Six tips for getting the most out of your SIEM investment

Security information and event management (SIEM) is one of the most well-established categories of security software, having first been introduced about 20 years ago. Nevertheless, very little has been written about SIEM vendor evaluation and management.

To fill that gap, here are six top-line tips on procuring and implementing a SIEM solution for maximum value.

Evaluating and purchasing a SIEM solution

Size your spend

SIEM software solutions are priced differently: either by the number of employees in the customer organization, by the rate of events per second, or based on the log volume ingested. It’s important to figure this out early to get a rough idea of what you will pay over time. You’ll also identify the various data sources meaningful to your Security Operations Center (SOC).

Buying a SIEM is a massive commitment: you and your organization will need to live with your decision for years to come.

If you already have a SIEM in place, give the vendor your current use cases and consumption, and they should be able to replicate it. If you don’t, you’ll need to do a little leg work. A good starting point is assessing the volume of logs you’ll send to the SIEM. Measure actual daily log volume from each source by checking out the locally stored logs for a “normal” day and tallying the results.

If the SIEM vendor charges by your number of employees, be wary. This is usually a way to charge more for the SIEM by counting employees who don’t generate any relevant data.

Evaluate your vendor’s practices

The next step is to conduct a proof-of-concept (POC); this should be a starting point for an eventual implementation, not a standalone, canned exercise. During this process, your vendor should demonstrate a service level that you’ll want to maintain post-sale. Here are some key questions to consider during this process:

  • Who will staff your account? Ideally, a vendor will commit skilled technical staff to both execute your initial evaluation and conduct an implementation.
  • Who from your team will take the technical lead on the evaluation, and who’ll ultimately implement it? Ideally this will be the same person or small group of people.
  • After you buy a SIEM, what’s next on your roadmap? SOAR? CSPM? Make sure your vendor can integrate with a broad range of technologies.
  • It’s critical to fully understand the vendor’s front- and back-end software architecture. Some vendors calling themselves “true SaaS” or “cloud-native” are not. Don’t lock yourself into a 12-month contract when you don’t know what’s going on under the hood.

Don’t be fooled: Know the total cost of implementation

Six tips for getting the most out of your SIEM investment by Walter Thompson originally published on TechCrunch

3 things businesses must do to secure applications in the AI era

Organizations must quickly adapt their application security strategies to address new threats fueled by AI.

They include:

  • More sophisticated bot traffic.
  • More believable phishing attacks.
  • The rise of legitimate AI agents accessing customers’ online accounts on behalf of users.

By understanding the implications of AI on identity access management (IAM) and taking proactive measures, businesses can stay ahead of the AI curve and protect their digital assets. Here are the top three actions organizations preparing their application security for a post-AI world need to consider in their security strategies:


Defend against reverse engineering

Any app that exposes AI capabilities client-side is at risk of particularly sophisticated bot attacks looking to “skim” or spam those API endpoints — and we’re already seeing examples of reverse engineering AI-powered sites to get free AI computing.

Consider the example of GPT4Free, a GitHub project dedicated to reverse engineering sites to piggyback on GPT resources. It accumulated an astonishing 15,000+ stars in just a few days in a blatant public example of reverse engineering.

To prevent reverse engineering, organizations should invest in advanced fraud and bot mitigation tools. Standard anti-bot methods like CAPTCHA, rate limiting and JA3 (a form of TLS fingerprinting) can be valuable in defeating ordinary bots, but these standard methods are easily defeated by more complex bot problems like those facing AI endpoints. Protecting against reverse engineering requires more sophisticated tooling like custom CAPTCHAs or tamper-resistant JavaScript and device fingerprinting tools.

3 things businesses must do to secure applications in the AI era by Walter Thompson originally published on TechCrunch

Why aren’t venture capitalists flocking to fund cybersecurity startups?

On the back of pretty strong earnings reports and valuations, public cybersecurity companies are outperforming the broader technology segment. Yet, funding for cybersecurity startups has flatlined.


It’s an interesting issue that is worth taking a moment to consider. This morning, let’s look at how cybersecurity companies have performed, as well as a number of datasets regarding Q1 2023 venture capital investment to understand why investments have been tepid in this sector despite stellar results from the companies.

Sounds good? To work!

How to make a lot of money in the technology game

If you want to earn truckloads of cash selling software today, I wouldn’t recommend making an API to connect a blockchain to the e-sports world. Both of those sectors are struggling after a period of over-investment and hype, though I hope both rise again: The former because it would be entertaining in a business context, and the latter because I am a huge nerd who is patiently waiting for a Starcraft revival.

No, if you wanted to make a lot of money in the technology game today, you would build and sell cybersecurity products.

The evidence is clear. Cybersecurity is chugging along quite smoothly, even as the largest tech companies muddle along and Zoom figures out how to grow again after one of the most impressive runs in corporate history.

Why aren’t venture capitalists flocking to fund cybersecurity startups? by Alex Wilhelm originally published on TechCrunch

3 key metrics for cybersecurity product managers

The conventional product management wisdom suggests that one of the responsibilities of a product leader is to track and optimize metrics — quantitative measurements that reflect how people benefit from a specific solution. Anyone who has read product management books, attended workshops or even simply gone through an interview, knows that what is not measured cannot be managed.

The practice of product management is, however, much more nuanced. Context matters a lot, and the realities of different organizations, geographies, cultures and market segments heavily influence what can be measured and what actions can be taken based on these observations. In this article, I am looking at cybersecurity product management and how metrics product leaders are tempted to track and report on may not be what they seem.

Detection accuracy

Although not all cybersecurity products are designed to generate some kind of detection, many do. Detection accuracy is a metric that applies to security tooling that does trigger alerts notifying users that a specific behavior has been detected.

Two types of metrics are useful to track in the context of detection accuracy:

  • False positives (a false alarm, when the tool triggers a detection on normal behavior).
  • False negatives (a missed attack, when the tool misidentifies an attack as normal behavior and does not trigger a detection).

Security vendors are faced with a serious and, I dare say, impossible-to-win challenge: how to reduce the number of false positives and false negatives and bring them as close to zero as possible.

The reason it is impossible to accomplish this is that every customer’s environment is unique and applying generic detection logic across all organizations will inevitably lead to gaps in security coverage.

Product leaders need to keep in mind that false positives make it more likely that a real, critical detection will be missed, while false negatives mean that the product is not doing the job the tool was bought to do.

Conversion rate

Conversion rate is one of the most important metrics that companies, and consequently product teams, obsess about. This metric tracks the percentage of all users or visitors who take a desired action.

Who owns conversions in the organization will depend upon who can influence the outcome. For example:

  • If the product is fully sales-led and whether the deal gets closed is in the hands of sales, then conversion is owned by sales.
  • If the product is fully product-led and whether a free user becomes a paying customer is in the hands of product, then conversion is owned by marketing and product teams (marketing owns the sign-up on the website, product owns in-app conversion).

3 key metrics for cybersecurity product managers by Walter Thompson originally published on TechCrunch

AI is just someone else’s computer

Samsung this week became the latest big name to ban its employees from using generative AI tools such as ChatGPT and Google Bard, warning staff that they could be fired if they’re caught using them.

In an internal memo obtained by Bloomberg, Samsung said the ban was prompted by the discovery of a leak of sensitive internal source code by an engineer who uploaded it to ChatGPT last month. According to earlier reports, one Samsung employee reportedly asked the chatbot to check sensitive database source code for errors, while another fed a recorded meeting into ChatGPT and asked it to generate minutes.

The Korean tech giant is the latest company to crack down on the use of ChatGPT. American banking giant JPMorgan recently restricted its use among employees due to compliance concerns, and Amazon has reportedly urged staff not to share code with the AI chatbot. Verizon and Accenture have also taken similar steps, and Italy briefly banned ChatGPT last month, saying it was concerned the service breached EU data protection laws.

Even Microsoft, which has a multibillion-dollar stake in ChatGPT owner OpenAI, has doubts. According to a new report, Microsoft’s Azure cloud server unit plans to sell an alternative version of ChatGPT that runs on dedicated cloud servers, where the data will be kept separate from those of other customers.

These concerns are by no means unfounded. Not only could tools such as ChatGPT help attackers write legitimate-sounding phishing emails and malicious code, they also carry a data breach risk. Those risks have already manifested: OpenAI admitted in March that ChatGPT has already suffered its first significant data breach, which exposed the personal and partial payment data of ChatGPT Plus subscribers.

Cutting-edge AI, legacy tech

Generative AI tools like ChatGPT bring powerful capabilities to non-technical users and represent a huge leap forward both in what AI can do and its potential to revolutionize everything from the way we work to the way we make decisions. For non-technical users who are now using the technology to generate human-like text for essays and social media copy, it might feel like the future has arrived. Indeed, some have even called it a new industrial revolution.

While it might feel like some sort of magical eight ball, the underlying infrastructure behind generative AI is nothing new. Much like a cloud storage service, all of the data you share with ChatGPT is stored on OpenAI’s servers. Along with prompts and chat conversations, OpenAI saves other data, too, such as your account details, approximate location, IP address, payment details and device information. This data is used to train and improve the model, according to OpenAI, so it can better understand and respond to natural language queries.

AI is just someone else’s computer by Carly Page originally published on TechCrunch

3 questions CISOs expect you to answer during a security pitch

It’s a difficult time to be a CISO or a security startup founder: Resources are tight and the stakes are high when deciding where to allocate them. This means the CISO deciding whether or not to onboard your product has less time, budget and staff than in recent years, and your pitch has to be that much better to make the cut.

Working in your favor, the growing number of cyberattacks and exfiltration ransomware incidents that continue to threaten the bottom line for enterprises means security remains a business priority. Gartner predicts that end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026, so opportunity remains plentiful.

Just as security executives are condensing and refining their strategies, founders must do the same in the way they’re pitching these CISOs. There’s no more room for a good product winning over a CISO despite a bad pitch.

Based on our more than four combined decades in computer engineering, cybersecurity, and security startup investment and advisory experience, these are the important questions we see smart security founders answering in their pitches over the next few months to close critical deals and adapt to the unique market conditions and industry landscape:

1. How does your solution help me sell more X?

In the industry we often hear about “a solution looking for a problem,” when the onus is put on the CISO listening to your pitch to figure out what problem your product is trying to solve and why it’s critical to their business. While this may have worked in the past when there weren’t as many solutions, today it can be a dealbreaker. With the increasing number of vendors now in the market, CISOs no longer have the time to do this work for you.


A question Steve asked more than a hundred security vendors as the CISO at Levi Strauss was, “how does this solution sell more jeans?”

In all too many cases, the answer was “we are here to help you find more vulnerabilities or identify more risks in your environment,” which led to a quick “thank you, no thank you” response, since handing the CISO more issues is not helping sell more jeans or solving a problem. It showed a lack of understanding and demonstrated they simply wanted to sell another tool.

When the response was along the lines of “our product will address the use case of identifying and remediating malicious or accidental misconfiguration of your consumer PII data in the cloud to limit the financial risk of regulatory fines and brand risk of violating consumer trust,” it demonstrated that they were thinking about the business problem and addressing how to accept responsibility for solving some facet(s) of it.

Steve appreciated that they brought a solution to a business use case problem, and it allowed him to quickly determine if this was “interesting” or “important” in the priority of problems he needed to solve in the next 6-18 months. It was also all too common when the “how do you sell more jeans” question was posed that the individual would just stop and stare, unprepared to answer, resulting again in a quick end to the discussion.

Similar key questions to answer speaking to the bottom line include:

The crackdown on pixel tracking in telehealth is a warning for every startup

Healthcare startups are scrambling to reassess how their websites and apps are built, and how third parties may, inadvertently or not, be putting patients’ protected health information at risk.

In March, U.S. mental health startup Cerebral admitted it shared the private health information of more than 3 million users with Facebook, Google, TikTok and other ad giants via so-called tracking pixels. These near-invisible bits of code are typically embedded in web pages to share information about users’ activity, often for analytics. Cerebral said these trackers inadvertently collected sensitive user data since it began operating in October 2019.

In its disclosure to the U.S. Department of Health and Human Services (HHS), Cerebral said that following a review of its code, it “determined that it had disclosed certain information that may be regulated as protected health information under [the Health Insurance Portability and Accountability Act],” or HIPAA, as it’s commonly referred to. This information included patients’ phone numbers, IP addresses, insurance information, mental health assessment responses and associated clinical data.

This data lapse is the third-largest breach of health data in 2023, according to the HHS, which is investigating the breach. However, while Cerebral’s lapse ranks among the most serious and damaging, the breach is just one of many currently being investigated by HHS — and this list is likely to grow.

More casualties

Last year, a joint investigation by STAT and The Markup found that dozens of hospital websites and telehealth startups were sharing patients’ medical information with advertisers and tech giants.

The crackdown on pixel tracking in telehealth is a warning for every startup by Carly Page originally published on TechCrunch

6 common challenges facing cybersecurity teams and how to overcome them

Building products and companies in cybersecurity is not an easy task because in many ways, the industry behaves differently from others. To start, it is very crowded, with hundreds or even thousands of undifferentiated solutions promising to solve all security problems and, more often than not, falling short of their promises. Moreover, it is an incredibly dynamic space, with the landscape sometimes shifting overnight.

As a product leader, I meet many entrepreneurs and startup founders and see over and over how the vast majority get slowed down by the same types of problems. In this post, I am looking at six challenges of building products in cybersecurity and ways to overcome them.

1. The challenge of customer discovery


In most industries, buyers and end users are open to talking to vendors because they recognize that software providers are there to identify their problems, pain points and inefficiencies, and build solutions that remove them. The same, unfortunately, cannot be said about cybersecurity where few leaders (Chief Information Security Officers or CISOs) or practitioners are open to having transparent conversations with strangers. There are several reasons why this is the case:

  • Security teams are chronically overextended and understaffed, and therefore cannot prioritize talking to vendors over improving the security posture of their company.
  • CISOs and practitioners alike are inundated by vendors who reach out from all fronts — calls, emails, social media messages and conferences, to name a few.
  • Product managers and founders tend to ask the same types of questions that an adversary would (what products the company is using, where their gaps are, etc.) — questions that can only be answered if there is a level of trust between parties.

All this makes the lives of cybersecurity product leaders incredibly hard as it essentially makes them unable to do customer discovery, learn about pain points and brainstorm potential solutions. Here are some of the ways to address this:

  • Build relationships with CISOs and security practitioners by attending events, workshops and webinars.
  • Ask existing customers, VCs and design partners for introductions to people in their network.
  • When PMs get an opportunity to talk to security people, use that time to ask questions and be curious, instead of pitching their products and solutions.

2. Using traditional product management frameworks

6 common challenges facing cybersecurity teams and how to overcome them by Jenna Routenberg originally published on TechCrunch

What’s going on with the TikTok ban?

With a U.S. ban of TikTok looming, it might look like game-over for the hit video sharing app, which has taken the world by storm in recent years, reshaping every aspect of culture in the process.

Uncertainty abounds right now, but TikTok’s fate is far from sealed. We’ve answered some common questions about a situation that’s complex, confusing and changing as we speak.

What happened in Congress?

TikTok CEO Shou Zi Chew testified before Congress last week, enduring five hours of intense questioning from lawmakers over concerns that China might leverage the app to compromise U.S. national security. TikTok is owned by Chinese tech giant ByteDance, setting it apart from other major social media companies based in the U.S.

“Let me state this unequivocally: ByteDance is not an agent of China or any other country,” Chew said in his opening statements, a refrain TikTok’s CEO repeated throughout the hearing as he sought to reassure lawmakers.

National security concerns were just one of the worries that representatives expressed about TikTok. Members of the House Energy and Commerce Committee also raised red flags over issues ranging from the app’s eating disorder content and viral challenges to its flimsy tools designed to prevent social media addiction among teens. Those concerns, which focus mainly on vulnerable underage users, are serious, but they are also issues that TikTok shares with U.S.-based social media companies like Instagram and YouTube.

In many ways, the TikTok hearing went much like other major tech CEO hearings have gone in recent years. Lawmakers generally spent their time grandstanding and posturing for sound bites, dredging up little in the way of new information on TikTok, ByteDance and their operations in the process. Ultimately, the hearing isn’t likely to move the needle on TikTok’s domestic fate, but it does serve as a useful barometer for the headwinds the company faces in its biggest market.

Why ban TikTok?

The effort to ban TikTok in the U.S. began during the Trump administration, but the Biden White House recently picked up the baton.

What’s going on with the TikTok ban? by Taylor Hatmaker originally published on TechCrunch