Personal blog of Yzmir Ramirez

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.

IT security software company Ivanti has acquired two security companies: enterprise mobile security firm MobileIron, and corporate virtual network provider Pulse Secure.

In a statement on Tuesday, Ivanti said it bought MobileIron for $872 million in stock, with 91% of the shareholders voting in favor of the deal; and acquired Pulse Secure from its parent company Siris Capital Group, but did not disclose the buying price.

The deals have now closed.

Ivanti was founded in 2017 after Clearlake Capital, which owned Heat Software, bought Landesk from private equity firm Thoma Bravo, and merged the two companies to form Ivanti. The combined company, headquartered in Salt Lake City, focuses largely on enterprise IT security, including endpoint, asset, and supply chain management. Since its founding, Ivanti went on to acquire several other companies, including U.K.-based Concorde Solutions and RES Software.

If MobileIron and Pulse Secure seem familiar, both companies have faced their fair share of headlines this year after hackers began exploiting vulnerabilities found in their technologies.

Just last month, the U.K. government’s National Cyber Security Center published an alert that warned of a remotely executable bug in MobileIron, patched in June, allowing hackers to break into enterprise networks. U.S. Homeland Security’s cybersecurity advisory unit CISA said that the bug was being actively used by advanced persistent threat (APT) groups, typically associated with state-backed hackers.

Meanwhile, CISA also warned that Pulse Secure was one of several corporate VPN providers with vulnerabilities that have since become a favorite among hackers, particularly ransomware actors, who abuse the bugs to gain access to a network and deploy the file-encrypting ransomware.

A newly discovered bug in a cloud system used to manage SonicWall firewalls could have allowed hackers to break into thousands of corporate networks.

Enterprise firewalls and virtual private network appliances are vital gatekeepers tasked with protecting corporate networks from hackers and cyberattacks while still letting in employees working from home during the pandemic. Even though most offices are empty, hackers frequently look for bugs in critical network gear in order to break into company networks to steal data or plant malware.

Vangelis Stykas, a researcher at security firm Pen Test Partners, found the new bug in SonicWall’s Global Management System (GMS), a web app that lets IT departments remotely configure their SonicWall devices across the network.

But the bug, if exploited, meant any existing user with access to SonicWall’s GMS could create a user account with access to any other company’s network without permission.

From there, the newly created account could remotely manage the SonicWall gear of that company.

In a blog post shared with TechCrunch, Stykas said there were two barriers to entry. Firstly, a would-be attacker would need an existing SonicWall GMS user account. The easiest way — and what Stykas did to independently test the bug — was to buy a SonicWall device.

The second issue was that the would-be attacker would also need to guess a unique seven-digit number associated with another company’s network. But Stykas said that this number appeared to be sequential and could be easily enumerated, one after the other.

Once inside a company’s network, the attacker could deliver ransomware directly to the internal systems of their victims, an increasingly popular tactic for financially driven hackers.

SonicWall confirmed the bug is now fixed. But Stykas criticized the company for taking more than two weeks to patch the vulnerability, which he described as “trivial” to exploit.

“Even car alarm vendors have fixed similar issues inside three days of us reporting,” he wrote.

A SonicWall spokesperson defended the decision to subject the fix to a “full” quality check before it was rolled out, and said it is “not aware” of any exploitation of the vulnerability.

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

• Ian Amit, Cimpress
• Colin Anderson, Levi Strauss & Co.
• Al Ghous, ServiceMax
• Adrian Ludwig, Atlassian
• Rinki Sethi, Rubrik
• Elwin Wong, Ross Stores

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”

A lot of enterprise cybersecurity efforts focus on malicious hackers that work on behalf of larger organizations, be they criminal groups or state actors — and for good reason, since the majority of incidents these days come from phishing and other malicious techniques that originate outside the enterprise itself.

But there has also been a persistent, and now growing, focus also on “insider threats” — that is, breaches that start from within organizations themselves. And today a startup that specialises in this area is announcing a round of growth funding to expand its reach.

Dtex, which uses machine learning to monitor network activity within the perimeter and around all endpoints to detect unusual patterns or behaviour around passwords, data movement and other network activities, is today announcing that it has raised $17.5 million in funding.

The round is being led by new investor Northgate Capital with Norwest Venture Partners and Four Rivers Group, both previous investors, also participating. Prior to this, the San Jose-based startup had raised $57.5 million, according to data from PitchBook, while CrunchBase puts the total raised at $40 million.

CEO Bahman Mahbod said the startup is not disclosing valuation except to say that it’s “very excited” about it.

For some context, the company works with hundreds of large enterprises, primarily in the financial, critical infrastructure, government and defence sectors. The plan is to now extend further into newer verticals where it’s started to see more activity more recently: pharmaceuticals, life sciences and manufacturing. Dtex says that over the past 12 months, 80% of its top customers have been increasing their level of engagement with the startup.

Dtex’s focus on “insider” threats sounds slightly sinister at first. Is the implication here that people are more dishonest and nefarious these days and thus need to be policed and monitored much more closely for wrongdoing? The answer is no. There are no more dishonest people today than there ever have been, but there are a lot more opportunities to make mistakes that result in security breaches.

The working world has been on a long-term trend of becoming increasingly digitised in all of its interactions, and bringing on a lot more devices onto those networks. Across both “knowledge” and front-line workers, we now have a vastly larger number of devices being used to help workers do their jobs or just keep in touch with the company as they work, with many of them being brought by the workers themselves rather than being provisioned by the companies. There has also been a huge increase in cloud services,

And in the realm of “knowledge” workers, we’re seeing a lot more remote or peripatetic working, where people don’t have fixed desks and often work outside the office altogether — something that has skyrocketed in recent times with stay-at-home orders put in place to mitigate the spread of COVID-19 cases.

All of this translates into a much wider threat “horizon” within organizations themselves, before even considering the sophistication of external malicious hackers.

And the current state of business has exacerbated that. Mahbod tells us that Dtex is currently seeing spikes in unusual activity from the rise in home workers, who sometimes circumvent VPNs and other security controls, thus committing policy violations; as well as more problems arising from the fact that home networks have been compromised and that is leaving work networks, accessed from home, more vulnerable. These started, he said, with COVID-19 phishing attacks but have progressed to undetected malware from drive-by downloads.

And, inevitably, he added that there has been a rise in intentional data theft and accidental loss arising in cases where organizations have had to lay people off or run a round of furloughs, but might still result from negligence rather than intentional actions.

There are a number of other cybersecurity companies that provide ways to detect insider threats — they include CloudKnox and Obsidian Security, along with a number of larger and established vendors. But Mabhod says that Dtex “is the only company with ‘next-generation’ capabilities that are cloud-first, AI/ML baked-in, and enterprise scalable to millions of users and devices, which it sells as DMAP+.

“Effectively, Next-Gen Insider Threat solutions must replace legacy Insider Threat point solutions which were borne out of the UAM, DLP and UEBA spaces,” he said.

Those providing legacy approaches of that kind include Forcepoint with its SureView product and Proofpoint with its ObserveIT product. Interestingly, CyberX, which is currently in the process of getting acquired by Microsoft (according to reports and also our sources), also includes insider threats in its services.

This is one reason why investors have been interested.

“Dtex has built a highly scalable platform that utilizes a cloud-first, lightweight endpoint architecture, offering clients a number of use cases including insider threat prevention and business operations intelligence,” said Thorsten Claus, partner, Northgate Capital, in a statement. Northgate has a long list of enterprise startups in its portfolio that represent potential customers but also a track record of experience in assessing the problem at hand and building products to address it. “With Dtex, we have found a fast-growing, long-term, investible operation that is not just a band-aid collection of tools, which would be short-lived and replaced.”

As cybercrime continues to evolve and expand, a startup that is building a business focused on endpoint security has raised a big round of funding. SentinelOne — which provides a machine learning-based solution for monitoring and securing laptops, phones, containerised applications and the many other devices and services connected to a network — has picked up $200 million, a Series E round of funding that it says catapults its valuation to $1.1 billion.

The funding is notable not just for its size but for its velocity: it comes just eight months after SentinelOne announced a Series D of $120 million, which at the time valued the company around $500 million. In other words, the company has more than doubled its valuation in less than a year — a sign of the cybersecurity times.

This latest round is being led by Insight Partners, with Tiger Global Management, Qualcomm Ventures LLC, Vista Public Strategies of Vista Equity Partners, Third Point Ventures and other undisclosed previous investors all participating.

Tomer Weingarten, CEO and co-founder of the company, said in an interview that while this round gives SentinelOne the flexibility to remain in “startup” mode (privately funded) for some time — especially since it came so quickly on the heels of the previous large round — an IPO “would be the next logical step” for the company. “But we’re not in any rush,” he added. “We have one to two years of growth left as a private company.”

While cybercrime is proving to be a very expensive business (or very lucrative, I guess, depending on which side of the equation you sit on), it has also meant that the market for cybersecurity has significantly expanded.

Endpoint security, the area where SentinelOne concentrates its efforts, last year was estimated to be around an $8 billion market, and analysts project that it could be worth as much as $18.4 billion by 2024.

Driving it is the single biggest trend that has changed the world of work in the last decade. Everyone — whether a road warrior or a desk-based administrator or strategist, a contractor or full-time employee, a front-line sales assistant or back-end engineer or executive — is now connected to the company network, often with more than one device. And that’s before you consider the various other “endpoints” that might be connected to a network, including machines, containers and more. The result is a spaghetti of a problem. One survey from LogMeIn, disconcertingly, even found that some 30% of IT managers couldn’t identify just how many endpoints they managed.

“The proliferation of devices and the expanding network are the biggest issues today,” said Weingarten. “The landscape is expanding and it is getting very hard to monitor not just what your network looks like but what your attackers are looking for.”

This is where an AI-based solution like SentinelOne’s comes into play. The company has roots in the Israeli cyberintelligence community but is based out of Mountain View, and its platform is built around the idea of working automatically not just to detect endpoints and their vulnerabilities, but to apply behavioral models, and various modes of protection, detection and response in one go — in a product that it calls its Singularity Platform that works across the entire edge of the network.

“We are seeing more automated and real-time attacks that themselves are using more machine learning,” Weingarten said. “That translates to the fact that you need defence that moves in real time as with as much automation as possible.”

SentinelOne is by no means the only company working in the space of endpoint protection. Others in the space include Microsoft, CrowdStrike, Kaspersky, McAfee, Symantec and many others.

But nonetheless, its product has seen strong uptake to date. It currently has some 3,500 customers, including three of the biggest companies in the world, and “hundreds” from the global 2,000 enterprises, with what it says has been 113% year-on-year new bookings growth, revenue growth of 104% year-on-year and 150% growth year-on-year in transactions over $2 million. It has 500 employees today and plans to hire up to 700 by the end of this year.

One of the key differentiators is the focus on using AI, and using it at scale to help mitigate an increasingly complex threat landscape, to take endpoint security to the next level.

“Competition in the endpoint market has cleared with a select few exhibiting the necessary vision and technology to flourish in an increasingly volatile threat landscape,” said Teddie Wardi, managing director of Insight Partners, in a statement. “As evidenced by our ongoing financial commitment to SentinelOne along with the resources of Insight Onsite, our business strategy and ScaleUp division, we are confident that SentinelOne has an enormous opportunity to be a market leader in the cybersecurity space.”

Weingarten said that SentinelOne “gets approached every year” to be acquired, although he didn’t name any names. Nevertheless, that also points to the bigger consolidation trend that will be interesting to watch as the company grows. SentinelOne has never made an acquisition to date, but it’s hard to ignore that, as the company to expand its products and features, that it might tap into the wider market to bring in other kinds of technology into its stack.

“There are definitely a lot of security companies out there,” Weingarten noted. “Those that serve a very specific market are the targets for consolidation.”

Immersive Labs, a cybersecurity skills platform, has raised $40 million in its Series B, the company’s second round of funding this year following an $8 million Series A in January.

Summit Partners led the fundraise, with Goldman Sachs participating, the Bristol, U.K.-based company confirmed.

Immersive, led by former GCHQ cybersecurity instructor James Hadley, helps corporate employees learn new security skills by using real, up-to-date threat intelligence in a “gamified” way. Its cybersecurity learning platform uses a variety of techniques and psychology to build up immersive and engaging cyber war games to help IT and security teams learn. The platform aims to help users better understand cybersecurity threats, like detecting and understanding phishing and malware reverse-engineering.

It’s a new take on cybersecurity education, as the company’s founder and chief executive Hadley said the ever-evolving threat landscape has made traditional classroom training “obsolete.”

“It creates knowledge gaps that increase risk, offer vulnerabilities and present opportunities for attackers,” said Hadley.

The company said it will use the round to expand further into the U.S. and Canadian markets from its North American headquarters in Boston, Mass.

Since its founding in 2017, Immersive already has big customers to its name, including Bank of Montreal and Citigroup, on top of its U.K. customers, including BT, the National Health Service and London’s Metropolitan Police.

Goldman Sachs, an investor and customer, said it was “impressed” by Immersive’s achievements so far.

“The platform is continually evolving as new features are developed to help address the gap in cyber skills that is impacting companies and governments across the globe,” said James Hayward, the bank’s executive director.

Immersive said it has 750% year-over-year growth in annual recurring revenues and more than 100 employees across its offices.

Cybereason, which uses machine learning to increase the number of endpoints a single analyst can manage across a network of distributed resources, has raised $200 million in new financing from SoftBank Group and its affiliates. 

It’s a sign of the belief that SoftBank has in the technology, since the Japanese investment firm is basically doubling down on commitments it made to the Boston-based company four years ago.

The company first came to our attention five years ago when it raised a $25 million financing from investors, including CRV, Spark Capital and Lockheed Martin.

Cybereason’s technology processes and analyzes data in real time across an organization’s daily operations and relationships. It looks for anomalies in behavior across nodes on networks and uses those anomalies to flag suspicious activity.

The company also provides reporting tools to inform customers of the root cause, the timeline, the person involved in the breach or breaches, which tools they use and what information was being disseminated within and outside of the organization.

For co-founder Lior Div, Cybereason’s work is the continuation of the six years of training and service he spent working with the Israeli army’s 8200 Unit, the military incubator for half of the security startups pitching their wares today. After his time in the military, Div worked for the Israeli government as a private contractor reverse-engineering hacking operations.

Over the last two years, Cybereason has expanded the scope of its service to a network that spans 6 million endpoints tracked by 500 employees, with offices in Boston, Tel Aviv, Tokyo and London.

“Cybereason’s big data analytics approach to mitigating cyber risk has fueled explosive expansion at the leading edge of the EDR domain, disrupting the EPP market. We are leading the wave, becoming the world’s most reliable and effective endpoint prevention and detection solution because of our technology, our people and our partners,” said Div, in a statement. “We help all security teams prevent more attacks, sooner, in ways that enable understanding and taking decisive action faster.”

The company said it will use the new funding to accelerate its sales and marketing efforts across all geographies and push further ahead with research and development to make more of its security operations autonomous.

“Today, there is a shortage of more than three million level 1-3 analysts,” said Yonatan Striem-Amit, chief technology officer and co-founder, Cybereason, in a statement. “The new autonomous SOC enables SOC teams of the future to harness technology where manual work is being relied on today and it will elevate  L1 analysts to spend time on higher value tasks and accelerate the advanced analysis L3 analysts do.”

Most recently the company was behind the discovery of Operation SoftCell, the largest nation-state cyber espionage attack on telecommunications companies. 

That attack, which was either conducted by Chinese-backed actors or made to look like it was conducted by Chinese-backed actors, according to Cybereason, targeted a select group of users in an effort to acquire cell phone records.

As we wrote at the time:

… hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records — including times and dates of calls, and their cell-based locations — on at least 20 individuals.

Researchers at Boston-based Cybereason, who discovered the operation and shared their findings with TechCrunch, said the hackers could track the physical location of any customer of the hacked telcos — including spies and politicians — using the call records.

Lior Div, Cybereason’s co-founder and chief executive, told TechCrunch it’s “massive-scale” espionage.

Call detail records — or CDRs — are the crown jewels of any intelligence agency’s collection efforts. These call records are highly detailed metadata logs generated by a phone provider to connect calls and messages from one person to another. Although they don’t include the recordings of calls or the contents of messages, they can offer detailed insight into a person’s life. The National Security Agency  has for years controversially collected the call records of Americans from cell providers like AT&T and Verizon (which owns TechCrunch), despite the questionable legality.

It’s not the first time that Cybereason has uncovered major security threats.

Back when it had just raised capital from CRV and Spark, Cybereason’s chief executive was touting its work with a defense contractor who’d been hacked. Again, the suspected culprit was the Chinese government.

As we reported, during one of the early product demos for a private defense contractor, Cybereason identified a full-blown attack by the Chinese — 10,000 thousand usernames and passwords were leaked, and the attackers had access to nearly half of the organization on a daily basis.

The security breach was too sensitive to be shared with the press, but Div says that the FBI was involved and that the company had no indication that they were being hacked until Cybereason detected it.

In an era of massive data breaches, most recently the Capital One fiasco, the risk of a cyberattack and the costly consequences are the top existential threat to corporations big and small. At TechCrunch’s first-ever enterprise-focused event (p.s. early-bird sales end August 9), that topic will be front and center throughout the day.

That’s why we’re delighted to announce United’s chief information security officer Emily Heath will join TC Sessions: Enterprise in San Francisco on September 5, where we will discuss and learn how one of the world’s largest airlines keeps its networks safe.

Joining her to talk enterprise security will be a16z partner Martin Casado and DUO / Cisco’s head of advisory CISOs Wendy Nather, among others still to be announced.

At United, Heath oversees the airline’s cybersecurity program and its IT regulatory, governance and risk management.

The U.S.-based airline has more than 90,000 employees serving 4,500 flights a day to 338 airports, including New York, San Francisco, Los Angeles and Washington, D.C.

A native of Manchester, U.K., Heath served as a former police detective in the U.K. Financial Crimes Unit where she led investigations into international investment fraud, money laundering and large scale cases of identity theft — and ran joint investigations with the FBI, SEC and London’s Serious Fraud Office.

Heath and her teams have been the recipients of CSO Magazine’s CSO50 Awards for their work in cybersecurity and risk.

At TC Sessions: Enterprise, Heath will join a panel of cybersecurity experts to discuss security on enterprise networks large and small — from preventing data from leaking to keeping bad actors out of their network — where we’ll learn how a modern CSO moves fast without breaking things.

Join hundreds of today’s leading enterprise experts for this single-day event when you purchase a ticket to the show. The $249 early-bird sale ends Friday, August 9. Make sure to grab your tickets today and save $100 before prices go up.

In June of this year, Chinese hackers managed to install software into the networks of a contractor for the U.S. Navy and steal information on a roughly $300 million top-secret submarine program.

Two years ago, hackers infiltrated the networks of a vendor servicing the Australian military and made off with files containing a trove of information on Australian and U.S. military hardware and plans. That hacker stole roughly 30 gigabytes of data, including information on the nearly half-a-trillion dollar F-35 Joint Strike Fighter program.

Third-party vendors, contractors and suppliers to big companies have long been the targets for cyber thieves looking for access to sensitive data, and the reason is simple. Companies don’t know how secure their suppliers really are and can’t take the time to find out.

“The Department of Defense can have the best cybersecurity on the planet, but when that moves off to a subcontractor how can the DOD know how the subcontractor is going to protect that data?” says Kelly White, the chief executive of RiskRecon, a new firm that provides audits of vendors’ security profile. 

The problem is one that the Salt Lake City-based executive knew well. White was a former security executive for Zion Bank Corporation after spending years in the cybersecurity industry with Ernst & Young and TrueSecure — a Washington, DC-based security vendor.

When White began work with Zion, around 2 percent of the company’s services were hosted by third parties; less than five years later and that number had climbed to over 50 percent. When White identified the problem in 2010, he immediately began developing a solution on his own time. RiskRecon’s chief executive estimates he spent 3,000 hours developing the service between 2010 and 2015, when he finally launched the business with seed capital from General Catalyst .

And White says the tools that companies use to ensure that those vendors have adequate security measures in place basically boiled down to an emailed checklist that the vendors would fill out themselves.

That’s why White built the RiskRecon service, which has just raised $25 million in a new round of funding led by Accel Partners with participation from Dell Technologies Capital, General Catalyst and F-Prime Capital, Fidelity Investments’ venture capital affiliate.

The company’s software looks at what White calls the “internet surface” of a vendor and maps the different ways in which that surface can be compromised. “We don’t require any insider information to get started,” says White. “The point of finding systems is to understand how well an organization is managing their risk.”

White says that the software does more than identify the weak points in a vendor’s security profile, it also tries to get a view into the type of information that could be exposed at different points on a network.

According to White, the company has more than 50 customers among the Fortune 500 that are already using his company’s services across industries like financial services, oil and gas and manufacturing.

The money from RiskRecon’s new round will be used to boost sales and marketing efforts as the company looks to expand into Europe, Asia and further into North America.

“Where there’s not transparency there’s often poor performance,” says White. “Cybersecurity has gone a long time without true transparency. You can’t have strong accountability without strong transparency.”