Scammers snatch up expired domains, vexing Google

The web is a living thing — ever-evolving, ever-changing. This goes beyond just the content on websites; whole domains can expire and be taken over, allowing corners of the internet to become a little like your hometown: Wait, wasn’t there a Dairy Queen here?

For example, if TechCrunch forgets to pay its domain registrar, TechCrunch.com would eventually expire (on June 10, to be exact). At that point, some enterprising human could snap up the domain and do nefarious things with it. Now, if TechCrunch.com was suddenly red instead of green and sold penis enhancement pills instead of dicking around with great news and awful puns in equal measure, you’d probably figure out that something is up. But black-hat SEO tricksters are subtler than that.

When they seize a domain, they’ll often point the domain to a new IP address, resurrect the site, restore it as closely as they can to the original, and leave it for a while. When the IP address changes, SEO experts claim that Google temporarily “punishes” the domain by dropping it in the rankings.

This is called “sandboxing,” or “the sandbox period,” and during this time, Google puts the domain on notice. Once Google determines — sometimes erroneously — that the IP address change underneath the domain was just part of a move from one web host to another, the theory is that the domain will start climbing in the rankings again. That’s when the new owner of the domain can start their sneaky business: Updating links to send traffic to new places for example, or keeping the traffic as it is and adding affiliate links to make money off its visitors. At the far end of the scamming spectrum, they can use the good name and reputation of the original business to scam or trick users.

Since the invention of PageRank in 1996, Google has been relying in part on the transferability of trust to determine what makes a good website. A site that is linked to by a lot of high-trust websites can, generally, be trusted. Links from that page can, in turn, be used as a measure of trust as well. Massively simplified, it boils down to this: The more links from high-quality sites a page has, the more it is trusted, and the better it ranks in the search engines.

While bad actors can take advantage of this fact, it’s also just something that happens on the internet — sites move from one host to another all the time for perfectly legitimate reasons. As Google’s Search Liaison, Danny Sullivan, pointed out when I talked to him about expired domains last week, TechCrunch itself has had a few changes of owners over the years, from AOL, to Oath, to Verizon Media, to Yahoo, which itself was bought by Apollo Global Management last year. Every time that that happens, there’s a chance that the new corporate overlords want to move stuff to new servers or new technology, which means that the IP addresses will change.

“If you were to purchase a site — even TechCrunch; I think it was AOL who bought you guys — the domain registry would have changed, but the site itself didn’t change the nature of what it was doing, the content that it was presenting, or the way that it was operating. [Google] can understand if domain names change ownership,” Sullivan said, pointing out that it’s also possible for the content to change without the underlying architecture or network topography shifting. “The site could rebrand, but just because it rebranded itself doesn’t mean that the basic functions of what it was doing had changed.”

The buying and selling of expired domains

You don’t have to look far to find places to buy expired domains. Serp.Domains, Odys, Spamzilla, and Juice Market are some of the most active in the business. (As a side note, I stuck a rel="nofollow" on all three of those links in the HTML of this article. They ain’t getting TechCrunch’s sweet, sweet link juice on my watch; as Google notes in its developer documentation: “Use the nofollow value when … you’d rather Google not associate your site with … the linked page.”)

A screenshot from Serp Domains, which lists around a hundred sites for sale, noting that “aged expired domains are not affected by the sandbox effect.” The company lists prices from $350 to $5,500, with original registration years ranging from 1998 to 2018.

“Get expired domains that have naturally gained (almost impossible to get) authoritative backlinks since they were actual businesses,” Odys advertises on its site, adding that they “are aged and out of the sandbox period by a mile, [and] already have organic, referral & direct, type-in traffic.”

These domains are listed for sale for anything from a few hundred bucks to thousands of dollars. Seeing the sites disappear from the “for sale” list and then pop up on the internet shows that some of these domains end up ethically dubious at best and scams at worst.

It’s pretty easy to determine why so-called “black hat SEO” folks are willing to go through all the trouble: Building a domain from scratch, filling it with high-quality content, waiting for people to link to it, and doing everything by the book takes for-flippin’-ever. Finding a shortcut that shaves months, if not years, off the process and adds the ability to make a quick buck? There will always be people who are willing to go for that sort of thing.

“Google has named inbound links as one of their top three ranking factors,” explained Patrick Stox, a product adviser at Ahrefs. “Content is going to be the most important, but your relevant links will provide a strength metric for them.”

What the spammers are doing

The spammers buy a domain that was recently expired and use a search engine optimization (SEO) tool like Ahrefs to gauge how valuable the site is; it checks how many links are going to the site and how valuable those links are. A link from TechCrunch or the BBC or WhiteHouse.gov would be highly valuable, for example. A link from a random blog post on Medium.com is probably less so.

Once they’ve found and bought a domain, they’ll use something like the Wayback Machine to copy an old version of the site, stick it on a server somewhere, and — voila! — the site is back. Obviously, that’s both trademark and copyright infringement, but if you’re in the market of spamming or scamming, that’s probably the least of your crimes against human decency, never mind the letter of the law.

Over time — sometimes weeks, sometimes months — Google un-sandboxes the domain and is effectively tricked into accepting the domain as the original. Traffic will start picking up, and black-hat SEO wizards are ready for the next phase of their plan: selling stuff or tricking people. There are whole guides for what to do next in order to use these domains, including checking whether there are trademarks registered and redirecting either the full domain or specific pages on the domain using a so-called 301 redirect (“moved permanently”).

“When a site drops off the internet [Google is] just going to drop all the signals from the links. That typically happens anyway when a page expires. Where it’s more complicated is going to be whether any of those signals will come back for a new owner. I don’t think [Google has] ever really answered this in a very clear way,” Stox explained. “But if the same site with the same type of content — or very similar content — comes back, it is more than likely the links are going to start counting again. If you were a site about technology and now suddenly you’re a food blog, all of the previous stuff will likely be ignored.”

As with all things in SEO, however, not everything is cut and dried; it turns out that negative signals continue on expired domains, so it stands to reason that positive signals do, too.

“It’s interesting because sometimes penalties will still carry over, regardless of the content of the new site,” Stox said. “So certain things may still factor in. There’s a giant list of Google penalties — such as backlink spam, content spam, paid links, etc. They can carry on to the new site, and sometimes people will buy … an expired domain and put a new site up. Nothing is ranking, and on closer inspection, they’ll find a penalty set in inside Google Search Console.”

Sullivan reassured us that the search engine giant knows what’s going on and that it has a handle on things.

“It’s not just fair to say that all purchased sites are spam and that they, therefore, should be treated as spam,” said Sullivan, pointing out that the company’s robust spam filters are there to protect searchers. “When actual spam happens, we have a whole ton of spam-fighting systems we have in place. There are millions and millions, if not hundreds of millions of [pages and sites] that we’re constantly keeping out of the top search results. One metaphor I like to use for people to understand just how much work we do on spam is this: If you go into your email spam folder, you go, ‘Wow, I didn’t see all these emails.’ That is stuff that existed but didn’t show up because your system said, ‘No, this isn’t really relevant for you. This is spam.’ That’s what’s happening on search all the time. If we didn’t have robust spam filters in place, our search results would look like what you see in your spam folder. There’s so much spam and our systems are in place to catch it.”

There’s no doubt that Google does a lot to defend us from spam, and yet there’s a thriving industry for high-value expired domains that are available, whether for honest attempts at corner-cutting or more nefarious deeds.

A thriving industry

You don’t have to dig very deep to find examples of domains that, at first glance, look legitimate, but that have been sneakily shifted to another purpose. Here are a few I came across.

One example is the Paid Leave Project, which used to live on paidleaveproject.org, but moved its site to USpaidleave.org at some point. Unfortunately, someone at the org didn’t renew and/or redirect the old domain, and the site that used to work hard to ensure that workers in the U.S. can get paid family leave is now, well … helping families grow in different ways:

A screenshot of paidleaveproject.org, which now appears to be some sort of affiliate site for erectile dysfunction pills.

Another tragic story is Genome Mag, which ran from 2013 to 2016, expired, and then came back online as a different magazine that the original owner doesn’t have control over.
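As an added example (not from the article, and not Google's or Ahrefs' code), here is a small Python audit a site owner could run to catch the two failure modes described above: outbound links whose target domain lapsed and was re-registered by someone else (and now 301-redirects off-domain, as paidleaveproject.org did), and the organization's own domains approaching expiry. Every WHOIS date, expiry date, redirect target and the `pills-affiliate.test` host below is constructed so the script runs offline; a real run would swap the lookup tables for live WHOIS and HTTP lookups.

```python
"""Outbound-link and domain-expiry hygiene audit (added example, offline)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit


@dataclass
class Finding:
    url: str
    reasons: list[str] = field(default_factory=list)


# Constructed sample: links our site published, and the date each was added.
OUTBOUND_LINKS = {
    "https://paidleaveproject.org/about": date(2018, 3, 1),
    "https://example-tech-news.test/post/1": date(2016, 5, 5),
    "https://uspaidleave.org/": date(2021, 9, 9),
}

# Constructed WHOIS snapshot: registrable domain -> *current* creation date.
# A creation date later than the day we linked means the domain dropped and
# was re-registered; the site behind it may no longer be the one we cited.
WHOIS_CREATED = {
    "paidleaveproject.org": date(2020, 11, 15),   # constructed: re-registered
    "example-tech-news.test": date(2009, 1, 20),
    "uspaidleave.org": date(2019, 6, 2),
}

# Constructed redirect map: URL -> (HTTP status, final URL) as a client sees it.
REDIRECTS = {
    "https://paidleaveproject.org/about": (301, "https://pills-affiliate.test/landing"),
    "https://example-tech-news.test/post/1": (200, "https://example-tech-news.test/post/1"),
    "https://uspaidleave.org/": (200, "https://uspaidleave.org/"),
}

# Constructed: domains we own ourselves, with their registrar expiry dates.
OWN_DOMAINS = {
    "uspaidleave.org": date(2022, 12, 1),
    "paidleaveproject.org": date(2020, 10, 1),
}

REDIRECT_STATUSES = (301, 302, 307, 308)


def registrable_domain(url: str) -> str:
    """Crude eTLD+1: last two host labels. Enough for the constructed data;
    a production audit would use the public suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_link(url: str, added: date,
               whois: dict[str, date] = WHOIS_CREATED,
               redirects: dict[str, tuple[int, str]] = REDIRECTS) -> Finding:
    """Flag a link whose domain changed hands after we linked it, or whose
    target now redirects to a different registrable domain."""
    finding = Finding(url)
    domain = registrable_domain(url)

    created = whois.get(domain)
    if created is None:
        finding.reasons.append("no WHOIS record: domain may have lapsed")
    elif created > added:
        finding.reasons.append(
            f"domain re-registered {created} after link was added {added}")

    status, final_url = redirects.get(url, (None, url))
    final_domain = registrable_domain(final_url)
    if status in REDIRECT_STATUSES and final_domain != domain:
        finding.reasons.append(f"{status} redirect off-domain to {final_domain}")
    return finding


def audit_all(links: dict[str, date] = OUTBOUND_LINKS) -> list[Finding]:
    """Return only the links that raised at least one reason."""
    return [f for f in (audit_link(u, d) for u, d in links.items()) if f.reasons]


def expiring_soon(today: date, within_days: int = 60,
                  owned: dict[str, date] = OWN_DOMAINS) -> list[str]:
    """Own domains that expire within the window (or already have)."""
    return sorted(d for d, exp in owned.items() if (exp - today).days <= within_days)


if __name__ == "__main__":
    for f in audit_all():
        print(f.url)
        for r in f.reasons:
            print("  -", r)
    print("renew now:", expiring_soon(date(2022, 10, 15)))
```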

Fraud as a service: Scammers are using encrypted messaging to undercut BNPL revenue

Buy now, pay later (BNPL) is booming in popularity, particularly among the traditional credit-wary millennial and Gen Z consumer populations. With $680 billion in transaction volume by 2025 up for grabs, fintech startups and long-standing financial institutions alike are jumping into the mix with their own offerings.

But, as we’ve seen with other emerging tech trends, rapid growth leads to new challenges.

While many industry pundits would point to the recent Consumer Financial Protection Bureau (CFPB) probe into BNPL vendors as the sector’s biggest headwind, there’s another area that regulators and industry players should be concerned about: fraud. Cybercrime often acts as a barometer of economic trends, and as the BNPL market continues to soar, fraudsters are cashing in.

Rather than relegating their activities to dark web marketplaces, scammers are hiding in plain sight on encrypted messaging apps. They collaborate through publicly available forums on these platforms to target BNPL providers with new tactics.

The only way to get ahead of these scams is for BNPL vendors to ensure they have the right defense strategy in place to combat fraud on their own platforms and networks.

Payment fraud is going mainstream, and anyone with an internet connection can join in. Yet, rather than hoping that platforms remove these fraud forums from their services, BNPL providers and the merchants who use them can shore up their own properties by understanding exactly how they are at risk.

So, what do these new fraud methods look like, and how can providers protect against them? Let’s dive in.

The dark web versus the deep web: The rise of fraud as a service

The dark web has, for years, been home to cybercrime and has become an oasis for scammers looking to obtain compromised information. However, with the recent crackdown on dark web marketplaces, cybercriminals have turned to new and under-the-radar hubs to commit illegal activity.

Malign actors have set their sights on secure messaging apps, such as Telegram, to conduct their illegal activity. As a part of the deep web, which isn’t indexed by search engines, secure messaging apps are a haven for professional criminals hoping to remain anonymous.

Within these forums, fraudsters have evolved their attack strategies. Instead of solely buying and selling access to information, cybercriminals have begun to promote fraud as a service.

One example is a Telegram scheme in which cybercriminals steal from restaurants and food delivery services. By advertising their ability to purchase food and beverage orders with stolen information (e.g., log-in credentials or credit card numbers), they offer opportunistic diners a meal at a heavily discounted rate.

Unpacking SailPoint’s $6.9B sale to private equity firm Thoma Bravo

Good morning and happy Monday! It’s Early Stage week here at TechCrunch, which means that I have some prep work to do. That in mind, we’re briefly going to dig into SailPoint’s huge private equity buyout to divine what the transaction says about the value of technology companies.

The SailPoint sale comes amid a changing exit market for technology companies more broadly. Per exit data collated by CB Insights, while global M&A activity is stable thus far in 2022 compared to last year’s pace, IPO and SPAC exits fell sharply in the first quarter. That means that M&A is more important than ever for tech exits, making the SailPoint deal worth spending time on.

From a high level, SailPoint’s exit is not a mercy-killing. Before the deal was announced, the company’s stock price was effectively $50 per share, down only modestly from its 52-week high of a little more than $63 per share; compared to many public technology companies, that’s a very limited valuation haircut from peak levels.

Thoma Bravo will pay $65.25 per share in cash for SailPoint, which sells enterprise security products.

To understand why the company is selling, and why Thoma Bravo is buying, we’ll need to peek into the company’s results. That will bring us to the question of how the company is valued and what its price could mean for unicorns and other high-priced startups. This will be fun, and quick! Let’s go!

Is SailPoint a good business?

The how and why of raising OT security capital

Last year was huge for the cybersecurity market, fueled by rising incidents of cyberattacks, particularly ransomware that disrupted services and held companies hostage.

The numbers are striking: Investments in the space more than doubled from the year before to $29.3 billion, according to a recent report by investment bank Momentum Cyber. Two recent funding rounds, in November and February, even exceeded $1 billion. A record 286 M&A deals, worth $77.5 billion, were made, and 14 deals of those were over $1 billion each. This year is off to a promising start with Google’s $5.4 billion acquisition of Mandiant in March.

The market is responding to the evolving threat landscape. As new types of attacks arise, security vendors respond with new tools in what has become a cat-and-mouse game. This dynamic has driven the market for decades, but things are heating up now that the stakes are higher with hits on critical infrastructure and the U.S. supporting Ukraine in the Russian invasion.

One security area that has been seeing particular interest of late is operational technology.

Many attacks last year targeted companies that provide basic necessities of life, and consumers felt the pain. In February 2021, someone gained unauthorized access to the water treatment system in Oldsmar, Florida, and tried unsuccessfully to add more lye to the water supply.

And last May, drivers on the East Coast panicked when they couldn’t get gasoline after a ransomware attack disrupted Colonial Pipeline’s distribution network. That month, a ransomware attack on Brazilian meat supplier JBS resulted in beef shortages in South America, North America and Australia. JBS ended up paying $11 million in ransom.

The transportation industry has also been hit hard in recent years, seeing a 186% increase in weekly attacks from 2020 to 2021, and a 900% increase in maritime attacks since 2017. Recent incidents include attacks on the New York Metropolitan Transportation Authority and the CSX Class I freight railroad.

Critical infrastructure attacks and regulation

All these attacks on critical sectors have led to a slew of federal action plans and regulations affecting the water sector, pipeline operators and other critical industries.

In one example, the Department of Homeland Security’s Transportation Systems Sector-Specific Plan cites a number of elevated risks, including cyber and aging equipment, in guiding industry efforts to strengthen infrastructure security and resilience.

As Russian attacks on Ukraine have intensified, the U.S. government is increasingly concerned about Russia launching cyberattacks on American businesses, especially critical infrastructure. On March 15, President Joe Biden signed into law the Cyber Incident Reporting Act, which requires critical infrastructure providers to report cyberattacks to the Cybersecurity and Infrastructure Security Agency within 72 hours and ransomware payments within 24 hours.

Then, on March 21, the president reiterated earlier warnings, citing “evolving intelligence that the Russian government is exploring options for potential cyberattacks.”

Then the U.S. Department of Justice unsealed indictments on March 24, charging four Russians who worked for the Russian government with hacking operational technology (OT) of companies in the energy sector around the world over six years.

Legacy equipment in a modern world

For decades, cybercriminals focused on stealing information they could monetize, but now that OT environments are increasingly connected to the Internet, bad actors are trying to shut down infrastructure and conduct cyber-physical attacks like in Oldsmar.

The advent of ransomware and targeted attacks on critical infrastructure have changed the game and are putting operational technology security in the spotlight. At the end of the day, OT security is a national security issue.

Cloud providers’ default retention policies are not enough: You better back your SaaS up

If there’s one thing that recent earnings reports from Microsoft, Google and Amazon made clear, it’s that their cloud businesses are booming.

While the shift to the cloud is well underway, many companies aren’t paying attention to a critical aspect of this growth: the dramatic increase in data generated by SaaS that is not adequately protected. This exposure can put companies at greater risk for ransomware attacks, breaches, compliance woes and much more.

The growth of enterprise SaaS is rapid and inevitable. Gartner expects end-user spending on SaaS to rise over 18% to $171.9 billion in 2022 from $145.5 billion in 2021 — and it’s easy to see why.

The SaaS model offers significant value to both service providers and customers, ranging from reduced costs to simplified management and maintenance. The benefits of SaaS are many: It eliminates the need to install and configure software; it gives the customer greater financial flexibility by moving from licensing fees to subscriptions; there is no need to purchase and maintain hardware; and new releases and upgrades are automatically deployed.

Without the right policies in place, organizations often have little visibility into what SaaS data they actually have; whether that data is in compliance, protected or compromised.

But despite its rapid growth and countless benefits, there are significant challenges associated with managing and protecting SaaS data. That’s a problem that can only get worse, as for many organizations, SaaS is the fastest-growing segment of their data.

Cloud providers’ default retention policies are not enough

Each cloud service provider (CSP) and SaaS provider has its own data retention policy, and once that policy expires, the customer is responsible for backing up, protecting, and, if needed, restoring the data in the event of a cyber attack.

Not only is the customer responsible, but data retention policies can differ based on the provider and the type of SaaS data. In the current world of rampant ransomware attacks and stringent privacy and compliance regulations, leaving data unmanaged and unprotected is a risk few organizations can take.

Let’s look at Microsoft 365 as an example. Microsoft 365 adoption has been phenomenal, with nearly 300 million users and over 50% subscriber growth over the past two years. It is one of the most popular enterprise SaaS applications, and yet backup options are limited in terms of data stored on Azure.

Study: 30% of Log4Shell instances remain vulnerable

On December 9, 2021, a critical zero-day vulnerability affecting Apache’s Log4j2 library, a Java-based logging utility, was disclosed to the world and broke the internet.

As the third most used computer language, Java is practically ubiquitous, and its Log4j2 library is extremely popular, with an estimated 15 billion devices around the globe currently running Java. The worst part is that Log4j is hard to find and easy to exploit, which places hundreds of millions of Java-based applications, databases and devices at severe risk.

The full scope of risk presented by the vulnerability is unprecedented, spanning every type of organization across every industry. Due to the ease of the exploit combined with the difficulty in uncovering the vulnerability within your organization, Log4Shell is the proverbial needle in a haystack.

Cybersecurity and Infrastructure Security Agency director Jen Easterly noted that Log4Shell is the “most serious” vulnerability she has witnessed in her decades-long career. She urged business leaders not to delay remediation processes, noting that this vulnerability could take years to address. Remediating this vulnerability would not be a simple, one-and-done process, and multiple detection methods would be required.

Quick to patch, quicker to exploit

As many companies prepared to operate with skeleton IT staff in the last two weeks of 2021, hackers and attackers saw an opportunity. It didn’t take long for this critical Java vulnerability to be exploited in the wild. Nearly 1 million attack attempts were launched in just 72 hours following the vulnerability’s disclosure.

What’s worse, as part of an ongoing information-gathering operation, notorious Chinese hacking group APT41, which breached local government agencies in at least six U.S. states in the last 10 months, quickly leveraged Log4Shell as the primary vector to infiltrate at least two of the states’ computer systems.

As war escalates in Europe, it’s ‘shields up’ for the cybersecurity industry

In unprecedented times, even government bureaucracy moves quickly. As a result of the heightened likelihood of cyberthreat from Russian malicious actor groups, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — issued an unprecedented warning recommending that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”

The blanket warning is for all industries to take notice. Indeed, it’s a juxtaposition of sorts to think the cybersecurity industry is vulnerable to cyberattack, but for many nation state groups, this is their first port of call.

Inspired by the spike in attacks on cybersecurity agencies globally, a report from Reposify assessed the state of the cybersecurity industry’s external attack surface (EAS). It coincides with CISA’s warning, and highlights critical areas of concern for the sector and how they mirror trends amongst pharmaceutical and financial companies, providing vital insight into where organizations can focus their efforts, and reinforce the digital perimeter.

The report examined 35 cybersecurity companies and their 350+ subsidiaries with shocking results: during only a two-week period in January 2022, more than 200,000 exposed assets were uncovered at top firms, 42% of which were identified as high-severity issues.

As CISA outlines in its “Shields Up” guidance, the first step to resiliency is to reduce the likelihood of a damaging cyber intrusion in the first place. Recognizing the problem is only the first in a series of actionable moves organizations can make to minimize their external weaknesses to bad actors.

If addressing digital perimeter exposures is the foundation, zoning-in on problem areas is the framing. A deep dive into these deficiencies points to clear solutions all industries – cybersecurity or otherwise – can embrace to protect themselves.

What do companies need to do?

Many factors, including the transition to remote work environments, increased reliance on third-party vendors, digital transformation and offloading services onto the cloud, have significantly increased companies’ external attack surface.

According to the report, the rise of remote access sites saw 89% of identified assets classified as part of the unofficial perimeter. Similarly, 87% of databases were unaccounted for, along with 67% of development tools and 62% of all network assets.

Databases were found to be among the most vulnerable to cybersecurity threat, with over half (51%) of cybersecurity companies hosting an exposed database. Nearly all (97.14%) of security agencies have exposed assets on their Amazon Web Services (AWS), and 86% of those analyzed have at least one sensitive remote access service exposed to the internet.

A CISO’s playbook for responding to zero-day exploits

SolarWinds, Colonial Pipeline, MSFT Exchange — these names have become synonymous with infamous cybersecurity events. We keep calling every new zero-day exploit a “wake-up call,” but all we have been doing is collectively hitting the snooze button.

But the discovery of the newest widespread critical vulnerability, Log4Shell, ruined the industry’s holiday season. It’s the biggest cybersecurity threat to emerge in years, thanks to the near ubiquity of Java in web applications and the popularity of the Log4j library. Due to its unprecedented scale, compounded by the fact that it is not easy to find, getting rid of this bug from your IT environment isn’t a “one-and-done” activity.

Security teams across the globe are once again racing to remediate a software flaw, even as attackers have begun targeting the low-hanging fruit — public web servers — at a recently reported rate of 100 attempts per minute. A mere seven days after its discovery, more than 1.8 million attacks had been detected against half of all corporate networks.

Are you awake now?

I’ve participated in many urgent Log4Shell briefings with Qualys customers (who include 19,000+ enterprises worldwide, 64% of Forbes Global 100), and it’s clear that dealing with a constant barrage of zero-day vulnerabilities is one of the greatest challenges faced by today’s security teams.

Just like inventorying, gathering and analyzing threat intelligence is crucial to provide the necessary foundation for security teams to take calculated and intentional steps.

It can be overwhelming to prioritize fixes and patches when responding to a zero-day exploit like Log4Shell. Here are a few steps to respond to security threats that we have learned and cataloged over the years:

Establish a standard operating procedure

Create a detailed standard operating procedure that includes step-by-step activities tailored to the vulnerability type.

For a zero-day response, the following information must be included:

  • Process flow for responses. If you need help, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created an excellent guide.
  • Categorize the vulnerability by the type, severity and required response times. There should be a specific category for critical zero-day vulnerabilities.
  • Pre-determined service-level agreements for each response team.
  • Procedure for declaring and communicating an incident (this could be a reference to the incident response standard operating procedure).
  • Steps for tracking, reporting, and concluding the incident and returning to normal operations.

Constant compliance is security theater

As a former CTO, I know that integrations are required to deliver data-driven products online. I’ve designed transactional data systems that integrated with global telecom networks, applicant tracking systems and cloud-based infrastructures. Powerful integrations are not hard to conceive. It’s easy to identify data you would like to share between two different systems.

An integration, however, is beset by the same suite of pitfalls that any product feature or technological innovation may require, with one big wrinkle: At least half of the requirements were never designed with you, your use case or your organizational goals in mind.

The complex relationship of your vendors, technology and your overall business makes integrations a hard problem. It also makes potential solutions very brittle. If the problem you’re trying to solve is a SOC 2 audit or ISO 27001 certification to drive sales, an integration will not make passing your audit quicker. In reality, it will make it harder to achieve.

The problem you’re trying to solve

Before widely published security standards like SOC 2 or ISO 27001, much of security work was siloed into specific business functions like board management, HR or infotech. Each group designed best practices according to the expertise of their leaders. Few buyers ever asked questions.

Having a published standard with a validated testing or audit methodology provides an important new signal in your entire organization’s maturity. Buyers can point at specific credentials and require companies to accomplish an independent assessment to be certified. As the number and variety of vendors have grown, buyers have increasingly identified efficient tools to analyze your security stance.

The best time to implement an integration is when you’re sure it’s useful.

If the problem you’re trying to solve is trust via certification, does a technical integration accelerate compliance?

Integrations inhibit compliance and increase risk

There are zero integration requirements for SOC 2, ISO 27001, HIPAA or even CMMC, and there is no published security standard that requires an integration to achieve compliance. Even common standards such as PCI-DSS, GDPR or CCPA can be achieved without integrations, deployed agents or enterprise technology.

This is because all security standards are designed to not require any specific technology, personnel or processes. The authors of standards such as ISO 27001 recognize that each company is increasingly unique. For example, companies that offer an on-prem or private cloud deployment model are likely not required to comply with the monitoring portion of the SOC 2 Security standard during audit. Services organizations that develop intellectual property, such as software for their customers, are likely not required to comply with the change management portions of ISO 27001 and SOC 2 Security.

Israel’s cybersecurity startups post another record year in 2021

Over the past decade, the Israeli cybersecurity industry has secured its place as a formidable wellspring of technological innovation. No longer famous only for its high level of human technological capital born and bred in elite army intelligence units, the Israeli industry has matured into a veritable ecosystem of its own. With enough capital in this booming ecosystem to grow massive category leaders and cultivate internal M&A, Israeli startups are now major players in the global cybersecurity industry.

In last year’s recap of the Israeli cybersecurity ecosystem, we anticipated that the record-breaking rounds of 2020 and marked-up valuations would continue in 2021, but upon collecting and assessing this past year’s data, we were taken aback by the magnitude. Israeli cybersecurity startups in 2021 raised a stunning $8.84 billion, more than triple the amount in 2020 ($2.75 billion). Investments last year were distributed across 135 rounds, up from 109 in 2020, with 15 startups raising more than one funding round last year.

The cybersecurity market today has limited patience, and a “go big or go home” mindset has permeated as founders focus on laying the groundwork for reaching unicorn status, building multibillion-dollar companies, going public and more. Cybersecurity in Israel has become a polarized market that accepts only two types of startups: potential unicorns and actual unicorns.

With such early and constantly growing investments, the industry has taken on a new approach that favors the survival of the fittest. It quickly becomes clear who will stay the course and catapult to growth and success, and who will look for the nearest exit with no time to linger in limbo.

Off to a running start

In order to achieve this growth, founders are making their goals distinctly clear in investment board rooms. They require more funding for a strong head start and later on for entering the unicorn club at record speed. Fortunately, such sizable amounts of capital are readily available.

Capital allocation for growth rounds in 2021 skewed toward the later stages. Image Credits: YL Ventures

The total amount raised in seed rounds last year increased slightly to $233 million from $203 million in 2020, but Series A rounds surged 140% to a whopping $693 million from $288 million a year earlier. At the other end of the spectrum, growth rounds (Series C and above) rose 300% to an astounding $6.46 billion in 2021 from $1.63 billion in 2020.

“As entrepreneurs, [2021] has drastically changed the industry’s rules,” says Assaf Hefetz, co-founder of Snyk, an Israeli cloud-native application security unicorn. “As threats abound and with skyrocketing demand for innovative solutions, Israeli cybersecurity startups now have an invaluable opportunity to grow big and grow fast. The table stakes are higher [ … ] and in such a competitive arena you have to stand out, or fold.”

The average seed round increased by 35% in 2021, but fewer startups were minted. Image Credits: YL Ventures

The average seed round increased by 35% to $7 million from $5.2 million. As investments rise, so does the bar for entry into the market. Only 58 new startups were founded in 2021 compared with 2020’s 64, a testament to the competitive and highly ambitious landscape.