esw258

Enterprise Security Weekly Episode #258 – January 27, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Log4Shell: Impact & Lessons Learned – 03:00 PM-03:30 PM

Announcements

  • Join us February 16th to learn about validation techniques within applications. Then join us March 2nd to learn five things you can do to catch more bad guys! To register for these webcasts visit https://securityweekly.com/webcasts. Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

If 2021 taught us anything, it’s that our supply chain–especially our technical supply chain–hangs in the balance of a very fragile system. In this interview, ExtraHop’s Jamie Moles examines the impact of the Log4Shell zero day and how enterprises can be assured that they’re in the clear with the help of a live demo of the vulnerability in a lab environment.

This segment is sponsored by ExtraHop Networks.

Visit https://securityweekly.com/extrahop to learn more about them!

Guest(s)

Jamie Moles

Jamie Moles – Senior Technical Marketing Manager at ExtraHop

Jamie has a wealth of experience having worked in the Computer Industry for over 34 years – cutting his teeth in IT-MIS he quickly discovered a talent for handling complex technical issues, building sophisticated infrastructure solutions to meet enterprise business requirements and talking to people at all levels of an organization to share knowledge.

With his passion for security and networking being long standing, having been a leader in the early Antivirus industry with his own scanning software and having built and maintained the Cisco routing and switching infrastructure for Europe’s first Application Service Provider his career has always been focused on the cutting edge of security and infrastructure solutions which he enjoys mastering and telling anyone who will listen how great these new technologies are.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

BillBrenner

Bill Brenner

@BillBrenner70

VP, Content Strategy at CyberRisk Alliance

KatieTeitler

Katie Teitler

@Katherinert15

Sr. Product Marketing Manager at Axonius

2. New Startups From Stealth, It’s Not Matt Damon’s Fault, Merck Wins, & Pearson Fined – 03:30 PM-04:00 PM

Announcements

  • CRA’s Business Intelligence Unit has launched its next survey on Zero Trust! What are Your Barriers to Zero Trust Implementation? Take our survey and enter to win a $500 Tango card by visiting https://securityweekly.com/zerotrust. Report results will be released at our upcoming Zero Trust E-Summit in March!

Description

This week, in the Enterprise Security News, Hunters raises a series C to continue building XDR, Anitian raises a $55M Series B, Four new startups emerge from stealth with seed funding, BugAlert is a new tool for notifying the public of new vulnerabilities, Turns out, Crypto.com WAS hacked, but it wasn’t Matt Damon’s fault, Who is at fault if a hacked car kills someone?, Merck wins – it was NOT an act of war, according to one court…Pearson is fined $1M for misleading investors about their 2018 data breach, Secrets of Successful Security Programs, & Why employees don’t care about your security policies!

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. FUNDING: Hunters Secures Series C Funding to Become a Leading SOC Platform – Hunters picks up a $68M Series C, led by Stripes. Hunters is an XDR play, which can be a vague term at times. The core focus of XDR is to make it easier to detect and respond to malicious activity – relying less on dozens of SOC analysts to sort things out. This is a very hot market segment – Hunters’ last round came only 5 months ago, in late August 2021.
  2. FUNDING: Rising Beaverton cybersecurity company, Anitian, raises $55M – $55M series B was led by Sageview Capital and included Series A investor Forgepoint Capital. Anitian is part of a growing market segment focused on making it easier to achieve and maintain compliance in the cloud.
  3. FUNDING: Revelstoke Launches Next Generation SOAR Solution to Automate Security Operations Centers – Revelstoke – Both a GA announcement and a Series A ($13M) announcement in one. It’s tough to find anything novel in this press release, as “Next Generation SOAR Solution to Automate SOCs” isn’t exactly revolutionary. There are plenty of products automating security badly in the SOC, so the more attempts there are to get it right, the better the chances of someone getting it right, right? RIGHT?

    Series A funding comes via ClearSky, Crosslink Capital, and Rally Ventures

  4. FUNDING: Polar Security unveils cloud data protection platform, $8.5M seed round – Polar comes out of stealth with$8.5M in seed funding. One of many startups we’ve seen recently, focused on discovering, analyzing and tracking company data on systems. It doesn’t look like this product aims to compete with Digital Shadows or Terbium Labs (looking for proprietary company data across the entire public Internet is a huge undertaking). Rather it seems to focus on unmapped or unorganized data within the known bounds of corporate cloud accounts.

    One of the cofounders, Dov Yoran, also co-founded ThreatGRID (acquired by Cisco in 2014), and is Tenable’s CEO, Amit Yoran’s brother.

  5. FUNDING: ArmorCode adds $8M for comprehensive application security platform – Additional funding brings ArmorCode’s funding to $11m.
    ArmorCode does “Application Security Posture Management” (not to be confused with CSPM, I guess)
    Centralizes findings from SAST, DAST, and SCA tools (so, like a Kenna Security, but just for appsec?)
    So… vulnerability prioritization and management.
  6. FUNDING: CodeSee Announces $7M in New Funding – Additional seed funding brings the seed total to $10M for CodeSee. While not a pure-play security startup, building interactive code diagrams could possibly help appsec folks understand code and perform better code audits.
  7. ACQUISITION: Morgan Stanley Acquiring MSSP Fusion Connect – !! -> This is technology M&A deal number 81 that MSSP Alert and sister site ChannelE2E have covered so far in 2022.
    Fusion Connect has managed security services, but they seem complementary to the company’s heavier managed IT focus.
    Disclosure: MSSPAlert is a CRA sister company.
  8. ACQUISITION: Cloudastructure Signs Letter of Intent to Acquire IPG – IPG makes IoT security products.
    Cloudastructure does video surveillance.
    There’s a long history of surveillance cameras getting hacked and enlisted into botnet armies (Mirai is still around).
    The combo makes sense.
  9. NEW PRODUCTS: Ambient.ai aims to provide AI-powered building security, minus bias and privacy pitfalls – Smart surveillance cameras attempting to detect humans IN trouble or CAUSING trouble. Without biases. I guess we’ll see how they do once they start getting used at scale…
  10. TOOLS: We desperately need a way to rapidly notify people of high-impact vulnerabilities, so I built one: BugAlert.org – A no-frills security bug alerting service.
  11. TOOLS: Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4 – Open Source Security Foundation – A small, but important contribution to supply chain and open source security, updated Scorecards in GitHub will make it possible for developers to automatically detect risky code choices and configurations.
  12. BREACH: Crypto.com Says ‘Incident’ Was Actually $30 Million Hack – “Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.”
    Not the biggest crypto exchange hack, but still pretty sizable. Good that Crypto.com is covering the losses (unlike exchanges in the past), but it’s not the kind of losses they’ll want to cover on a regular basis.

    Apparently 2FA either wasn’t required for some users, or wasn’t working? The company apparently reset 2FA for all users, migrated to an entirely new 2FA product, and are now enforcing 2FA for all customer and employee access to systems involved in transactions and withdrawals. The company is also implementing a quarter million dollar guarantee against losses for qualified users. It’s not the FDIC, but better than nothing.

    We can only assume Matt Damon approves of these new security measures.

  13. TRENDS: Who’s at fault when autonomous cars kill? – We’re starting to see legal precedents get set for (pseudo) self-driving cars. In this case, it’s a question of who is at fault – the auto manufacturer, or the individual behind the wheel (even if they aren’t actively driving).
    Why include it here? It seems possible that we could see an “it wasn’t me, I was hacked” defense at some point in the future. We’ve already seen CISOs held personally liable in some situations, so this leads to some interesting discussions of liability for integrated systems, IoT devices, and industrial computing scenarios.
  14. TRENDS: Merck wins cyber-insurance lawsuit related to NotPetya attack – Court rules against the insurance company that refused Merck’s claim, on the basis that the NotPetya attack was NOT an “act of war”.
    Good news: there’s now one less BS reason for insurance companies to deny your cyberinsurance claim.
    Bad news: there’s now one MORE reason for your rates to go up even more.
  15. TRENDS: Philippines bank will no longer use clickable website links on promo materials – Widespread fraud campaigns targeting bank customers via SMS and email led to some big policy changes. With the likes of Google and Salesforce making 2FA mandatory, it looks like the path has been paved for smaller companies to start requiring and enforcing strong (not SMS-based) MFA across all customers.
  16. TRENDS: Money and Payments: The U.S. Dollar in the Age of Digital Transformation – The Federal Reserve released its study on formally adopting a digital currency, though it isn’t discussing any decisions or future plans at this point. New acronym you might see floating around: CBDC (Central Bank Digital Currency).
  17. TRENDS: SEC fines Pearson $1M for data breach and misleading investors – A very interesting precedent here. Pearson is the company many folks likely know as the destination for the majority of their money in college (aside from tuition). The SEC slapped them with a $1M fine for downplaying a data breach in 2018, where attackers gained access to 13,000 Pearson accounts. Don’t get too excited about the fine. $1M is around two thousandths of a percent (0.000229%) of Pearson’s $4.4B annual revenue.
  18. TRENDS: SEC Looks to Bolster Market’s Cyber Defenses – “The Securities and Exchange Commission is exploring ways to improve cybersecurity in capital markets, including by extending compliance obligations to companies that currently don’t have to meet them, Chairman Gary Gensler said Monday”

    That’s quite an opener! Then we get this quote from Mr. Gensler, “The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars”, and the initial statement becomes harder to take seriously. There’s some broad misinformation flying around about actual cybercrime damages, overinflating amounts to preposterous levels. All the same, this is a serious topic, but digging into the article reveals that they’re *playing* with the idea of requiring a very small handful of large financial firms to start adhering to more stringent cybersecurity regulations.

  19. TRENDS: Google’s attempt to kill off cookies with FLoC fails, replaces it with “Topics” – Okay, whatever, Google, let us know when it leaves the labs.
  20. EXECS: Twitter shakes up its security team. – Shake up indeed – it wasn’t too long ago that we were scratching our heads and trying to figure out the roles of Peiter Zatko (aka Mudge) and Rinki Sethi. Now, the new Twitter CEO, Parag Agrawal, has apparently dismissed them. This is far from the only change Agrawal has made – more just the latest step in a broad executive leadership shakeup.

    Lea Kissner, the head of privacy engineering will step up to the CISO role on an interim basis.

    Yikes, that’s a slight job change. No pressure!

  21. ESSAY: Secrets of Successful Security Programs – Part 1 – The latest from Phil Venables (and already covered by Application Security Weekly on Monday), this is an excellent read that digs into some nitty-gritty details on how modern attacks occur. At the same time, it discusses successful strategic perspectives that have resulted in positive security outcomes.

    TL;DR – focus narrowly on wins that net big improvements. Be relentless about sticking to routines and practices. In a health metaphor, “diet and exercise really gets results”.

  22. ESSAY: Scott Galloway – Tell Me a Story – Following up on Theranos discussions we’ve had in the past, this post discusses the nuances of the “fake it ’till you make it” startup culture. The solution for problems borne of overpromising and underdelivering, of course, is also nuanced and isn’t as simple as implementing brutal honesty as a corporate value. This very much applies to infosec, as it’s often difficult to measure the value of security products. How do we know they have any value at all? It’s a worrying problem in cybersecurity.
  23. METRICS: State of the DORA DevOps Metrics in 2022 – In the same vein as the Phil Venables piece, this is an excellent deep dive into DevOps Metrics, what they mean, and how to use them.

    “But this isn’t security.”

    Understanding DevOps workflows is key to understanding what security products, processes, and tools are likely to work, or fail completely in these environments.

  24. RESEARCH: Why Employees Violate Cybersecurity Policies – If you’re reading this title and loudly thinking, “TO GET THEIR FREAKING WORK DONE”, you’re right. That’s basically it.

    However, before you move on, there is some interesting detail in the research around how, by breaking policies to get work done, employees are more likely to fall for BEC scams and other social engineering attacks. One lesson that can be taken away here is that bad security policies don’t just hurt productivity, they make the organization less secure!

  25. SQUIRREL: Twitter launches NFT Profile Pictures — but only for Twitter Blue subscribers – TechCrunch
BillBrenner

Bill Brenner

@BillBrenner70

VP, Content Strategy at CyberRisk Alliance

KatieTeitler

Katie Teitler

@Katherinert15

Sr. Product Marketing Manager at Axonius

3. Continuous Red Teaming Trends – 04:00 PM-04:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Why is continuous security here to stay? How is Red Teaming getting automated and moving towards continuous?

Guest(s)

Bikash Barai

Bikash Barai – Co-founder, CEO at FireCompass

@bikashbarai1

Bikash is the co-founder of FireCompass – a SaaS Platform for Automated Red Teaming. He is a serial cyber security entreprenuer with past exits. Bikash has multiple patents, part of Fortune 40-under-40 and an active speaker at various forums like RSA Conference, Interop, TEDx etc.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance