Events , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development
ISMG Editors: RSA Conference 2024 Preview
Also: Insights From Verizon's Data Breach Investigations Report; Investment Trends Anna Delaney (annamadeline) • May 3, 2024In the latest weekly update, Information Security Media Group editors discussed what the thousands of attendees at RSA Conference 2024 can expect this year, key insights from Verizon's Data Breach Investigations Report, and how significant funding rounds are shaping the cybersecurity industry.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Michael Novinson, managing editor, ISMG business - discussed:
- Highlights from ISMG's Fraud, Security & Risk Management Summit in New York and what to expect from our coverage next week at RSA Conference 2024;
- Key takeaways from Verizon's 2024 Data Breach Investigations Report, which highlights a surge in data breaches driven by attackers exploiting vulnerabilities - particularly zero-day and known flaws - and by stolen credentials, ransomware and human errors;
- The recent wave of $100M+ funding rounds for vendors such as ThreatLocker, Island and Corelight and the factors driving these investments, including the need for advanced cybersecurity solutions, global expansion and technological innovation.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the April 12 edition on unpacking the Change Healthcare attack saga and the April 19 edition on the global fallout from leaked LockBit ransomware.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this week we'll be looking at what to expect at the RSA Conference 2024, key insights from Verizon Data Breach Investigations Report and how significant funding rounds are shaping the cybersecurity industry. And it's a great pleasure to be joined by Tom Field, senior vice president of editorial; Mathew Schwartz; executive editor of DataBreachToday and Europe. And Michael Novinson, managing editor for ISMG Business. Very good to see you all. Tom, you've been flying from summit to summit - the ISMG AI Summit a few weeks ago in Seattle, ISMG Fraud, Security and Risk Management Summit in New York last week. And we'll all be at RSA Conference next week. So it's rock'n'roll time and cybersecurity. Maybe share some highlights from New York and then we'll get to RSA.
Tom Field: I consider this the ISMG World Tour that has just started. Yes, you and I did a show in New York City last week. And it was financial services. It was fraud, cybersecurity AI. Some highlights for me. Were sitting down with Chris Wysopal of Veracode to talk about AI and application security. And everybody talks about the benefits of AI in writing code. Chris was there to talk about that. But also the challenges - the security challenges - that come from writing code with generative AI. Unique conversation. Glad to have that; we're going to pick that up at RSA Conference next week. I enjoyed a panel discussion on payments fraud, or believe it or not, the dominant form of fraud that came up in our conversation is, yes as the 21st century, but it is check fraud. Still, number one in many financial institutions fraud lists. I enjoyed a panel about the new SEC Rule and how organizations can be preparing not just for any incident announcements they need to make but also how the SEC goes about forming a case and what you can do to potentially keep yourself out of the spotlight there. We've benefited from having former official from the SEC on the panel, joined by some folks from financial institutions as well as attorneys, giving some very relevant advice and taking some questions. But I got to say also one of the highlights was watching you oversee the big deepfake tabletop exercise that we held where we had FBI and Secret Service and various CISOs involved. I saw that happen the week before we participated in Seattle, Michael and I were there, and just love this exercise, which basically comes down to a CFO receiving a deepfake video from the CEO, asking for the big wire transfer over the weekend that was necessary for an acquisition going through the transfer of finding out it was fraudulent, and what do you do? I had people leaving, taking the exercise with them, so they could bring it back to work and presented to their own executives. What did you see, Anna?
Delaney: I just loved the interaction and the fact that people got an opportunity to speak directly with law enforcement. And I think this always comes up that why haven't we established ties with law enforcement before the incident, and there's a bit of apprehension to engage. And I think they took that as a lesson from the event. We need to be working on these bonds. And cementing these relationships before anything like this happens. But what a great scenario, and the fact that it's already happened is proof that people need to update their incident response plans and their tabletop exercises.
Field: And not leave all the power in the hands of one person to make a transfer such as that.
Delaney: Exactly! Two sets of eyes, at least is better than one. So tell us about RSA. Set the scene. How would you describe the overall vibe of the event for the uninitiated? And how does it foster a sense of community with the industry?
Field: The Mardi Gras of cybersecurity! I think that sums it up. But look, we're going to have what 40,000-50,000 people converging in San Francisco for the week. The who's who of cybersecurity talking not just about cybersecurity, but about privacy, about compliance, risk, other key issues. From ISMG's perspective, once again, we're going to be the premier media sponsor of the event. We will be hosting not one but two video studios, through which we'll do probably 150 to 200 interviews among the four of us and some friends. And who are we talking to? We're talking to government officials, we're talking to CISOs, CIOs, OT specialists, researchers, venture capitalists. It is the who's who of the global cybersecurity, technology, privacy communities. I will say if you can't be at RSA, let us be there for you. I think we're going to be able to give people a great sense of what's being talked about who's talking about it, and trends you need to be paying the most attention to as we complete 2024.
Delaney: Very good. It certainly sets us up for the year in terms of content and what we should be watching. We all can't wait to be there. I'm looking forward to our breakfasts.
Field: My friends, get your rest because it ain't happening next week.
Delaney: Bring it on. Mat, the 2024 Data Breach Investigations Report from Verizon was published this week, which is regarded generally as a comprehensive source of information on cybersecurity trends. What was of most interest to you, Mat, any surprises were any eyebrows raised.
Mathew Schwartz: Eyebrows are always raised when it comes to data breaches, Anna. But in terms of specific surprises, I would say this wasn't necessarily a surprise. But the impact of the Clop campaign, they targeted users of secure file sharing software, made by Progress Software, MOVEit software, was interesting. There's a little bit of a trailing impact here in terms of ... we saw these attacks hit last year, last May, the end of May and 2023. And it looked bad. And the news has just kept getting worse in terms of the number of organizations that were directly or indirectly affected. I think we're up to nearly 100 million individuals had their personal details exposed and this attack. So I mentioned that in part because major attack, it's definitely reflected in this year's report. Will that mean we will see it next year? Who knows? But this report is a great time to pause, not for too long, and take stock of the tactics most recently being used by attackers. And over than more than a decade that Verizon has been putting out this report. It's always very, very useful to see what the tactics are that attackers are using. Perhaps because we all here collectively cover this news. We might be close to what's going on, closer in some cases than maybe senior executives, or CISOs who are having to make a bigger picture case about where their defense needs to go. So, with all that in mind, we continue to see a massive number of stolen credentials used in breaches. Over the last decade, stolen credentials have factored in a third of all known breaches. With the most recent report, they accounted for about three quarters of all attacks against web applications. That was a little bit of a surprise to me, just how bad that is. So web applications, and by that we also mean cloud connected email or platforms, in three quarters of all successful hacker attacks against those platforms, it was because the attackers were able to either steal, or otherwise get their way past credentials, that were meant to be guarding these sorts of applications. It's an obvious cry for more organizations to be using multifactor authentication. We've been hearing that for a long time. But the rollout needs to get much better than it has been. Other things highlighted in the report, about 1/3 of all breaches that were seen by the various organizations that contributed data to this. And there are a ton of organizations sharing information based also on actual real life incidents, which may not have publicly come to light, very useful. But a third of all of the incidents that were confirmed to have resulted in data breaches did involve ransomware, perhaps no surprise, there's been a slight increase also in not the use of crypto locking malware and these attacks, but just pure play extortion, as a lot of experts have been predicting for some time. Two other interesting takeaways, human error continues to be a factor, which demands that organizations are putting controls in place, just like we were talking about a second ago, with these attacks that trick people into transferring money to others, there should be checks in place - don't even necessarily need to be technical - but business process controls that prevent that from happening. Finally, third parties, they are a massive data breach challenge. And what the report did this year for the first time was they started to count third parties that make software for example, such as the MOVEit File Transfer Utility, count them, where they're looking at the impact of supply chains. And so I spoke to Verizon. And I know, you did, Anna. And they highlighted to me that they did this, because they want organizations to be able to look at their supply chain, and judge their suppliers better on their secure-by-design ethos, they want to know, or they want organizations to spend their money on organizations that are vendors, suppliers, that are putting the resources they should be putting into designing more secure software. Hence, we have this look at supply chains, of which during the timeframe of the report, 15% of breaches somehow involved the supply chain. So that's huge. Third parties, inadvertently causing your data to spill. So it's a rising challenge, as we all know, but it's going to only probably get worse.
Delaney: That was a brilliant overview, Mat. And then, of course, there's this huge disparity between the speed of exploitation and patching, which was quite shocking from the report. And when I spoke to one of the authors, the report's author, one of the authors of the report, Alex Pinto, I guess his main message to organizations was to consider implementing more effective patch prioritization. And as you say, like focus on the vendor management programs, especially for critical vulnerabilities and external facing systems. So brilliant report. I know you've followed it for a few years. Do you see any of these trends evolve or persisted over time?
Schwartz: Well, there's been some good news, which was pretexting, for example. So pretexting instead of just getting a generic spam or phishing email that says, dear customer, pretexting will often involve you in an email chain that you are already part of, but the attacker has wormed their way in or somehow gets some personalized information in there. And there has been a rise in that which might not seem like a good thing, but it is because it seems like phishing attacks aren't working so well. So we are seeing some cautious optimism with all of these things. You also raised patch speed, which I think was yes, one of the great takeaways from this report. Five days is all it takes before attackers start to probe for critical the most critical vulnerabilities. Your average patch cycle is 30 to 60 days in the enterprise, maybe 15 for emergencies, but 15 is already 10 days more than attackers are probing. Hence, this, I think, should be a real rallying cry, how are we going to lock things down when attackers come along to hit these flaws, especially in edge devices. And the report says, for next year's report, we very much expect to be talking about edge devices. Because in the beginning of this year, we've seen so many attacks, zero day or otherwise, against VPNs, firewalls, remote connectivity tools. So the writing's on the wall there. The takeaway is, as you say, we need to get a lot quicker with responding to this.
Delaney: Brilliant, Mat. Thank you. Well, Michael, the cybersecurity industry seems to be taking a positive turn with several huge funding rounds taking place recently. So what are these developments indicate? And what's driving this wave of investment?
Michael Novinson: It's a good question, and I appreciate it. So I think at a high level, this is significant. And I'm happy to get into each of the individual companies briefly. But I want to talk more broadly, why this matters, which is that these are 100 million dollar investment rounds. We've seen three of them in the past week. And this is the area that was by far and away the most impacted by the economic downturn that in late 2022 and 2023, we saw 100 million dollar funding rounds were few and far between because this is just ... almost a tortured place to be that these companies at this point are too big to be scooped up by Palo Alto Network or CrowdStrike, or another technology company. And they're often too small to be appealing to a private equity firm and nowadays much too small to go public. So this is not a space a lot of investors who have wanted to get into. And so when we saw companies at this level of maturity, who needed money, they had to come up with different machinations, we saw these debt rounds, where companies were essentially just taking an IOU, so they wouldn't have to get a new valuation, and they pay them back later, when they exit hoping the economy was better. We've seen a lot of extension rounds, we've seen company who hasn't keeps extending their funding round dating back to 2021. Because they don't want to go out for a new valuation, because it's hard to match the 2021 valuation. But what's interesting here is that all three of these are new funding rounds, they're all Series D or Series E rounds, which again late stage ... and a lot of them we're focused on building out a global sales force which means that you're not looking to get acquired by another cybersecurity company or technology company that don't need your global sales force. These are companies that are looking to do it independently. And you have investors on the other hand who feel ... look at these companies and think that yes, I can make money on this that , this company is going to go public three or five years from now or they're going get bought by a private equity firm. And my exit will be worth more than my entrance. So all positive signs to the industry to briefly touch on each of them. So we have ThreatLocker, which is focused on zero trust security, specifically taking that allow listing and deny listing technology and applying it not only to applications but to devices. They got 115 million, are they're focused on that SMB market and the mid-market too, but less on the enterprise, but trying to extend some of these enterprise-grade capabilities to the masses. And yeah, building out the odd global expansion during trade shows; they did 420 last year, they're looking to do 840 this year, so must have a lot of frequent flyer miles, but wanting to educate businesses that maybe aren't the most savvy on the benefits of allow listing and deny listing, and rather than allowing people by default, so that's one. The second one is Island, which ... this one's interesting. They're in the enterprise browser space, the category leader. And what's notable here is that they doubled their valuation since October. So back in October, investors said they're worth a billion and a half. Today, investors are saying they're worth 3 billion, which is pretty remarkable, because it hasn't ... six months isn't that long for a period of time. So I asked my favorite CEO, like what changed? It's been six months. So he said, part of its the economy, but investors are optimistic in the economy. And part of it is the validation of the market that they're able to show some of the new customers they have that they have fortune 100 companies across a whole variety of verticals. And I think in that space, the enterprise browser space, there's a question of like, is this a fad? Or is this something that there's going to be mass adoption of and I think, based on the use cases, and the fact that you now have broader companies, companies like Palo Alto Networks or CyberArk, you've either built or bought their own enterprise browsers, suggests that there is going to be widespread adoption of this. So that was pretty remarkable. And then Corelight, which is in the network detection and response market, got 150 million that a $900 million valuation, so almost a unicorn, and they are looking to do more with partnerships. They work closely with CrowdStrike and Mandiant, and so they're looking to deepen their partnerships time and on EDR together, and they are looking to add some additional capabilities. So yeah, certainly signs for optimism, certainly gives all these companies something to talk about at RSA next week. So I don't think ... and to that extent, the timing of these announcements is a coincidence, but certainly a reason for optimism in the industry.
Delaney: Very good. Just a brief question, have there been any shifts in the types of investors entering the cybersecurity market? Is it the traditional tech investors expanding into cybersecurity? Or are we seeing more specialized investors?
Novinson: Yeah, it is a good questions, which is why I'm taking out my sheets, but it's all familiar names, which says something about the market; Accel invested for the third time in Corelight, we had Coatue and Sequoia Capital going into Island Sequoia is been around for a very long time. General Atlantic, which is a European base, you don't necessarily see them as much in North American companies, but ThreatLocker thought it'd be helpful as they try to do more in Europe. So these are familiar names. It's not 2021 where we're just getting general investors to see cybersecurity is easy. It's with deep roots and cyber. So I would like to think it's not stupid money.
Delaney: Okay. Great, great analysis there. Thank you so much, Michael. Okay and finally, and just for fun, in preparation for RSA Conference 2024, what's one essential item you always bring to the cybersecurity conference? And why? Tom, go for it.
Field: Well, the easiest is going to be comfy shoes. Yeah, we've learned that, everybody learns that after their first year there. But for me, it comes down to good notes. You need to go into RSA conference with a plan. Otherwise, it's so overwhelming, particularly when we're sitting down with 150 to 200 different individuals over the course of four days, you need to have some kind of plan. What you're going to talk about, who you're talking to, what you're going to ask so to me that's the biggest thing, Come armed with notes and I try to supply you guys with as many notes as I can.
Delaney: I have to agree with you there, Tom. Mat?
Schwartz: Any cybersecurity conference, I go to, any conference, but especially cybersecurity, I always make sure I've got a VPN running on every last device that I carry. That's just good practice. And I also happen to have been to probably more than one session where the focus of the session was, here's what I sniffed at the conference this week from the WiFi traffic from people who weren't using a VPN.
Delaney: Yes, you don't want to be the one.
Field: I got outed by Phil Wylie some years ago.
Delaney: Michael?
Novinson: So I'm going to be lame because I think Mat and Tom made it cyber specific ones and just say water, and granola or snacks that you can eat that especially when you're in the Moscone and you have a meeting during lunch hour, so you miss when they're serving food that ... you often find yourself surprisingly far from a water source. So, for all of us in the studios, where we're running our mouths for nine hours a day, I do find that sometimes it's like, oh, man, I need some water in order for folks to be able to understand me so boring, but important.
Delaney: It's very important. Homeostasis, all good stuff. I'm going to be even more boring and say, a phone charger or an iPad charger, because great notes, Tom but if they go down, we're a bit lost. So, yes, I think I'm going to have to do that. And the comfortable, comfortable shoes. Of course, I'm not running anywhere in my heels. So anyway, as a team, we'd be okay. I think camping out in the wild.
Field: Let's make sure we take our own advice.
Delaney: Yes, exactly. Well, thank you so much for all your insight. See you all next week. How often do we get to say that?
Schwartz: Yes. See you soon.
Delaney: Safe flights. And thanks so much for watching. Until next time, where we will be live at RSA conference.