Corelight Smart PCAPs, Shifting Left, Tenable AD Security, & Tube Vulns – ESW #237
In the Enterprise News, Armis identifies nine vulnerabilities in pneumatic tubes, Corelight introduces Smart PCAPs, SolarWinds disputes a lawsuit, Code42 and Rapid7 partner, and more news from this week at Black Hat 2021!
Announcements
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts

Adrian Sanabria
Director of Product Marketing at Valence Security
- 1. SentinelOne Unveils Storyline Active Response (STAR) To Transform XDR
  Struggling a bit through the word salad in this one also. This article is about "SentinelOne Storyline Active Response" (STAR), which is going to "transform XDR". Does that mean it isn't XDR? Is it supplemental? It integrates with SentinelOne's ActiveEDR. Replaces the need for manual and one-off EDR activities... by allowing customers to manually create automated rulesets? But then, SentinelOne's Singularity XDR platform is built on top of STAR, apparently. So EDR + STAR = XDR, sounds like. EDR pulls the data and performs the actions, while STAR enables practitioners to create detection rules and pair them with automated responses. Oh, no - STAR is actually one of a pile of XDR "power tools", so this is more like a module that plugs into Singularity XDR. They also have:
  - Extended Data Retention (which sounds more like extra hard drives, not a feature or tool)
  - Binary Vault (analyze new, unknown binaries - like WildFire or VirusTotal)
  - Remote Script Orchestration (collection of pre-made scripts for various stuff)
  - Cloud Funnel (redirect EDR data to a different tool)
- 2. NEW PRODUCT: Optiv Security Launches Next-Gen Managed XDR to Stop Threats Earlier in Attack Lifecycle, Minimize Business Impact
  The overall trend of XDR is strong, and as we've mentioned on previous episodes is evolutionary, not revolutionary. A somewhat newer trend, however, is XDR offerings from MSSPs and in general, MSSPs trying to move towards valuations that look more like software companies than services companies. This started with the move from MSSP (we'll keep it running) to MDR (we'll find the attackers) and now to XDR (we'll find the attackers better). SecureWorks built an XDR offering out of their Red Cloak EDR product, Arctic Wolf is being valued at software startup multiples, and Bishop Fox has taken funding from Forgepoint to create and market a subscription product. The big question is: can they do a better job of running security than we can? Should we welcome this change? Optiv is using Devo as the back end for its XDR product, which also begs the question: when a reseller gets into the software/ARR game, is it going to hurt their relationship with competing products that they sell? How does SentinelOne feel about Optiv's XDR offering? Also, get a load of this word soup and what it takes to make a qualifying statement that's unique in this insanely crowded market: "Optiv MXDR is the only managed cloud-based, next-gen advanced threat detection and response service that ingests data across various layers of technologies to correlate, normalize, enrich, and enable automated responses to malicious activity in real-time"
- 3. FUNDING: DNSFilter Raises $30 Million in Series A Funding
  $30m Series A is healthy, especially with names like Dmitri Alperovitch attached to it. It's apparently using a number of different methods, including AI, to determine if a DNS entry is malicious or not. If it's a website, they do image analysis on it, like PIXM. They analyze the website content. They look at where the IP is hosted, who owns the domain, age of domain, etc. Some of that isn't new, some of it is, but a DNS firewall still seems like an approach worth investing in. At least, as long as it doesn't impact performance or run into too many false positives. Also, through this article, I learned that GCHQ's National Cyber Security Centre runs something called "Active Cyber Defence", or ACD. The idea is that they'll run secure services for the whole nation (including secure DNS), but it's only available to government institutions so far. Read more about ACD here: https://www.securityweek.com/inside-uks-active-cyber-defense-program
- 4. FUNDING: Bug Bounty and VDP Platform YesWeHack Raises $18.8 Million
  YesWeHack isn't new; it's a bug bounty platform provider that has actually been around for a while. Because it caters specifically to Europe and European challenges (researcher residency) and constraints (GDPR), we don't hear about it as much over here in the US. The $18.8m raise is a Series B, which sounds about right for this market. I'm still not sure if the jury is in on whether these platforms can be profitable or how to value them properly. We haven't seen an exit in this market and I'm not even sure what an exit would look like - I've struggled to imagine who an acquirer might be.
- 5. FUNDING: Cyber Risk Management Firm Safe Security Raises $33 Million
  This one is yet another scorecard vendor - the 7th on my list so far. The interesting bit here is that BT Group led the round, which got them exclusive rights to resell it.
- 6. LEADING THOUGHTS: The Presenting Vendor Paradox
  Daniel Miessler always has good pieces to make you think, and this one is no exception. Talk content is often full of boring stuff from vendors, and people generally want better content. The paradox lies in that a lot of the best experts that you want to hear from work for vendors. TL;DR here, in my opinion, is that the problem isn't vendors giving talks, it's vendors giving BAD talks. It's not so much a vendor issue as a quality issue. Personally, I've probably seen more crappy talks given by non-vendors than vendors, and this is always a challenge for event planners - how do you pick the best talks based on a 350-word abstract?
- 7. Robo-Lawyer Valued at $210 Million With Backing From Andreessen
- 8. FUNDING: Managed cybersecurity startup SolCyber emerges from stealth with $20M
  SolCyber was founded by ForgePoint and was kicked off with a $20M round. They're an MSSP and seem like they're aimed squarely at some of that giant Arctic Wolf valuation!