Hello everyone,
today a hodgepodge of topics I’ve stumbled across lately.
It starts with a rarity in the infosec media fairytale landscape: Grafana Labs does a public lap of honor after an attack is thwarted. Specifically, several thousand canary tokens were used to detect attempted access to an AWS API key. Canary Tokens are API keys, URLs, DynamoDB tables, S3 buckets, queues, and other files with embedded tokens – very similar to honeypots/tokens. The name comes from canaries, which used to be used in mining to warn of excessive carbon monoxide concentrations.
However, the article also mentions the difficulty of managing the false alarms triggered by your own MA. Approaches here are probably internal company conventions on naming or placing the tokens. If you are interested: Common deception tools of different kinds can be found at Fortinet, SentinelOne, Cynet, Sentrybox, Commvault, ZScaler, Thinkst or Tracebit, among others.
Lakera (now part of Checkpoint) presents us with Gandalf: A Gamified AI Prompt Injection Awareness training, you could say. I’m always up for brain teasers and puzzles, I immediately fell in love with it. Currently, and probably until retirement, I am stuck in level 8.
From Wiz comes with a similar approach The Ultimate Cloud Security Championship. However, a much higher level of technical knowledge (or Claude) is required to break out of containers and exploit Entra ID misconfigurations. Those who have learned this can then earn five-figure prize money from the $4.5 million bug bounty pool with 0-Click Remote Code Execution Exploits at the ZeroDay Cloud Hacking Challenge .
On an unrelated note: Wiz now offers its own incident response service for customers (Crowdstrike started like that, as far as I know), currently even free of charge. It is possible that the IR team resources will be shared with Google/Mandiant , would be obvious.
Cisco has made USD 8 billion in sales with security in the last 12 months, as was mentioned in the subordinate clause when presenting the financial year figures. That’s about the same level as PAN and twice as much as Crowdstrike. Organic growth (excluding Splunk) was around 9%, Splunk is probably developing positively since the acquisition with ~300 new customers. Cisco still lacks a good EDR to become a true security platform. Maybe you will soon strike at SentinelOne or similar.
Figma (design software, approx. 1600 employees, ~25 billion market capitalization) has published a report on the experience with the use of application allowlisting . The usual core argument against whitelisting is that developers are then no longer able to work. Figma uses Santa, an open source device/application control tool specifically for MacOS. But I think the success factors are transferable to WDAC, Drivelock, Matrix42 or similar:
- Introduction to monitoring / learning mode to first recognize all applications that are running
- General approval of ~150 applications signed by trusted manufacturers
- Central review of all remaining binaries installed on more than 3 devices
- Exception rules for compilers and package distributors (e.g. automatic test if the hash value of the local file matches that of the official source file).
- Default block and sandbox analysis of all remaining applications. However, if the application does not require sensitive rights (such as Full Disk Access), which is checked automatically, users can obtain the release themselves (i.e. without the 4-eyes principle)
- Phased rollout (10%-25%-50%-70%-98%-100%). The last 2% were probably the hardcore developers, for whom complex exception rules had to be defined
A public security benchmark of AI models (called riskrubric.ai) now comes from the Cloud Security Alliance and some AI security vendors (Noma, Haize Labs, Harmonic). GPT5, Claude Sonnet and Claude Opus were far ahead at the time of writing, Mistral far behind, I didn’t find Gemini. The methodology of the tests is also described.
A valued reader sent me a reply to the OT Sec paragraph from the last market commentary, which I reproduce here slightly edited:
“OT protection should not be taken lightly. However, an investment should be in reasonable proportion to the exposure to the probability of attackers on site and perimeter protection.
Two more aspects to cyberattacks:
- For state actors, “plausible deniability” and difficulties in attribution play a role.
- Costs rather not.
Therefore, cyber attacks play a role more in preparation for military action than after the start of hostilities.
I am convinced that the cyber component played a significant role in the elimination of Iran’s air defenses. Otherwise, at least one or the other rocket would have been fired.
What does that mean as a producer? To the extent that you go more into the armaments sector, you also have to expect targeted attacks on plants. My guess is that the attacks are more likely to come via IT or infrastructure (e.g. power grid), less via direct attacks by suppliers/suppliers on site. But you can’t rely on that.”
M&A News:
- Let’s Defend (provider of SOC analyst + pen tester training, ~400k users) was bought by competitor Hack the Box
- Valimail (Email Security) was acquired by DigiCert
- Cyberbit (Cyberrange / Incident Response Simulation Platform) has acquired US competitor Rangeforce
- Eleven (Email Security from Germany) has been acquired by Halon (Swedish provider of large email infrastructures)
- As expected, Netskope has had a fantastic IPO. I wasn’t there and therefore have to continue to live on toast and orange juice
Notes from vendor conversations:
Onum:
- Data Pipeline Mgmt from Spain (similar to Cribl, Tenzir etc.), were just bought by Crowdstrike, so I wanted to take a closer look
- Prior to that, the founding team launched Devo Security (SIEM/SOAR) and raised it to a valuation of ~2 billion
- Basic idea: Instead of the sequence of collection => storage => correlation & recognition => response, correlation & detection takes place before storage. This can reduce storage costs by 40-70% and also save a few minutes until the alarm is raised
- Marketplace with pre-configured pipelines (e.g. Cloudtrail AWS Logs to Splunk or Fortinet Forewall Logs to Exabeam) that contain the push/pull log collectors, parsers, detection and filtering logic
- Otherwise, customers can create their own pipelines => That seemed similar to normal SIEMs in terms of effort
- Of course, the intelligence lies in knowing what you can leave out without standing completely naked in the wind in threat hunting. To my surprise, there was still little in the platform. Actually, one could also suggest the filter logic for the 200 standard detection use cases depending on log sources. But that’s sure to come – CS can also contribute a lot of experience here.
Vali Cyber:
- U.S. Hypervisor Ransomware Protection Provider
- ~50 paying corporate customers, but not yet in the EU
- From my point of view, this is obvious: Many security managers have a problem with the fact that the EDR agent does not run on the hypervisor, but there is no budget for a SIEM
- Solution covers all 68 relevant MITRE ATT&CK TTPs (e.g. T1675 ESXi Admin Control) by means of:
-
- SSH MFA (for service accounts, conditions such as time window or IP can be defined to turn off the MFA challenge)
- Allowlisting
- Virtual patching of detected CVEs
- Process monitoring (without a learning phase, but based on typical malware behaviors)
- File Integrity Checks + Automated Rollback
- Interesting: No eBPF sensor, but in user space. Patented solution to avoid uninstall and reduce processor load. Works via 3 parallel processes that monitor each other, making it harder to trick.
- Operation air gapped possible – Agent is managed and updated via VM Lifecycle Mgmt
- Focus so far on Linux-based hypervisors, i.e. ESXi, Citrix, Nutanix, KVM, Proxmox, RedHat EV (Current market distribution VMWare 84%, Citrix 10%, Microsoft 4% and Nutanix/Rest 2%)
Persona:
- US provider for identity verification, i.e. competition with IDNow, Truuth.ID
- Customer focus of course banks / payment providers with AML (money laundering) and KYC (Know your Customer) requirements or age restrictions (Adult Entertainment, Gambling)
- Kern KnowHow:
-
- Detection of deepfakes and fraud attempts via plausibility checks of various data points (e.g. via databases in which invoices of the electricity and water suppliers are stored)
- Experience in building workflows that ensure compliance on the one hand and user-friendliness on the other
- ~1000 customers, including Microsoft, OpenAI, Okta. In Germany, among others, Miles Mobility
- See great growth potential in the area of employee onboarding (North Korean fake workers or similar)
Sprinto:
- GRC solution from US, with a strong footprint in India. Overall, the feature set is similar to Vanta
- Already ~3400 corporate customers after about 5 years (including AWS, SopraSteria, Kyndryl, also in EU – data will then be hosted in Frankfurt)
- Continuous evaluation of audit readiness
- Blueprints for all possible policies, which customers can then adapt with their own logos or the like
- Integrations out of the box looked very extensive (e.g. for vulnerability scanners not only Qualys + Tenable, but also the major EDR and code scan solutions)
- Interesting: Close link with provider’s own assistance service by auditors, e.g. to review existing policies or evidence
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list. The next 3 days I can also be found on the inevitable it-sa.
For the people who have received the market commentary for the first time: Here you can register if you are interested or subject the archive to a compliance check for compliance with the archiving guidelines.
Regards
Jannis Stemmann
