Tech Disruptors by Bloomberg Intelligence | SentinelOne and Fragmented Endpoint Security

Bloomberg Intelligence Senior Analyst Mandeep Singh talks to SentinelOne COO, Nicholas Warner, about how SentinelOne is disrupting a fragmented endpoint security market.

SentinelOne and Fragmented Endpoint Security | Tech Disruptors by Bloomberg Intelligence: this mp4 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Mandeep Singh:
Hello and welcome to the Tech Disruptors Podcast hosted by Bloomberg Intelligence. In this podcast series, we talk with CEOs and management teams about their views on disruption and how it’s driving their decision making and strategy. My name is Mandeep and with me today is Nick Warner, CEO of SentinelOne. Nick, welcome to the podcast.

Nick Warner:
Thanks. It’s great to be with you.

Mandeep Singh:
Great. So, look, I mean, you guys reported results, fourth-quarter results, very impressive. Top-line growth of 120%. And when you look at Gartner or one of these third-party providers, they claim that you probably have one of the most complete products in the EDR segment, but maybe we can start off with just how you see the addressable market, because EDR to me as an analyst is a new segment. This industry was traditionally antivirus and endpoints, and now every company that I follow either says XDR or SOAR, and they have different solutions, and I’m sure there is a selling motion around it. But I’m curious in terms of how you see the addressable market for SentinelOne, given that you’ve gone public recently.

Nick Warner:
When we’re viewing our addressable market, and doing so in traditional terms, we’re relying on analysts’ estimations of different parts of the market, even as we sit today, pre the acquisition that we just announced of Attivo Networks.

Mandeep Singh:
I think, yeah, we’ll talk about it.

Nick Warner:
And I think our estimation of our existing TAM, before we are now announcing our acquisition into identity security, is really 48, 48 billion in terms of traditional viewing of the total dollars at stake. And the reason it’s so large is really, for us, EDR and XDR are subsuming multiple sectors of cybersecurity. So when you think about traditional endpoint security, that’s about a $16 billion TAM. But then you think about security analytics, SOAR, orchestration and response. That’s another, call it, 16 billion. And then IT operations and management. That’s another, say, 16 billion. All together, all told, about 48 billion. And really what’s happening is that there is this generational shift away from traditional tools in each of those areas, on-premise, signature-based, brittle approaches, appliance-based software. Across the board, what’s happening, and truly has accelerated in the last couple of years with the work-from-home revolution that took place at the beginning of 2020, is really a move and a rush to cloud-native, cloud-based solutions. And from a timing perspective, our entrance in a broad way into the market was really perfectly timed, in that what we represent is a truly extensible platform that can do elements of IT operations. We inherently do orchestration and security automation, and obviously our claim to fame is around endpoint security and visibility. I would also add, though, that typically what we see, especially on a deal-by-deal basis, is that the dollars are underrepresented because they are viewing it through the traditional existing technology spend.

Nick Warner:
And typically we find customers are more than willing to spend more on advanced and far more powerful and effective solutions like SentinelOne. So we feel like those dollars, as big as that TAM is, actually are underrepresented. The last thing I would leave you with is, as we announce this acquisition of Attivo Networks, for us there is an identity protection TAM of probably 4 billion that we now are playing in as well. So all told, it’s an enormous market, and it’s definitely a market from a technology perspective that’s undergoing a pretty incredible revolution in the last few years. A lot of it is borne by the attack landscape really accelerating and taking off epically in terms of advanced technology being deployed by malicious actors, people working from home, the collapse of the traditional network, the rise of cloud workloads, and really the consumerization of applications and hardware. So this idea that really has taken root and is absolutely mainstream now is you need to protect and inspect at the point of execution, whether or not that’s a laptop, a Mac, a PC, a virtual machine, or a cloud workload. And all of those things really represent just a total changing of the guard as it relates to cybersecurity, which was in a lot of ways constructed around this physical notion of a network. And that is now all a thing of the past.

Mandeep Singh:
All right. So you mentioned so many things, so I probably will go over it one by one. You know, look, when we look at security, obviously there are different vectors. And the reason why this space comes across as very fragmented is that there is some new vector that people will discover. It becomes a vulnerability point, and then somebody will try to solve the problem. And that’s why you’ve got so many new companies that keep coming up. And the VC side is also funding a lot of these companies. But I guess coming back to SentinelOne and their value proposition: Microsoft claims that they have bundled security with their Office suite. So in terms of your selling motion, how are you going out there and competing with somebody like Microsoft? And maybe if you can hone in on who your kind of focus customers are, is it the small and midsize or enterprise customers?

Nick Warner:
Yeah, I think the first thing I would say about a bundled approach, and I think this probably will resonate with all of our listeners: when is the last time you got something that was truly great for free? And in my experience, the answer is never. And I think today, especially with the urgency and severity around cybercrime and cyberattacks, no one wants to settle for the second best. As it relates to our focus, it’s enterprise accounts. And I think if you look at our results, our success there, our growing success there and momentum really bears out in terms of our financial results. Customers that are over $100,000 of ARR, customers that are over $1,000,000 of ARR, those are growing even faster than our overall hyper-growth as a business. But to be clear, this is part of the power of the technology that we built: by building a lot of automation and autonomy into the technology itself, we’ve taken very advanced technology and we’ve made it incredibly easy to consume. So we have thousands of small and mid-sized customers. We have hundreds and hundreds and hundreds of very large customers using our technology.

Nick Warner:
And it’s really about democratizing advanced technology to better balance the scales against the adversaries and attackers, who themselves are deploying very advanced techniques and technology against companies that, really, in the past several years, it has become totally clear had been outgunned and out-innovated against their existing security stacks. So, you know, I think if you talk to a SentinelOne customer or partner, what they’ll tell you is the biggest differentiation between us and others, even from a modern or next-gen perspective, is the level of automation and AI that we’ve layered into the product. So we don’t require, you know, dozens of security experts to care for, feed and babysit the technology and to respond to alerts or incidents that we’re flagging. Our technology really has a high level of orchestration and remediation built into it, and that really has enabled organizations to vastly up-level their technology stack without having to make an enormous investment, and oftentimes it would be an untenable investment, in all sorts of security experts to care for and feed this advanced technology platform.

Mandeep Singh:
So maybe on that point, organizations that are using SentinelOne at depth at this point in time, are they just using SentinelOne, or are they using multiple security providers and you happen to be one of them? I’m curious because CrowdStrike also claims they focus on enterprise customers, and their results also speak for themselves. So curious how we should think about it in terms of both doing well.

Nick Warner:
Yeah, well, one interesting industry fact is that the average large enterprise has 50 to 60 security vendors. And if, like me, you hear that and go, wow, how on earth do they manage all of those? I think if you talk to those large customers, they ask themselves that question every day. That’s the opportunity that presents itself, really, for companies like ourselves and a couple of other select companies that are doing advanced things from a technology perspective: there is an incredible need for consolidation of technology elements in cybersecurity. So that’s why, if you looked at really what’s happened with our technology, it’s doing a lot more than just replacing antivirus. It’s doing a lot more than just replacing first-wave EDR or visibility vendors. There has been, for all too long, a real need to get away from having dozens and dozens of security vendors that are overlapping. Because what ends up happening, and this is a very real thing in cybersecurity from a practitioner perspective, is this notion of alert fatigue. One incident will send off like 20 or 30 different alerts. What ends up happening is, it’s like the old tale of the boy who cried wolf: if you get too many alerts, you end up ignoring them, and then you end up missing the one valid one in the noise that all these different products that are stepping on each other’s toes are flagging in the account. So a lot of times less is more. And you want something that can really tie in all of the data, apply advanced algorithms to the data that’s being collected, and intelligently flag at the right time if something malevolent is happening in your network or on your end users’ machines. And that’s really been our focus as much as anything. Now, all of that said, there’s absolutely still a need for other security elements in the stack. There are identity and access management providers. There are email security vendors.
So there are always going to be elements and products from other security vendors. But as far as really focused threat detection and response, that’s what we specialize in.

Mandeep Singh:
So I guess since you mentioned, you know, the solution is based on AI and there’s a lot of automation in that. I mean, CrowdStrike claims that, you know, they have a single-agent architecture and they’ve been doing this much longer. And we know AI really gets better as you provide more data to the algorithm. So would it be fair to say that they probably have a head start when it comes to this AI-based approach compared to where you guys are right now?

Nick Warner:
Well, I think what you said is totally accurate, that they’ve been doing it longer, but we think that that’s a hindrance, not a help, because what it means is, and what’s so important to this type of technology is, the data fabric that sits underneath in the back end. So when you’re collecting all this data, how efficient can you be at scanning, collecting, saving, and then applying algorithms against the data? And if you look at a company, say, like a CrowdStrike that’s over a decade old, that’s built on data elements that now are very long in the tooth. And if you’re leveraging things like Splunk, Splunk was a product 15-plus years ago. That was long before this data revolution. Splunk was not built in a cloud-native world. And so one major advantage that SentinelOne has as a quote-unquote newer vendor, I mean, we’re nine years old. We’ve been active in the market for about five or six years in terms of commercial success. But we feel like we have much more advanced technological underpinnings behind the scenes because, frankly, we’re built on a more modern stack. I think another really important consideration is our acquisition of Scalyr, which was a data analytics firm, about a year ago, after which we have subsequently totally replaced our back-end data lake with one that’s powered exclusively by Scalyr. That was a really, really pivotal moment for us from a technology perspective, because what that has powered us into is this notion of XDR, the ability to ingest other security vendors’ data sources and do it at scale. And we could only do that had we replaced our back end with a modern, extensible, and internally owned data analytics technology. And that’s what we pulled off in the last several quarters. So a really, really important back-end consideration. I think on the front end, what we feel like we built is a much more automated solution. So, you know, a lot of times I think what we’ll hear customers describe CrowdStrike as is a managed service.
And so it’s a sensor-based platform that then is overseen by human operators. And for us that inherently is brittle. Humans can’t scale infinitely, but machines can. And so what we tried to architect and build is a much more automated platform that could make autonomous decisions powered by machine learning. And we built in remediation capabilities from an architectural perspective. What that means, I think the simplest way I can describe that is: our software that runs on systems is much more of a smart agent rather than a passive sensor. And a lot of EDR vendors, including our public company peers, really have an architecture that’s a passive sensor that’s collecting data, and then they’re doing data hunting in the cloud. We’re doing it autonomously on the endpoint.

Nick Warner:
And the advantage to that is really twofold. The first is time to detect: radically faster, milliseconds or single-digit seconds, rather than minutes or hours for human operators to sift through the data and figure out what’s going on. And the second thing is you have a much more durable level of protection, because you’re not reliant on sending data to a cloud platform, having human operators view that data, and then sending your response out in a race against the clock. We’re doing all of what we do at machine speed, and that’s super important. When you think about modern attacks, how long does it take for ransomware to detonate and execute on a machine? Milliseconds or seconds. So you don’t want to insert humans into that detection process, because they literally won’t be able to beat the speed of a machine. And so I think that bears out in testing the customers do. It definitely bears out in Gartner’s coverage, where we were ranked number one in use-case applications for company types A, B and C, which means advanced companies, mainstream companies and also conservative companies as it relates to security spend. In that critical capability section of Gartner’s most recent coverage of our space, we were ranked number one in all three, and that really just speaks to having an advanced technology platform that’s also super effective, autonomous and easy to use.

Mandeep Singh:
Yeah, no, that makes a lot of sense. So maybe one last thing on the technical aspect of it. You mentioned cloud workloads as well as edge devices. If you had to, you know, kind of explain to an investment audience, which one do you think is a bigger opportunity and why?

Nick Warner:
I would say cloud workloads. And what we’re seeing is really a massive, massive, massive shift away from internally built software applications, that DevOps lifecycle taking place within an organization in a data center. And now a lot of that is taking place in cloud workloads. And then subsequently those applications live and reside in public clouds. And what’s inherent in that is this notion that, from a DevOps perspective, you really can run a lot faster, but when you’re running really fast, what ends up happening is security gets left behind and forgotten about. And what we’re now seeing, and certainly in the last year we’ve seen this, is a lot of organizations are waking up and realizing what’s going on here. You know, 80% of our applications are living in cloud platforms on which we really haven’t deployed meaningful security. So back to your earlier question around the total addressable market, that cloud workload protection market, we’re still in the very early innings of a nascent phase of it. And that is not a technology or a security product replacement sales motion; these platforms are totally unprotected and now they need to apply threat detection and security into those platforms. So we feel like that market is going to play out over the next several years. It will be as large or larger than that traditional endpoint security market, and we’re very much a part of that conversation.

Mandeep Singh:
So CrowdStrike did share their ARR coming from cloud workloads. I think they mentioned around 200 million run rate, something like that. Anything that you can share around what portion of your revenue is coming from cloud workloads right now?

Nick Warner:
I mean, I think what we broke out is our server and cloud workload business had grown ten X from the prior year. We’re not breaking out yet individual ARR metrics for that, but we are extremely pleased with how fast that business is growing. And again, that market is massive. I think one thing, the right perspective to keep in mind as it relates to the overall opportunity in threat detection and this part of cybersecurity, which frankly is the most important part of cybersecurity, is that it’s such a big market. This is not a winner-takes-all market. There is and will be room for a couple of leading vendors. And we have a lot of respect for the platform that CrowdStrike built. And I think in terms of how we view ourselves, we view ourselves as a more modern, orchestrated platform that really provides better protection. But it is a market where, when you talk about the amount of oxygen for vendors, there’s definitely room for a couple of leading vendors. I think at the end of the day, we live and breathe competition from a vendor perspective all day long. But the perspective that we at SentinelOne never lose is that our true competitors are the adversaries, and they’re not bound by corporate politics. They’re not bound by marketing budgets. We always have to innovate, stay on point, stay true to ourselves in terms of relentlessly pushing ourselves forward from an innovation perspective to battle our true competitors, which is the adversary. And sadly, those competitors aren’t going anywhere any time soon.

Mandeep Singh:
Yeah. No. And just, I guess, on the results, one more question. So clearly investors are focused on, you know, the selling motion and the high sales and marketing intensity. And this quarter there was a notable improvement in terms of just the free cash flow metric. So how do you think about your sales cycle, and maybe in terms of visibility, like do you think the sales cycle has shortened given the heightened threat environment? Or just any characterization around the sales cycle and just overall selling motion with regards to partners or anything else that you want to add there?

Nick Warner:
Yeah, I think a wise strategic decision that we made a few years ago was to be 100% partner-focused. And what I mean by that is not just your traditional security resellers, but we invested early, both from a go-to-market perspective but also from a technology platform perspective, in being able to build a product that would resonate with strategic partners, partners like MSSPs, you know, managed security service providers, MDR, managed detection and response providers, IR firms, incident response firms, and we’ve over the last couple of years become the platform of choice for those providers. What we get from that is in that sales motion. These are not competitive sales motions. These are fast-moving, fast-closing business deals where, when we do a partnership with a managed service provider, we within months get deployed out to all of their customers. They don’t do competitive bake-offs and evaluations, etc. And so what we get is a really efficient sales motion. As we’ve announced really interesting partnerships with the likes of Mandiant, Kroll, KPMG, you know, Alvarez & Marsal, by Bea and others all around the world, those incident responders are utilizing SentinelOne’s platform as they’re responding to breaches around the world.

Nick Warner:
What we’re seeing is about a 90% conversion from when we get deployed in an incident response motion to becoming a paid SentinelOne customer. And we’re also seeing average sales cycles of under 60 days from start to finish there. So that’s another super-efficient way to go to market and to be relevant and inserted at a customer at the exact right time. And then if we combine that with this flywheel we built with our traditional security resellers, it really lets us punch well above our weight in terms of having a few hundred plus enterprise-focused sellers here, as well as what we feel like is a world-class SMB and inside sales team. But we combine that with the thousands of sellers from our security partner community around the world, and it just gives us incredible reach and scope. And I think what’s really encouraging is we’re seeing that that investment we made a couple of years ago is playing out in our results now. As you mentioned, our triple-digit hyper-growth continues and we’re able to get more efficient at the same time, which is super rare in the industry.

Mandeep Singh:
Got it. So let’s get into some rapid-fire questions and you can keep your answers brief so that we can wrap it up in the next 10 minutes. Any misconceptions about SentinelOne that you want to clear with investors?

Nick Warner:
I think the first misperception that we battled up to and through our IPO was that we didn’t have a lot of enterprise customers. And I think what now folks realize, as we’re a public company and you can view our financials, is that, you know, a majority of our business, 70-plus percent of our business, is coming from enterprise deals. And in fact, that share internally is growing even faster. That part of our business is growing even faster than our macro hyper-growth.

Mandeep Singh:
Got it. What is one technology or trend that you are most excited about over the next 12 months or next few years?

Nick Warner:
I think the technology trend around automation is really exciting, because, as I mentioned in a previous question, from a security perspective, the fact is that a lot of times, for pretty good reasons, enterprises have 50 or 60 different security vendors, let alone products, that they have to stitch together. And even with next-gen solutions that do more, let’s say that collapses down to 20 or 30 different security tools within an environment, the ability with XDR, the promise of XDR, being able to orchestrate with other security vendors, that is a really exciting notion. And that’s something that has started to bear out with our partnerships with the likes of Okta, with Zscaler. The fact that we can help orchestrate response actions within those platforms as well, that’s really exciting.

Mandeep Singh:
So Okta is not a competitor after your acquisition yesterday of Attivo?

Nick Warner:
Correct. Our acquisition of Attivo is really laser-focused on two areas. The first is identity-based deception technology, which really targets insider threats. And then secondly, threat detection and response for identity. The likes of Okta, or even something like a CyberArk, are much more of an identity and access management platform. So you purchase and use that framework, and then you would use SentinelOne’s Attivo modules to monitor the health of your identity within your network, wherever that may be. That could be thousands or hundreds of thousands of machines around the world, monitoring and making sure that credentials aren’t stolen, they’re not abused, they’re not misused. We’re focused on the threat detection part of it, which is a super important part of that market.

Mandeep Singh:
Got it. And so what are the assumptions that you have made about the future and what could go wrong with those?

Nick Warner:
Well, you know, I think what is always a pressing need within organizations is to show your value. For better or for worse, security is a cost center, not a profit center. And I think making sure that security stays top of mind, it’s not just good for our business, it’s really good for the health of business, period. Because, you know, when you’re running a business, let’s say you’re some type of hardware manufacturer, or you’re a retail organization, let’s say you’re a medical organization, let’s say you’re an IT organization yourselves, the biggest, most existential threat that exists today is cyber attacks that can cripple and take down your network. We have seen organizations that literally were taken offline for a week, two weeks. Business can absolutely grind to a halt. That is the thing that worries me the most about this. In some ways, it’s a wonderful, interconnected world, but that is the inherent risk. And so what we’re always making sure we’re doing is staying top of mind and topical so we can get access to that budget, so businesses can retain uninterrupted operation. And really, at the end of the day, that’s what cybersecurity is all about: enabling business continuity and expansion and making sure that the digital world we live in is safe.

Mandeep Singh:
What impact has the COVID-19 pandemic had on your business?

Nick Warner:
You know, I think the biggest catalyst from a technology perspective was this work-from-home revolution, the force of digital innovation that took place in two weeks in March of 2020. Really what it led to from a cybersecurity perspective is the wholesale elimination of antiquated approaches that really were around: well, most of our employees work behind firewalls, they’re there within physical offices, and so we can try to layer in protection that way. That was, you know, the notional thinking back then. That all got blown up at the beginning of 2020. And that change is permanent. If you look even now at any employee survey information, the vast, vast, vast majority of employees and organizations are realizing that hybrid work is here to stay. And what that means is there just has to be a totally different way of approaching cybersecurity, and you need to do security at the point of execution, which is really what SentinelOne is all about: protecting on the device, on the cloud workload, on that virtual machine, as opposed to old, antiquated approaches that leverage things like firewalls, etc., that are all going away permanently.

Mandeep Singh:
Down to the last two. So what is the most important metric of your business success?

Nick Warner:
Our top-line growth.

Mandeep Singh:
Okay. And I guess one last thing I wanted to ask you was just around your view of consolidation in this space. So if you can keep it brief. Yeah, I think we can wrap it there.

Nick Warner:
I mean, consolidation is absolutely happening. I think back to what I mentioned before around orchestration. I think this idea that folks are going to be able to rely on a single or only a handful of security vendors for all their needs, that’s probably not going to happen. But if we can collapse that average number of vendors that provide security to an organization, if we can cut that in half, and then in that remaining half you have a modern XDR platform like SentinelOne providing all of the data ingestion, analysis and orchestration, that’s a true modern technology architecture that I think would be extensible and help protect folks into the next decade and beyond.

Mandeep Singh:
Great. Anything else that we haven’t talked about which is important to the SentinelOne story?

Nick Warner:
No, I think we covered a lot. And I want to thank you again for the time. I enjoyed it.

Mandeep Singh:
Great. Thank you so much. And thanks to our listeners. We look forward to releasing this episode soon as well as doing our future episodes. So thanks again for your time and we wish you the very best and congrats on all the success.


The Original APT: Advanced Persistent Teenagers

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full-blown data breach. But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks of, or of contractors for, some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

- targeting employees at their personal email addresses and phone numbers;
- offering to pay $20,000 a week to employees who give up remote access credentials;
- social engineering help desk and customer support employees at targeted companies;
- bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
- intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: according to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.”

HOW DID WE GET HERE?

The smash-and-grab attacks by LAPSUS$ obscure some of the group’s less public activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain crypto holdings.

In some ways, the attacks from LAPSUS$ recall the July 2020 intrusion at Twitter, wherein the accounts for Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages inviting the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The flash scam netted the perpetrators more than $100,000 in the ensuing hours.

The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.

The Twitter hackers largely pulled it off by brute force, Wired wrote of the July 15, 2020 hack.

“Someone was trying to phish employee credentials, and they were good at it,” Wired reported. “They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.”

Twitter revealed that a key tactic of the group was “phone spear phishing” (a.k.a. “voice phishing” a.k.a. “vishing”). This involved calling up Twitter staffers using false identities, and tricking them into giving up credentials for an internal company tool that let the hackers reset passwords and multi-factor authentication setups for targeted users.

In August 2020, KrebsOnSecurity warned that crooks were using voice phishing to target new hires at major companies, impersonating IT employees and asking them to update their VPN client or log in at a phishing website that mimicked their employer’s VPN login page.

Two days after that story ran, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued their own warning on vishing, saying the attackers typically compiled dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded. As KrebsOnSecurity wrote about the vishers back in 2020:

“It matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.”

“And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.”

“Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization.”

SMASH & GRAB

The primary danger with smash-and-grab groups like LAPSUS$ is not just their persistence but their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks, the stolen credentials are useful only so long as the impersonated employee isn’t also trying to use them.

This dynamic puts tremendous pressure on cyber incident response teams, which suddenly are faced with insiders who are trying frantically to steal everything of perceived value within a short window of time. On top of that, LAPSUS$ has a habit of posting screenshots on social media touting its access to internal corporate tools. These images and claims quickly go viral and create a public relations nightmare for the victim organization.

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots that appeared to show Okta’s Slack channels and another with a Cloudflare interface. Cloudflare responded by resetting its employees’ Okta credentials.

Okta quickly came under fire for posting only a brief statement that said the screenshots LAPSUS$ shared were connected to a January 2022 incident involving the compromise of “a third-party customer support engineer working for one of our subprocessors,” and that “the matter was investigated and contained by the subprocessor.”

This assurance apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements that disputed some of Okta’s claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from LAPSUS$ is that even short-lived intrusions can have a long-term negative impact on victim organizations — especially when victims are not immediately forthcoming about the details of a security incident that affects customers.

“It does force us to think about insider access differently,” the CXO told KrebsOnSecurity. “Nation states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn’t care, it’s more about, ‘What can these 2-3 accounts get me in the next 6 hours?’ We haven’t optimized to defend that.”

Any organizations wondering what they can do to harden their systems against attacks from groups like LAPSUS$ should consult Microsoft’s recent blog post on the group’s activities, tactics and tools. Microsoft’s guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact from stolen employee credentials.
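The pattern the CXO describes above, a new 2FA method enrolled on a compromised account followed by a burst of code and secret access within a few hours, can be turned into a simple detection. The following is an added example, not code from KrebsOnSecurity, Microsoft or any vendor named on this page. It runs over a constructed, hypothetical audit-log format (`timestamp user event ip`, with event names such as `mfa.enroll`, `repo.clone` and `secret.read` chosen only for illustration) and flags a user when an MFA enrollment is followed within six hours by a burst of sensitive actions that is both above an absolute floor and well above that user's own prior peak, noting whether the enrollment came from an IP never seen for that user before. The window and thresholds are assumptions to be tuned against real data.

```python
"""Heuristic for the 'smash-and-grab' pattern: a new MFA factor is enrolled, then an
unusual burst of sensitive actions follows within a short window, often from a new IP.
Added example for this page; the log format and event names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)        # the "next 6 hours" from the CXO quote; tune to taste
SENSITIVE = {"repo.clone", "secret.read", "vpn.connect"}   # hypothetical event names
MIN_BURST = 5                      # absolute floor so quiet accounts do not trip on 2 events
BURST_RATIO = 3.0                  # burst must also be 3x the user's own prior peak

# Constructed sample audit log: "<ISO timestamp> <user> <event> <ip>" (not a real vendor schema).
# alice: normal activity for two days, then an enrollment from a new IP and a burst.
# bob: enrolls a new factor from his usual IP and does one ordinary clone.
SAMPLE_LOG = """\
2022-03-28T09:00:00 alice login 203.0.113.10
2022-03-28T09:05:00 alice repo.clone 203.0.113.10
2022-03-28T14:00:00 alice repo.clone 203.0.113.10
2022-03-29T09:00:00 alice login 203.0.113.10
2022-03-29T10:00:00 alice repo.clone 203.0.113.10
2022-03-30T02:00:00 alice login 198.51.100.7
2022-03-30T02:01:00 alice mfa.enroll 198.51.100.7
2022-03-30T02:10:00 alice repo.clone 198.51.100.7
2022-03-30T02:15:00 alice repo.clone 198.51.100.7
2022-03-30T02:20:00 alice secret.read 198.51.100.7
2022-03-30T02:25:00 alice secret.read 198.51.100.7
2022-03-30T02:30:00 alice repo.clone 198.51.100.7
2022-03-30T02:40:00 alice secret.read 198.51.100.7
2022-03-30T03:00:00 alice repo.clone 198.51.100.7
2022-03-30T03:30:00 alice secret.read 198.51.100.7
2022-03-29T11:00:00 bob login 192.0.2.5
2022-03-29T11:02:00 bob mfa.enroll 192.0.2.5
2022-03-29T11:30:00 bob repo.clone 192.0.2.5
""".splitlines()


def parse(line):
    ts, user, event, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "ip": ip}


def peak_rate(events, before):
    """Most sensitive actions this user did in any WINDOW-long span that ends before `before`."""
    times = sorted(e["ts"] for e in events if e["event"] in SENSITIVE and e["ts"] < before)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - WINDOW:   # slide the left edge so the span stays within WINDOW
            j += 1
        best = max(best, i - j + 1)
    return best


def find_smash_and_grab(lines):
    """Return one finding per MFA enrollment that is followed by an anomalous burst."""
    by_user = defaultdict(list)
    for e in map(parse, lines):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for enroll in (e for e in evs if e["event"] == "mfa.enroll"):
            # IPs seen well before the enrollment; the attacker's own login minutes earlier
            # must not count as "known", so anything inside the last WINDOW is excluded.
            known_ips = {e["ip"] for e in evs if e["ts"] < enroll["ts"] - WINDOW}
            burst = [e for e in evs if e["event"] in SENSITIVE
                     and enroll["ts"] <= e["ts"] <= enroll["ts"] + WINDOW]
            baseline = peak_rate(evs, enroll["ts"])
            if len(burst) >= MIN_BURST and len(burst) >= BURST_RATIO * max(baseline, 1):
                findings.append({"user": user, "enrolled_at": enroll["ts"].isoformat(),
                                 "new_ip": enroll["ip"] not in known_ips,
                                 "burst": len(burst), "baseline": baseline})
    return findings


if __name__ == "__main__":
    for finding in find_smash_and_grab(SAMPLE_LOG):
        print(finding)
```

On the sample data only alice is flagged: eight sensitive actions in the six hours after her enrollment against a prior peak of two, from an IP with no history on her account. Bob's enrollment is not flagged because a single clone is below the floor. In production the baseline should be computed over weeks of history rather than two days, and the sensitive-event set should be the identity provider's and code host's own event names.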

Our Take: SentinelOne’s 2022 MITRE ATT&CK Evaluation Results

Released March 31, 2022, the MITRE Engenuity ATT&CK® Evaluations covered 30 vendors and emulated the Wizard Spider and Sandworm threat groups. For the third year in a row, SentinelOne leads the test, which has become widely accepted as the gold-standard test for EDR capabilities.

What are Wizard Spider and Sandworm?

Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018 against a variety of organizations, ranging from major corporations to hospitals, and deploying tools such as Ryuk and TrickBot.

Sandworm is a destructive Russian threat group that is known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks. According to MITRE, these two threat actors were chosen based on their complexity, relevancy to the market, and how well MITRE Engenuity’s staff can fittingly emulate the adversary. MITRE Engenuity tested our product, Singularity XDR, evaluating both detection and protection.

How Did SentinelOne Perform on the MITRE Engenuity ATT&CK® 4th Evaluation?

Let’s let the data answer that question:

  • SentinelOne delivered 100% Protection: (9 of 9 MITRE ATT&CK tests)
  • SentinelOne delivered 100% Detection: (19 of 19 attack steps)
  • SentinelOne delivered 100% Real-time (0 Delays)
  • SentinelOne delivered 99% Visibility: (108 of 109 attack sub-steps)
  • SentinelOne delivered 99% – Highest Analytic Coverage: (108 of 109 detections)

SentinelOne’s MITRE ATT&CK Results Explained

Autonomous Protection Instantly Stops and Remediates Attacks

SentinelOne Singularity delivered 100% protection across operating systems with the fastest threat containment.

Security teams demand technology that matches the rapid pace at which adversaries operate. MITRE Protection determines the vendor’s ability to rapidly analyze detections and execute automated remediation to protect systems.

MITRE Engenuity ATT&CK for Wizard Spider and Sandworm covered 109 different sub-steps. Overall Detection is the total number of attack steps detected across all 109 sub-steps. Overall Protection measures how early in the attack sequence the threat was detected so that subsequent steps could not execute. Both are important measurements and are indicative of a strong endpoint detection solution. The graph below shows the 2022 participating vendors’ overall detection and protection performance.

SentinelOne’s Overall Detection And Protection Performance

SentinelOne delivered the fastest protection. With its real-time protection, Singularity XDR left attackers the fewest permitted actions in the kill chain during the MITRE ATT&CK Evaluation. The ATT&CK results reflect our commitment to preventing and protecting against every possible threat and keeping our customers safe from most adversaries.

The Most Useful Detections are Analytic Detections

Analytic detections create context and actionable alerts. SentinelOne Singularity XDR delivered the highest analytic coverage.

Analytic detections are contextual detections that are built from a broader data set and are a combination of technique plus tactic detections. This produces a detailed view of what took place, why, and how. Having access to high-fidelity, high-quality detections saves operator time, maximizes response speed, and minimizes dwell time risk.

SOC teams often find themselves with too many alerts and not enough time to investigate, research, and respond. Alerts for the sake of alerts become meaningless: unused and unnoticed. Pinpointed alerts that are actionable with pre-assembled context maximize EDR effectiveness and use.

SentinelOne Singularity XDR console used in the MITRE Engenuity ATT&CK 4th Evaluation

SentinelOne’s patented Storyline technology processes every event as it happens in real time, providing a fully indexed, prefabricated map for each alert. All of this work happens on the agent, which is a major advantage over technology or teams that try to reconstruct what happened after the fact, when it is too late. The power of autonomous cybersecurity is that it acts in real time, where and when the action is taking place, on the attack surface itself.

According to MITRE Engenuity’s published results, SentinelOne recorded the highest number of analytic detections of all participants in this year’s evaluation, as it has for the last three years.

Visibility Ensures That No Threats Go Undetected

SentinelOne delivered Complete Detection with Zero Delays (covering 19 of 19 attack steps, and 108 of 109 attack sub-steps).

Visibility is the building block of EDR and is a core metric across MITRE Engenuity results. In order to understand what’s going on in the enterprise, and to threat hunt accurately, cybersecurity technology needs to create a visibility aperture. The data needs to be accurate and provide an end-to-end view of what happened, where it happened, and who did it, regardless of device connectivity or type.

During the ATT&CK Evaluation, the TTPs used by Wizard Spider and Sandworm were grouped into 19 attack steps and SentinelOne Singularity detected all of them. This allows a comprehensive view of the entire enterprise, minimizing incident dwell time and reducing risk.

Detection Delays Undermine Cybersecurity Effectiveness

Singularity XDR had zero delayed detections.

Time plays a critical factor whether you’re detecting or neutralizing an attack. Organizations that want to reduce exposure need to have real-time detections and automated remediation as part of their security program.

In the evaluation, a detection is marked as Delayed when it was not available to the analyst in the normal timeframe, typically because the product had to send data to the cloud, a sandbox or a third-party service for a verdict, or needed a human analyst to confirm the suspicious activity because the solution could not do so on its own. Aside from the time lag this necessarily involves, it relies on humans to respond quickly, leaving a window of opportunity for the adversary to do real damage.

Adversaries operating at high speed must be countered with machine speed automation that’s not subject to the inherent slowness of humans. Real-time detections translate to faster response and reduced risk to your organization.

SentinelOne’s automated AI approach delivered 100% real-time detection with zero delays.

Simplicity Drives Effectiveness and Reduces Risk

Singularity XDR summarized two days of testing into nine campaign-level alerts.

More signal and less noise is the challenge for SOC and modern IR teams facing information overload. Rather than raising an alert on every piece of telemetry within an incident and fatiguing an already-burdened SOC team, cybersecurity teams benefit from a solution that automatically groups data points into consolidated alerts: one that keeps the number of false alerts low while the true positives remain accurate and pinpointed. This reduces the manual effort needed, helps with alert fatigue, and significantly lowers the skill barrier for responding to alerts.

Consolidating hundreds of data points across a 48-hour advanced campaign, SentinelOne correlated and crystallized the attack into one complete story. SentinelOne provides comprehensive insight within seconds, rather than having analysts spend hours, days, or weeks correlating logs and linking events manually.

SentinelOne Singularity XDR summarized two days of testing into nine campaign-level console alerts, showcasing the platform’s ability to correlate, contextualize, and alleviate SOC burdens with machine speed.

SentinelOne Consolidated All the Data Points Into Nine Campaign-level Alerts

Why SentinelOne? Why Should It Matter To You?

The results from all four years of the ATT&CK Evaluations highlight how the SentinelOne solution maps directly to the ATT&CK framework to deliver unparalleled detection of advanced threat actor Tactics, Techniques, and Procedures (TTPs). Organizations can immediately benefit from exceptional protection and detection capabilities and autonomous and one-click response options to stop and contain the most advanced cyberattacks.

As evidenced by the results data, SentinelOne excels at visibility and detection and, even more importantly, in the autonomous mapping and correlating of data into fully indexed and correlated stories through Storyline™ technology. The superior visibility, actionable context, and the ability to defeat adversaries in real-time sets Singularity XDR apart from every other vendor on the market.

To learn more about SentinelOne’s results on the fourth round of MITRE Engenuity ATT&CK® evaluations, visit: https://www.sentinelone.com/lp/mitre/.


The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good

This week’s good news comes to us via the FBI and “Operation Eagle Sweep”. This international effort included partners in Nigeria, Australia, and Japan. Operation Eagle Sweep was focused on multiple BEC (Business Email Compromise) operations across the globe. These schemes generally involve attackers inserting themselves into email (or similar) communication chains, with the aim of diverting legitimate transactions towards non-legitimate destinations. The United States Department of Justice stated that a total of 65 individuals had been arrested across all participating countries as well as in Canada, South Africa and Cambodia. Overall, the operation uncovered multi-million dollar fraud, with the total impact estimated at around $51 million.

This serves as a solid reminder that BEC attacks are still a common form of business fraud and that despite everything else that’s going on in the cyber realm right now, it remains important to defend against them. Controls like MFA (multi-factor authentication) and strong user-education policies can go a long way towards curtailing the impact of these attacks.

The Bad

On March 31, Apple released an out-of-band security update for macOS Monterey, watchOS 8.5.x, along with iOS and iPadOS 15.4.x. This release is accompanied by Apple’s posting of multiple security advisories which document the updates and associated CVEs.

In particular, CVE-2022-22674 is an out-of-bounds read in the Intel Graphics Driver that can let an application read kernel memory, while CVE-2022-22675 is an out-of-bounds write in the AppleAVD media decoder that can let an application execute arbitrary code with kernel privileges. Apple has indicated that both flaws may have been actively exploited in the wild.

In other vulnerability news earlier this week, exploit code for the Spring4Shell vulnerability (CVE-2022-22965) was spotted in the wild. Since then, multiple PoC exploits have appeared on GitHub as well.

The flaw affects Spring MVC and Spring WebFlux applications running on JDK 9 or newer. Spring’s data binding maps request parameters onto object properties through PropertyDescriptors, and on JDK 9+ that path reaches properties it should never expose (the class loader reachable through an object’s `class` property), which an attacker can use to execute arbitrary code. Spring’s advisory listed Apache Tomcat and a traditional WAR deployment as preconditions for the known exploit, while warning that other ways to exploit the flaw may exist.

Spring has released updates for relevant versions of the Spring Framework. We encourage all to take the time to audit their environment to ensure minimal exposure to Spring4Shell.
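As an added example of the audit step just recommended (this is not code from Spring, SentinelOne or the page), the script below walks a directory tree for Spring Framework jars whose version is below the fixed releases, 5.3.18 and 5.2.20, treating older branches as affected because Spring said unsupported versions were also vulnerable, and it checks the JDK 9-or-newer precondition from a `java -version` string. It looks at jars on disk, at jars packed inside WAR files, and at renamed jars by reading the Maven `pom.properties` they embed. The jar names, the vendored jar and the WAR it scans are a constructed fixture produced by `build_fixture`, not real artifacts. A hit means a vulnerable library version is present, not that the application is exploitable; that still depends on how it is deployed.

```python
"""Audit a directory tree for Spring Framework jars that predate the Spring4Shell
(CVE-2022-22965) fixes. Added example for this page; fixture data is constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}   # Spring's fixed releases
SPRING_ARTIFACTS = {"spring-beans", "spring-core", "spring-webmvc", "spring-webflux"}
VERSION_RE = re.compile(r"^(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:[.-].*)?\.jar$")


def version_from_name(name):
    """'spring-beans-5.3.17.jar' -> ('spring-beans', (5, 3, 17)); None if the name has no version."""
    m = VERSION_RE.match(name)
    return (m.group(1), tuple(int(x) for x in m.group(2, 3, 4))) if m else None


def version_from_pom(zf):
    """Fallback for renamed jars: Maven metadata under META-INF/maven/org.springframework/."""
    for entry in zf.namelist():
        if entry.startswith("META-INF/maven/org.springframework/") and entry.endswith("pom.properties"):
            props = {}
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    k, v = line.split("=", 1)
                    props[k.strip()] = v.strip()
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", props.get("version", ""))
            if m and props.get("artifactId"):
                return props["artifactId"], tuple(int(x) for x in m.groups())
    return None


def is_vulnerable_version(ver):
    """5.3.x below 5.3.18, 5.2.x below 5.2.20, or any older branch (which never got a fix)."""
    fixed = FIXED.get(ver[:2])
    return ver < fixed if fixed else ver < (5, 2, 20)


def jdk_is_exposed(java_version):
    """JDK 9 or newer is a precondition: '1.8.0_312' -> False, '11.0.14' -> True, '17' -> True."""
    m = re.match(r"(\d+)(?:\.(\d+))?", java_version)
    major = int(m.group(1))
    if major == 1 and m.group(2):          # legacy '1.x' numbering used up to JDK 8
        major = int(m.group(2))
    return major >= 9


def audit(root):
    """Return [(location, artifact, version)] for every vulnerable Spring jar under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".jar":
            found = version_from_name(path.name)
            if found is None:                 # no version in the name: look inside the jar
                try:
                    with zipfile.ZipFile(path) as zf:
                        found = version_from_pom(zf)
                except zipfile.BadZipFile:
                    continue
            if found and found[0] in SPRING_ARTIFACTS and is_vulnerable_version(found[1]):
                findings.append((str(path), found[0], ".".join(map(str, found[1]))))
        elif path.suffix == ".war":           # WAR deployments carry their jars in WEB-INF/lib
            try:
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        found = version_from_name(Path(entry).name) if entry.startswith("WEB-INF/lib/") else None
                        if found and found[0] in SPRING_ARTIFACTS and is_vulnerable_version(found[1]):
                            findings.append((f"{path}!{entry}", found[0], ".".join(map(str, found[1]))))
            except zipfile.BadZipFile:
                continue
    return findings


def build_fixture(root):
    """Constructed sample tree (not real artifacts): empty zips named like Spring jars,
    one renamed jar whose version is only in its pom.properties, and one WAR."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    for name in ("spring-beans-5.3.17.jar", "spring-webmvc-5.3.18.jar",
                 "spring-core-5.2.19.RELEASE.jar", "jackson-databind-2.13.2.jar"):
        zipfile.ZipFile(root / "lib" / name, "w").close()
    with zipfile.ZipFile(root / "lib" / "vendored.jar", "w") as zf:
        zf.writestr("META-INF/maven/org.springframework/spring-beans/pom.properties",
                    "#Generated by Maven\nversion=5.3.10\ngroupId=org.springframework\nartifactId=spring-beans\n")
    with zipfile.ZipFile(root / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/spring-webflux-5.3.5.jar", b"")
    return root


def demo():
    """Build the fixture in a temp dir and return the sorted (artifact, version) pairs the audit flags."""
    return sorted((a, v) for _, a, v in audit(build_fixture(tempfile.mkdtemp())))


if __name__ == "__main__":
    for artifact, version in demo():
        print(f"VULNERABLE {artifact} {version}")
    print("JDK 11 exposed:", jdk_is_exposed("11.0.14"))
```

On the fixture the audit flags spring-beans 5.3.17 and 5.3.10 (the latter found only through the embedded Maven metadata), spring-core 5.2.19 and the spring-webflux 5.3.5 packed inside the WAR, and leaves spring-webmvc 5.3.18 alone. To run it against a real host, call `audit("/opt/tomcat/webapps")` or similar and pair the result with the output of `java -version`.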

The Ugly

There is a good chance that there will be Ukraine-themed entries here for the foreseeable future. The situation is intense, complex, and expanding continually. This week, SentinelLabs disclosed details around a newly discovered, destructive, wiper malware dubbed “AcidRain”.

According to SentinelLabs’ findings, the attack on Viasat KA-SAT modems occurred on February 24th, 2022. AcidRain itself is an ELF binary compiled for MIPS, designed specifically to wipe this subset of modems and routers.

Thus far, AcidRain appears to be the seventh wiper malware associated with the situation in Ukraine. Despite the specific targeting, it also appears as though spillover from this attack rendered nearly 6,000 Enercon wind turbines in Germany unable to communicate for control or remote monitoring.

There are notable similarities between AcidRain and certain VPNFilter plugins, discussed in the SentinelLabs post in further detail. Readers are encouraged to review the post as well as the release from Viasat for more details.

Fake Emergency Search Warrants Draw Scrutiny from Capitol Hill

On Tuesday, KrebsOnSecurity warned that hackers increasingly are using compromised government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies. Today, one of the U.S. Senate’s most tech-savvy lawmakers said he was troubled by the report and is now asking technology companies and federal agencies for information about the frequency of such schemes.

At issue are forged “emergency data requests,” (EDRs) sent through hacked police or government agency email accounts. Tech companies usually require a search warrant or subpoena before providing customer or user data, but any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request is related to an urgent matter of life and death.

As Tuesday’s story showed, hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. After all, there are roughly 18,000 distinct police organizations in the United States alone, and many thousands of government and police agencies worldwide.

Criminal hackers exploiting that ambiguity are enjoying remarkable success rates gaining access to the data they’re after, and some are now selling EDRs as a service to other crooks online.

This week’s piece included confirmation from social media platform Discord about a fraudulent EDR they recently processed. On Wednesday, Bloomberg published a story confirming that both Apple and Meta/Facebook have recently complied with fake EDRs.

Today, KrebsOnSecurity heard from Sen. Ron Wyden (D-Ore.), who said he was moved to action after reading this week’s coverage.

“Recent news reports have revealed an enormous threat to Americans’ safety and national security,” Wyden said in a statement provided to KrebsOnSecurity. “I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals.”

“I’m requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers,” Wyden’s statement continues. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed. Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”

Tuesday’s story showed how fraudulently obtained EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, NVIDIA, Okta and Samsung. And it tracked the activities of a teenage hacker from the United Kingdom who was reportedly arrested multiple times for sending fake EDRs.

That was in March 2021, but there are similar fake EDR services on offer today. One example can be found on Telegram, wherein a member who favors the handle “Bug” has for the past month been selling access to various police and government email accounts.

All of the access Bug is currently offering was allegedly stolen from non-U.S. police and government email accounts, including a police department in India; a government ministry of the United Arab Emirates; the Brazilian Secretariat of Education; and Saudi Arabia’s Ministry of Education.

On Mar. 30, Bug posted a sales thread to the cybercrime forum Breached[.]co saying he could be hired to perform fake EDRs on targets at will, provided the account was recently active.

“I am doing LE Emergency Data Requests for snapchat, twitter, ig [Instagram] and many others,” Bug wrote. “Information we can get: emails, IPs, phone numbers, photos. Account must be active in the last week else we get rejected as shown below. Have gotten information only on Snapchat, Twitter and IG so far.”

An individual using the nickname “Bug” has been selling access to government and police email accounts for more than a month. Bug posted this sales thread on Wednesday.

KrebsOnSecurity sought comment from Instagram, Snapchat, and Twitter. This post will be updated in the event they respond.

The current scourge of fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for privileged subscriber data. In July 2021, Sen. Wyden and others introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.