I, for one, think the risk is worth it! I’d love to hear your opinions below!

Google Says - We Got Your Privacy Right Here

Google Leak Reveals Thousands of Privacy Incidents (404 Media)

Google made an oopsie. 404 Media recently acquired an internal Google database that tracked company privacy violations and remediations, such as collecting and analyzing children’s voices, saving license plates from Street View, inadequate blurring of sensitive YouTube videos, and many other self-reported incidents, large and small. The database recorded privacy issues from 2013 to 2018, all appearing to have been fixed quickly by Google’s team.

The problem isn’t in tracking and remediating privacy concerns directly. Instead, the issue is the sheer volume of privacy issues that Google has to deal with annually. These are not just little bugs; they can significantly compromise human privacy rights. It’s great to see Google fixing things quickly. However, the size of the problem may make it completely impossible to secure long-term. Look at the article and check out the wild list of issues discovered in this five-year period.

Share

NVD Backlog To Be Cleared in Fiscal Year (9/24)

Federal agency taps new contractor help with bug backlog (Axios)

In this week’s “story #5,” we bring you the contract company NIST believes will be the savior of the National Vulnerability Database (NVD). The firm Analygence has been contracted to fill the existing hole and help clear the backlog that has been building up with NVD. It turns out that the contract is a five-year, $125M project, and it was awarded to Analygence as one of 14 applicants. It was awarded last December, and they have yet to operationalize the contract fully. Good luck, NIST and Analygence; your solution is desperately needed. This is a “story #5” for a reason - #iykyk - please leave your thoughts in the comments section below.

Quick Hits and Hidden Gems

• Gartner Security and Risk Management Summit (The Security Industry) - Some raw data on vendors sponsoring the Gartner event this week. Some interesting growth trends here.

• Visibility Without Action is Just Noise (Yaron Levi) - I think he means that visibility and observation don’t matter if you don’t have context. He mentions it directly in the article - finding another issue is nearly worthless without context. Context is everything during data collection, analysis, and remediation. Without context, we can’t possibly scale. Good quick read.

• Is this the end of SIEM? (Frank Wang) - SIEM, as the concept of “security event aggregation,” is indeed dead. The addition of assets PLUS events could reinvent this market into something new. This provides context to everything in the data set, making it much richer and easier to use. Context is KING!

• A venture capitalist walks into a bar (lcamtuf’s thing) - I love lcamtuf’s view of the world. He’s been around the block, and he speaks a great truth. My moral takeaway from this story is to understand the incentives, and you will be able to predict the future.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why, we cover the latest cyber drama around VulnDB and CVE, the turf war brewing between MS and Google, an increase in ICS risk, privacy impacts of wifi location tracking, and a chest-thumping-worthy (NSFW) performance by Matt McConaughey for an SDFC commercial. Have a great holiday weekend - we hope you enjoy this week’s newsletter!

Get An Automated Security Buddy with DryRun Security

DryRun Security performs automated and seamless security code reviews in seconds. Devs love it because they get actionable security advice without all the noise, and AppSec loves it because every code change is reviewed for risk.

DryRun uses a proprietary Code Review Inquiry Methodology on LLMs to deliver results to developers in just a few seconds. Try it yourself and install DryRun Security, or book a spot for a quick 15-minute demo today.

DryRun Security

100K VulnDB Vs CVE Cage Match

VulnDB Uncovers 100,000+ Hidden Vulnerabilities Beyond CVE (Flashpoint)
LinkedIn Thread on Vulnerability Disclosure, VulnDB and CVE (Ben Edwards)

What an absolute dumpster fire of name-calling, mean comments, and throwing shade at each other. I took the time to read through both posts and threads, along with all associated comments, and all I can say is WTF. Can’t we do better when it comes to working together to make the world a safer place? With a (let’s be truthful here) slightly clickbait-style title, Flashpoint released a report stating that they now had cataloged 100K more vulnerabilities in VulnDB than CVEs that are currently published. This torqued a subset of cybersecurity researchers and vulnerability hunters as they attacked Brian Martin and the team at Flashpoint for “not publishing” these vulnerabilities as CVEs themselves. Brian made a great argument that every vulnerability within the VulnDB is already publicly known and that CVE is notoriously bad at keeping up with publishing vulnerabilities based on the fact that it’s an inbound model - they don’t search for known vulnerabilities, instead letting the details come to them. If you have an hour or two to kill, I recommend reading these threads, as they will help you to understand exactly how broken the vulnerability database world is today. There has to be a better way!

Note: I don’t have an opinion on either side of this equation. I just wish the debate and discourse could be civil so that we can actually improve security instead of merely maintaining what little we’ve achieved over the last two decades.

Google Announces a Turf War for the Productivity Suite Market

Google Pitches Workspace as Microsoft email Alternative, Citing CSRB Report (Dark Reading)
Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft (Security Week)

(Katie pick) Earlier this week, Google took advantage of an opportunity to grow its online productivity suite business — Workspace. In the wake of a publication by the US Cyber Safety Review Board (CSRB), which noted the many vulnerabilities and known exploits in Microsoft Exchange Online environments, Google executives touted how businesses could achieve a safer online environment and a reduced attack surface by switching to Workspace.

Microsoft has received tons of criticism over the years for security issues in its offerings. In fairness, when your company has the greatest number of deployments worldwide, the target on your back is bigger. That said, if you have the largest account base, there is an argument for “do better.”

Google has made strides in the business world over the years; start-ups and cloud-native organizations have primarily switched to GSuite. As someone who has only worked in the startups for the last 6 years, I say, “Microsoft, who?” (Only kidding. Word for the win.) While Google has many great features and is highly user-friendly, they must improve Slides to be competitive (not actually kidding). Further, Google will likely have to continue battling the perception that Microsoft is for “more serious” businesses, including the US government.

Ah, isn’t competition “suite”?

Threat Actors Increase Pressure on ICS

Rockwell Automation Urges Customers to Disconnect ICS From Internet (SecurityWeek)
Rockwell Automation Warns Admins to Take ICS Devices Offline (Bleeping Computer)
Rockwell Automation Warns Admin to Disconnect from Internet (Cybersecurity News)

(Katie pick) Rockwell Automation issued an urgent warning to its industrial control systems (ICS) customers — Inventory and control your asset environment.

According to the notice, the company is concerned about the potential for increased attacks against ICS due to “heightened geopolitical tensions.”

Basic security hygiene is (or should be) critical to all businesses, yet these foundational processes are often overlooked or unattended. In the case of ICS and Rockwell’s programmable logic controllers (PLCs), the company is concerned that customers may have risky assets configured to the public-facing internet — though they shouldn’t be. According to an article on SecurityWeek, “A Shodan search for ‘Rockwell’ currently returns more than 7,000 results, including thousands of what appear to be Allen-Bradley programmable logic controllers (PLCs). “

Rockwell, alongside CISA, has provided guidance for customers on how to identify exposed assets and recommendations for triage and remediation, including some of the most urgent, listed here:

Importantly, simply identifying risky assets isn’t enough. Rockwell highlights the need to patch vulnerable systems immediately (when/if a patch is available) and continuously monitor for suspicious and/or anomalous activity.

Yes, Your Apple Device is Tracking Your Location

Why Your Wi-Fi Router Doubles as an Apple AirTag (Krebs on Security)

(Katie pick) In the eyes of some buyers, the Apple operating ecosystem is the most secure. Especially in the early days of smartphones, cybersecurity experts touted Apple’s advantages over other brands. Today, cybersecurity experts rally behind the company, often citing the “strict” vetting process in the AppStore.

However, upon a deeper analysis, Apple allows for more precise geolocation than its rivals, opening up interesting privacy risks.

In a recent article, KrebsOnSecurity reveals Apple’s process for collecting (and sharing) location data. If you care at all about privacy, you should be concerned. But don’t worry; in 2023, Apple released an under-the-radar patch for users to keep their devices’ precise location private. This is excellent for tech users and slightly savvy non-tech users. The rest of the iOS consumers will remain blissfully unaware of the exposure and incapable of changing their settings.

And by the way, researchers at the University of Maryland could track specific movements of military personnel in Ukraine, essentially allowing them to understand when and where an attack was being planned. In the wrong hands, weaponized geolocation via basic cell phone settings and wifi could prove disastrous.

Share

Well, AI-right AI-right AI-right - AI Privacy w/ MM

Story #5: “Out here in the AI Wild West, bad guys only want one thing - your customer data!” The last time we saw a cybersecurity ad campaign tackle the Wild West, we got this gem: CrowdStrike tames cybersecurity Wild West in a new Super Bowl commercial. If that isn’t enough to make you think twice about buying cybersecurity technology, we also have this one from Palo Alto Networks: This is Precision AI with Keanu Reeves.

Similarly, SalesForce has decided to get ahead of the AI data collection story and put out a preemptive advertising strike stating that they are smarter and safer with your data regarding AI. Check out this series of half a dozen of the best cybersecurity ads I’ve ever seen (albeit the quality bar is quite low!) Enjoy…

Quick Hits and Hidden Gems

• Kevin Mandia Stepping Down As CEO At Google-Owned Mandiant (CRN) - It’s the end of an era. Two decades after its founding, Mandiant CEO Kevin Mandia is stepping down. Good luck on your next adventures, Kevin!

• CyberArk acquires Venafi for $1.54B, integrating human and machine IAM (SC Magazine) - Identity is a BIG DEAL.. a 1.5B$ BIG DEAL to be exact.

• "I was forced to hire legal counsel," actress Scarlett Johansson responds after Microsoft partner OpenAI 'clones' her voice for ChatGPT (Windows Central) - ScarJo doesn’t like people stealing her voice. Good legal debate here.

• CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules (Dark Reading) - Are rules real if they aren’t clear? 4 days to report a “material” breach. Sounds way to vague to be enforceable to me.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

In this week’s The Cyber Why, we cover the resignation of the OpenAI “superintelligent team” leader, the debunking of the cybersecurity labor shortage, a monster week in cyber M&A, a great piece from Andrew Morris on the disconnect of the cyber vendor ecosystem, and a killer YouTube “pwnie” playlist to induce musical euphoria!

Don’t forget to check out the quick hits section - it’s SUPER rich this week.

Sponsor The Cyber Why!

The Cyber Why reaches nearly 5,000 cybersecurity, technology, and investing professionals per send. With over 30,000 views a week, our content is frequently in front of your target audience. Reach out to The Cyber Why to find out how you can drive leads and brand recognition for your business. Sponsorship packages are available. Click HERE for more information.

Super Intelligent AI - Safe or Scary?

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says (TechCrunch)

It’s commendable to do the “right thing” and build a team responsible for developing ways to govern and steer “superintelligent” AI systems. It’s entirely the opposite of “commendable” to deny resources and let that team wither and die. That’s precisely what OpenAI did, resulting in several team members resigning, citing “disagreements with OpenAI leadership about the company’s core priorities.” Ouch…

OpenAI formed the team intended to safeguard AI development last summer. One year later, the leader of that team, Jan Leike, resigned in the same week as OpenAI co-founder Ilya Sutskever. This does not bode well for the future safety of AI as developed by OpenAI. These resignations and revelations, alongside the attempted OpenAI coup at the end of last year, make me very nervous about the future safety of our computing systems.

Cyber Labor Shortage Debunked

There Is No Cyber Labor Shortage (Dark Reading)

I’ve often wondered if the ludicrous numbers quoted when discussing cybersecurity job openings could possibly be real. Here’s one example from CNBC.

“There are nearly 600,000 unfilled cybersecurity jobs in the U.S. right now, and about 3.5 million open roles globally, says Lisa Gevelber, Google’s chief marketing officer for the Americas, citing recent research from Cybersecurity Ventures.”

According to an article penned by Rex Booth, CISO Sailpoint, there isn’t an issue with filling these jobs; the real issue is the requirements that are needed to be hired, making them unattainable for the majority of people who would want them. Rex makes a good argument by explaining that entry-level SOC analyst positions shouldn’t require years of formal training, multiple certifications, and potentially even a college degree. Most of these open roles are entry-level positions, and we treat them as if we have to find the perfect cyber analyst unicorn before extending a job offer. Let’s not get it twisted - I’m not suggesting we hire any old rando off the streets. If we have people with excellent technical skills and a high level of certifications applying for the role, we should hire the best we can find. But if you tell me that we have 600K jobs available and can’t fill them, we should adjust our requirements to fit our available supply and then train them on the job. My other intuition is that the metric of 600k cyber job openings is likely a made-up number anyway… making this entire discussion moot.

Cyber M&A Continues in 2024

Palo Alto Networks is buying security assets from IBM to expand customer base (CNBC)
LogRhythm and Exabeam Announce Intent to Merge, Harnessing Collective Innovation Strengths to Lead the Future of AI-Driven Security Operations (LogRythm PR)

It’s been a week of hot and heavy acquisition activity. The cybersecurity M&A pendulum has swung so far to one side that it feels destined to stay there forever. This week PANW and IBM got together to announce the sale of IBM’s cloud security software assets to Palo. At the same time, Palo has agreed to use IBM as a significant portion of its services arm and provide a clear path for QRadar users to switch to Palo’s equivalent platform offerings quickly. This one is big, and I have to admit I’m really not sure what I should be thinking about on the back of this announcement. Part of me sees this as a step backward for Palo. Previously, they would acquire the best products in the market and bring those to bear for their customers, but this feels more like buying the market and killing off a competing product type of play. However, if done correctly, this could unlock a new channel and customer base that Palo couldn’t access. There’s no clear answer here… This one has me scratching my head for sure!

Incentives Required - Altruism Doesn’t Work

Addressing the Cybersecurity Vendor Ecosystem Disconnect (Dark Reading)

Sharing is caring, and right now, the cybersecurity vendor space doesn’t care. At least that is the commentary posited by Greynoise founder and Chief Architect Andrew Morris. In this article penned for Dark Reading, Andrew concludes that a winning next phase of innovation should come on the back of collaboration - and I think he’s right! Enterprises are in a state of tool overload. The ability for tools to work together, for data to be uniform and normalized across systems, and for integrations to pass analyzed output effectively are requirements for success, and we just aren’t meeting those requirements as an industry. Andrew makes the point that we have to find common standards, operate via joint innovation, allow the passing of data that is currently limited by regulations, and effectively shift our collective mindset as vendors in the cybersecurity market. The one concern I have, Andrew also calls out, is that we are not incentivized to do this. Cybersecurity businesses have one goal in mind… to help secure the world to make money! Maybe I’m just a cynical old man (actually, that describes me perfectly), but until we vendors find some incentive that aligns well with growing the business quickly, we won’t see any change. As much as I hate to admit it, I think the only course of improvement is (/vomit) government regulation.

Note: Go check out Andrew’s company, Greynoise. They turn Internet noise into intelligence, and as long as I’ve known Andrew, he’s been one of the good guys… fighting the good fight for all of the right reasons.

Share

Story #5: Pwnie Award Nominated Songs

YouTube Playlist of Pwnie Award Nominated Songs (tl;dr sec)

I saw this under the “Misc” section of the latest tl;dr sec newsletter. I have no idea where Clint (author of tl;dr) found it, but it’s the funniest thing I’ve seen this week. Many of the songs are old, but they still made me laugh out loud. The opening video alone is a classic that I will never forget.

Quick Hits and Hidden Gems

• PMF Score Vs NPS & Sequoia Capital's Runway Reality Check for Founders (Venture Creator) - PMF Score vs. NPS and when to use them. Interesting take on how to measure product market fit.

• Y-Combinator's Framework: How Much Traction Is Needed To Raise Funding? (VC Jobs) - Remember to take into account “marketing,” aka how you will reach the buyer. Build it, and they will come is reserved for baseball stadiums only.

• FBI seize BreachForums hacking forum used to leak stolen data (Bleeping Computer) - Another breach forum is down, and another will rise to fill the gap. Risky Biz did a killer write-up as well. Story here.

• Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S. (404 Media) - Mobile spying and tracking revealed by a whistleblower. If only I had a complete account to read it. Stupid paywall.

• How Did Authorities Identify the Alleged Lockbit Boss? (Krebs on Security) - Krebs breaks down exactly how Dmitry Yuryevich Khoroshev was tracked and caught. Crazy good research.

• Social Capital 2023 Annual Letter (Cahamath Palihapitiya) - This annual letter details learnings, observations, and reflections on technology, economic, and creator trends. Good read!

• Unmasking adversary cloud defense evasion strategies: modify cloud computer infrastructure Part I (Permiso) - Super technical cloud based attack techniques blog. Digging this one for its “light technical reading.” Good stuff!

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

In this week’s The Cyber Why we cover the CISA Secure By Design Pledge, WIZ raising a BILLION bucks and actually having a real need for it, AI cybersecurity moves from Palo Alto and Crowdstrike, a throwback to 2003 Trustworthy Computing Memo from Microsoft, and a chuckle filled video from Matthew Broderick. All this and more in this week’s The Cyber Why!

Sponsor The Cyber Why!

The Cyber Why reaches nearly 5,000 cybersecurity, technology, and investing professionals per send. With over 30,000 views a week, our content is frequently in front of your target audience. Reach out to The Cyber Why to find out how you can drive leads and brand recognition for your business. Sponsorship packages are available. Click HERE for more information.

CISA Secure By Design Pledge - YAY or NAY?

CISA Announces Secure by Design Commitments from Leading Technology Providers (CISA)
Statements of Support for the Secure by Design Pledge (CISA)
I'm not cheerleading for the CISA pledge (lcamtuf’s thing)

This week, the Cybersecurity and Infrastructure Security Agency (CISA) announced a “Secure by Design pledge”. The pledge is voluntary for enterprise software products and services, in line with CISA’s secure-by-design principles. Many companies have taken up the torch and made public statements of support, including Armis, Cisco, Cloudflare, GitHub, Google, HP, IBM, Lenovo, Tenable, and dozens more. I love the idea of a pledge, but it won’t actually make anything better in the long run. If it was as easy as declaring “we are going to be secure,” we would have done it long ago. At first, I thought this was just another piece of lip service that software vendors were putting forward, but the article by “lcamtuf” made me see it differently. For many software companies, this may be how they get out in front of what could be coming down the pipe in the form of legal requirements containing teeth.

Finally, a REAL Reason to Raise $1B

Wiz Lands $1B In Funding, $12B Valuation Amid Surging Cloud Security Growth (CRN)

When I think WIZ’s growth rate can’t increase any faster, they go and pull something like this. At the RSA Conference this week, WIZ announced a $1 billion (YES with a B!) investment from major silicon valley VCs, including Andreessen Horowitz. I typically am pretty cynical when I see announcements of raising funds of this size. We live in a world where it takes way less capital to build a technology and software startup than ever, yet I keep seeing massive infusions of cash into companies that are blitzscaling markets that may not need to be blitzscaled. HOWEVER… On this particular piece of news, I think it’s imperative that WIZ bring this large amount of funding to bear. They are currently in a war with Palo Alto Networks, Crowdstrike, and others to become one of just a few major platforms that large enterprises will look to purchase. This battle is the final epic scene of the tale of cybersecurity consolidation that is upon us. The raise puts significant funds into WIZ’s war chest, allowing them to make acquisitions as they continue to broaden their product portfolio and prepare to go public. Also, they had a pretty crazy kickass booth at RSA this week - the sucker couldn’t have been cheap!

The AI Cyber Platform Wars Heat Up

INSERTING and REPLACING SentinelOne® Unveils Future of Autonomous Security (Yahoo Finance)
Palo Alto Makes Artificial Intelligence Push At RSA Conference (Investor Business Daily)
Palo Alto Networks Launches New Security Solutions Infused with Precision AI to Defend Against Advanced Threats and Safeguard AI Adoption (Palo Alto Website)

The cyber AI platform wars have begun. Last week at RSA, I had the pleasure of sitting in on the announcement by Palo Alto Networks of their new Precision AI cybersecurity solutions, three distinct platforms, and connected co-pilots. It was an exciting presentation in which Palo Alto clearly depicted how they plan to leverage their industry-leading broad set of data and context to provide preventative security solutions ranging from code all the way to cloud-native operational security. Also last week, SentinelOne announced their future of autonomous security built on the back of their Singularity Data Lake and Purple AI system. While Palo has a much broader approach today, it appears that the first battleground will be where AI and security operations collide. Improvements in the SOC are the “low hanging fruit” in which these cybersecurity behemoths can have a massive impact quickly. Over time, AI will stretch to broader solution sets and value propositions. I plan to follow these two companies, as well as Microsoft, Google, Wiz, and a few others, very closely as this new AI cybersecurity reality emerges.

Trustworthy Computing 2.0

Read Satya Nadella’s Microsoft memo on putting security first (The Verge)
Trustworthy Computing (Wikipedia)
Microsoft is tying executive pay to security performance — so if it gets hacked, no bonuses for anyone (TechRadar)

I’m guessing many of you aren’t old enough to remember the famous email of 2002 from Bill Gates to every Microsoft employee announcing the “Trustworthy Computing (TWC) Initiative.” In the years leading up to the 2002 memo, attackers and security researchers had been making a complete mockery of Microsoft and the security of their software and products. There were significant customer breaches, product vulnerabilities weaponized, and, quite frankly, Microsoft became the laughing stock of cybersecurity. We reminisced about the initiative in the most recent The Cyber Why Podcast as we covered the Cyber Safety Review Board Report on Microsoft and even broke down some of the issues in a TCW Deep Thought piece on the topic. When we think we have seen another new low for Microsoft, they pop up and take a page from Bill Gates’ old playbook from 2003. Satya Nadella, Microsoft CEO, sent out his own version of the Trustworthy Computing Memo to over 200K employees. Suppose they put the same effort behind the new initiative as Gates and their team did in 2002. In that case, we should see Microsoft become a more secure and hopefully dominant player in the cybersecurity space. Good luck, Microsoft - it’s a tough hill to climb!

Share

I <3 Matthew Broderick and Wargames!

Cybersecurity, AI and Alicia Keys: What We've Seen at the RSA Conference (CNET)

What do Ted Lasso, Alicia Keys, Matthew Broderick, Homeland Security Secretary Alejandro Mayorkas, and Secretary of State Antony Blinken all have in common - absolutely NOTHING except that they were all at the RSA 2024 conference as speakers or keynotes. While I’m not sure why a couple of those names were chosen (Alicia Keys, she’s fantastic, but what’s the connection to cyber?), most speakers were perfect for content and inspiration. Some videos can be found on the official RSA Conference YouTube Channel; others are available as bootleg shots, like the Matthew Broderick one below. I loved this video as Wargames was a HUGE influence on me. If you have free time, look at the content - you’ll be sufficiently inspired.

Quick Hits and Hidden Gems

• Palo Alto Networks Abdicates (The Security Industry) - Richard, do you have a vendetta against PANW? First, you snipe them for their 2024 strategy; then, you snipe them for pulling out of RSA. A major conference like RSA provides a vendor with both demand generation and brand awareness. When you are a massive company like PANW, you already have both in large quantities, making guerilla marketing a potentially smart move. Alternatively, if you are a tiny company, it also makes sense to go rogue due to ROI metrics when nobody knows your name and your tiny reach. I disagree with you on this one - PANW pulling out of RSA and doing their own thing is just the start of many major companies moving to run their own side conferences during that same week.

• The free advice economy; 500-foot baguette; 40,000 robot narrators (Josh Bernoff) - Great brief article on why I give free advice to others. tl;dr, I get self-reward from it, and hopefully, they find value in it! This is how the world operates.

• Akamai Doubles Down On API Security With $450M Noname Acquisition Deal (CRN) - Bargain basement acquisition prices are here. Akamai snaps up NoName.

• Note to investors and security pros: drive innovation by going on the offensive  (SC Media) - Bob Ackerman on driving innovation with offensive moves. A great investor with great advice. Must read.

• The Alleged LockBit Ransomware Mastermind Has Been Identified (WIRED) - With eyes like his, I would have pegged him for a criminal overlord from a mile away. Either that or as someone who has to tell his neighbors that he just moved in.

• IntelBroker Hacker Claims Breach of Top Cybersecurity Firm, Selling Access (Hack Read) - No proof yet, but where there is smoke, there’s typically fire. Watch this one closely, as I bet it breaks further over the next two weeks.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

In this week’s TCW, we wax eloquent regarding the 2024 RSA Innovation Sandbox finalists, get depressed thanks to the 17th DBIR report where nothing got better, debate the natural fit between Aqua (water) and Orca (whales), watch as a Darktrace short gets slapped back to reality, and finally talk about Tyler’s FAT HEAD! All this and more in this weekly The Cyber Why!

RSAC Innovation Sandbox 2024 Cohort

RSAC Innovation Sandbox 2024 - Who to Watch ([Latio Pulse] )

The RSA Conference is just a few days away! Hot press releases, venture funding, acquisition rumors, and product announcements have been flooding the newswire. It’s the time of year that some of us loathe (introverts unite), and many of us cherish (extroverts, I don’t understand you!). It’s a time to analyze where cybersecurity is headed, readdress our strategy and trends, meet up with old friends, and make some new ones as well. One of the hottest discussion items each year at RSA is the Innovation Sandbox finalists. These companies are supposed to be the most innovative, unique, and compelling product offerings in their rookie class. Some go on to become massive publicly traded companies, and many sell for hundreds of millions of dollars to the highest bidder. Either way, it’s a time when analysis of these companies makes a lot of sense and is something we should at least take a glance at.

This year, the companies fall into the following general categories: Identity Innovation, Generative AI Security, Cloud and Kubernetes Security, and Exploit Intelligence. The biggest thing about each of these companies is that their products and technology are unique, elevating them above the category confusion that plagues the rest of the cybersecurity startup world. Good luck to this cohort… it’s going to be fun to watch you grow up!

• Aembit - Secure Machine-to-Machine Token Authentication

• P0 Security - Just In Time (JIT) Access to APIs, Workloads, and Infrastructure

• Harmonic - Generative AI Data Security

• Antimatter - Generative AI Security

• Rad Security - Kubernetes Security and Cloud Native Threat Detection and Response

• VulnCheck - Exploit Intelligence for Vulnerability Prioritization

• Antimatter - Make data safe for GenAI, fast!

• Bedrock Security - Frictionless Data Security

• Reality Defender - Detect Generative AI Threats

• Dropzone.AI - AI SOC Analyst

Tyler’s Verizon DBIR Depression Kicks In

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches (Dark Reading)
Verizon’s 2024 Data Breach Investigations Report: 5 key takeaways (SC Media)
2024 Data Breach Investigations Report DBIR (Verizon)

This report is one of my favorite reports of the year - yet I’ve stopped reading it cover to cover. It’s not because of a lack of available time that I have given up on the content. Instead, it’s a lack of hope. Maybe this is where my jaded old cyber personality comes out. In the last 17 years of analyzing the DBIR I have seen next to ZERO improvement in the state of cybersecurity. Sure, the goalposts of success have moved, the weapons chosen by the adversaries have changed, and the defensive models have advanced, but in actuality, we are no better off today than we were a decade and a half ago. Please comment below if you are more hopeful about the future of cybersecurity and help me see that a positive future can exist (hit the comments below). In the meantime, here are some of the interesting statistics that jumped out to me in this year’s report:

• Primarily thanks to the MoveIT attack, vulnerabilities as the first entry point jumped 180% year over year. Attackers can weaponize their attacks rapidly, making them highly successful.

• MoveIT accounted for 8% of all reported breaches.

• Extortion attempts occurred in 32% of all reported breaches. The average loss was $46K per successful breach.

• The average time to remediate a 0-day is 55 days. The average time to weaponize a new vulnerability is five days. That’s nearly TWO MONTHS of exploitability window, assuming everyone fixes their issues on day one. That’s BAD!

• 68% of breaches involve a "non-malicious human element"—phishing, misconfiguration, or other human mistakes. To quote the great T. Swift…

Two Formidable Companies Join Forces to Fight Cloud Workload Compromise

Integrating Aqua Security with the Orca Cloud Security Platform (Orca Security)

(Katie pick) I saw this coming, and I think it’s big. These are two powerhouse companies working together to identify and remediate cloud-based compromise in near real-time. With this integration, Orca and Aqua are knocking down the common arguments against each other’s tech approach: “Agents can’t see where they’re not deployed.” “Agentless technologies can’t see into the workload.”

These arguments are used by vendor sales teams all the time, depending on which side of the agent vs. agentless fence they sit on. The reality of any networking is that security teams need both. Without the ability to monitor and control endpoints and the ability to monitor and control traffic, blind spots will remain.

This integration — and similar ones in the future — could threaten cybersecurity asset management (CAM) companies if they’re not careful. I know (as well as anyone) that the message from CAM is, “We aggregate data from these tools and more.” While true, Orca and Aqua have the capital and the brand recognition to spin the narrative in their direction and secure tightening budgets — especially because cloud compromise is something CEOs are being warned about.

Aqua and Orca have repeatedly proven themselves; this looks like it will be a big win for end users. And I wouldn’t be surprised to see an acquisition in the near future.

Editors Note: Is it me, or are Oracs and Aqua totally meant to be together?

Shorting Darktrace Seemed Brilliant. Until It Didn’t.

Thoma Bravo to buy UK's Darktrace for around $5.3 bln (Reuters)

(Adrian Pick) I think there’s a lesson here. In my part of the cybersecurity industry, Darktrace is a bit of a joke. I don’t think I’ve ever encountered someone happy with the product. It seemed clear that it was a small amount of tech (open source, at that), with a lot of window dressing around it. Shades of FireEye.

With the Thoma Bravo take private announcement, suddenly, we were all second-guessing ourselves. Were we wrong about them? Is everything Darktrace marketing has been claiming - the digital immune system stuff - is all that validated now?

It’s not an enormous win, but a solid one - Thoma Bravo’s offer is ~8x on 2023 revenue. FireEye (after it split from Mandiant) exited at a steeply declining 1.2x to Trellix. It makes me wonder how much of a shock this has been for the folks at Quintessential Capital Management, who released a scathing report on Darktrace just over a year ago and announced they were shorting it. If we assume QCM was shorting DARK when they published this report, DARK was around 250 pence on the LSE. After the announcement from Thoma Bravo, DARK leaped from ~450 up to 600 pence. Ouch.

Share

Republicans have FAT HEATS! </clickbait>

AI Can Tell Your Political Affiliation Just by Looking at Your Face, Researchers Find (Gizmodo)

This most definitely qualifies as a story #5. As you know, #5s are supposed to be funny, irreverent, quirky, or just downright weird. This particular story falls into the downright weird bucket. Recent research has shown that just by looking at a person’s still and emotionless face, AI can accurately predict if you are a liberal or a conservative. WTF?! Apparently, the researchers had this to say:

According to this analysis—and, I have to warn you, it’s kinda funny—liberals and conservatives have markedly different facial morphology. Liberals have “smaller lower faces” and “lips and noses [that] are shifted downward,” and chins that “are smaller” than conservatives, researchers write. Researchers repeat the key conclusion later on: “liberals tended to have smaller faces.”

So, according to this theory, if you have a tiny face, you’re probably a progressive. Or, by contrast, if you have a big fat face, there’s a good chance you might be a Trump voter.

Quick Hits and Hidden Gems

• Tenable Bolsters Its Cloud Security Arsenal with Malware Detection (Tenable BLog) - And the water gets murkier! Tenable adds CNAPP-style capabilities, including malware detection in workload, to its stable of technologies. The centers of gravity are getting closer day by day!

• Microsoft bans US police departments from using enterprise AI tool for facial recognition (TechCrunch) - This could end up being controversial. When the risks of AI impacting privacy become “good for the general population,” we are going to have explosive debates. Watch this one over the next few years.

• Apple’s $110 Billion Stock Buyback Plan Is Largest in US History (Bloomberg) - It’s usually a good sign when a company believes enough in themselves to buy back shares. Watch $APPL closely as it moves into the second half of 2024.

• Examining the Deception infrastructure in place behind code.microsoft.com (Microsoft Blog) - For over 2 years code.microsoft.com has been a honeypot! The data they collected was incredibly useful to MS and the community at large.

• Harvesting Ideas from Questionable People (Dan Meissler) - This resonated with me. Everyone should read this and evaluate how they perceive others and the world and how they are able to learn while maintaining their own moral code.

• The Future of SOC Automation Platforms (Francis Odum) - A great report on the modernization of the SOC and the technology stack to go with the updated processes. This research should also be reproduced for Appsec, Cloudsec, Infrasec, and all other *Sec derivatives).

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

This week in The Cyber Why, we cover the latest updates to the gift that keeps on giving news: the United Healthcare Group hack. We discuss the impact of the non-compete ban in the United States and take aim at building companies just to get rich. We provide a feedback loop on Iranian phishing attempts, and finally, we put a new gift on Tyler’s birthday wishlist — a flame-throwing robot dog (I want one SO BAD!). All this and more in this week’s The Cyber Why!

Sponsor The Cyber Why - Reach Nearly 5,000 Tech and Cyber Leaders TODAY!

The Cyber Why is your weekly dose of cybersecurity wit straight to your inbox. TCW tracks cyber and tech news and drama with humor you won't find anywhere else. Sponsor TCW and reach thousands of active subscribers bi-weekly. Don't be a phish, sponsor today!

CLICK HERE or email tyler dot shields at gmail.com for sponsorship specifics.

UHG Update - Admits To Having Paid Ransom

UnitedHealth Group Updates on Change Healthcare Cyberattack (United Health Group)
UnitedHealth paid ransom after massive Change Healthcare cyberattack (CBS News)
Authentication failure blamed for Change Healthcare ransomware attack (CSO)
UnitedHealth CEO to testify before US House panel on cyberattack at tech unit (Reuters)

(Rick Pick) It was a significant news week for updates on the Change Healthcare extortion attack. UnitedHealth Group (UHG) issued a press release with less-than-encouraging news on Monday. The company said that it:

"has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America."

There are over 335 million Americans, and the release substantially understates the potential implications. Later that night, a spokesperson told CBS News that the company paid a ransom ($22M) to the extortionists (ALPHV). The company revealed "$872 million in unfavorable cyber attack effects in its release."

What would a favorable cyberattack effect be? Asking for a friend. It was also reported that "compromised credentials on an application" is how the attackers gained their initial access.

You could debate me, but this could be a top-three ransomware attack, especially considering potential future losses. It demonstrates the fragility of our interdependent systems and begs the question, where is the next Change Healthcare? What other sectors have their version of this type of target? Finally, if compromised creds on an "MFA-less" application were the initial access vector, it highlights that actors don't need esoteric zero-day to achieve their goals. Companies need to be maniacal about managing their external footprints and hardening their external services. UHG's CEO, Andrew Witty, is testifying on The Hill next week; get your popcorn ready.

I’m Now Dating Your Best Friend - HOW YA LIKE ME NOW!

U.S. bans non-compete agreements for nearly all jobs (NPR)

One of this week's hottest topics, the FTC ban on non-compete agreements in the United States, brought on a flurry of news articles, pundit commentary, and debate about whether non-compete agreements are essential to safeguard a business. In some circles (employee slack groups specifically), the commentary was all rainbows and unicorns talking about how bad non-competes were, and while commonly known to be unenforceable in most states, how they still acted as a deterrent to changing jobs since most companies wouldn’t hire you if you signed a non-compete agreement for fear of being sued by your former overlords.

In some tech founder groups, the commentary wasn’t so appreciative of the moves made by the FTC. Some founders said that if people could move freely to competition, it would make it more difficult to keep human resources and increase the cost of doing business. They also suggested that it would bring about a significant amount of IP theft and brain drain from one company to another in a similar space. In general, I don’t believe that non-competes should be allowed. However, I see the potential impact that can occur to businesses with no better way to defend themselves from nefarious individuals willing to act maliciously. Let me know how you feel about the topic in the comments below!

Founder Syndrome in Cybersecurity

In 2024, finding cybersecurity startup ideas worth pursuing is harder than many people think (Venture in Security)

(Katie pick) As Ross writes in his latest piece, “Starting a cybersecurity startup is easier than ever,” but that doesn’t mean the industry needs more startups or that founders and would-be founders are starting cyber vendor companies for the right reasons.

As I’ve written in the past (part 1; part 2), there are plenty of headwinds to founding a cybersecurity business, which Ross expertly outlines in his article. What he doesn’t touch on is what I’ll call “founder syndrome,” or the idea that “there is a gap in X aspect of security. I’ll build this widget. I’ll sell this widget. I’ll get rich and create the world’s biggest cybersecurity company.” Building a cybersecurity technology with the idea of “getting rich” rarely results in achieving the goal. You’d be better served just buying state-run lottery tickets!

Building a security company from scratch is a mighty endeavor, even for tenured founders. This piece covers many of the considerations that entrepreneurs should ask themselves—and their investors—before entering the fray. Don’t just throw caution to the wind and hang a shingle - know what you are getting yourself into.

Iranian Attackers Go Phishing

Iran Dupes US Military Contractors, Gov’t Agencies in Years-Long Cyber Campaign (Dark Reading)

(Katie pick) While the US government has been busy issuing cybersecurity guidance for public and private sectors, it seems that they, themselves, are not immune to social engineering attacks.

The Fed recently announced that “hundreds of thousands” of US business and government employees were the target of Iranian state-sponsored cyber espionage campaigns between 2016-2021. Four Iranian nationals were indicted but are unlikely to face any real charges due to extradition laws.

While the article claims the attackers were “clever” and “more sophisticated by a significant margin,” the tactics employed seem straightforward — masquerading as a cybersecurity services provider and asking targets to click on links. You know the rest of the story. The story's moral here isn’t “Haha, the government got tricked, too!” Instead, the moral is: We must focus on security basics that help limit attack escalation. Social engineering works and will continue to work until someone can build a solution that stops the malware from executing and stops the attackers from elevating privileges after the link has been clicked. We’re not going to stop link-clicking — we all need it for everyday, non-malicious business — so let’s look at the compensating controls. And get them right.

Share

Tyler’s Updated Birthday Wish List

Watch: Fire-breathing robot dog that can torch anything in its path (Yahoo)

This is the thing that nightmares are made of! Robot dogs with flamethrowers on their backs. It reminds me of Austin Powers talking about “sharks with fricken LASERS on their heads!” As if that wasn’t scary enough. These little 1ft square beauties are manufactured by the US firm Throwflame, can eject fuel for up to 45 minutes, and can be purchased by the general public in the United States of Freaking America for only 7,600 British Pounds. Shoots 30-foot jets of fire, remotely controlled and enabled with laser sight and a built-in flashlight, this bringer of mayhem looks too good to pass up! Time to get my checkbook out! Or better yet - I’ll start a GoFundMe for my next birthday present… it’s just around the corner.

Quick Hits and Hidden Gems

• Aaron Levie, CEO at Box on AI Agents Impact On Business (LinkedIn) - Aaron is one smart dude. He equates AI agents to the advent of SaaS, detailing the potential massive market impact.

• Wiz CTO: “AI is probably the fastest-adopted technology in history” (Calcalist) - This time with data to back the assertion. WOW... incredible pace of change.

• A world after Wiz: Emerging opportunities in cloud security (Scale VP) - While we are on the topic of Wiz. What’s a world post-Wiz look like for cybersecurity companies? Where’s the whitespace for the next crop of Israeli startups?

• Is NoName the normal exit size now? (Cole Grolmus) - Lots to unpack here. Strategic products and companies can still exit but nowhere near as big as they once could. Down rounds abound!

• The Wiz acquisition of Lacework makes sense (Frankly Speaking) - PHEW, at least I’m not the only one that thinks this way. I thought I was on an island here!\

• The Rise Of Application Security Posture Management (ASPM) Platforms (Chris Hughes) - Sorry, buddy. Let’s agree to disagree on this one. ASPM is just another token product that will get absorbed into something bigger.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

Sponsor The Cyber Why - Reach Nearly 5,000 Tech and Cyber Leaders TODAY!

The Cyber Why is your weekly dose of cybersecurity wit straight to your inbox. TCW tracks cyber and tech news and drama with humor you won't find anywhere else. Sponsor TCW and reach thousands of active subscribers bi-weekly. Don't be a phish, sponsor today!

Top Market Report - MUST READ, 5+ STARS

Q1 2024 Cybersecurity Market Review (Altitude Cyber)

One of the most robust cybersecurity market analysis reports dropped this week. Dino Boukouris and the team at Altitude Cyber provide for your reading please the Q1 2024 Cybersecurity Market Review Report. The overall themes and takeaways include a positive uptick in cybersecurity deal making, a larger than normal rate of major M&A activities, and even later stage financing is making a comeback. This report takes a look at all of the moves being made in cybersecurity including calling out some of the top companies that made the RSA Innocation Sandbox for 2024. Go take a look at the entire list but I’d like to directly hype up a couple of my favorites, specifically RAD Security and Vulncheck. These two companies provide interesting and unique value propositions to their customers that really can’t be found anywhere else - and that’s saying something in today’s overly crowded product landscape. Finally, here are a couple of my favorite chart from the report - I HIGHLY recommend you load this article up and at a minimum look through all of the amazing pictures!

0-Day Vulnerabilities - Do They REALLY Matter?

Cisco Duo's Multifactor Authentication Service Breached (Dark Reading)
PuTTY crypto bug exposes private keys, may lead to supply chain attacks (Risky Biz News)
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack (The Hackers News)
This week in security: Putty keys, libarchive, and Palo Alto (Hackaday)

Maybe it’s a function of my age. Maybe I am just a jaded old security guy who has been around the scene too long to worry about issues such as these any more. Don’t get me wrong — the PAN-OS bug is seeing active exploitation, the Putty flaw opens up all sorts of crypto risk, and Cisco’s Duo problem could certainly lead to major issues at enterprises world wide. However, I no longer get excited when the latest 0-day drops and everyone flies into a risk induced tizzy. I guess the vibe really comes from the fact that as an industry, cybersecurity still can’t handle the low hanging fruit let alone have the capability and resources to mitigate the risk that comes from some crazy advanced crypto issue or a supply chain risk that compromised some very important data. Maybe I’m analyzing this completely the wrong way (highly likely!) I guess I’m looking for more root cause fixes as opposed to bandaids that solve a point in time problem such as the latest vulnerabilities.

Someone out there please help me get back to the time when finding new vulnerabilities was interesting and that solving these problems really did make the world a better place. Right now I feel like it’s similar to shooting down a massive drone attack with a single slingshot. You might get one or two but you certainly won’t stop the onslaught. Put your discussion comments below….

Once Upon a Security Data Fabric

The Security Data Fabric Shift Explained: Why Zscaler Paid $350M for Avalor And What It Means For The Security Industry (The Cybersecurity Pulse)
Palo Alto Networks - A Play For The Future (The Cyber Why)
The Next Era of Cyber Security Capabilities (The Cyber Why)

As we progress through 2024, large public cybersecurity behemoths are all triangulating to the next era of cybersecurity offerings. I’ve written about this topic several times over the last year, most recently in the abovementioned pieces. This week, Darwin Salazar wrote a great piece about ZScaler's acquisition of Avalor. His commentary echoes my views almost identically regarding the AI-backed cybersecurity future being painted by Palo Alto Networks, Crowdstrike, Cisco/Splunk, and now ZScaler. Large-scale, contextual, data-driven, AI-analyzed cybersecurity platforms are coming, and they will be glorious! Darwin did a great job summarizing the impact of the Avalor acquisition in the quote below. Read the original article for additional deep-thought specifics.

In the past couple of years, we’ve seen vendors double down on contextualizing security issues, because without context, everything is seemingly on fire all the time and security teams struggle with deciding what to prioritize. I’m a firm believer that Wiz has eaten much of PANWs market share due to their attack path analysis and other contextual features. Without data infra to support cross-pollination of data sources, it’s nearly impossible to add context to security issues. This is why the Avalor acquisition gives Zscaler an upper hand in the near-term.

Your Self-Help Corner of the Week

Stop Searching For Work/Life Balance- What’s Important Is To Be Present (Forbes)

I don’t usually include content around work/life balance, mental health, and recommendations on remaining present in a chaotic and busy world. However, when I do, I almost always get positive feedback from the audience. I wonder if the nature of what we do as cybersecurity people makes this type of discussion more difficult and simultaneously more needed. For this particular summary, it doesn’t matter why these kinds of articles resonate as long as you find a sliver of information you can learn from and hopefully improve with. The info-nugget I walked away with from this article was a potential reframing of the concept of work/life balance. The author is indirectly incepting the idea that attempting to balance your work and personal life may not be the best option for your mental health. It might be more of a function of remaining present in every moment that can bring happiness to the breadth of activities that must be accomplished on any given day.

Whether you need better balance or are learning the ability to be happy with the imbalance of your current life, this article provides a few ideas on how to achieve a better state of being. Enjoy and namasté!

Share

AI Generated Pure Trash TV

The Dystopian Future of TV Is AI-Generated Garbage (404 Media)

The en-shitification of television content has begun. I don’t know if this type of garbage qualifies as television anymore. After reading the article, I am not even convinced that television as a media will exist in even remotely the same way once AI has its way with the content. In a nutshell AI-generated content is beginning to take over the streaming media space and appears to be dumbing down the value while shooting out pure garbage in a volume attempt at success. Although, I have to admit I don’t think AI generated garbage content could get quite as bad as the latest season of Keeping Up With The Kardashians.. I mean that is pure trash TV and it’s “real”.

Quick Hits and Hidden Gems

• MGM Resorts sues FTC, agency chair over cyberattack investigation (Las Vegas Review-Journal) - MGM sued the FTC because the FTC commissioner was on MGM's property during the attack, making her a witness, not a prosecution leader. That just got spicey!

• You can't teach someone to swim when they're drowning (Resilient Cyber). Chris Hughes does it again with his take on secure by design and why it’s important “by the numbers.”

• Cisco debuts new AI-focused security system after $28 billion deal to buy Splunk (CNBC) - Cisco and Splunk team up to launch HyperShield. Their attempt to remain relevant in the new cyber-AI era. I’m not buying this one yet.

• Police take down $249-a-month global phishing service used by 2,000 hackers (CNN) - 2000+ hackers sign up for your illicit services, and the most you can get is 1.5M$. Sounds like bad business to me. Too much risk for not enough reward.

• Building platforms in cybersecurity: select playbooks for growing “best of suite” solutions (Venture in Security) - does it again. Great piece from Ross on build vs buy and other difficulties in platform building in Cyber.

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

Featured Sponsor - Traceable.AI

API Masterclass Episode 4 is LAUNCHED!

Do you love the idea of robbing a bank? Good news, you can, totally ethically. Join Traceable for the next live API Security Masterclass. We’ll cover an introduction to APIs, what kinds of vulnerabilities exist, how to find them, and how to test your own APIs. Whether you’re on the blue team and trying to understand threats, a hacker new to APIs, or a developer trying to better understand how your code can go wrong, these live classes will tell you everything you need to know. And don’t leave it on in the background, these are interactive sessions so you can get the most out of it! Join Episode 4 or go back to Episode 1 to get caught up!

Sisense Breach Fallout Will Be BIG!

Why CISA is Warning CISOs About a Breach at Sisense (Krebs on Security)
Matt Johansen Writeup on Sisense breach (Vulnerable U)
Sisense breach has CISA and everyone else panicking (Risky Biz News)

This one is going to be a big one. Krebs and others have done some detailed research on the massive security breach at Sisense. I didn’t know what Sisense was until I read about this breach, and after I heard what they did, the importance of the issue jumped. Sisense is a product and application business intelligence platform that allows you to make smarter decisions based on real data from your products. The attackers discovered cloud tokens, allowing them to access Sisense customer data, which included “millions of access tokens, email account passwords, and even SSL certificates.” The result of the attack is a massive compromise that may lead to the compromise of over 1000 customers’ downstream systems and applications. In short, this is a big one! It’s so big, in fact, that CISA themselves have begun reaching out to potentially compromised companies to facilitate cleanup and lower the risk of additional fallout.

If you use Sisense or have any upstream or downstream vendors that use Sisense, please ensure you read these details and respond as quickly as possible. You are at risk.

How Churn Destroys SaaS Models - OUCH!

Is SaaS Math Broken (OnlyCFOs)
The Margin Crush is Coming in 2024 (The Cyber Why)

As an adjunct professor at a major business school (Go Heels!), I stay very connected with business economics. This particular article is relevant not only for general SaaS behavioral knowledge but is specifically important for cybersecurity founders and investors to understand. As your customer acquisition costs (CAC) increase and your time to pay back those costs after you land a customer (CAC payback) gets longer, the unit economics of SaaS businesses break down. Add to that, the most frequent issue I’m seeing in cyber SaaS companies today - a massive increase in churn - and you have a recipe for disaster. In the next five years, AI will decrease the amount of time it takes to build newer, updated technologies, increasing churn and lengthening CAC Payback times for cyber SaaS solutions. This raises the real question: “What happens next?” If SaaS margins go down, churn goes up, and CAC Payback gets out of control, will there be enough efficiency gains in traditional SaaS business models to offset those impacts? Time will tell… in the meantime, go read this article and nerd out on metrics for a bit.

Is A Private + Public NVD a Good Idea?

NIST Proposes Public-Private Group to Help with NVD Backlog (Security Boulevard)

As we previously discussed in The Cyber Why, The National Institute of Standards and Technology (NIST) is facing severe challenges with its National Vulnerability Database (NVD) as it struggles to keep up with a surge in security vulnerabilities due to budget cuts and increased software vulnerabilities. Instead of adequately funding the problem, NIST is now proposing the creation of a public-private consortium to help tackle the backlog. This consortium would include stakeholders from industry, government, and other sectors to collaborate on improving the NVD's efficiency and coverage.

The situation at NIST and the NVD backlog is at a critical juncture. The NVD is an essential tool that informs threat intelligence and vulnerability management, helping to prioritize and mitigate potential threats. With the backlog growing, timely and reliable data becomes scarce, potentially exposing systems to unaddressed vulnerabilities. What concerns me the most is the potentially perverse incentive structures if a joint NIST and private sector effort were to happen. The private sector will always attempt to make a profit and bias the work effort to help them do so. Because of this, the results may not be as broadly suited to the improved security of the world. Instead, it may benefit a few companies that can successfully leverage a return on time and resource investment. I’ll be watching this one closely.

Are Cyber Catastrophes Meaningful?

Debunking NotPetya’s cyber catastrophe myth (Binding Hook)

What if the risk of a massive cyber attack or worm really wasn’t that massive? The author of this article draws comparisons of the most significant cyber catastrophes of all time against natural disasters and other massive financially impacting black swan incidents. I’m not 100% convinced of his logic as he attempts to normalize the dollar impacts of attacks, including NotPetya, The Morris Worm, SoBig, MyDoom, and others, against wars, famine, hurricanes, and other naturally occurring disasters.

I’m not sure what the analysis's benefit is other than to tell cybersecurity people not to take themselves so seriously. In the grand scheme of things, a massive cyber attack that impacts the majority of the world isn’t going to be important twenty years from now. The author says, “It’s just not big enough to matter.” As technology continues to embed itself into the day-to-day lives of society, the impact of disruption and attack will continue to increase in significance. When an attack takes down a hospital that impacts the life of a loved one, it’s going to matter to you, too! Let’s take this one to the notes section - I’d love to hear what you think of the author’s conclusions!

Share

Money Laundering in the Modern Age

How a Money Laundering Crew Allegedly Moved Millions Through FanDuel (404 Media)

It's not quite a “story #5”, but it's still an interesting departure from the standard attacks and defenses type of content. This article, while a little bit short on technical details and rightfully so, digs into a modern money laundering scheme using the latest online sports betting apps such as DraftKings and FanDuel. It’s a long-known fact that nefarious activities happen around casinos, and money laundering is one of them. Now that those casinos are prolific throughout the United States and online, I’m certain that we will see continued growth in these types of fraud-based attacks. Hackers go where the money is, and right now, the money is in and around the online betting systems. Give this one a read, and if you want to bet on these attacks' growth, hit me with a comment below <GRIN>.

Quick Hits and Hidden Gems

• The $100 cybersecurity budget – how cyber pros would spend it (CyberNews) - Might as well be $0, but the thought experiment is an exciting idea.

• The Security Path - New Book Announcement - I was interviewed by two great authors and participated in this fun, new book detailing how successful cyber notables got to where they are today. Use code “thecyberwhy” for a 40% discount when purchasing!

• OpenAI transcribed over a million hours of YouTube videos to train GPT-4 (The Verge) - We all knew they did it, but what does it mean to fair use and copyright legal precedent? Time will tell.

• LastPass: Hackers targeted employee in failed deepfake CEO call (Bleeping Computer) - We knew this was coming. Eventually, attackers will stop using weird comms channels, and this attack class will work like a charm.

• CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway (Palo Alto Networks) - A critical OS command injection vulnerability in the GlobalProtect Gateway of Palo Alto Networks PAN-OS software for specific versions. Patches coming soon!

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why

In this week's TCW, we cover a scathing cyber safety review board report lambasting Microsoft, AI’s impact on the impending elections, the long con that is the XZ Utils supply chain hack, NIST rewarding people entering the cyber field, and a cloud of magic security dust that solves all of your cyber theater issues! All this and more in this week’s edition of The Cyber Why!

Featured Sponsor - Material Security

Are you wasting your email security budget?

When every dollar counts, you want to make sure you make the most of what you get. You (hopefully) get funds for anti-phishing tools, but the threat landscape extends beyond the inbox.

With more sophisticated attack flavors at higher volumes than ever, email security must also encompass insider risk scenarios, account takeover protection, and data loss prevention.

See why Material Security is the preferred choice for organizations looking to protect more areas of their Microsoft 365 or Google Workspace footprint under a unified toolkit… and a single line item in the budget.

Visit Material Security

Microsoft's "Secure Future Initiative" Isn’t Looking So “Secure”

Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 (CISA)
Scathing federal report rips Microsoft for shoddy security, insincerity in response to Chinese hack (AP)

(Rick Pick) This week, the Cyber Safety Review Board released a scathing report regarding Microsoft's 2023 Exchange Online breach. Although we could dissect the 29-page report separately, here's an overview of the crucial points. A Chinese-based threat actor, Storm-0558, gained unfettered access to the email accounts of a broad range of victims across the US, UK, and beyond. The threat actor has ties back to 2009's Operation Aurora, targeting Google. The Board wrote:

"identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management."

Microsoft was disingenuous when it claimed that the actor gained access via a crash dump, no evidence was provided to support this.

"Microsoft has not identified a crash dump that contains the 2016 MSA key, or any other evidence of the key having been moved inappropriately."

It took six months for Microsoft to update its blog, and only after the Board's persistence. Most alarming, Microsoft is still unaware of how the threat actor gained access to the MSA key. The Board wrote:

"The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off."

The "Findings and Recommendations" section is a must-read for enterprises and vendors alike. One final note: vendors who live in glass houses shouldn't throw stones. Some folks who compete against Microsoft's cybersecurity products have been quick to judge. I'd look at the twenty-five recommendations and ensure my own house is in order, especially if you are a "platform" player that makes for an attractive target to nation-state actors.

Editor’s (Tyler) Note: Hot damn, this is a good take. We can all go a long way to improve before we start throwing stones at our opponents. Great write-up, Rick!

AI Will Play a Pivotal Role in U.S. Elections

China tests US voter fault lines and ramps AI content to boost its geopolitical interests (Microsoft blog)
Same targets, new playbooks: East Asia threat actors employ unique methods (Microsoft)
China will use AI to disrupt elections in the US, South Korea and India, Microsoft warns (The Guardian)

(Katie Pick) A new report from the Microsoft Threat Intelligence division says that the Chinese Communist Party (CCP)- and North Korean-affiliated actors are testing AI-aided techniques to influence elections in the U.S. and abroad. The research group has been looking into trends and indicators since June 2023. It states that these adversarial nation-state actors focus on the South Pacific Islands, regional Chinese adversaries, and the U.S. defense industrial base.

Interference in U.S. elections is always a hot topic, and it’s not unexpected that China (or other adversaries) would try to disrupt or influence the upcoming U.S. Presidential election. Mis- and disinformation are rampant around election time, and reports show that voters consuming information on specific social media platforms are likely to be swayed by malicious content.

With recent advancements in AI, threat actors can more easily create deep fakes, highly convincingly manipulated images and videos, and other AI-enhanced content. Microsoft previously released research on how the Chinese use generative AI to “create sleek, engaging visual content.” Now, says the tech firm, China is doubling down on publication.

Though social media platforms say they’ll do their part to identify, remove, and/or block maliciously manipulated content, only time will tell if they’re successful. Humans are prone to influence, and everybody loves a juicy story about their most hated presidential candidate. AI will make it harder to spot and stop the “fake news.”

XZ Utils, The Mother Of All Backdoors, Almost

Backdoor in upstream xz/liblzma leading to ssh server compromise (Andres Freund)
What we know about the xz Utils backdoor that almost infected the world (Ars Technica)
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind (WIRED)

This could be one of the most drama-filled stories of the year. A severe security breach recently occurred within the XZ Utils project, a popular data compression tool for Linux systems. Hackers cleverly embedded a backdoor into specific versions of the software. If exploited, this backdoor could provide attackers with complete remote control of vulnerable systems, allowing them to bypass authentication on servers using those compromised versions.

The incident reinforces the critical need for strict security measures in open-source projects and highlights the dangers of software supply chain attacks. Security experts are still working to identify the culprits behind the attack, with the latest theories centering on a foreign nation-state actor who has been executing a slow and low attack for years. In application security circles, it’s often discussed how easy it would be to spend a decade or more to build up a reputation as a conscientious contributor to open-source projects only to embed something nefarious years into the project. It seems like we weren’t the only ones considering this exact threat scenario.

A NICE Cybersecurity Workforce Development Program Aimed at Bringing New Talent to the Field

NIST Awards $3.6 Million for Community-Based Cybersecurity Workforce Development (NIST)

(Katie pick) On April 3, 2024, the National Institute of Standards and Technology (NIST) announced the 18 organizations to which it has pledged funding to help with cybersecurity workforce development and recruitment. The grants, of up to $200,000 each, were awarded to diverse education and community organizations across 15 U.S. states.

Anyone who has worked in the space knows about the legendary “talent shortage” faced by both private and public organizations. As companies’ rapid tech adoption fuels the need for increased security measures and governance, already-stretched security teams struggle to handle the amount of work on any given day.

The funding offered by NIST and delivered in collaboration with NICE will help train and educate individuals interested in cybersecurity careers. NIST is still accepting applications for future grants through Friday, May 24, 2024. Participants can learn more about the program on NIST’s website. A free informational webinar will be held on April 8, 2024 at 3 PM ET.

Share

Finally a Product That Solves Security Theater

Magic Security Dust™ from Shostack + Associates (Adam Shostack)

In a world where most of the products we purchase to help secure our environments are built on the backs of unicorn tears and fairy wishes, a product that fixes everything is finally launched. I announce to you - “MAGIC SECURITY DUST!” Just sprinkle a little on all of those broken products, procedures, policies, and even PEOPLE, and before you know it, your cyber security program turns from theater to reality! Check out this fantastic solution brought to you by the threat modeling expert himself, Adam Shostack. Date of launch: April 1, 2024!

Quick Hits and Hidden Gems

• RSA Conference Innovation Sandbox Contest Finalists Announced (RSAC) - If you are headed to RSAC, this is one of the best parts of the week.

• NIST Wants Help Digging Out of Its NVD Backlog (Dark Reading) - This follows a story we did on the latest TCW Podcast. NIST needs help!

• Themes From (And Beyond) Altitude Cyber's 2023 Cybersecurity Year In Review (Strategy of Security) - Themes from 13 years of cyber market research.

• On Tech Politics/Policy -- 2 hour video discussion () - Two hours on tech politics and policy with one of the leading tech luminaries.

• The OWASP Foundation disclosed a data breach that impacted some members due to a misconfiguration of an old Wiki web server. (Security Affairs) - It’s a nothing-burger of a story but still an interesting target that y’all care about!

If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!

Share The Cyber Why