Silence gets you nowhere in a data breach

In cybersecurity, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organizations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches.

LastPass has refused to answer any of TechCrunch+’s questions since it confirmed in December that hackers had exfiltrated customers’ encrypted password vaults a month earlier. Fortra is not only declining to answer our questions but also concealed details of a recent security breach — potentially affecting upwards of 130 of its corporate customers — behind a paywall on its website.

TechCrunch+ has learned that LastPass has already lost customers because of its silent-treatment approach to its breach. And Fortra is likely to face a similar fate after TechCrunch+ heard from multiple customers that they only learned that their data had been stolen after receiving a ransom demand; Fortra had assured them that the data was safe.

Smaller companies, too, are employing a silent-treatment approach to data breaches: Kids’ tech coding camp iD Tech failed to acknowledge a January breach that saw hackers access the personal data of close to 1 million users, including names, dates of birth, passwords stored in plaintext, and about 415,000 unique email addresses. Concerned parents told us at the time that they only became aware of the breach after receiving a notification from a third-party data breach notification service.

Cyberattacks are now a fact of doing business: Almost half of U.S. organizations suffered a cyberattack in 2022, and attackers are increasingly targeting smaller businesses because they are seen as easier targets than large companies. This means that your startup is likely to get compromised at some point.

Transparency is key

While getting hacked can be forgivable, an organization’s victim status will not last long if it fails to respond appropriately or at all — as demonstrated by LastPass and Fortra.

Silence gets you nowhere in a data breach by Carly Page originally published on TechCrunch

Time to trust: Questions cybersecurity customers ask and how to answer them

Trust is fundamentally about a sense of safety, familiarity and assurance that “everything will be fine.” Faith is built as we address our doubts and the questions that make us wonder if we can rely on someone or something to be there when we need them.

The process of vendor selection in cybersecurity is not very different. What’s different are the questions people ask and the clues they are hoping to find.

What problem is this company trying to solve?

The No. 1 question people ask as they learn about a new tool is: “What problem is this company trying to solve?”

It is on this first step that many startups fail. Intentionally or not, cybersecurity marketing rarely makes it easy to understand what the product does, and equally importantly, what it doesn’t do.

In the rare cases when a company is clear and transparent about where it stands, security practitioners are impressed.

Action items

You should make it easy for people to understand where in the security stack the product fits, what it does and what it does not do. Make it easy to access your help center, technical and API documentation and other materials so that people can quickly build a mental model of your offering.

Does it actually solve it?

The fact that someone is trying to solve a problem does not mean they are actually solving it. There is a lot to be said about the importance of social proof, but the tough part is that security teams often do not want to disclose what solutions they are using and how they fit in their environment, as adversaries can use this information to accomplish their goals.

The best way to build trust at an early stage is to start with an open source version of your product that prospective buyers can inspect.

There are, however, other ways to provide real user feedback and prove that the company does what it says it does:

Action items

Collect customer testimonials and make them easily accessible. If you don’t have any paying customers, ask if your design partners would be comfortable going on the record as users of the product.

Make sure that your testimonials are real and truthful, and that the person who provided the quote is prepared to be randomly pinged by prospects with questions. A good security team will do its due diligence and talk to other customers, especially if the startup doesn’t have an established reputation yet.

Have an easily accessible online community where people can ask questions, talk, and send direct messages to one another. It is very common for security professionals to DM their peers to get some unfiltered feedback about the vendor.

Will this company be around a year from now?

It can get incredibly expensive to try and implement new security tools, and organizations are not looking to replace their security stack every year. At the same time, the vast majority of cybersecurity companies are startups, and startups come and go all the time.

Time to trust: Questions cybersecurity customers ask and how to answer them by Ram Iyer originally published on TechCrunch

How to manage third-party cybersecurity risks that are too costly to ignore

Many cybersecurity professionals, if not all, have experienced that “after the breach” feeling — the moment you realize you’ll have to tell your customers their personal information may have been compromised because one of your vendors had a data breach.

Such situations also involve spending significant amounts of time and resources fixing a problem caused by a third party. No matter how well you clean things up, the reputational hit to your organization will continue to cost you in lost business down the road.

The fact is, the consequences of failing to properly manage third-party risk are far too costly to ignore.

The cost of neglecting cyber risk

Ransomware attacks, data breaches and widespread IT outages ranked this year as the most significant risk concerns for companies worldwide. More than seven in ten organizations fear third parties have too much control over customer data, including needlessly broad permissions and authorization. Of the 44% of organizations that reported a data breach last year, 75% said the breach stemmed from a third party’s excessive privileged access.

Because they integrate so seamlessly with many aspects of modern organizations, third-party vendors’ risks are your risks.

While managing third-party cyber risk is essential to maintaining customer trust, it’s also increasingly important for organizations looking to purchase cyber insurance policies. All it takes is an accidental email containing personal information sent to the wrong customer, and the basic standards for a data breach have been met. Add the various state and federal data laws and costs associated with remediation, and it becomes clear why every organization could benefit from cyber insurance.

As more contracts between businesses contain cyber insurance clauses, it’s important to consider the impact security standards have on obtaining a policy. To put it plainly, the better your security standards are, the better your rates, especially at a time when cyber insurance premiums are soaring.

Cyber insurance providers want to see that you have high standards of security before they issue a policy, so effective third-party risk management could mean the difference between potential insurers offering you a good rate or deeming you ineligible for coverage.

How to manage third-party risk

An organization’s ability to handle third-party cyber risk proactively depends on its risk management strategies. According to Forrester, 70% of enterprise decision-makers agree that third-party risk is a business priority, but about 69% use manual processes in their third-party risk programs.

How to manage third-party cybersecurity risks that are too costly to ignore by Ram Iyer originally published on TechCrunch

Cybersecurity teams, beware: The defender’s dilemma is a lie

Practically every security professional has run across “the defender’s dilemma” sometime in their career. It goes like this: “Defenders have to be right every time. Attackers only need to be right once.”

The idea that attackers have all the advantages and that defenders must be passive and wait for something to respond to is practically an axiom of cybersecurity.

It is also a lie.

Basing a security strategy around the defender’s dilemma harms your security program. Starting with an incorrect premise leads to bad decisions. You may waste money on products, services or capabilities you don’t truly need or underinvest in the ones you do. Your security staff becomes overwhelmed, demoralized and has trouble delivering good outcomes.

Defenders rightly expect attackers to lie and cheat to achieve their goals, but sometimes we forget that lying and cheating can work both ways.

If you believe the lie of the defender’s dilemma, there are other lies you have to believe as well because the defender’s dilemma relies upon them. Let’s look at each of these lies in detail and discuss strategies you can use to negate their harmful effects and turn them into advantages for your team.

Lie No. 1: Defense and offense are separate

The defender’s dilemma implies that your security team is purely passive, sitting around waiting for attacks to happen. But thinking in terms of “defense” and “offense” is a false dichotomy.

The Pyramid of Pain shows that by consistently detecting and responding to threat actor activity quickly enough to stop attacks in their tracks, you can impose cost on that actor, turning defense into offense. By concentrating your detection development efforts on the top half of the pyramid, you may not be able to prevent attacks entirely, but you will make actors work harder to be successful. That changes the economics of their attacks and also buys you valuable time to respond.

Lie No. 2: Defenders must be on duty 24/7

Your defenses must operate around the clock, while attackers can carefully choose the timing of their attacks to occur on evenings, weekends or holidays. That doesn’t mean humans always have to be engaged for everything, though.

Automation and SOAR technology can turn IR playbooks into an automated response. Driving an incident to containment within seconds or minutes of detection and collecting basic IR data along the way improves time-to-containment and significantly decreases reliance on off-hours staffing.

Consider also what each side is doing in between attacks. While threat actors plan their next attacks, your team should not be sitting idle. Use the time between incidents to level up group capabilities and individual skills. Learn from past incidents to improve detection and playbooks. Take classes or learn new skills. Use threat hunting to identify new detection or IR techniques. What you might have fallen prey to yesterday could be something you detect and interdict tomorrow.
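To make the "automation turns IR playbooks into an automated response" point concrete, here is a small, self-contained playbook in Python. It is an added illustration, not code from the TechCrunch piece or from any SOAR vendor: it parses constructed authentication events, flags a successful login preceded by repeated failures from the same source, decides containment actions, lists the basic IR evidence to collect, and measures time-to-containment. The event format, the threshold and window, the action names and the evidence list are all assumptions for illustration.

```python
"""Minimal SOAR-style containment playbook over constructed auth events.

Added example (not TechCrunch's or any product's code). Detects a
brute-force-then-success pattern and produces containment actions plus an
evidence-collection list without waiting for a human. All names, thresholds
and the event format below are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). Format is an assumption:
# "<ISO-8601 UTC ts> host=<h> user=<u> event=<failed_login|login> src=<ip>"
SAMPLE_EVENTS = [
    "2023-03-04T02:13:05Z host=ws-17 user=jdoe event=failed_login src=203.0.113.9",
    "2023-03-04T02:13:09Z host=ws-17 user=jdoe event=failed_login src=203.0.113.9",
    "2023-03-04T02:13:14Z host=ws-17 user=jdoe event=failed_login src=203.0.113.9",
    "2023-03-04T02:13:20Z host=ws-17 user=jdoe event=login src=203.0.113.9",
    "2023-03-04T02:15:00Z host=ws-02 user=asmith event=failed_login src=198.51.100.4",
    "2023-03-04T02:45:00Z host=ws-02 user=asmith event=login src=198.51.100.4",
    "2023-03-04T09:00:00Z host=ws-05 user=bwong event=login src=192.0.2.7",
]

# Constructed "wall clock" at which the playbook would have pushed containment.
DEMO_NOW = datetime(2023, 3, 4, 2, 13, 50, tzinfo=timezone.utc)

# Evidence the playbook asks the endpoint agent to preserve; placeholder names.
EVIDENCE_TO_COLLECT = ("auth_log", "process_list", "network_connections", "memory_snapshot")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    event: str
    src: str


def parse_event(line: str) -> Event:
    """Parse one key=value event line into an Event."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, kv["host"], kv["user"], kv["event"], kv["src"])


def detect_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures for the same
    (user, src) pair within `window`. Failures older than the window are ignored."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src)
        if ev.event == "failed_login":
            failures[key].append(ev.ts)
        elif ev.event == "login":
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                incidents.append({
                    "user": ev.user, "src": ev.src, "host": ev.host,
                    "first_seen": recent[0], "detected_at": ev.ts,
                    "failures": len(recent),
                })
            failures[key].clear()  # a success resets the counter either way
    return incidents


def containment_actions(incident):
    """Containment steps the playbook would push to EDR, IdP and firewall.
    Action names are placeholders, not any real product's API."""
    return [
        f"isolate_host:{incident['host']}",
        f"disable_account:{incident['user']}",
        f"block_source:{incident['src']}",
    ]


def run_playbook(lines, now):
    """Detect, decide containment, record evidence to collect, and measure
    seconds from detection to containment for each incident."""
    report = []
    for inc in detect_bruteforce_success([parse_event(l) for l in lines]):
        inc = dict(inc)
        inc["actions"] = containment_actions(inc)
        inc["evidence"] = list(EVIDENCE_TO_COLLECT)
        inc["contained_at"] = now
        inc["seconds_to_containment"] = (now - inc["detected_at"]).total_seconds()
        report.append(inc)
    return report


if __name__ == "__main__":
    for inc in run_playbook(SAMPLE_EVENTS, DEMO_NOW):
        print(inc["user"], inc["src"], inc["actions"], inc["seconds_to_containment"])
```

On the constructed events only the jdoe login is flagged: three failures inside five minutes followed by a success. The asmith success comes thirty minutes after a single failure and is not flagged, which is the kind of window tuning that off-hours automation depends on to avoid paging a human for noise.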

Lie No. 3: Defenders have to play fair

Cybersecurity teams, beware: The defender’s dilemma is a lie by Annie Saunders originally published on TechCrunch

Twitter’s data leak response is a lesson in how not to do cybersecurity

Twitter finally broke its silence over the first security incident of the Musk era: an alleged data breach that exposed the contact information of millions of users.

In late December, a poster on a popular cybercrime forum claimed to have scraped the email addresses and phone numbers of 400 million Twitter users by way of a zero-day security flaw in Twitter’s systems, previously blamed for exposing at least 5 million Twitter accounts before it was fixed in January 2022. The subsequent sale of another, smaller dataset containing the email addresses associated with more than 235 million Twitter accounts is said to be a cleaned-up version of the alleged dataset of 400 million Twitter users. Researchers warned that the email addresses, which included the details of politicians, journalists and public figures, could be used to dox pseudonymous accounts.

Twitter, or what’s left of the company, addressed the situation last week.

In an unattributed blog post, Twitter said it had conducted a “thorough investigation” and found “no evidence” that the data sold online was obtained by exploiting a vulnerability of Twitter’s systems. An absence of evidence, however, is not vindication, as it’s unclear if Twitter has the technical means, such as logs, to determine if any user data was exfiltrated. Rather, the company said that hackers had likely been circulating a collection of data pulled from past breaches and said the data did not correlate to any of the data obtained by way of exploiting the bug that was fixed in January 2022.

What Twitter is saying may very well be true, but it’s difficult to have confidence in the company’s statement. Twitter’s erratic response raises many of the same questions that regulators will want to know: Who was tasked with investigating this breach, and does Twitter have the resources to do a thorough job?

An important lesson in what not to do

Twitter’s data leak response is a lesson in how not to do cybersecurity by Carly Page originally published on TechCrunch

How well did Israel’s cybersecurity industry do in 2022?

The massive valuations and funding rounds of 2021 left some room for optimism around the state of the Israeli cybersecurity industry in 2022, instilling a sense of security in Q1 of the new year. While other sectors began to feel the shifting tides of the market as the year progressed, capital continued to freely flow into cybersecurity, further reinforcing the belief that it is a persistently resilient outlier in tech, immune to market instabilities and unable to be shocked into a downturn.

After closing the book on 2022 this week, it is safe to say that this optimism was somewhat misguided. With hindsight, 2021 can be categorized as an anomaly that sent the industry into a tailspin, with bloated valuations exceeding actual revenue and funding rounds scaling at what many warned was an unhealthy pace. The repercussions of this spiral are evident in our 2022 analysis of funding and M&A data for the Israeli cybersecurity ecosystem.

In 2022, overall funding for Israeli cybersecurity startups fell by a dramatic 64%, from $8.84 billion in 2021 to $3.22 billion this year, and the number of funding rounds decreased from 135 in 2021 to 94. When compared to overall funding in 2020 ($2.75 billion over 109 funding rounds), it seems that 2021 was a blip on the radar, and that the industry is returning to where it left off in 2020.

The majority of capital that did flow into Israel’s cybersecurity industry poured directly into seed rounds of early-stage startups.

Early stage gets the funding

Our data indicate that the majority of capital that did flow into cybersecurity this year poured directly into one very distinct area: seed rounds of early-stage cybersecurity startups. The average 2022 seed round actually shattered the 2021 record ($7 million), reaching a whopping $9 million. In total, seed funding rose by 65% this year, from $233 million in 2021 to $384 million in 2022.

This striking amount of capital, dedicated to the earliest stages of company building, demonstrates ongoing investor confidence in the cybersecurity industry’s potential to innovate and build solutions for increasingly acute threats.

Furthermore, it indicates the difficulty in raising Series A rounds this year, as investors’ thresholds for these rounds grew in light of the economic crisis. While the number of Series A rounds remained almost unchanged since 2021 (30 rounds last year and 24 rounds in 2022), investors preferred to support the seed rounds of startups that will grow sustainably and cautiously from the get-go.

“Investors understand that seed funding has a clear baseline, as the costs of building a company have not decreased,” says Iren Reznikov, director of Corporate Development and Ventures at Sentinel One. “They know that building a company from the ground up and ensuring that it reaches its Series A round with maximum maturity while hitting all of its benchmarks, costs money. At the same time, investors expect founding teams to set clear goals for reaching their Series A and strive to reach product-market fit at an early stage by engaging with prospective customers faster.”

This confidence is shared by cybersecurity founders, who, despite this year’s market volatility, still believe in the potential to build something meaningful for enterprise protection and business continuity. “Early-stage startups are best poised to respond to the changing needs of a fiscally constrained market,” says Slavik Markovich, co-founder and CEO of Descope, a stealth startup building a service for application developers in the authentication space.

“A tight economy is usually accompanied by increased fraud and cyber attacks. User adoption and conversion have become even more critical in this market, with businesses looking for solutions that reduce friction for their end customers in order to prevent any sources of churn. Founding teams at early-stage companies that focus on solving these problems will continue to attract investor interest.”

Return of the cyberveterans

How well did Israel’s cybersecurity industry do in 2022? by Walter Thompson originally published on TechCrunch

Pitch Deck Teardown: MedCrypt’s $25M Series B deck

In September, the FBI warned that more than half of connected medical devices in hospitals had known critical security vulnerabilities, and these flaws are leading to a surge in attacks on the healthcare industry. As Carly Page reported, MedCrypt raised a $25 million round to help device manufacturers think security-by-design when creating the next generation of medical devices.

The company is a Y Combinator graduate that provides software for anything the U.S. Food and Drug Administration would consider a medical device where cybersecurity could be a concern, from insulin pumps and heart rate monitors to AI-based radiology tools and autonomous robots. I’m sure we can all agree that we don’t want to live in a world where people get blackmailed so hackers won’t send their critical health devices on the fritz, so let’s take a look at the story MedCrypt shared with its investors to raise its Series B.

Slides in this deck

The MedCrypt Series B deck is a tidy 12-slide deck. The company’s COO, Vidya Murthy, who shared the deck with me, said that it’s as-pitched, except that some of the customer adoption information has been redacted. Makes sense; security is sensitive business, and I imagine keeping the customer list under your hat might be a smart move. The company does claim that three of the top five device manufacturers use their products.

  1. Cover slide
  2. Problem slide
  3. Target audience/market size slide
  4. Opportunity slide
  5. Mission slide
  6. Product slide: Vulnerability tracking
  7. Product slide: Behavior monitoring
  8. Product slide: Cryptography
  9. Product slide: MedISAO
  10. Team slide
  11. Summary/traction slide
  12. Closing slide

Three things to love

MedCrypt’s slide deck shows that it is a mature organization with a broad product lineup and even the beginnings of an ecosystem influence play. The deck is pretty unusual in that it is missing a fair amount of information that I’d expect to see in a deck from a company at this stage, but the narrative is clean and (mostly) easy to follow.

A surprising amount of the deck focuses on the company’s product lineup, with four of the 10 content slides dedicated to that. It makes sense to tell the story of a company through its products, but the deck itself doesn’t do a great job of that; it’s obvious that it needs a voice-over to contextualize this information.

Rallying the industry

[Slide 9] Mediwhatnow? Image Credits: MedCrypt

This slide is at once very good and pretty lacking. When it first came up, I was confused about what MedISAO was and why it was on the company’s slide deck. It shows that this deck was designed with a voice-over in mind rather than being readable on its own. This slide comes after three slides that explain MedCrypt’s products and uses the same design. Perhaps that should have been the tip-off that this is also one of the company’s products, but I found it confusing at first. Why is it good that the FDA recommends ISAO memberships? What the hell even is an ISAO? (I had to Google it; it’s an information sharing and analysis organization). Why is it important that MedISAO is good for MDM? (I know, I know. I had to Google that, too: medical device manufacturer). Yay, sales pipeline, I suppose?

When I visited the MedISAO website, it finally clicked. The site’s FAQ states that “MedISAO is organized by MedCrypt, Inc., a healthcare-first cybersecurity company.”

So! We got there in the end, which isn’t really a good thing to say about a pitch deck. What is tremendously impressive, though, is that if MedCrypt is able to be the central repository for sharing security information across all medical devices, it has an opportunity to keep a finger on everything that’s going on across its entire industry. It’s a really powerful position to be in.

Of course, there’s nothing on this slide about how successful it is so far, and its website says “MedISAO does not publish a complete list of member organizations, but you can see a partial list of members on the home page.” It’s hard to gauge whether this is a mature, successful initiative that’s helping cement MedCrypt in its space or a website the company flung up over a couple of afternoons. I would have loved to see some metrics here, specifically about the value of the sales pipeline from the site and what impact it has.

A gut punch of an opportunity slide

[Slide 4] Yeah, that seems important. Image Credits: MedCrypt

This slide is an absolute slam dunk. It doesn’t take a lot of imagination to see how there’s an enormous market with a lot of money at stake.

One of the big questions an investor asks themselves is whether there is a market for a product or company. Regulatory shifts can be a powerful driver for adoption. For example, before GDPR legislation went into effect in May 2018, every website in Europe and every company that wanted to do business with EU countries very quickly needed to make changes. That created a booming industry for web development houses that specialized in privacy.

Well, it seems like the same is happening in the medical device industry; this slide claims that more than $1 trillion worth of devices need to get secured to be in compliance. Unlike web development, however, this is a pretty specialized industry. If you thought GDPR was wild, get a load of HIPAA. On top of that, it’s often non-trivial to update the firmware on embedded electronic devices (that’s part of the reason we are in this mess in the first place).

This slide is an absolute slam dunk: It doesn’t take a lot of imagination to see how there’s an enormous market with a lot of money at stake (and a lot of money to spend) — with a ticking clock. It’s a perfect storm, and MedCrypt has built a boat that just might be able to weather it.

Strong summary slide

[Slide 11] Great summary. Image Credits: MedCrypt

Personally, I’m not a fan of READING LARGE AMOUNTS OF TEXT IN ALL CAPS; it’s shouty and reader-unfriendly. It also means that people who are adept at speed-reading aren’t able to use their speed-reading skills. That aside, this slide is a great one to end on. It includes a huge amount of really good information: It summarizes the market opportunity, products, number of customers and previous fundraises, and helps set the tone for the Q&A at the end. Another approach would have been to move the summary slide to the beginning of the deck to set the tone, but it works either way.

In the rest of this teardown, we’ll look at three things MedCrypt could have improved or done differently, along with its full pitch deck!

Pitch Deck Teardown: MedCrypt’s $25M Series B deck by Haje Jan Kamps originally published on TechCrunch

A guide to navigating your first 90 days as a new CISO

Carrying out the mandate of the chief information security officer (CISO) has never been easy, but today’s increasingly fraught digital landscape has made it even more difficult. What’s more, new and complex compliance requirements have opened the door for potential personal criminal liability in the event of a data breach or other cyber incident.

It’s a big job that touches just about every part of the organization, and the ability to hit the ground running can make a big difference. But with so many tasks at hand, just knowing where to start can be a significant challenge.

How a new CISO operates during their first 90 days on the job will set the tone and precedent for the remainder of their term. When I first stepped into my role as a CISO, I established clear goals for myself at the 30-, 60- and 90-day benchmarks because I knew it was important to enter with a plan and a clear vision of what would constitute success.

It was a learning experience, and despite the fact that not everything went according to plan, I look back on those first 90 days with pride and fondness. Here’s what I learned from my initial three months on the job:

Hit the ground running, but don’t try to sprint

Preparation is critical. Before you even set foot in your new office, you should be doing extensive research on the threat landscape of your industry.

The worst thing you can do is hear about a risk and not document it.

What recent threat activity has been in the news? What major (and minor) incidents have taken place over the past year or so? You should also know the relevant costs associated with a breach in your industry based on the attack activity your research reveals. It’s important to know what dangers are out there and the cost of inaction.

One piece of advice has always stuck with me: you’ll never get those first 90 days back. There will never be another time when you can focus purely on research and discovery. As you settle into the role, you’ll become more ingrained in daily activities and begin executing your vision. But during those first 90 days, it’s important to resist the urge to dive in, start working on deliverables or going heads-down on new initiatives. This is your time to watch and listen.

Know who can give you the answers you need

As soon as you can, map out the internal and external stakeholders you need to know and start scheduling meetings with them.

Before I even started, I sent a complete document collection request to each one, asking for recent maturity assessments, organizational charts, recent board decks, and documentation on any relevant processes. Because of that, I had all the documentation I needed on my first day.

A guide to navigating your first 90 days as a new CISO by Ram Iyer originally published on TechCrunch