The Cyber Why: What We Read This Week...
... and why you should too! (11/16/23)
I’m pumped! I’m jazzed! I’m excited beyond belief! After spending the start of this week learning from some great keynotes at the Forrester Security and Risk Summit, I’m excited to get back and write this week’s newsletter. Thanks for the inspiration!
This week in The Cyber Why, we look at cybersecurity estates vs. cybersecurity markets (which is the better analysis framework), the Clorox CISO gets bounced after a particularly nasty breach, a ransomware gang decides to report one of its victims to the SEC for lack of breach notification, the cybersecurity data and AI race heats up as MS takes aim at PANW, and Andy Greenberg pens a fascinating article on the authors of the Mirai botnet. All this and more in this week’s TCW!
Who's using AI tools in your organization? Find out with Nudge Security. After a quick one-time setup with your email provider, Nudge Security discovers and categorizes every SaaS and cloud account created by anyone in your org, including generative AI. No agents, browser plug-ins or network proxies required.
The best part? You don’t even have to know what apps you’re looking for and you’ll have a full inventory within minutes of starting a free trial. Get started
Cybersecurity Estates == Cyber Markets 2.0
The Cybersecurity Revolutions (Strategy of Security)
Security’s Fifth Estate: Predictions for 2023 (Rak’s Facts)
As a former Forrester analyst, I follow the cybersecurity industry closely. It’s in my DNA, it’s who I am, it’s what I like to do. It used to be a lot easier to pontificate and predict the future of the cybersecurity industry because it was so much smaller and the lines between different sub-markets were more crisply composed. You were an email security company, a network security company, an appsec security company… never the twain shall meet. Then everything went sideways. As the number of products and companies skyrocketed, marketers started intentionally blurring the lines between offerings to capture adjacent market share or confuse the buyers long enough to ensure they were brought in on every possible deal. Things got very frustrating for the CISO as they weren’t sure what technology to deploy to solve their ever-increasing plethora of cyber security threats and risks. I’ve been searching for a framework to use as a taxonomy ever since and may have finally stumbled across one in the work by Rak Garg, VC at Bain Capital, and the follow-up post from Cole Grolmus. Read these articles closely as the two authors help us understand the use of “cybersecurity estates” and how to leverage the concept when investing and buying new cybersecurity technologies.
Tl;dr the framework is a shorthand way of lumping numerous markets together via natural adjacencies and using the larger footprint of an estate to look for future unification and M&A trends.
Clorox CISO Departs After Major Breach
Clorox CISO flushes self after multimillion-dollar cyberattack (The Register)
I don’t usually elevate a single breach to top-five-articles-of-the-week status, but this one is worth breaking down for several reasons. Clorox CISO Amy Bogac is no longer with the firm after a systems compromise resulted in hundreds of millions of dollars of loss. Clorox first disclosed the breach in August, saying that some of its systems had been “temporarily impaired.” Another note filed with the SEC in September disclosed “wide-scale disruption” across the business. Next, Clorox’s fiscal 2024 earnings report filed at the start of this month noted a 20% drop in year-over-year Q1 net sales and also disclosed a $365 million decrease in revenue that they attributed to the cyberattack. And in what is the final piece of the “oh shit” story of the year, Clorox filed a report with the SEC stating that expenses related to the compromise for July-September cost them $24 million! Go out and get your latest batch of Clorox cleaning supplies soon. I don’t think this story is entirely done yet! OUCH!
ALPHV Laid Down The LAW (Literally)
Twitter post from Alexander Leslie with screenshots (@aejleslie)
Ransomware gang files SEC complaint over victim’s undisclosed breach (Bleeping Computer)
Let’s open with a twist of the lemon rind and throw a little zest into the cocktail! Ransomware gang ALPHV/BlackCat just decided to lay down the law, literally. After what we presume to be a successful breach, the attackers filed a U.S. Securities and Exchange Commission complaint against the alleged victim for not complying with the four-day rule to disclose a cyberattack. Well, ain’t that a slap in the face!
If you dig into the regulations in detail, you will find that filing such a complaint currently creates minimal risk for the business. Still, the idea is very inventive, and as the regulations become more enforceable over time, this technique will likely become a valid forcing function for ransom payment. While I obviously do not condone what the attackers did, I applaud them for developing a new tactic that others hadn’t considered. I would love to see a public SEC response to the submission to understand how they will be handling this in the future.
My Youth Explained - Sort Of….
The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story (Wired)
OpenAI blames DDoS attack for ongoing ChatGPT outage (TechCrunch)
I’ve always been fascinated by the background and history of people who have fallen into the dark side of hacking. I grew up in an era when hacking wasn’t illegal (it wasn’t even a term then), and I was lucky enough to have avoided the potential descent into the abyss. That’s not to say that I never did anything now considered illegal, but I always had enough moral compass to do the right thing overall and never had malicious intent. Because of this background, the psychology of the “why” concerning hackers fascinates me.
All that to say, this cover story in the latest Wired is amazing. The great Andy Greenberg spent the last three years interviewing and working closely with the authors of the Mirai botnet responsible for the takedown of the entire Internet on the United States East Coast. He delves into what drove three teens to build something so powerful that they could darken the Internet doorsteps of companies such as Netflix, PayPal, Twitter, Spotify, and Slack. Three self-taught hackers cut their teeth with DDoS techniques by targeting each other on Minecraft servers, eventually turning their sights on the Internet writ large. It’s a riveting story and well worth the read if you are interested in the psychology of hackers.
The Fight For Cyber Data Advances!
Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite (Microsoft Security Blog)
The stage is set for an epic battle between some of the world's largest cybersecurity businesses. Microsoft this week detailed how it plans to secure AI and use AI to secure the world’s enterprises. Microsoft has declared publicly that it will become a cybersecurity company in the most significant sense of the phrase. AI doesn’t operate without a massively large-scale data set, and Microsoft is currently one of the AI data collection market leaders. The blog underscores increasing cyberattack complexity, necessitating a shift away from traditional security tools. Microsoft's large-scale data collection (65 trillion daily signals) and new generative AI solution, Microsoft Security Copilot, are genuinely positioned to revolutionize cybersecurity. I am not going to go into all of the detail in the blog post and instead encourage you to review the content for yourself. Microsoft is clearly targeting Palo Alto Networks, CrowdStrike, and others in the emerging space of AI-backed cybersecurity. I’ve said it many times - whoever has the richest data set will become the dominant winner in the space, and Microsoft just shot a cannonball over the bow of the PANW pirate ship.
Quick Hits and Hidden Gems
Ransomware Mastermind Uncovered After Oversharing on Dark Web (Dark Reading) - OpSec is real, even for hackers!
OpenAI Dev Day — A New Era of Developer Productivity (Medium) - The most essential points for developers to come out of OpenAI Dev Day.
It's only been 11 hours since OpenAI Dev Day. (@linusekenstam) - 12 of the craziest things people have already built in the first 11 hours after OpenAI Dev Day.
Business & distribution model design for cybersecurity founders and startup leaders (Venture In Security) - Good, but be careful. There are a lot of traps in here. DM me if you want to dive deep into cyber GTM!
Denmark Hit With Largest Cyberattack on Record (Data Breach Today) - Oh no. Please give me some schnapps to wash this one down! This one is nation-state level!
My husband founded a startup. Then our marriage got weird. (Business Insider) - OK, I’m going to confess. This one had me tear up a little bit. Great piece!
Early warning signs a founder CEO is unable to transition to next level (WRAL Tech Wire) - I’ve seen most of these at one point or another in my career. Watch for these red flags!
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!