Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!
We are excited to announce our speakers: Lesley Carhart, John Strand, Alyssa Miller, Dave Kennedy, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, Justin Kohler, Jay Beale, Trenton Ivey & Ryan Cobb!
Large organizations develop hundreds of new web applications every year. Some of those deployments are forgotten over time, and others go live with high-severity vulnerabilities.
Forgotten and outdated web applications are a common culprit in successful attacks. What can you do to protect your organization? Let’s talk about the first step to securing web applications: continuous web asset discovery.
Tolga Kayas – Assistant Application Security Manager at Invicti Security
Tolga is a security consultant with proven skills in complex-environment architecture and project management. He has more than four years of experience in architecting solutions, ranging from systems administration to security-specific solutions, and is a subject matter expert in Open Source Intelligence investigations from a penetration testing perspective. He currently works for Invicti Security in the Application Security Management team, helping more than 3000 companies improve their DevSecOps.
Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!
Organizations are divided. Some will be able to lean into mitigations against catastrophic and cascading failures. Others will not. In this discussion, we will explore the risk tradeoffs in firmware security. This includes risks inherent in devices, supply chain, physical access, and malicious software. We will also explore various mitigation strategies throughout the lifecycle, which separate those leaning in from those that don’t.
John Loucaides – VP Federal Technology at Eclypsium
John Loucaides is the VP of Research and Development at Eclypsium, the comprehensive cloud-based device security platform that protects enterprise devices all the way down to the firmware and hardware level. Headquartered in Portland, Oregon, the company was named to Fast Company’s annual list of the World’s Most Innovative Security Companies for 2020, the CNBC Upstart 100 list, and Gartner’s Cool Vendor list for Security Operations and Threat Intelligence. John has an extensive history in hardware and firmware threats from experience at Intel Corporation and the United States government. At Intel he served as the Director of Advanced Threat Research, Platform Armoring and Resiliency, and PSIRT, and was a CHIPSEC maintainer. Prior to this, he was Technical Team Lead for Specialized Platforms for the federal government.
InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
This week in the Enterprise News: Adrian’s first Enterprise News in the Captain’s Seat, BitSight raises $250m on a $2.4bn valuation, Palo Alto Networks enters the consumer IoT market, Martin Roesch Joins Netography as CEO, the special “Squirrel of the Week” story, & more!
Senior Research Engineer at CyberRisk Alliance
FUNDING: JumpCloud raises $159M on $2.56B valuation for cloud directory tool – TechCrunch – The sun’s getting real low, guys. Maybe time to start thinking about an exit. This is a Series F on one of the most unique startups I’ve seen in a while. I spent some time with them when they were going for more of an endpoint security angle, after which they pivoted into a directory services play with benefits. Speculating as to who could be an acquirer here is an interesting exercise. An acquisition by an IdP/IAM/SSO provider could be interesting, but I’m not sure anyone could even afford it without getting a PE player involved. Who else might want to acquire a potential AD replacement? Someone with a UDM offering like VMware? Or someone who has dipped their toes into these waters like Okta or AWS? I honestly don’t know, but it’s fun to speculate.
FUNDING: SOAR Company D3 Security Raises $10 Million – Maybe this is a Series A? I couldn’t tell. I would have thought D3 would have raised more than this by now. It seems like they’ve been around a while. Maybe they were bootstrapped in the early days? Looks like they were founded in 2003. There’s definitely a deeper story here I’m missing…
ACQUISITION: FireMon Acquires Cloud Security Innovator DisruptOps – An interesting acquisition, to be sure. FireMon has positioned itself as the single pane of glass for all your firewall and network policy management. Now it is also positioned as the single pane of glass for cloud and SASE as well. DisruptOps is certainly positioned to help it do that, as it not only gives visibility into cloud configuration and policy, but the ability to automatically enforce guardrails as well.
EXEC MOVE: Snort Inventor and Sourcefire Founder Martin Roesch Joins Netography as CEO – Founder of Snort and Sourcefire, Martin Roesch joins Netography along with Dan Murphy. I got the impression that Roesch and the Sourcefire team really brought proper security credibility to Cisco and built what is now a proper security business group that has been joined by a number of other big acquisitions, most notably, Duo Security. We’ll all be paying a bit closer attention to Netography from now on, that’s for sure.
REGULATION: Moving the U.S. Government Towards Zero Trust Cybersecurity Principles – The power of standards or regulation to choose winners and losers in the markets is not to be underestimated. Just look at the impact the PCI DSS had on the security market. If you’re doing marketing for a vendor, it’s okay, I get it. You’re going to respond with feedback. If you’re NOT a vendor, please, even out these responses with an enterprise perspective, so that this doesn’t turn into a glorified invitation for cybersecurity product lobbying.
REGULATION: What China’s new data privacy law means for US tech firms – TechCrunch – Modeled after GDPR, the Personal Information Protection Law (PIPL) mostly applies to companies aiming to sell products or services to folks located within China. NOTE: there’s some fine print here and I’m not a lawyer. Should we be embarrassed that a state requiring its citizens to install malware passed federal privacy regulation before the US? I’ll let you decide.
NEW TECH: Palo Alto Enters Small Business, Remote and Home Markets with Okyo – This is an interesting one. It’s not just Palo Alto entering the consumer market, though it is that. This is also Palo Alto _connecting_ the consumer market with the enterprise market, because really, we’re kidding ourselves if we pretend like they’re not already inseparable. Currently, your remote employees are probably working from home through 8-year-old Netgear routers that have never had a firmware update, with UPnP wide open. For a few hundred bucks, wouldn’t you rather connect their networks to your existing Palo Alto Panorama instance and have some visibility into the safety of these networks? It will be interesting to see how employees react to this development, as putting MDM/EMM software on personal devices didn’t always result in happy endings.
NEW TECH: Researchers Bake Malware Protection Directly Into SSDs – I have my reservations about stuff like this. First off, it gets into an unwinnable game of leapfrog with attackers. They’ll find a new way to evade this technology every week, and I do what? Update my SSD firmware on a weekly basis to keep up with evasions? No thanks. My other concern is unintended consequences. I’m not sure I want my SSD blocking writes based on some arbitrary malicious-behavior heuristic. It’s only a matter of time until we find legitimate software or use cases that this approach breaks in horrible ways.
NEW TECH: Review: Facebook’s Ray-Ban Stories make the case for smart glasses – TechCrunch – New technology trends, whether enterprise or consumer, tend to have an impact on security, so we’ll start covering them in these news segments. While Google’s Glass was overpriced and underwhelming, it was clear that we’d see glasses-based tech return in some form. The big difference here is that the Facebook Ray-Ban Wayfarers look very similar to the non-tech-enabled versions. Which is good or bad, depending on your perspective. Hopefully, hearing “Hey Facebook, record video” won’t become a common phrase we hear in public restrooms.
BEST PRACTICES: OWASP Top 10:2021 (DRAFT FOR PEER REVIEW) – The OWASP Top 10 has been updated for the first time since 2017! Seems a reasonable update, with some terminology changes and some category consolidation. But does anyone care anymore? Most folks I talked to would rather OWASP focus on curating excellent open-source tools, as the OWASP Top 10 doesn’t seem to move the needle much anymore.
SQUIRREL: A biotech startup has raised millions to resurrect woolly mammoths – I’m introducing a SQUIRREL OF THE WEEK story, because the non-sequiturs are often my favorite part of newsletters and I wanted to emulate that here. This week, John Hammond, er, I mean, a biotech firm named Colossal aims to bring woolly mammoths back from extinction and drop them into the Siberian tundra. At the height (hopefully) of global warming. Where they’ll almost certainly get immediately poached right back into extinction.