Briefly Briefed: Newsletter #3 (21/09/23)
Greetings and salutations,
I must apologise for a slightly abridged version of Briefly Briefed: today, I underwent (minor) heart surgery on Monday (it went well, thankfully) and I’ve been convalescing at home since yesterday. I’ve been trying to avoid the Cyber world and reading as much as usual, but one can only ‘Netflix and chill’ so much.
This week’s findings are quite ‘businessy’, due to a slight uptick in acquisitiveness in the sector. My favourite posts this week were:
Ross Haleliuk’s take on what he calls ‘enmeshment’ and the benefits of hybrid service-SaaS business models.
A call for responses by the CyberUp campaign in the UK. The campaign seeks to reform the Computer Misuse Act of 1990. Please do consider responding!
Be well, Cyber Spartan.
Lawrence
Funny Cyber Quote || Meme of the Week:
An interesting post on "Enmeshment in cybersecurity: blurring boundaries between products and services" by Ross Haleliuk
The article presents an analysis of the dynamics affecting cybersecurity companies, specifically contrasting product-based and service-based models. It highlights key challenges service companies face: limited scalability due to talent scarcity, lower margins, and consequently, a reduced attractiveness to venture capital. These issues have led to a lesser valuation in mergers and acquisitions. A hybrid approach—adding a product or SaaS component—appears to be a potent solution to improve these metrics. Moreover, the post calls attention to evolving customer expectations, particularly a demand for more visibility and a shift towards 'outcomes' rather than just products or services. In my view, the article accurately identifies the financial and operational hurdles unique to service-based models, and suggests that the future lies in a blend of both models to meet customer expectations and improve economic viability. With my 'creator's' hat on, I'd suggest the next evolution of this will be a convergence on tighter CSP integration (especially with cloud-native SIEM/XDR) or native solutions. We've already seen the success of this with MDR and MSSPs (MS Sentinel and GCP Chronicle especially) and other sub-sector point solutions. It'll be interesting to see the likes of Palo Alto, Crowdstrike et al. gobble up point solutions in an effort to unify and operationalise their stacks to compete with the might of the CSPs for Cyber dominance.
Palo Alto to acquire Talon Cyber Security for $600mil
With the recent acquisition of Bionic by Crowdstrike, it’s good to see a slight uptick in more significant-size acquisitive activity.
An interesting article in the South China Morning Post, finally acknowledging that the US NSA ‘hacked Huawei HQ’ (per Snowden’s leaked documents) by William Zheng
The Chinese State Security Ministry report acknowledges cyberattacks detailed in internal papers revealed by the former contractor. The report accuses the NSA of ‘repeated, systematic attacks’ on the telecoms giant and other targets in China and other countries. Old news you may say, but it demonstrates the uptick in China’s interest in global propaganda.
The CyberUp campaign launches a survey for community and industry feedback
A great opportunity to provide input into an important campaign to reform the UK Computer Misuse Act of 1990. Please consider completing the survey.
A really interesting post from the Atlantic Council: ‘How China Weaponises Software Vulnerabilities’ By Dakota Cary and Kristin Del Rosso
In the post, they scrutinise China's RMSV regulation, which compels immediate reporting of software vulnerabilities to the MIIT. The regulation diverges from the US’ voluntary approach, establishing a centralised database accessible to agencies with offensive cyber capabilities. The report unveils four key findings:
1) Mandatory data sharing with agencies like CNCERT/CC raises ethical concerns.
2) Existing voluntary databases have been undercut, reducing vulnerability disclosures.
3) MIIT is also funding vulnerability discovery through grants.
4) A separate database obliges private-sector companies to provide vulnerabilities for potential offensive use.
In essence, China's centralised system not only aims to fortify cybersecurity but also to aid in cyber-offensive operations, contrasting sharply with the US's decentralised framework.
Although mainly non-state actors are utilising these techniques, the concern is growing due to their increasing sophistication. Deepfakes pose risks to organisational reputation, can mimic key personnel, and may compromise sensitive data. The report advises implementing real-time verification and passive detection techniques as defensive measures. It also underscores the need for organisations to proactively prepare against phishing attacks using deepfakes. Collaboration with initiatives like the Coalition for Content Provenance and Authenticity is encouraged.
Microsoft released a handy video for Sentinel users, showing what’s new in the last six months by Jeremy Tan and Naomi Christis
If you’re a Sentinel user, engineer or ‘house’, I’d encourage you to have a watch to ensure you’ve not missed anything useful. There are some good tips and discussion at the end with attendees also.
A threat intelligence orientated database for AI
The AI Incident Database is dedicated to indexing the collective history of harms or near harms realised in the real world by the deployment of artificial intelligence systems. Like similar databases in aviation and computer security, the AI Incident Database aims to learn from experience so we can prevent or mitigate bad outcomes.