New Startups From Stealth, It’s Not Matt Damon’s Fault, Merck Wins, & Pearson Fined – ESW #258

Hunters picks up a $68M Series C, led by Stripes. Hunters is an XDR play, which can be a vague term at times. The core focus of XDR is to make it easier to detect and respond to malicious activity - relying less on dozens of SOC analysts to sort things out. This is a very hot market segment - Hunters' last round came only 5 months ago, in late August 2021.

$55M series B was led by Sageview Capital and included Series A investor Forgepoint Capital. Anitian is part of a growing market segment focused on making it easier to achieve and maintain compliance in the cloud.

Both a GA announcement and a Series A ($13M) announcement in one. It's tough to find anything novel in this press release, as "Next Generation SOAR Solution to Automate SOCs" isn't exactly revolutionary. There are plenty of products automating security badly in the SOC, so the more attempts there are to get it right, the better the chances of someone getting it right, right? RIGHT? Series A funding comes via ClearSky, Crosslink Capital, and Rally Ventures

Polar comes out of stealth with$8.5M in seed funding. One of many startups we've seen recently, focused on discovering, analyzing and tracking company data on systems. It doesn't look like this product aims to compete with Digital Shadows or Terbium Labs (looking for proprietary company data across the entire public Internet is a huge undertaking). Rather it seems to focus on unmapped or unorganized data within the known bounds of corporate cloud accounts. One of the cofounders, Dov Yoran, also co-founded ThreatGRID (acquired by Cisco in 2014), and is Tenable's CEO, Amit Yoran's brother.

Additional funding brings ArmorCode's funding to $11m. ArmorCode does "Application Security Posture Management" (not to be confused with CSPM, I guess) Centralizes findings from SAST, DAST, and SCA tools (so, like a Kenna Security, but just for appsec?) So... vulnerability prioritization and management.

Additional seed funding brings the seed total to $10M for CodeSee. While not a pure-play security startup, building interactive code diagrams could possibly help appsec folks understand code and perform better code audits.

!! -> This is technology M&A deal number 81 that MSSP Alert and sister site ChannelE2E have covered so far in 2022. Fusion Connect has managed security services, but they seem complementary to the company's heavier managed IT focus. Disclosure: MSSPAlert is a CRA sister company.

IPG makes IoT security products. Cloudastructure does video surveillance. There's a long history of surveillance cameras getting hacked and enlisted into botnet armies (Mirai is still around). The combo makes sense.

Smart surveillance cameras attempting to detect humans IN trouble or CAUSING trouble. Without biases. I guess we'll see how they do once they start getting used at scale...

A no-frills security bug alerting service.

A small, but important contribution to supply chain and open source security, updated Scorecards in GitHub will make it possible for developers to automatically detect risky code choices and configurations.

"Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies." Not the biggest crypto exchange hack, but still pretty sizable. Good that Crypto.com is covering the losses (unlike exchanges in the past), but it's not the kind of losses they'll want to cover on a regular basis. Apparently 2FA either wasn't required for some users, or wasn't working? The company apparently reset 2FA for all users, migrated to an entirely new 2FA product, and are now enforcing 2FA for all customer and employee access to systems involved in transactions and withdrawals. The company is also implementing a quarter million dollar guarantee against losses for qualified users. It's not the FDIC, but better than nothing. We can only assume Matt Damon approves of these new security measures.

We're starting to see legal precedents get set for (pseudo) self-driving cars. In this case, it's a question of who is at fault - the auto manufacturer, or the individual behind the wheel (even if they aren't actively driving). Why include it here? It seems possible that we could see an "it wasn't me, I was hacked" defense at some point in the future. We've already seen CISOs held personally liable in some situations, so this leads to some interesting discussions of liability for integrated systems, IoT devices, and industrial computing scenarios.

Court rules against the insurance company that refused Merck's claim, on the basis that the NotPetya attack was NOT an "act of war". Good news: there's now one less BS reason for insurance companies to deny your cyberinsurance claim. Bad news: there's now one MORE reason for your rates to go up even more.

Widespread fraud campaigns targeting bank customers via SMS and email led to some big policy changes. With the likes of Google and Salesforce making 2FA mandatory, it looks like the path has been paved for smaller companies to start requiring and enforcing strong (not SMS-based) MFA across all customers.

The Federal Reserve released its study on formally adopting a digital currency, though it isn't discussing any decisions or future plans at this point. New acronym you might see floating around: CBDC (Central Bank Digital Currency).

A very interesting precedent here. Pearson is the company many folks likely know as the destination for the majority of their money in college (aside from tuition). The SEC slapped them with a $1M fine for downplaying a data breach in 2018, where attackers gained access to 13,000 Pearson accounts. Don't get too excited about the fine. $1M is around two thousandths of a percent (0.000229%) of Pearson's $4.4B annual revenue.

"The Securities and Exchange Commission is exploring ways to improve cybersecurity in capital markets, including by extending compliance obligations to companies that currently don’t have to meet them, Chairman Gary Gensler said Monday" That's quite an opener! Then we get this quote from Mr. Gensler, "The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars", and the initial statement becomes harder to take seriously. There's some broad misinformation flying around about actual cybercrime damages, overinflating amounts to preposterous levels. All the same, this is a serious topic, but digging into the article reveals that they're *playing* with the idea of requiring a very small handful of large financial firms to start adhering to more stringent cybersecurity regulations.

Okay, whatever, Google, let us know when it leaves the labs.

Shake up indeed - it wasn't too long ago that we were scratching our heads and trying to figure out the roles of Peiter Zatko (aka Mudge) and Rinki Sethi. Now, the new Twitter CEO, Parag Agrawal, has apparently dismissed them. This is far from the only change Agrawal has made - more just the latest step in a broad executive leadership shakeup. Lea Kissner, the head of privacy engineering will step up to the CISO role on an interim basis. Yikes, that's a slight job change. No pressure!

The latest from Phil Venables (and already covered by Application Security Weekly on Monday), this is an excellent read that digs into some nitty-gritty details on how modern attacks occur. At the same time, it discusses successful strategic perspectives that have resulted in positive security outcomes. TL;DR - focus narrowly on wins that net big improvements. Be relentless about sticking to routines and practices. In a health metaphor, "diet and exercise really gets results".

Following up on Theranos discussions we've had in the past, this post discusses the nuances of the "fake it 'till you make it" startup culture. The solution for problems borne of overpromising and underdelivering, of course, is also nuanced and isn't as simple as implementing brutal honesty as a corporate value. This very much applies to infosec, as it's often difficult to measure the value of security products. How do we know they have any value at all? It's a worrying problem in cybersecurity.

In the same vein as the Phil Venables piece, this is an excellent deep dive into DevOps Metrics, what they mean, and how to use them. "But this isn't security." Understanding DevOps workflows is key to understanding what security products, processes, and tools are likely to work, or fail completely in these environments.

If you're reading this title and loudly thinking, "TO GET THEIR FREAKING WORK DONE", you're right. That's basically it. However, before you move on, there is some interesting detail in the research around how, by breaking policies to get work done, employees are more likely to fall for BEC scams and other social engineering attacks. One lesson that can be taken away here is that bad security policies don't just hurt productivity, they make the organization less secure!