Startup Failures, Thoma Bravo, Fortress InfoSec, SEC & CISOS, & Squirrely Medicine – ESW #270
This week in the Enterprise Security News: Fortress InfoSec raises $125M to help critical infrastructure improve security, ThreatLocker raises $100M, thanks in part to Kaseya’s breach, Obsidian raises $90M to secure SaaS use, DoControl raises $30M to possibly compete with Obsidian, Blueshift raises a seed round to bring SOC and XDR to SMBs, Strike Security raises a seed round to take a different approach to pen testing, Thoma Bravo is still working on an Imprivata exit, The biggest startup failures of all time - how many security vendors are on the list?
Is the SEC forcing CISOs into the boardroom, Better, but harder to collect, security metrics, & more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
- 1. FUNDING: Fortress Information Security receives $125M to find the answer to supply chain attacks - $125M Series C, PE round, led by Goldman Sachs. The product is effectively a GRC and Risk Management portal that consolidates and organizes risk-related data (questionnaires, vuln scans, threat intel) from a wide range of sources. Another side project is a 'library' of 40,000+ completed product and vendor assessments aiming to cut down on the work necessary for TPRM processes. The company seems almost entirely focused on utilities, particularly electric utilities in the US. With a raise this large, I figure the plan is either to expand the ideal customer to other verticals, or to stay within the utility/manufacturing niche and expand globally. My money is on the latter.
- 2. FUNDING: ThreatLocker raises $100M Series C funding to bring Zero Trust endpoint security to more organizations - $100M Series C, led by General Atlantic. This is zero trust (lowercase) as a metaphor, and does not appear to be related to Zero Trust Architecture. The endpoint security product claims to include a suite of capabilities, including app control, NAC, Ringfencing (?), storage control, and PAM. The company claims its product is currently used by over 23,000 organizations. How have I not heard of them and they're in 23000 orgs? Perhaps some kind of whitelabeling agreement? Kaseya is mentioned as a partner... Ah, yep: https://www.crn.com/slide-shows/security/kaseya-ransomware-attack-has-led-to-a-windfall-for-threatlocker-ceo-danny-jenkins "ThreatLocker co-founder and CEO Danny Jenkins says his company experienced record sales growth in July in the wake of the Kaseya ransomware attack and is adding 60,000 new seats a month to its application whitelisting solution." Mentions over 2000 MSPs are using them.
- 3. FUNDING: Obsidian Security to detect and fix major SaaS security risks with $90M infusion - “We have created a model that allows us to quickly solve for a new threat vector that we may not be thinking about today.” Hasan ImaM, CEO, Obsidian Security If folks aren't thinking about this threat vector, I'm thinking, it might be tougher to sell it. This is an interesting approach. Regardless of what they call it, this is essentially CASB 2.0. Both the use cases (threat detection, account compromise, etc) and the method (API ingestion) existed with CASB 1.0. As with CASB 1.0, one of the primary challenges is whether it will work out-of-the-box with the SaaS apps you use.
- 4. FUNDING: Silverfort raises $65 million Series C for identity threat protection platform - $65M Series C, led by Greenfield Partners. Focused on Identity Threat Detection and Response (ITDR) and Identity Threat Prevention (ITP), both of which caused me pain to write. Not to be confused with identity THEFT protection, this is an enterprise play that will compete with PlainID and others emerging in this space.
- 5. FUNDING: Twingate Raises $42M in Series B Funding – FinSMEs - $42M Series B, led by BOND. Sells an SDP/ZTNA VPN solution (e.g. VPN without having to publicly expose endpoints).
- 6. FUNDING: DoControl secures $30 million Series B for data security platform - $30M Series B, led by Insight Partners. Appears to be joining the CASB 2.0 crowd.
- 7. FUNDING: Israeli Cybersecurity Startup Sentra Raises $23M - $23M *Seed* round led by Oren Zeev & Bessemer. I suspect we're looking at another DSPM here, that will compete with the likes of Cyera, Polar, Eureka, & Symmetry.
- 8. FUNDING: Zoho Alumni’s Cybersecurity Startup Securden Raises Tiger Global-Led Series A Round To Take On Access Management Giants - $10.5M Series A, led by Tiger Global, Accel & Together Fund. Taking aim at AuthZ space & the likes of CyberArk, BeyondTrust, Delinea, etc. Founders come from Zoho.
- 9. FUNDING: Blueshift to scale XDR security with new $6M funding - $6M Seed, led by WestWave and CyberJunction. Product is SOC-as-a-Service (XDR) for SMBs.
- 10. FUNDING: Strike Security lands $5.4M to make pen testing accessible – TechCrunch - $5.4M seed round led by Greyhound Capital. They're offering a continuous pen testing service that appears to be backed by a 'crowd' of contracted hackers (a la HackerOne, BugCrowd, SynAck, and Cobalt). I suspect there will be some differentiators from existing crowdsourced testing firms.
- 11. FUNDING: Surance.io Closes US$4M Series A Funding Round - $4M Series A, led by Tech Mahindra. Israel-based "InsurTech" startup intends to offer some form of cyber insurance (likely whitelabel) for consumers, which includes an app and live support to assist with personal security incidents.
- 12. FUNDING: alphaMountain.ai Raises $2.7M in Seed Funding - $2.7M seed round, led by Mercato Partners. They are Yet Another Threat Intel Vendor.
- 13. FUNDING/ACQUISITION: Thoma Bravo Makes Additional Investment in Imprivata to Fund SecureLink Acquisition - Thoma Bravo picked up Imprivata for $544M in 2016. A sale aiming to net $2B in 2020 was cancelled due to the pandemic. 2 years later, Thoma seems to be padding their asset with the acquisition of SecureLink. Another attempt to sell Imprivata seems inevitable.
- 14. TRENDS: 224 of the biggest, costliest startup failures of all time - A list of a few hundred of the biggest startup failures of all time. How many cybersecurity companies are among them? Zero. This backs up what I've been observing for years - cybersecurity defies the startup failure rate present in nearly every other market. It's perhaps worth some thinking and discussion on why security startups seem to be so much more resilient.
- 15. REGULATION: The SEC Is About To Force CISOs Into America’s Boardrooms - The title and most of the article misrepresents what's actually in the SEC proposal. It drew attention to it and it's something that should be discussed, so I suppose we can forgive Forbes on this one. - The proposed item is a requirement to DISCLOSE any cybersecurity expertise at the board level, not to require it (though admittedly, a second order effect could be that public companies are pressured to then add cybersecurity expertise to their boards) - It goes on to say that "the proposed item... would not define what constitutes 'cybersecurity expertise'" - but it does "include the following non-exclusive list of criteria that a registrant should consider" (followed by the three bullet points that the article misinterpreted)
- 16. NEW INTEGRATION: Announcing Risk-Based Endpoint Security with Cisco Secure Endpoint and Kenna Security - Something I didn't see with the combination of Kenna and Cisco - the opportunity to leverage Cisco's Secure Endpoint (AMP for Endpoint, originally from the SourceFire acquisition) as a host-based vuln scan agent.
- 17. INTERVIEWS: Security Voices – Startup Straight Talk with Serial Entrepreneur Alfred Huger - For us to recommend a competing podcast, it's going to be a good one. I wasn't familiar with Alfred Huger or his background, but this discussion was a whirlwind of nostalgia as the hosts take him through his multi-decade career. The real meat of the conversation is towards the end, however, when he shares his thoughts about what works and doesn't work in the world of cybersecurity startups.
- 18. SNAKE OIL: British Encryption Startup Arqit Overstates Its Prospects, Former Staff and Others Say - There has been a ton of quantum hype in cybersecurity already and it looks like one of these startups is getting called out. It's not that quantum computing doesn't represent benefits and challenges for security (encryption, particularly), it's that the days of quantum computers cracking current encryption standards in seconds is still far off.
- 19. ESSENTIAL READING: 10 Fundamental (but really hard) Security Metrics - Phil Venables is a great read at the worst of times and this is quite a bit better than his worst. Though I'm left wondering how one would implement some of the metrics he suggests, they're all thought provoking suggestions.
- 20. SQUIRREL: Binah.ai Health Data Platform - I often run across some weird stuff, but I'm having a hard time with this one. Using nothing but a camera as a sensor, Binah claims its software can accurately measure "blood pressure, heart rate, heart rate variability (HRV SDNN and RRI raw data), oxygen saturation, respiration rate, sympathetic stress, parasympathetic activity, and pulse-respiration quotient (PRQ)" What.