Hello everyone,
As part of an ongoing customer project, we took a closer look at the “Breach Warranties” of some MDR providers and tried to compare them. Neither my colleagues nor I are lawyers, so the table below is just a professional assessment. At the time of writing, binding confirmation from some providers was still pending.
- In general, the breach warranty can, of course, only be claimed for the endpoints where the EPP/EDR solution is installed. However, there are also additional restrictions. For example, while Sophos offers an endpoint agent for many Linux distributions, they do not seem entirely convinced of their own detection rate – in any case, the warranty does not cover Linux.
- The maximum amount paid out, $1 million, is of course just a drop in the ocean in the event of real damage. Moreover, the respective terms and conditions contain further potential pitfalls in the fine print (e.g., “the ransomware attack was not related to third-party software”). In the event of a dispute, it would be challenging to enforce the payment. However, I increasingly see the basic concept of breach warranties as more than just a marketing gimmick, but rather as a good step towards performance-based compensation or the alignment of interests between customers and providers.
- What I find even more convincing is the public written statement from WithSecure that no customer with the Countercept service has been compromised by a ransomware attack – even a single contradiction from a customer on Reddit or similar would be embarrassing. So, the statement is likely to be true.
If anyone has practical experience with the breach warranties or interprets the conditions differently, please feel free to reach out.
Everyone knows the MITRE ATT&CK matrices, and now there’s also MITRE ATLAS as a supplement for AI attack techniques:
- It covers the attacker’s preparatory steps against AI systems, starting with reconnaissance (e.g., “Search for Victim’s Publicly Available Research Materials”).
- It also covers attacks on AI applications (e.g., “LLM Prompt Injection,” “LLM Jailbreak”).
- Includes a collection of related case studies.
- Personally, I found the re-engineering of a NIDS’s anomaly detection (in this case, by a Palo Alto Networks researcher) to bypass malware detection quite interesting. It emphasizes the need for customized detection rules, honeypots, etc., tailored to the customer. Anything commercially available off the shelf can probably also be circumvented by attackers.
- If anyone needs to give a presentation or participate in a panel discussion on the topic of AI in security, this is a well-structured starting point. It’s also useful for security assessments of AI applications within an organization.
By the way, MITRE D3FEND (a mapping of defensive and detection techniques, such as MFA, to attack techniques) has also been available for about two years now. It sounds like a great idea, but I haven’t seen any practical applications for it yet. If anyone has a tip on this, I’d be happy to hear it.
After Airbus decided not to acquire Eviden (which narrowly avoided bankruptcy), it acquired Infodas instead. Mastercard has strengthened its position with Recorded Future (the threat intelligence platform). For those wondering about Mastercard as a cybersecurity provider: it has been active in the market with RiskRecon, a third-party cyber risk management tool similar to Bitsight, SecurityScorecard, or LocateRisk. NTT DATA has acquired GISA, presumably in order to offer managed SOC services from Germany soon.
Here are some key points from vendor briefings:
FBPro “Enforce Administrator”:
- A German provider (~25 employees) of automated system hardening according to customer-specific security baselines, BSI recommendations, CIS benchmarks, etc.
- Significantly more efficient and thorough than manual or scripted configuration via Intune or Group Policy.
- Typically involves around 600–700 settings for Windows systems, ~200 for Linux, plus the usual applications. Example: ~50 settings for endpoint logging alone.
- Allows exceptions to be defined (e.g., enabling cameras) and also manages application allow-listing via AppLocker/Device Guard.
- Monitors security-relevant settings for changes, e.g., those silently reset by OS updates.
- Simple reporting for compliance (e.g., VAIT/DORA, TISAX) / cyber insurance, etc.
- Deployment on-premises or in a private cloud (not SaaS).
- Currently has around 45 corporate customers, including financial service providers, energy suppliers, and some larger corporations.
- A free assessment tool is available.
- What I particularly like: Finally, a cybersecurity product where the marketing claims can be fully verified.
- Budget indication is ~30 EUR per endpoint per year for 5,000 endpoints.
- The whole solution is, of course, also offered as a managed service.
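What “automated hardening according to a CIS benchmark” boils down to at the technical level is: determine the effective value of each setting, compare it with the baseline, report drift. As an added illustration (my own sketch, not FBPro code), here is a minimal baseline check for an OpenSSH server configuration. The sshd_config samples, the baseline subset and its thresholds are constructed for this example; they are modelled on the SSH section of the CIS Linux benchmarks but are not the benchmark text. The two details it gets right are exactly the ones a quick script usually gets wrong: sshd uses the first value it reads for a keyword, so a hardened line appended at the end of the file is dead, and lines after a `Match` directive are conditional, not global.

```python
"""CIS-style baseline check for an OpenSSH server configuration.

Added example (not FBPro's code). The configs below are constructed samples,
not taken from a real host.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 4
LogLevel VERBOSE
# appended later by an admin; sshd keeps the first PermitRootLogin above
PermitRootLogin no
Match User backup
    PasswordAuthentication no
    PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
LogLevel VERBOSE
"""

# Baseline subset (constructed for this example): keyword -> (predicate on the
# lower-cased effective value, OpenSSH's compiled-in default when the keyword
# is absent). Absent keywords must be checked against the default, otherwise a
# missing "PasswordAuthentication no" silently passes.
BASELINE = {
    "permitrootlogin": (lambda v: v == "no", "prohibit-password"),
    "passwordauthentication": (lambda v: v == "no", "yes"),
    "x11forwarding": (lambda v: v == "no", "no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "6"),
    "clientaliveinterval": (lambda v: v.isdigit() and 1 <= int(v) <= 300, "0"),
    "loglevel": (lambda v: v in {"verbose", "info"}, "info"),
}

# "Keyword value" or "Keyword = value"; keywords are case-insensitive in sshd.
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s)(.*)$")


def parse_global_settings(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            # Everything from here on is scoped to the Match criteria and is
            # not the global setting (a later "Match all" is not special-cased).
            break
        settings.setdefault(key, value)  # first value wins, as sshd does
    return settings


def failing_settings(text, baseline=BASELINE):
    """Baseline items the config violates: {keyword: effective value}."""
    settings = parse_global_settings(text)
    failures = {}
    for key, (ok, default) in baseline.items():
        value = settings.get(key, default).lower()
        if not ok(value):
            failures[key] = value
    return failures


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        failures = failing_settings(cfg)
        print(f"{label}: {len(failures)} finding(s)")
        for key, value in failures.items():
            print(f"  {key} = {value}")
```

Running it on the sample config reports `PermitRootLogin yes` (the appended `no` is ignored by sshd), the absent `PasswordAuthentication` at its default `yes`, `X11Forwarding yes` and `ClientAliveInterval 0`; the hardened config produces no findings. Scaling this from six settings to the several hundred per platform mentioned above, and re-running it after every OS update, is the part a product automates.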
Kiteworks:
- A US provider (~450 employees) for the secure exchange of sensitive data (“Private Content Network”); depending on the use case, a competitor to Cryptshare, MOVEit, FTAPI, Citrix, SEPPmail, and of course Microsoft.
- Supports email, file sharing, Teams, machine-to-machine exchange (APIs, e.g., for SAP, Salesforce, Office, cloud repositories), and web forms, with files of up to 16 TB.
- Strong presence among Swiss banks and some DAX corporations; in some cases, limited to specific user groups (e.g., HR).
- Deployment on-premises, private or public cloud.
- Interesting: The new “SafeEDIT/SafeVIEW” module allows editing of CAD data by external service providers without the file being downloaded.
- Certified according to all relevant standards.
- Price around 40 EUR per user per year.
OpsMx Delivery Shield (Disclaimer: The Bosch VC fund has invested here):
- Application Security Posture Management (ASPM): provides a consolidated view of code scanners, CI/CD platforms, and vulnerabilities across the DevSecOps toolchain in use.
- Aligns with CIS benchmarks, NIST SP 800-53, FedRAMP, Git security, OpenSSF Scorecard…
- Simplifies and documents compliance reporting, including history.
- Also deduplicates and prioritizes vulnerabilities/misconfigurations, using EPSS (Exploit Prediction Scoring System) scores among other inputs.
- Native integrations with common development tools like Jira, SonarQube, JFrog, Aqua, GitHub, etc.
- SBOMs are also scanned for licensing issues.
- Customer references include Cisco, Adobe, Zendesk, Google, Western Union, but currently no customers in the EU (the provider’s headquarters are in the USA/India).
Omicron (StationGuard):
- An Austrian provider of electronic testing and measurement technology in power plants, substations, and power grids, with around 1,200 employees, and a world market leader in some areas.
- We looked at the “StationGuard,” which is an OT NIDS, competing with Rhebo, Dragos, Claroty, Nozomi, etc.
- Strong focus on customers in power generation and network operation (~50 corporate customers).
- Architecture and functions typical of OT NIDS products:
  - Passive detection of disturbances and anomalies with deep packet inspection for OT protocols such as IEC 61850, IEC 60870-5-104, DNP3, Modbus, Siemens S7, and the usual IT protocols.
  - Ring buffer for raw PCAP data.
  - Inventory and vulnerability management.
  - Sensors attached to mirror (SPAN) ports on switches and firewalls.
  - Central engine installed on-premises as a VM.
- Optimized for use in control centers, substations, etc.: the system builds a model of the plant automatically from the IEC 61850 SCL (Substation Configuration Language) file. The model also captures the intended function of each plant component and the communication authorized in normal and maintenance mode; it can be adjusted and supplemented manually.
- For vulnerabilities, a proprietary database maps the exact installed component types (IEDs, intelligent electronic devices) and their modules to CVE advisories, so that only genuinely relevant vulnerabilities are listed (according to Omicron, this typically shortens the vulnerability list by ~80%).
- What’s interesting is the evaluation and consulting for plant optimization that Omicron offers as a managed service, drawing not only on security know-how but also on operational expertise.
- Confirmed again in conversation: no known cyberattacks have been detected so far. 99% of detected issues are functional disturbances in processes; the rest are potentially security-relevant misoperations (e.g., incorrect password entries, access by unknown devices).
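To make the SCL-based approach concrete, here is an added example (my own sketch, not Omicron’s StationGuard code) of how a plant model can be derived from an IEC 61850 SCL file and used as an allow-list: the `Communication` section yields the address of every IED, the `IED` sections reveal which devices act as MMS servers or clients, and from that the expected client-to-server traffic on TCP/102 follows without any learning phase. The engineering-station address, the port list for engineering access and the “maintenance mode” rule are the kind of manual supplement the text mentions; the SCL snippet, those supplements and the flow records are all constructed for this example.

```python
"""Plant-model allow-list derived from an IEC 61850 SCL file.

Added example, not Omicron code. The SCL document, the engineering-station
address, the port sets and the observed flows below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}
MMS_PORT = 102                     # ISO transport over TCP (RFC 1006) carrying IEC 61850 MMS
ENGINEERING_PORTS = {22, 80, 443}  # assumed device configuration interfaces (SSH/web)

SAMPLE_SCL = """<?xml version="1.0" encoding="UTF-8"?>
<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT_F1" apName="AP1">
        <Address><P type="IP">10.10.1.11</P><P type="IP-SUBNET">255.255.255.0</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="CTRL_F1" apName="AP1">
        <Address><P type="IP">10.10.1.12</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="SAS_HMI" apName="AP1">
        <Address><P type="IP">10.10.1.100</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT_F1" type="ExampleRelay" manufacturer="ExampleVendor">
    <AccessPoint name="AP1"><Server><LDevice inst="LD0"/></Server></AccessPoint>
  </IED>
  <IED name="CTRL_F1" type="ExampleBayController" manufacturer="ExampleVendor">
    <AccessPoint name="AP1"><Server><LDevice inst="LD0"/></Server></AccessPoint>
  </IED>
  <IED name="SAS_HMI" type="ExampleHMI" manufacturer="ExampleVendor">
    <Services><ClientServices/></Services>
    <AccessPoint name="AP1"/>
  </IED>
</SCL>
"""

# Manual supplement to the SCL-derived model: an engineering laptop that is
# only expected to talk to the IEDs while the plant is in maintenance mode.
ENGINEERING_STATIONS = {"10.10.1.200"}


def build_model(scl_xml):
    """Return (ip_by_ied, servers, clients) parsed from the SCL document."""
    root = ET.fromstring(scl_xml)
    ip_by_ied = {}
    for cap in root.findall("scl:Communication/scl:SubNetwork/scl:ConnectedAP", NS):
        p = cap.find("scl:Address/scl:P[@type='IP']", NS)
        if p is not None and p.text:
            ip_by_ied[cap.get("iedName")] = p.text.strip()
    servers, clients = set(), set()
    for ied in root.findall("scl:IED", NS):
        name = ied.get("name")
        if ied.find("scl:AccessPoint/scl:Server", NS) is not None:
            servers.add(name)   # exposes logical devices -> MMS server
        if ied.find("scl:Services/scl:ClientServices", NS) is not None:
            clients.add(name)   # declares client capabilities -> MMS client
    return ip_by_ied, servers, clients


def authorized_flows(ip_by_ied, servers, clients, mode):
    """Expected (src_ip, dst_ip, dport) tuples for the given operating mode."""
    allowed = set()
    for c in clients:
        for s in servers:
            if c in ip_by_ied and s in ip_by_ied:
                allowed.add((ip_by_ied[c], ip_by_ied[s], MMS_PORT))
    if mode == "maintenance":
        for eng in ENGINEERING_STATIONS:
            for s in servers:
                for port in ENGINEERING_PORTS:
                    allowed.add((eng, ip_by_ied[s], port))
    return allowed


def classify(flow, model, mode):
    """Classify one observed TCP flow (src_ip, dst_ip, dport) against the model."""
    ip_by_ied, servers, clients = model
    known = set(ip_by_ied.values()) | ENGINEERING_STATIONS
    src, dst, dport = flow
    if src not in known or dst not in known:
        return "unknown device"
    if flow in authorized_flows(ip_by_ied, servers, clients, mode):
        return "ok"
    if src in ENGINEERING_STATIONS and dport in ENGINEERING_PORTS:
        return "engineering access outside maintenance mode"
    return "not in plant model"


def evaluate(flows, scl_xml=SAMPLE_SCL, mode="normal"):
    model = build_model(scl_xml)
    return [(flow, classify(flow, model, mode)) for flow in flows]


# Constructed flow records (src, dst, dport), as a sensor on a mirror port might see them.
SAMPLE_FLOWS = [
    ("10.10.1.100", "10.10.1.11", 102),  # HMI polling the protection relay: expected
    ("10.10.1.11", "10.10.1.12", 102),   # relay opening MMS to the bay controller: not modelled
    ("10.10.1.200", "10.10.1.11", 22),   # engineering laptop via SSH
    ("10.10.1.250", "10.10.1.11", 102),  # address that appears nowhere in the SCL
]

if __name__ == "__main__":
    for mode in ("normal", "maintenance"):
        print(f"--- mode: {mode}")
        for flow, verdict in evaluate(SAMPLE_FLOWS, mode=mode):
            print(f"{flow[0]:>12} -> {flow[1]:<12} tcp/{flow[2]:<4} {verdict}")
```

In normal mode the HMI poll is accepted, the relay-to-controller MMS session and the unknown address are flagged, and the SSH session from the engineering laptop is reported as engineering access outside maintenance mode; switching the mode to maintenance turns that last verdict into “ok” while the other two findings remain. This is also why the 99% figure quoted above is plausible: a model this strict flags every deviation from the engineered configuration, and most deviations are operational, not malicious.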
As always, feel free to reach out with questions, suggestions, comments, experience reports, as well as opposing opinions or corrections via email.
Best regards
Jannis Stemmann
The Marktkommentar by Jannis Stemmann