Marktkommentar #28: M&A Autumn Bonanza, SIEM Costs Under Control, and No Panic Fear of Attacks on Automation Technology

Hello everyone,

unrestricted applause at every security conference and other echo chambers can certainly be obtained by demanding more budget for security. Or by complaining loudly about the cost of Splunk. Someone from Cisco/Splunk probably heard that too. Hence the new offer to process logs from Cisco firewalls for free. At this year’s user conference, new approaches such as the “Triage Agent” and “Federated Search” in Snowflake were presented – in my opinion, direct alternatives to data pipeline solutions such as Cribl, Tenzir, Databahn, Anvilogic, or the ones Crowdstrike and SentinelOne have just purchased (see below). This is intended to reduce ingest and storage costs and at the same time increase detection speed. It blurs the boundary between XDR and SIEM even further – in the end, it’s all about analyzing large amounts of data as quickly and accurately as possible.

So far, however, my impression is that, despite loud lamentations about budget explosions, established Splunk or QRadar installations are only replaced once the customer has decided to move from on prem to an IaaS/SaaS SIEM. The effort (and, for DORA-regulated banks for example, also the risk) of a migration is very daunting.

Reduce log volume, but without increasing the risk? A practical example here from monad, where SIEM costs were reduced by ~50 thousand EUR/year by storing Okta logout events directly in S3 instead of in the SIEM, i.e. filtering before ingest. The data remains available for in-depth analysis if necessary. Other events that can probably be kept out of real-time detection are, for example, email status messages.

And once you’ve optimized your SIEM budget, you can move on to threat hunting. Certis Foster has put MITRE’s “Time-Terrain-Behavior” approach into practice for the first time (as far as I know) and tested it on the publicly available Splunk Boss of the SOC dataset (BOTSv2, ~70 million events, 100 log sources, 16 GB). Essentially, attacks without detection rules were found by looking for statistical outliers along multiple dimensions – completely independent of attack chains or “if… then…” logic. The dimensions were e.g. time period, signal source and behavior (e.g. login, access, execution). If I have misunderstood the methodology, please let me know. Does that 3D visualization also work well in more complex infrastructures? Hardly. But this can also be evaluated automatically using AI, and then with even more dimensions. I could well imagine it as a supplement to existing UEBA.
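As an added illustration (my own code, not Certis Foster’s or MITRE’s): bucket events along the three dimensions (time bucket, source, behavior) and score each cell against the history of its own source/behavior pair with a robust z-score, so that a burst in one hour stands out without any attack-chain rule. The event feed is constructed and the median/MAD scoring is my assumption about how such a scan could be done, not the referenced methodology itself.

```python
"""Multi-dimensional outlier hunt in the spirit of Time-Terrain-Behavior:
count events per (hour, source, behavior) cell, then flag cells whose count is
far from that source/behavior pair's usual hourly count.
Example written for this commentary; events are constructed and the scoring
(median/MAD robust z-score) is an assumption, not the referenced method."""
from collections import Counter, defaultdict
from statistics import median

def bucket(events, bucket_seconds=3600):
    """Count events per (time bucket, source, behavior) cell."""
    cells = Counter()
    for ts, source, behavior in events:
        cells[(ts // bucket_seconds, source, behavior)] += 1
    return cells

def robust_z(value, baseline):
    """z-score from median and MAD, so one spike cannot inflate its own baseline."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0  # avoid division by zero
    return (value - med) / (1.4826 * mad)

def find_outliers(events, threshold=5.0, bucket_seconds=3600):
    """Return [(cell, count, z)] for cells far above their (source, behavior) history."""
    cells = bucket(events, bucket_seconds)
    by_dim = defaultdict(list)
    for (t, s, b), n in cells.items():
        by_dim[(s, b)].append(n)
    buckets = {t for (t, _, _) in cells}  # quiet buckets count as zeros below
    hits = []
    for (t, s, b), n in cells.items():
        history = by_dim[(s, b)] + [0] * (len(buckets) - len(by_dim[(s, b)]))
        z = robust_z(n, history)
        if z > threshold:
            hits.append(((t, s, b), n, round(z, 1)))
    return sorted(hits)

# Constructed sample: 24 hours of routine logins/executions on two hosts, plus
# one hour in which host "ws-17" suddenly produces a burst of process executions.
EVENTS = []
for hour in range(24):
    for host in ("ws-04", "ws-17"):
        EVENTS += [(hour * 3600 + i * 600, host, "login") for i in range(3)]
        EVENTS += [(hour * 3600 + i * 900, host, "execution") for i in range(2)]
EVENTS += [(14 * 3600 + i * 20, "ws-17", "execution") for i in range(40)]

if __name__ == "__main__":
    for cell, n, z in find_outliers(EVENTS):
        print(cell, n, z)
```

Only the (hour 14, ws-17, execution) cell is reported; the routine cells score zero because they sit on their own median.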

Our friend Dale Peterson (who has been organizing S4, probably the world’s largest conference on OT security, for about 20 years) writes as follows: “The impact of OT cyber incidents has been minimal. …The threat, as expressed in vendor reports, government pronouncements, industry studies, conference presentations, and media articles, is vastly overstated. Hyped up. A look at the expressed threat and actual consequences over any time period in the last 20 years clearly shows this.” Well.

Despite repeated prophecies of doom, there has been no incident with significant consequences that could have been prevented by better OT security. Yes, there have been isolated OT-specific attacks. No, the damage caused was not relevant in a cross-comparison with other risks. Yes, attacks on IT regularly result in massive production shutdowns (you can currently see it again at JLR, or a few years ago at Colonial Pipeline) because, for example, ERP systems are not available. No, attacks on automation technology have not led to production losses.

  • And this despite the fact that “insecure by design” automation technology is still being used on the market and by customers, esp. without the possibility of authenticating control commands. CRA, MVO and NIS2 are still to come!
  • Although this is not confirmed in the marketing material, it is confirmed by experts in the DACH region, including providers of OT NIDS solutions
  • How many successful attacks on energy suppliers (including transmission/supply network operators and power plants) in which critical services were affected have there been in Germany in the last 5 years? Zero (according to BSI). But of course, as infosec evangelists, we first doubt the validity of the numbers, not our own importance.
  • One reason: Sensible basic security measures such as network segmentation, emergency drills, USB blockers and antivirus have effectively contained standard IT malware outbreaks in most cases
  • But: The main reason for the fortunately very manageable impact is, of course, that we do not build power plants or factories that do not survive the failure of a control system or a hard drive or suddenly pose a danger to life and limb when an absurdly high sensor value is entered. In the physical world, we build redundancy and security features into everything we hold dear. Occupational safety, quality, productivity, delivery reliability – these are the top priorities of plant managers.
  • In addition, the effective manipulation of automation technology is much more complex (= costly) for the attackers, because each attack requires a much higher degree of individualization. Coupled with the robustness described above (have fun hacking a mechanical pressure relief valve), the business case makes no sense.

People who have never worked in production also tell fairy tales along the lines of “Cyber attackers can cause billions in damage by adjusting a spray nozzle in painting robots!”

  • Spoiler alert: No. They can’t.
  • In the real world, wear and tear, entropy and human nature constantly cause problems such as process parameters that lie outside the intervention or tolerance limits. For example: too low pressure, temperature fluctuations, wrong spray angle, inhomogeneous pigmentation, slightly offset position of the body or robot, abrasion and dust in the most impossible places, or simply a wrong setting because someone made a typo
  • Therefore, there are control loops that either automatically readjust or alarm, stop processes and signal the need for manual intervention to reduce waste
  • Does it work perfectly? Of course not. We all know recalls by car manufacturers from the newspaper or from the letter in the mailbox. What we don’t know: recalls due to cyberattacks. And even if there were one, it would be 1 in 1000 other possible causes.

What I would like to know, maybe experts in cyber warfare can tell me:

  • To this day, when asked about a real attack on automation technology, there is always one example: Stuxnet. Is that all? After 14 years, we cite a state cyberattack by the US and Israel on Iran as a reason for buying OT NIDS?
  • If Stuxnet was so successful, why were Iran’s nuclear facilities recently spectacularly attacked with bunker-buster bombs?
  • Why do we read every day about Russian drone and missile attacks on Ukrainian power plants, and no longer about devastating cyberattacks?
  • Why does Israel have to bomb banks in Lebanon instead of taking them out by Unit 8200 & Co. by means of a cyberattack? Are Lebanese banks better protected against cyberattacks than our own?

I believe that there is a growing recognition that cyberattacks have comparatively little impact in the physical world – and we should all be happy about that. We have enough to do with ransomware and other IT problems. Other opinions (or even better: other facts)? Always with pleasure!

The M&A bankers, in contrast to me, were apparently also busy during the summer break:

  • Mitsubishi Electric (previously a shareholder) is buying Nozomi outright, at a valuation of around $1 billion. However, Nozomi (with currently ~75 million in sales, 33% growth, ~12,000 installations worldwide, estimated unprofitable) is to remain largely independent, similar to Rhebo / Landis + Gyr. Apparently, a lot of synergies are expected on the sales side if Nozomi’s sensors are used for process optimization. In my perception, Nozomi often prevails against competitors in the DACH region, also driven by an increasingly strong partner network.
  • Crowdstrike goes shopping and buys Pangea (AI Security, e.g. against Prompt Injection) for ~260 million USD and Onum (Data Pipeline Mgmt.) for ~300 million USD.
  • Of course, SentinelOne is not taking this lying down, but is following suit directly with the purchase of Observo.AI (also Data Pipeline Mgmt.), for ~200 million USD
  • Cato Networks (SASE, ZTNA) buys Aim Security (AI Security, among others Token Exfiltration Detection) for ~300 million USD
  • Checkpoint buys the practically congruent features of AI Sec from Lakera
  • Varonis buys SlashNext (Email, Teams, Zoom, WhatsApp etc. Security) for ~150 million USD
  • Security Scorecard acquires Hyper Comply (automated questionnaire filling) to upgrade its third-party risk management offering
  • F5 buys CalypsoAI (AI for protection against AI attacks, e.g. agent-based red teaming of models. On the homepage, it feels like every 3rd word is “inference”)
  • Accenture buys IAM Concepts from Canada (consulting + managed services for everything to do with identity, similar to IC Consult, I would say). Accenture now has an incredible 790,000 employees and will be larger than Switzerland in 2035 if this continues.
  • Shift5 gets 75 million for further expansion. Cool solution, especially for equipment of the US military: anomaly detection on layer 1 level (serial buses).

Notes from Vendor Briefings:

Deep Instinct (Update):

  • The last time I had contact with Deep Instinct was in the early days of CyberCompare, when it was still positioned as a preventive supplement to AV/EDR (“EDR+1”) based on deep learning. Since then, however, the solution has played almost no role in customer projects and has not been particularly present in the DACH market
  • Apparently, however, there are internationally well-known corporate customers, including American Express, Citibank, Blackrock, Honeywell. At least one German bank is probably among them
  • Now there is a reboot in DACH. The focus is on a new containerized solution (“DSX”) that scans binary files for anomalies before saving. A single container can scan ~100 GB/hour, which is significantly faster than typical AV engines.
  • Native integrations via API are already available with the common email solutions (API or ICAP connection), Amazon S3, NAS (Dell + NetApp)
  • Interesting for on prem enthusiasts: Can also be operated air gapped. Updates only take place about 2-3x/year
  • Too bad: The Breach Warranty no longer exists
  • Unfortunately, there are also no test reports that substantiate statements such as “Achieves over 99% detection of zero-day malware”
  • Licensing based on number of scans
  • Still looking for local channel partners

Confident Security:

  • Wrapper around AI applications (Open LLMs such as Llama or Mistral and customer-specific models) to ensure confidentiality of company and user data (“You bring the AI, we bring confidentiality”)
  • Anonymizes prompts and contextual data
  • Encrypts E2E traffic
  • No storage of customer data (including prompts) on the provider’s servers
  • Logging of the successful execution of the above operations in order to achieve traceability for customers. Guarantee HIPAA and PCI-DSS compliance. Provide proof that customer data cannot be used for training purposes.
  • Will soon also offer the option of customers running the AI application on their own GPU on prem
  • Sounds like the ideal solution for a European clone, right?

Accuknox:

  • US startup for CNAPP (i.e. competition with Wiz, Orca, PAN/Prisma, MS, CS, Forti/Lacework…), now want to accelerate market entry in Europe
  • Combine SAST + DAST incl. Secret + Container Scanning, CSPM, KSPM, AISPM and CWP
  • > 100 customers worldwide (some of them in Europe, but not yet large), approx. 100 employees
  • Purpose-built for hybrid environments. Can also be operated by the customer on prem
  • Integrations with e.g. Snyk, Checkmarx, Semgrep, Nessus…
  • The GRC functionality appeared extensive: Compliance reporting of the configuration vs. 33 frameworks possible
  • Runtime Protection (CWP): In contrast to other players, this offers a preventive approach, similar to allowlisting. The externally observable behaviors of applications (esp. network connections or file accesses) are recorded via an eBPF sensor and translated into a policy that will only allow these transactions in the future. On the other hand, there is no possibility (as far as I understand) to dynamically adjust the anomaly detection over time, e.g. to continuously tune threshold values.
  • Still looking for channel partners in the DACH region – please let us know if you are interested

Dawnguard:

  • Dutch startup for secure and at the same time cost-optimized cloud environments. In principle, a development environment for cloud architects
  • ~15 employees, ~25 test customers, is flooded with funding
  • Customers make prompt requests, e.g. “Access to XY-API should be twice as fast in the future”, or upload design documents from FIGMA or similar
  • Compliance requirements such as PCI-DSS, DORA or similar can be taken into account automatically
  • Result: Infrastructure as Code
  • Works for AWS and Azure so far, GCP is of course on the roadmap

As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.

And another call on our own behalf: We are looking for reinforcement for our project management team – just contact me if it sounds interesting.

For the people who have received the market commentary for the first time: Here you can register if you are interested or perform a recovery test from the archive.

Regards

Jannis Stemmann
