Sun Tzu Vs Infosec, 2 Weeks of News, AI Trends, & De-Horned Unicorns – ESW #316
This week, we start with the news: 2 weeks of news to catch up on! 16 funding stories, 4 M&A stories, Cybereason prunes its valuation… a lot, First Republic Bank seized by FDIC, Ransomware is irrelevant Sun Tzu hates infosec, AI Trends, Kevin Mandia’s 7 tips for defense, & How much time should we spend automating tasks?
Our teams from Security Weekly and SC Media were onsite at RSA Conference 2023 delivering in-depth reporting, analysis and interviews from the conference. If you were unable to join us in person, or didn't manage to catch our video livestream from Broadcast Alley, you can access all of our RSAC 2023 coverage at https://securityweekly.com/rsac.
- 1. FUNDING: Coro raises $75M at a $575M valuation to grow its all-in-one cybersecurity platform
- 2. FUNDING: Semgrep, a code & supply chain security search engine, raises $53M Series C
$53M Series C led by Lightspeed. The REAL startups to get behind are the ones raising a Series C right now. Nice job, Semgrep.
- 3. FUNDING: Halcyon Closes $50M in Series A Funding
A $50M Series A for a startup that wants to solve the 2017 version of the ransomware problem. Ransomware is nothing more than any attack where leverage can be used to extort money out of the target. You can't build a product to solve this problem. Literally your entire security program is the solution to this problem, as these types of attacks touch nearly every aspect of security.
- 4. FUNDING: Safe Security Raises $50 Million in Series B Funding
- 5. FUNDING: Avalor Emerges from Stealth with $30M to Make Sense of Security Data
- 6. FUNDING: Token Closes $30 Million Financing to Bring its Next-Generation Multifactor Authentication Solution to Market
$30M found financed by PE firm Grand Oaks, in the form of a $20M secured note and a $10M convertible note.
"a revolutionary provider of secure, wearable authentication solutions"
- 7. FUNDING: Dasera Raises $12 Million Series A Funding to Pioneer a New Era of Data Security and Governance Risk Management
- 8. FUNDING: CyberQP Raises $12M in Funding
- 9. FUNDING: Elevate Security Receives Investment from CrowdStrike to Drive Proactive Defense for High-Risk Users – Elevate Security
- 10. FUNDING: NetRise Announces $8 Million in Funding to Advance XIoT Security Technology
- 11. FUNDING: Sonet.io Raises $6M in Seed Funding
- 12. FUNDING: Automatic Vulnerability Fixer Mobb Secures $5.4m and Launches Community Tool
- 13. FUNDING: Stack Identity Emerges from Stealth with $4M Seed Funding
"Solves Shadow Access Problem with Automated AIM Operations"
- 14. FUNDING: Operant Networks raises $3.8M in funding led by Constellation Technology Ventures – Operant Networks
- 15. FUNDING: BreachBits Raises $3.2M for pentest as a service
- 16. FUNDING: lockr Raises $2.5 Million to Help Consumers Take Control of their Digital Identity – lockr
- 17. M&A: ZeroFox Acquires LookingGlass
Acquired for $23M on $119 raised. Ouch.
- 18. M&A: Akamai Technologies To Acquire API Security Company Neosec
- 19. M&A: Yubico is merging with ACQ Bure: merged company intends to go public on Nasdaq First North Growth Market in Stockholm – Yubico
- 20. M&A: Kaseya Acquires Vonahi Security to Revolutionize Cybersecurity with Automated Network Penetration Testing
- 21. NEW GROUP: Thoma Bravo Sponsors Launch of Industry Group to Advance Cybersecurity Sector
I'm not sure I understand the purpose of this consortium. All the members are business founders and leaders, not security experts or researchers (though there is some venn diagram overlap between the two).
- 22. DEHORNED: Cybereason cuts valuation by more than 90%, loses unicorn status
- 23. BANK FAILURE: First Republic Bank seized by FDIC and sold to JPMorgan
- 24. SUPPLY CHAIN: Introducing npm package provenance
A small, but important step in the right direction.
- 25. BREACHES: Mandiant Breach: Initial Intrusion Vector Found
- 26. BREACHES: DOJ Detected SolarWinds Breach Months Before Public Disclosure
- 27. ESSAYS: The Ever Changing API Security Market
- 28. ESSAYS: Ransomware Is Irrelevant (Wait WHAT?!)
- 29. ESSAYS: Sun Tzu wouldn’t like the cybersecurity industry
- 30. REPORTS: Ransom demands, recovery times, payments and breach lawsuits all on the rise
- 31. REPORTS: M-Trends 2023: Cybersecurity Insights From the Frontlines
- 32. REPORTS: New Report Supported by Hundreds of Security Leaders Uncovers Enterprise Risks and Opportunities of Generative AI
A good summary of what security leaders should be worried about with regards to generative AI.
- 33. AI TRENDS: Expert Insight: Dangers of Using Large Language Models Before They Are Baked
I'm including this story as an example of a trend in Really Bad Takes on AI. What everyone gets wrong about GenAI is they compare its output to the top tier of human-created output. What's remarkable about this technology is that it is capable of replacing ANY tier of human-created output in such an early stage.
Scenarios where the where the bar is already set quite low, or the task is highly repetitive, or isn't that difficult are where we're going to initially see AI take off. This is stuff no human really wants to do anyway and largely won't miss (with some exceptions).
- 34. AI TRENDS: Prompt injection: What’s the worst that can happen?
An EXCELLENT read on the very difficult problem of prompt injection.
- 35. AI TRENDS: Web LLM
Taking advantage of LLM AI without exposing sensitive data to a 3rd party service is a key problem that will need to be solved. One idea is to copy a lightweight version of the model to the user's browser, so that input and output can be passed locally, without exposing any sensitive input or output to the 3rd party.
- 36. AI TRENDS: TP#14 How To Avoid Leaking PII to ChatGPT
Taking advantage of LLM AI without exposing sensitive data to a 3rd party service is a key problem that will need to be solved. Threat Prompt's Craig Balding suggests tokenizing data or transforming it in some way that is only reversible by the data owner.
- 37. AI TRENDS: AI for security is here. Now we need security for AI
A nice overview by Ross Haleliuk (of LimaCharlie and the Venture in Security newsletter) on the threats to AI-based services.
- 38. TOOLS: Ransomware Control Matrix
- 39. AI TRENDS: Capturing the Flag with GPT-4
Using ChatGPT to win at CTF!
- 40. AI TRENDS: Stack Overflow Joins Twitter and Reddit in Charging AI Companies for Training Data
"F&$% you, pay me."
- 41. EVENTS: Mike Privette’s Review/Summary of RSAC 2023
Pretty much nails it.
- 42. LESSONS: Mandiant CEO’s 7 tips for cyber defense
- 43. SQUIRREL: Is It Worth the Time?
Just as we're starting to think about the things AI can replace for us, this handy XKCD chart helps us understand how much effort is worth automating something.