The Cyber Why: What We Read This Week...
... and why you should too! (7/27/24)
As I watch the opening ceremonies and early events of the Olympic games, I am struck by just how many countries and people there are in the world. I am in awe that almost 5,000 of you have opted in to receive our little slice of commentary every week. I appreciate each of you who follow our writing, and I want to say thank you for being along for the ride. We love you all! Now, onto the fun…
This week in The Cyber Why, we bring you a phenomenal cyber market research report from James Berthoty, discuss a unique remote work insider threat model, flash back to 2003 and learn about concentration risk and homogeneity, debate the WHY behind the G-Wiz break up, and for story number five, Southwest Airlines can dodge bullets. All this and more in this week’s TCW!

Get the most from your security team’s email alert budget
Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.
Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view.
More Evidence of Market Consolidation
WTF is Cloud Application Detection Response (Latio Tech James Berthoty)
I rarely read a report, especially one from an independent analyst, that nails a future prediction so directly on the head that you can’t help but know they are right. This piece by James Berthoty from Latio Tech is absolutely amazing. In addition to nailing the technical requirements for a product roll-up in application and cloud detection and response, he also manages to go from 7+ acronyms down to just one (THANK GOD!)

This report makes a very strong case that the following seven cyber markets should be rolled up into something more significant. They constitute a group of features and isolated products today and shouldn’t over the long term.
Application Detection Response (ADR)
Cloud Detection Response (CDR)
Kubernetes Detection Response (KDR)
Cloud Workload Protection Platform (CWPP)
Cloud Native Application Protection Platform (CNAPP)
Continuous Threat Exposure Management (CTEM)
API Security
As an industry, cybersecurity builds too many point products and not nearly enough groupings of features that make singular, powerful solutions. Cybersecurity has only existed for about 30 years (give or take). When an industry is young, solving very pointed problems and selling products that help customers solve unique issues makes sense. It’s a time of rapid innovation and expansion of new ideas. As markets mature, they group smaller, feature-sized products into platforms that deliver outsized value. Eventually, highly mature markets will consolidate into three dominant market participants.
We have entered the start of an era where cybersecurity must come to terms with a decrease in product counts and a simultaneous increase in customer value. The next decade of cybersecurity is going to be fun to watch as vendors broaden their technologies by acquisition and adjacent market consolidation.
The Hermit Kingdom Makes Headlines
North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (DOJ)
North Korean hacking group makes waves to gain Mandiant, FBI spotlight (Cyberscoop)
Incident Report Summary: Insider Threat (Knowbe4)
APT45: North Korea’s Digital Military Machine (Mandiant)
(Rick Pick) North Korea made headlines this week via a couple of stories. First, the Security Awareness Training company Knowbe4 released a blog discussing how they hired a remote software engineer who turned out to be a North Korean insider threat. The threat actor was a "real person using a valid but stolen US-based identity." Kudos to Knowbe4 for releasing this blog.
Next up, the Department of Justice indicted a North Korean, Rim Jong Hyok, for "his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers." North Korea has long funded its regime through cybercrime, and this case is another potential example. Hyok is a member of the threat actor group APT45. Mandiant also released a deep dive on the group here.
Editor’s Note: It’s crazy to me how easy it is to get an insider threat into US-based enterprises. This risk has only increased with the rise of remote work. This type of threat is real and very difficult to discover. Be vigilant out there, people! BTW: TIL what the Hermit Kingdom is!
CyberInsecurity: The Cost of Monopoly
What the Crowdstrike outage means for the security industry? (Frankly Speaking)
CyberInsecurity: The Cost of Monopoly (Dan Geer and others)
By now, everyone has heard of the global IT outage caused by a software update issued by the cyber security vendor Crowdstrike. The cyber and IT social media universe has been abuzz discussing how it happened, how to fix the issue so it doesn’t happen again, and what the long-term impact on the business world will be.
On the back of the fallout, the main concern that comes to my mind is not about hacks, updates, or technology failure - instead, it is the concept of homogeneity. When a system that carries a given level of risk is deployed uniformly across an entire section of an environment, the risk to that whole section increases. To state it in a “less nerdy” way, the risk of failure or compromise grows if you deploy the same software everywhere. Attackers love concentration risk. It gives them a higher level of potential compromise with less effort.
The Crowdstrike issue was exacerbated by concentration risk because, as of January 31, 2023, CrowdStrike had 23,019 subscription customers, a 41% increase year over year. They analyze over 30 billion endpoint events daily from millions of sensors across 176 countries. That’s a MASSIVE deployment size and a MASSIVE concentration risk. High concentration risk plus an automatic update system make for a perfect path to MASSIVE damage.
This problem reminds me of the 2003 paper written by Dan Geer et al. entitled “CyberInsecurity: The Cost of Monopoly.” I remember the time vividly as I was working with Dan at @stake when he published the paper for which he was famously fired. Looking back, it seems like he was right; he just had the wrong company in his line of sight. This seminal paper is a must-read. Go check it out!
Security Theater Continues with Wiz Rejecting Google Offer
Google Talks to Acquire Cybersecurity Startup Wiz Fall Apart (Wall Street Journal)
Google Talks to Buy Wiz for $23B Reportedly End (Bloomberg)
Wiz Rejects Google’s $23 Billion Offer, Seeks IPO Instead (FOO)
(Katie pick) By now, you’ve definitely heard the news: Wiz walked away from a $23 billion dollar acquisition offer from Alphabet (Google’s parent company) to focus on preparing for an IPO instead. The initial announcement about the intent to acquire shocked the security community, both because of the sheer financials thrown around in media publications and because the deal, had it gone through, would have drastically changed the cloud vendor security landscape.
This was never a typical acquisition proposal, so the “ifs” were abundant.
But what I find most interesting is the timing of the offer and the decline. Few founders would reject the kind of money offered. Even with all the funding raised ($1.9B USD to date), the multiples were off the charts, especially for a four-year-old company. But to reject that kind of deal so quickly indicates to me that some sort of security theater may have been at play. In other words, Wiz might never have had any intention of selling. The founders have been bullish on this topic from the start — their goal is to become the biggest security company of all time. So why allow the media to get into a frenzy? Why even let it get to the media if the Wiz team had already decided to stay solo?
The short answer: Press and media attention. Market attention. All right before filing for IPO. I suppose it’s no different than an NFL coach hyping up his team right before the “Big Game.” But is this what we need in cybersecurity? Wouldn’t it just be better to build products that are really really really good and save the drama for the Kardashians?
Editor’s Note: Do you think it was security theater, or were Google or Wiz spooked for some other reason? Comments below…
Southwest Airlines - Dodging Bullets, Baby!
A Windows version from 1992 is saving Southwest’s butt right now (Yahoo)
If this is true (it may not be), it’s absolutely NUTS. Southwest is the only airline that didn’t go down or suffer significant issues during the Crowdstrike debacle last week, and the reason is… get this… they still use Windows 95 and 3.11? I am not sure I believe the story, which is why I put it in as Story #5 this week, but if it’s true, they have a lot of work to do. Here’s a pic of Southwest Airlines when they learned they had dodged a bullet. (HT SuttonimpaQT)
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!