CyberCompare Market Comment #40: Vulnerability Management in Development + EDR Telemetry

Hello everyone,

Looking for original material to spice up awareness trainings? Orange Cyberdefense has produced a film (duration approx. 1 h) about the LockBit attack on the IT service provider Coaxis. Not only does it come with a French accent, it was even shown in some cinemas: a single click, and 350,000 companies are immediately paralyzed. So for once you don’t have to lecture your colleagues loudly yourself.

Since I have spent a large part of my life and working time in factories and on flipcharts, I imagine that modern software development at scale has many parallels to the “Lean” methodology. Lean was originally known as the Toyota Production System but is now part of many management systems in both blue- and white-collar areas. At its core it is about building fast-cycle, cascaded control loops (software counterparts: CI/CD, Agile), which stabilize processes over time by systematically solving problems, i.e., discrepancies between the actual and the target state.

In sufficiently complex systems, novel, headache-inducing error patterns (analogous to software bugs) are simply a fact of life, because some cause-and-effect relationships are unknown and then manifest as seemingly random failures and deviations. And just as waste often remains invisible behind large inventories, it is easy to lose track of vast numbers of code lines and issue tickets. A principle in manufacturing is therefore that the input (the volume of released production orders) must not exceed the capacity of the bottleneck; otherwise, inventory grows without any increase in output. You know this from the office too (not your own, of course): project delayed because of too few people => boss demands reports on it => project takes even longer because the same people are now working on slides.

The déjà vu phenomenon described above (partly age-related) recently hit me again when I read the practical report from Synthesia (app for commercial AI videos, approx. 600 employees) on vulnerability management in development. There, too, new, supposedly critical vulnerabilities were found faster than they could be worked through, so the backlog of open issues grew constantly and they never got “ahead of the wave”.

By changing the processes, the effort for the employees could reportedly be reduced by more than 80%:

  • “Stale repositories” (unused for a long time) are automatically identified, removed from the pipeline and archived read-only => no more vulnerability management for these, which directly reduced the backlog by ~60%
  • Prioritize the remaining repos based on 3 simple questions (“Is customer data processed? Does the customer interact with it? Is it part of the core product?”)
  • Risk acceptance for approx. 30% of the remaining vulnerabilities (via automatic classification) => the dregs of the haystack are disposed of
  • Reduce false positives in SAST via Semgrep Assistant. In a cross-comparison with good security engineers, the tool is reportedly almost always right and still errs on the side of caution, i.e., flags code as insecure when in doubt
  • Findings in SCA (especially libraries) are classified according to accessibility, exploitability (EPSS) and system importance
  • As a result, only a fraction (the top 10-30%) of the findings from SAST and SCA need to be resolved, by a small group of AI agents plus adult supervision:
    • 3 different agents validate whether the bug is really exploitable (apparently ~50% of the vulnerabilities drop out here). In the event of differing assessments, a simple majority decides.
    • Exploitable true positives start a coding agent, which programs a fix, commits it to a new branch and opens the pull request. By the way, AWS already offers the whole workflow out of the box (“Security Agent”), currently even 2 months free of charge.
    • Final step: review by a human programmer
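To make the triage steps above concrete, here is an added illustration (not Synthesia's, Semgrep's or AWS's code): stale repos are archived, the three questions rank the rest, SCA findings are scored by accessibility, EPSS and repo importance, the top slice is kept, and three validator votes decide by simple majority. The repos, findings, staleness threshold and scoring weights are constructed assumptions; the report only names the criteria.

```python
from datetime import date, timedelta

TODAY = date(2026, 4, 1)             # constructed reference date
STALE_AFTER = timedelta(days=365)    # assumed staleness threshold (not from the report)

# Constructed repos: last commit plus the three yes/no questions from the report.
REPOS = {
    "billing-api":    {"last_commit": date(2026, 3, 20), "customer_data": True,  "customer_facing": True,  "core": True},
    "marketing-site": {"last_commit": date(2026, 2, 1),  "customer_data": False, "customer_facing": True,  "core": False},
    "old-prototype":  {"last_commit": date(2023, 5, 5),  "customer_data": False, "customer_facing": False, "core": False},
}
# Constructed SCA findings; agent_votes = three independent "really exploitable?" verdicts.
FINDINGS = [
    {"id": "F1", "repo": "billing-api",    "reachable": True,  "epss": 0.90, "agent_votes": (True, True, False)},
    {"id": "F2", "repo": "billing-api",    "reachable": False, "epss": 0.95, "agent_votes": (True, True, True)},
    {"id": "F3", "repo": "marketing-site", "reachable": True,  "epss": 0.50, "agent_votes": (False, False, True)},
    {"id": "F4", "repo": "old-prototype",  "reachable": True,  "epss": 0.97, "agent_votes": (True, True, True)},
    {"id": "F5", "repo": "marketing-site", "reachable": True,  "epss": 0.80, "agent_votes": (True, False, True)},
]

def archive_stale(repos, today=TODAY, stale_after=STALE_AFTER):
    """Step 1: repos untouched for longer than the threshold leave the pipeline."""
    return {n: r for n, r in repos.items() if today - r["last_commit"] <= stale_after}

def repo_priority(repo):
    """Step 2: the three yes/no questions become a 0-3 importance score."""
    return sum((repo["customer_data"], repo["customer_facing"], repo["core"]))

def finding_score(finding, repos):
    """Step 4: rank by accessibility (reachable code path), EPSS and system importance.
    The weights are assumptions; the report only names the three criteria."""
    reach = 1.0 if finding["reachable"] else 0.2
    return reach * finding["epss"] * (1 + repo_priority(repos[finding["repo"]]))

def majority_exploitable(votes):
    """Step 5: three validator agents, simple majority decides."""
    if len(votes) != 3:
        raise ValueError("expected exactly three validator votes")
    return sum(votes) >= 2

def triage(findings, repos, keep_fraction=0.3):
    """Return the IDs that reach the coding agent: the top slice of ranked findings
    that a majority of validators confirms (findings in stale repos never enter)."""
    live = archive_stale(repos)
    ranked = sorted((f for f in findings if f["repo"] in live),
                    key=lambda f: finding_score(f, live), reverse=True)
    top = ranked[: max(1, round(len(ranked) * keep_fraction))]
    return [f["id"] for f in top if majority_exploitable(f["agent_votes"])]
```

With the constructed data, F4 never enters (stale repo), F2 is demoted despite its high EPSS because the vulnerable code is not reachable, and F3 survives ranking but fails the vote.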

Summa Summarum: sounds good. With the CRA, and also with the prominent supply chain attacks of the last few weeks, vulnerability management in the DevSecOps pipeline that is effective and at the same time affordable is becoming even more important. Anthropic’s announcement of Project Glasswing / Claude Mythos also sounds dramatic. Further hands-on information on the topic is therefore always welcome. One new takeaway for me from TeamPCP Trivy, the npm worm, LiteLLM etc.: don’t reference dependencies and actions by tag (version number), but pin them to a commit SHA (hash).
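As an added example of checking that takeaway (not code from any of the projects named above), a small scan of a GitHub Actions workflow for `uses:` references that point at a tag or branch instead of a full 40-character commit SHA. The workflow text is constructed, and the SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed workflow snippet: one tag reference, one full-SHA pin (placeholder hash,
# with the human-readable version kept as a comment), one local action, one image
# referenced by tag, and one reference to a branch.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v3.8.2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_reference(ref):
    """Return 'local', 'sha' or 'mutable' for one uses: value.
    Only a full 40-hex commit SHA (or an image digest) counts as pinned;
    tags, branches and abbreviated hashes can all move or be re-pointed."""
    if ref.startswith("./"):
        return "local"      # ships with the repository itself, nothing to pin
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "mutable"
    _, _, version = ref.partition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"

def find_unpinned(workflow_text):
    """Return (line_no, reference) for every action not pinned to a hash."""
    unpinned = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_reference(m.group(1)) == "mutable":
            unpinned.append((no, m.group(1)))
    return unpinned

if __name__ == "__main__":
    for no, ref in find_unpinned(WORKFLOW):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
```

Keeping the version as a trailing comment next to the SHA (as on the pinned line) preserves readability and lets dependency-update tooling bump the hash and comment together.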

If you are once again faced with the selection of an EDR system (or wonder where gaps lurk despite EDR), you should take a look at the EDR Telemetry Project by Kostas Tsialemis. A lot has happened here:

  • For Windows, Harfang, Palo Alto, CrowdStrike, Uptycs (better known as a CNAPP), SentinelOne and Microsoft are in the lead, all with roughly comparable scores
  • For Linux, C-Prot (from Turkey) and Uptycs perform much better than all other solutions, which on Linux usually do not recognize whether services are started / changed / stopped, DNS requests are sent or new users are created
  • Also new are tests for macOS, where the specialized Phorion solution is far ahead of the big brands
  • The reliability of the statements is presented transparently:
    • For example, Harfang and PAN provided evidence of the telemetry types, but did not allow access to the tools for the tests (unlike e.g. Microsoft, Elastic or Bitdefender)
    • The executed tests (Atomic Red Team Framework) are public
    • The telemetry categories are explained with examples + mapping on MITRE ATT&CK
    • For many products, it is explained why they were not included in the comparison: for example, Wazuh (SIEM), Tanium (no real-time transmission of endpoint data, but only selectively) or Cisco (no customer access to raw data)
  • The focus of the study continues to be on the fundamental ability to record specific events
  • Not (yet) considered are, for example, actual detection of attacks, signal-to-noise ratio in operation, prevention, endpoint management capabilities, compatibility with Windows Server and older OS versions, processor load or XDR functions. All of this is to become part of the new company edr-comparison.com, which offers purchasing advice as a service.

So, top addition to the MITRE evaluations. By the way, Kostas is not only one of the leading EDR/SIEM experts, but also a member of the Allowlisting Fanclub – still one of the most underestimated approaches to reducing the attack surface.

M&A:

  • Rapid7 acquires Kenzo (SecOps reinforcement by a swarm of AI agents for CTI, Threat Hunting, Detection Engineering + SOC analyses)
  • Databricks acquires SiftD (new SOAR approach from Splunk SQL developer)
  • Fortra acquires Red Team training provider Zero-Point. They had specialized in Cobalt Strike + Outflank, so good addition
  • Tenex.AI is raising US$ 250 million – for managed security services, primarily based on Google SecOps. The money is to be used, among other things, for expansion into Europe. Relying on Google seems to me to be a smart strategy away from the mainstream – with Wiz CNAPP/EDR, Chronicle SIEM and Mandiant TI/IR you have a strong tech stack that has so far been served by only a few MSSPs
  • Depthfirst (AppSec) gets $80 million
  • Censys also still exists – now with 70 million more in Debt+Equity, which is to be invested primarily in ASM product development
  • Firmware security specialist Eclypsium gets another 25 million

Conversations with providers:

Orion:

  • Israeli startup for DLP
  • ~20 enterprise customers, esp. US Banks/Insurance Companies
  • Relies on AI agents that provide context for the risk assessment of a data submission
  • Context here means sender, receiver and typical business transactions
  • Baselining for anomaly detection based on historical data transfers
  • Static rules can optionally be created for this purpose (e.g. never send data outside the EU)
  • Claim: Significantly lower false positive rate and lower operating costs compared to pure policy-based solutions
  • Deployment via endpoint sensor, browser extension and API connections for common SaaS solutions

Athereon:

  • GRC solution from Germany
  • SaaS (Telekom data centre) or, in individual cases, also on-prem
  • Approx. 100 customers, including Benteler, Brose, Rehau, Bofrost
  • Extensive frameworks to choose from, e.g. also B3S medical care, BSI C5, ISO 27017, IEC 62443, etc. Own guidelines or individual adjustments possible
  • AI Assistant checks whether linked evidence is (probably) sufficient to meet requirements
  • Action tracking + document control (e.g. incl. validity) as usual
  • Risk management with hazard catalogues + assessment of protection needs
  • Asset management with inheritance of protection requirements of data via processes, applications to locations / scopes
  • Supply chain module, especially with DORA criteria
  • BCM module with BIA, emergency planning, exercise – granular with restart times, assigned teams, workflows. All in all, very mature impression.

Cyera (Update):

  • Probably the largest pure-play DSPM provider in terms of market value (valued at ~9 billion USD in the last funding round, 1,300 employees); competition e.g. Varonis, Proofpoint, IBM (Guardium), Forcepoint
  • AI as a growth driver (detect access from copilot and agents)
  • Already ~100 large customers, including Paramount and other security providers such as Armis
  • Scores above all with agentless scans, the enrichment of context to sensitive data used for classification, and the fast classification of large amounts of data (via customer-specific LLM, supposedly with typical precision ~95%)
  • Each customer receives a pre-trained LLM based on industry + region upon delivery. This is then further tuned at the customer’s site
  • Speed comes from the division into human-generated files (are completely scanned) and machine-generated content with high similarity (are only checked via random samples)
  • Classification engine on VM can also be operated in customer environment. Otherwise, as usual, on AWS in Frankfurt. 1 VM is probably enough for 2000 typical file servers
  • Then delivers policies to the common DLP/CASB solutions such as Purview, Netskope, Forcepoint, etc. Alternatively, enforcement options via browser plug-ins and endpoint agents for customers without E5 or similar are already in the works
  • Use case not only security, but also cost reduction: Combing through data for data that has been unused for a long time, which can then be moved to cheaper storage layers

As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.

For the people who have received the market commentary for the first time: here you can register if you are interested, or hide the sugar-reduced Easter bunny (brand Extrabitter) that you received “as a gift” from your mother-in-law in the archive.

Best regards,

Jannis Stemmann
