ESW #289 – Jonathan Roizin
This week, Jonathan Roizin from Flow Security joins to discuss what this new security category is all about and how it differs from the OG, false positive heavy DLP we'd all rather forget! Data Security Posture Management (DSPM) is not your dad's DLP. This new category has emerged to tackle one of the toughest areas of security: protecting data. Then, Based on what we know so far (which is limited and could change), the Uber breach appears to be a classic example of how penetration testers and criminals alike break into large organizations. In this segment, we'll discuss how the attack happened. We'll go over the controls that failed, why they failed, and what Uber could have done to prevent or detect this attack. Then, in the Enterprise Security News, Fortanix raises a $90 series C for data security, Cyrebro raises a $40M series C for MSSP SOC solutions, Dig Security raises a $34M series A (yes, this is a repeat from last week, but we didn’t get a chance to talk about it), Internet 2.0 gets funded??? (probably not what you think), How to hire and build your cybersecurity team, The NSA gives some bad advice on securing software, Courtroom Drama, & Oracle makes a really bad whoopsie!
Flow's blog post - "5 Key Takeaways About DSPM From the Gartner® Hype Cycle™ For Data Security, 2022":
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
1. Understanding DSPM: Data Security Revisited! – Jonathan Roizin – ESW #289
Data Security Posture Management (DSPM) is not your dad's DLP. This new category has emerged to tackle one of the toughest areas of security: protecting data. Today, Jonathan Roizin from Flow Security helps us understand what this new security category is all about and how it differs from the OG, false positive heavy DLP we'd all rather forget.
Flow's blog post - "5 Key Takeaways About DSPM From the Gartner® Hype Cycle™ For Data Security, 2022":
Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!
Jonathan Roizin is the CEO and co-founder of Flow Security. He is a cybersecurity expert with 15 years of experience total. Jonathan is a seasoned entrepreneur, founding both Flow Security and mobile app Founder. Prior to founding both companies, Jonathan served as a team leader with Sygnia (acquired by Temasek), where he led cyber investigations for Fortune 500 companies. Jonathan’s cybersecurity experience ranges from vulnerability assessment and host-based forensics to big-data analysis and Linux internals. He also has more than five years of experience with full-stack development, back-end, front-end and mobile. Jonathan began his career as an officer in the IDF’s elite 8200 intelligence unit.
2. How The Uber Breach Went Down – ESW #289
Based on what we know so far (which is limited and could change), the Uber breach appears to be a classic example of how penetration testers and criminals alike break into large organizations. In this segment, we'll discuss how the attack happened. We'll go over the controls that failed, why they failed, and what Uber could have done to prevent or detect this attack.
For those listening live, questions are welcome!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
3. Oracle Whoopsie, Internet 2.0 Funded, Fortanix Series C, & Dig Security – ESW #289
In the Enterprise Security News, Fortanix raises a $90 series C for data security, Cyrebro raises a $40M series C for MSSP SOC solutions, Dig Security raises a $34M series A (yes, this is a repeat from last week, but we didn’t get a chance to talk about it), Internet 2.0 gets funded??? (probably not what you think), How to hire and build your cybersecurity team, The NSA gives some bad advice on securing software, Courtroom Drama, & Oracle makes a really bad whoopsie!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. VALUATIONS: The Complete List Of Unicorn CompaniesIn the first half of 2022, the market added 12 new cybersecurity unicorns, bringing the total to roughly 50. In the first 3 months of the second half... Nothing. Anyone who has followed our show or the financial news understands why, but I felt the need to check in on the unicorn stables and make sure I hadn't missed anything.
- 2. FUNDING: Data Security Firm Fortanix Raises $90M Series C$90M Series C, led by Goldman Sachs. Fortanix appears to be doing mostly data-at-rest, but also does tokenization. Seems that compliance and privacy regs are their customers' key use cases.
- 3. FUNDING: CYREBRO Raises $40M Series C Funding for the World’s First Cloud-Based Security Operations Center Infrastructure$40M Series C, led by Koch Disruptive Technologies (Koch bros, I assume?). Is software created specifically for managed service providers a new category? I've seen a few companies that specialize in making SOC software and selling to MSSPs, and wonder how these products might differ from selling to an in-house SOC. Multi-tenancy would be a priority of course - keeping customer data separate...
- 4. FUNDING: Dig Security raises $34 million Series A to deliver real-time data security for the cloud$34M Series A led by SignalFire. "Dig uses a comprehensive threat model for cloud data attacks that detects, analyzes and instantly responds to cloud data threats to minimize business impact and damage with an average mean-time-to-detection (MTTD) of less than a minute." Huh? They're calling this Data Detection and Response, but honestly, they look VERY similar to other DSPM solutions. At least, until you get to the response bit. Like other DSPMs, they're going through the data discovery and classification process. Where the startups diverge is on the next step - some seem to focus on policy enforcement, while dig is suggesting it will detect and prevent attacks in near real time. This wouldn't be possible if they're depending on event logging - CloudTrail has a hard 10 minute delay that you can't really get around. The only other option would be placing themselves directly in-line with data flows, like an IPS or NDR appliance.
- 5. FUNDING: SecurityPal Emerges from Stealth with $21M to End the Dreaded Security Review$21M Series A led by Craft Ventures, and with Martin Casado of A16Z also participating. SecurityPal's niche appears to be outsourcing completing security questionnaires to get sales deals closed more quickly. It seems to me that what folks really want (judging from the RSA talks I went to this year) is to reduce or even eliminate the questionnaire. There's no shortage of companies trying to make it easier to manage a SIG Lite though: RFPio, Loopio, VISO Trust, CyberGRX...
- 6. FUNDING: Theom Raises 16 Million"Oversubscribed" $16.4M seed round led by Ridge Ventures. "Theom is pioneering a new method of securing data in the cloud and SaaS data stores by ensuring that protection always follows the asset, adapting the security as environments change." To quote GTA V, "Aw shit, here we go again." The data security market is well and truly alive again. We're starting to see more and more shades of cloud data security. It has _always_ been possible to do what Theom is proposing, but the challenge has always been the complexity, friction, and usability tradeoff. Data is no good to a business if it can't be used, and locking down access too tightly could have more of a negative impact on the business than a breach would!
- 7. FUNDING: Ellerston, Bondi’s 1941 Fund backs cyber group Internet 2.0$5M seed led by Ellerston Capital and Bondi Partners. Australian-based Internet 2.0 provides "Military Grade Cyber Protection". *sigh* It looks like their actual product is a "clean Internet as a service" type solution, but it appears they ship some sort of physical or virtual appliance, rather than go the purely route-based approach like Zscaler or Cato Networks. But let's touch a bit on the branding. So, the terms Web 3.0 and Web 2.5 are already a thing. Internet2 has been a thing since at least the mid-1990s. Where does someone arrive at the idea that Internet 2.0 would be a good name for a company? What's the website? It's internet2 DASH 0 dot com. Yeah, it's not ideal.
- 8. FUNDING: Fidelis Cybersecurity Secures Significant Additional Growth Investment From Runway Growth Capital and Skyview CapitalFidelis has a bit of an odd history. It has been around since 2002, and for a while was owned by DoD contractor General Dynamics (2012-2015). In most of its early days, it sold XPS, an NDR product if memory serves, with a DLP component to detect data exfil. When I covered it as an industry analyst at 451 Research, it had also entered the EDR space. Marlin Equity acquired it in 2015, and brokered an acquisition of Resolution1 (<$50M), Access Data's own endpoint security solution (split out from AD's Forensics Software business). Later, in 2018, it acquired the deception vendor TopSpin. I suspect most of its customers are still large government entities, which is why we seem to only hear about it when there's an acquisition or fundraising event.
- 9. ACQUISITIONS: Newfold Digital Signs Agreement to Acquire MarkMonitor from ClarivateI almost didn't include this, because MarkMonitor is on the fringes of what you could call a "security vendor", but it is often tossed into the Digital Reputation Management ring along with folks like ZeroFox and RiskIQ.
- 10. ACQUISITIONS: Cloud Security Buy: Plurilock Completes CloudCodes Acquisition – MSSP Alert
- 11. ACQUISITIONS: CrowdStrike to Acquire Reposify to Bolster Visibility and Reduce Risk Exposure of External Assets
- 12. ACQUISITIONS: Vista Equity Makes Offer for Software Security Firm KnowBe4KnowBe4 didn't go the SPAC route, so it's better off than other vendors that went public around the same time (ahem QOMPLX ahem). Still, it hasn't been a great performer and has received a $4.22B ($24/share) take private offer from Vista Equity.
- 13. ACQUISITIONS: Devo Technology Delivers Industry’s First Comprehensive Cloud-Native Platform for the SOC with Acquisition of Next-Gen SOAR Provider LogicHub – Devo.com
- 14. TRENDS: Your digital HQ just got better with Slack canvas
- 15. LEADERSHIP: How to hire and build your cybersecurity team
- 16. HOT TAKES: Securing the Supply Chain of Nothing"Kelly Shortridge just casually slinging wisdom bombs all over the place again." -- Allan Alford This is Kelly's rebuttal to the recently released, NSA-backed guide on "Securing the Software Supply Chain". She sums up her thoughts in ten objections: 1. Slowing down software delivery does not help security, it hurts it 2. There is an underlying paradox (the “Thinking Machine” paradox) 3. Most enterprises have no chance of implementing this 4. Most enterprises will not want to implement this 5. Security vendor bolt-on solutions are overemphasized 6. Relevant security and infrastructure innovation is omitted 7. Inaccuracies about software delivery practices and basic terminology 8. Confusing, contradictory messages from the authoring agencies 9. Omission of second order effects and underlying causal factors 10. Dangerous absolution of security vendors’ own software security
- 17. COURTROOM DRAMA: Uber Boss Testifies He ‘Could Not Trust’ Ex-Security Chief
- 18. WHOOPSIE: AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes