Breach details need to be transparent and kids need cybersecurity education – ESW #393
This week, in the enterprise security news,
- Semgrep raises a lotta money
- CYE acquires Solvo
- Sophos completes the Secureworks acquisition
- SailPoint prepares for IPO
- Summarizing the 2024 cybersecurity market
- Lawyers that specialize in keeping breach details secret
- Scientists torture AI
- Make sure to offboard your S3 buckets
- extinguish fires with bass
All that and more, on this episode of Enterprise Security Weekly.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
- 1. FUNDING: Semgrep Announces $100M Series D Funding to Advance AI-Powered Code Security
- 2. ACQUISITIONS: CYE Acquires Solvo, Strengthening Cloud Security Capabilities
I've been saying for a while that it would be really RAD if an external attack surface management (EASM) vendor and a CSPM got together and it was possible to map external exposures to internal assets and vice versa.
This isn't exactly that, but it might be the closest thing we've seen. I wasn't familiar with either company before this announcement, but it looks like CYE does "attack route visualization" among other things, like breach cost quantification. I haven't seen anyone go after attack route analysis since Core Security and RedSeal were correlating network infrastructure configs and vuln scan results back in the mid-2000s.
Still interesting, if only because I don't see anyone else going after this combination. The result could potentially save teams a LOT of remediation and analysis time.
- 3. ACQUISITIONS: Sophos completes Secureworks Acquisition
We discussed this back in October when the news broke, so this is just the announcement that the deal closed. Sophos is a UK-based company, which might explain the extra time required.
- 4. DUMPSTER FIRES: Joe Levy on LinkedIn: Apparently Sophos has acquired Secureworks. I have never been a fan of…
We really need to kill and bury traditional outbound sales tactics. This makes me want to automate retaliation against folks that keep doing this. Remember that guy that backed up a dump truck and dumped hundreds of thousands of AOL CDs onto the company's front steps?
That's about where I'm at with this right now.
Hmm... it doesn't seem too difficult to auto-enroll corporate spammers in spam, returning the favor and filling their own inboxes with junk. It is also fairly ethical when compared to some of the other knee-jerk responses my brain comes up with.
- 5. IPOS: Thoma Bravo’s SailPoint eyes up to $11.5 billion valuation in US IPO
"Private equity-backed companies are expected to lead the initial public offering market as sponsors look to unload holdings and return capital to investors.
Austin, Texas-based SailPoint and parent Thoma Bravo are offering 47.5 million and 2.5 million shares, respectively, priced between $19 and $21 each to raise a total of up to $1.05 billion."
I don't have too much to say about this, except that PE firms continue to seem to have success with a very basic model of:
- take private
- improve efficiency (even though this tends to reduce customer happiness and increase churn) or combine with other, similar/complementary companies
- sell for 2-3x or take public again
- 6. REPORTS: The State of the Cybersecurity Market in 2024
Mike Privette's annual market summary report for 2024 is out and is full of interesting insights, check it out!
- 7. ESSAYS: Three Things I Learned from losing to Wiz Twice
Seems like a bit of a myopic view of the reasons for Wiz's success, but that's a product of the lens she viewed the company through and how she competed with them. Still, a lot of interesting insights to mull over, some of which I'm not sure I fully understand (e.g. "Wiz is marketing-led instead of product-led"??)
- 8. ESSAYS: Kept in the Dark
TL;DR:
- the cybersecurity industry needs to learn from failures to improve
- lawyers specialize in making sure that details of failures don't become known
- the industry has limited information to learn from
I've been frustrated by this for a long time. The irony is that we don't really need to know the identity of the breached company to learn from its failures - it can stay anonymous!
Directly related to the following research article: How Privilege Undermines Cybersecurity
The context here for the term "privilege" is attorney-client privilege.
- 9. DUMPSTER FIRES: Scientists Experiment With Subjecting AI to Pain
Sure, why not. What could go wrong?
- 10. LEGISLATION: Senator Hawley Proposes Jail Time for People Who Download DeepSeek
Man, I miss the "Internet is a series of tubes" days. It's hard to tell when legislation is serious, or just trying to make a point, but this feels like it is solidly in "F12 is not a crime" territory.
These attempts to block/ban Chinese tech are such a waste of time.
- The Huawei rip-and-replace efforts never completed, years after they were put in place
- The TikTok ban was delayed
- Bytedance has its SDK baked into thousands of other apps not affected by the ban
- TP-Link is installed in millions of homes and businesses across the US
The bill assumes that it is China that needs the US and not the other way around. The more research and testing I do with models, benchmarks, and AI evaluation tools, the more I notice how many of these frameworks and models are coming from China. It seems likely that severing AI ties would be mutually harmful. I wouldn't be surprised if it hurts us more than it hurts them. An "AI Brexit" if you will.
But then, it's my experience that politicians are more successful when they're seen doing something, regardless of whether that something is the right thing to do. Inaction looks worse than wrong action - it is perceived as weakness. Campaigns, appearances, and egos win out over practicality and efficacy.
- 11. RESEARCH: 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
It's not an easy read at about 8,000 more words than necessary, but I do love this kind of research that doesn't just talk about potential harm from vulnerabilities and exposures but demonstrates it.
How ethical their approach was can be debated, but I strongly feel that anything less wouldn't make anyone budge. That's one of the major reasons folks hire pentesting firms - they can't get any support internally and hire a team to demonstrate that systems really are vulnerable/hackable.
As for this research, the TL;DR is "like subdomain takeovers, but with S3 buckets".
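As an added example (not code from the research write-up or from the show), here is the defensive side of the "offboard your S3 buckets" point in Python: it pulls every S3 bucket name referenced by deployed code or configuration and compares it against the buckets the organization still owns, so a reference to a bucket that was deleted (and whose globally unique name anyone could now re-create) is caught before the reference is left behind. The bucket names, the sample files, the `OWNED` inventory and the `fake_probe` registry are all constructed for the example.

```python
import re
from typing import Callable, Iterable, Optional

# An S3 bucket name: 3-63 characters of lowercase letters, digits, dots and hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"

# The three reference forms this checker understands
# (dual-stack and access-point endpoints are deliberately not handled).
_PATTERNS = [
    re.compile(r"s3://" + _NAME),                                                # s3://bucket/key
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),  # virtual-hosted style
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME),     # path style
]


def extract_bucket_refs(text: str) -> set[str]:
    """Return every bucket name referenced by URL or s3:// URI in `text`."""
    lowered = text.lower()  # hostnames are case-insensitive; URLs in the wild may be mixed case
    found: set[str] = set()
    for pattern in _PATTERNS:
        found.update(pattern.findall(lowered))
    return found


def classify_refs(text: str, owned: Iterable[str],
                  exists: Optional[Callable[[str], bool]] = None) -> dict[str, set[str]]:
    """Group the bucket references in `text` by risk.

    owned        -> still in our inventory: fine
    unregistered -> not ours and the name is free: anyone can create it (highest risk)
    third_party  -> not ours but the name is taken: someone else serves that content now
    unknown      -> not ours; no existence probe was supplied
    """
    owned_set = set(owned)
    report: dict[str, set[str]] = {"owned": set(), "unregistered": set(),
                                   "third_party": set(), "unknown": set()}
    for name in extract_bucket_refs(text):
        if name in owned_set:
            report["owned"].add(name)
        elif exists is None:
            report["unknown"].add(name)
        elif exists(name):
            report["third_party"].add(name)
        else:
            report["unregistered"].add(name)
    return report


# Constructed sample: lines from a CI script, an HTML page and a shell config,
# the kind of references a repository scan would turn up.
SAMPLE = """
aws s3 cp build/ s3://acme-ci-artifacts/latest/ --recursive
<script src="https://acme-cdn-2019.s3.amazonaws.com/app.js"></script>
INSTALLER_URL=https://s3.us-east-1.amazonaws.com/acme-legacy-installers/setup.sh
LOG_SINK=https://acme-prod-logs.s3-eu-west-1.amazonaws.com/
"""

# Constructed inventory: what a bucket listing for our own account would return.
OWNED = {"acme-ci-artifacts", "acme-prod-logs", "acme-prod-site"}

# Constructed stand-in for a real existence probe (see the usage note below).
_FAKE_REGISTRY = {"acme-ci-artifacts", "acme-prod-logs", "acme-legacy-installers"}


def fake_probe(name: str) -> bool:
    """Pretend global registry: True if some account (ours or not) holds this name."""
    return name in _FAKE_REGISTRY


if __name__ == "__main__":
    for category, names in classify_refs(SAMPLE, OWNED, fake_probe).items():
        print(f"{category:13s} {sorted(names)}")
```

In a real run, `exists` would wrap boto3's `head_bucket`: a 404 means the name is unregistered, a 403 means it exists under another account. Anything in `unregistered` should be re-created in your own account, or the reference removed, before decommissioning is called done; `third_party` entries deserve a look too, because whatever they serve is no longer under your control.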
- 12. SQUIRREL: researchers at George Mason University use BASS to put out fires
In 2015, researchers at George Mason University developed a technology that uses low-frequency sound waves to extinguish fires. The device emits sound waves in the 30 to 60 hertz range, disrupting the combustion process by separating oxygen from fuel, thus putting out the fire. This method is chemical-free and eco-friendly, with less risk of property damage compared to traditional fire suppression methods.
Imagine how impactful this could be during emergencies, like the recent devastating fires in LA.