IAC plans to spin off Vimeo as an independent company

IAC announced today that it plans to turn Vimeo into an independent, publicly traded company.

Last month, IAC CEO Joey Levin wrote a letter to shareholders in which he said the holding company had “begun contemplating spinning Vimeo off to our shareholders.” It sounds like the company has moved beyond the contemplation phase, with plans that will be submitted for stockholder approval in the first quarter of 2021 and the actual spin-off happening in Q2.

“The combination of Vimeo’s remarkable growth, solid leadership position and enormous market opportunity have made clear its future,” Levin said in a statement today. “It’s time for Vimeo to spread its wings and become a great independent public company.”

While Vimeo once competed with YouTube as a consumer video destination, its strategy has shifted in recent years to providing video tools for businesses. In November, the company said it had 1.5 million paying subscribers and 3,500 enterprise clients — and that it had positive EBITDA in its most recent quarter, plus year-over-year revenue growth of 44%.

The announcement notes that this is the eleventh company that IAC has spun off, a process in which it distributes its ownership stake to IAC shareholders. (Match Group completed its separation from IAC over the summer.)

“Today we have a rare opportunity to help every team and organization in the world integrate video throughout their operations, across all the ways they communicate and collaborate,” said Vimeo CEO Anjali Sud in a statement. “Our all-in-one solution radically lowers the barriers of time, cost and complexity that previously made professional-quality video unattainable. We’re ready for this next chapter and focused on making video far easier and more effective than ever before.”

With a $50B run rate in reach, can anyone stop AWS?

AWS, Amazon’s flourishing cloud arm, has been growing at a rapid clip for more than a decade. An early public cloud infrastructure vendor, it has taken advantage of first-to-market status to become the most successful player in the space. In fact, one could argue that many of today’s startups wouldn’t have gotten off the ground without the formation of cloud companies like AWS giving them easy access to infrastructure without having to build it themselves.

In Amazon’s most-recent earnings report, AWS generated revenues of $11.6 billion, good for a run rate of more than $46 billion. That makes the next AWS milestone a run rate of $50 billion, something that could be in reach in less than two quarters if it continues its pace of revenue growth.

The good news for competing companies is that in spite of the market size and relative maturity, there is still plenty of room to grow.

The cloud division’s growth is slowing in percentage terms as it comes firmly up against the law of large numbers: AWS has to grow every quarter against an ever-larger revenue base. The result of this dynamic is that while AWS’ year-over-year growth rate is slowing over time — from 35% in Q3 2019 to 29% in Q3 2020 — the pace at which it is adding $10 billion chunks of annual revenue run rate is accelerating.

At the AWS re:Invent customer conference this year, AWS CEO Andy Jassy talked about the pace of change over the years, saying that it took the following number of months to grow its run rate by $10 billion increments:

  • 123 months ($0 to $10 billion)
  • 23 months ($10 billion to $20 billion)
  • 13 months ($20 billion to $30 billion)
  • 12 months ($30 billion to $40 billion)

Image Credits: TechCrunch (data from AWS)

Extrapolating from the above trend, it should take AWS fewer than 12 months to scale from a run rate of $40 billion to $50 billion. Stating the obvious, Jassy said “the rate of growth in AWS continues to accelerate.” He also took the time to point out that AWS is now the fifth-largest enterprise IT company in the world, ahead of enterprise stalwarts like SAP and Oracle.

What’s amazing is that AWS achieved its scale so fast, not even existing until 2006. That growth rate makes us ask a question: Can anyone hope to stop AWS’ momentum?

The short answer is that it doesn’t appear likely.

Cloud market landscape

A good place to start is surveying the cloud infrastructure competitive landscape to see if there are any cloud companies that could catch the market leader. According to Synergy Research, AWS remains firmly in front, and it doesn’t look like any competitor could catch AWS anytime soon unless some market dynamic caused a drastic change.

Synergy Research cloud market share leaders. Amazon is first, Microsoft is second and Google is third.

Image Credits: Synergy Research

With around a third of the market, AWS is the clear front-runner. Its closest and fiercest rival, Microsoft, has around 20%. To put that into perspective a bit, last quarter AWS had $11.6 billion in revenue compared to Microsoft’s $5.2 billion Azure result. While Microsoft’s equivalent cloud number is growing faster, at 47%, that growth rate, like AWS’, has begun to drop steadily as Microsoft gains market share and revenue and falls victim to the same law of large numbers.

Ransomware Fallout: Talking Cyber Liabilities and Insurance

In this special holiday episode, sponsored by SentinelOne, Recorded Future and Travelers Insurance, Aaron Bregg and Jim Kuiphof discuss cyber insurance and liabilities with Tim Francis, with respect to the increasing threat of ransomware attacks.

These are just some of the questions and topics that are covered:

  • What is cyber liabilities insurance and why do some think they don’t need it?
  • While ransomware attacks are increasing in the public eye, some websites are reporting that ransomware attacks aren’t being reported and that is a problem.
  • What trends are being seen in the insurance industry right now?
  • Are attacks truly going up, or is it just that there is more ‘visibility’ into this area of cybersecurity?
  • Why are some incidents just not being talked about?


Ransomware Fallout: Talking Cyber Liabilities and Insurance was automatically transcribed by Sonix. This transcript may contain errors.

Welcome to a very special event, a holiday fundraising episode of hashtag we’ll talk, with your host Aaron Bregg. Today I’m joined by a special co-host, one of my directors, Mr. Jim Kuiphof. I want to do some special shout outs to Brian the Schneeberger. Don’t call me Steeves, or you may call me Steeves, Snavely from SentinelOne, who is one of our gracious sponsors today. And where are we at? There’s Chris. I was going to say Chris and the Recorded Future gang are also an awesome sponsor today. I very much appreciate their help. We’ll talk about that. We’ll give them a few minutes at the end to talk about this, but we have a lot to cover. So I want to jump right in. Today’s topic is cyber insurance, cyber liabilities and kind of like what you can do before, during and after a ransomware attack. My special guest today is Tim Francis from Travelers. Tim, I’m going to be quiet for a few minutes. Can you talk about who you are and how you got into information security?

Sure. Tim Francis, I’m the enterprise cyber leader for Travelers, so that means I’m responsible for the products that we provide to our customers in the cyber arena. And I’ve been in that role for about 10 years now, and with Travelers I just celebrated my 15th anniversary. So happy to be here, happy to talk to your listeners, and always interested in talking about cyber and cyber insurance.

Excellent. All right, I actually did my homework before this event, and I’m actually going to do a little bit of a prelude because it kind of sets up some of the questions. So, those of you who may or may not know, on October 28th, CISA, the Cyber Information Security... or CISA, the Cybersecurity and Infrastructure Security Agency, say that five times real fast, the FBI and the Department of Health and Human Services released a joint advisory on an imminent threat and attacks on health care systems in the United States. Around that same time, we had their release of their Q3 2020 Ransomware Marketplace Report, and in their report, it showed the top two industries targeted by ransomware in the third quarter were health care, number one, and automotive, two. I know Brian could talk forever about the automotive attacks. One of the things that was interesting to me is in the report, it also showed by a large margin that small businesses are being attacked, or, not attacked, targeted by these ransomware actors, to the tune that under 10 employees was eight percent, 11 to 100 employees was thirty-one percent, and companies that had one hundred and one to a thousand employees, forty-one percent were targeted. So in this episode, we’re going to kind of talk about these things, and let’s tee it up and get right in. So, Tim, our first question: what is cyber liability insurance and why do some people think that they don’t need it?

Well, I think people... let’s take the second part of that. I think to the extent that people think they don’t need it, it’s because they’re not really aware of the full breadth of what cyber insurance does. Or maybe even worse, they’re not fully aware of the vulnerabilities that they might have and the consequences of having a cyber event. Back to the coverage: if people think about cyber insurance at all. And that’s a big hit, even getting people to know that such a product exists, and it’s relatively new, cyber insurance, compared to other types of insurance that you might be more familiar with. But it’s been available for years. I think the problem becomes, as people think about it, they think about that’s insurance that has something to do with helping protect or helping when personally identifiable information is compromised.

And think about the data breaches that used to make the headlines more frequently than maybe they do. And so companies that are either smaller or in industries like auto and manufacturing might think, jeez, I don’t have health care records, I don’t have financial records, I don’t maybe even take credit cards, maybe I don’t need cyber insurance. They’re missing now. And we’re going to talk a lot about ransomware. You know, the ransomware events that we see sometimes don’t involve a compromise of data, and certainly the motivation by the threat actors isn’t to get at data. They just want to corrupt your system, essentially hold it hostage and extort money out of it to get it back. Right. So that means that a whole new universe of potential victims is opened up. So you don’t have to be in health care necessarily. You don’t have to be in finance. You don’t have to be in retail to suffer a cyber event, and cyber insurance can not only kind of pay for the costs associated with the ransomware attack. Maybe even more importantly, we have access to professionals, a whole network of companies that will come in, whether it’s helping pay the ransom, which nobody likes to do but sometimes is necessary, or, more importantly, doing forensics and backup. And to the extent that you need, you know, reputational damage and marketing, all of that combined is part of a cyber insurance solution.

So that ties in nicely into the next question: why are ransomware attacks increasing in the public eye? Because when I met with some people from SentinelOne and we did a podcast about a month ago, the speaker that we had, he was like, yeah, this is way more prevalent than the media is letting on. Why is it so in the news now, and why are so many different businesses reporting? Is it because they don’t have to? What do you kind of see along those lines?

Yeah, so if we think about what I’ll call the traditional data breach, which is a compromise of personally identifiable information, so Social Security numbers and health care records, the kind of things that people can associate with their own identity, most states have rules around the protection of that data. And when that data is compromised, most of the time there’s an obligation to report. There are some exceptions to that rule, but most of the time that has to be reported. Ransomware, on the other hand, doesn’t always involve those pieces of data, and there isn’t a requirement that it be reported. So oftentimes it is, but a lot of times it doesn’t make national news unless the victim is a, you know, name brand, or doesn’t even make local news unless it’s an organization that’s key to the community. And sometimes it is. It’s a school or, other, maybe even a town. But if it’s, you know, what I call a regular manufacturing type of risk, type of account, that doesn’t always make the headlines, even if the event itself is detrimental to that organization.

And it to some extent. Right. These are events that people would prefer obviously don’t happen to them. And so if they don’t have to report it publicly, they tend not to. But living in my world, or dealing with what we deal with, these are everyday occurrences that are happening more and more frequently, and happening to virtually every industry and every size organization in any industry.

You can name. I’m going to pull in Jim for help on this one. Jim, he talks about, like, branding and how some companies, you know, just don’t want it to be public. Are you seeing, with some of the questions that we talked about, are you seeing peers, you know, secretly asking, like, for advice or input from other things? Because, as we’ve had on a previous podcast, our own health care system had a near miss. So are you seeing kind of leeriness when it comes to stuff like this?

Well, from a health care perspective, you have the regulatory environment that you have to be conscientious of, and there’s reporting laws and rules around that. And so the deliberation internally when to declare the legal term breach has significant consequence. So that’s where a company like Spectrum Health or any really any company that has cyber insurance needs to be in communication with their legal department, needs to pull on their liability insurance provider because declaring that formally has significant financial impact to an organization.

Do you sorry I didn’t answer your question.

No, no, no, no, no, no. That’s not what that means. What that means is, a lot of companies are tight-lipped about when it happens. There’s that internal deliberation to determine: were we actually compromised to the extent of declaring something a breach? Did we lose control of EPP or PII or PCI data, sensitive data that’s in some way regulated? And if that’s the case, then you have to be very conscientious about the way you go about collecting evidence, proving that evidence was or wasn’t compromised, and then ultimately reporting if it was.

So, Tim, how much do you think the recent decision by the government to start regulating some of these ransomware payouts... do you think it’s going to kind of shine a light on more of these incidents? Because people are going to have to be more transparent for fear of, like, you know, a penalty from the US government.

Yeah, we don’t necessarily look at that as necessarily new. There have always been protocols around whether or not ransom could be paid, but that tends to be fairly limited.

And there’s what we would call the Office of Foreign Assets Control, which is part of the Treasury Department, which simply regulates... there are, you know, bad actors. And the easiest ones to think about are terrorists. Right. There are individuals that it’s simply illegal for a U.S. company to pay money to, even when it’s a ransom.

So that guideline was to remind individuals of that. And there are protocols in place, and we certainly follow protocols, where if the ransom can be tied back to one of those actors, it would not be paid. But that’s actually pretty hard to do and a very, very limited likelihood. Most of the activity that we see, and that ultimately is affecting our customers and society, doesn’t tie back to one of those actors, or it would be very difficult to tie it back to one of those actors, and so then the decision whether to pay ransom or not, at least for our customers, rests with our customers. And I don’t think any of our customers that has gone through one of these relishes the idea that they’re going to pay a ransom; it doesn’t even matter the amount. It just doesn’t feel right to pay somebody who has, you know, essentially got your system locked up. So what happens is, you know, in our case, we will put them in touch with, you know, forensic investigators that are helping them do essentially a triage in a ransomware: you know, can you bring the system back up online on your own without paying the ransom? Right. That ought to be the first course of action. And sometimes that’s successful. Ransoms aren’t always paid. In fact, they’re usually not paid.

And so if you can bring your system back online, that’s usually in everybody’s best interest. But there are times when that’s hard to do, or there’s a decision that has to be made that’s partly financial. It’s partly, you know, depending on the organization that the company is in, if they’re a health care provider, for example, can you deliver patient services if your systems are corrupted or not? And so, you know, it may take longer to bring the system back online kind of organically than to pay the threat actor. And so, in our case, the insured will make that decision with input from experts as to kind of what’s the best course of action or what’s the viable course of action. But it comes down to kind of a financial equation. It comes down to how long is the organization going to be down? And sometimes these, you know, even when paying the ransom, it may take some time to bring the system back online. So it’s, you know, can you be out for days, weeks? And what’s the economic impact of that? What’s the reputational impact of that? What’s the harm that that might cause customers or employees, and so on? So there’s a lot that goes into, you know, whether the ransom is paid or not.

Brian, you had a good question. Yeah, my question is, Jim, you touched on the idea of the difference between a breach and an incident, as you know, and when certain data is exfiltrated. So in today’s terms, a lot of ransom is targeted not just to encrypt and lock up computers, but first to get some data out. Right, because they understand that people have backups, you know, and now it’s, well, we can release this. And that’s where you see some issues. But there’s been a lot more conversation around the idea that if this threat actor is sanctioned, right, if this group that ransomed the box or the company is sanctioned, you can’t pay that ransom. But to be able to solve that equation, to figure out is this really a sanction, you know, you could take one form of ransomware that’s used by multiple different threat actors. Right. And trying to figure out, is this a sanction that time? And I think it affects both the enterprise, the insurance company, everybody, because the longer it takes to figure that out, where maybe it was X amount of money, but to be down for X amount of time costs, even that X plus delta could be more money. And in the long run, you look at some of these very large Fortune 500s, some that have been in the news this year, the longer they’re down, I mean, that’s especially in the third quarter of this year when everyone was getting back rolling, you saw some of the best numbers out of manufacturing. If you were hit during that period of time, boom. It just trickles all the way back to your supply chain. So my question is more, you know, with the amount of time that it takes to investigate, is that rule, or when you look at that rule, the obligation to do it and to be able to solve it, does it help or actually not help the companies or the insurance companies to have to prove that out?

And how do you make that call, Jim? Where to put him on the spot behind your ear?

I mean, but you had this situation, and you’ve had to make tough decisions based on the information that you have, which may or may not be accurate. What are you thinking in that situation? Pass the buck up the chain of command?

No, we actually did create guidance for our senior leaders. It’s a framework for making the decision around a lot of different threats. Ransomware is one of them, but it asks a series of questions, and attribution is one of those questions. Do we attribute this back to a sanctioned actor? Is it obvious? What’s the timeline around restoration? What’s the likelihood of restoration? All those questions weigh into that decision hopper. And ultimately, it’s not my call. We make recommendations, and then it’s the business leadership that has to make that call. But ultimately, we want it to be an informed decision. And that’s where we would reach out and have conversations with our insurance provider, potentially law enforcement, depending on the circumstances, internal counsel, external counsel; some of our managed security service provider expertise would weigh in on that. And all of it is really around making that informed and wise business decision. It seems odd, but it is a business transaction at that point. And you’re dealing with somebody who treats it as a business transaction. So removing the emotion of the moment from the ultimate decision that sometimes has to be made very quickly. I don’t ever want to be in that situation. I’m thankful that we haven’t done it. But I know that a lot of companies have to face that. And it’s pretty, when you’re talking about paying the ransom, a whole series of other controls have failed. And there’s going to be a lot of questions that have to be answered around how those failed, why they failed, why you can’t back up or restore from backup, and things like that. So all of that has to be set aside for the moment to make that decision around pay or not to pay.

One thing I was going to throw out there, and Tim, you look at the different verticals and you had health care and automotive as the two heavily targeted. If I was a threat actor and really understood what the supply chain is. Right. Not just the supply chain when you look at technologies such as SolarWinds; I’m talking supply chain. Get down to the tier two and tier three, tier ones in automotive that don’t have great security and have never even had the conversation of, well, what do we do when this happens? Right. If you get down and you could just shut down a tier two, don’t even talk about exfiltration of data. You don’t even have to report it as a breach. If you could just go ahead and shut them down, then it’s not about not having enough steel or enough components. It’s that bolt supplier. It’s this supplier. That’s what would make GM, Ford, Toyota and Honda scream. Right.

And you’re seeing that across the board, tens of thousands of dollars a minute for downtime if you shut down one of the OEMs and the refactoring lineup, if you go ahead.

I’m sorry.

How do you have that conversation, right, because you have done this with, you know, with multiple partners, how do you calmly explain to someone in that situation to where you have a couple of choices? You can make that business decision to pay the ransom or not pay the ransomware. But it could have, like you and I talked about in the podcast prep meeting, that might be more costly. So can you talk about that? How do you convince them?

Sure. Sure. And I think I just want to make a comment to what Jim said.

Right. You know, best practice is to have a plan in place before such an event happens. Right. Have an incident response plan. Practice it. Like any plan, the actual facts on the ground in the chaos of this never really play out, or seldom play out, exactly the way you planned. But having had the plan, having put it in place, is far better than having no plan and not having thought about it. Who needs to be informed? Who makes the decisions? Who needs to be at the table to help make those decisions? That mapping out beforehand should be done by everybody, regardless of what industry and regardless how big you are. And it’s, you know, cliche to say it’s not if, but when. But you ought to be thinking about it’s not if, but when. Right. You’re going to have one of these events, and hopefully you won’t. But better to, you know, if we look at, you know, SolarWinds and then the organizations that it can be compromised. Right. If it can happen to organizations like that, it can happen to you, no matter who you are. Right. No one. But to get back to your question. Right. In terms of that, and from an insurance standpoint, it’s interesting, and I didn’t really comment on this before, but just from economics, most cyber insurance policies will fund, you know, the ransom if that becomes, you know, becomes necessary.

But they’re also going to pay for what we would call the Zougam loss. Right. So the amount of downtime and the amount of money that you would have made for this incident is likely to be covered under your cyber insurance policy, whether you pay or not. So to some extent. There’s really not a financial motivation one way or another from an insurance side, right? You could pay the ransom, but you might if you don’t, you might have a greater income loss. So in terms of the decision to the customer, which again, is up to them, it should be an informed decision. And that’s why it’s, you know, having the forensic investigators that we bring to the table. But they work for the customer. They don’t work for us. They work for the customer. So they’re going to make an objective, sober recommendation. They do this every day. Yes, it’s chaotic and stressful and anxiety-ridden for the customer. But these are professionals that do this. And often it’s you hate to say it, but it is a business on the threat actor side. And often it’s the same threat actor or a common group. And the forensic specialist that we bring in actually may have worked on cases with those same threat actors several times over. So they’re actually in a pretty good position to kind of gauge the odds, right? Yeah, these guys are serious.

These guys may be less sophisticated, depending, penetrate these guys. We can negotiate the ransom down to X instead of Y. They do this for a living. And unfortunately, there are enough of these events taking place that they’ve got a lot of practice under their belt. So they’re usually able to really do a pretty good job of knowing, hey, here’s the reality. You can try to back up, and let’s do that. It might take this amount of time, or if you need to be up faster, you might pay. But sometimes paying doesn’t get you up faster. Right. And so you have to do what you have to do. This negotiation, which is, you know, show us that you can actually bring the system back. Right. Because you don’t want to pay a ransom and then the bad guys, you know, just go away and you’re still stuck. Right. So you have to get what we would call, like, a proof of life. Right. Can you give me some of the decryption keys? Will prove that you’re, you know, you’re good. You not only can do it, but you’re honoring your word. And you go through this negotiation and you bring a little bit of the system back online, and then you go from there.

It’s a good segue. Alan, I’m going to bug you for a minute from the threat intel perspective. How, like, how do you help that, right? Because, you know, the scenario that Tim talks about, the more information that you can give him, the better that your odds can be, and whether it’s successful or not successful. What are you seeing? Are you changing some of your tactics, so to speak, when it comes to threat intel?

So, you know, when you’re looking at a traditional attack, we’re looking at worms or RATs or whatever.

Normally we have acronyms, but, sorry: if you’re looking, that’s remote access Trojan, or worm is just a worm.

You’re generally looking at and providing indicators of attacks that have already happened, that people can go on threat hunting missions and try and find.

Well, that does... You don’t need that with ransomware, because when the ransomware hits, you know it’s the ransomware. And you know what ransomware it is, because they advertise it in big, bold letters in their ransom note.

So there are a few things that we’re doing a little bit differently. One is we’re certainly trying to help be more proactive. But the other thing that we’re trying to get our clients to do, and in general the Internet in general, is engage in more threat hunting. So when you look at how ransomware has evolved from 2015-16 to today, when we look at ransomware in 2015-16, it’s kind of like knocking over a liquor store, right? You’re running a smash, you grab the money out of the register and you leave. Ransomware today is more like Ocean’s Eleven, but with a lot uglier cast. These are not attractive people behind the keyboard. They are just super ugly, but it’s a much more complicated attack, because you don’t just land in the network, encrypt the first machine you see and get out.

You land in the network. You have to gain the accesses you need, because when they encrypt systems, and I think a lot of people don’t understand this about ransomware attacks, they’re not encrypting a single computer, a dozen computers. It’s hundreds, if not thousands, of computers at a time. And in order to do that, you need to get the right access in the network. Add to that the extortion component of it, where we now are tracking 20-plus ransomware variants that maintain extortion sites; it takes a while to steal that data, and it takes that long. We’ve seen attacks as quick as six hours, but we’ve also seen some attacks that last for several days to several weeks between initial entry and ransomware. So now what we encourage people to do is look for the indicators of moving around the network. So you’re looking for things like Cobalt Strike, you’re looking for things like Slive, or you’re looking for things like AdFind, the tools, Mimikatz, the things that the ransomware actors are using to move around the network, looking for exfiltration of large files, because they’re generally not subtle about it. They’re like, oh hey, here’s a whole bunch of files. Let’s just send them all off to our server as quickly as possible, often using FTP. And the fact that there are still companies that allow FTP to leave their network freely annoys the heck out of me.

But that’s a whole other story. So that’s what we’re encouraging, is more of that threat hunting, more of that proactive looking, because by the time the alert that they’re in your network shows up in your SIEM and makes it to the SOC, analysts are already late. You want to be on... I don’t want to say on the offensive, because that has a completely different connotation, but you want to be proactive in going after and finding those indicators that ransomware hackers are on your network. And we’ve gotten much better as a company, and I think in general security companies have gotten much better at freely sharing these indicators. It used to be that, oh, I have ransomware indicators, I’m going to keep those to myself so our customers have them. But now, like, SentinelOne has an amazing blog where they publish all kinds of fantastic indicators. Even FireEye is now getting more public with sharing indicators and things like that. But the old guard, Symantec, McAfee, et cetera, have come around, and there’s much more information sharing, which helps make everybody better. Yeah, you just have to know where to go look and pull it down. So in some ways it, unfortunately, becomes information overload, I guess.

Aaron, can I ask him a question? Yeah. So we’ve been talking a lot about technical controls, Tim, maturity of program, right? We mentioned having a plan, exercising, rehearsing that plan.

All of those things really are reducing the risk from a cyber liability insurance perspective. We can’t maybe talk specifically about the secret sauce for Travelers, but what are some of the things that an organization should be looking at to move that risk needle substantially in light of some of the threats that we’re facing?

Well, there’s not a single answer, of course, but just take the technology for a second. We’re talking still in the COVID era, and we saw many companies just had to shift to more workers remote. And so not having open remote desktop protocol, or RDP, which doesn’t have to be open, and there are other ways to configure your network. That’s a vulnerability that we see get exploited. Not having multifactor authentication turned on for administrative access and for remote access, which is not necessarily either hard to do or expensive, depending on what you’re already running from a technical standpoint. And then having endpoint protection and response, having an EDR solution. Those are the technical, the common things that we in this industry kind of shake our head at, particularly for companies of any substance, to say, geez, why wasn’t that control in place? Or what often happens, unfortunately, is they think the control is in place and it just isn’t, across the network. But all of that combined gets to what I would call the soft things, in terms of employee training. And frankly, even before you get to employee training, having a leadership team that takes the management of data security and network security seriously and resources it and funds it. And that happens when there’s more awareness of the significance of these issues, both from the economic standpoint and just the reputational one. But having a culture around cybersecurity and information security is as important, if not more so, than the technical controls. And you don’t get the technical internal controls unless you have that culture in place in the first place.

So you implied that the bad guys know your environment better than you do?

I don’t know if I implied it, but I will suggest that, you know, and it’s interesting, because that’s good if I could talk about that a little bit.

And sometimes I think your listeners may hear or will say there are certain organizations that are being targeted. And sure, that’s true in the sense of how we would ordinarily use that term. More frequently, what we see is it’s not so much a company or organization that’s being targeted. And frankly, many of these threat actors, if not most of them, are overseas, as Alan described them, right behind the keyboards. They’ve never even heard of you or the organization. Never heard of the state you’re in. Right. And so it’s not a personal thing.

They’re targeting the vulnerability. Right there, they’re targeting: can I get in? Once in, then they’re doing more reconnaissance and laying low for longer. They’ve gotten smarter about that, trying to corrupt the data, look at the data, and not just to harness the data, but to try to then say, OK, how much do we think that this organization might pay? Right. And so if they know you’re not right about that, they’re not going to ask you for the same amount of money, because they know you can’t pay. Right now, they’d rather be in a bigger organization that has deeper pockets, or at least that they perceive as deeper pockets. But if they’re in an organization where they think they might get one hundred thousand, two hundred thousand, or pick a number, they don’t ask for more than that, because they want to get paid and go on to the next target. And it’s a business, right? So there’s their cost of customer acquisition, which, it’s not how they talk about it, but that’s really what the motivation is. If they can get a new target, make a quick hit and get out, they’re happy to do that. And so part of that is not so much targeting the customer ahead of time, knowing we’re going to go after X, we’re going after you. It’s they know that there are vulnerabilities, they send out malware, malware gets in through the vulnerability. Then they figure out, OK, who do we have? What are we going to do about it? That’s really often what’s the case. So they’re not looking at a list and saying, today we’re going to go after company X, Y, Z. It’s, today company X, Y, Z got infected, let’s now take the money out of them.

I think, to Tim’s point, sometimes it’s not even that they find the vulnerability, it’s what access they can buy on the underground market. So there are all these cottage industries that have sprung up to support ransomware actors, and one of the big ones is selling shell access. That’s another one to try and say three times. Selling shell access on underground forums really has revived as an industry. And so for a couple grand, you buy access to a company that’s worth ten million dollars, and that couple of grand turns into one hundred thousand dollars. Again, when you talk about, in effect, customer acquisition, as Tim said, that’s a really good return on your investment. If, for two thousand dollars, I can buy access to a company, I get in, I deploy my ransomware and I get a two hundred thousand dollar or more ransom from it, then it was a really good investment, and I didn’t even have to do anything. I just handed over some bitcoin, which unfortunately they have in spades right now.

So I’m going to shift gears a little bit, because we talked about some rather depressing stuff, so let’s talk about how we can effect change and some of the things that we can do a little bit differently. That’s what’s nice about having Jim here. Jim has helped build a program from scratch, so he’s seen different policies change, different negotiations with insurance companies. Talk a little bit about reputation, right, because sometimes the insurance companies get a bad rep. So the example that I often use is, a couple of years ago, and Jim knows this, I actually think Jim is the one that pointed this one out, a Catholic health care system in California was breached. And then obviously, as the breach is going on, they’re figuring out what they’re doing. They’re contacting the cyber insurance company to say, hey, we need help paying this. Then all of a sudden the insurance company comes in. They do their investigation. There’s not even due diligence. Right. And obviously insurance is also a business. So they have that little clause saying, hey, well, you didn’t even meet the bare minimum. So we’re not paying, and now that health care system is on the hook. From the outside looking in, it looks like, oh my gosh, the insurance companies are the bad guy, they’re not paying, they’re not living up to their end of it. But that’s not quite the case. So what are some of the things that insurance companies can do when they’re talking with Jim, about what’s happening before, what you can do to lower your costs? What are some of those hidden things that a lot of people don’t realize insurance companies do?

Was that question for me? Yeah, that was for you. OK, I thought so. Yeah, so certainly every carrier has their secret sauce, or not-

so-secret sauce, in terms of the standards that have to be met in order to qualify for coverage. And that may vary depending on the industry and certainly the size of the organization. But in my experience, it’s very, very rare that anybody would kind of deliberately misrepresent, and short of a deliberate misrepresentation is really the only circumstance where there’s likely to be any kind of argument about coverage. You in good faith say, here’s our controls, and we and our competitors will look at those controls and make a decision as to whether we want to offer you coverage. And then obviously not all coverage is the same. Larger organizations buy more coverage as a general rule, kind of true of any line of insurance. But the better the controls are, right, and we can work with those customers not only directly ourselves, but with other business partners, whether it’s SentinelOne, or we have a relationship with Symantec, that also help people understand what the controls in place are, technical and non-technical, for organizations that look like them.

Right. In an industry segment or in a size, the better controls you have, kind of like any other line of insurance, the better. If you’re a good driver, you get better rates than if you’re a bad driver. And in the cyber insurance world, it’s not really any different. You’ve got bad controls, you might pay more or get less coverage. Or if they’re really bad, maybe you’ll be denied coverage. But that’s kind of true of any insurance, and cyber is no different in that regard.

So, Jim, what advice do you have, because obviously we’ve matured the program over the years. What advice could you give the listeners that goes along with the things that Tim’s talking about?

What’s worked for us is to have a dialogue, have a conversation, and the other thing is to be transparent and honest. It seems obvious, right? It’s intuitive to say we’re going to be honest and have that conversation, but it’s really important in this particular decision framework. Insurance is just another control of risk at the end of the day.

And if you’re layering your risk controls properly and making good decisions around which technical controls, the extent that those technical controls are deployed and managed, being able to prove that you’ve got good coverage with the control. Multifactor authentication is a perfect example of that. You don’t have some rogue endpoint sitting on the Internet directly without MFA. Those are the things you need to be honest with your insurance brokers about, to make sure that they understand the liability they’re accepting, so that if something were to happen and you have to exercise that policy, you can specifically point to the area of weakness that hopefully you recognized before the compromise even happened, that you made a conscientious decision to say, look, this control isn’t where we want it to be. Here’s our plan to get it there, or maybe we’re OK with it, it’s too expensive to get it to that point, and that’s why we’re engaging our insurance provider. But you have to have that conversation before the bad thing happens. That’s getting back to knowing yourself, knowing your business, knowing where your areas of weakness are in terms of policy, procedural or technical controls, and having that open and honest dialogue. And that’s where a partnership with someone like Tim and Travelers is super important, to understand that changing landscape of threat, both from a business operations perspective but then also from a control perspective, and how much insurance you actually do need and what makes you comfortable in terms of that risk reduction benefit.

So if somebody came to you, Tim, and said, I’m going to have a layer two firewall between me and the Internet and I’m only going to do antivirus on my endpoints, please provide me cyber liability insurance.

And I’m a 10 million dollar a year manufacturer. What are you going to say to them?

Well, that’s why there is a robust market of providers of cyber insurance.

And they may be a good candidate for somebody else. But every situation is different. And you make a point, right, and we write, we have customers, as I said, in every industry, in every size.

And so particularly as people are listening to this, right, even though I’ve said it and I’m going to continue to say, all industries are vulnerable or have events, and it really doesn’t matter the size, it also isn’t the dynamic that we would require a company that makes a million dollars a year to have the same controls as somebody that makes 100 million dollars a year, OK? And so the type of insurance they might buy is different, or at least the amount. So there’s, within that segment, do you have good controls for who you are, and if the answer is no, right, and if you’re a large organization and you don’t have the appropriate controls for a large organization, you may have trouble getting insurance. But that doesn’t mean that somebody who’s listening to this and saying, geez, I make a million dollars a year, or whatever it is, that you can’t potentially have a cyber insurance solution. It’s just going to look different.

Brian, I know you’ve been holding holding on to that question.

Yeah, actually, I think this ties in really well, Jim, with where you are going. And then you kind of lobbed over a softball to Tim there and said, let’s take an auto manufacturer, which I love. You just brought it right back to the home state. But let’s dive into that a little bit. When you said putting together, depending on the size of the company, you’re going to have different purchase spend for your security, different things in place. And there are so many different tools to buy from. And I think when you talk about the landscape and the number of vendors out there and the number of tools, that also becomes muddied. And you look at the third party organizations that actually evaluate, or don’t evaluate, to give their opinion on them. If you looked at automotive in general, and I love The Phoenix Project, because I thought it did a great job of explaining how to simplify DevOps in terms of being able to do one piece for what is just-in-time production.

Right. And why it’s so important when you have WIP, work in progress, not to get to the end and realize you have a quality problem. That all goes into PFMEA, process failure mode and effects analysis, and DFMEA, design failure mode and effects analysis. The autos are really, really big on this today, because if you’re going to go in and get supplier X to provide you a part, you go in and you first check off their DFMEA, their design failure, then you go in for their PFMEA. And that’s a two year process from sourcing to when you launch. But DFMEA reminds me more of the idea of the architecture that you build in from your security program, the things and the equipment and the vendors and the products you choose. PFMEA is how you’re actually using them and applying them. And as of right now, there is no GM that goes into every different location to figure out if the DFMEA and PFMEA are being applied from a security perspective. They spend loads of money going in to figure out if you’re doing it from a component production standpoint. But security is just starting to be that conversation right now. I think it’s more left to the insurance provider, like, are these guys doing it? A lot of these companies have just said we want to make sure our suppliers have cyber insurance. Fast forward a year. If they don’t change or do something, they may not have it. So that’s like the first level of saying some checks and balances. But how do we, and it’s not necessarily a question, but perspective on what you were saying: there really isn’t a standard to measure the security posture of all the different types of verticals out there and the different sizes of companies. And there are so many different products. I think something is lost there.

But there are simple things that can be done, like you were referring to, from a defense perspective, in how you put those products in. But Tim, when you go in and look at that and say, OK, I’m looking at the products, and then is there anything that says how the products are being used, valuation-wise? You said size of the company. At the end of the day, if you say no to someone, it sounds like there’s someone down the line that’s going to say yes to them. Well, I think we can rephrase that question for him. That’s a little simpler.

How do you gauge a company’s maturity? I mean, because all the stuff you’re talking about is maturity, right?

And Brian gets really loud, and I think I can appreciate it. No, no, no, no, no. I can answer both of those, I hope. Or at least give it a shot. And let me kind of start, Brian, with, I think, where you were going.

And it’s a positive development, but nowhere nearly as mature as it should be. But in terms of kind of who, if a company just has maybe poor controls, for whatever that means, where is the motivation and the leverage, assuming they’re aware of their controls, and that’s part of the issue, but where is the leverage in society to get those controls to be better? And there’s only so much insurance providers can do. First of all, there are a lot of companies that don’t buy cyber insurance in the first place. But we are seeing more organizations that fit somewhere in a supply chain, or in a chain where they’re relying on other organizations and other organizations are relying on them, whether they’re in the auto industry or anywhere else, where the larger organization that they rely on is requiring controls, not only to buy cyber insurance, but they’re doing more due diligence as part of vendor procurement to determine whether those controls are in place to their satisfaction. So that’s happening, and that’s having a positive impact on lifting everybody’s posture, or a lot of posture. But back to your question, right, there’s still a lot of reliance on tools. For example, there’s third party data that we use and our competitors use. So we might ask questions about, just as an example, what the patching cadence is. How frequently are you patching? And we have tools that will help us actually see that. And so whether our customers are actually patching with the frequency that they say, or the frequency that we think they have, we can often see, and have a conversation with things like, do you have open RDP, remote desktop protocol? And sometimes organizations are unaware that that was configured that way. And we can help before an event takes place to say, look, there’s a control, it’s important, here’s why it’s important.

We suggest you do X, Y and Z, shut that port, or have a conversation as to why, if that’s potentially necessary, why it’s necessary, and what other mitigating factors they have to reduce that exposure. So it’s a conversation that takes place. And again, not everybody has to have the same solution. But we have a lot of vendors that we use and a lot of expertise that we have in-house to help guide people towards the best practices. Not only because they make better insureds, but it’s a good value-add service that people can come to their insurance carrier and get access to, to learn how to make their systems better. And sometimes that ends up pointing them in the direction of somebody like a SentinelOne with an EDR solution, or another solution.

As we’re getting towards the end here, I want to talk about the future a little bit, with all the things that you’ve talked about with auditing and protection and all the current trends you’re seeing. And, Jim, chime in in a minute. Do you really think we’re going to get to the point where insurance companies are going to at least want X, Y and Z, and maybe X, Y and Z tools to help with that stuff? Because if you’re paying out the money, and you and I kind of talked about it in the podcast a little bit, I mean, I know you can’t give exact numbers, but you know the B word, right? Is 2021 the year that’s going to be well over a billion dollars in ransomware paid again? You don’t have to answer that, I’m not yelling at you, but you have to protect yourself as a business also. So are we going to see in 2021 where you’re going to have to have seatbelts in the car, or use the smoke detector analogy, you’re going to have to have this before we even think about insuring you? So are we going to start seeing changes when it comes to cyber liability insurance?

Yeah, I think that’s already baked in. I think you’re already seeing that. And again, it may be a tightening of controls. But I don’t think cyber insurance is necessarily different than any other line of insurance. There’s kind of minimum standards. And if we go to the property analogy, it may be code to have sprinklers and so forth, but it’s partly because over time, right, you wouldn’t be insurable if you didn’t have some of those controls in place, depending on who you are. So cyber is not different. And since cyber insurance has been in existence, there’s always been some standard that has to be met in order for somebody to qualify for insurance. Now, that said, prior to the fairly dramatic, very dramatic increase in the ransomware trend over the last 18, 24 months, and even in the last six months, those standards were probably a little bit looser then than they may be in ’21. I think that’s a fair statement. But it’s not that the standards themselves are new. It’s just probably becoming a little bit more mandatory to enforce the minimum standards, with the minimum standards being raised, undoubtedly, particularly for the types of vulnerabilities that correlate directly to ransomware, such as RDP and MFA and so forth, which we talked about.

Jim, what are you seeing for 2021 on your side to help in regards to stuff like that? Are you going to see that fundamental change? I know a lot of times we have the marketing jargon like AI and Security 2.0, but is it really that? It really feels like it’s that time where us in the security industry have to start taking that extra step.

You know, I go back and forth on that, and Tim and Alan and Brian can probably weigh in on this one as well. I almost feel like, yes, it’s a tool question, but it isn’t a tool question. It’s a people question. You can deploy the best EDR, but if there isn’t anybody to respond to the alerts in a timely manner, you might as well not even have the EDR. If you don’t understand your environment well enough to know where that alert just came from, to be able to effect a response, you might as well not even have the EDR. So I see, and maybe this is a little bit biased, but in ’21 it’s going to be a shoring up of the fundamentals. Do you have an inventory? Do you know when something connects to your environment? Do you have a team that’s capable? Have you trained them? Have you set expectations for them? Do you have a leadership team in place that’s able to make good risk decisions around where you spend the limited amount of capital you have to lower the risk to the business from a cyber threat? Those are the basic blocking and tackling pieces that we’ve been pushing on for a long time.

And what I think the threat actors have done is exploited those softer areas to find the weaknesses within our businesses and exploit them and make money off of it. I don’t see it changing from that perspective. The weaknesses are still going to be exploited. There are still going to be attempts made to find those weaknesses. I think because we’re seeing an increase in the visibility, the news is catching more and more of these, government laws and regulations are mandating reporting, all of that is simply putting pressure on businesses that don’t see this as a high enough risk to actually take action, to motivate some form of action. And that’s a good thing, right? That’s raising the tide for all of us. And the more we have from a business perspective looking into these threats, the more conversations we’re having around what effective controls are, how do you build a team, what does leadership within the security program look like. Those are all good things that are going to mature the entire industry as a whole, and we’ll get better at responding to these threats.

Excellent. Alan, I’ll save Brian to the last, just in case we have to dangle the ears and cut them off. All of it.

Alan, so along those lines, what do you see 2021 looking like from the threat intel side?

Well, I think I think you’ve hit on an important point.

We’ve been talking for thirty years about how important the basics are. Good vulnerability management, patching, don’t click on links that you don’t know, et cetera. And we still haven’t been able to get that right.

And I don’t know, unfortunately, that that’s going to change. And in 2021, I do think we need to do a better job of celebrating people that get it right. Like, if you run a really great vulnerability management program and you don’t do all the things that we’ve been telling you that you should do for thirty years, nobody invites you to give a talk at Black Hat. Nobody invites you to give a talk at RSA, because it’s not sexy and it’s not cool. But it’s actually really, really hard to do that, especially in a complex organization. One of the things that I am encouraged by is that we’re seeing more security teams that have greater involvement in the business in general. Like, we’re not sitting in a dark corner in a room somewhere. We’re actively engaged with the rest of the business. And that helps. I think we’ve moved on from being the Department of No, and now we’re getting better at being the department of, let me understand what you’re trying to do and we’ll come up with a solution, which is a little bit longer than the Department of No, but it works better. It becomes more effective if you’re integrated in the business unit. I do think, and I think everybody in security is against government regulation, but I do think that the government has a role to play. And this is probably a little controversial, so feel free to edit it out.

But no, you’re right.

I do think the government does have a role to play in going after the bad guys. The ransomware actors don’t meet the legal definition of terrorist, but colloquially we would think of them as sort of terrorist activities. And they’re certainly making a lot of illegal money. And I’m not saying we need to drop a drone on anybody, but have a consequence today. We have whole groups that engage in that kind of activity, and we should be trying to do a better job of taking down their infrastructure. And I don’t think businesses should do that, because it’s too easy to get it wrong. But I think government agencies have the resources and the ability to do that. And I think there should be more of that. We saw a little bit of that, obviously, with the TrickBot takedown by both Microsoft and Cyber Command. Unfortunately, that didn’t go quite as well as we hoped. But I think more of that activity does need to happen, because we’re not going to get everybody to agree on the steps they need to take. I mean, we can’t even get people to agree not to get cyber insurance. So certainly not when the government says, here’s our recommendations, go and do it.

And then the other thing I think is we need to expand our definition of what’s considered critical infrastructure. So I think like schools, which are heavily hit by ransomware, need to be included, because schools are never going to have enough money to have an effective security program, or hire the people who are able to maintain it and actually keep those people for more than a couple of years before they can go off and make more money, probably sometimes double, somewhere else. So having more involvement in helping protect schools and things like that, I think, is also going to be important.

Well, the good news is you and I will be talking next month to go into a little bit deeper dive on threat intel. So that’s a good segue. Thank you. Nibs, bring us home. But don’t go too much on a tangent.

I’m going to try not to, but I’m going to take this back to when you look at insurance. Take car insurance, for example. When I was growing up, I got this car, it had a seatbelt, had an airbag, had all these tools in it. But there was nobody monitoring the driver. And within less than a year, I was uninsurable. Management stepped in, my father, and I was no longer allowed to drive. Fast forward to today, and now insurance companies can actually put on tools to monitor how hard you push on the brakes, how often you push on the brakes, how many times you’re going over the speed limit, which, if that was in place back then, there would have been a lot more monitoring of what would have been deemed inappropriateness, which spiked my insurance and caused me to lose it. And some of what we talked about today, and I say all this for the listeners out there that aren’t in security, this is essentially what we’re talking about: building things with the right tools in place. But then also, Jim, like you mentioned, from a people perspective, are the people actually using the tools? Are they being used properly? Are you putting the right systems in place and following those? And then, Tim, you touched on that. Those are the things you’re looking for. And I think collectively, companies and management in those companies should also start to respect that even more, both from the business side, for the insurance companies and the business, the brand, and also the other businesses that they support. And I think it’s a collective conversation that you’re hearing more of, and hopefully less finger pointing, because you still do see a lot of that going on. And for people that don’t understand the infosec world, something gets in the news and their assumption automatically is that somebody there did something wrong, or blame this.

So it’s great to get on and talk with people from both sides of the house, the insurance side, the threat intel side. You know, the guys have feelings too, right, Tim? Look at that. That’s right. He came dressed up. He has a button-up shirt on. You know, I felt better.

You could tell I’m the insurance guy right now. I would expect nothing less from an insurance guy.

And for the final two seconds, I’ll throw on the buttoned-up sweater just to make him feel more appropriate.

Now, it’s OK.

I was more or less born with these blue blazers on and, you know, they don’t come off easy.

So, Alan, do you have the baby Yoda back there too to hold up? Hold on. I was going to get to that point. Since we’re winding things down, let me get to that for a second. I want to say a big, big thanks, Tim. Thanks a lot. Mike and Tracy, you guys were awesome as well. I know that sometimes insurance isn’t sexy or fun, but I really think we had some great conversations today. I really appreciate the donations that you guys did. I want to say thanks to the Sneads for getting SentinelOne to help out with this. And actually this idea was a golfing idea, so kudos to him. And then, Alan, thanks a lot to you and the Recorded Future team. We’ll get a chance to dig in a little deeper on the threat intel and some of the things that you guys do next month. It brings me to the prizes that I’ll give away. I’m not going to give them away right now, because we’re out of time. But Alan did have a baby Yoda. So Recorded Future, besides a generous donation, donated this awesome baby Yoda, which is now Grogu, for the people that watch The Mandalorian.

And then we’ve got to give a shout out to actor because we actually have a microphone similar to Gemini’s and a boom stand. And then finally, Active has a gift card in the last of the Christmas presents, and Tim, I’m sorry, you have to wear jackets because otherwise you could wear have a nice hashtag.

I would I might be willing to make an exception, you know. Hey, there. They’re actually next, next, next next time you have me on, I will wear that shirt. Howzat. Excellent.

I think it would look good on your jacket personally.

That’s right. It’s a little bit of, you know, business professional and fun. So I very much appreciate all you guys this time.

It’s been it’s been a crazy year. I thank you for everyone’s support, all the listeners, all of the different sponsors that helped to make this stuff happen. So to everyone, have a safe and fun holiday and we’ll have some exciting stuff for you in twenty, twenty one.

Is anybody?


OneTrust nabs $300M Series C on $5.1B valuation to expand privacy platform

OneTrust, the four-year-old privacy platform startup from the folks who brought you AirWatch (which was acquired by VMware for $1.5 billion in 2014), announced a $300 million Series C on an impressive $5.1 billion valuation today.

The company has attracted considerable attention from investors in a remarkably short time. It came out of the box with a $200 million Series A on a $1.3 billion valuation in July 2019. Those are not typical A round numbers, but this has never been a typical startup. The Series B was more of the same — $210 million on a $2.7 billion valuation this past February.

That brings us to today’s Series C. Consider that the company has almost doubled its valuation again, and has raised $710 million in a mere 18 months, some of it during a pandemic. TCV led today’s round joining existing investors Insight Partners and Coatue.

So what are they doing to attract all this cash? In a world where privacy laws like GDPR and CCPA are already in play, with others in the works in the U.S. and around the world, companies need to be sure they are compliant with local laws wherever they operate. That’s where OneTrust comes in.

“We help companies ensure that they can be trusted, and that they make sure that they’re compliant to all laws around privacy, trust and risk,” OneTrust Chairman Alan Dabbiere told me.

That involves a suite of products that the company has already built or acquired, moving very quickly to offer a privacy platform to cover all aspects of a customer’s privacy requirements, including privacy management, discovery, third-party risk assessment, risk management, ethics and compliance and consent management.

The company has already attracted 7,500 customers to the platform — and is adding 1,000 additional customers per quarter. Dabbiere says that the products are helping them be compliant without adding a lot of friction to the building or buying process. “The goal is that we don’t slow the process down, we speed it up. And there’s a new philosophy called privacy by design,” he said. That means building privacy transparency into products, while making sure they are compliant with all of the legal and regulatory requirements.

The startup hasn’t been shy about using its investments to buy pieces of the platform, having made four acquisitions already in just four years since it was founded. It already has 1,500 employees and plans to add around 900 more in 2021.

As they build this workforce, Dabbiere says being based in a highly diverse city like Atlanta has helped in terms of building a diverse group of employees. “By finding the best employees and doing it in an area like Atlanta, we are finding the diversity comes naturally,” he said, adding, “We are thoughtful about it.” CEO Kabir Barday also launched a diversity, equity and inclusion council internally this past summer in response to the Black Lives Matter movement happening in the Atlanta community and around the country.

OneTrust had relied heavily on trade shows before the pandemic hit. In fact, Dabbiere says that they attended as many as 700 a year. When that avenue closed as the pandemic hit, they initially lowered their revenue guidance, but as they moved to digital channels along with their customers, they found that revenue didn’t drop as they expected.

He says that OneTrust has money in the bank from its prior investments, but they had reasons for taking on more cash now anyway. “The number one reason for doing this was the currency of our stock. We needed to revalue it for employees, for acquisitions, and the next steps of our growth,” he said.

Thoma Bravo to acquire RealPage property management platform for $10.2B

The busy year in M&A continued this weekend when private equity firm Thoma Bravo announced it was acquiring RealPage for $10.2 billion.

In RealPage, Thoma Bravo is getting a full-service property management platform with services like renter portals, site management, expense management and financial analysis for building and property owners. Orlando Bravo, founder and a managing partner of Thoma Bravo, sees a company that they can work with and build on its previous track record.

“RealPage’s industry leading platform is critical to the real estate ecosystem and has tremendous potential going forward,” Bravo said in a statement.

As for RealPage, company CEO Steve Winn, who will remain with the company, sees the deal as a big win for stockholders, while giving them the ability to keep investing in the product. “This will enhance our ability to focus on executing our long-term strategy and delivering even better products and services to our clients and partners,” Winn said in a statement.

RealPage, which was founded in 1998 and went public in 2010, is a typical kind of mature platform that a private equity firm like Thoma Bravo is attracted to. It has a strong customer base with more than 12,000 customers, and respectable revenue, growing at a modest pace. In its most recent earnings statement, the company announced $298.1 million in revenue, up 17% year over year. That puts it on a run rate of more than $1 billion.

Under the terms of the deal, Thoma Bravo will pay RealPage stockholders $88.75 in cash per share. That is a premium of more than 30% over the $67.83 closing price on December 18th. The transaction is subject to standard regulatory review, and the RealPage board will have a 45-day “go shop” window to see if it can find a better price. Given the premium pricing on this deal, that isn’t likely, but it will have the opportunity to try.

IBM snags Nordcloud to add multi-cloud consulting expertise

IBM has been busy since it announced plans to spin out its legacy infrastructure management business in October, placing an all-in bet on the hybrid cloud. Today, it built on that bet by acquiring Helsinki-based multi-cloud consulting firm Nordcloud. The companies did not share the purchase price.

Nordcloud fits neatly into this strategy with 500 consultants certified in AWS, Azure and Google Cloud Platform, giving the company a trained staff of experts to help as it moves away from an IBM-centric solution toward working with the customer however they wish to implement their cloud strategy.

This hybrid approach harkens back to the $34 billion Red Hat acquisition in 2018, which is really the lynchpin for this approach, as CEO Arvind Krishna told CNBC’s Jon Fortt in an interview last month. Krishna is in the midst of trying to completely transform his organization, and acquisitions like this are meant to speed up that process:

The Red Hat acquisition gave us the technology base on which to build a hybrid cloud technology platform based on open-source, and based on giving choice to our clients as they embark on this journey. With the success of that acquisition now giving us the fuel, we can then take the next step, and the larger step, of taking the managed infrastructure services out. So the rest of the company can be absolutely focused on hybrid cloud and artificial intelligence.

John Granger, senior vice president for cloud application innovation and COO for IBM Global Business Services, says that IBM’s customers are increasingly looking for help managing resources across multiple vendors, as well as on premises.

“IBM’s acquisition of Nordcloud adds the kind of deep expertise that will drive our clients’ digital transformations as well as support the further adoption of IBM’s hybrid cloud platform. Nordcloud’s cloud-native tools, methodologies and talent send a strong signal that IBM is committed to deliver our clients’ successful journey to cloud,” Granger said in a statement.

After the deal closes, which is expected in the first quarter next year subject to typical regulatory approvals, Nordcloud will become an IBM company and operate to help continue this strategy.

It’s worth noting that this deal comes on the heels of several other small recent deals, including acquiring Expertus last week and Truqua and Instana last month. These three companies provide expertise in digital payments, SAP consulting and hybrid cloud application performance monitoring, respectively.

Nordcloud, which is based in Helsinki with offices in Amsterdam, was founded in 2011 and has raised more than $26 million, according to PitchBook data.


The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good

This week, law enforcement in India arrested over 50 individuals in Delhi based on their ties to a global call-center scam operation.

It is alleged that the individuals involved scammed over 4,500 victims out of more than $14 million. The aggressive scammers would contact their victims via phone and proceed to extort funds from them in the form of bitcoin (BTC) or gift cards. The scam involved telling victims that their personal details had been found at a crime scene or that their banking details were being used in some illegal activity. The attackers would then inform the victims that the only way to ‘safeguard’ their money was to transfer funds to specific bitcoin addresses or to buy and transfer gift cards.

Investigators from the Delhi Police Cyber-Crime Unit (pictured below) were able to trace scammed funds from victims in the USA and other countries back to the group in India. The cybercrime unit has also dismantled 25 other scammy call-centers this year. Let’s have a round of applause for these guys!

There’s also some good news associated with the ongoing SolarWinds situation. FireEye, in cooperation with Microsoft and others, have implemented a “kill switch” to prevent ongoing operation of the SUNBURST malware. According to their public statement:

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.
“This killswitch will affect new and previous SUNBURST infections…However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor.”

We encourage all to keep up to date with the SentinelOne blog for ongoing details around SolarWinds.

The Bad

SystemBC, discovered in 2018, has become a prolific presence in the armoury of attackers across the spectrum of sophistication. Initially, the tool was used to obfuscate or mask command and control traffic by way of SOCKS5 proxies. Early on, the tool was seen in tandem with many financially-focused campaigns involving banking trojans.

This week brought wider attention to the use of SystemBC after it was found to be used in conjunction with common ransomware attacks. According to recent reports, well-established groups (e.g., Egregor, Ryuk) are using SystemBC for deployment purposes, complementing the use of other commodity malware such as Zloader, BazarLoader & Qot.

These more recently discovered implementations expand the scope of the tool. Attackers can now leverage SystemBC as a persistent backdoor with near-RAT-like levels of functionality. More importantly, it allows for redundancy in the attackers’ methods of persistence. Attackers will often utilize SystemBC alongside Cobalt Strike and similar frameworks. This opens up more options for post-exploitation activity and, again, can strengthen persistence.

One of the main takeaways from this is the ‘layered approach’ that modern attackers are taking. Just as we encourage a layered, defense-in-depth approach to enterprise security, threat actors are similarly looking at multi-pronged strategies such that if one delivery method fails or payload is detected, they have a different version that they hope won’t be.

Proper cyber hygiene, EDR and strong cloud workload protection are crucial, but as always, these incidents serve to remind us that these controls must also be properly maintained and properly configured.

The SentinelOne Singularity Platform is capable of autonomously detecting and preventing artifacts and behavior associated with SystemBC.

The Ugly

The most impactful story of the week goes to the SolarWinds compromise. In short, SolarWinds provides a host of IT services for a far-reaching set of global customers. This includes management and monitoring of servers, endpoint systems, database management, help desk service systems, and just about anything else you can imagine in that domain. Moreover, their client base is a ‘who’s who’ of high-value targets. As a direct result of this breach, it has already been confirmed that the United States Treasury, Department of Commerce, the Department of Homeland Security and FireEye were also compromised.

A joint statement from the FBI, ODNI and CISA was issued on December 17 confirming the scope and apparent origin of the attacks. In addition, CISA released a highly detailed alert (AA20-352A) on December 17, which covers the more technical side of the attack, including Indicators of Compromise (IoCs) and links to associated resources. The alert also documents the specific versions of compromised SolarWinds Orion products observed in association with the attack:

Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.

SentinelOne has released new hunting packs for Deep Visibility, allowing for specialized queries against IOCs associated with these events. We encourage all to keep up to date with the situation as it develops. Our team will continue to update the dedicated blog and resources as needed.


UiPath files confidential IPO paperwork with SEC

UiPath, the robotic process automation startup that has been growing like gangbusters, filed confidential paperwork with the SEC today ahead of a potential IPO.

UiPath, Inc. today announced that it has submitted a draft registration statement on a confidential basis to the U.S. Securities and Exchange Commission (the “SEC”) for a proposed public offering of its Class A common stock. The number of shares of Class A common stock to be sold and the price range for the proposed offering have not yet been determined. UiPath intends to commence the public offering following completion of the SEC review process, subject to market and other conditions,” the company said in a statement.

The company has raised more than $1.2 billion from investors like Accel, CapitalG, Sequoia and others. Its biggest raise was $568 million led by Coatue on an impressive $7 billion valuation in April 2019. It raised another $225 million led by Alkeon Capital last July when its valuation soared to $10.2 billion.

At the time of the July raise, CEO and co-founder Daniel Dines did not shy away from the idea of an IPO, telling me:

We’re evaluating the market conditions and I wouldn’t say this to be vague, but we haven’t chosen a day that says on this day we’re going public. We’re really in the mindset that says we should be prepared when the market is ready, and I wouldn’t be surprised if that’s in the next 12-18 months.

This definitely falls within that window. RPA helps companies take highly repetitive manual tasks and automate them. So for example, it could pull a number from an invoice, fill in a number in a spreadsheet and send an email to accounts payable, all without a human touching it.

It is a technology that has great appeal right now because it enables companies to take advantage of automation without ripping and replacing their legacy systems. While the company has raised a ton of money, and seen its valuation take off, it will be interesting to see if it will get the same positive reception as companies like Airbnb, C3.ai and Snowflake.

VMware Flaw a Vector in SolarWinds Breach?

U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks.

On Dec. 7, 2020, the NSA said “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”

VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3, and said it learned about the flaw from the NSA.

The NSA advisory (PDF) came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks.

On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020.

In its advisory on the VMware vulnerability, the NSA urged patching it “as soon as possible,” specifically encouraging the National Security System, Department of Defense, and defense contractors to make doing so a high priority.

The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely.

In response to questions from KrebsOnSecurity, VMware said it has “received no notification or indication that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.”

VMware added that while some of its own networks used the vulnerable SolarWinds Orion software, an investigation has so far revealed no evidence of exploitation.

“While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation,” the company said in a statement. “This has also been confirmed by SolarWinds own investigations to date.”

On Dec. 17, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a sobering alert on the SolarWinds attack, noting that CISA had evidence of additional access vectors other than the SolarWinds Orion platform.

CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).”

Indeed, the NSA’s Dec. 7 advisory said the hacking activity it saw involving the VMware vulnerability “led to the installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.”
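The CISA and NSA passages above describe the core problem for defenders: an assertion signed with a stolen token-signing certificate is cryptographically valid, so signature verification at the relying party cannot distinguish it from a legitimate one. What can is correlation: every genuine assertion should have a matching issuance record at the identity provider, and its validity window should match the IdP's normal token lifetime. The following is an added example written for this article, not code from CISA, the NSA, KrebsOnSecurity or any vendor. The log format, the issuer entity ID (`EXPECTED_ISSUER`), the one-hour lifetime policy and the sample log lines are all constructed for illustration; real deployments would feed it the relying party's SAML audit trail and the IdP's token-issuance audit events instead.

```python
"""
Correlate SAML assertions observed at a relying party against the identity
provider's issuance log, and flag assertions that the IdP never issued or
whose lifetime exceeds policy. Added example with constructed inputs; the
log format and issuer value are assumptions, not a real product's format.
"""
from datetime import datetime, timedelta

# Assumed IdP entity ID and token-lifetime policy (constructed for the example).
EXPECTED_ISSUER = "https://sts.corp.example/adfs/services/trust"
MAX_LIFETIME = timedelta(hours=1)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' (works on Python 3.7+)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _parse_kv(line):
    """Split a constructed 'timestamp k=v k=v ...' log line into (ts, fields)."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return _ts(parts[0]), fields


def parse_sp_log(lines):
    """Assertions seen by the service provider (the relying party)."""
    assertions = []
    for line in lines:
        seen_at, f = _parse_kv(line)
        assertions.append({
            "id": f["assertion_id"],
            "subject": f["subject"],
            "issuer": f["issuer"],
            "issue_instant": seen_at,
            "not_on_or_after": _ts(f["not_on_or_after"]),
        })
    return assertions


def parse_idp_log(lines):
    """Token-issuance events recorded by the IdP, keyed by assertion ID."""
    issued = {}
    for line in lines:
        when, f = _parse_kv(line)
        if f.get("event") == "token_issued":
            issued[f["assertion_id"]] = {"subject": f["subject"], "ts": when}
    return issued


def find_suspicious_assertions(sp_assertions, idp_issued,
                               expected_issuer=EXPECTED_ISSUER,
                               max_lifetime=MAX_LIFETIME):
    """Return {assertion_id: [reasons]} for assertions that fail correlation."""
    findings = {}
    for a in sp_assertions:
        reasons = []
        if a["issuer"] != expected_issuer:
            reasons.append("unexpected_issuer")
        event = idp_issued.get(a["id"])
        if event is None:
            # Valid signature but no IdP record: consistent with a token
            # minted outside the IdP using a stolen signing certificate.
            reasons.append("no_idp_issuance_event")
        elif event["subject"] != a["subject"]:
            reasons.append("subject_mismatch")
        if a["not_on_or_after"] - a["issue_instant"] > max_lifetime:
            reasons.append("excessive_lifetime")
        if reasons:
            findings[a["id"]] = reasons
    return findings


# Constructed sample logs: one genuine session (_a1, _c3) and one assertion
# (_f9) that the IdP never issued and that is valid for 24 hours.
SP_LOG = [
    "2020-12-15T03:12:07Z sp=mail-api assertion_id=_a1 subject=alice@corp.example "
    "issuer=https://sts.corp.example/adfs/services/trust not_on_or_after=2020-12-15T04:12:07Z",
    "2020-12-15T03:40:00Z sp=mail-api assertion_id=_f9 subject=svc-backup@corp.example "
    "issuer=https://sts.corp.example/adfs/services/trust not_on_or_after=2020-12-16T03:40:00Z",
    "2020-12-15T03:41:10Z sp=mail-api assertion_id=_c3 subject=bob@corp.example "
    "issuer=https://sts.corp.example/adfs/services/trust not_on_or_after=2020-12-15T04:41:10Z",
]
IDP_LOG = [
    "2020-12-15T03:12:06Z event=token_issued assertion_id=_a1 subject=alice@corp.example",
    "2020-12-15T03:41:09Z event=token_issued assertion_id=_c3 subject=bob@corp.example",
]


def run_demo():
    """Run the correlation over the constructed logs and return the findings."""
    return find_suspicious_assertions(parse_sp_log(SP_LOG), parse_idp_log(IDP_LOG))


if __name__ == "__main__":
    for assertion_id, reasons in run_demo().items():
        print(f"{assertion_id}: {', '.join(reasons)}")
```

The check is only as good as the completeness of the IdP's audit trail, which is why the CISA guidance quoted later in this article treats the whole identity trust store as compromised once signing-certificate theft is suspected: an adversary with that level of access can also suppress or tamper with the issuance log the correlation depends on.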

Also on Dec. 17, the NSA released a far more detailed advisory explaining how it has seen the VMware vulnerability being used to forge SAML tokens, this time specifically referencing the SolarWinds compromise.

Asked about the potential connection, the NSA said only that “if malicious cyber actors gain initial access to networks through the SolarWinds compromise, the TTPs [tactics, techniques and procedures] noted in our December 17 advisory may be used to forge credentials and maintain persistent access.”

“Our guidance in this advisory helps detect and mitigate against this, no matter the initial access method,” the NSA said.

CISA’s analysis suggested the crooks behind the SolarWinds intrusion were heavily focused on impersonating trusted personnel on targeted networks, and that they’d devised clever ways to bypass multi-factor authentication (MFA) systems protecting networks they targeted.

The bulletin references research released earlier this week by security firm Volexity, which described encountering the same attackers using a novel technique to bypass MFA protections provided by Duo for Microsoft Outlook Web App (OWA) users.

Duo’s parent Cisco Systems Inc. responded that the attack described by Volexity didn’t target any specific vulnerability in its products. As Ars Technica explained, the bypass involving Duo’s protections could have just as easily involved any of Duo’s competitors.

“MFA threat modeling generally doesn’t include a complete system compromise of an OWA server,” Ars’ Dan Goodin wrote. “The level of access the hacker achieved was enough to neuter just about any defense.”

Several media outlets, including The New York Times and The Washington Post, have cited anonymous government sources saying the group behind the SolarWinds hacks was known as APT29 or “Cozy Bear,” an advanced threat group believed to be part of the Russian Federal Security Service (FSB).

SolarWinds has said almost 18,000 customers may have received the backdoored Orion software updates. So far, only a handful of customers targeted by the suspected Russian hackers behind the SolarWinds compromise have been made public — including the U.S. Commerce, Energy and Treasury departments, and the DHS.

No doubt we will hear about new victims in the public and private sector in the coming days and weeks. In the meantime, thousands of organizations are facing incredibly costly, disruptive and time-intensive work in determining whether they were compromised and if so what to do about it.

The CISA advisory notes the attackers behind the SolarWinds compromises targeted key personnel at victim firms — including cyber incident response staff, and IT email accounts. The warning suggests organizations that suspect they were victims should assume their email communications and internal network traffic are compromised, and rely upon or build out-of-band systems for discussing internally how they will proceed to clean up the mess.

“If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network,” CISA warned. “In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”

Finding Strength Through Core Values & Culture

As we near the end of what has been a disruptive and challenging year for all, I think it’s important to recognize the strength people have shown. I’ve watched my fellow Sentinels rise to the occasion every single day, go above and beyond to make sure their teams and peers are successful, find brilliant solutions to endless obstacles, and show generosity to a degree that makes my heart feel like it might explode. But while I am amazed every day by the professionalism and compassion around me, I’m not surprised. Everything I’ve seen this year confirms what I’ve always known about SentinelOne: we have a truly and undeniably remarkable culture.

As it turns out, my coworkers feel the same way. This week we were recognized by Comparably with awards for Best Company Culture, Best CEO, and as a Best Company for Diversity. These awards are based on anonymous survey results from employees, which means I’m not alone in feeling pride and appreciation for our incredible culture. That culture has developed out of a commitment to our core values and to working as one global team. As noted in Forbes, “employees want a meaningful mission, a core set of values, goals, and priorities that guide the team.” We’ve worked hard to define each of those areas, and then make them a reality by leading with transparency and respect above all else.

Our core values are simple, and are a true representation of who we are and what we believe:

Trust – We strive to be dependable and conduct ourselves with utmost integrity in every situation.
Accountability – We hold ourselves to a high standard of reliability in our words and actions.
Collaboration – We are OneSentinel; we function and succeed as a global team.
Relentlessness – We act with unwavering purpose and determination in everything we do, no matter how big or small.
Ingenuity – We find innovative ways to take on difficult problems and markets, and we embrace diverse perspectives and solutions.
Community – We work together as a team to achieve more, we consider how our words and actions will affect others, and above all we are kind to one another.

When we identified and distilled our core values, a lot of the work happened from the bottom up. We knew that our values wouldn’t be an accurate reflection of the company if our employees weren’t part of the process. But our CEO, Tomer Weingarten, was also actively engaged in the process and made sure our values reflected the spirit in which the company was founded. He has committed to modeling those values in every interaction and decision – even our product embodies our values. Natalia Peart said it best:

“culture is… strengthened based on how well everyone from the top-down lives and breathes the culture each day. When companies are challenged, the culture grows at the speed of trust.”

Our leaders live and breathe our values, trust their teams, and most importantly, they are trustworthy. Employees need to trust their leaders, period. When leaders understand that, and act on it… amazing things happen.

Speaking of wild and wonderful things, there’s a little bit of alchemy that happens when you combine our core values. When you blend trust with respect and collaboration, you get an inclusive community that prioritizes diversity. You get a company that understands the magic of diverse teams, ideas, and perspectives. That said, we have a lot of work ahead of us (and a lot of ideas!) around continuing to create a diverse, equitable, and inclusive environment. But I think our employees of color see that SentinelOne is committed to that work, and feel safe, seen, and supported. Innovation is in our DNA, and I know as a company we will use that skill to build diversity and inclusion into everything we do. And along the way, we just might create a better workplace and future.
