Ukraine says government websites hit by “massive cyber attack”


A Ukrainian Military Forces serviceman watches through a spyglass in a trench on the frontline with Russia-backed separatists near Avdiivka, southeastern Ukraine, on January 9, 2022. (credit: Anatolii Stepanov | Getty Images)

Ukraine said it was the target of a “massive cyber attack” after about 70 government websites ceased functioning.

On Friday morning, the targets included the websites of the ministerial cabinet and of the foreign, education, agriculture, emergency, energy, veterans affairs, and environment ministries. Also out of service were the websites of the state treasury and the Diia electronic public services platform, where vaccination certificates and electronic passports are stored.

“Ukrainians! All your personal data has been uploaded to the public network,” read a message temporarily posted on the foreign ministry’s website. “All data on your computer is being erased and won’t be recoverable. All information about you has become public, fear and expect the worst.”


#biz-it, #cyberattack, #cyberwarfare, #hacking, #policy, #russa, #ukraine

Web host Epik was warned of a critical website bug weeks before it was hacked

Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms.

In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a “decade’s worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials, and employee mailboxes. The cache of stolen data also contains files from the company’s internal web servers, and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February.

Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.”

TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach.

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

Leo ran a proof-of-concept command from the public-facing WHOIS page to ask the server to display its username, which confirmed that code could run on Epik’s internal server, but he did not test to see what access the server had as doing so would be illegal.

It’s not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders relating to Epik’s WHOIS system, but the hacktivists left no contact information and could not be reached for comment.) But Leo contends that if a hacker exploited the same vulnerability, and the server had access to other servers, databases or systems on the network, that foothold could have led to the kind of data stolen from Epik’s internal network in February.

“I am really guessing that’s how they got owned,” Leo told TechCrunch, who confirmed that the flaw has since been fixed.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

#8chan, #computer-security, #computing, #cyberspace, #cyberwarfare, #epik, #gab, #parler, #rob-monster, #security, #texas, #world-wide-web

BitSight raises $250M from Moody’s and acquires cyber risk startup VisibleRisk

BitSight, a startup that assesses the likelihood that an organization will be breached, has received a $250 million investment from credit rating giant Moody’s, and acquired Israeli cyber risk assessment startup VisibleRisk for an undisclosed sum.

Boston-based BitSight says the investment from Moody’s, which has long warned that cyber risk can impact credit ratings, will enable it to create a cybersecurity risk platform, while the credit ratings giant said it plans to make use of BitSight’s cyber risk data and research across its integrated risk assessment product offerings.

The investment values BitSight at $2.4 billion and makes Moody’s the largest shareholder in the company.

“Creating transparency and enabling trust is at the core of Moody’s mission,” Moody’s president and CEO Rob Fauber said in a statement. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of cyber loss.”

Meanwhile, BitSight’s purchase of VisibleRisk, a cyber risk ratings joint venture created by Moody’s and Team8, brings in-depth cyber risk assessment capabilities to BitSight’s platform, enabling the startup to better analyze and calculate an organization’s financial exposure to cyber risk. VisibleRisk, which has raised $25 million to date, says its so-called “cyber ratings” are based on cyber risk quantification, which allows companies to benchmark their cyber risk against those of their peers, and to better understand and manage the impact of cyber threats to their businesses.

Following the acquisition, BitSight will also create a risk solutions division focused on delivering a suite of critical solutions and analytics serving stakeholders including chief risk officers, C-suite executives, and boards of directors. This division will be led by VisibleRisk co-founder and CEO Derek Vadala, who previously headed up Moody’s cyber risk group.

Steve Harvey, president and CEO of BitSight, said the company’s partnership with Moody’s and its acquisition of VisibleRisk will expand its reach to “help customers manage cyber risk in an increasingly digital world.”

BitSight was founded in 2011 and has raised a total of $155 million in outside funding, most recently closing a $60 million Series D round led by Warburg Pincus. The startup has just shy of 500 employees and more than 2,300 global customers, including government agencies, insurers and asset managers. 

#articles, #boston, #computer-security, #cyberattack, #cybercrime, #cyberwarfare, #leader, #risk, #risk-analysis, #risk-management, #safety, #security, #team8, #warburg-pincus

Thoma Bravo takes a stake in threat intelligence provider Intel 471

Private equity giant Thoma Bravo has taken a stake in Intel 471, a provider of cyber threat intelligence for enterprises and governments.

The strategic growth investment, which comes as organizations double-down on cybersecurity amid a pandemic-fueled rise in cyber threats, will enable Intel 471 to evolve its product suite, broaden its go-to-market strategy and continue to “aggressively pursue innovation,” according to Thoma Bravo. Financial terms of the deal were not disclosed.

Intel 471, a Texas-based firm founded in 2014, takes a preventative approach to cybersecurity. It leverages its access to forums and dark web marketplaces to equip organizations with intelligence and monitoring on threat actors and malware attacks. Using the company’s platform, businesses can track threat actor activity and vulnerability exploits, analyze near-real-time monitoring of malware activity, trace threats that could cause security breaches, and receive alerts on compromised credentials.

“As cybercriminals and their tactics become increasingly sophisticated, our monitoring and intelligence solutions have become mission-critical, with organizations of all sizes looking to us to help them protect against attacks,” said Mark Arena, CEO of Intel 471.

Arena, along with fellow co-founder Jason Passwaters, will continue to lead Intel 471 and will retain a “significant” ownership position.

Thoma Bravo’s investment in Intel 471 continues the private equity firm’s cybersecurity spending spree. Its recent $12.3 billion purchase of Proofpoint, for example, said to be the largest acquisition in cybersecurity history, tops Broadcom’s $10.7 billion purchase of Symantec, Intel’s $7.6 billion acquisition of McAfee, and Okta’s proposed $6.5 billion acquisition of Auth0.

Thoma Bravo also previously acquired Sophos for $3.9 billion, took a majority stake in LogRhythm and paid $544 million for authentication startup Imprivata. 

#auth0, #broadcom, #ceo, #computing, #cybercrime, #cyberwarfare, #logrhythm, #mcafee, #security, #security-software, #sophos, #symantec, #technology, #texas, #thoma-bravo

A popular smart home security system can be remotely disarmed, researchers say

A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give to companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not say which specifics it claims are false, or whether Fortress has mitigated the vulnerabilities.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said that, given only a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.
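The replay problem described above, as an added example that is not Rapid7’s or Fortress’s code: a simulated key fob and receiver that show why a fixed, unencrypted “arm”/“disarm” frame stays valid for anyone who recorded it, and how a rolling counter with a MAC under a shared key rejects the same frame the second time. The Fortress S03 radio format is not known to this example; the frame layout, key, tag length and counter window are constructed choices.

```python
"""Added example (not Rapid7's or Fortress's code): a static arm/disarm frame
that replays, beside a rolling-counter frame with a MAC that does not.
Frame layout, key, tag length and window are constructed for illustration."""
import hashlib
import hmac

COMMANDS = {b"ARM": "armed", b"DISARM": "disarmed"}


class StaticReceiver:
    """Accepts any frame whose bytes equal a known command. Because the frame
    never changes, a recording of it is as good as the fob itself."""

    def __init__(self):
        self.state = "disarmed"

    def receive(self, frame: bytes) -> bool:
        new_state = COMMANDS.get(frame)
        if new_state is None:
            return False
        self.state = new_state
        return True


TAG_LEN = 8  # truncated HMAC-SHA256 tag (constructed choice)


class RollingFob:
    """Each press sends counter(4) || tag(8) || command,
    where tag = HMAC-SHA256(key, counter || command)[:8]."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self, command: bytes) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr + command, hashlib.sha256).digest()[:TAG_LEN]
        return ctr + tag + command


class RollingReceiver:
    WINDOW = 16  # presses made out of range are tolerated; counters never go backwards

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.state = "disarmed"

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN + 1:
            return False
        ctr_bytes = frame[:4]
        tag = frame[4:4 + TAG_LEN]
        command = frame[4 + TAG_LEN:]
        expected = hmac.new(self.key, ctr_bytes + command, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        ctr = int.from_bytes(ctr_bytes, "big")
        if not (self.last_counter < ctr <= self.last_counter + self.WINDOW):
            return False  # counter already used (replay) or too far ahead
        new_state = COMMANDS.get(command)
        if new_state is None:
            return False
        self.last_counter = ctr
        self.state = new_state
        return True
```

The static receiver accepts the same recorded `b"DISARM"` frame every time, while the rolling receiver accepts a fresh frame once and then refuses it: the MAC stops forgery of a new counter value, and the monotonic counter stops reuse of a captured one. A real design also needs key provisioning and a resynchronisation procedure for a fob pressed many times out of range, which this simulation leaves out.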

Vishwakarma said homeowners could use a plus-tagged email address containing a long, unique string of letters and numbers as a stand-in for a password. But there was little for homeowners to do about the radio signal bug until Fortress addresses it.

Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.


#api, #computer-security, #cryptography, #cyberwarfare, #hacking, #law, #massachusetts, #password, #rapid7, #security, #software-testing, #vulnerability

Cybersecurity VC funding surges to a record $11.5B in 2021

The pandemic completely upended the threat landscape as we know it. Ransomware accounted for an estimated 2.9 million attacks so far in 2021, and supply-chain attacks, such as those that targeted Kaseya and SolarWinds, have increased fourfold over 2020, according to the European Union’s cybersecurity agency, ENISA, which recently warned that the more traditional cybersecurity protections are no longer effective in defending against these types of attacks.

This has created an unprecedented need for emerging technologies, attracting both organizations and investors to look closer at newer cybersecurity technologies.

“We are seeing a perfect storm of factors coming together to create the most aggressive threat landscape in history for commercial and government organizations around the world,” said Dave DeWalt, founder and managing director of NightDragon, which recently invested in multi-cloud security startup vArmour. “As an investor and advisor, I feel we have a responsibility to help these organizations better prepare themselves to mitigate this growing risk.”

According to Momentum Cyber’s latest cybersecurity market review out Wednesday, investors poured $11.5 billion in total venture capital financing into cybersecurity startups in the first half of 2021, up from $4.7 billion during the same period a year earlier.

More than 36 of the 430 total transactions surpassed the $100 million mark, according to Momentum. These include the $543 million Series A raised by passwordless authentication company Transmit Security and the $525 million round closed by cloud-based security company Lacework.

“As an investor in the cyber market for over fifteen years, I can say that this market climate is unlike anything we’ve seen to date,” said Bob Ackerman, founder and managing director of AllegisCyber Capital, which recently led a $26.5 million investment in cybersecurity startup Panaseer. “It is encouraging to finally see CEOs, boards of directors, investors and more paying serious attention to this space and putting the resources and capital in place to fund the innovations that address the cybersecurity challenges of today and tomorrow.”

Unsurprisingly, M&A volume also saw a massive increase during the first six months of the year, with significant deals for companies in cloud security, security consulting, and risk and compliance. Total M&A volume reached a record-breaking $39.5 billion across 163 transactions, according to Momentum, more than four times the $9.8 billion spent in the first half of 2020 across 93 transactions.

Nine M&A deals in 2021 so far have been valued at greater than $1 billion, including Proofpoint’s $12.3 billion acquisition by Thoma Bravo, Auth0’s $6.4 billion acquisition by Okta, and McAfee’s $4 billion acquisition by TG.

“Through the first half of 2021, we have witnessed unprecedented strategic activity with both M&A and financing volumes at all-time highs,” said Eric McAlpine and Michael Tedesco, managing partners at Momentum Cyber. “We fully expect this trend to continue through the rest of the year and into 2022.”


#computer-security, #computing, #cyberwarfare, #fundings-exits, #network-management, #security, #thoma-bravo, #venture-capital

Insider hacks to streamline your SOC 3 certification application

If you’re a tech company offering anyone a service, somewhere in your future is a security assessment giving you the seal of approval to manage clients’ data and operate on your devices. No one takes security lightly anymore. The business costs of cyberattacks have now hit an all-time high. Government bodies, companies and consumers need the assurance that the next software they download isn’t going to be an open door for hackers.

For good reason, security certifications like the SOC 3 really put you through the wringer. My company, Waydev, has just attained the SOC 3 certification, becoming one of the first development analytics tools to receive that accreditation. We learned so much from the process, we felt it was right to share our experience with others that might be daunted by the prospect.

As a non-tech founder, it was hard not only to navigate the process, but to appreciate its value. But by putting our business caps on, our team was able to optimize our approach and minimize the time and effort needed to achieve our goal. In doing so, we were granted SOC 3 compliance in two weeks, as opposed to the two months it takes some companies.

We also turned the assessment into an opportunity to better our product, align our internal teams, boost our brand and even launch partnerships.

So here’s our advice on how teams can smoothly reach an SOC 3 while simultaneously balancing workloads and minimizing disruption to users.

First, bring your teams on board

Because we can’t expect employees to stack those hours on top of their regular workdays, as a leader you have to accept — and communicate — that the speed of your output will inevitably decrease.

As a founder, you’ll be acting as captain steering a ship into that SOC 3 port, and you’ll need all members of your crew to join forces. This isn’t a job for a specially designated security team alone and will require deep involvement from your development and other teams, too. That might lead to internal resistance, as they still have a full-time job tending to your product and customers.

That’s why it’s so important to start by being crystal clear with your employees about what this process will mean to their work lives. But they also need to embrace the real benefits that will arise. SOC 3 will immediately raise your brand’s appeal and likely see new customers come in as a result.

Each employee will also come out the other end with well-honed cybersecurity skills — they’ll have a deep understanding of potential cyber threats to the company, and all security initiatives will carry a far lighter burden. There’s also the sense of pride and fulfillment that comes with having an indisputable edge over your competitors.

#column, #computer-security, #cryptography, #cyberwarfare, #data-security, #ec-column, #ec-cybersecurity, #ec-how-to, #security, #security-tools, #startups

A bug in a medical startup’s website put thousands of COVID-19 test results at risk

A California-based medical startup that provides COVID-19 testing across Los Angeles has pulled down a website it used to allow customers to access their test results after a customer found a vulnerability that allowed access to other people’s personal information.

Total Testing Solutions has ten COVID-19 testing sites across Los Angeles, and processes “thousands” of COVID-19 tests at workplaces, sports venues, and schools each week. When test results are ready, customers get an email with a link to a website to get their results.

But one customer said they found a website vulnerability that allowed them to access other customers’ information by increasing or decreasing a number in the website’s address by a single digit. That allowed the customer to see other customers’ names and the date of their test. The website also only requires a person’s date of birth to access their COVID-19 test results, which the customer who discovered the vulnerability said “wouldn’t take long” to brute-force, or simply guess. (That’s just 11,000 birthday guesses for anyone under age 30.)


Although the test results website is protected by a login page that prompts the customer for their email address and password, the vulnerable part of the website that allowed the customer to change the web address and access other customers’ information could be accessed directly from the web, bypassing the sign-in prompt altogether.
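The two weaknesses described above (a sequential record number in the web address and a date of birth as the only check, reachable without signing in) as an added example that is not Total Testing Solutions’ code, beside a hardened lookup. The records, names, e-mail addresses, dates, token format and attempt limit are all constructed for illustration.

```python
"""Added example (not Total Testing Solutions' code): a results lookup with
the article's two flaws next to a hardened version. All data is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, keyed by the sequential number a URL would expose.
RESULTS = {
    1041: {"name": "A. Example", "email": "a@example.test", "dob": "1991-04-12", "result": "negative"},
    1042: {"name": "B. Example", "email": "b@example.test", "dob": "1988-09-30", "result": "positive"},
}


def vulnerable_lookup(result_id: int, dob: str):
    """Flawed handler: no session, a guessable id, and the date of birth as the
    sole check. Changing result_id by one reaches the next customer's record."""
    rec = RESULTS.get(result_id)
    if rec is not None and rec["dob"] == dob:
        return {"name": rec["name"], "result": rec["result"]}
    return None


def dob_search_space(max_age_years: int = 30) -> int:
    """Candidate birthdays for someone under max_age_years (leap days ignored):
    roughly 11,000 for age 30, the figure the article gives."""
    return 365 * max_age_years


@dataclass
class Session:
    email: Optional[str] = None  # None means the caller is not signed in
    dob_attempts: int = 0


MAX_DOB_ATTEMPTS = 5  # constructed limit

# Hardened handler: each result is addressed by an unguessable per-record
# token rather than a sequential number, the record must belong to the
# signed-in user, and the date of birth is only a second factor with a cap
# on wrong attempts.
_TOKENS = {rid: secrets.token_urlsafe(24) for rid in RESULTS}
_BY_TOKEN = {tok: rid for rid, tok in _TOKENS.items()}


def token_for(result_id: int) -> str:
    """The link e-mailed to the customer would carry this token."""
    return _TOKENS[result_id]


def hardened_lookup(session: Session, token: str, dob: str):
    if session.email is None:
        return ("error", "authentication required")
    rec = RESULTS.get(_BY_TOKEN.get(token))
    if rec is None or rec["email"] != session.email:
        # Same answer for "no such record" and "not your record", so the
        # endpoint does not confirm which tokens exist.
        return ("error", "not found")
    if session.dob_attempts >= MAX_DOB_ATTEMPTS:
        return ("error", "too many attempts")
    if not hmac.compare_digest(rec["dob"].encode(), dob.encode()):
        session.dob_attempts += 1
        return ("error", "not found")
    return ("ok", {"name": rec["name"], "result": rec["result"]})
```

The point of the ownership check is that even a valid token for another customer’s record is useless without that customer’s session; the attempt counter turns the 11,000-guess birthday space from a minor inconvenience into something the server simply does not allow.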

The customer passed on details of the vulnerability to TechCrunch to get the vulnerability fixed before someone else finds it or exploits it, if not already.

TechCrunch verified the customer’s findings. It did not enumerate each result code, but limited testing found that the vulnerability likely put around 60,000 tests at risk. TechCrunch reported the vulnerability to TTS chief medical officer Geoffrey Trenkle, who did not dispute the number of discovered tests, but said the vulnerability was limited to an on-premise server used to provide legacy test results that has since been shut down and replaced by a new cloud-based system.

“We were recently made aware of a potential security vulnerability in our former on-premises server that could allow access to certain patient names and results using a combination of URL manipulation and date of birth programming codes,” said Trenkle in a statement. “The vulnerability was limited to patient information obtained at public testing sites before the creation of the cloud-based server. In response to this potential threat, we immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach. We also initiated a vulnerability assessment, including the review of server access logs to detect any unrecognized network activity or unusual authentication failures.”

Trenkle declined to say when the cloud server became active, and why the allegedly legacy server had test results as recently as last month.

“Currently, TTS is not aware of any breach of unsecured protected health information as a result of the issues with its prior server. To our knowledge, no patient health information was actually compromised, and all risk has been mitigated going forward,” said Trenkle.

Trenkle said the company will comply with its legal obligations under state law, but stopped short of explicitly saying if the company plans to notify customers of the vulnerability. Although companies aren’t obliged to report vulnerabilities to their state’s attorney general or to their customers, many do out of an abundance of caution since it’s not always possible to determine if there was improper access.

TTS chief executive Lauren Trenkle, who was copied on an email chain, did not comment.

#attorney-general, #california, #computer-security, #covid-19, #cyberwarfare, #hacking, #health, #jamaica, #los-angeles, #privacy, #security, #software-testing, #tts, #vulnerability

Siga secures $8.1M Series B to prevent cyberattacks on critical infrastructure

Siga OT Solutions, an Israeli cybersecurity startup that helps organizations secure their operations by monitoring the raw electric signals of critical industrial assets, has raised $8.1 million in Series B funding.

Siga says its SigaGuard technology, used by Israel’s critical water facilities and the New York Power Authority, is unique in that rather than monitoring the operational network, it uses machine learning and predictive analysis to “listen” to Level 0 signals. These are typically the raw electrical signals of components and sensors, rather than protocols or data packets that can be manipulated by hackers.

By monitoring Level 0, which Siga describes as the “richest and most reliable level of process data within any operational environment,” the company can detect cyberattacks on the most critical and vulnerable physical assets of national infrastructures. This, it claims, ensures operational resiliency even when hackers are successful in manipulating the logic of industrial control system (ICS) controllers.

Amir Samoiloff, co-founder and CEO of Siga, says: “Level 0 is becoming the major axis in the resilience and integrity of critical national infrastructures worldwide and securing this level will become a major element in control systems in the coming years.”

The company’s latest round of funding — led by PureTerra Ventures, with investment from Israeli venture fund SIBF, Moore Capital, and Phoenix Contact — comes amid an escalation in attacks against operational infrastructure. Israel’s water infrastructure was hit by three known cyberattacks in 2020 and these were followed by an attack on the water system of a city in Florida that saw hackers briefly increase the amount of sodium hydroxide in Oldsmar’s water treatment system. 

The $8.1 million investment lands three years after the startup secured $3.5 million in Series A funding. The company said it will use the funding to accelerate its sales and strategic collaborations internationally, with a focus on North America, Europe, Asia, and the United Arab Emirates. 


#articles, #asia, #computer-security, #cryptography, #cyberattack, #cybercrime, #cybersecurity-startup, #cyberwarfare, #data-security, #energy, #europe, #florida, #israel, #machine-learning, #north-america, #nozomi-networks, #phoenix, #ransomware, #security, #united-arab-emirates

Checkmarx acquires open source supply chain security startup Dustico

Checkmarx, an Israeli provider of static application security testing (AST), has acquired open-source supply chain security startup Dustico for an undisclosed sum. 

Founded in 2020, Dustico provides a dynamic source-code analysis platform that employs machine learning to detect malicious attacks and backdoors in software supply chains. 

The acquisition will see Checkmarx combine its AST capabilities with Dustico’s behavioral analysis technology to give customers a consolidated view into the risk and reputation of open-source packages, and as a result, a more comprehensive approach to preventing supply chain attacks. 

The deal comes amid a sharp rise in supply chain attacks, in which threat actors slip malicious code into a trusted piece of software or hardware. Last December, it was revealed that Russian hackers had breached software firm SolarWinds to plant malicious code in its IT management tool Orion. This allowed the hackers — later identified as Russia’s Foreign Intelligence Service (SVR) — to access as many as 18,000 networks that used the Orion software.

Dustico’s technology, which is similar to that offered by Sonatype, analyses open source packages using a three-pronged approach. First, it factors in trust, providing visibility into the credibility of package providers and individual contributors in the open-source community; then it examines the health of packages to determine their level of maintenance. Finally, Dustico’s behavioral analysis engine inspects the package and looks for malicious code hiding within, including backdoors, ransomware, multi-stage attacks, and trojans.

This insight, coupled with vulnerability results from Checkmarx’s AST solutions, aims to give organizations and developers greater insight for managing the risks associated with open-source packages and the supply chains that depend on them, according to the two companies.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO of Checkmarx. “Blending Dustico’s differentiated approach to open-source analysis with Checkmarx’s security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”

The acquisition of Dustico comes after Checkmarx was bought by private equity firm Hellman & Friedman at a valuation of $1.15 billion in March 2020. Prior to this, in 2015, the company was sold to Insight Partners with an $84 million investment. 

#backdoor, #ceo, #checkmarx, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #developer, #hellman-friedman, #insight-partners, #ma, #machine-learning, #security, #software, #solarwinds, #supply-chain, #supply-chain-attack, #supply-chain-management, #united-states

Finite State lands $30M Series B to help uncover security flaws in device firmware

Columbus, Ohio-based Finite State, a startup that provides supply chain security for connected devices and critical infrastructure, has raised $30M in Series B funding. 

The funding lands amid increased focus on the less-secure elements in an organization’s supply chain, such as Internet of Things devices and embedded systems. The problem, Finite State says, is largely fueled by device firmware, the foundational software that often includes components sourced from third-party vendors or open-source software. This means that if a security flaw is baked into the finished product, it is often without the device manufacturer’s knowledge.

“Cyber attackers see firmware as a weak link to gain unauthorized access to critical systems and infrastructure,” Matt Wyckhouse, CEO of Finite State, tells TechCrunch. “The number of known cyberattacks targeting firmware has quintupled in just the last four years.”

The Finite State platform brings visibility to the supply chains that create connected devices and embedded systems. After unpacking and analyzing every file and configuration in a firmware build, the platform generates a complete bill of materials for software components, identifies known and possible zero-day vulnerabilities, shows a contextual risk score, and provides actionable insights that product teams can use to secure their software.

“By looking at every piece of their supply chain and every detail of their firmware — something no other product on the market offers — we enable manufacturers to ship more secure products, so that users can trust their connected devices more,” Wyckhouse says.

The company’s latest funding round was led by Energize Ventures, with participation from Schneider Electric Ventures and Merlin Ventures, and comes a year after Finite State raised a $12.5 million Series A round. It brings the total amount of funds raised by the firm to just shy of $50 million. 

The startup says it plans to use the funds to scale to meet the demands of the market. It plans to increase its headcount too; Finite State currently has 50 employees, a figure that’s expected to grow to more than 80 by the end of 2021.  

“We also want to use this fundraising round to help us get out the message: firmware isn’t safe unless it’s safe by design,” Wyckhouse added. “It’s not enough to analyze the code your engineers built when other parts of your supply chain could expose you to major security issues.”

Finite State was founded in 2017 by Matt Wyckhouse, founder and former CTO of Battelle’s Cyber Business Unit. The company showcased its capabilities in June 2019, when its widely cited Huawei Supply Chain Assessment revealed numerous backdoors and major security vulnerabilities in the Chinese technology company’s networking devices that could be used in 5G networks.


#articles, #battelle, #ceo, #columbus, #computer-security, #computing, #cto, #cyberwarfare, #energize-ventures, #firmware, #funding, #hardware, #huawei, #internet-of-things, #open-source-software, #security, #supply-chain, #supply-chain-management, #technology

Industrial cybersecurity startup Nozomi Networks secures $100M in pre-IPO funding

Nozomi Networks, an industrial cybersecurity startup that aims to shield critical infrastructure from cyberattacks, has raised $100 million in pre-IPO funding.

The Series D funding round was led by Triangle Peak Partners, and also includes investment from a number of equipment, security, service provider and go-to-market companies including Honeywell Ventures, Keysight Technologies and Porsche Digital. 

This funding comes at a critical time for the company. Cyberattacks on industrial control systems (ICS) — the devices necessary for the continued running of power plants, water supplies, and other critical infrastructure — increased both in frequency and severity during the pandemic. Look no further than May and June, which saw ransomware attacks target the IT networks of Colonial Pipeline and meat manufacturing giant JBS, forcing the companies to shut down their industrial operations.

Nozomi Networks, which competes with Dragos and Claroty, says its industrial cybersecurity solution aims to prevent such attacks by detecting threats against ICS devices before they hit. It provides real-time visibility to help organizations manage cyber risk and improve resilience for industrial operations.

The technology currently supports more than a quarter of a million devices in sectors such as critical infrastructure, energy, manufacturing, mining, transportation, and utilities, with Nozomi Networks doubling its customer base in 2020 and seeing a 5,000% increase in the number of devices its solutions monitor. 

The company will use its latest investment, which comes less than two years after it secured $30 million in Series C funding, to scale product development efforts as well as its go-to-market approach globally. 

Specifically, Nozomi Networks said it plans to grow its sales, marketing, and partner enablement efforts, and upgrade its products to address new challenges in both the OT and IoT visibility and security markets. 

#articles, #australia, #canada, #colonial-pipeline, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #energy, #funding, #internet-of-things, #malware, #manufacturing, #mining, #nozomi-networks, #porsche, #security, #technology, #united-states

Biden warns cyber attacks could lead to a “real shooting war”

US President Joe Biden, NATO Secretary General Jens Stoltenberg and Belgian Prime Minister Alexander De Croo attend a plenary session of a NATO summit at the North Atlantic Treaty Organization (NATO) headquarters in Brussels, on June 14, 2021. (credit: Laurie Dieffembacq | Getty Images)

President Joe Biden has warned that cyberattacks could escalate into a full-blown war as tensions with Russia and China mounted over a series of hacking incidents targeting US government agencies, companies, and infrastructure.

Biden said on Tuesday that cyber threats including ransomware attacks “increasingly are able to cause damage and disruption in the real world.”

“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” the president said in a speech at the Office for the Director of National Intelligence, which oversees 18 US intelligence agencies.

#biz-it, #china, #cyberwarfare, #policy, #ransomware, #russia, #usa

Noetic Cyber emerges from stealth with $15M led by Energy Impact Partners

Noetic Cyber, a cloud-based continuous cyber asset management and controls platform, has launched from stealth with a Series A funding round of $15 million led by Energy Impact Partners.

The round was also backed by Noetic’s existing investors, TenEleven Ventures and GlassWing Ventures, and brings the total amount of funds raised by the startup to $20 million following a $5 million seed round. Shawn Cherian, a partner at Energy Impact Partners, will join the Noetic board, while Niloofar Razi Howe, a senior operating partner at the investment firm, will join Noetic’s advisory board.

“Noetic is a true market disruptor, offering an innovative way to fix the cyber asset visibility problem — a growing and persistent challenge in today’s threat landscape,” said Howe.

The Massachusetts-based startup claims to be taking a new approach to the cyber asset management problem. Unlike traditional solutions, Noetic is not agent-based, instead using API aggregation and correlation to draw insights from multiple security and IT management tools.

“What makes us different is that we’re putting orchestration and automation at the heart of the solution, so we’re not just showing security leaders that they have problems, but we’re helping them to fix them,” Paul Ayers, CEO and co-founder of Noetic Cyber tells TechCrunch.

Ayers was previously a top exec at PGP Corporation (acquired by Symantec for $370 million) and Vormetric (acquired by Thales for $400 million) and founded Noetic Cyber with Allen Roger and Allen Hadden, who previously worked at cybersecurity vendors including Authentica, Raptor and Axent. All three were also integral to the development of Resilient Systems, which was acquired by IBM.

“The founding team’s experience in the security, orchestration, automation and response market gives us unique experience and insights to make automation a key pillar of the solution,” Ayers said. “Our model gives you the certainty to make automation possible; the goal is to find and fix problems continuously, getting assets back to a secure state.”

“The development of the technology has been impacted by the current cyber landscape, and the pandemic, as some of the market drivers we’ve seen around the adoption of cloud services, and the increased use of unmanaged devices by remote workers, are driving a great need for accurate cyber asset discovery and management.”

The company, which currently has 20 employees, says it plans to use the newly raised funds to double its headcount by the end of the year, as well as to increase its go-to-market capability in the U.S. and the U.K. to grow its customer base and revenue.

“In terms of technology development, this investment allows us to continue to add development and product management talent to the team to build on our cyber asset management platform,” Ayers said. 

“The beauty of our approach is that it allows us to easily add more applications and use cases on top of our core asset visibility and management model. We will continue to add more connectors to support customer use cases and will be bringing a comprehensive controls package to market later in 2021, as well as a community edition in 2022.”

#api, #cloud-services, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #data-security, #energy-impact-partners, #funding, #glasswing-ventures, #ibm, #information-technology, #malware, #massachusetts, #partner, #raptor, #resilient-systems, #security, #shawn-cherian, #symantec, #technology-development, #teneleven-ventures, #thales, #united-kingdom, #united-states, #vormetric

Cyber risk startup Safe Security lands $33M from UK telco BT

Safe Security, a Silicon Valley cyber risk management startup, has secured a $33 million investment from U.K. telco BT. 

Founded in 2012, Safe Security — formerly known as Lucideus — helps organizations to measure and mitigate enterprise-wide cyber risk using its security assessment framework for enterprises (SAFE) platform. The service, which is used by a number of companies including Facebook, Softbank and Xiaomi, helps businesses understand their likelihood of suffering a major cyberattack, calculates a financial cost to customers’ risks and provides actionable insight on the steps that can be taken to address them.

This funding round saw participation from Safe Security’s existing investors, including former Cisco chairman and chief executive John Chambers, and brings the total amount raised by Safe Security to $49.2 million.

BT said the investment, which is its first major third-party investment in cybersecurity since 2006, reflected its plans to grow rapidly in the sector. Philip Jansen, BT’s CEO, said: “Cybersecurity is now at the top of the agenda for businesses and governments, who need to be able to trust that they’re protected against increasing levels of attack.

“Already one of the world’s leading providers in a highly fragmented security market, this investment is a clear sign of BT’s ambition to grow further.”

The startup’s co-founder and chief executive Saket Modi said he was “delighted” to be working with BT.

“By aligning BT’s global reach and capabilities with SAFE’s ability to provide real-time visibility on cyber risk posture, we are going to fundamentally change how security is measured and managed across the globe,” he said.

As part of the investment, which will see Safe Security double its engineering team by the end of the year, BT will combine the SAFE platform with its managed security services, and gain exclusive rights to use and sell SAFE to businesses and public sector bodies in the UK. BT will also work collaboratively with Safe Security to develop future products, according to an announcement from the company.

Safe Security’s competitors include UpGuard, Exabeam and VisibleRisk.

#bt, #ceo, #cisco, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #exabeam, #facebook, #funding, #philip-jansen, #security, #softbank, #united-kingdom, #xiaomi

DNSFilter secures $30M Series A to step up fight against DNS-based threats

DNSFilter, an artificial intelligence startup that provides DNS protection to enterprises, has secured $30 million in Series A funding from Insight Partners.

DNSFilter, as its name suggests, offers DNS-based web content filtering and threat protection. Unlike the majority of its competitors, which include the likes of Palo Alto Networks and Webroot, the startup uses proprietary AI technology to continuously scan billions of domains daily, identifying anomalies and potential vectors for malware, ransomware, phishing, and fraud.

“Most of our competitors either rent or lease a database from some third party,” Ken Carnesi, co-founder and CEO of DNSFilter tells TechCrunch. “We do that in-house, and it’s through artificial intelligence that’s scanning these pages in real-time.” 

The company, which counts the likes of Lenovo, Newegg, and Nvidia among its 14,000 customers, claims this industry-first technology catches threats an average of five days before competitors and is capable of identifying 76% of domain-based threats. By the end of 2021, DNSFilter says it will block more than 1.1 million threats daily.

DNSFilter has seen rapid growth over the past 12 months as a result of the mass shift to remote working and the increase in cyber threats and ransomware attacks that followed. The startup saw eightfold growth in customer activity, doubled its global headcount to just over 50 employees, and partnered with Canadian software house N-Able to push into the lucrative channel market.  

“DNSFilter’s rapid growth and efficient customer acquisition are a testament to the benefits and ease of use compared to incumbents,” said Thomas Krane, principal at Insight Partners, who has been appointed as a director on DNSFilter’s board. “The traditional model of top-down, hardware-centric network security is disappearing in favor of solutions that readily plug in at the device level and can cater to highly distributed workforces.”

Prior to this latest funding round, which was also backed by Arthur Ventures (the lead investor in DNSFilter’s seed round), CrowdStrike co-founder and former chief technology officer Dmitri Alperovitch also joined DNSFilter’s board of directors.

Carnesi said the addition of Alperovitch to the board will help the company get its technology into the hands of enterprise customers. “He’s helping us to shape the product to be a good fit for enterprise organizations, which is something that we’re doing as part of this round — shifting focus to be primarily mid-market and enterprise,” he said.

The company also recently added former CrowdStrike vice president Jen Ayers as its chief operating officer. “She used to manage their entire managed threat hunting team, so she’s definitely coming on for the security side of things as we build out our domain intelligence team further,” Carnesi said.

With its newly raised funds, DNSFilter will further expand its headcount, with plans to add more than 80 new employees globally over the next 12 months.

“There’s a lot more that we can do for security via DNS, and we haven’t really started on that yet,” Carnesi said. “We plan to do things that people won’t believe were possible via DNS.”

The company, which acquired Web Shrinker in 2018, also expects there to be more acquisitions on the cards going forward. “There are some potential companies that we’d be looking to acquire to speed up our advancement in certain areas,” Carnesi said.

#arthur-ventures, #artificial-intelligence, #co-founder, #computing, #coo, #crowdstrike, #cto, #cyberwarfare, #director, #dns, #funding, #information-technology, #insight-partners, #lenovo, #newegg, #nvidia, #palo-alto-networks, #ransomware, #security, #startup-company, #techcrunch, #vp, #webroot

US blames China for Exchange server hacks and ransomware attacks

The Biden administration has formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have demanded millions of dollars in ransom from hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign, with prosecutors accusing the hackers of also operating for personal gain.

Although the U.S. has publicly pressed the Kremlin to stop giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. has not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, who U.S. prosecutors said were engaged in efforts to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS from victims based in the U.S., Norway, Switzerland and the United Kingdom, using a front company to hide their operations.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

#attorney-general, #biden, #biden-administration, #china, #computer-security, #computing, #cyberattacks, #cybercrime, #cyberwarfare, #department-of-justice, #doj, #federal-bureau-of-investigation, #government, #hacker, #hacking, #healthcare, #internet-security, #microsoft, #national-security-agency, #norway, #russia, #security, #switzerland, #technology, #united-kingdom, #united-states

To end cyberterrorism, the government should extend a hand to the private sector

It is said that the best way to lose the next war is to keep fighting the last one. The citadels of the medieval ages were an effective defense until gunpowder and cannons changed siege warfare forever. Battlefield superiority based on raw troop numbers ceded to the power of artillery and the machine gun.

During World War I, tanks were the innovation that literally rolled over fortifications built using 19th-century technology. Throughout military history, innovators enjoyed the spoils of war while those who took too long to adapt were left crushed and defeated.

Cyberwarfare is no different, with conventional weapons yielding to technologies that are just as deadly to our economic and national security. Despite our military superiority and advances on the cyber front, America is still fighting a digital enemy using analog ways of thinking.

This must change, and it begins with the government making some difficult choices about how to wield its offensive powers against an enemy hidden in the shadows, how to partner with the private sector and what it will take to protect the nation against hostile actors that threaten our very way of life.

Colonial Pipeline was one step forward, two steps back

In the aftermath of the ransomware attack against Colonial Pipeline, the Russia-linked hacking group known as DarkSide reportedly shuttered and the Federal Bureau of Investigation recovered part of the $4.4 million ransom that was paid. These are positive developments and an indicator that our government is taking these types of attacks seriously. But it does not change the fact that cyberterrorists, acting with impunity in a hostile foreign country using a technique that has been known for years, managed to shut down the country’s largest oil pipeline and walk away with millions of dollars in ransom payments. They will likely never face justice, Russia will not face any real consequences and these attacks will no doubt continue.

The reality is that while companies can get smarter about cyber defenses and users can get more vigilant in their cyber hygiene practices, only the government has the power to bring this behavior to a halt.

Countries that permit cybercriminals to operate within their borders should be made to hand them over or be subject to crippling economic sanctions. Those found providing sanctuary or other assistance to such individuals or groups should face material support charges like anyone who assists a designated terrorist organization.

Regulators should insist that cryptocurrency exchanges and wallets help track down illicit transactions and parties or be cut off from the U.S. financial system. Law enforcement, the military and the intelligence community should be aggressively working to make it so difficult, so unsafe and so unprofitable for cyberterrorists to operate that they would not dare attempt another attack against American industry or critical infrastructure.

Government must facilitate cooperation with private actors

Our biggest vulnerability and missed opportunity is the inability of public and private entities to form a unified front against cyberwar. It is essential from both a defensive and offensive perspective that the government and private sectors share cyber risk and incident information in real time. This is not currently happening.

Companies are too scared that in revealing vulnerabilities they will be sued, investigated and further victimized by the very government that is supposed to help them defend against attack. The federal government still has no answer for the problems of overclassification of information, overlapping bureaucracies and cultural barriers that provide no incentive to proactively engage with private industry to share information and technologies.

The answer is not to strong-arm companies into coming to the table and expect one-way information flow. Private actors should be able to come forward voluntarily and share information without having to fear plaintiff litigation and regulatory action. Self-disclosed cyber data made in real time should be kept confidential and used to defend and fight back, not to further punish the victim. That is no basis for a mutual partnership.

And if federal agencies, the military or the intelligence community have intelligence about future attacks and how to prevent them, they should not sit on it until long after it will do any good. There are ways to share information with private industry that are safe, timely and mutually beneficial.

Cooperation should also go beyond the exchange of cyber event information. The private sector and academia account for a massive amount of advancement in the cyber space, with total research and development spending split roughly 90%-10% between the private and public sector over the past two decades.

Our private sector — with technology companies employing the best and brightest spanning from Silicon Valley to Austin, Texas, to the technology corridor of Northern Virginia — has a tremendous amount to offer to the government yet remains a largely untapped resource. The same innovations driving private-sector profit should be used to strengthen national security.

China has already figured this out, and if we cannot find a way to leverage private-sector innovation and young talent in the United States, we will fall behind. If there has ever been a call to action where the Biden administration, Democrats and Republicans in Congress can set politics aside and embrace bipartisan solutions, this is it.

Look to the military-defense industry model

Thankfully, there is a model public-private dynamic that in many ways is working. Weapons systems today are almost exclusively manufactured by the Defense Industrial Base, and when deployed to the battlefield there is constant two-way communication with warfighters about vulnerabilities, threats and opportunities to improve effectiveness. This relationship was not forged overnight and is far from perfect. But after decades of efforts, secure collaboration platforms were developed, security clearance standards were established and trust was formed.

We must do the same between cyber authorities in the federal government and actors throughout the private sector. Financial institutions, energy companies, retailers, manufacturers and pharmaceuticals must be able to engage the government to share real-time cyber data in both directions. If the federal government learns of a threat group or technique, it should not only take the offensive to shut it down but also push that information securely and quickly to the private sector.

It is not practical for the FBI, the Department of Homeland Security or the military to assume the burden of defending private networks against cyberattacks, but the government can and should be a shoulder-to-shoulder partner in the effort. We must adopt a relationship that recognizes this is both a joint battle and burden, and we do not have years to get it right.

Call to action

When you look at the history of war, the advantage has always gone to those who innovate first. With respect to cyberwarfare, the solution does not lie solely in advanced technologies like artificial intelligence, quantum computing or blockchain. The most powerful development in today’s war against cyberterrorism might be as simple as what we all learned in preschool: the value of sharing and cooperation.

The government, the technology industry and the broader private sector must come together not only to maintain our competitive edge and embrace advances like cloud computing, autonomous vehicles and 5G, but to ensure that we defend and preserve our way of life. We have been successful in building public and private partnerships in the past and can evolve from an analog relationship to a digital one. But the government must take the reins and lead the way.

#biden-administration, #colonial-pipeline, #column, #cyberattack, #cyberterrorism, #cyberwarfare, #department-of-homeland-security, #federal-bureau-of-investigation, #national-security, #opinion, #russia, #security, #tc

Zero trust unicorn Illumio closes $225M Series F led by Thoma Bravo

Illumio, a self-styled zero trust unicorn, has closed a $225 million Series F funding round at a $2.75 billion valuation. 

The round was led by Thoma Bravo, which recently bought cybersecurity vendor Proofpoint for $12.3 billion, and supported by Franklin Templeton, Hamilton Lane, and Blue Owl Capital.

The round lands more than two years after Illumio’s Series E funding round in which it raised $65 million, and fueled speculation of an impending IPO. The company’s founder, Andrew Rubin, still isn’t ready to be pressed on whether the company plans to go public, though he told TechCrunch: “If we do our job right, and if we make our customers successful, I’d like to think that would be part of our journey.”

Illumio’s latest funding round is well-timed. Not only does it come amid a huge rise in successful cyberattacks which show that some of the more traditional cybersecurity measures are no longer working, from the SolarWinds hack in early 2020 to the more recent attack on Colonial Pipeline, but it also comes just weeks after President Joe Biden issued an executive order pushing federal agencies to implement significant cybersecurity initiatives, including a zero trust architecture. 

“And just a couple of weeks ago, Anne Neuberger [deputy national security adviser for cybersecurity] put out a memo on White House stationery to all of corporate America saying we’re living through a ransomware pandemic, and here’s six things that we’re imploring you to do,” Rubin says. “One of them was to segment your network.”

Illumio focuses on protecting data centers and cloud networks through something it calls micro-segmentation, which it claims makes it easier to manage and guard against potential breaches, as well as to contain a breach if one occurs. This zero trust approach to security — a concept centered on the belief that businesses should not automatically trust anything inside or outside their perimeters — has never been more important for organizations, according to Illumio.

“Cyber events are no longer constrained to cyber space,” says Rubin. “That’s why people are finally saying that, after 30 years of relying solely on detection to keep us safe, we cannot rely on it 100% of the time. Zero trust is now becoming the mantra.”

Illumio tells TechCrunch it will use the newly raised funds to make a “huge” investment in its field operations and channel partner network, and to invest in innovation, engineering and its product. 

The late-stage startup, which was founded in 2013 and is based in California, says more than 10% of Fortune 100 companies — including Morgan Stanley, BNP Paribas SA and Salesforce — now use its technology to protect their data centers, networks and other applications. It saw 100% international growth during the pandemic, and says it’s also broadening its customer base across more industries. 

The company has now raised more than $550 million from investors including Andreessen Horowitz, General Catalyst and Formation 8.

#america, #andreessen-horowitz, #anne-neuberger, #california, #colonial-pipeline, #computer-security, #computing, #cyberwarfare, #executive, #formation-8, #franklin-templeton, #funding, #general-catalyst, #information-technology, #joe-biden, #morgan-stanley, #network-management, #president, #proofpoint, #salesforce, #security, #solarwinds, #system-administration, #thoma-bravo, #unicorn, #white-house

Mitiga raises $25M Series A to help organizations respond to cyberattacks

Israeli cloud security startup Mitiga has raised $25 million in a Series A round of funding as it moves to “completely change” the traditional incident response market.

Mitiga, unlike other companies in the cybersecurity space, isn’t looking to prevent cyberattacks, which the startup claims are inevitable no matter how much protection is in place. Rather, it’s looking to help organizations manage their incident response, particularly as they transition to hybrid and multi-cloud environments. 

The early-stage startup, which raised $7 million in seed funding in July last year, says its incident readiness and response tech stack accelerates post-incident bounce back from days down to hours. Its subscription-based offering automatically detects when a network is breached and quickly investigates, collects case data, and translates it into remediation steps for all relevant divisions within an organization so they can quickly and efficiently respond. Mitiga also documents each event, allowing organizations to fix the cause in order to prevent future attacks.

Mitiga’s Series A was led by ClearSky Security, Atlantic Bridge, and DNX, and the startup tells TechCrunch that it will use the funds to “continue to disrupt how incident readiness and response is delivered,” as well as “significantly” increasing its cybersecurity, engineering, sales, and marketing staff.

The company added that the funding comes amid a “changing mindset” for enterprise organizations when it comes to incident readiness and response. The pandemic has accelerated cloud adoption, and it’s predicted that spending on cloud services will surpass $332 billion this year alone. This acceleration, naturally, has provided a lucrative target for hackers, with cyberattacks on cloud services increasing 630% in the first four months of 2020, according to McAfee. 

“The cloud represents new challenges for incident readiness and response and we’re bringing the industry’s first incident response solution in the cloud, for the cloud,” said Tal Mozes, co-founder and CEO of Mitiga. 

“This funding will allow us to further our engagements with heads of enterprise security who are looking to recover from an incident in real-time, attract even more of the most innovative cybersecurity minds in the industry, and expand our partner network. I couldn’t be more excited about what Mitiga is going to do for cloud-first organizations who understand the importance of cybersecurity readiness and response.”

Mitiga was founded in 2019 by Mozes, Ariel Parnes and Ofer Maor, and the team of 42 currently works in Tel Aviv with offices in London and New York. It has customers in multiple sectors, including financial service institutions, banks, e-commerce, law enforcement and government agencies, and Mitiga also provides emergency response to active network security incidents such as ransomware and data breaches for non-subscription customers.

#artificial-intelligence, #atlantic-bridge, #claroty, #cloud-services, #computer-security, #cyberattack, #cybercrime, #cyberwarfare, #data-security, #e-commerce, #funding, #law-enforcement, #london, #malware, #new-york, #security, #series-a, #techcrunch, #tel-aviv

Addressing the cybersecurity skills gap through neurodiversity

Addressing the skills gap and strengthening your own security team means bringing in different minds and perspectives — and that starts with embracing neurodiversity. To even have a chance at closing the cybersecurity skills gap, we need people with a variety of different abilities and thought processes. But did you know that there’s an untapped potential in individuals who are neurodivergent?

Neurodiversity can mean different things to different people. It’s a concept that views the spectrum of neurological differences — like ADHD, autism, dyslexia, Tourette’s and other cognitive and developmental disorders — as natural variations of the human brain. In a nutshell, neurodiversity recognizes that brain differences are just that: differences.

I was always aware of the fact that I had a different operating system. It was like growing up on a Mac OS, but made specifically for Windows OS. It wasn’t until I was diagnosed as autistic that I understood why I am the way that I am. My diagnosis gave me a purpose. It’s a purpose I’ve taken with me into the working world, and it’s helped me realize how vital neurodiverse individuals can and will be to the cybersecurity industry.


There are many inherent traits in people with autism that are well suited for working in cybersecurity. For example, many people with autism are pattern thinkers and are highly detail-oriented. This allows someone in a threat-hunting position to find those subtle differences between malicious and nonmalicious code and catch the threats that automated tools might miss. We also have the ability to hyperfocus, which allows us to concentrate on problem-solving and stick with complex issues that other people may abandon.

Of course, we all have a different set of skills, interests, strengths and weaknesses. But there are some characteristics that — when given the right support and environment — can translate to cybersecurity positively.

This is especially true when autistic adults are interested in technology and cybersecurity. Their interest can complement their attention to detail, which can make for a successful blue team cyber professional. The number and types of cyber threats are constantly changing. Some are obvious to hunt down, and some are much more subtle. Some malware even has the ability to “live off the land” by using already created applications or executables that live natively on a computer. Knowing this information, and knowing what to look for and where to hone in, allows a neurodivergent person to consistently inspect, investigate and hunt down even the most persistent threats.

Embrace the benefits

Instead of focusing on what makes a neurodivergent person “different,” we should embrace the benefits that different minds and viewpoints bring to the field of cybersecurity. Let’s face it: The world is going to need more cybersecurity professionals. Ensuring diversity in these teams includes embracing neurodiversity. Having a blend of unique talents provided by these detail-oriented, rule-bound, logical and independent-thinking individuals is — and will be — a competitive edge in cybersecurity.

Having a career in cybersecurity typically requires logic, discipline, curiosity and the ability to solve problems and find patterns. This is an industry that offers a wide spectrum of positions and career paths for people who are neurodivergent, particularly for roles in threat analysis, threat intelligence and threat hunting.

Neurodiverse minds are usually great at finding the needle in the haystack, the small red flags and minute details that are critical for hunting down and analyzing potential threats. Other strengths include pattern recognition, thinking outside the box, attention to detail, a keen sense of focus, methodical thinking and integrity.

The more diverse your teams are, the more productive, creative and successful they will be. And not only can neurodiverse talent help strengthen cybersecurity, employing different minds and perspectives can also solve communication problems and create a positive impact for both your team and your company.

According to the Bureau of Labor Statistics, the demand for Information Security Analysts — one of the common career paths for cybersecurity professionals — is expected to grow 31% by 2029, much higher than the average growth rate of 4% for other occupations. While vital jobs in cybersecurity are going unfilled, millions of smart people who’d be ideally suited for the work remain unemployed.

Taking the first step

It’s time to challenge the assumption that qualified talent equals neurotypicality. There are many steps companies can take to ensure inclusivity and promote belonging in the workplace. Let’s start all the way at the beginning and focus on job postings.

Job postings should be black and white in terms of the information they are asking for and the job requirements. Start by making job postings more inclusive and less constrictive in what is being required. Include a contact email address where an applicant can ask for accommodations, and provide a less traditional approach by providing these accommodations.

Traditional interviews can be a challenge for neurodivergent individuals, and this is often the first hurdle to employment. For example, to ease some candidates’ nerves, you could provide a list of questions that will be asked as a guideline. More importantly, don’t judge someone based on their lack of eye contact.

To promote an inclusive culture of neurodiversity and belonging, the workplace should be more supportive of different needs. It is vital to ensure employees at all levels have the knowledge and understanding of how to empower a diverse team and create an open and inclusive workplace. This starts with diversity, equity, inclusion and belonging training for all employees. Companies should also consider changing their communication style. Neurodiverse individuals communicate differently, and not altering the way you communicate could lead to a disconnect in the workplace.

My advice to other neurodivergent and/or autistic adults looking to break into the cybersecurity field is to continue your learning, connect with cybersecurity professionals for networking purposes and never give up. The more we push for awareness and inclusion in all aspects of all companies — small and large — the more opportunities there will be for success.

#adhd, #autism, #column, #computer-security, #cybercrime, #cybersecurity, #cyberwarfare, #diversity, #diversity-and-inclusion, #diversity-in-technology, #dyslexia, #neurodiversity, #opinion, #security, #tc, #tourettes

Your boss might tell you the office is more secure, but it isn’t

For the past 18 months, employees have enjoyed increased flexibility, and ultimately a better work-life balance, as a result of the mass shift to remote working necessitated by the pandemic. Most don’t want this arrangement, which brought an end to extensive commutes and superfluous meetings, to end: Buffer’s 2021 State of Remote Work report shows over 97% of employees would like to continue working remotely at least some of the time.

Companies, including some of the biggest names in tech, appear to have a different outlook and are beginning to demand that staff start to return to the workplace.

While most of the reasoning around this shift back to the office centers on the need for collaboration and socialization, another reason your employer might give is that the office is more secure. After all, we’ve seen an unprecedented rise in cybersecurity threats during the pandemic, from phishing attacks using Covid as bait to ransomware attacks that have crippled entire organizations.

Tessian research shared with TechCrunch shows that while none of the attacks have been linked to staff working remotely, 56% of IT leaders believe their employees have picked up bad cybersecurity behaviors since working from home. Similarly, 70% of IT leaders believe staff will be more likely to follow company security policies around data protection and data privacy while working in the office.

“Despite the fact that this was an emerging issue prior to the pandemic I do believe many organizations will use security as an excuse to get people back into the office, and in doing so actually ignore the cyber risks they are already exposed to,” Matthew Gribben, a cybersecurity expert, and former GCHQ consultant, told TechCrunch.

“As we’ve just seen with the Colonial Pipeline attack, all it takes is one user account without MFA enabled to bring down your business, regardless of where the user is sat.”

Will Emmerson, CIO at Claromentis, has already witnessed some companies using cybersecurity as a ploy to accelerate the shift to in-person working. “Some organizations are already using cybersecurity as an excuse to get team members to get back into the office,” he says. “Often it’s large firms with legacy infrastructure that relies on a secure perimeter and that haven’t adopted a cloud-first approach.”


The bigger companies can try to argue for a return to the traditional 9-to-5, but we’ve already seen a bunch of smaller startups embrace remote working as a permanent arrangement. Rather, it will be larger and more risk-averse companies, Craig Hattersley, CTO of cybersecurity startup SOC.OC, a BAE Systems spin-off, tells TechCrunch, who “begrudgingly let their staff work at home throughout the pandemic, so will seize any opportunity to reverse their new policies.”

“Although I agree that some companies will use the increase of cybersecurity threats to demand their employees go back to the office, I think the size and type of organization will determine their approach,” he says. “A lack of direct visibility of individuals by senior management could lead to a fear that staff are not fully managed.”

While some organizations will use cybersecurity as an excuse to get employees back into the workplace, many believe the traditional office is no longer the most secure option. After all, not only have businesses overhauled cybersecurity measures to cater to dispersed workforces over the past year, but we’ve already seen hackers start to refocus their attention on those returning to the post-COVID office.

“There is no guarantee that where a person is physically located will change the trajectory of increasingly complex cybersecurity attacks, or that employees will show a reduction in mistakes because they are sitting within the walls of an office building,” says Dr. Margaret Cunningham, principal research scientist at Forcepoint.

Some businesses will attempt to get all staff back into the workplace, but this is simply no longer viable: as a result of 18 months of home-working, many employees have moved away from their employer, while others, having found themselves more productive and less distracted, will push back against five days of commutes every week. In fact, a recent study shows that almost 40% of U.S. workers would consider quitting if their bosses made them return to the office full time.

That means most employers will have to, whether they like it or not, embrace a hybrid approach going forward, whereby employees work from the office three days a week and spend two days at home, or vice versa.

This, in itself, makes the cybersecurity argument far less viable. Sam Curry, chief security officer at Cybereason, tells TechCrunch: “The new hybrid phase getting underway is unlike the other risks companies encountered.

“We went from working in the office to working from home and now it will be work-from-anywhere. Assume that all networks are compromised and take a least-trust perspective, constantly reducing inherent trust and incrementally improving. To paraphrase Voltaire, perfection is the enemy of good.”

#articles, #bae-systems, #cio, #computer-security, #cto, #cyberattack, #cybercrime, #cybereason, #cybersecurity-startup, #cyberwarfare, #data-security, #gchq, #malware, #security, #soc, #telecommuting, #united-states

CISA launches platform to let hackers report security bugs to US federal agencies

The Cybersecurity and Infrastructure Security Agency has launched a vulnerability disclosure program allowing ethical hackers to report security flaws to federal agencies.

The platform, launched with the help of cybersecurity companies Bugcrowd and Endyna, will allow civilian federal agencies to receive, triage and fix security vulnerabilities from the wider security community.

The move to launch the platform comes less than a year after the federal cybersecurity agency, better known as CISA, directed the civilian federal agencies that it oversees to develop and publish their own vulnerability disclosure policies. These policies are designed to set the rules of engagement for security researchers by outlining what (and how) online systems can be tested, and which can’t be.

It’s not uncommon for private companies to run VDP programs to allow hackers to report bugs, often in conjunction with a bug bounty to pay hackers for their work. While the U.S. Department of Defense has for years warmed to hackers, the civilian federal government has been slow to follow.

Bugcrowd, which last year raised $30 million at Series D, said the platform will “give agencies access to the same commercial technologies, world-class expertise, and global community of helpful ethical hackers currently used to identify security gaps for enterprise businesses.”

The platform will also help CISA share information about security flaws between other agencies.

The platform launches after a bruising few months for government cybersecurity, including a Russian-led espionage campaign against at least nine U.S. federal government agencies by hacking software house SolarWinds, and a China-linked cyberattack that backdoored thousands of Microsoft Exchange servers, including in the federal government.

#bugcrowd, #cisa, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #federal-government, #government, #information-technology, #internet-security, #security, #solarwinds, #united-states

The rise of cybersecurity debt

Ransomware attacks on the JBS beef plant, and the Colonial Pipeline before it, have sparked a now familiar set of reactions. There are promises of retaliation against the groups responsible, the prospect of company executives being brought in front of Congress in the coming months, and even a proposed executive order on cybersecurity that could take months to fully implement.

But once again, amid this flurry of activity, we must ask and answer a fundamental question about the state of our cybersecurity defense: Why does this keep happening?

I have a theory on why. In software development, there is a concept called “technical debt.” It describes the costs companies pay when they choose to build software the easy (or fast) way instead of the right way, cobbling together temporary solutions to satisfy a short-term need. Over time, as teams struggle to maintain a patchwork of poorly architected applications, tech debt accrues in the form of lost productivity or poor customer experience.


Our nation’s cybersecurity defenses are laboring under the burden of a similar debt. Only the scale is far greater, the stakes are higher and the interest is compounding. The true cost of this “cybersecurity debt” is difficult to quantify. Though we still do not know the exact cause of either attack, we do know beef prices will be significantly impacted and gas prices jumped 8 cents on news of the Colonial Pipeline attack, costing consumers and businesses billions. The damage done to public trust is incalculable.

How did we get here? The public and private sectors are spending more than $4 trillion a year in the digital arms race that is our modern economy. The goal of these investments is speed and innovation. But in pursuit of these ambitions, organizations of all sizes have assembled complex, uncoordinated systems — running thousands of applications across multiple private and public clouds, drawing on data from hundreds of locations and devices.

Complexity is the enemy of security. Some companies are forced to put together as many as 50 different security solutions from up to 10 different vendors to protect their sprawling technology estates — acting as a systems integrator of sorts. Every node in these fantastically complicated networks is like a door or window that might be inadvertently left open. Each represents a potential point of failure and an exponential increase in cybersecurity debt.

We have an unprecedented opportunity and responsibility to update the architectural foundations of our digital infrastructure and pay off our cybersecurity debt. To accomplish this, two critical steps must be taken.

First, we must embrace open standards across all critical digital infrastructure, especially the infrastructure used by private contractors to service the government. Until recently, it was thought that the only way to standardize security protocols across a complex digital estate was to rebuild it from the ground up in the cloud. But this is akin to replacing the foundations of a home while still living in it. You simply cannot lift-and-shift massive, mission-critical workloads from private data centers to the cloud.

There is another way: Open, hybrid cloud architectures can connect and standardize security across any kind of infrastructure, from private data centers to public clouds, to the edges of the network. This unifies the security workflow and increases the visibility of threats across the entire network (including the third- and fourth-party networks where data flows) and orchestrates the response. It essentially eliminates weak links without having to move data or applications — a design point that should be embraced across the public and private sectors.

The second step is to close the remaining loopholes in the data security supply chain. President Biden’s executive order requires federal agencies to encrypt data that is being stored or transmitted. We have an opportunity to take that a step further and also address data that is in use. As more organizations outsource the storage and processing of their data to cloud providers, expecting real-time data analytics in return, this represents an area of vulnerability.

Many believe this vulnerability is simply the price we pay for outsourcing digital infrastructure to another company. But this is not true. Cloud providers can, and do, protect their customers’ data with the same ferocity as they protect their own. They do not need access to the data they store on their servers. Ever.

Ensuring this requires confidential computing, which encrypts data at rest, in transit and in process. Confidential computing makes it technically impossible for anyone without the encryption key to access the data, not even your cloud provider. At IBM, for example, our customers run workloads in the IBM Cloud with full privacy and control. They are the only ones that hold the key. We could not access their data even if compelled by a court order or ransom request. It is simply not an option.

Paying down the principal on any kind of debt can be daunting, as anyone with a mortgage or student loan can attest. But this is not a low-interest loan. As the JBS and Colonial Pipeline attacks clearly demonstrate, the cost of not addressing our cybersecurity debt spans far beyond monetary damages. Our food and fuel supplies are at risk, and entire economies can be disrupted.

I believe that with the right measures — strong public and private collaboration — we have an opportunity to construct a future that brings forward the combined power of security and technological advancement built on trust.

#cloud-computing, #cloud-infrastructure, #cloud-management, #colonial-pipeline, #column, #cybersecurity, #cyberwarfare, #data-security, #developer, #encryption, #opinion, #security, #software-development, #tc

Fujifilm becomes the latest victim of a network-crippling ransomware attack

Japanese multinational conglomerate Fujifilm has been forced to shut down parts of its global network after falling victim to a suspected ransomware attack.

The company, which is best known for its digital imaging products but also produces high tech medical kit including devices for rapid processing of COVID-19 tests, confirmed that its Tokyo headquarters was hit by a cyberattack on Tuesday evening.

“Fujifilm Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the company said in a statement posted to its website.

“We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.

“We are currently working to determine the extent and the scale of the issue. We sincerely apologize to our customers and business partners for the inconvenience this has caused.”

As a result of the partial network shutdown, Fujifilm USA added a notice to its website stating that it is currently experiencing problems affecting all forms of communications, including emails and incoming calls. In an earlier statement, Fujifilm confirmed that the cyberattack is also preventing the company from accepting and processing orders. 

Fujifilm has yet to respond to our request for comment.

While Fujifilm is keeping tight-lipped on further details, such as the identity of the ransomware used in the attack, Bleeping Computer reports that the company’s servers have been infected by Qbot. Advanced Intel CEO Vitali Kremez told the publication that the company’s systems were hit by the 13-year-old Trojan, typically initiated by phishing, last month.

The creators of Qbot, also known as QakBot or QuakBot, have a long history of partnering with ransomware operators. It previously worked with the ProLock and Egregor ransomware gangs, but is currently said to be linked with the notorious REvil group.

“Initial forensic analysis suggests that the ransomware attack on Fujifilm started with a Qbot trojan infection last month, which gave hackers a foothold in the company’s systems with which to deliver the secondary ransomware payload,” Ray Walsh, digital privacy expert at ProPrivacy, told TechCrunch. “Most recently, the Qbot trojan has been actively exploited by the REvil hacking collective, and it seems highly plausible that the Russian-based hackers are behind this cyberattack.”

REvil, also known as Sodinokibi, not only encrypts a victim’s files but also exfiltrates data from their network. The hackers typically threaten to publish the victim’s files if their ransom isn’t paid. But a site on the dark web used by REvil to publicize stolen data appeared offline at the time of writing.

Ransomware attacks have been on the rise since the start of the COVID-19 pandemic, so much so that they have become the biggest single money earner for cybercriminals. Threat hunting and cyber intelligence firm Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, and that the average ransom demand increased more than twofold to $170,000.

At the time of writing, it’s unclear whether Fujifilm has paid any ransom to the hackers responsible for the attack on its systems.

#articles, #ceo, #computer-security, #crime, #crimes, #cyberattacks, #cybercrime, #cyberwarfare, #dark-web, #digital-imaging, #fujifilm, #hardware, #intel, #ransomware, #security

FireEye to sell products unit to Symphony-led group for $1.2B

Cybersecurity giant FireEye has agreed to sell its products business to a consortium led by private equity firm Symphony Technology Group for $1.2 billion.

The all-cash deal will split FireEye, the maker of network and email cybersecurity products, from its digital forensics and incident response arm Mandiant.

FireEye’s chief executive Kevin Mandia said the deal unlocks its “high-growth” Mandiant business, allowing it to stand alone as a separate business running incident response and security testing.

The move to split the two companies comes almost a decade after FireEye acquired Mandiant, and made Mandia chief executive.

Mandia said: “STG’s focus on fueling innovative market leaders in software and cybersecurity makes them an ideal partner for FireEye Products. We look forward to our relationship and collaboration on threat intelligence and expertise.”

STG managing partner William Chisholm said there is an “enormous untapped opportunity for the business that we are excited to crystallize by leveraging our significant security software sector experience and our market leading carve-out expertise.”

The company said the deal is expected to close by the end of the fourth quarter.

FireEye has become one of the more prominent names in cybersecurity, known for its research into hacking groups — some linked to governments — and its Mandiant unit for responding to major security incidents. Mandiant was called in to help Colonial Pipeline recover from a recent ransomware attack.

In December, FireEye admitted that its own networks had been hacked, a move praised across the cybersecurity industry for helping to speed up efforts that led to the discovery of the SolarWinds espionage attack, later attributed to Russian foreign intelligence.

FireEye becomes the latest cybersecurity giant to join STG’s portfolio. In March, Symphony bought McAfee’s enterprise business for $4 billion and bought RSA for $2 billion.

#colonial-pipeline, #computer-security, #computing, #cybercrime, #cyberwarfare, #fireeye, #information-technology, #kevin-mandia, #mandiant, #mcafee, #partner, #rsa, #rsa-security, #security, #solarwinds, #symphony-technology-group

Echelon exposed riders’ account data, thanks to a leaky API

Image Credits: Echelon (stock image)

Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers, and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.

But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday, and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.

Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it.

Echelon’s API allows its members’ devices and apps to talk with Echelon’s servers over the internet. The API was supposed to check if the member’s device was authorized to pull user data by checking for an authorization token. But Masters said the token wasn’t needed to request data.

Masters also found another bug that allowed members to pull data on any other member because of weak access controls on the API. Masters said this bug made it easy to enumerate user account IDs and scrape account data from Echelon’s servers. Facebook, LinkedIn, Peloton and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms.
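The two API failures described above, modelled as an added illustration (not Echelon's code) on a tiny in-memory account service: a handler that never checks the token, beside a hardened handler that enforces authentication and object-level authorization, plus a simple detector for the id-enumeration pattern. All member records, tokens and thresholds are constructed for the example.

```python
"""Added example, not Echelon's implementation: the missing-token and
weak-access-control bugs side by side with a hardened handler, and a
detector for one caller walking through many account ids."""
import hmac
from collections import defaultdict

# Constructed sample data: member records and the bearer tokens issued to them.
MEMBERS = {
    1001: {"name": "Alice Example", "city": "Austin", "age": 34, "weight_kg": 61},
    1002: {"name": "Bob Example", "city": "Boston", "age": 41, "weight_kg": 82},
}
TOKENS = {"tok-alice": 1001, "tok-bob": 1002}  # token -> member_id (constructed)

# Fields another class participant may legitimately see; everything else is private.
PUBLIC_FIELDS = {"name"}


def vulnerable_get_member(member_id, token=None):
    """The flaw as described: the token is never inspected, so any caller can
    read any member's full record just by supplying an id."""
    record = MEMBERS.get(member_id)
    if record is None:
        return 404, None
    return 200, dict(record)


def _authenticate(token):
    """Resolve a bearer token to a member id, comparing in constant time so
    the check itself leaks nothing; returns None for a missing/unknown token."""
    if token is None:
        return None
    for issued, member_id in TOKENS.items():
        if hmac.compare_digest(issued.encode(), token.encode()):
            return member_id
    return None


def hardened_get_member(member_id, token=None):
    """Require a valid token AND check the caller may read this object:
    the full record only for the caller's own id, PUBLIC_FIELDS for anyone
    else, so a valid token cannot be used to scrape other members."""
    caller = _authenticate(token)
    if caller is None:
        return 401, None
    record = MEMBERS.get(member_id)
    if record is None:
        return 404, None
    if caller == member_id:
        return 200, dict(record)
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


class EnumerationMonitor:
    """Detection side: count the distinct member ids each token asks for.
    A single caller requesting many different ids is the scraping pattern
    the article describes, and should be rate-limited and investigated."""

    def __init__(self, threshold=20):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, token, member_id):
        """Record one request; return True once the caller exceeds the threshold."""
        self.seen[token].add(member_id)
        return len(self.seen[token]) > self.threshold
```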

Ken Munro, founder of Pen Test Partners, disclosed the vulnerabilities to Echelon on January 20 in a Twitter direct message, since the company doesn’t have a public-facing vulnerability disclosure process (which it says is now “under review”). But the researchers did not hear back during the 90 days after the report was submitted, the standard amount of time security researchers give companies to fix flaws before their details are made public.

TechCrunch asked Echelon for comment, and was told that the security flaws identified by Masters — which he wrote up in a blog post — were fixed in January.

“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information],” said Chris Martin, Echelon’s chief information security officer, in an email.

Echelon did not name the outside security company, and while the company said it keeps detailed logs, it did not say if it had found any evidence of malicious exploitation.

But Munro disputed the company’s claim of when it fixed the vulnerabilities, and provided TechCrunch with evidence that one of the vulnerabilities was not fixed until at least mid-April, and another vulnerability could still be exploited as recently as this week.

When asked for clarity, Echelon did not address the discrepancies. “[The security flaws] have been remediated,” Martin reiterated.

Echelon also confirmed it fixed a bug that allowed users under the age of 13 to sign up. Many companies block access to children under the age of 13 to avoid complying with the Children’s Online Privacy Protection Act, or COPPA, a U.S. law that puts strict rules on what data companies can collect on children. TechCrunch was able to create an Echelon account this week with an age less than 13, despite the page saying: “Minimum age of use is 13 years old.”

#api, #chief-information-security-officer, #computer-security, #computing, #cyberwarfare, #echelon, #facebook, #founder, #health, #peloton, #pen-test-partners, #security, #software, #software-testing, #technology, #united-states, #vulnerability

Cybersecurity startup Panaseer raises $26.5M Series B led by AllegisCyber Capital

Panaseer, which takes a data science approach to cybersecurity, has raised $26.5 million in a Series B funding round led by AllegisCyber Capital. Existing investors, including Evolution Equity Partners, Notion Capital, AlbionVC, Cisco Investments and Paladin Capital Group, as well as new investor National Grid Partners, also participated. Panaseer has now raised $43 million to date.

Panaseer’s special sauce and sales pitch amount to what it calls ‘Continuous Controls Monitoring’ (CCM). In plainer English that means correlating a great deal of data from all available security tools to check assets, control gaps, you name it.

As a result, the company says it can identify zero-day and other exposures faster, or exposure to, say, FireEye or SolarWinds vulnerabilities.

Jonathan Gill, CEO, Panaseer said: “Most enterprises have the tools and capability to theoretically prevent a breach from occurring. However, one of the key reasons that breaches occur is that there is no technology to monitor and react to failed controls. CCM continuously validates and measures levels of protection and provides notifications of failures. Ultimately, CCM enables these failures to be fixed before they become security incidents.”

Speaking to me on a call he added: “The investment allows us to scale our organization to meet those demands of customers with a team of people to implement the platform and help them get tremendous value and to evolve the product. To add more and more capability to that technology to support more and more use cases. So they’re the two main directions, and there’s a market we think of tens of thousands of organizations of a certain size, who are regulated or they have assets worth protecting and a level of complexity that makes it difficult to solve the problem themselves. And our Advisory Board and the customers I’ve spoken with think maybe there are barely 20 companies in the world who can solve this problem. And everybody else gets stuck on the fact that it’s a really difficult data science problem to solve. So we want to scale that and take that to more organizations.”

And why did they pick these investors? “I think we picked them and they picked us, we’ve been on that journey together. It takes months to find the best combination. The dollars are all the same when it comes to investors, but I think they can help us improve as an organization and grow just like the existing investors do. They give us access and reach into parts of the market and help make us better as organizations as well.”

Bob Ackerman, founder and managing director of AllegisCyber Capital, and co-founder of DataTribe, said: “The emergence of Continuous Controls Monitoring as a new cybersecurity category demonstrates a ‘coming of age’ for cybersecurity. Cyber is the existential threat to the global digital economy. All levels of the enterprise, from the CISO to the Chief Risk Officer to the Board of Directors, are demanding comprehensive visibility, transparency and hard metrics to assess cyber situational awareness.”


Window Snyder’s new startup Thistle Technologies raises $2.5M seed to secure IoT devices

The Internet of Things has a security problem. The past decade has seen wave after wave of new internet-connected devices, from sensors through to webcams and smart home tech, often manufactured in bulk but with little — if any — consideration to security. Worse, many device manufacturers make no effort to fix security flaws, while others simply leave out the software update mechanisms needed to deliver patches altogether.

That leaves an entire swath of insecure and unpatchable devices destined to fail, and to be thrown out when they break down or are inevitably hacked.

Security veteran Window Snyder thinks there is a better way. Her new startup, Thistle Technologies, is backed with $2.5 million in seed funding from True Ventures with the goal of helping IoT manufacturers reliably and securely deliver software updates to their devices.

Snyder founded Thistle last year, and named it after the flowering plant whose sharp prickles deter animals from eating it. “It’s a defense mechanism,” Snyder told TechCrunch, a name that’s fitting for a defensive technology company. The startup aims to help device manufacturers that lack the personnel or resources to integrate update mechanisms into their devices’ software, so those devices can receive security updates and better defend against security threats.

“We’re building the means so that they don’t have to do it themselves. They want to spend the time building customer-facing features anyway,” said Snyder. Prior to founding Thistle, Snyder worked in senior cybersecurity positions at Apple, Intel, and Microsoft, and also served as chief security officer at Mozilla, Square, and Fastly.

Thistle lands on the security scene at a time when IoT needs it most. Botnet operators are known to scan the internet for devices with weak default passwords and hijack their internet connections to pummel victims with floods of internet traffic, knocking entire websites and networks offline. In 2016, a record-breaking distributed denial-of-service attack launched by the Mirai botnet on internet infrastructure giant Dyn knocked some of the biggest websites — Shopify, SoundCloud, Spotify, Twitter — offline for hours. Mirai had ensnared thousands of IoT devices into its network at the time of the attack.

Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.

Since device manufacturers have done little to solve their security problems among themselves, lawmakers are looking at legislating to curb some of the more egregious security mistakes made by manufacturers, like using default — and often unchangeable — passwords and selling devices with no way to deliver security updates.

California paved the way after passing an IoT security law in 2018, with the U.K. following shortly after in 2019. The U.S. has no federal law governing basic IoT security standards.

Snyder said the push to introduce IoT cybersecurity laws could be “an easy way for folks to get into compliance” without having to hire fleets of security engineers. Having an update mechanism in place also helps to keep IoT devices around for longer — potentially for years longer — simply by being able to push fixes and new features.

“To build the infrastructure that’s going to allow you to continue to make those devices resilient and deliver new functionality through software, that’s an incredible opportunity for these device manufacturers. And so I’m building a security infrastructure company to support those security needs,” she said.

With the seed round in the bank, Snyder said the company is focused on hiring device and back-end engineers, product managers, and building new partnerships with device manufacturers.

Phil Black, co-founder of True Ventures — Thistle’s seed round investor — described the company as “an astute and natural next step in security technologies.” He added: “Window has so many of the qualities we look for in founders. She has deep domain expertise, is highly respected within the security community, and she’s driven by a deep passion to evolve her industry.”
