Azure Vulns, Vendor Layoffs, Rob Lee, & Bye Bye Internet Explorer – ESW #277
This week, in the Enterprise News:
- Vanta raises a $110M Series B to automate SOC 2, ISO, PCI and other compliance efforts
- Immuta raises a $100M Series E for secure data access (an everything-old-is-new-again market that’s exploding)
- Perimeter 81 raises $100M Series C and becomes a unicorn - You get a VPN! I get a VPN! Everyone gets a VPN!
- Over a dozen other vendors raise funding!
- IBM acquires EASM vendor, Randori
- Another Azure vulnerability allowing tenancy escapes
- Microsoft’s Purview goes beyond DLP and gets into the pre-crime business
- Half a dozen cybersecurity vendor layoff announcements!
- We discuss the controversy around Rob Lee’s involvement with developing federal standards for critical infrastructure protection, and we say farewell (and good riddance) to Internet Explorer… but not really
Then, after the news, we’re going to air some segments recorded at the RSA conference last week.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
- 1. FUNDING: Announcing Vanta’s $110 Million Series B
  Vanta raises a $110M Series B to automate SOC 2, ISO, PCI and other compliance efforts
- 2. FUNDING: Immuta’s $100M Series E Funding and Why We’re the Leader in Secure Data Access
  Immuta raises a $100M Series E for secure data access (an everything-old-is-new-again market that’s exploding)
- 3. FUNDING: Perimeter 81 Secures $100 Million Series C Funding Led By B Capital, Leading to $1 Billion Valuation
  Everyone's reaction, basically: "$100M for a VPN?". I'm sure this is somewhat unfair, but $100M and $1B+ funding definitely seems like a stretch in the seller-saturated and unproven market fit that is the SASE/ZTNA space.
- 4. FUNDING: AppOmni raises $70M to find and secure vulnerabilities in SaaS app stacks – TechCrunch
  AppOmni is part of what I've been calling the CASBv2 market - focused on discovering and managing security concerns around corporate and shadow SaaS use.
- 5. FUNDING: Good Day Sunshine – HYCU Raises $53M Series B
- 6. FUNDING: Vendor Security Leader Whistic Announces $35 Million Series B Funding Round Led by JMI Equity
- 7. FUNDING: CybSafe Raises $28M Series B Funding Round as It Eyes Up Global Leadership
- 8. FUNDING: Keeping data safe in cloud lands $22.5 million debt funding for Keepit
- 9. FUNDING: GreyNoise to expand its threat intel collection after securing $15M in funding – TechCrunch
- 10. FUNDING: Flare Raises CAD$9.5M in Series A Funding
- 11. FUNDING: 443ID Emerges from Stealth, Announces $8 Million in Seed Funding to Bring Open Source Intelligence to Identity Management
- 12. FUNDING: HackNotice Closes $7 million Series A Funding Round Led by Strategic Cyber Ventures.
- 13. FUNDING: Cybersecurity startup SubCom raises $1 million in funding led by YourNest
- 14. FUNDING: ORNA Inc. Raises Over $1 Million In Seed Funding To Revolutionize Cyber Incident Response
- 15. ACQUISITIONS: Forescout Announces Intent to Acquire Cysiv to Deliver Data-Powered Threat Detection and Response
- 16. ACQUISITIONS: IBM Tackles Growing Attack Surface Risks with Plans to Acquire Randori
- 17. VULNERABILITIES: SynLapse – Technical Details for Critical Azure Synapse Vulnerability
  YAAE (Yet Another Azure Escape)
- 18. NEW FEATURES: Microsoft Purview’s new classifiers detect sexual harassment and more in Teams and emails
  Microsoft Purview appears to be a collection of DLP and NLP functionality that aims to detect compliance or policy issues in data. The existing list of Purview classifications is what you'd expect to find in any DLP product: a pile of regex for detecting PII or financial data for nearly every country on earth: https://docs.microsoft.com/en-us/azure/purview/supported-classifications
  The NLP bit, which is on Microsoft's roadmap (which doesn't necessarily mean it will ever hit production), is a bit more troubling though. Classifiers include:
    - Leavers: people planning to leave the organization
    - Sexual harassment
    - Corporate sabotage: intentional destruction of corporate assets
    - Gifts and entertainment: accepting bribes
    - Money laundering
    - Stock manipulation
    - Unauthorized disclosure
    - Workplace collusion: price fixing, sharing of trade secrets, etc.
  We know DLP is traditionally insanely false-positive prone. If these NLP classifiers are anywhere near that same level of false positives, they could easily be abused, misunderstood, and misused. False positives are a bit more dangerous when they're inaccurately pointing a finger at an employee.
- 19. LAYOFFS: OneTrust Organizational Update
  OneTrust laying off 25% of its workforce, around 950 employees. The largest cybersecurity layoff we've seen this year, but unlikely to be the last...
- 20. LAYOFFS: $1.47 billion identity startup ID.me, which closed deals with unemployment agencies and the IRS, lays off staff after growth spurt
  ID.me lays off 130 employees
- 21. LAYOFFS: Cybereason laying off 100 employees in Israel, U.S. and Europe
  https://www.calcalistech.com/ctechnews/article/s1zg60v005
- 22. LAYOFFS: Automox announces a second round of layoffs
  2 months after Automox's first round of layoffs (11% of its workforce) comes its second round (rumored to be an additional 75-100 employees).
- 23. LAYOFFS: Exclusive: Cybersecurity Company Deep Instinct Cuts Staff As Tech Layoffs Continue
  Around 37 employees laid off by Deep Instinct
- 24. LAYOFFS: Tripwire’s new owner lays off dozens, three months after buying the Portland tech company
- 25. LAYOFFS: Job cuts hit cybersecurity industry despite surging growth from ransomware attacks
  The title's suggestion that somehow, cybersecurity markets should be connected to trends in cybercrime and not actual business market forces is totally wrong, but that's just the age we live in these days. Clickbait. Before we even get to the article proper, the key points admit that these layoffs are due to market forces that have nothing to do with cybercrime trends or ransomware trends. Is there irony in the fact that the cybersecurity market has enjoyed a meteoric rise in value that matches the rise in cybercrime profits? Probably. We might want to look into that.
- 26. CONTROVERSY: Cyber CEO’s US Advisory Work Echoed Sales Pitch His Firm Uses
  Competitors complain that Dragos's founder manipulated government efforts to organize and standardize efforts to shore up the defenses of critical infrastructure providers. It is a contentious topic. To those of us used to "vendors vendoring", we're not terribly surprised. Vendors have been trying to insert sales pitches for their products into standards and legislation since cybersecurity standards and legislation have existed. I wouldn't be surprised if some vendors have employees dedicated to this specific purpose - getting on standards review panels, donating their 'expertise', and participating in rounds of comments on standards before they're finalized. Perhaps what makes this situation different is that cybersecurity vendors focused on critical infrastructure are still relatively new, and the folks on the federal side dealing with vendors aren't experienced in spotting and filtering out vendors' attempts to slide in subtle sales pitches. It's an area that deserves more scrutiny and transparency, as self-serving language in standards is more likely to hamper security efforts than help them, in a holistic sense.
- 27. SQUIRREL: The Floppotron 3.0 » Silent’s Homepage
- 28. SQUIRREL: Google engineer put on leave claims AI bot LaMDA became ‘sentient’
  https://nypost.com/2022/06/12/google-engineer-blake-lemoine-claims-ai-bot-became-sentient/
- 29. SQUIRREL: RIP Internet Explorer – j/k, Welcome to Zombie IE
  We all know a loss of support doesn't mean much - many enterprises will still have niche needs for Internet Explorer far beyond today's end of support date. They're either unable (e.g. due to third-party requirements) or unwilling to pay down the tech debt that puts them in this position, but the chance that continued IE use will bite them will continue to increase with time. For now, we'll celebrate IE's 27 year run with some of the most entertaining Twitter tributes to one of the original browsers that allowed us to navigate the Internet.
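The DLP point in item 18 above (regex-driven classifiers being "insanely false-positive prone") is easy to see concretely. The following is an added example, not code from the show notes and not Microsoft's Purview implementation: a minimal "credit card number" classifier of the regex kind, run over a handful of constructed messages, first as a bare pattern match and then with a Luhn checksum added as a validation step. The sample messages, the regex, and the function names are all assumptions made for the demonstration.

```python
import re

# Constructed sample messages (not taken from the page). Only the first line
# contains a real (test) card number; the rest are 16-digit look-alikes of the
# kind a bare regex classifier flags: a tracking id, a timestamp, a serial.
SAMPLES = [
    ("Please charge 4111 1111 1111 1111 for the renewal", True),
    ("Shipment tracking id 1234567812345678 left the depot", False),
    ("Event ts=2022061312000000 seen by the collector", False),
    ("Device serial 9999 8888 7777 6666 replaced under warranty", False),
    ("Lunch is at noon, bring the slides", False),
]

# The kind of pattern a DLP "credit card" classifier starts from:
# 16 digits, optionally separated by spaces or dashes (assumed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes it; most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str, validate: bool = True) -> list:
    """Return the digit strings the classifier would flag in one message."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate(samples, validate: bool) -> dict:
    """Count true/false positives over labelled samples and compute precision."""
    tp = fp = fn = 0
    for text, contains_card in samples:
        flagged = bool(classify(text, validate))
        if flagged and contains_card:
            tp += 1
        elif flagged and not contains_card:
            fp += 1
        elif not flagged and contains_card:
            fn += 1
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision}


if __name__ == "__main__":
    # Regex only: 1 true positive, 3 false positives (precision 0.25).
    # Regex + Luhn: 1 true positive, 0 false positives (precision 1.0).
    for validate in (False, True):
        label = "regex + luhn" if validate else "regex only"
        print(label, evaluate(SAMPLES, validate))
```

On these five messages the bare pattern flags four of them and is right once; the checksum step discards the three look-alikes without losing the real hit. The NLP classifiers item 18 worries about have no equivalent cheap structural check, which is the reason their false positives are harder to contain than a regex rule's.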