Getting Vulnerability Management Back on the Rails – Patrick Garrity – ESW #356
NVD checked out, then they came back? Maybe?
Should the xz backdoor be treated as a vulnerability?
Is scan-driven vulnerability management obsolete when it comes to alerting on emerging threats?
What were some of the takeaways from the first-ever VulnCon?
EPSS is featured in over 100 security products, but is it properly supported by those that benefit from it?
How long do defenders have from the moment a vulnerability is disclosed to patch or mitigate it before working exploits are ready and in the wild?
There's SO much going on in the vulnerability management space, but we'll try to get to the bottom of some of in in this episode. In this interview, we talk to Patrick Garrity about the messy state of vulnerability management and how to get it back on the rails.
Segment Resources:
Patrick Garrity is a security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors. Having worked in the cybersecurity professional with over 15 years of experience in security research, marketing, sales, and product roles for high-growth SaaS cybersecurity startups including VulnCheck, Nucleus Security, Blumira, Censys and Duo Security.
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcasts feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
Have you heard about AI? Lots of AI news. Also, RSA conference, and RooBadges! – ESW #356
As we near RSA conference season, tons of security startups are coming out of stealth! The RSA Innovation Sandbox has also announced the top 10 finalists, also highlighting early stage startups that will be at the show.
In this week's news segment,
- We discuss the highlights of the Cyber Safety Review Board's detailed and scathing report on Microsoft's 2023 breach
- We spend a bit of time on the xz backdoor, but not too much, as it has been covered comprehensively elsewhere
- We discover half a dozen of the latest startups to receive funding or come out of stealth: Coro, Skyflow, Zafran, Permiso, Bedrock Security, Abstract Security, and Sandfly
- Apple is reportedly going to have some big AI announcements this summer, and we discuss how overdue voice assistants are for an LLM makeover.
- Finally, we discuss the amazing innovation that is the Volkswagen RooBadge!
By the way, the thumbnail is a reference to the xz backdoor link we include in the show notes: https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
We’d like to invite our listeners to be part of our prestigious 2024 SC Awards! Entries are officially open.
The SC Awards continue to serve as a beacon of excellence, recognizing the industry’s best solutions, organizations, and people that are advancing information security. This year, there are 34 categories, many updated to reflect trends in artificial intelligence, cloud security and continuous threat exposure management. This is your chance to shine among the brightest in the cybersecurity world.
Take advantage of the early bird rate by April 12! Visit securityweekly.com/scawards to submit your entries by May 31st!
Adrian Sanabria
- FUNDING: Coro Secures $100 Million Funding Round To Drive Aggressive Growth To Transform Cybersecurity For SMEs
$100M Series D, led by One Peak. This brings funding to a total of $255M in the last 2 years for the startup. It's easy to see why they need the money. Going after the SME market requires resources, channel partners, and a product that checks a lot of boxes.
It looks like that's exactly what they're trying to execute on - their platform has modules for endpoint security, email security, and cloud app protection. There's a SASE offering, and managed offerings for all of the aforementioned modules.
- FUNDING: Skyflow Raises $30M in Extended Series B
$30M Series B led by Khosla Ventures. Described as a "data privacy vault" company, it definitely looks like Skyflow is going after some of the core concerns that exist between GenAI services and customers. What's not clear is how this solution works, exactly. The company's website suggests a tool that reminds me of data-focused CASB products like CipherCloud and Perspecsys. It sounds like the intent is to:
- detect sensitive data
- "de-identify it" (sounds like tokenization, maybe?)
- polymorphic encryption is mentioned - maybe as an alternative to tokenization? Is polymorphic encryption similar to homomorphic encryption?
- audit it
It sounds like it would have to be in-line, would need some modern DLP classifiers, tokenization tech, and encryption tech to do all this. It is certainly possible - the CASB market built a ton of these tools a decade ago. I'm curious as to why and how this product will be different. Would be interesting to have a chat with them.
- FUNDING: Zafran Emerges from Stealth with Over $30M as the First Risk and Mitigation Platform to Fight Threat Exploitation
$30M Series A led by Sequoia Capital and Cyberstarts. "Zafran Risk & Mitigation Platform defuses threat exploitation by mobilizing existing security tools"
Intriguing, but I'm still trying to zero in on exactly what they do. Direct competitor with VulnCheck?
- FUNDING: Permiso Raises $18.5M Series A To Unify Threat Detection and Response In The Cloud
$18.5M Series A led by Altimeter Capital. Permiso claims to help detect and defend against identity-based cloud attacks, which is a great product to be selling at the moment, as the CSRB review of Microsoft's 2023 email breach points to a lack of identity security as the core of the problem. The product comes across as a detection/response product for the cloud (with "over 200 detection signals").
Also, the website is delightful. Well done to whomever came up with this design, it REALLY stands out in all the best ways.
- FUNDING: Bedrock Security Unveils the Industry’s First Frictionless Data Security Platform, Announces $10 Million in Seed Funding
$10M Seed round led by Greylock. Great timing, as this funding announcement comes around the same time that they're announced as an Innovation Sandbox finalist!
They're aiming to help with data security, particularly around LLMs.
- FUNDING: Abstract Security Emerges from Stealth; Raises $8.5M to Forge the Complete AI-Powered Data Streaming Platform for Security
$8.5M Seed round led by Crosslink Capital. Focused on security analytics and SIEM replacement? Suggesting that alert data should be streamed and analyzed in real time, not stored and queried. SIEMs already do this, but additionally store it because most folks have retention requirements. Just look at the state of Microsoft in this CSRB report!
Looks interesting though, I'd love to learn more about what they're doing here.
- FUNDING: Sandfly Security Secures Funding from Gula Tech Adventures & Sorenson Capital
Oversubscribed $8.5M seed round led by Crosslink Capital, Rally Ventures, and Liquid 2 Ventures. AI-powered SIEM? "Next-gen SIEM is not a SIEM" <- okay, you've got my attention. "Legacy SIEM isn't providing business value" <- okay, now you've REALLY got my attention. Appears to be analyzing security event/log data in real time using AI, rather than storing and querying it?
Looks very interesting, I'd love to learn more.
- FUNDING: Sprocket Secures $8 Million in Series A Financing
$8M Series A led by Blueprint Equity. Continuous pentesting solution.
- FUNDING: StealthMole raises $7M Series A for its AI-powered dark web intelligence platform
$7M Series A led by Korea Investment Partners. Singapore-based with R&D in South Korea. Darkweb intel startup.
- FUNDING: SydeLabs raises $2.5M seed to develop an intent-based firewall guard for AI
$2.5M seed round led by RTP Global and Picus Capital. Reportedly helps developers "stay clear of LLM vulnerabilities, including the lesser-known ones" throughout the dev lifecycle. Has 3 AI-focused products. The first is in beta now, and the others are labeled "Coming Soon":
- SydeBox: seems like a fuzzer/automated QA tester for LLM-enabled apps
- SydeGuard: reviews prompts for threats, and assigns a risk score - no automated blocking at the moment, just logs the data for analysts to review, and gives options to block, monitor, do nothing, or use a honeypot to deceive the user into thinking nothing was done
- SydeComply: "Dynamic Compliance Gap Assessment"
Competes with other LLM security-focused vendors, like Lakera and Prompt Security
Syde note (ha) - very cool Transformers vibe, VentureBeat!
- FUNDING: Desilo, a Korean Security Startup, Secures Investment with Homomorphic Encryption Tech
Undisclosed round from SV Investment and the Korea Development Bank. They have a product called the "Desilo Data Cleanroom" that appears to be using homomorphic encryption.
- ACQUISITIONS: Flare Acquires Foretrace to Accelerate Threat Exposure Management Growth – Flare
Montreal-based Flare picks up US-based Foretrace. This deal seems to be all about EASM, though the press release mentions "Threat Exposure Management" (TEM).
- NEW PRODUCTS: Introducing umbrelOS 1.0: The ultimate home cloud OS
A very tempting, feature-filled "personal cloud" product. The attack surface on these things always makes me nervous though - there have been no shortage of personal/small business NAS devices getting ransomed over the years.
- BREACH REPORT: Cyber Safety Review Board – Review of the Summer 2023 Microsoft Exchange Online Intrusion
A comprehensive report that pulls no punches on perceived inadequacy in Microsoft's security culture, controls, and programs. TL;DR - the board recommends that Microsoft take their foot off the innovation gas and start pumping the security brakes.
I'll be writing up a full essay/post with my thoughts after I finish reading the full report.
- ESSAYS: Unveiling the Art of Mastering Vulnerability Management in Cybersecurity
I did a bit of a doubletake at this one. Vulnerability management has been going through a lot of chances, and one of the key ones is the traditional vuln mgmt process. As we'll likely talk about in the interview with Patrick Garrity before this news segment, the traditional scan-driven approach just takes too long to be useful for defending against emerging threats.
This essay does a good job of capturing the traditional approach to vuln mgmt, which still works for compliance and regulatory use cases, where vulnerabilities must be fixed, even if they aren't currently a risk. But most orgs I talk to today are moving towards an intelligence-driven approach, or just doing away with vuln mgmt as a process, preferring to fully automate patching instead (at least, for COTS systems, this doesn't work for in-house applications, obviously).
- ESSAYS: The Two-Headed SIEM Monster
A great analysis of the current state of the SIEM market, and the dilemmas buyers are having to deal with, as the market goes through growing pains.
- ESSAYS: It’s Time for a Microsoft Trustworthy Cloud Initiative – Securosis
Rich Mogul, analyst and longtime cloud security expert does a great job of summarizing what we've all been talking about for a while: Microsoft has really been dropping the ball with regards to security in Azure, and Azure-dependent products, and it has GOT to change.
- RSAC: Innovation Sandbox
We're getting close to RSAC, which means we get to start talking about my favorite part of the conference: Innovation Sandbox! This is a competition where hundreds of startups submit videos and the top 10 are chosen to compete in-person at RSAC. Each startup will have 3 minutes to pitch a panel of judges (and a fairly large audience), and then have a few minutes to answer some of the judges' questions.
It's a hugely entertaining event, and I look forward to it every year!
This year, we've got:
- Aembit: "The First Workload Identity and Access Management Platform", "Manage Access, Not Secrets"
- Antimatter: "The Sensitive Data Platform", "Define policies for LLMs"
- Bedrock Security: "Frictionless Data Security", "Use GenAI Safely"
- Dropzone AI: "AI SOC Analysts that never sleep. So you can."
- Harmonic: "Accelerate secure AI adoption without risking the security and privacy of your data."
- Mitiga: "Cloud Incident Response"
- P0 Security: "Access is our Priority Zero", "Secure cloud access for all identities - human and machine - without disrupting developer workflows."
- RAD Security: "Behavioral Cloud Native Detection and Response"
- Reality Defender: "Leveraging AI to detect AI-generated threats"
- VulnCheck: "Exploit Intelligence for Vulnerability Prioritization"
- GOOD NEWS: The market is forcing cloud vendors to relax data egress fees
What's this? Good news? CSPs are relaxing egress fees? What's the catch? The article calls it a "change of heart", but I don't buy it. I think there had to be some pain point or lever that forced CSPs to reduce these fees. Perhaps customer pressure finally did it?
- AI NEWS: Apple researchers explore dropping “Siri” phrase & listening with AI instead
Apple is all over the place at the moment. They've promised some AI magic for their event this summer, and they've been releasing their own AI models, while there are rumors that they're in talks with Google to use Gemini on their devices as well. This reminds me a bit of their difficulty in finding anyone to build their now-abandoned self-driving car project. Is Apple just a difficult partner/customer? Too demanding?
We'll have to wait to see what happens this summer, but it seems like Siri is getting shaken up in some way!
- AI NEWS: Intel confirms Microsoft’s Copilot AI will soon run locally on PCs, next-gen AI PCs require 40 TOPS of NPU performance
This will address a lot of privacy and data residency concerns, but there will likely be tradeoffs. With smaller, more performant on-device models, the risk of hallucination may increase. There are also projects to put GPT models entirely into web browser tabs as well, so expect to see a lot more versatility and options when it comes to GenAI implementations.
- AI NEWS: Microsoft customers complain Copilot doesn’t work as well as ChatGPT. Microsoft says they’re not using it right.
To date, I've done nearly 20 advisory calls on Microsoft Copilot, and understanding how to get value out of LLMs is one of the most challenging problems right now. Sure, people are concerned about risks, but a lot of folks don't even see the point of paying $360/year per employee for this tool.
It's a mixture of not understanding the technology, what it's good at, what it's bad at and needing to see lots of examples to get the imagination going on how this tech could be used. "It's a copilot, not an autopilot", one Microsoft employee said, referring to the need to train users on how to write effective prompts.
- RESOURCES: Risk Based Prioritization
A great writeup on risk-based vulnerability management, with lots of examples.
- DUMPSTER FIRE: NVD Program Announcement – Updated
NVD is saved... maybe?
- DUMPSTER FIRE: Technologist vs spy: the xz backdoor debate
There are a LOT of takes on the xz backdoor. This one was written pretty early, so it might be missing some of the latest news, but it's a pretty solid take on the incident and an easy read.
- SQUIRREL: Collin Rugg on X: “Rival monkey gangs are taking over a Thai tourist town…”
Can't make this up. I suspected someone had, but looked a little deeper, and it seems legit.
- SQUIRREL: r/LegalAdviceUK – Someone in IT trolled me for over a decade. Have I any recourse?
Absolutely insane - the most bonkers case of gaslighting I've ever seen. Largely because of how long it was carried out!
- SQUIRREL: Introducing RooBadge
Not an April Fool joke, this is totally serious, and seems like some awesome, potentially life-saving scientific research.
- SQUIRREL: Microsoft 365 admin center tab in Croatian
This doesn't worry me at all. Nope!
