esw242

Enterprise Security Weekly Episode #242 – September 15, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Web Asset Discovery in Application Security – 01:00 PM-01:30 PM

Sponsored By

sponsor
Visit https://securityweekly.com/invicti for more information!

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    We are excited to announce our speakers: Lesley Carhart, John Strand, Alyssa Miller, Dave Kennedy, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, Justin Kohler, Jay Beale, Trenton Ivey & Ryan Cobb!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

Large organizations develop hundreds of new web applications every year. Some of those deployments are lost in time, and others go wild with high severity vulnerabilities.
Forgotten and outdated web applications are a common culprit of successful hack attacks. What can you do to protect your organization? Let’s talk about the first step to securing web applications – continuous web asset discovery.

Segment Resources:
https://www.acunetix.com/blog/docs/benefits-of-web-asset-discovery/ https://www.netsparker.com/features/continous-web-asset-discovery-engine/

This segment is sponsored by Invicti.

Visit https://securityweekly.com/ to learn more about them! This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

Guest(s)

Tolga Kayas

Tolga Kayas – Assistant Application Security Manager at Invicti Security

Tolga is a security consultant with proven skills in complex environments’ architecture and project management. He holds more than four years of experience in architecting, starting from systems administration to security-specific solutions. Subject matter expert in Open Source Intelligence investigations from a penetration testing perspective. Currently working for Invicti Security in the Application Security Management team, helping more than 3000 companies improve their DevSecOps.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerShields

Tyler Shields

@txs

CMO at JupiterOne

2. The Device Security Divide – 01:30 PM-02:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/eclypsium for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

Organizations are divided. Some will be able to lean into mitigations against catastrophic and cascading failures. Others will not. In this discussion, we will explore the risk tradeoffs in firmware security. This includes risks inherent in devices, supply chain, physical access, and malicious software. We will also explore various mitigation strategies throughout the lifecycle, which separate those leaning in from those that don’t.

This segment is sponsored by Eclypsium.

Visit https://securityweekly.com/eclypsium to learn more about them!

Guest(s)

John Loucaides

John Loucaides – VP Federal Technology at Eclypsium

@JohnLoucaides

John Loucaides is the VP of Research and Development at Eclypsium, the comprehensive cloud-based device security platform that protects enterprise devices all the way down to the firmware and hardware level. Headquartered in Portland, Oregon, the company was named to Fast Company’s annual list of the World’s Most innovative Security Companies for 2020, the CNBC Upstart 100 list, and Gartner’s Cool Vendor list for Security Operations and Threat Intelligence. John has extensive history in hardware and firmware threats from experience at Intel Corporation and the United States government. At Intel he served as the Director of Advanced Threat Research, Platform Armoring and Resiliency, PSIRT, and was a CHIPSEC maintainer. Prior to this, he was Technical Team Lead for Specialized Platforms for the federal government.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerShields

Tyler Shields

@txs

CMO at JupiterOne

3. Palo Alto Goes IoT, Numbers Lose Their Meaning, BitSight, & Colossal Mammoths – 02:00 PM-02:30 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the Enterprise News: Adrian’s first Enterprise News in the Captain’s Seat, BitSight raises $250m on a $2.4bn valuation, Palo Alto Networks enters the consumer IoT market, Martin Roesch Joins Netography as CEO, the special “Squirrel of the Week” story, & more!

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. FUNDING: JumpCloud raises $159M on $2.56B valuation for cloud directory tool – TechCrunch – The sun’s getting real low, guys. Maybe time to start thinking about an exit. This is a Series F on one of the most unique startups I’ve seen in a while. I spent some time with them when they were going for more of an endpoint security angle, after which they pivoted into a directory services play with benefits. Speculating as to who could be an acquirer here is an interesting exercise. An acquisition by an IdP/IAM/SSO provider could be interesting, but I’m not sure anyone could even afford it without getting a PE player involved. Who else might want to acquire a potential AD replacement? Someone with a UDM offering like VMware? Or someone who has dipped their toes into these waters like Okta or AWS? I honestly don’t know, but it’s fun to speculate.
  2. FUNDING: SOAR Company D3 Security Raises $10 Million – Maybe this is a Series A? I couldn’t tell. I would have thought D3 would have raised more than this by now. It seems like they’ve been around a while. Maybe they were bootstrapped in the early days? Looks like they were founded in 2003. There’s definitely a deeper story here I’m missing…
  3. FUNDING: Neosec, an API security startup, emerges from stealth with $20.7M – “The platform automatically finds all APIs involved with an organization and maintains a complete inventory, generating missing documentation for previously unknown APIs.” <-- Quite a statement!
  4. FUNDING: BitSight raises $250M from Moody’s and acquires cyber risk startup VisibleRisk – TechCrunch – Actually, this is funding AND an acquisition. It’s nearly two acquisitions, as the $250m round gives Moody’s a significant stake in BitSight. And the acquisition is… yet another cyber risk scoring startup?
  5. FUNDING: Rezilion raises $30M to help security operations teams with tools to automate their busywork – TechCrunch – You know that Drake meme? When I hear a company say they’re using AI to automate someone out of a job, or to solve a problem, I’m like the first Drake. When someone says, “yeah, we’re just going to sort some of the busy work”, I’m like the second Drake. This one is in the second category.
  6. FUNDING: Cyber security software startup Snyk raises $300 mln, valued at $8.5 bln – I’m sorry, WHAT? Run those numbers by me again?
  7. FUNDING: TrueFort snares $30M Series B to expand zero trust application security solution – TechCrunch – This looks like an acute case of buzzword abuse. I’m not seeing anything Zero Trust related here – this looks like a RASP, or WAP-related play. I’m sure Tyler will know more, given his background in this market.
  8. FUNDING: Corelight Secures $75 Million in Series D Funding Led by Energy Impact Partners with Participation from H.I.G. Growth Partners, CrowdStrike and Capital One Ventures – I’m not sure how the pure play NDR space is doing, but this seems like a solid Series D for this market. Corelight is a particularly performance and scale-focused NDR product that leverages Zeek (fka Bro).
  9. ACQUISITION: Audax Private Equity Announces Majority Investment in Risk Intelligence Leader Flashpoint – “Majority investment”
  10. ACQUISITION: FireMon Acquires Cloud Security Innovator DisruptOps – An interesting acquisition, to be sure. FireMon has positioned itself as the single pane of glass for all your firewall and network policy management. Now it is also positioned as the single pane of glass for cloud and SASE as well. DisruptOps is certainly positioned to help it do that, as it not only gives visibility into cloud configuration and policy, but the ability to automatically enforce guardrails as well.
  11. ACQUISITION: Tenable Announces Intent to Acquire Cloud-Native Security Company, Accurics – Ever-expanding its capabilities, Tenable picked up a company that can check all your YAMLs for security issues. I can see the need for it – the number of tweets I see complaining about YAML syntax frustrations has increased a lot in the last year.
  12. ACQUISITION: TransUnion Accelerates Growth of Identity-Based Solutions with Agreement to Acquire Neustar for $3.1 Billion – Insurance companies and consulting firms are buying up cybersecurity businesses, so sure, why not a credit scoring agency?
  13. ACQUISITION: Booz Allen acquires cyber incident & response company Tracepoint – Washington Business Journal – If you’re an insurance company or consulting firm without your own internal Mandiant, what are you even doing these days? Get with it!
  14. EXEC MOVE: Snort Inventor and Sourcefire Founder Martin Roesch Joins Netography as CEO – Founder of Snort and Sourcefire, Martin Roesch joins Netography along with Dan Murphy. I got the impression that Roesch and the Sourcefire team really brought proper security credibility to Cisco and built what is now a proper security business group that has been joined by a number of other big acquisitions, most notably, Duo Security. We’ll all be paying a bit closer attention to Netography from now on, that’s for sure.
  15. EXEC MOVE: Palo Alto Networks Nabs Barracuda Networks CEO BJ Jenkins As President – Palo Alto has brought on Barracuda’s CEO, BJ Jenkins, to help them boost their channel sales.
  16. REGULATION: Moving the U.S. Government Towards Zero Trust Cybersecurity Principles – The power of standards or regulation to choose winners and losers in the markets is not to be underestimated. Just look at the impact the PCI DSS had on the security market. If you’re doing marketing for a vendor, it’s okay, I get it. You’re going to respond with feedback. If you’re NOT a vendor, please, even out these responses with an enterprise perspective, so that this doesn’t turn into a glorified invitation for cybersecurity product lobbying.
  17. REGULATION: What China’s new data privacy law means for US tech firms – TechCrunch – Modeled after GDPR, the Personal Information Protection Law (PIPL) mostly applies to companies aiming to sell products or services to folks located within China. NOTE: there’s some fine print here and I’m not a lawyer. Should we be embarrassed that a state requiring its citizens to install malware passed federal privacy regulation before the US? I’ll let you decide.
  18. REGULATION: GDPR Enforcement Tracker – list of GDPR fines – I knew GDPR fines were being levied, but never knew the details until now. It’s interesting to see how many smaller fines there are, against smaller businesses.
  19. NEW TECH: Palo Alto Enters Small Business, Remote and Home Markets with Okyo – This is an interesting one. It’s not just Palo Alto entering the consumer market, though it is that. This is also Palo Alto _connecting_ the consumer market with the enterprise market, because really, we’re kidding ourselves if we pretend like they’re not already inseparable. Currently, your remote employees are probably working from home through 8-year old Netgear routers that have never had a firmware update with UPnP wide open. For a few hundred bucks, wouldn’t you rather connect their networks to your existing Palo Alto Panorama instance and have some visibility into the safety of these networks? It will be interesting to see how employees react to this development, as putting MDM/EMM software on personal devices didn’t always result in happy endings.
  20. NEW TECH: Researchers Bake Malware Protection Directly Into SSDs – I have my reservations about stuff like this. First off, it gets into an unwinnable game of leapfrog with attackers. They’ll find a new way to evade this technology every week, and I do what? Update my SSD firmware on a weekly basis to keep up with evasions? No thanks. My other concern is unintended consequences. I’m not sure I want my SSD blocking writes based on some arbitrary malicious behavior heuristic. It’s only inevitable until we find legitimate software or use cases that this approach breaks in horrible ways.
  21. NEW TECH: Review: Facebook’s Ray-Ban Stories make the case for smart glasses – TechCrunch – New technology trends, whether enterprise or consumer, tend to have an impact on security, so we’ll start covering them in these news segments. While Google’s Glass was overpriced and underwhelming, it was clear that we’d see glasses-based tech return in some form. The big difference here is that the Facebook Ray-Ban Wayfarers look very similar to the non-tech-enabled versions. Which is good or bad, depending on your perspective. Hopefully, hearing “Hey Facebook, record video” won’t become a common phrase we hear in public restrooms.
  22. NEW TECH: Xiaomi launches its own smart glasses, of course – TechCrunch – Xiaomi is never far behind in tech trends, so of course, they’ve announced their own camera-enabled sunglasses right along with Ray-Ban. Similar to the Ray-Bans, the Xiaomi shades also have an LED that will turn on to indicate when video recording is active.
  23. BEST PRACTICES: OWASP Top 10:2021 (DRAFT FOR PEER REVIEW) – The OWASP Top 10 has been updated for the first time since 2017! Seems a reasonable update, with some terminology changes and some category consolidation. But does anyone care anymore? Most folks I talked to would rather OWASP focus on curating excellent open-source tools, as the OWASP Top 10 doesn’t seem to move the needle much anymore.
  24. SQUIRREL: A biotech startup has raised millions to resurrect woolly mammoths – I’m introducing a SQUIRREL OF THE WEEK story, because the non-sequiturs are often my favorite part of newsletters and I wanted to emulate that here. This week, John Hammond, er, I mean, a biotech firm named Colossal aims to bring Wooly Mammoths back from extinction and drop them into the Siberian tundra. At the height (hopefully) of global warming. Where they’ll almost certainly get immediately poached right back into extinction.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerShields

Tyler Shields

@txs

CMO at JupiterOne