Open Source MFA, Layoffs, Krit, AWS Incident Response, & Product Led Growth Talk – ESW #287
In the Enterprise Security News this week: more layoff announcements than funding announcements! Krit acquired by GreyNoise, Incident Response in AWS is different, awesome open source projects for SecOps folks, Tyler Shields can't wait to talk about Product Led Growth, forcing open source maintainers to use MFA, Twilio - the breach that keeps on pwning, the US Government earmarks $15.6 BILLION for cybersecurity and we hear vendors salivating already, & more!
Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
- 1. FUNDING: Privado raises $14 million in Series A Funding to Embed Privacy in Software Development - $14M Series A led by Insight Partners and Sequoia India. Privado scans code repos for PII use and points out where private data is sent to third parties. An interesting take on the resurgence of data security startups we've seen; organizations definitely need a better handle on data flows and on responsibility for customer data.
- 2. FUNDING: BalkanID Closes $8.1 Million Seed Funding Round Amid Surging Demand for its Intelligent Access Governance Platform - An add-on round to BalkanID's seed, making the round larger than some Series A raises we see. From what I can tell, BalkanID discovers security issues within the spaghetti mess of permissions and access controls across all of a company's cloud and SaaS use.
- 3. ACQUISITIONS: Krit has been acquired by GreyNoise Intelligence - Krit was a well-known, but small cybersecurity product UI/UX consulting firm. GreyNoise needed product management and design help and has funding, so this acquihire made a lot of sense for them.
- 4. LAYOFFS: NSO lays off 100 employees, CEO Shalev Hulio to step down - NSO has a mess to work through. The CEO is stepping down again, the company is sanctioned in the US, and the company is viewed as quite the villain in the press. The word is that the company will be looking for a buyer.
- 5. LAYOFFS: Malwarebytes lays off 125 employees citing ‘strategic reorg’ – TechCrunch - Following the layoff trend, another endpoint security vendor tightens its belt.
- 6. LAYOFFS: Okta lays off US sourcing team - A sourcing team of 25 was let go. This is a fraction of a percent of Okta's total workforce, so nothing much to worry about for other employees or Okta customers.
- 7. LEARNING: Incident Response in AWS – Chris Farris
- 8. OPEN SOURCE: Kubernetes v1.25: Pod Security Admission Controller in Stable
- 9. OPEN SOURCE: The Elastic Container Project for Security Research - Quickly stand up a local, fully containerized Elastic Stack, complete with Kibana, Fleet, and Detection Engine!
- 10. OPEN SOURCE: Matano – The Open Source Security Lake Platform for AWS - Along with the Elastic Container Project for Security Research, we're seeing some amazing free security tools popping up lately!
- 11. TRENDS: To bring PLG to cybersecurity, let’s change our hiring habits - PLG = Product Led Growth. In short, PLG is all about building a product compelling enough that it becomes the primary driver of sales. It is typically accompanied by transparent pricing, a freemium tier, and self-service billing to reduce sales friction. Slack is a key example. In short, it's Tyler Shields' favorite term and you should get his opinion on this story ;)
- 12. TRENDS: The case for a SaaS bill of materials - As much as I hate the fact that the authors are trying to make "SaaSBOM" a thing, the article asks some excellent and pertinent questions about SBOMs and their SaaS equivalent.
- 13. TRENDS: Requiring MFA on popular gem maintainers – RubyGems Blog - The trend of requiring popular package maintainers on package repos to use MFA continues, as it becomes more and more common to see malicious code inserted into open source projects.
- 14. SUPPLY CHAIN: The Twilio Breach goes Deep - Twilio is the kind of 3rd party supply chain breach we've worried about for years - a one-to-many situation.
  1. The attackers spearphished some Twilio employees, stealing their credentials.
  2. The attackers hit Cloudflare, but failed due to the use of security keys.
  3. Signal users were targeted with data from the Twilio breach.
  4. 93 Authy users were affected; attackers attached devices to their accounts to hijack 2FA.
  5. DOORDASH was affected, with some customers' data exposed.
  6. Twilio claims only 176 customers were affected, but it seems clear the damage done goes much deeper than the numbers suggest (and might go much further than what's currently known to the public).
- 15. BREACHES: Notice of Recent Security Incident – The LastPass Blog - Big deal, or nothingburger?
- 16. INTEL: CISA Adds 10 new Known Actively Exploited Vulnerabilities to its Catalog - CISA has expanded its Known Exploited Vulnerabilities catalog yet again (and apparently we're using the KEV acronym now?). Notable additions include Apple operating systems, PEAR Archive_Tar, WebRTC, Grafana, CouchDB, and dotCMS. If you're not actively using this list of sure-to-get-you-hacked items to prioritize your vuln mgmt work, you probably should be.
- 17. FEDERAL: U.S. Government Spending $15.6 Billion on Cybersecurity - $15.6B isn't "staggering" when compared to the DoD budget (which is where most of this money is going), but compared to the entire cybersecurity industry's revenue, it's a TENTH of it. $2.9B of it is going to CISA, however, which is encouraging. CISA has been doing some great work over the past few years (some of which we're highlighting in the news today!). There's a good breakdown of where the money is going here: https://rollcall.com/2022/07/12/house-appropriators-back-over-15-6-billion-for-cybersecurity/
- 18. CAREERS: Almost No One Has Been Hired Through DHS’ Much-Hyped Cyber Talent Program - Wiz has hired nearly 250 employees in the last 6 months. I initially misread the subtitle of this story as "only 146 of the 150 person goal had been hired". The actual number hired is only FOUR. DHS hasn't been able to hire more than FOUR people through this program in the last 9-10 months? The original press release for this program had an ambitious title: "DHS Launches Innovative Hiring Program to Recruit and Retain World-Class Cyber Talent". What's wrong? I'm not sure... looking at some of these openings (e.g. https://www.usajobs.gov/job/672059700), the pay seems decent, many positions are remote, I don't see a CISSP requirement anywhere, and many openings require as little as 2 years of security experience. Maybe there's just too much competition for candidates with 3-5 years of experience? Maybe they didn't market it very well.
- 19. CAREERS: Senior-Level Women Leaders in Cybersecurity Form New Nonprofit - Starting as an informal group at the start of the pandemic, The Forte Group now has 90 members and is now a non-profit. The non-profit's mission is to "offer career assistance, advocacy, mentoring, and educational programs for women in the infosec and technology fields."
- 20. SQUIRREL: Walmart lists a 30TB portable SSD for $39. It is, naturally, a scam - The picture of janky, hot-glued micro-SD cards is worth the click alone.