Market Commentary #17: Vulnerability Aggregation and Remediation

Hello everyone

Vulcan has just been bought by Tenable – we took a look at the market for vulnerability aggregation tools (also known as Risk Based Vulnerability Management / RBVM, Exposure Risk Management) as part of a customer project. In addition to Vulcan, there were, among others:

Armis, Axonius, Brinqa, Nopsec, Northstar, Nucleus, Qualys, Skybox, Strobes, Zafran.

The main function these tools offer is the aggregation of multiple vulnerability scanners (on premise, OT, cloud, code) and asset inventories / CMDBs. The intelligence then lies in the deduplication of asset and vulnerability data, and in the assessment of risks (e.g. exploitability) in order to arrive at a high-level prioritization for a large organization, avoid duplicated work and present the status in an audit-proof manner. Of course, there are other features, especially workflows for tracking and remediating vulnerabilities. The solutions are usually “agentless”.

Key findings from the RfI:

  • The most important thing is still to record all assets in the first place and to determine those responsible for vulnerability management. For example, in the case of a server with a hypervisor, OS and application, this can mean 3 different responsible persons.
  • Differences between the tools were, for example:
    • Deployment: Some vendors only have SaaS as an option
    • Native connectors (i.e., without customer maintenance) for data sources such as MDM or EDR solutions, enterprise architecture tools (e.g., LeanIX), threat intelligence feeds, or customized databases
    • Assessment of vulnerabilities (e.g. based on KEV, EPSS, libraries used during runtime, Internet accessibility of the asset or dark web information)
    • Automated capture of balancing measures such as segmentation firewalls
    • Readability of pen test results
    • Processing times (can be > 24 hours)
    • Practicality of the recommendations for action
    • Customizability of workflows and dashboards
  • Licensing is typically based on the number of assets. However, the weighting of individual assets (especially for cloud assets such as containers, load balancers, secrets) differs between providers
  • Basically, 99% of the effort is still incurred for internal coordination (when can patching be done, who does what, testing + tuning). It therefore makes sense to push further (AI-supported) automation of patch processes, including upstream automated tests, as Backline, for example, intends to offer.
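As an added example (not from the newsletter or from any of the vendors named), here is a minimal version of the two core functions such a tool performs: collapsing the same finding reported by two scanners onto one asset, then scoring it with KEV, EPSS, Internet exposure and a compensating control such as segmentation. The scanner exports, CMDB entries and CVE ids are constructed placeholders, and the scoring weights are assumptions.

```python
# Added example (not the newsletter's or any vendor's code); all data below is constructed, CVE ids are placeholders.
SCANS = {  # two scanner exports reporting the same web server under different names
    "scanner_a": [
        {"host": "WEB01.corp.example", "ip": "10.0.1.10", "cve": "CVE-0000-0001", "cvss": 9.8},
        {"host": "db01.corp.example", "ip": "10.0.2.20", "cve": "CVE-0000-0002", "cvss": 7.5},
    ],
    "scanner_b": [
        {"host": "web01", "ip": "10.0.1.10", "cve": "CVE-0000-0001", "cvss": 9.8},  # duplicate of scanner_a
        {"host": "web01", "ip": "10.0.1.10", "cve": "CVE-0000-0003", "cvss": 5.3},
    ],
}
KEV = {"CVE-0000-0002"}  # placeholder "known exploited" entry
EPSS = {"CVE-0000-0001": 0.94, "CVE-0000-0002": 0.05, "CVE-0000-0003": 0.01}
ASSETS = {  # CMDB extract keyed by IP: owner, exposure, compensating control
    "10.0.1.10": {"owner": "web-team", "internet_facing": True, "segmented": False},
    "10.0.2.20": {"owner": "dba-team", "internet_facing": False, "segmented": True},
}

def asset_key(finding):
    """Normalise hostname (case, domain suffix) so two scanners' views of one box merge."""
    host = finding["host"].lower().split(".")[0]
    return host or finding["ip"]

def dedupe(scans):
    """One record per (asset, CVE) pair, remembering which scanners reported it."""
    merged = {}
    for name, findings in scans.items():
        for f in findings:
            rec = merged.setdefault((asset_key(f), f["cve"]),
                                    {"ip": f["ip"], "cvss": f["cvss"], "sources": set()})
            rec["sources"].add(name)
    return merged

def risk_score(cve, cvss, asset):
    """CVSS plus exploitability (KEV, EPSS) and exposure, minus credit for segmentation (assumed weights)."""
    score = cvss + 3.0 * EPSS.get(cve, 0.0) + (3.0 if cve in KEV else 0.0)
    score += (2.0 if asset["internet_facing"] else 0.0) - (2.0 if asset["segmented"] else 0.0)
    return round(score, 2)

def prioritize(scans):
    """Deduplicated findings, highest risk first, each with the owner to route it to."""
    rows = []
    for (host, cve), rec in dedupe(scans).items():
        asset = ASSETS[rec["ip"]]
        rows.append({"asset": host, "cve": cve, "owner": asset["owner"],
                     "score": risk_score(cve, rec["cvss"], asset),
                     "sources": sorted(rec["sources"])})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Note how the KEV-listed finding on the segmented database host ends up below the Internet-facing web server's high-EPSS finding, which is exactly the kind of trade-off the "assessment" and "balancing measures" differences in the RfI were about.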

Palantir has published several very detailed articles about its own security measures, here are a few aspects of software supply chain / development:

  • All developers have a Yubikey (5C FIPS, i.e. an expensive variant) hardware token
  • The private key is stored on the Yubikey, which cannot be exported
  • Git Commit Signing: Developers have to confirm code that should be in the pipeline by touching the Yubikey to generate the signature
  • GitHub Enterprise Access Tokens are probably only allowed in exceptional cases
  • Code reviews (4 / 6 eye principle) are enforced, with the rules applied automatically via GitHub Policy Bot workflows
  • Developers must not hold a Git repository “Owner” role (“Maintainer only”)
  • Development Tools Team admins make configuration changes through Privileged Access Workstations and disconnected accounts
  • Static code analysis with CodeQL. Dedicated AppSec team to maintain the CodeQL rules
  • In-house developed tools to control the release process into the different phases (test stages, production)
  • Miscellaneous: Github repos are private by default, regular checks of all accounts for access rights (apparently there are also external service providers with access)

If you can trick SIEM or EDR solutions, you now have the opportunity for a new side hustle: Elastic is offering a special form of bug bounty program until May to test the rule sets of its own solutions. Focus is on Windows, and there are a few rules of the game (e.g. no kernel mode, no sleep/timing evasion attacks). Cool approach!

The first cybersecurity providers have published their annual figures for 2024. Here is Check Point randomly picked out:

  • Revenue up 6% to $2.6 billion
  • Highly profitable cash flow machine: net profit and free cash flow ~800 million USD, sitting on approx. 3 billion cash/securities
  • Marketing + Sales expenses of USD 760 million (30% of sales)
  • Development expenditures of $340 million (13% of sales)
  • Changes in the footnotes (regarding the definition of metrics) are limited – another indicator that the company is doing well

By the way, the ranking of the EDR Telemetry Project in the Linux rating changed slightly after the last market commentary was sent out (or I had tomatoes on my eyes): In any case, Microsoft Defender is up-to-date and, as usual, now also at the top. Thanks to Gabriel for the hint!

M&A News:

  • Sectigo acquires Entrust (PKI / certificate management)
  • The Juniper + HP merger is blocked by the US Department of Justice
  • Wiz has raised another billion from VCs, reportedly at a valuation of $12 billion

And so to some vendor briefings…

Datagroup:

  • I watched it on the occasion of the SOC control center opening in Hamburg (❤🦪)
  • Perhaps known as a large system house (> 3500 employees, > 500 million euros in sales), listed on the stock exchange. They also operate some data centers for banks
  • Have developed their own AI tool to support IT admins, maybe also worth a look
  • 250 employees for security
  • SOC analysts are all based in Germany. 3-shift operation for Level 1 analysts, Level 2/3 on call
  • Tech stack includes: Cisco XDR / Splunk SIEM, Fortinet SOAR, LocateRisk for external scans, Check Point for threat intelligence, Secutec Darknet monitoring
  • Also part of the DIRT (German Incident Response Team) network. International IR support from Cisco Talos

Intezer:

  • American provider of “AI SOC/MDR” with automated triage, enrichment of context, investigation and decision including reactions. So it’s not just about assistance, but with the clear objective of replacing Tier1/Tier2 analysts in the medium term
  • ~250 customers, including e.g. Pepsi, Anheuser Busch, MGM, but also in the EU, e.g. Ferrero and DPD, here of course GDPR-compliant with hosting in AWS EU. Overall, much more mature impression than e.g. Dropzone
  • Compared to a typical analyst team, the average time to conclusion (“Mean Time to Conclusion”) plus reaction is supposedly reduced by ~99%
  • Customer case studies for replacing Ontinue, Crowdstrike Falcon Complete or SentinelOne Vigilance MDR with interesting savings shown, each with comparison of the number of processed + escalated alerts
  • ~4% of the alarms (across all severities) were rated as “inconclusive”, but also here with concrete recommendations for action to clarify the case
  • Also ideal for automatically evaluating phishing emails reported by users
  • Integrates with all major SIEM and EDR
  • Budget indication for 10k endpoints: EUR 200 thousand/year
  • Are still looking for channel and integration partners in Germany.
  • I was really excited (hopefully not completely unjustified – feel free to contact me if I missed something). Actually, there should also be a market opportunity for a European manufacturer here

RunReveal:

  • US SIEM / log management startup, cool slogan: “Stop paying the SIEM tax”. The founder was formerly Head of Product Security at Cloudflare and was probably annoyed by the licensing costs for Splunk
  • ~10 customers, still a small team
  • The usual log connectors and use cases out of the box
  • Deployment options from SaaS to on prem
  • Incl. log filtering / storage optimization similar to Cribl or Anvilogic
  • Log data is normalized when stored in tabular form (schema on write), but at the same time the original data is also retained (schema on read). As I understand it, this allows faster search queries than with the common SIEMs and at the same time flexibility to cover all types of log sources
  • The Query Language (PQL) is similar to Kusto, but open source

Frenos:

  • US startup for OT security assessments / attack path simulation, ~20 employees
  • Approx. 5 customers, all critical infrastructure (banks/power plants)
  • Similar to XM Cyber, but specifically for OT:
    • Digital twin of the network with asset data, security tools + segments used. For this purpose, the config information from routers/switches/firewalls is read, or the data from Claroty/Dragos/Tenable/Rapid7 etc. is used
    • Then calculation + representation of probable attack paths based on the target systems (selected by the customer) and vulnerabilities found
    • The advantage in OT environments, of course, is that no scans or exploits have to be executed
    • Graphical representation but not particularly fancy yet => To get management buy-in for OT Sec projects, a few flashing hexagons and euro signs have to be added
  • Deployment exclusively on prem, without agent installation (laptop apparently sufficient)
  • Compensatory measures such as whitelisting can be saved so that the same vulnerabilities are not always prioritized
  • Rob Lee (Founder Dragos) is on the Advisory Board

Swimlane (thanks for the tip, Thomas!)

  • US SOAR and low-code provider for the automation of security and compliance workflows
  • E.g. rule-based triage of EDR/NDR/SIEM/DLP/Mailgateway alerts, case management, employee onboarding/offboarding, vulnerability remediation
  • ~250 employees, on the market since 2014
  • SaaS or on prem installation possible
  • Can probably be painlessly and flexibly connected to common tools such as ServiceNow, Slack, and practically all other common applications via existing connectors, of course supplemented by typical playbooks
  • Creation of KPI-based dashboards possible (e.g. Mean Time to Detect/Respond, utilization analysts, ratio of false positives/total number of alarms, proportion of suspicious phishing mails that are automatically assigned as spam), many templates are also available out of the box for this
  • Of course, AI (“Hero AI”) can support SOC analysts, for example, in prompt and query engineering. No customer data is used to train the AI
  • License costs depend on the number of events – for ~10k events/day, a budget indication of 400-500 thousand EUR per year was mentioned
  • The majority of customers are MDR vendors/MSSPs such as Bitdefender, Deloitte, fernao magellan or NTT Data, as well as larger companies with their own SOCs such as ZF or BMW

As always: Questions, suggestions, comments, experience reports and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.

For the people who have received this email: Here you can register if you are interested or delve deeper into the archive.

Regards

Jannis Stemmann

P.S.: The Sailpoint IPO is twenty times oversubscribed and the PE partners of Thoma Bravo can hardly believe their luck. You heard it first on this channel.
