Influencing CISOs, information security officers (ISBs), IT leaders, and other budget decision-makers, whether subtly or overtly, is standard practice for every security salesperson. Since whiskey and cigar tastings, “exclusive” events, and other relationship-management measures have become somewhat overused, it is only logical to turn to more creative methods.
The prominent VC fund Cyberstarts, which backs successful security startups such as Wiz, Armis, Island, and others, has taken this to heart. Following an extensive investigation by the Israeli business magazine Calcalist, the fund now faces allegations of effectively bribing the CISOs of large corporations. The incentive scheme, euphemistically named “Sunrise,” apparently rewarded more than 80 CISOs privately with a share of the fund’s profits if their employers bought products from the fund’s portfolio companies.
The issue is currently causing quite a stir in the U.S. For now, however, everyone seems to be relying on the single report mentioned above; we will see what else comes to light. In Fortune 500 companies, CISOs can significantly influence purchasing decisions for security products and services, but they cannot push them through alone. So, in my opinion, the overall damage should be limited, even if the allegations are fully confirmed.
Cyber insurance carriers are likely to emerge relatively unscathed from the CrowdStrike incident (the faulty Falcon sensor content update of July 2024). While the damage is now estimated at around USD 15 billion, most policies carry a waiting period of about 8 hours before business-interruption cover kicks in, so shorter outages are simply not covered. By the way, the global premium volume for cyber insurance is currently around USD 20 billion, roughly 10-15% of the market for cybersecurity products and services. Thanks to premium increases, the business is also very profitable for most players.
Even during the summer break there are more M&A headlines: Next DLP was acquired by Fortinet, Acronis (backup and recovery) by the Swedish private-equity firm EQT, Mimecast bought Aware (DLP), DigiCert acquired Vercara (DNS, DDoS, and web/API protection), and IBM finally completed its acquisition of HashiCorp (automation of cloud operations via infrastructure as code and policy as code).
As we know, predictions are always difficult, especially when they concern the future. Nevertheless, I will go out on a limb and, after a deep look into the glass (or the crystal ball), predict the following:
- The product categories SIEM, EDR/XDR, and vulnerability management will continue to converge.
- In about five years it will be standard to use security products that need only one endpoint agent for all three functions. Finally, something that simplifies customers’ lives.
- The pioneers in this will be Cisco/Splunk, CrowdStrike, Fortinet, Microsoft, Palo Alto, and SentinelOne.
- There will still be room for 2-3 other providers before the market continues to consolidate in the long term.
- Qualys and Tenable will either be acquired by an EDR provider, acquire a smaller EDR provider, or integrate a white-label engine such as Bitdefender’s. Developing the 30th EDR engine in-house makes no sense. Interestingly, Tenable has just put itself up for sale.
- The same goes for all SIEM providers that have not done this yet.
- For fringe players in the EDR market such as BlackBerry Cylance or Cynet, the next two years will be crucial: they will either be acquired soon, license their IP, or sell their customer base. Otherwise their company value will tend towards zero.
- NDR will remain a niche topic, used primarily in critical infrastructure and in network segments where an agent cannot be installed (enterprise IoT).
Here are some semi-structured notes from vendor briefings:
SentinelOne (Update):
- General:
- We have seen SentinelOne in several projects with really good value for money, especially with the MDR service Vigilance Pro (better SLAs, remote incident response, and a quota of hours for customer-specific questions). However, the service during onboarding could be improved in some cases.
- My impression is that the modules are now better integrated => only one agent for all modules, all alerts in one console.
- Not surprisingly, there is now an AI assistant, “Purple AI,” which creates queries or firewall rules from natural language and automates much of the incident analysis => makes the work of MDR analysts easier, and it is already being used in Germany.
- Initial installation on Windows (including Windows on ARM) is now possible without a reboot and with 100% feature availability.
- Interesting developments such as attack path management are on the roadmap.
- EPP including asset discovery and vulnerability scans:
- Vulnerability scans are possible as soon as one endpoint with an agent is present in the network segment, including authenticated scans with credentials. Prioritization is based not only on CVSS/KEV but also on customer-specific exposure => functionality similar to Qualys or Tenable, but with the ability to respond directly from the same console (e.g., by isolating the endpoint), even when no patch is available yet.
- Scans of network periphery such as routers are of course still somewhat limited in terms of OS support, and I suspect they are SNMP-only. The SSH scans from Tenable and others provide significantly more configuration detail and allow false positives to be reduced. But it is only a matter of time before the leading EDR solutions catch up here.
- Conditional access can be configured via policies, e.g., a 2FA challenge depending on application, user, and/or time of day.
- Identity: expanded to include detection of compromised accounts via darknet searches. From my point of view, it is problematic if complete password hashes are shared.
- XDR:
- Now with many native data connectors for logs (normalized via the Open Cybersecurity Schema Framework, OCSF), e.g., for Zscaler, Netskope, Cloudflare, Rapid7, Cisco, Fortinet, Palo Alto, AWS, Azure, GCP, Proofpoint, and Vectra. Communication is partly bidirectional, i.e., automated responses are possible.
- There are already customers who collect large volumes of Windows events/logs with SentinelOne XDR and forward only the resulting incidents to Splunk/QRadar to save costs.
- This will also be integrated into the MDR service in the future, but currently the customer is still responsible for monitoring it.
- Cloud Security/CNAPP Module:
- SentinelOne has acquired PingSafe (a competitor to Wiz, Orca, and Microsoft Defender for Cloud); the integration already feels about 90% complete. It provides workload protection for servers, containers, storage buckets, and NetApp, as well as asset discovery, secret discovery in code repositories, and vulnerability scans.
- Very cool: assessment of exploitability (“Offensive Engine, View Evidence of Exploitability”) through exploit-code generation, similar to Pentera or a manual pen test. This allows vulnerabilities to be prioritized, false positives to be excluded, and EDR or SIEM detections to be validated.
- Of course, it also offers automated assessment against compliance frameworks such as SOC 2.
- Regarding the MITRE MDR evaluation and mean time to detect (MTTD):
- According to SentinelOne, its focus was on the “signal-to-noise ratio” in reporting (=> CrowdStrike sent eight times as many emails to the MITRE team).
- However, from my point of view, this is not entirely plausible: Bitdefender sent only slightly more emails than SentinelOne, and MITRE explicitly evaluated the concreteness of the action recommendations (“actionable”).
- Fact: SentinelOne has consistently been among the top performers in MITRE evaluations for years, and an MTTD of 24 minutes is well below the SLA agreed with customers.
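On the identity note above (compromised-account detection via darknet searches) and the concern about sharing complete password hashes: the usual way to check credentials against a breach corpus without handing over the full hash is a k-anonymity range query, the scheme used by the Have I Been Pwned “Pwned Passwords” API. The following is an added example written for this newsletter, not SentinelOne’s implementation; the breach corpus, the service-side index, and the wordlist are constructed inside the code.

```python
"""Added example (not SentinelOne's code): compromised-password lookup with a
k-anonymity range query, so the full hash never leaves the client.
The corpus and wordlist below are constructed for this example."""
import hashlib
from typing import Dict, List, Optional

# Constructed "breach corpus" held by the lookup service. A real service stores
# only hashes, by the hundreds of millions; plaintexts appear here just to build it.
BREACH_CORPUS = ["password", "letmein", "hunter2", "Summer2024!", "qwerty"]
PREFIX_LEN = 5  # hex chars sent to the service (HIBP uses 5, i.e. 20 bits of the SHA-1)


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, upper-case hex, as breach corpora are commonly distributed."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: List[str]) -> Dict[str, List[str]]:
    """Service side: bucket hash suffixes by their PREFIX_LEN-character prefix."""
    index: Dict[str, List[str]] = {}
    for plaintext in corpus:
        digest = sha1_hex(plaintext)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def range_query(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Service side: return every suffix in the bucket. The service learns only the
    prefix, which maps to many candidate passwords, not to the one being checked."""
    return sorted(index.get(prefix.upper(), []))


def is_compromised(password: str, index: Dict[str, List[str]]) -> bool:
    """Client side: hash locally, send only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(index, prefix)


def crack_full_hash(full_hash: str, wordlist: List[str]) -> Optional[str]:
    """What anyone holding a complete unsalted hash can do: an offline dictionary
    attack. This is the reason not to ship full hashes to a third party."""
    target = full_hash.upper()
    for candidate in wordlist:
        if sha1_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    idx = build_range_index(BREACH_CORPUS)
    print("'password' compromised:", is_compromised("password", idx))
    print("unique passphrase compromised:", is_compromised("correct horse battery staple", idx))
    print("full hash of 'letmein' cracks to:", crack_full_hash(sha1_hex("letmein"), BREACH_CORPUS))
```

The client computes the SHA-1 locally and transmits only the first five hex characters; the service answers with every suffix under that prefix (several hundred per prefix in a corpus the size of HIBP’s), and the match happens on the client. `crack_full_hash` shows the flip side: a complete unsalted hash handed to a third party is one dictionary run away from the plaintext. The same pattern applies to NTLM hashes when auditing Active Directory passwords against leak lists.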
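On the XDR connectors normalized via OCSF: normalization means that every source, whatever its native format, is mapped onto the same event class, field names, and enumerations, so a single query covers all of them. Below is an added example, not SentinelOne’s or any vendor’s connector code: two constructed firewall syslog lines in a generic key=value style are mapped to OCSF Network Activity events (class_uid 4001) and then queried for refused inbound RDP connections per source. The OCSF constants follow the public 1.x schema as I read it and are an assumption of this example, as are the product name, the internal address ranges, and the `device.hostname` mapping.

```python
"""Added example (not vendor code): map constructed firewall syslog lines onto
OCSF Network Activity events and run one vendor-agnostic query over the result.
OCSF field names and enum values below are taken from the public 1.x schema
and are an assumption of this example."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample lines in a generic key=value syslog style (not real vendor output).
SAMPLE_LOGS = [
    "2024-08-01T10:15:02Z fw01 action=allow proto=tcp src=10.1.2.3 spt=51234 "
    "dst=203.0.113.10 dpt=443 bytes_out=5120 bytes_in=20480",
    "2024-08-01T10:15:07Z fw01 action=deny proto=tcp src=198.51.100.7 spt=40000 "
    "dst=10.1.2.3 dpt=3389 bytes_out=0 bytes_in=0",
    "2024-08-01T10:15:09Z fw01 action=deny proto=tcp src=198.51.100.7 spt=40001 "
    "dst=10.1.2.4 dpt=3389 bytes_out=0 bytes_in=0",
]

# OCSF Network Activity (category 4, class 4001) enumerations used here.
CATEGORY_NETWORK = 4
CLASS_NETWORK_ACTIVITY = 4001
ACTIVITY_REFUSE, ACTIVITY_TRAFFIC = 5, 6
DIRECTION_UNKNOWN, DIRECTION_INBOUND, DIRECTION_OUTBOUND, DIRECTION_LATERAL = 0, 1, 2, 3
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFO, SEVERITY_LOW = 1, 2

# Assumed internal ranges; ipaddress.is_private would also flag the RFC 5737 test nets used above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction_id(src: str, dst: str) -> int:
    """Derive connection_info.direction_id from which side is inside our address space."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return DIRECTION_LATERAL
    if src_in:
        return DIRECTION_OUTBOUND
    if dst_in:
        return DIRECTION_INBOUND
    return DIRECTION_UNKNOWN


def parse_line(line: str):
    """Split '<iso-timestamp> <host> k=v k=v ...' into epoch millis, host, and a field dict."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000), host, fields


def to_ocsf(line: str) -> Dict:
    """Build one OCSF Network Activity event; consumed keys are popped so that
    anything the mapping does not understand lands in 'unmapped' instead of being lost."""
    time_ms, host, f = parse_line(line)
    denied = f.pop("action") == "deny"
    activity = ACTIVITY_REFUSE if denied else ACTIVITY_TRAFFIC
    src, dst = f.pop("src"), f.pop("dst")
    return {
        "category_uid": CATEGORY_NETWORK,
        "class_uid": CLASS_NETWORK_ACTIVITY,
        "activity_id": activity,
        "type_uid": CLASS_NETWORK_ACTIVITY * 100 + activity,  # OCSF convention
        "time": time_ms,
        "severity_id": SEVERITY_LOW if denied else SEVERITY_INFO,
        "status_id": STATUS_FAILURE if denied else STATUS_SUCCESS,
        "src_endpoint": {"ip": src, "port": int(f.pop("spt"))},
        "dst_endpoint": {"ip": dst, "port": int(f.pop("dpt"))},
        "connection_info": {"protocol_name": f.pop("proto"), "direction_id": direction_id(src, dst)},
        "traffic": {"bytes_in": int(f.pop("bytes_in")), "bytes_out": int(f.pop("bytes_out"))},
        "device": {"hostname": host},
        "metadata": {"version": "1.1.0", "product": {"name": "ExampleFW", "vendor_name": "Example"}},
        "unmapped": f,
    }


def normalize_all(lines: List[str]) -> List[Dict]:
    return [to_ocsf(line) for line in lines]


def denied_rdp_by_source(events: List[Dict]) -> Dict[str, int]:
    """Query that works on any source mapped to this class: refused inbound
    connections to TCP/3389, counted per source address."""
    hits = Counter(
        e["src_endpoint"]["ip"]
        for e in events
        if e["class_uid"] == CLASS_NETWORK_ACTIVITY
        and e["activity_id"] == ACTIVITY_REFUSE
        and e["dst_endpoint"]["port"] == 3389
        and e["connection_info"]["direction_id"] == DIRECTION_INBOUND
    )
    return dict(hits)


if __name__ == "__main__":
    print(denied_rdp_by_source(normalize_all(SAMPLE_LOGS)))
```

The point of the exercise is the last function: once a Palo Alto, Fortinet, or Zscaler log has been mapped to the same `class_uid`, `activity_id`, and endpoint fields, the detection logic no longer cares which vendor produced the line. Keeping leftover keys in `unmapped` is what makes a later schema change (a renamed vendor field) survivable rather than silently dropping data.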
Cloud Range:
- Cyber range: particularly interesting for customers who want to test security tools against attack scenarios => much of it is already preconfigured and automated as scripts.
- You can either model a “digital twin” of your own IT infrastructure as the environment or use a model environment out of the box.
- The model environment even includes an OT network and background traffic over HTTP/S, SSH, and SMTP to make it realistic. Agents run on about 80 VMs, logging into applications, opening files, and sending emails. This background noise can also generate false positives in EDR and SIEM tools.
- The special highlight from my point of view: the provider has already licensed many of the common security tools (e.g., Splunk, QRadar, CrowdStrike, Defender, Nozomi, Claroty, …), so you can try them out directly.
- If you are interested, just let me know and we will arrange a joint appointment. Perhaps as a simpler alternative to more complex PoCs with red teaming.
Logpoint (Update):
- We had a joint meeting with Logpoint (a Danish SIEM provider with currently ~1,000 enterprise customers) and Schwarz Digits / StackIT as a “sovereign cloud” in the EU.
- ~300 native integrations, e.g., with SAP ERP.
- ~1,700 out-of-the-box alert rules.
- Hybrid deployment is also possible: an EAL3+ (Common Criteria) certified hardware appliance is available.
- Multi-tenant capability for MSSPs and corporate group structures.
- Log normalization: if, for example, the JSON field names of a data source change, this can be reported to Logpoint, and the normalization of already-stored logs can be adjusted accordingly.
- Static enrichment at ingest time, e.g., resolving DNS names immediately so that the IP address valid at that moment is stored (a dynamically assigned address might belong to a different host later).
- Logs can be stored in separate repositories, e.g., all Linux logs separately, all logs containing PII separately.
- Typical storage tiers: hot on SSD for ~30 days, warm on HDD for up to ~180 days, and cold on S3-compatible object storage for 1-3 years. Searches and rule checks are of course possible across all tiers, but response times vary significantly => access to data in cold storage is usually only needed for forensics, not for daily operations.
- Focus on ease of use, e.g., via search templates for threat hunting and SOAR playbooks. According to Logpoint, two days are enough for someone with reasonable security knowledge to use the platform effectively.
- Price range for Logpoint/StackIT licensing with the above retention times, including a 24/7 SOC service from an MSSP: 120-180 EUR per endpoint per year. XM Cyber integrates well and costs an additional ~50-60 EUR per endpoint per year.
- By their own account, they have little experience and few integrations with OT (if at all, then via anomaly-detection products such as Rhebo or Claroty).
- Besides the SIEM solution discussed above, ServiceNow is also to be offered on StackIT => huge potential in my view, much greater than for the security solutions.
Safebase:
- Trust center software for managing compliance documents such as certificates and answering customer questions on topics such as data protection, legal matters, or information security.
- Sensitive documents, such as detailed technical and organizational measures (TOMs), can be marked “private” and then downloaded by external partners based on approval workflows and rules (e.g., NDA signed? If not, an NDA is automatically sent for signature). The documents are then automatically watermarked so they can be traced back to the partner who downloaded them.
- Individual questionnaires from customers (e.g., “Do you use disk encryption like BitLocker?”, “Which encryption algorithm is used?”, “What is the coverage of your cyber insurance in the event of damage?”) are pre-filled by AI on the basis of existing documents.
- Customers can automatically receive updates when documents in the trust center are updated (e.g., renewal of the SOC 2 audit).
- 700 enterprise customers (e.g., LinkedIn, Palantir, Asana, HubSpot), including some in the EU.
Appdome:
- Mobile app protection (for app developers) and mobile EDR (for users), competing with Zimperium and with the mobile threat defense offerings of CrowdStrike, SentinelOne, and F5.
- Mobile app protection includes features such as end-to-end transport encryption and in-memory encryption, integrable out of the box into the CI/CD pipeline, so they do not have to be developed in-house.
- What is interesting: integration into customer apps happens at the binary level (“binary merging”), without an SDK or changes to the customer’s source code. This requires significantly fewer development resources on the customer side, and the entire PoV/PoC, including pen tests, can be completed within 1-2 weeks to prove the security gain.
- Pen test reports are also made available very transparently.
- Mobile EDR offers, for example, anti-reverse-engineering, botnet protection, jailbreak protection, and malware and rootkit detection for iOS and Android (rolled out via Intune, MobileIron, or other MDMs).
- Central monitoring of device telemetry is of course possible.
- US provider with a small team in Germany. The manufacturer claims its protection is installed on 1.5 billion mobile devices, via around 300 enterprise customers.
By the way, I thought we had reached peak cringe in security advertising with CrowdStrike’s Super Bowl ads. Far from it, that was just a stepping stone: Palo Alto has now followed suit and even engaged Keanu Reeves. At least you can tell from his expression that it is not only the audience being tortured by the humorlessly sanitized clip.
As always, feel free to send any questions, suggestions, comments, experiences, or even opposing opinions or corrections via email.
Best regards,
Jannis Stemmann