Hello everyone,
“Our clear goal: no longer accept price increases from Microsoft. We reprogram Office with AI.”
This is the rather self-confident statement of an enterprise architect at the Rethink! event last week. DIY is probably more attractive than OpenDesk, LibreOffice or similar. Supposedly, his employer (a European company) is already replicating SW tools using Claude Code instead of renewing the licenses. And further in the original sound: “With purely internal use, the development and operating effort is much lower than if you want to sell the SW externally. Some of the security tools I’ve seen here are now unsaleable from my point of view, you can simply replicate them.”
So, if you are threatened by Microsoft or Broadcom before the next appointment: I will be happy to put you in touch with the negotiation professionals. Can’t be that hard to vibe a hypervisor. 😉
In fact, however, the distance to AI tinkering output seemed quite manageable to me even with some demo presentations. To quote Daniel Miessler, many smaller sec tools are likely to become an API/MCP interface without their own GUI. The future remains exciting!
At the same conference, Checkmarx presented a cool survey of 1500 developers and security managers – among other things, it came out that 80% of the SW developers surveyed knowingly run code with known vulnerabilities in production environments . 30% of them in the hope that no one would notice.
In the presentation, it was also pointed out that according to Baxbench , 20-30% of the code generated by Opus/GPT is logically correct, but insecure. Of course, this was to prove the need for AppSec tools. Everything is understandable. But: What is a realistic target value today that can be achieved at comparable standards in a good SDLC and Snyk, Veracode, Sonarqube or similar tools? Nobody could/wanted to tell me that – if anyone has any information, gladly.
Some more information from a presentation by BMW:
- 80% of suppliers with breaches did not have TISAX certification
- Time to recovery for suppliers with certification was an average of 3-4 days, where without ~10 days = > certificate is a necessary, not sufficient condition. Therefore, requirements that go beyond TISAX and are audited continue to be set
- Smart approach: BMW not only tortures suppliers with gap assessments / audits, but also provides technical specialists on site in the event of incidents. Same interest as supplier: Fast restart
- Side note on the security organization: BMW does not have a central CISO, but separate responsibilities for IS, IT-Sec, OT-Sec, supplier security (the latter is located in purchasing)
ETH Zurich has examined some password managers to see whether the manufacturer really cannot access stored customer keys despite the E2EE claim (e.g. in the event of a server compromise or in the context of insider threats). Some takeaways from it:
- Attacks on the key escrow mechanism made it possible to read the vaults of Bitwarden and LastPass in their entirety. DashLane does not offer a corresponding recovery service => more secure, but of course it also means that if you lose the master password, the vault is lost
- The main attack vector was the reset of the master PW of customers using the (super) admin public key, which is not authenticated by the solution and can therefore be easily replaced by attackers with their own key
- In addition, backward compatibility with older client versions with poor encryption methods could be exploited
- 1Password has an advantage in the cryptographic concept compared to Bitwarden, LastPass and Dashlane: For the generation of the Vault customer key via the detour of a kek (key encryption key), a high entropy salt is used in addition to the master password, not the trivial customer email address as with the other 3 solutions examined
- The providers have probably partially fixed the problems found in the meantime
What can customers expect from SOC vendors by using generative AI? DefenseBench uses the Splunk Boss of the SOC dataset to show the current state of the use of agents as SOC analysts. The history of queries’ inputs and outputs is really exciting. The latest models from Anthropic + OpenAI give the exact correct answers about 50% of the time (a little faster than most human MAs, of course). In the case of the answers declared as “wrong”, often only the syntax is not quite OK, in some cases (such as the question about the processor type of the web server) the answers contain more information than necessary. In my opinion, the actual rate of useful answers is probably already > 80% today. Mind you, these are the off-the-shelf models, not trained on security use cases. And the prompt put the agent under time pressure, i.e., explicitly not optimized for accuracy.
The results roughly coincide with the compilations of tests that Wiz or Cotool , for example, publish regularly. Cotool also specifies the cost per task (tasks are e.g. code unobfuscation, analysis of PCAPs, scripts, binaries or searching for suspicious communication in log dumps). So far, there is no correlation between results and costs, so you can make real arbritrage profits by choosing the model wisely until the market matures.
Conclusion for me: If you don’t use this consistently in the SOC, you will lose a lot of competitiveness. In addition to the previous headlines about analysis / enrichment and enormous progress in dark web research, I see threat hunting as an agent task in the future: Much more thorough than it can de facto be done today by human personnel alone. Below the thresholds of detection engines, more and more is happening: About half of all vulnerabilities are now exploited before or within 24 hours of publication => So we have to expect an increase in successful compromises. Perhaps we will also soon see new price breakers on the market that offer today’s monitoring quality at significantly lower costs. This would be affordable not only for SMEs, but also for some organizations with increased requirements as an additional layer of defense.
Last but not least, some news from Crowdstrike‘s annual financial statements:
- Strong year, sales +22% to USD 4.8 billion. Of which ~600 million is revenue from SIEM. Order intake via AWS is already around USD 1.5 billion, i.e. almost a third. Now Azure Marketplace Consumption Commitments are also being added.
- Due to continued high expenditure on marketing + sales (38%) and R&D (29% of sales), the bottom line is a loss – but the company is of course cash flow positive.
- Flex is well received by customers as a type of contract => Other providers should also take a look at it and perhaps look at it. For the sovereignty freaks among us, CS will soon be available on StackIT
Notable M&A + Funding News:
- USD 125 million for “Kai“, the new startup from the Claroty + SecurityMatters co-founders. Objective: Orchestrate across all tools available to defenders. With, you guessed it, AI agents
- 120 million each for XBOW (automated pentesting) and Oasis (NHI Mgmt., incl. AI agents)
- 60 million is available for Gambit to use AI to create a mapping of the IT infrastructure, security tools and backup/recovery solutions and to find gaps
- Back to on prem EDR: Palo Alto founder Nir Zuk collects 45 million for Cylake together with one of the SentinelOne founders (Udi Shamir) to develop modern security minus the cloud. We are curious!
- OpenAI kauft Promptfoo (AI Sec Testing)
Provider talks:
telent (Update):
- Specialist for network and process control technology (approx. 550 employees, of which approx. 150 in service, now belong to the Zech Group), I of course took a special look at the OT Security department (formerly Koramis, i.e., active in the segment for ~10 years)
- Consulting, pen tests, system implementation (e.g. segmentation using Cisco or Fortigate, implementation of FortiEDR on Windows XP, FortiSIEM, inventory using Tenable OT, Rhebo NIDS, remote access), physical security (e.g. by means of camera surveillance, control cabinet sensors) and OT SOC incl. vulnerability management
- SOC: 24/7 on call outside office hours. So far, the customer has not requested any intervention by SOC analysts, only alerting. Also experience in interaction with parallel IT MSOC
- > 100 customers, especially critical infrastructure such as distribution system operators or rail transport
- Among other things, a self-developed data lock for USB sticks
Digit Solutions:
- German MSPP, approx. 200 employees, locations also in Austria, UAE and South Africa
- SOC either German or English from Dubai
- Approx. 15 SOC customers, e.g. Stadtwerke Osnabrück
- FortiSIEM, Crowdstrike, Vectra, Hornet, Halcyon as preferred tool stack
- In addition, firewalling, vulnerability mgmt., PAM, darknet research as managed services
- Code Blue as an IR Partner
Teleport:
- US scaleup for just-in-time access (“Ephemeral Authorization”, also for NHI) optimized for cloud environments, i.e. roughly located at PAM
- Interesting story: It used to be an MSSP, founded by former Rackspace people
- Meanwhile ~600 customers, including Tesla, IBM, Bloomberg, Nasdaq, Databricks. Probably also some banks in the EU
- Custom CA => Issues short-lived certificates for individual sessions that are used for tunneled access. End of the session = expiration of certificate validity
- Can either use IdP (Entra/Okta) other than Golden Records, or create a separate ID directory (e.g. for development teams)
- Display of Access Graphs similar to Cyberdesk possible
- Search for channel partners in the DACH region, please contact us if you are interested
Proliance:
- Some may still know it under the old name Datenschutzexperte.de
- For some time now, we have been offering ISB as a Service and advice on certifications for ISO27001 or NIS2, as well as an in-house developed ISMS-SW
- Clear focus on SMEs (approx. 2,500 customers), approx. 80 employees => A good alternative for simple requirements
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For the people who have received the market commentary for the first time: Here you can register if you are interested or read articles that have been preserved for a long time in the archive (all still up-to-date, of course).
Best regards, Jannis Stemmann
