Hello everyone,
at the end of the year, today is more of a lightweight piece for general amusement, even if it is only peripherally related to security. We all deserve that, I think. It’s about high stock market prices (also, but not only, of security companies) and my impressive lack of talent for earning money from them. Maybe some of the readers suffer from similar symptoms – if so, hopefully you feel a little better at the thought of not being poor alone 😉. And the rest can just secretly rejoice or send me a postcard from the private island.
Since ~2017, every year has been running roughly according to the following pattern:
1. I think valuations, especially in the tech sector, are already relatively high, all the growth is already priced in, so let’s wait and see, the hype will certainly normalize soon and then there will be reasonable entry prices. Bitcoin is the new tulip bulb (where’s the dividend, please?!), trees don’t grow into the sky even with the best business models, NVIDIA and Microsoft will certainly soon have competition, Google has the quantum computer and is reshuffling the cards, Tesla’s share price is not comprehensible anyway.
2. Next, these stocks that I consider to be overvalued rise by another 30-300%.
3. My neighbors and colleagues become crypto billionaires through leveraged day trading, while my portfolio of Buffett-style value treasures performs about as well as the FDP or FC Cologne.
4. Goto 1
For those of us who are quickly striving towards financial independence, I therefore simply recommend my investment tips as a reliable contrarian indicator (please contact me if you are interested).
Anyone who has experienced the dot-com bubble probably knows the following quote from Scott McNealy, former CEO of Sun Microsystems, from an interview in 2002:
“At 10 times revenues, to give you a 10-year payback, I have to pay you 100% of revenues for 10 straight years in dividends. That assumes I can get that by my shareholders. That assumes I have zero cost of goods sold, which is very hard for a computer company. That assumes zero expenses, which is really hard with 39,000 employees. That assumes I pay no taxes, which is very hard. And that assumes you pay no taxes on your dividends, which is kind of illegal. And that assumes with zero R&D for the next 10 years, I can maintain the current revenue run rate. Now, having done that, would any of you like to buy my stock at $64? Do you realize how ridiculous those basic assumptions are? You don’t need any transparency. You don’t need any footnotes. What were you thinking?”
Actually, it is quite conclusively derived why a multiple of 10 on revenue is ambitious – even with decent growth and low variable costs, which most SaaS providers can claim for themselves. However, the majority of investors seem to see it completely differently when you look at the current valuations (the technical term at this point is probably “Hold my beer”):
| Company | Market cap / revenue multiple |
|---|---|
| CrowdStrike | 24x |
| Broadcom | 20x (private funding) |
| Abnormal | 20x (private funding) |
| Bracelet | 17x |
| Palo Alto Networks | 13x |
| Fortinet | 13x |
| Microsoft | 13x |
| Zscaler | 13x |
| 1Password | 13x (private funding) |
| SentinelOne | 11x |
| Tanium | 11x (private funding) |
| Rubrik | 10x |
| Elastic | 9x |
| Palantir | 63x |
Is this a bubble now? Who knows, see above. My in-depth analysis of the concretely perceptible effects in our industry: general stock market euphoria (of course primarily an American phenomenon; in Europe we have practically no tech giants, but rather score points through tax legislation) => high valuations also for cybersecurity companies => more funding via venture capital + private equity => supply higher than actual demand => horrendous expenditure for marketing and sales in the hope of meeting the exaggerated growth expectations => hostesses who follow CISOs around at security events.
By the way, I have to defend the said event provider retrospectively: some participants probably misinterpreted the function of the chip in the badge. The chip was an RFID blocker and was of course not used for location tracking (which is done purely conventionally, without electronic aids). That would have been absurd at a security event. If anyone still has an original, please send it to us for a forensic analysis.
The French cyber insurer Stoïk has apparently started to stir up the German market, among other things with an in-house CERT and prevention services such as vulnerability scans (thanks for the hint, Klaus!). This naturally gives the insurer a very transparent view of the effectiveness of certain security measures. In any case, they have published an easy-to-read report on the cyber damage cases they processed (focus on SMEs, 2023); a few figures/statements from it:
- Across the entire insurance portfolio, about 4% of companies reported cyber damage within a year, most of them a compromise of mailboxes without further impact
- Approximately 1% of companies suffered a ransomware attack (similar to the number of detected fraud cases)
- In approximately 75% of ransomware cases, the affected company was able to resume operations within less than 1 week. 100% correlation with working backups and tested recovery.
- In negotiations, an average of 50% reduction in the ransom demand (to an average of EUR 700 thousand) was achieved
I think that in the coming years we will receive much clearer recommendations from the insurance industry as to which preventive measures are effective and efficient – as is already the case today with fire protection or burglary protection.
There was (as far as I noticed) little earth-shattering in the M&A news, apart from the merger of Veritas with Cohesity (~12,000 customers in total). So here is the transition to the notes from vendor briefings:
Bitdefender (Update):
- Certainly well known, one of the few EPP/EDR/XDR manufacturers from the EU (Romania, where the MDR analysts for EU customers are also located), and one that also offers an on-prem variant
- Due to the increasingly better ratings in MITRE tests and the now available MDR service, they now often make it onto our longlist for EDR/XDR projects of larger customers
- There are now modules for identity protection (local AD + Entra ID), vulnerability scans, mail filters, CSPM, CWP and a separate NDR (here, however, the functionality still seems to be limited, e.g. pattern recognition for encrypted data traffic)
- In fact, there are (still) major differences between the on-premise and the SaaS solution: For example, there is only integration with the email gateway or an agent for EC2 in the cloud version, but no monitoring of some hypervisor types
- And as with all EDR solutions, the agent has limited functionality on Linux systems, e.g. no real tamper protection or sandbox
- Interesting: OEM solutions for other endpoint solutions and IoT device manufacturers. The AV Engine can also be found as a white-label solution in the products of Withsecure, Cybereason, Trellix, Acronis, Cisco and G-Data, for example. There are also threat intelligence feeds for MSSPs.
Exeon:
- Swiss manufacturer of NDR (but with a rather unusual approach). It had already appeared in some of our RfPs, but colleagues always handled those => That’s why I took a closer look
- Used by almost 100 customers; references include Swiss, Swiss Post, University of Bern, Win GD (Winterthur Gas+Diesel). By comparison, Darktrace now advertises 10,000 corporate customers. Shows once again the monumental challenges facing innovative European suppliers.
- Purely software-based, it is installed on-prem on a VM (all hypervisors incl. KVM possible). This is used to collect NetFlow and syslog data from (segmentation) firewalls, switches, data diodes, DNS servers or proxies. In addition, there are optionally logs from the IdP or other security tools such as EDR/IDS/vulnerability scanners or similar.
- No need to connect to a central cloud engine. New releases only ~4x/year, because no signatures are used, only anomaly detection
- Incidents that can be detected: Failed and unusual login attempts, e.g. on VPN Server => Detection of conspicuous lateral movements possible
- Of course, visualization of the network possible
- No break-up of encrypted network traffic, no deep packet inspection or application layer analysis, no PCAP recordings (since no traffic mirroring via TAP/SPAN). However, it can be partially mapped via Corelight integration.
- Can’t completely replace a SIEM because some use cases, such as the detection of configuration changes, can’t be mapped
- But especially for medium-sized companies or infrastructures, this is a good complement to EDR if a “real” SIEM would be too expensive/time-consuming. Or for customers in the financial sector who have to use an NDR for regulatory reasons.
- Licensing based on number of IP addresses
- MSSP partners include EnBW Cybersecurity, Eviden and Magellan
LayerX (Thanks to Ben for the recommendation + classification!):
- Enterprise Browser Extension from Israel, i.e., alternative to VDI, helps against (AI) data leakage and browsing risks such as phishing or password/session cookie reuse
- At first I thought it was more or less the same as Island. But the highlight of LayerX is that it is a browser extension (not a separate browser), i.e. it works with the common desktop browsers and in the near future also with mobile devices
- Of course, use can be forced with managed devices
- For unmanaged devices, a rule must be built in via the IdP, which then forces the use of LayerX, e.g. when accessing Salesforce or similar. So a two-way integration is necessary here (or the way via a reverse proxy). This would then also be more than just protection against insider threats
- Also interesting:
  - Regardless of the application, MFA can be enforced for login to all web apps (no integration required)
  - Websites can be displayed with watermarks => This makes them visible on photos taken with a mobile phone
  - In addition, central discovery and management of all other browser extensions (such as SearchGPT) across users
  - Each creation of user accounts in web apps can be registered to create an inventory of “shadow accounts”. Sounds like something that is probably better coordinated with the works council beforehand.
- Still in the early phase of market entry in the EU, but already larger customers in the US and UK (probably > 1 million users in total)
- Ballpark figure: EUR 25 / user / year
OneTrust (Update for IT + Security Risk Management):
- My colleague Janina (thank you for that!) and I recently took another look at it as part of a comparison of offers for GRC tools. Janina also used to work with OneTrust
- Linkages (parent/child) between business processes, software tools used and organizational units can be modeled (=> Answers the question: Who uses what in which process where in the world?)
- For imports of asset inventories: incorrect records are identified, i.e. partial import and targeted troubleshooting / completion of fields or attributes possible
- Security controls (measures)
  - can be inherited via processes to other assets/org units
  - are deduplicated at the task level: example MFA => for 2 necessary standards (such as HIPAA and ISO), each formulated and defined differently as separate controls, but contained as only 1 task. When this task is completed, both controls are fulfilled
  - Custom controls can be easily uploaded via Excel spreadsheet import
- Guided risk and threat analyses with suggestions for typical company assets for the creation of heat maps (probability of occurrence/impact) and as a basis for risk management, of course linked to non-IT risks. Certainly more scalable than the typical Excel sheets.
- Risk Register: Risks can be defined as a “library” throughout the company and selected by org units to ensure uniform naming and categorization. But no Monte Carlo simulation of scenarios possible yet
- Questionnaires for maturity assessments or supplier evaluations can of course be individually configured or created on the basis of standards. As always, the evaluation of the effectiveness of the measures is extremely time-consuming if it is not a technical measure that can be queried automatically. It is therefore important that customers check whether native connectors exist for the security tools they use, such as IAM, firewalls, vulnerability scanners, etc. Overall a strong TPRM module, which offers flexible collection options (e.g. bulk uploads, integrations with existing tools) and facilitates the review by directly flagging potential risks and creating tasks/follow-ups.
As always: Questions, suggestions, comments, experience reports and also opposing opinions or corrections are welcome by email.
I am now looking forward to the Christmas break, and wish everyone a relaxing time and then a good start into the new year!
Regards
Jannis Stemmann