Hello everyone,
CISA has released a detailed Red Teaming report, simulating an attack by a nation-state actor on a U.S. federal agency (“Stormshield”). The initial part of the attack chain was conducted without prior notification of the agency (compromise of an unpatched Solaris web server).
In my opinion, it’s worth a read (~30 minutes) and probably even more worthwhile to go through the individual steps and measures with your own team.
In addition to the usual basics such as segmentation, DNS monitoring, and hardening of domain controllers (why does a DC need access to AWS EC2 instances?), some interesting points were raised, such as:
- Alerts from the EDR system were not checked daily, and the retention period for suspicious telemetry was only 30 days => Suggests the need for an MDR service.
- Unclear responsibilities for Sysmon configuration.
- Server admins and domain admins could access the same jump host => This was used to steal a domain admin’s session token.
- Insufficient custom detection rules in use (out-of-the-box detection rules can be tested by attackers beforehand).
- Detection rules were stored unencrypted locally in configuration files => These were read by the Red Team.
If anyone knows of other realistic published pen test / Red Teaming reports, please let me know. I find these reports more illustrative than, for example, advisories on new CVEs, which in most cases are not practically exploitable. Additionally, it is, of course, interesting to see what kind of security tools are used on the defender side or listed in the lessons learned.
Follow-up on NIS-2: A keen reader (so there is at least 1 other than my mother! Thank you!) pointed out the annex (Ares(2024)4640447), which actually specifies the required measures much more concretely for a small subset of affected organizations under increased scrutiny (IT service providers like data center operators and MSSPs).
Examples:
- 3.2.2 “To the extent feasible, monitoring shall be automated and carried out either continuously or in periodic intervals, subject to business capabilities. The relevant entities shall implement their monitoring activities in a way which minimizes false positives and false negatives.”
- 3.2.3 (g) “The relevant entities shall maintain, document, and review logs. Logs shall include […] event logs and logs from security tools, such as antivirus, intrusion detection systems or firewalls”
- 6.7.2 (h) “The relevant entities shall allow connections of service providers only after an authorization request and for a set time period, such as the duration of a maintenance operation.”
Overall, the impression is solidifying that even as a cloud computing provider, you largely comply with NIS-2 if you can also pass an ISO27001 audit without incident. For all other regular companies: No need to panic.
The reported acquisition price of ~23 billion USD for Wiz (a multiple of about 25 on the rumored revenue of < 1 billion USD) only makes sense if Google/Alphabet can use it to win more customers, not only for other security products like Chronicle/SecOps but above all for GCP. For comparison: The market value of Tenable is ~5 billion USD, Qualys is also ~5 billion USD, and Rapid7 is ~2.5 billion USD. These are multiples of 8-15 on revenue.
Unlike the security solutions, GCP is not only highly profitable but already generates ~35 billion USD in revenue => So every percent of growth is worth it. And the market allows for it: GCP is still somewhat like the likeable chimpanzee next to the AWS and Azure gorillas on the monkey rock, while the IaaS market continues to grow at ~20% per year. In my perception, GCP has so far been preferred mainly by startups and small development teams. Wiz can bring more presence in the professional enterprise segment here.
This could happen through a bundle (perceived by the customer as free), similar to MS Defender. I don’t believe in exclusivity, as it would annoy too many customers (large customers use multiple cloud solutions). And Wiz does not have sufficient defensible unique selling points for that.
On the pure security side, customer projects show that 99.9% of all large companies have a hybrid infrastructure and will likely still have on-prem systems in 10 years. A vulnerability management tool only for cloud infrastructure? Customer feedback: It can be a supplement, but it always means more interfaces. Solutions like the ones mentioned above or from Microsoft, Cisco, or Fortra cover on-prem systems in addition to the cloud, and in pure cloud vulnerability management, Wiz is facing more and more competitors – not only the known ones like Orca but also all the EDR/XDR manufacturers (Lacework was acquired by Fortinet in June) and the External Attack Surface Management (EASM) scanners, which are constantly expanding their features. One option for Google/Wiz would be to extend the functionality of Chronicle’s local SIEM forwarders. Let’s see. In any case, what the Wiz team has achieved in ~16 years is already a huge success.
Plagued by exhausting budget discussions, lack of resources, and postponed projects? You are not alone: Horvath found in its annual survey of CxOs that cybersecurity is now only just in the top 3 on the agenda of boards and managing directors. Unsurprisingly, the optimization of cost structures has moved even further to the forefront.

Here are a few notes from vendor meetings:
Anvilogic:
- An interesting solution for customers with their own SIEM to reduce log costs in Azure Sentinel or Splunk (typically by around 30%) without compromising security.
- The data is partially migrated to Snowflake or Azure Data Explorer.
- Anvilogic has already translated the queries of the SIEM systems, so analysts don’t have to do any additional work.
- Surprisingly, it is rather unsuitable for MSSPs because the architecture is not ideal for multi-tenants.
- Competitors are primarily Hunters, Panther, or Cribl, but each has a slightly different approach. Anvilogic focuses on security logs.
Grip Security:
- Cloud Security Posture Management (CSPM)
- Interesting approach: employee email inboxes are scanned to discover SaaS solutions and accounts that were set up long before Grip was introduced.
- Practically every SaaS solution communicates with users via email (registration, billing, login information, other touchpoints). This allows for a fairly comprehensive inventory without needing integration and without huge manual effort.
- The mention of scanning email inboxes initially triggers GDPR alarm bells. However, it is apparently not a problem because only the metadata of auto-generated emails from SaaS solutions is used. And fundamentally, every email gateway must scan emails on arrival anyway (though not internal ones between employees).
- Can also recognize privileges like OAuth scopes and partially restrict user access rights. Advantages over Microsoft Defender for Cloud include better integration with Google Auth.
- Interesting feature: during offboarding, access rights to SaaS applications that are not connected to the identity provider via SSO can be revoked (Non-Federated => App Credentials, Dangling Access).
- Possible complement to CASB => To also detect access to Dropbox, Hubspot, etc., via unmanaged devices.
- Currently, no reference customers in the EU, but PoCs are ongoing.
- The founder of CrowdStrike, George Kurtz, has invested here.
Alkira:
- Networking as a Service
- Can consolidate individual firewalls and routers in cloud infrastructure, reducing operational costs and complexity.
- Example customer: Installed one Palo Alto firewall instance each in Azure, AWS, and GCP in three regions (EU, US, APAC), totaling nine firewall licenses => Reduced to three (one per region, each on a “Cloud Exchange Point” node).
- Customers include Cisco/Splunk, Warner Music, S&P Global, indicating it is more suited for large corporations.
- Not widely spread in the EU/DACH region yet.
- Investors include Sequoia, Kleiner Perkins.
Panaseer:
- Cybersecurity management system (as an alternative to DIY PowerBI dashboards).
- Integration with vulnerability scanners, endpoint solutions, CMDBs, etc.
- Dashboard: tracking of EOL systems, display of unpatched systems, results of phishing campaigns, also along regulatory frameworks like ISO.
- Creation and tracking of tickets.
- The friendly and actually very competent salesperson was from Scotland, so I only understood a fraction – the solution can probably do much more, but the rest was lost in translation.
As always: Feel free to send questions, suggestions, comments, experiences, and even opposing opinions or corrections via email. Thanks again for the support so far!
Best regards.
Jannis Stemmann
The Marktkommentar by Jannis Stemmann