- 1. FUNDING: Privado raises $14 million in Series A Funding to Embed Privacy in Software Development
$14M Series A led by Insight Partners and Sequoia India. Privado scans code repos for PII use and points out where private data is sent to third parties. An interesting take on the resurgence of data security startups we've seen; organizations definitely need a better handle on data flows and responsibility for customer data.
- 2. FUNDING: BalkanID Closes $8.1 Million Seed Funding Round Amid Surging Demand for its Intelligent Access Governance Platform
An add-on round to BalkanID's seed, making the round larger than some Series A raises we see. From what I can tell, BalkanID discovers security issues within the spaghetti mess of permissions and access controls across all of a company's cloud and SaaS use.
- 3. ACQUISITIONS: Krit has been acquired by GreyNoise Intelligence
Krit was a well-known, but small cybersecurity product UI/UX consulting firm. GreyNoise needed product management and design help and has funding, so this acquihire made a lot of sense for them.
- 4. LAYOFFS: NSO lays off 100 employees, CEO Shalev Hulio to step down
NSO has a mess to work through. The CEO is stepping down again, the company is sanctioned in the US, and the company is viewed as quite the villain in the press. The word is that the company will be looking for a buyer.
- 5. LAYOFFS: Malwarebytes lays off 125 employees citing ‘strategic reorg’ – TechCrunch
Following the layoff trend, another Endpoint Security vendor tightens its belt.
- 6. LAYOFFS: Okta lays off US sourcing team
A sourcing team of 25 was let go. This is a fraction of a percent of Okta's total workforce, so nothing much to worry about for other employees or Okta customers.
- 7. LEARNING: Incident Response in AWS – Chris Farris
- 8. OPEN SOURCE: Kubernetes v1.25: Pod Security Admission Controller in Stable
- 9. OPEN SOURCE: The Elastic Container Project for Security Research
Quickly stand up a local, fully containerized Elastic Stack, complete with Kibana, Fleet, and Detection Engine!
- 10. OPEN SOURCE: Matano – The Open Source Security Lake Platform for AWS
Along with the Elastic Container Project for Security Research, we're seeing some amazing free security tools popping up lately!
- 11. TRENDS: To bring PLG to cybersecurity, let’s change our hiring habits
PLG = Product Led Growth. In short, PLG is all about focusing on building a product compelling enough that it becomes the primary driver of sales. Typically accompanied by transparent pricing, a freemium tier, and self-service billing, to reduce sales friction. Slack is a key example.
In short, it's Tyler Shields' favorite term and you should get his opinion on this story ;)
- 12. TRENDS: The case for a SaaS bill of materials
As much as I hate the fact that the authors are trying to make "SaaSBOM" a thing, the article asks some excellent and pertinent questions about SBOMs and their SaaS equivalent.
- 13. TRENDS: Requiring MFA on popular gem maintainers – RubyGems Blog
The trend of requiring popular package maintainers on package repos to use MFA continues, as it becomes more and more common to see malicious code inserted into open source projects.
- 14. SUPPLY CHAIN: The Twilio Breach goes Deep
Twilio is the kind of third-party supply chain breach we've worried about for years - a one-to-many situation.
1. The attackers spearphish some Twilio employees, stealing their credentials
2. The attackers hit Cloudflare as well, but failed because of its use of security keys
3. Signal users were targeted with data from the Twilio breach
4. 93 Authy users affected; attackers attached devices to their accounts to hijack 2FA
5. DOORDASH was affected, with some customers' data exposed
6. Twilio claims only 176 customers were affected, but it seems clear the damage done goes much deeper than the numbers suggest (and might go much further than what's currently known to the public)
- 15. BREACHES: Notice of Recent Security Incident – The LastPass Blog
Big deal, or nothingburger?
- 16. INTEL: CISA Adds 10 new Known Actively Exploited Vulnerabilities to its Catalog
CISA has expanded its known exploited vulnerabilities catalog yet again (and apparently we're using the KEV acronym now?). Notable additions include Apple operating systems, PEAR Archive_Tar, WebRTC, Grafana, CouchDB, and dotCMS.
If you're not actively using this list of sure-to-get-you-hacked items to prioritize your vuln mgmt work, you probably should be.
- 17. FEDERAL: U.S. Government Spending $15.6 Billion on Cybersecurity
$15.6B isn't "staggering" when compared to the DoD budget (which is where most of this money is going), but compared to the entire cybersecurity industry's revenue - it's a TENTH of it.
$2.9B of it is going to CISA, however, which is encouraging. CISA has been doing some great work over the past few years (some of which we're highlighting in the news today!)
There's a good breakdown of where the money is going here: https://rollcall.com/2022/07/12/house-appropriators-back-over-15-6-billion-for-cybersecurity/
- 18. CAREERS: Almost No One Has Been Hired Through DHS’ Much-Hyped Cyber Talent Program
Wiz has hired nearly 250 employees in the last 6 months. I initially misread the subtitle of this story as "only 146 of the 150 person goal had been hired". The actual number hired is only FOUR. DHS hasn't been able to hire more than FOUR people through this program in the last 9-10 months?
The original press release for this program had an ambitious title: "DHS Launches Innovative Hiring Program to Recruit and Retain World-Class Cyber Talent"
What's wrong? I'm not sure... looking at some of these openings (e.g. https://www.usajobs.gov/job/672059700), the pay seems decent, many positions are remote, I don't see a CISSP requirement anywhere and many openings require as little as 2 years of security experience. Maybe there's just too much competition for candidates with 3-5 years of experience? Maybe they didn't market it very well.
- 19. CAREERS: Senior-Level Women Leaders in Cybersecurity Form New Nonprofit
Starting as an informal group at the start of the pandemic, The Forte Group now has 90 members and has become a non-profit. The non-profit's mission is to "offer career assistance, advocacy, mentoring, and educational programs for women in the infosec and technology fields."
- 20. SQUIRREL: Walmart lists a 30TB portable SSD for $39. It is, naturally, a scam
The picture of janky, hot-glued micro-SD cards is worth the click alone.