Palo Alto Goes IoT, Numbers Lose Their Meaning, BitSight, & Colossal Mammoths – ESW #242

The sun's getting real low, guys. Maybe time to start thinking about an exit. This is a Series F on one of the most unique startups I've seen in a while. I spent some time with them when they were going for more of an endpoint security angle, after which they pivoted into a directory services play with benefits. Speculating as to who could be an acquirer here is an interesting exercise. An acquisition by an IdP/IAM/SSO provider could be interesting, but I'm not sure anyone could even afford it without getting a PE player involved. Who else might want to acquire a potential AD replacement? Someone with a UDM offering like VMware? Or someone who has dipped their toes into these waters like Okta or AWS? I honestly don't know, but it's fun to speculate.

Maybe this is a Series A? I couldn't tell. I would have thought D3 would have raised more than this by now. It seems like they've been around a while. Maybe they were bootstrapped in the early days? Looks like they were founded in 2003. There's definitely a deeper story here I'm missing...

"The platform automatically finds all APIs involved with an organization and maintains a complete inventory, generating missing documentation for previously unknown APIs." <-- Quite a statement!

Actually, this is funding AND an acquisition. It's nearly two acquisitions, as the $250m round gives Moody's a significant stake in BitSight. And the acquisition is... yet another cyber risk scoring startup?

You know that Drake meme? When I hear a company say they're using AI to automate someone out of a job, or to solve a problem, I'm like the first Drake. When someone says, "yeah, we're just going to sort some of the busy work", I'm like the second Drake. This one is in the second category.

I'm sorry, WHAT? Run those numbers by me again?

This looks like an acute case of buzzword abuse. I'm not seeing anything Zero Trust related here - this looks like a RASP, or WAP-related play. I'm sure Tyler will know more, given his background in this market.

I'm not sure how the pure play NDR space is doing, but this seems like a solid Series D for this market. Corelight is a particularly performance and scale-focused NDR product that leverages Zeek (fka Bro).

"Majority investment"

An interesting acquisition, to be sure. FireMon has positioned itself as the single pane of glass for all your firewall and network policy management. Now it is also positioned as the single pane of glass for cloud and SASE as well. DisruptOps is certainly positioned to help it do that, as it not only gives visibility into cloud configuration and policy, but the ability to automatically enforce guardrails as well.

Ever-expanding its capabilities, Tenable picked up a company that can check all your YAMLs for security issues. I can see the need for it - the number of tweets I see complaining about YAML syntax frustrations has increased a lot in the last year.

Insurance companies and consulting firms are buying up cybersecurity businesses, so sure, why not a credit scoring agency?

If you're an insurance company or consulting firm without your own internal Mandiant, what are you even doing these days? Get with it!

Founder of Snort and Sourcefire, Martin Roesch joins Netography along with Dan Murphy. I got the impression that Roesch and the Sourcefire team really brought proper security credibility to Cisco and built what is now a proper security business group that has been joined by a number of other big acquisitions, most notably, Duo Security. We'll all be paying a bit closer attention to Netography from now on, that's for sure.

Palo Alto has brought on Barracuda's CEO, BJ Jenkins, to help them boost their channel sales.

The power of standards or regulation to choose winners and losers in the markets is not to be underestimated. Just look at the impact the PCI DSS had on the security market. If you're doing marketing for a vendor, it's okay, I get it. You're going to respond with feedback. If you're NOT a vendor, please, even out these responses with an enterprise perspective, so that this doesn't turn into a glorified invitation for cybersecurity product lobbying.

Modeled after GDPR, the Personal Information Protection Law (PIPL) mostly applies to companies aiming to sell products or services to folks located within China. NOTE: there's some fine print here and I'm not a lawyer. Should we be embarrassed that a state requiring its citizens to install malware passed federal privacy regulation before the US? I'll let you decide.

I knew GDPR fines were being levied, but never knew the details until now. It's interesting to see how many smaller fines there are, against smaller businesses.

This is an interesting one. It's not just Palo Alto entering the consumer market, though it is that. This is also Palo Alto _connecting_ the consumer market with the enterprise market, because really, we're kidding ourselves if we pretend like they're not already inseparable. Currently, your remote employees are probably working from home through 8-year old Netgear routers that have never had a firmware update with UPnP wide open. For a few hundred bucks, wouldn't you rather connect their networks to your existing Palo Alto Panorama instance and have some visibility into the safety of these networks? It will be interesting to see how employees react to this development, as putting MDM/EMM software on personal devices didn't always result in happy endings.

I have my reservations about stuff like this. First off, it gets into an unwinnable game of leapfrog with attackers. They'll find a new way to evade this technology every week, and I do what? Update my SSD firmware on a weekly basis to keep up with evasions? No thanks. My other concern is unintended consequences. I'm not sure I want my SSD blocking writes based on some arbitrary malicious behavior heuristic. It's only inevitable until we find legitimate software or use cases that this approach breaks in horrible ways.

New technology trends, whether enterprise or consumer, tend to have an impact on security, so we'll start covering them in these news segments. While Google's Glass was overpriced and underwhelming, it was clear that we'd see glasses-based tech return in some form. The big difference here is that the Facebook Ray-Ban Wayfarers look very similar to the non-tech-enabled versions. Which is good or bad, depending on your perspective. Hopefully, hearing "Hey Facebook, record video" won't become a common phrase we hear in public restrooms.

Xiaomi is never far behind in tech trends, so of course, they've announced their own camera-enabled sunglasses right along with Ray-Ban. Similar to the Ray-Bans, the Xiaomi shades also have an LED that will turn on to indicate when video recording is active.

The OWASP Top 10 has been updated for the first time since 2017! Seems a reasonable update, with some terminology changes and some category consolidation. But does anyone care anymore? Most folks I talked to would rather OWASP focus on curating excellent open-source tools, as the OWASP Top 10 doesn't seem to move the needle much anymore.

I'm introducing a SQUIRREL OF THE WEEK story, because the non-sequiturs are often my favorite part of newsletters and I wanted to emulate that here. This week, John Hammond, er, I mean, a biotech firm named Colossal aims to bring Wooly Mammoths back from extinction and drop them into the Siberian tundra. At the height (hopefully) of global warming. Where they'll almost certainly get immediately poached right back into extinction.