The report’s key findings include the following: 

• Cyber range solutions provide an effective method of upskilling cybersecurity personnel: Classroom training is limited in teaching critical cybersecurity defensive techniques. Adding the gamification elements that cyber ranges offer increases knowledge retention, builds reactive event muscle memory, and provides necessary realism training through live-fire ranges.  
• Cyber ranges are changing the landscape of cybersecurity education: Certification courses have limitations in practically applying curricula. Cyber ranges offer real-life exercise training with a virtually limitless array of attack defense and proof of concept scenarios. Cyber ranges push past the theoretical to the practical.  
• Cyber ranges available for all sized organizations and budgets: The cyber range market offers 58 providers ranging from large in-house platform deployments to cloud service models.  
• Cyber ranges rapidly evolve: First-generation cyber ranges were mostly cybersecurity labs that teach through step-by-step instructions. Users no longer want that experience; they desire the gamified versions where they solve challenges and have a hacker’s point of view.  
• Cyber ranges improve first responder effectiveness: Cyber range training improves memory retention by 75%, compared to 5% through traditional learning methods. 

Participants of this report represent startup and scaleup vendors that subjected their cyber range platforms to 200 points of company and product evaluation scrutiny. This report is a buyer’s guide for organizations seeking a cyber range solution. 

The six vendors scored in the report include: 

• Aries Security 
• ATCorp 
• Cloud Range 
• CYBER RANGES 
• Field Effect 
• Security Innovation 

These vendors represent 10% of the known commercial cyber range solution providers. 

The difference between last place and first place was 12%, with the average score reaching 86%. Two vendors—Cloud Range and CYBER RANGES—achieved best-in-class. However, all participating vendors offer strong cyber range solutions.  

Final Thoughts

To learn more about the cyber range market, check out my report Cyber Range Solutions: Market Landscape, February 2024. I would love to hear how you have leveraged cyber ranges to improve training; drop me a line here to share your thoughts. If you want to keep up with my blogs on related IT security issues, go here. 

The post Which Are the Top Cyber Range Solutions? appeared first on Datos Insights.

WAAPs can address bot detection, application security, API protection, DDoS mitigation, firewall, and many other aspects of PCI DSS. The figure below is an abstract view of how a single integrated solution, such as a such as a WAAP solution, can address many risks to the payment card ecosystem. 

PCI DSS 4.0, published on March 31, 2022,  is one of the most important and impactful releases to date. This release addresses some of the most critical architectural, control, and design risks organizations face when accepting and processing payment card transactions. It requires compliance with 64 new requirements by March 31, 2025. Thirteen require compliance immediately for organizations opting for version 4.0 assessments.

However, some good news is that they’re related to improved documentation. The broad scope of this release has caused 90% of PCI DSS decision-makers to be concerned with meeting the deadline.

This version marks the first time PCI allows an organization to decide how best to comply with the standard. However, the burden of proof will be on the organization to demonstrate the effectiveness of its approach. PCI has also moved from snapshot control compliance to continuously monitoring security posture to prove risk management effectiveness and outcomes. Cybersecurity and fraud management are emerging as a fused discipline as an acknowledgment that the two are inexorably linked. This release will challenge organizations to transform their current approach to protecting cardholder data and focus on risk outcomes, not passing assessments. 

PCI DSS version 4.0 allows organizations to phase compliance over two years in three stages. Owing to the complexity of changes, the PCI Council allows one more year than previously for versions 2.0 to 3.0. The first stage is effective now and includes 13 new requirements that must be included for all organizations accessing version 4.0 of the required PCI DSS Report on Compliance or Self-Assessment Questionnaire. Stage 2 takes effect on March 31, 2024, upon the retirement of the current 3.2.1 version. Beginning April 1, 2024, all assessments must be under PCI DSS 4.0. The third and final stage requires the 51 best practices in place by April 1, 2025.

To learn more about how WAAPs can aid in complying with the PCI DSS version 4.0, check out my latest report, Understanding and Preparing for PCI DSS 4.0. I would love to hear how you intend to comply with the new version of PCI DSS; drop me a line here to share your thoughts. If you want to keep up with my blogs on related IT security issues, go here.

The post Are WAAPs the Answer to Complying With PCI DSS 4.0?  appeared first on Datos Insights.

BlackBerry’s IoT technology is used in 235 million (June 2023) cars. Blackberry (formerly Research in Motion) was founded in 1984 in Ontario, Canada. The company has made an impressive transition from an interactive pager and smartphone provider into a top-40 global cybersecurity company. 2023 revenue is US$656 million, with 64% coming from cybersecurity. Its US$1.4 billion acquisition of Cylance Inc. mostly comprises its cybersecurity business. 

The company faces challenges, including the increased cost of selling cybersecurity vs. IoT solutions, two customers that account for more than 10% of its receivables, and US$371 million in debt interest and principal payments. Gross revenue for cybersecurity solutions declined by 23%. Presently, the cost of cybersecurity sales consumes 42% of respective revenue. Separating cybersecurity and IoT businesses makes a lot of sense, but ultimately, this analyst believes that BlackBerry will need to exit the IoT business to really focus on the higher-margin cybersecurity business. 

What’s Next?  

The company appointed John J. Giamatteo, the head of its cybersecurity business, as CEO, a precursor of company focus. Mr. Giamatteo has a rich background in cybersecurity, including time spent at McAfee and AVG Technologies.  

BlackBerry’s endpoint protection products are generally well-liked in the market. BlackBerry sold off substantially all non-core patents in March 2023 for US$170 million in cash and a royal agreement that could bring upwards of US$900 million, so it will have some money to invest. With the right direction, this company could be a top 20 cybersecurity vendor in the next three years. 

Contact me here to share your thoughts on BlackBerry’s future. If you want to keep up with my blogs on related IT security issues, go here. 

The post BlackBerry Realigns to Focus on Cybersecurity appeared first on Datos Insights.

The predictions aligned neatly into an A-to-Z listing of 31 categories ranging from API protection to zero-trust architectures. But what were the top 10? A surprise to no one, AI-related predictions were number one. However, it balanced as either evil AI or good AI. Ransomware, although number two, was 25% points lower in importance. With this year being an election year, election fraud was number three. You can see the others below. 

Companies from which I gathered predictions included Check Point Software Technologies Ltd., ColorTokens Inc., Critical Start, CrowdStrike, CyberArk, Cybereason, Cybersixgill, Darktrace, F5, Field Effect, Google Cloud, Imperva, KnowBe4, McAfee, NordVPN, NortonLifeLock, Optiv, Outpost24, Palo Alto Networks, Proofpoint, Rapid7, ReliaQuest, Secureworks, Securonix, SentinelOne, Skybox Security, SonicWall, Sophos, Splunk, ThreatX, Trend Micro, WatchGuard Technologies, ZeroFox, and Zscaler.

Contact me here to share your 2024 cybersecurity predictions. If you want to keep up with my blogs on related IT security issues, go here. 

The post What Is the Cybersecurity Crystal Ball Telling Us? appeared first on Datos Insights.

Integrating governance, risk, and compliance (GRC) monitoring and reporting within cybersecurity has evolved from spreadsheets to a new generation of artificial intelligence (AI)-driven risk and compliance management platform, CyberGRC. These platforms provide cross risk-channel insights into cyber risk, allowing CISOs to perform impact-based risk decisioning. Risk channels include conventional enterprise business functions as well as third- and fourth-party risk that is often overlooked. CISOs will now have a purpose-built solution to perform actionable business intelligence, making data-driven decisions to create cyber resilience. The evolution of GRC to CyberGRC adoption makes this a 2024 top-ten pick for Datos Insights.  

CyberGRC provides a holistic view of an enterprise’s cyber risk posture, emphasizing investment priorities and returns on reduced risk investment. These platforms evolved primarily to address the need for solutions specifically tailored to cybersecurity risk and compliance, in contrast to the capabilities embedded in monolithic enterprise GRC platforms. GRC solutions tailored to organizations that want to prioritize cyber threat posture have reignited the low-growth (albeit historically steady) GRC market.  

Many solutions claim to provide CyberGRC. However, solutions such as Axio’s Axio360, Diligent’s Cyber Risk Scorecard, and MetricStream’s CyberGRC offer comprehensive approaches to CyberGRC that reduce enterprise risk and lower the cost of regulatory change while providing boards of directors with actionable risk intelligence.  

Datos Insights sees CyberGRC as an imperative growth enabler. Solutions that integrate generative AI to make risk decisioning smarter, faster, and more predictive will garner the lion’s share of market growth. 2024 will see CyberGRC solutions introduce expanded risk decisioning for AI, blockchain, cloud computing, and third-party risk.  

Maintaining a market lead requires these solutions to emphasize cyber resilience in an assumption-of-breach operating model that participating in the digital economy necessitates. CyberGRC changes the paradigm from avoiding risk to thoughtfully taking risks to achieve greater rewards.  

Contact me here to share your thoughts on the evolution of CyberGRC. To learn about the top 10 trends that will shape fraud, AML, and cybersecurity around the globe in 2024 and beyond see the Datos Insights’ report, Top 10 Trends in Risk, 2024: Unleashing Innovation Against the Rising Threat Landscape.

The post Tomorrow’s CISO Needs Tomorrow’s GRC Solution appeared first on Datos Insights.

European Payment Services Directive (PSD2)

PSD2 mandates banks to share customer financial data with authorized third-party providers (TPPs) through secure APIs. Entered into force on January 12, 2016, this directive is one of the earliest to call attention to the need for API security. PSD2 is supplemented by regulatory technical standards on strong customer authentication and common and secure open standards of communication, as well as guidelines on incident reporting and security measures for operational and security risks. Beginning September 14, 2019, payment service providers must legally comply. I expect API security to have increased emphasis within PSD2 based on its 2023 evaluation report, where adoption has only partly been realized owing to fragmentation in the quality of application programming interfaces (APIs) and deficits in data sharing. European regulators will want to turn this around.

Federal Financial Institutions Examination Council (FFIEC) 

In June of 2021, the FFIEC issued the Architecture, Infrastructure, and Operations booklet, part of the series of booklets comprising their Information Technology Examination Handbook (IT Handbook). Within this booklet, the FFIEC addresses how covered entities should protect APIs, including authorization, authentication, and encryption of private, public, and third-party APIs. The booklet calls out that security needs for APIs should be assessed and implemented to mitigate risks of exposing sensitive customer or entity information, referencing the guidance provided by the OWASP API Security Project.

In August 2021, the FFIEC issued additional API protection directions within the Authentication and Access to Financial Institutions Services and Systems guidance. This guidance identifies the inventorying of APIs, effective mitigating controls for credential and API-based authentication, and secure management of API passwords.

National Institute of Standards and Technology (NIST) Special Publication 800-204

NIST SP 800-24 – Security Strategies for Microservices-based Application Systems is an analysis of multiple implementation options available for core features and configuration options in architectural frameworks, develop security strategies that counter threats specific to microservices and enhance the overall security profile of the microservices-based application. This publication goes into depth on core API protection practices. Its importance is underpinned by many regulations referencing NIST as an accepted security baseline to comply with rules and regulations.

ISO/TS 23029:2020 Web-service-based Application Programming Interface (WAPI) in the Financial Services Standard

This ISO standard, published in February 2020, defines the framework, function, and protocols for an API ecosystem that will enable online synchronized interaction. Specifically, the document defines a logical and technical layered approach for developing APIs, including transformational rules. Sets out considerations relevant to an API ecosystem’s security, identity, and registration. Specific technical solutions will not be defined, but they will be referenced in the context of specific scenarios for guidance purposes. Like NIST, ISO standards are commonly called out in rules and regulations to achieve compliance.

OWASP API Security Project

Inaugurated in 2019, the OWASP API Security Project is an initiative by the OWASP Foundation to provide software developers and security assessors with strategies and solutions to understand and mitigate APIs’ unique vulnerabilities and security risks. The latest version of the OWASP API Security Top 10 in 2023 highlights APIs’ top ten security risks that organizations should follow to protect APIs from cyberattacks. This new release added five new risks covering broken object properties, unrestricted resource consumption, server-side request forgery, lack of protection from automated threats, and unsafe consumption of APIs. OWASP has become a de facto standard for protecting APIs and is referenced by rules and regulations.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS version 4.0 explicitly includes considerations for API security within its standard. An API would come into the PCI DSS scope for any organization hosting an API interface to receive or transmit cardholder account data. Requirement 6.4.2 of PCI DSS standard version 4 calls for the continuous detection and prevention of web-based attacks. The solution would include an automated technical solution to protect public-facing web applications, including APIs. Requirement 6.3.2 calls for the security of bespoke software, including libraries and APIs.

Personal Financial Data Rights Rule (Proposed)

The Consumer Financial Protection Bureau (CFPB) proposed a rule in October 2023 that would accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data. The proposed rule requires establishing and maintaining interfaces to receive and respond to requests for covered data. Screen-scraping is no longer an accepted method; APIs have replaced it. The shift to APIs requires conformity with security specifications, including access credentials, following information security specifications in section 501 of the Gramm-Leach-Bliley Act. Organizations covered by CFPB must ensure that data security practices are adequate to safeguard covered data. API security practices and solutions are key to complying with CFPB.

U.S. Treasury Department API Guidance

In July 2018, The U.S. Treasury Department issued a report addressing the core principles outlined in Executive Order 13772 in February 2017. Of particular importance is for financial entities to move away from screen-scraping to more secure access methods to reduce cybersecurity and fraud risks that can occur when consumers provide login credentials to access fintech applications. The report calls out the need to transition to an API method of instantaneously and safely transferring data.

Final Thoughts

Plenty of motivation exists to protect APIs; however, regulators and standards bodies have upped the motivation. Regulations and standards go hand-in-hand. Referencing an authoritative standard is a sound practice to ensure compliance with a regulation. I don’t expect the light to stop shining on APIs, as 2024 will likely bring more regulatory scrutiny around API use and security. One way you can check your regulatory and standards preparadness is to look into Cequence’s free API security assessment. Contact me here to share your thoughts on API security rules and regulations. If you want to keep up with my blogs on related IT security issues, go here.

The post Regulations and Standards Shine a Much-Needed Light on the Need for API Security appeared first on Datos Insights.

First, a little about VMware for context: VMware was founded in 1998 by five graduate students at the University of California Berkeley. VMware innovated how organizations architected IT enterprises. The company’s virtualized cloud computing technology revolutionized many aspects of application design and infrastructure deployment and management. 

In 2004, EMC acquired VMware for US$625 million, or over US$1 billion in today’s dollars. In 2007, EMC sold 15% of the company in an IPO; that pre-Broadcom acquisition created a market cap of US$61.52 billion. In 2015, EMC was acquired by Dell Technologies for US$67 billion in cash and stock. In 2022, Broadcom announced its intent to acquire VMware for US$61 billion. The consummation of this deal on November 22, 2023, ended up at US$69 billion after adding US$8 billion in assumption of debt. The 18 months that the acquisition dragged was caused by seeking legal clearances from approximately 12 countries and the EU.

Broadcom is no stranger to large acquisitions, as evidenced by its US$18.9 billion acquisition of Computer Associates in July 2018 and its US$10.7 billion acquisition of Symantec in 2019. Once Broadcom adds the US$28.39 billion in debt to fund the VMware acquisition and its US$8 billion in assumed debt to its existing US$41.2 billion outstanding debt, it will carry US$77.59 billion in debt versus the combined Broadcom and VMware annual revenue of US$46.05 billion. This level of debt will likely cause Broadcom to look for ways to streamline operations, reduce its global workforce, and divest certain businesses. This analysis may already be underway, as Reuters reported on November 29, 2023, that End-User Computing and Carbon Black are under strategic review.

So, what is Carbon Black? It is a cloud-native endpoint protection company that VMware acquired on October 8, 2019, in an all-cash deal worth US$2.1 billion. At the time of the acquisition, Carbon Black generated US$241 million in annual revenue from 5,339 customers. Under VMware, Carbon Black likely grew at less than 10% CAGR. 2022 is estimated at $320 million. Using a multiple value of 7.5x, Carbon Black is likely worth a little more than its 2019 sale price or $2.4 billion.  

In a crowded endpoint protection market, Broadcom may meet resistance in finding buyers at a higher multiple. Since the VMware acquisition, Carbon Black has come under increasing competitive pressure from Palo Alto Networks, SentinelOne, CrowdStrike, and Field Effect. Carbon Black’s product is generally well regarded, but many competitors point to replacing or winning major deals from Carbon Black. I suspect the uncertainty of the Broadcom sale will create headwinds in Carbon Black’s growth. 

Broadcom has likely already reached this conclusion and sees this as the right time to sell off this cybersecurity product asset, especially when it has competing products from Symantec’s endpoint protection products. 

Integrating Carbon Black and Symantec would be difficult owing to their vastly different software architectures. Culturally, there would be no way to integrate Carbon Black with Symantec; they have been bitter rivals for years. Broadcom has also crafted Carbon Black as an independent business unit, making it an easy play to spin off. Broadcom could use the nearly US$3.5 billion Carbon Black could fetch to reduce debt with a marginal impact on its annual revenue. 

Now may be the time to give Carbon Black a new lease on life. But Broadcom shouldn’t wait long. The recently announced layoffs of thousands of VMware employees are likely spooking Carbon Black employees, and competitors could easily poach great talent. 

Contact me here to share your thoughts on the potential sale of Carbon Black. If you want to keep up with my cybersecurity company news blogs, go here.

The post Does Broadcom’s Acquisition of VMware Put Carbon Black in Play? appeared first on Datos Insights.

SentinelOne’s problems became apparent on June 1, 2023, when it was announced it would lay off 5% of its 2,100 global workforce following a weak announced forecast. The company hopes to achieve US$40 million in savings from these layoffs and other planned spending cuts. SentinelOne’s over 11,000 customers, US$500 million annual recurring revenue (ARR), and extensive 6,000 channel partner network will fit many PE firm investments theses. SentinelOne will need to attract new customers to thrive. About 1,000 customers have an ARR of US$100,000, or a fifth of its total ARR. Using simple math, SentinelOne’s remaining customers generate US$40,000 annually. In the last year, SentinelOne added 2,500 new customers, worth approximately US$100 million. Acquiring and onboarding these many customers can strain any company and increase costs.

The acquirer must consider several critical factors, including the integration of US$772 million in acquisitions (Attivo, Scalyr) and how they have or have not been monetized, the health of their channel, account churn, the emergence of lower-priced endpoint security providers, and its sizable, accumulated deficit. This analyst expects the selling price to be around US$26 to US$28 a share, making a projected sale price of US$7.5 to US$8.1 billion. Insight Partners, a PE firm, controls 47.7% of SentinelOne’s voting shares, and Redpoint Ventures holds 22.9%, making a sale to a PE firm not so crazy. We cannot rule out a cybersecurity company to make a run at SentinelOne; in August 2023, Reuters reported that Wiz (US$10 billion valuation) said it was considering a bid to acquire the company. Shortly after the announcement, SentinelOne ended its exclusive partnership. So, it became apparent that the deal would not happen.

Whoever acquires SentinelOne must make painful decisions to return it to profitability while counteracting current market headwinds.

Contact me here to share your insights on SentinelOne. If you want to keep up with my blogs on related IT security issues, go here. 

The post What does the Future Hold for SentinelOne? appeared first on Datos Insights.

Okta made a wise investment in adding Uno’s design-centric password manager Peek-a-boo to its portfolio to help users with one-click login, social password recovery through trusted contacts, customized and easy password sharing, and a secure vault to store private keys, credit card details and addresses. Parteek started Uno in the aftermath of his email being hacked.

Okta, founded in 2009, is a public (NASDAQ: OKTA) US$1.3 billion company based in San Francisco, California, with 6,000 employees. Uno’s Peek-a-boo product should experience substantial growth among Okta’s 18,000 customers. This acquisition has much to like, especially considering Okta’s design of consumer-first solutions such as Okta Personal. This acquisition loudly announces Okta’s intention to enter the consumer market in a big way.

Uno’s technology and development team will advance the development of Okta’s free password manager that allows users to securely store, save, and autofill passwords for all their personal apps across multiple devices. On the Okta side, Okta Personal allows consumers to generate strong, unique passwords for all their apps in one place and streamline the login process by auto-filling credentials in both apps and browsers.

Contact me here to share how you feel about Okta acquiring Uno. If you want to keep up with my blogs on cybersecurity news, go here.

The post From Lady Gaga to Password Secrets appeared first on Datos Insights.

• ICBC Financial Services was the affected entity 
• The ransomware operator, LockBit, reported ICBC paid a ransom, though the amount is undisclosed 
• The ransomware attack exploited a Citrix vulnerability referred to as Citrix Bleed 
• Cybersecurity firm MoxFive was retained to help ICBC recover from the attack and resume business  
• On October 10, 2023, Citrix released a security bulletin regarding the vulnerability 
• ICBC is still recovering affected systems 
• U.S. Treasury and Repo financing trades were completed on November 9, 2023 
• The attack made BNY Mellon collateral damage since it is the sole settlement agent for Treasury securities; BNY Mellon was forced to use manual processes to individually clear trades 
• ICBC’s head office made an emergency US$9 billion capital infusion to cover uncleared trades; BNY Mellon was forced to loan ICBC money to clear the trades as they could transfer money to settle 
• ICBC head office and other domestic and overseas affiliated institutions were not affected 
• ICBC executives from China made an emergency trip to New York to claim the market and reassure clients of its financial services business 
• ICBC requested customers clear their trades elsewhere, resulting in direct business loss and financial impacts    

ICBC was not the only organization to succumb to the CitrixBleed vulnerability. The aircraft manufacturer Boeing, the Emirati logistics company DP World, and international law firm Allen & Overy also experienced Citrx Bleed exploits. This vulnerability is largely left unpatched by thousands of organizations worldwide.

Over the past three years, LockBit has extorted over US$91 million from organizations. ICBC has not disclosed that it paid the ransom. One can assume, if paid, that it was sizable. LockBit likely took notice of the press this event caused and will use that to its advantage when planning future attacks.

On November 17, 2023, LockBit struck Chicago trading company Alphadyne Asset Management. According to financial information on its website, the company had about US$24.5 billion in assets as of June 30, with US$480.7 million of net capital. It also had credit lines from affiliates of US$450 million and the ability to borrow overnight funds from an affiliate. What if LockBit had hit a larger treasury market participants?

The irony of the largest Chinese bank experiencing a cyberattack is not lost on this analyst, nor is the common refrain that yet another major cyberattack is caused by an unpatched vulnerability. Calls for transparency in cybersecurity practices and resiliency of participants in the US$26 trillion treasury market are heard loud and clear across Wall Street.

Contact me here to share your concerns over treasury market resiliency. If you want to keep up with my blogs on related IT security issues, go here.

The post How Is ICBC in the Aftermath of a Ransomware Attack?  appeared first on Datos Insights.

LockBit has been unleashing ransomware attacks against critical infrastructure sectors, including financial services, since 2020. Members of LockBit, primarily from Russia, could cause China to view this as a state-sponsored attack against its financial systems.

To appreciate the enormity of ICBC is to look at its firmographics. ICBC has US$3 trillion in assets, US$207 billion in annual revenue, 440,000 employees, and 16,000 branches in nearly 60 countries. Using the Datos Insights model of estimating IT security spending by banks, ICBC is spending over US$500 million annually on IT security. Considering its size, one must ask: If ICBC can experience a ransomware hit with seemingly unlimited IT security resources, are any banks safe?

The following are the impacts to ICBC:

• Disruptions to core banking systems
• Disruptions to U.S. Treasury trading
• Damage to reputation
• Lower customer confidence
• Collateral impacts on trading and clearing partners

There was no way this attack has gone unnoticed by regulators. On the first banking day following the attack, Depository Trust & Clearing Corp. reported that the value of Treasury securities not delivered to fulfill a trade contract rose to US$62.2 billion, up from US$25.5 billion the previous day.

Other impacts, including fines levied by regulators, may also be on the table in the learnings aftermath of the forensics investigation if it is found that ICBC did not follow IT security standards. The ICBC New York branch is subject to the supervision and regulation of the New York State Department of Financial Services, which has the authority to impose fines and sanctions for violations of state and federal laws. The current regulatory climate does not favor organizations deemed deficient in IT security controls or customer protections. The impact of this attack is not restricted to ICBC; other banks, such as BNY Mellon, have been forced to settle trades with ICBC manually and may push regulators to look closely at the bank. ICBC was forced to inject US$9 billion into its U.S. unit to help BNY Mellon resolve its unsettled trades.

Should we be considering this systemic risk or too big to fail? This analyst believes the attack represents a systemic risk as BNY Mellon is the sole settlement agent for Treasury securities. The ICBC attack ostensibly placed the Treasury market under a stress test that had not previously been conducted. ICBC’s access to the electronic settlement platform, TreasuryDirect, for U.S. Treasury securities will remain suspended until an independent third-party can attest to the fact that the attack has been resolved.

This attack sent jitters throughout the securities market in light of ICBC acting as the broker of record for many hedge funds and other market participants. So concerning was this attack that U.S. Treasury Secretary Janet Yellen even made a public announcement the following day that the attack did not interfere with the market for U.S. government debt. China holds over US$800 billion in U.S. Treasury securities. Is this event a harbinger of what could happen if the attack occurred before ICBC could clear its treasury trades? If so, the story could have been very different.

If other ransomware attacks against large organizations are a measure, ICBC may recover core systems in weeks, if not months. ICBC hired a cybersecurity incident investigation team that worked through the weekend to discover the full scope of the attack. They will be scrutinized during their recovery to explain their IT security precautions and methods to protect customer data and settlement operations.

The Treasury market may have just dodged a bullet for now, but what about next time?

Contact me here if you wish to discuss systemic risk to the U.S. banking system. If you want to keep up with my blogs on related IT security issues, go here.

The post World’s Largest Commercial Bank Fights Off Ransomware Attack, Showing No Bank Is Safe appeared first on Datos Insights.

Over the past five days, customers of MGM properties—including Bellagio, the Cosmopolitan, Luxor, Mandalay Bay Resort and Casino, MGM Grand, New York-New York, and other properties across the U.S.—have all experienced outages of varying degrees. On September 12, while customers were tweeting that MGM casino and hotel property’s technology was still inoperable, the malware research collective VX-Underground reported that MGM was a BlackCat affiliate victim.

ScatteredSypder claimed it socially engineered the MGM helpdesk by impersonating an IT employee using the information gleaned from their LinkedIn profile. Ironically, two hacker conferences, Black Hat and DEF CON, were held just weeks before at Mandalay Bay. One could almost imagine ScatteredSpyder thinking it would be bad karma to attack these hotels during the world’s preeminent hacker conference.

BlackCat’s Ransomware-as-a-Service emerged in November 2021. Blackcat’s specialty is a double extortion approach with countermeasures to avoid detection and threat hunters. After wreaking havoc on dozens of organizations, the FBI released a flash report on April 22, 2022, detailing the indicators of compromise associated with this ransomware-as-a-service.

BlackCat operates like an advanced software design firm by releasing named products (e.g., Sphynx), programming in Rust, and providing product documentation and release notes. BlackCat’s ability to morph its tradecraft and weapons of attack into increasingly stealthy methods has attracted affiliates like ScatteredSpyder.

Two weeks before the MGM attack, Caeser’s experienced a social engineering attack by ScatteredSpider on an outsourced IT support vendor. The Wall Street Journal reported that Caesars paid half the requested US$30 million ransom to continue operations. MGM refused to pay, opting to switch to manual processes for ten days. The Financial Times reported that ScatteredSpyder allegedly breached the security at MGM’s casinos, originally planning to manipulate the slot machines’ software and recruit mules to gamble and milk them. When that failed, they reverted to a ransomware attack as they had been in the system for five days.

Now, back to the central question: Did one casino paying ransom lead to another being attacked? This analyst believes that to be true. Ransomware operators have economic models targeting certain industries, such as healthcare. Why? They always pay. Around this attack, three additional casinos were hit by ransomware attacks. Casinos are now on ransomware operators’ radar.

This attack underscores the need for cyber resilience, incident response planning, cyber hygiene, and a board-level understanding of crisis management. But in this case, humans let the ransomware operators in. To learn how to harden humans against attacks, check out Datos Insights’ report by my colleague John Keddy, Ransomware: Harden the Humans, Not Just the Infrastructure, March 2023.

The post Did Caeser’s Entertainment Paying a Ransom Lead to MGM Resort’s Ransomware Attack? appeared first on Datos Insights.

The company, number 30 on the Fortune 500 list, created a stand-alone cybersecurity business one year after acquiring Alien Vault in 2018 for US$600 million and rolling in its managed security and consulting business. This analyst estimates AT&T’s cybersecurity business employs 850 and generates US$225 million annual recurring revenue or 0.1875% of AT&T’s overall business.

AT&T’s cybersecurity business offers a robust portfolio of products and services, including cybersecurity consulting, endpoint security, network security, managed security services, and threat detection and response portfolio. Its cybersecurity business focuses predominantly on the U.S. market, as AT&T generates less than 4% of its revenue internationally. Its cybersecurity business is generally well-regarded by over 2,000 customers and has won several awards. However, its overall rank in the cybersecurity vendor stack isn’t even in the top 50 by revenue.

In March 2022, on the precipice of closing its Warner Media transaction with Discovery, Inc., AT&T announced an updated investment strategy focusing on 5G and fiber technologies, focusing on the DNA of its core products and services. Its cybersecurity business was not mentioned in its strategic business or growth plans.

AT&T will generate US$20 billion in free cash flow in 2023, so it can afford to hang on to its cybersecurity business. However, it is unlikely to invest the billions required to make it a player in the cybersecurity market. AT&T is unlikely to want to maintain the status quo with any of its businesses, especially when it holds US$143.2 billion in debt on its balance sheet. AT&T has been raising cash, as evidenced by its sale of a 30% stake in DirecTV to private equity firm TPG for US$1.8 billion and receiving US$40.4 billion in cash from its sale of Warner Media.

In February, Reuters News reported that AT&T retained Barclays Plc to determine market interest and solicit potential bids for its cybersecurity business. TPG could be a buyer of this business as AT&T has an existing relationship, and TPG has past and active investments in other cybersecurity companies, including Delinia, McAfee, Onfido, and Tanium. TPG could acquire AT&T’s cybersecurity business to merge with its Forcepoint US$2.45 billion investment (October 2, 2023), where there is little overlap, many synergies, and a need to build its commercial business back up.

In today’s cybersecurity investment climate, I see a seven-times multiple or a $1.6 billion valuation of AT&T’s business—well within TPG’s investment thesis. I wouldn’t discount an interesting foreign cybersecurity company like ATOS’ Eviden spinoff to find investors to fund an acquisition as it tries to rebuild its business and make a bigger mark in the U.S. market. One thing has become clear: scale is everything, and size matters to survive in the cybersecurity market. A private equity firm acquisition also makes sense where certain core portfolio components can be shed to companies needing services or products, but not both.

Finding buyers will be slow as more nimble and advanced cybersecurity solutions enter the market, so deciding to buy legacy or emergent tech weighs heavy on investors’ minds. Whether this deal happens tomorrow or next year, this analyst believes it is the logical course for AT&T to sell its cybersecurity business.  

To learn more about cybersecurity vendors, stay tuned to my blog. Contact me here to share which cybersecurity vendors you want me to profile. If you want to learn about emerging vendors, check out my 2023 Black Hat conference and exhibition and my recent report, Black Hat 2023: Insights From Startup City.

The post Is AT&T Shopping its Cybersecurity Business? appeared first on Datos Insights.

Rumors started when Reuters reported hiring investment bank Goldman Sachs Group in February to explore its future. Those rumors have reignited in earnest with Rapid7’s announcement in August that it would lay off 18% (or nearly 500) of its employees as part of a corporate restructuring plan.

The restructuring plan savings, estimated at US$24 million to US$32 million, may not be enough to make a difference. Rapid7 has posted a net loss every year since its inception: US$124.7 million (2022), US$146.3 million (2021), and US$98.8 million (2020). As of June 30, 2023, the company had an accumulated deficit of US$953.4 million.

In September, the company announced it would raise US$260 million in a private placement of senior notes. Currently, Rapid7 has two existing convertible debt notes for US$234.2 million and US$520.9 million, due in 2025 and 2027, respectively. Their current placement would put them over US$1 billion in debt.

The company’s stock is trading just below the US$50 share, up from its US$16 IPO price. Its current market cap is slightly below US$3 billion. Its 52-week range has widely fluctuated from US$26.48 to US$59.33 a share, but significantly off its US$140 pandemic share price.

Rapid7’s product portfolio is organized into six areas: incident detection and response, cloud security, vulnerability risk management, application security, threat intelligence, and security orchestration and automation response. All areas face significant competition, especially in its extended detection and response, security information and response, security orchestration and automation response, vulnerability management, and threat intelligence segments.

Competitors such as CrowdStrike, Exabeam, Palo Alto Networks, Qualys, Securonix, Splunk, and Wiz have been nipping at Rapid7 for years. Evidence that competition may be affecting growth is that total revenue increased by US$23.0 million in the three months ended June 30, 2023, compared to the same period in 2022. The US$23.0 million increase in revenue (only) consisted of a US$900,000 increase from new customers.

Rapid7 has to find a way to attract new customers. Rapid7’s over 11,000 customers, US$751 million annual recurring revenue, and brand recognition make it an attractive target for a private equity firm with expertise in turning around non-profitable cybersecurity companies. The obstacles are significant: a legacy of unprofitability, over US$1 billion in debt, and an inability to generate revenue from new customers.

Shareholders, employees, and debt holders may be ready to change ownership to right this once-bellwether cybersecurity company. This analyst believes private equity firms will want to discount the sale price based on the obstacles to turning this company around, causing a vast disagreement in valuation. An auction event is likely the best way forward for the sale of this company.

The post What Is the Future of Rapid7? appeared first on Datos Insights.

Cisco came in strong on its offer and insisted on an agreement where Splunk would not solicit or entertain any shopping offers. However, the Splunk board could cancel the Cisco agreement if another company made a bonafide superior offer. If Cisco exits the deal or an anti-trust injunction arises, it will cost the company US$1.478 billion. If Splunk wants out of the deal to pursue a superior offer, it will cost the company US$1 billion.

This analyst believes a competitive offer would need to exceed US$32 billion. IBM, Microsoft, and Google may have that kind of money and a large enough security business, but this analyst doesn’t see where it makes sense for these companies to offer to acquire Splunk. Cisco is one of the few companies where acquiring Splunk makes sense.

Cisco will need to do some house cleaning at Splunk to align with its financial model, where it has been profitable over the past ten years. Since its inception, Splunk has incurred net losses yearly, resulting in an accumulated deficit of US$4.05 billion. Splunk has bet its future on costly cloud services that require continual infrastructure investments. Splunk’s US$3.099 billion in debt exceeds its annual revenue. Splunk recently executed layoffs, including an announcement that it would reduce its global workforce by 4%, but that is a drop in the bucket of what will be required to right this company. Ultimately, Splunk was getting in over its head and needed an acquisition to have a future. Cisco is acquiring a company with over US$7 billion in deficit loss and debt.

Cisco sorely needs Splunk, and Splunk needs Cisco. Cisco has been missing the central data analytics engine to pull its firewall, extended detection and response, intrusion prevention system, and other network security defenses into a cohesive threat protection platform. Merging these companies will be messy; competitors will target them, and customers will impatiently wait for the new product roadmap. But, when it is all done, Cisco will be a force to be reckoned with, and Splunk’s technology will survive.   

The post Did Cisco Save Splunk? appeared first on Datos Insights.