Search Results

  • Arctic Wolf's Strategic Move to Acquire Cylance

    by Christina Richmond, Rory Duncan

    MDR Market Consolidation Continues

    In the latest move in a wave of MDR market consolidation, Arctic Wolf has announced the acquisition of Cylance from BlackBerry for $160 million, with the deal expected to close in BlackBerry's fiscal Q4. This announcement comes amid a broader consolidation trend in the MDR market, marked by two other major deals slated for early 2025 closings: Sophos combining with Secureworks and Trustwave joining forces with Cybereason. According to TechCrunch, the Cylance price tag represents a stark markdown from the $1.4 billion BlackBerry paid in 2018. The deal structure includes $80 million in cash at closing, another payment a year later, and approximately 5.5 million Arctic Wolf common shares.

    For a company acquired for $1.4 billion in 2018 to be sold for $160 million only six years later, some may see this purchase as "The Cylance of The Lambs". Others recognize that, while its market value has indeed been slaughtered during its time at BlackBerry, the endpoint security vendor's technology will likely live on in some form at its new owner, Arctic Wolf.

    These consecutive deals signal a broader shift in the cybersecurity industry, where MDR providers are actively seeking to strengthen their technology stacks through strategic acquisitions. This consolidation wave isn't happening in isolation; it's directly tied to the industry's movement toward comprehensive security platforms.

    Market Impact: Platformization Takes Center Stage

    This acquisition isn't just about adding another tool to the toolbox. As Arctic Wolf's CPO Dan Schiappa explains in their official blog, "We're not a services company adding a new tool to its portfolio, or a tools company bolting on services to its products—we're a security operations company with an open platform." This distinction is crucial in understanding Arctic Wolf's strategic direction.

    The move reflects a broader industry trend toward comprehensive security platforms. With 95% of Arctic Wolf's SOC investigations involving endpoint telemetry, this acquisition positions them to address a critical security operations challenge. The integration of Cylance's AI-powered endpoint protection with Arctic Wolf's Aurora Platform promises to combine automated threat detection with human expertise.

    What's Coming Together

    The acquisition brings together several key components:

    • Cylance's CylancePROTECT (EPP), CylanceENDPOINT and CylanceOPTICS (EDR) products
    • Arctic Wolf's Aurora Platform and Alpha AI capabilities
    • Processing power for over 7 trillion security events weekly
    • Integration expertise from nearly 1,000 SOC analysts

    Cylance has some great offerings, particularly its CylanceENDPOINT solution, but it was part of a portfolio of products within BlackBerry's security division, a self-described product company that also offered services. As recently as August 2024, BlackBerry released CylanceMDR Pro, a service based on the Open XDR platform. BlackBerry talked about pivoting its focus to further develop its security services business, but perhaps it was a case of too little, too late? For Cylance, it appeared that it was stuck in a corporate organization that was either unwilling, or unable, to monetize its products and develop its business.

    There is also the "Pure Play vs. IP-Led" argument to consider. Until this announcement, vendor-agnostic "pure play" services companies like Arctic Wolf argued that breadth of endpoint telemetry creates a multiplicative detection effect; essentially, that the whole is greater than the sum of its parts. IP-led providers like Cylance (prior to its acquisition by BlackBerry) argued for prevention first through superior endpoint protection tools (most notably at the RSA Conference 2017). CrowdStrike has also used this messaging but launched Falcon Complete (its MDR offering) in 2018, recognizing earlier than Cylance that prevention goes a long way but isn't enough.

    Arctic Wolf has committed to maintaining an open platform approach, continuing to support its existing integrations with more than 15 endpoint security vendors. This vendor-agnostic strategy sets it apart in an industry where many platforms resist integrating with competitors.

    Industry Perspective: Reading Between the Lines

    From a market dynamics viewpoint, this acquisition makes strategic sense but requires careful execution. Arctic Wolf's current limitation has been the capabilities of its homegrown EDR sensor and the lack of a robust endpoint agent. The Cylance acquisition directly addresses these gaps, potentially creating a more integrated solution set for customers.

    Cylance also brings a complementary channel play to Arctic Wolf's partner business. With over 1,000 partners servicing the SMB market (as of 2019), Cylance benefited from BlackBerry's strengths in mobile application security, which helped it develop in the commercial sector via resellers and MSPs. In channel-heavy regions such as EMEA, offering an MDR/SOC service is highly desirable for SME customers, but selling it at an affordable price remains a challenge. Pre-packaging combined with automation tools will help, and Arctic Wolf has been providing integrations via its own Aurora platform for several years. It now also has the benefit of Cylance AI as part of its endpoint security toolkit.

    However, the real story here is about market evolution. The cybersecurity industry is witnessing a clear trend toward platformization, but with an important twist: customers, especially in the midmarket, prefer what could be called "iterative consolidation." They want to reduce complexity and vendor sprawl but aren't looking to put all their security eggs in one basket.

    This acquisition represents a pivotal moment in Arctic Wolf's evolution, but it also raises important questions about existing partnerships. Two of the biggest IP-led MDR service providers, CrowdStrike and SentinelOne, are currently Arctic Wolf partners. The nature of these partnerships, particularly whether they're primarily resale agreements, could significantly impact Arctic Wolf's open platform strategy. There's a real possibility that these endpoint security leaders might reassess their relationship with Arctic Wolf now that it's becoming a direct competitor in the endpoint space.

    The success of Arctic Wolf's strategy will depend on several critical factors: how well it balances integration with openness, how it maintains relationships with existing partners, and how it manages the transition from partner to competitor in the endpoint security space. While the commitment to an open platform is admirable, the practical challenges of maintaining deep integrations with direct competitors shouldn't be underestimated.

    Acquisitions and mergers take time to execute well. The temptation to forge ahead with product development, feature changes, service modifications and so on is strong post-acquisition, but it risks alienating existing Cylance customers. Arctic Wolf needs to carefully execute its Cylance integration plan, staying cognizant of potential poaching of worried customers during any transition phase, while weighing up the implications of Cylance's existing strategic relationships. EDR and MDR are rapidly evolving markets, with new partnerships providing further competitive threats. In December, MDR provider SonicWall, already partnering with the likes of Sophos and SentinelOne, announced a partnership with leading vendor CrowdStrike, a move likely to bring further pressure on MSPs and MSSPs offering solutions in the SMB sector.

    Perhaps the biggest challenge ahead lies in the technical execution. Maintaining and evolving endpoint security solutions is notoriously difficult, requiring constant innovation to keep pace with emerging threats. With most of the original Cylance engineering team no longer with the company, Arctic Wolf faces the daunting task of R&D, engineering, and modernizing the Cylance tools. This isn't just about maintaining existing functionality; it's about evolving the platform to meet future security challenges while simultaneously integrating it into the broader offering.

    For Arctic Wolf, this move could be transformative, but success isn't guaranteed. The real test will be multifaceted: executing on the vision of combining Cylance's endpoint expertise with existing security operations prowess, maintaining open ecosystem partnerships, navigating complex competitive dynamics, and crucially, building an engineering team capable of modernizing and advancing the Cylance technology stack in an increasingly competitive endpoint security market.

  • Conversations I expect to have at RSAC2024

    “Cybersecurity pundits, experts, practitioners, startups, established vendors, service providers and a host of analysts and media will converge in San Francisco for the RSA Conference May 6-9, 2024 in San Francisco. The conference theme, ‘The Art of Possible,’ promises to explore innovation and creativity within cybersecurity, emphasizing collaborative efforts to tackle current challenges and anticipate future ones. Beyond the official theme, there’s always an uber thread coursing through the conference. What will that be? GenAI? Absolutely. Quantum cyber risk? You betcha. Will there be continued discussion on Zero Trust, Identity, Cloud Security? Why not? We haven’t solved those yet.”

    I agree. We’ll see all the above topics this year. In fact, I expect to hear a lot about each of these topics in the conversations I’m having with large, well-known cybersecurity vendors and service providers like AT&T Cybersecurity, Lumen, Armis, Trellix, HPI, IBM, Optiv, and OpenText and the smaller, startup companies like AKA Identity, SafeLiShare, Salt Security. But in this list, I’ve named fewer than half of the companies I’ll meet with … Some of the companies I’ll be rubbing elbows with are in stealth mode trying to solve issues around cyber insurance, AI security and more.

    The goal of an analyst is to watch the market, understand the next trends and the players that will shape those trends. Finding these next movers and shakers is, honestly, a bit of luck and science. I rely on my network of contacts and friends in the industry to introduce me to worthwhile conversations. Here's a bite-sized preview of just a few of the conversations I expect to have:

    AT&T Cybersecurity will perhaps share more detail on the long-awaited split from AT&T Business announced last November. I hope Armis will give me terrific insights on the Silk Security acquisition. I’ll catch up with Trellix’s CEO Bryan Palma and find out how the company is doing with its XDR journey (I found a lovely testimonial from Hawaiian-born MSSP Cyberuptive here). It’s been a while since I’ve chatted with Micro Focus, now a part of OpenText. I hope to learn how the integration is going and where the company is headed with its CyberRes project. I just chatted with the HPI team on their quantum compute firmware announcement and expect to expand my understanding when we meet for coffee. AI Privacy will be the topic with SafeLiShare, API Security with Salt Security and I’ll definitely be talking identity with AKA Identity!

    Stay tuned for the wrap-up blogs and vendor / service provider profiles after the show. I can’t wait to see everyone and talk shop in all areas of cyber!

  • AT&T Cybersecurity Becomes LevelBlue

    AT&T and WillJam Ventures, a private equity (PE) investor, announced today the creation of LevelBlue, a joint venture to form a new, standalone managed and professional cybersecurity services business. This is a long-awaited outcome, as mentioned in my recent blog, and one I believe is largely positive. As with any major shift, there are some pitfalls to avoid.

    Staying true to the legacy AT&T Cybersecurity offerings, LevelBlue will continue to offer managed security services (MSS), cybersecurity consulting, threat intelligence and security operations center (SOC) support. LevelBlue brings more than 1,000 employees globally to the venture, with AT&T retaining minority ownership and board representation in the new entity.

    So, really, what’s different? AT&T retains some ownership and AT&T leadership continues to be involved. All of the MSS and cybersecurity consulting business moves to LevelBlue. The AT&T IP backbone is still very much a part of the MSS and SOC capabilities. AT&T Alien Labs threat intelligence remains core to the new company’s services but is renamed LevelBlue Labs.

    My take is that with this arrangement, AT&T frees up much-needed capital to continue innovation in its network, cloud infrastructure, artificial intelligence (AI), edge and digital transformation services, while recognizing that its cybersecurity business requires the greater care and feeding that a PE firm can offer. AT&T invested millions of dollars in building out its data lake, threat intelligence, the well-subscribed Open Threat Exchange (OTX), and the acquisition of AlienVault, which became an award-winning platform for AT&T’s threat lab, USM sensor network and MSS offerings. To meet future challenges, new investment is needed. Ideally the joint venture will enable innovation and acquisitions to secure future technologies like AI, quantum computing, the internet of things (IoT), critical infrastructure and industrial technologies.

    Net net: AT&T has been looking to sell or divest its cyber business for several years. This is a positive outcome for both AT&T and the cybersecurity tranche it built, acquired for, and invested in. But the proof, as always, is in the pudding. Management by a PE firm doesn’t guarantee greater investment or financial freedom. New partnerships and revenue streams will be necessary as LevelBlue separates its day-to-day business from AT&T.

    Some questions to consider with this event: What will the channel relationship be between AT&T and LevelBlue? Will AT&T sales receive compensation to sell services for the new entity? What is the long-term arrangement for use of the AT&T backbone and data lake? Are these perpetually embedded in LevelBlue?

    I believe that current and future customers can be assured by the continuation of the global AT&T cybersecurity services, underpinned by AT&T’s network and deep threat expertise, now named LevelBlue. At the same time, AT&T must strive to migrate LevelBlue’s operations seamlessly to reduce customer attrition. Any bump in the road can cause customer concern. Hopefully, there is an arrangement for AT&T sales to still make money upselling LevelBlue, at least in the near term. This will ease the urgency of finding new revenue streams. I hope and expect to see some bold moves in the first year of business where security of and for the above-mentioned future technologies is top of mind. With these investments I would love to see LevelBlue attract seasoned cybersecurity luminaries to drive its future forward. Short of these signposts, the venture risks becoming a divestiture and not an investment into the cybersecurity industry AT&T has served so well for so long.

    I will be tracking this event in the coming months. Briefings from LevelBlue, glowing testimonials from clients and evident investment will perpetuate my optimism about this next era for AT&T’s cybersecurity business.

  • Why This Partnership Is a Win for All of IBM, Palo Alto Networks, and Their Customers

    By Christina Richmond, Richmond Advisory Group

    I've been following the buzz around this IBM-Palo Alto Networks partnership and the related QRadar SaaS acquisition for a while. In some discussions, it’s blown out of proportion; in others, it’s downplayed. In my opinion, it’s a significant and positive development for both companies and their customers.

    There are a few key reasons why IBM and Palo Alto Networks chose to pursue this deal:

    • IBM can focus on its most strategically important businesses, while Palo Alto Networks gains a valuable asset and customer base. Importantly, IBM retains and continues to service its existing on-prem QRadar customers that are not interested in or able to migrate to SaaS.
    • QRadar SaaS customers have the opportunity to benefit from an upgraded security operations product (Cortex XSIAM) and ongoing support for the QRadar SaaS portfolio until they are ready to migrate to the Cortex platform. Migration to the new platform is free for eligible QRadar customers who choose to pay a subscription for Cortex XSIAM, allowing Palo Alto Networks to generate additional revenue.
    • IBM can reinforce its position as a leading security services provider. With IBM Consulting Cybersecurity Services, transformation services will help customers enhance their security operations centers (SOCs) and overall cybersecurity posture, benefiting from Palo Alto Networks’ advanced technology. IBM’s managed security service provider (MSSP) capabilities can provide a fully managed solution for customers that need it.

    So, with all these positives, why is there so much debate in the media? Why are some customers concerned? Let’s break it down to understand the deeper benefits for all parties involved: Palo Alto Networks, IBM, and the customers.

    IBM

    At first glance, it might seem like IBM is selling off valuable assets just to raise cash for research and development (R&D). But there’s more to it than that. A quick history lesson: when IBM’s CEO Arvind Krishna laid out his $1.2 trillion hybrid cloud growth strategy, many were skeptical. However, the Red Hat acquisition has proven successful, especially within IBM’s hybrid cloud consulting business. Similarly, in cybersecurity, Krishna emphasized that clients need more than just a platform; they need deep industry expertise. IBM has always been a leader in technology innovation and services, particularly in cybersecurity, where it consistently garners top industry accolades. Let’s not forget IBM’s three key pillars of growth: hybrid cloud, AI, and cybersecurity.

    Despite selling QRadar SaaS to Palo Alto Networks, IBM isn’t losing access to its customer base and will remain engaged by facilitating upgrades to Cortex XSIAM as part of the free migration services offered to eligible customers. Beyond migration, this allows IBM to continue adding value through critical transformational services, helping clients advance their cybersecurity operations with Cortex XSIAM. Additionally, IBM can broaden engagements to future-proof the enterprise with its AI and quantum technologies and services.

    We’ve seen this before: when IBM sold its PC business to Lenovo in 2004, or when it divested its Global Technology Services (GTS) business to Kyndryl, many doubted the move. But each time, IBM demonstrated a clear strategy and emerged stronger. This deal is another such opportunity, even if some naysayers haven’t caught on yet.

    Palo Alto Networks

    QRadar has long been a sought-after asset in the security information and event management (SIEM) market. While the relevance of traditional SIEM approaches has been debated in recent years, the current installed base for IBM’s SIEM is still substantial. Though the exact number of customers remains undisclosed, it’s significant. With this deal, Palo Alto Networks instantly gains access to thousands of enterprise SIEM customers that have yet to adopt Cortex XSIAM.

    Owning QRadar SaaS further elevates Palo Alto Networks as a leading cybersecurity vendor. Today, Palo Alto Networks is a strong player in security categories like network security, cloud security, endpoint security/XDR, and AI-powered threat detection and response. With Cortex XSIAM and QRadar SaaS, Palo Alto Networks now offers a full-featured SIEM and SOC automation solution, putting it on par with, if not ahead of, competitors like Cisco (which recently acquired Splunk). Combined with its Unit 42 team’s advanced detection and response capabilities, Palo Alto Networks is well-positioned to compete directly with CrowdStrike as well.

    The Customer

    For existing QRadar SaaS customers, this partnership offers a unique opportunity to upgrade their security operations by migrating to Palo Alto Networks’ Cortex XSIAM platform. This move could modernize their security infrastructure using one of the industry’s leading platforms. If they are long-standing IBM customers, they’re already familiar with the value QRadar brings and may even have an MSSP (such as IBM, Kyndryl, or others) in place. However, for various reasons, they may not have previously considered adopting a next-gen SIEM, but now Cortex XSIAM’s cutting-edge capabilities are made more accessible to them as part of the deal. Additionally, customers loyal to IBM can still rely on IBM Consulting Cybersecurity Services to support the migration process, manage their SOC, and provide the transformational services necessary to elevate their security operations.

    The Bottom Line

    The IBM and Palo Alto Networks deal has the potential to be a 1 + 1 = 3 situation for all parties. By collaborating, IBM’s cybersecurity consulting services and Palo Alto Networks’ Cortex XSIAM product increase value for customers, while continuing to offer alternatives to customers that aren’t ready to make the move. IBM should aim to maintain broad relationships with all QRadar clients, and it behooves them to offer competitive pricing to retain those customers. Palo Alto Networks, now a proven platform vendor, can benefit from IBM’s expertise in managed services and rely on IBM’s core services capabilities. As always, the proof will be in the results, but if all goes well, this deal has the potential to benefit all parties, especially the customers.

  • OpenText’s Cybersecurity Momentum

    Notes from OpenText World, 2024

    I was genuinely impressed with what I heard at OpenText World (Las Vegas, November 18-21, 2024) about their cybersecurity capabilities. It’s been about 18 months since they acquired Micro Focus, and they’ve clearly done a lot of integration work. More importantly, they’ve learned how to "speak cyber." The team includes some incredibly smart engineers and product managers from former Micro Focus product lines like Fortify, NetIQ, and ArcSight.

    Not long ago, OpenText also acquired Pillr to strengthen their MDR (Managed Detection and Response) strategy. So, when Mark J. Barrenechea, their CEO and CTO, kicked off the conference with a message centered on “XDR as a service,” I thought, yeah, they can pull this off.

    A Healthy Dose of Analyst Skepticism

    Let’s be real: conferences can sometimes feel like a Kool-Aid fest. You soak up the big ideas, but later, you have to dive into briefings, research, and discovery before forming a solid opinion. That said, I’ve been around the block enough to recognize when something has potential. And so far, I like what I see.

    OpenText’s Evolution: The Fourth Wave

    OpenText has long been synonymous with information management. In his keynote, Mark B. framed the company’s journey through four historical and future "waves," with cybersecurity firmly in the current and future-focused fourth wave. This aligns with their massive investments in AI tools, branded as “Aviators.”

    OpenText's cybersecurity and content management are closely intertwined. Cyber threat detection and response and content management intersect in several meaningful ways, particularly as organizations manage increasing amounts of sensitive information and face evolving cyber threats. OpenText's cybersecurity vision for the fourth wave includes advanced threat detection, response capabilities, and AI-driven vulnerability analysis.

    The overarching theme of the OTW event, “Information Reimagined,” comes with a clear message: let the machines do the work. In OpenText’s view, the cyber war is becoming a machine-to-machine struggle, moving beyond human-versus-machine battles. Of course, those of us following AI developments know we’re not quite there yet. Humans still play (and should play) a critical role. But I appreciate how OpenText is preparing for this shift. During an analyst warm-up session, someone speculated we’re just a couple of years away from this reality. Maybe. Either way, OpenText seems ready to embrace the future.

    Cybersecurity Joins Center Stage

    Towards the end of the keynote, Mr. Barrenechea devoted some time to cybersecurity. It’s not their entire business, of course; by my estimate, it’s about 20-21% of their revenue. That’s just an educated guess, pieced together from old revenue charts from the HP and Micro Focus days.

    Still, cybersecurity is clearly a strategic priority for OpenText. They’ve invested in leadership, like Stephan Jou, Senior Director of Software Engineering, who demoed their Threat Detection and Response dashboard. Jou’s pedigree includes co-founding Interset (a machine-learning cybersecurity firm backed by In-Q-Tel), which was eventually acquired by Micro Focus and then OpenText. It’s encouraging to see someone with deep cybersecurity experience driving this area.

    By the way, did you know OpenText processes 2.1 billion events daily in their threat detection and response platform?

    OpenText’s Cybersecurity Ecosystem

    Think of what OpenText can ingest: asset discovery, endpoint, identity, network, and cloud telemetry. Their ecosystem includes partnerships with Microsoft, SAP, Google, AWS, and cybersecurity players like Palo Alto Networks, CrowdStrike, and SentinelOne.

    Think of what cybersecurity underpins in OpenText: information and content management across multiple business scenarios and the data orchestration layer, augmented by automation and artificial intelligence assistants (Aviators) and across all cloud environments. (See image, “Our Vision for Information Management” below.) A key message I heard at the conference was, “OpenText makes multi-cloud work." That resonates. Their tools are designed to support multi-cloud environments, and cybersecurity naturally plays a critical role in protecting those environments. As they build connectors, APIs, datasets, and platforms, cybersecurity is an integral piece of the puzzle.

    A Glimpse of the Future

    During a separate cybersecurity keynote, Mario Daigle (Vice President, Enterprise Cybersecurity) and Brent Jenkins (Director of Product Marketing) outlined how OpenText plans to stitch everything together into an iterative process of layered protection and adaptive response. One slide in particular caught my attention, offering a teaser of where the company is headed with cybersecurity. (See image “OpenText Delivers A Layered Cybersecurity Defense” below.)

    It’s still early days, but I like what I’m hearing. My process now is to dig deeper: schedule briefings, explore the roadmap, and see more demos of what’s built. But here’s the takeaway for you, whether you’re a buyer or a competitor: don’t underestimate OpenText. Micro Focus brought OpenText a massive legacy customer base, some of the largest corporations in the world, many of whom stick with the tools they know and trust. If OpenText can effectively package and communicate what they have, and it sounds like they’re intent on doing just that, they’ll be a force to be reckoned with in cybersecurity.

    Stay tuned for more.

    PS: If you know me, you know I don’t write anything overtly negative. But if you really know me, you also know how to read between the lines.

  • AI vs. MSPs: The Cybersecurity Showdown for SMBs

    By Carolyn Reuss

    Recently I’ve been talking to a lot of startups and small companies, and the cybersecurity awareness ranges from good citizen (oh, I want to do the right thing) to ostrich (oh, don’t slow me down). Early-stage businesses run like the Wild West: on free or basic SaaS subscriptions from Canva to Carta to QuickBooks, add some software to the cloud, and at some point, they outsource or appoint someone to "deal with" IT. Unless you’re weaving baskets to sell at the general store, digital assets are integral to the success of any business. So how can a small business get comfortable with the plethora of security guides, frameworks, and best practices as they apply to THEIR business? Is hiring a cybersecurity expert the only viable solution?

    Current State

    In 2023, 41% of small businesses were the victims of a cyber attack, yet small businesses, including startups, don’t have cybersecurity expertise. Engaging a consultant is expensive, and some security service providers drive a company into a preset managed service package anyway. I've had many small and medium businesses (SMBs) tell me that their insurer, or maybe a customer, gave them a cybersecurity checklist, driving a flurry of one-time activity into a spreadsheet. Occasionally through this checklist, the COO might latch onto one angle ("we have encryption" or "we have started SOC 2"), so we're good, right? Basic cyber hygiene and ongoing attack surface management is not a priority for an SMB. Yet an organization’s attack surface is the strongest predictor of cyber incidents. Most don't track their supply chain either, making the impact of broad issues like Change Healthcare's ransomware-based outage, Log4j or SolarWinds hard to assess.

    Security Has to Understand the Industry

    A CISO recently told me that every industry he's been in thinks that they are a special snowflake, yet meeting security objectives requires the same jobs. He did admit that the key to success is in mapping these same cybersecurity jobs to that business's outcomes. Large enterprises have a team to interpret cybersecurity into their business. Small businesses do not have the cybersecurity expertise to make that translation, and have to trust external consultants when they decide to tackle cyber risk.

    As an example, let's take one of the 16 critical infrastructure sectors that the Cybersecurity and Infrastructure Security Agency (CISA) has defined, Healthcare, which has many small businesses from healthcare providers to pharma startups. The Change Healthcare ransomware attack affected 80% of hospitals' cash flow, and 74% of hospitals reported that it directly impacted patient care. Managing risk includes understanding what operations can continue when single-threaded points fail, especially when the thread is a third party or beyond. It's not practical for a service provider to get to know a small business that intimately.

    (Image: Essential Critical Infrastructure Sectors)

    Enter Artificial Intelligence (AI)

    AI is the new hammer for every nail, but it needs data to train it. AI-driven detection mechanisms have long been tested in enterprise IT settings because of the need to make sense of enormous amounts of data. However, it's unclear that data to train large language models (LLMs) to guide small businesses, accounting for their specific outcomes, is reliably available.

    (Image: NIST Cybersecurity Framework 2.0)

    Let's consider costs; the best data that I've seen on AI/LLM efficiencies is Microsoft's large-scale training of Security Copilot, which claims security operations center efficiency gains of up to 60% (Detect & Respond). Now, as of April 1, any size business in some US regions can purchase Security Copilot at an hourly rate. At the baseline recommendation of three "Security Compute Units" at $4/hour, that's $2,016 (3 × $4 × 168 hours) for one week of Microsoft's Security AI. For a business making $1M annually, that's probably more than half their security budget.

    We know that AI can be trained to help security analysts; can it help non-IT experts? Beyond Detect in IT, training AI/LLMs to help a small business Identify, Protect and Govern sounds even harder to map. Where is the data to translate cybersecurity to the specific industry of a small business?

    The Ultimate Cyber Assurance

    Having sat on many customer incident response calls, the caller typically starts with "I'm not sure if this is a breach", and often it wasn't! The caller just needed backup, and some assurance that they weren't missing anything. With LLMs being probabilistic, rather than deterministic, are we ready for AI/LLMs to back us up? Training LLMs to make cybersecurity easier to understand might help, but they need a lot of data. Data specific to the last mile, representing the context of a specific business, is hard. You can't automate for the "average" SMB.

    In this ongoing cybersecurity saga, the showdown between AI and human expertise unfolds, with SMBs stuck navigating a complex landscape fraught with risks, hyperbole and return-on-investment (ROI) uncertainties. No wonder there are so many small businesses opting for "ostrich". Left to fend for themselves in the digital frontier, small businesses will continue to be easy pickings. I predict that the number of small business victims will continue to increase until we have a solution that a small business owner can understand in the terms of their business.

    Author Bio: Carolyn is committed to making cybersecurity easier for cleantech, where a lot of companies are SMBs. You can also find her hiking around her home state of Colorado, home to many cleantech wizards and warriors.

  • A Unicorn in Cyber Insurance?

    Let's face it, comprehensive cyber insurance tailored to the unique challenges faced by small and medium-sized enterprises (SMEs) is a rare thing of beauty. I know of a few companies trying to crack the nut on this and just had a chat with Cowbell which warrants this “Conversation”. Cowbell has an interesting approach to cyber risk management and insurance coverage.

One of the features that I find compelling is Cowbell’s emphasis on data-driven risk assessment. Right at the company’s inception, the Cowbell team started building out a risk pool, the foundation for its patented risk rating factors, Cowbell Factors™. There are more than 38 million data points in the company's risk pool, which covers more than 90% of U.S. SMEs, and the company expanded to include UK data last year. Cowbell Factors aggregates and analyzes these data points and uses historical context to monitor how risk evolves against the threats facing each company. Once analyzed, every business is benchmarked against its industry peers across 8 variables and assigned an aggregate rating. Understanding where a company’s cyber risk exposure lies in comparison to its industry enhances risk selection and insurance pricing. A lot of this data is pulled from the wild using public data, but some comes from proprietary partners and even dark web scanners.

Next, Cowbell leverages advanced AI and ML algorithms to conduct a comprehensive evaluation of each SME’s cybersecurity posture. This assessment considers things like the SME’s network security, data protection measures, employee training, and existing vulnerabilities. By gaining insights into the specific risks faced by each business, Cowbell ensures that its insurance policies are tailored to address the most pressing cybersecurity concerns. This all takes place before an SME client engages with Cowbell, so the company has a full view of each potential customer before they request a policy.
Any business can request access to their Cowbell Factors, not just policyholders, which also makes this an attractive public service to anyone who wants to understand whether they are better, worse, or similarly prepared to thwart cyberattacks within their sector compared to their peers. Cowbell customizes coverage options that can be adjusted based on changing threat landscapes and business needs. This can enable the often-overlooked SME community to protect their company against a wide range of cyber risks, including data breaches, ransomware attacks, business interruption, etc.

Cowbell then goes a step further by offering proactive risk mitigation and assessment services to its policyholders. Through its Cowbell Insights platform, SMEs and businesses of all sizes get access to real-time threat intelligence, a risk report on their business, actionable recommendations, and cybersecurity best practices. Another interesting piece is Cowbell’s cybersecurity vendor marketplace, Cowbell RX, which offers policyholders preferred access and pricing to dozens of cybersecurity solutions, offered by reputable organizations that partner with Cowbell. This is especially crucial for an SME looking to strengthen defenses, mitigate potential cyber risks, and minimize the impact of costly cyber incidents. By combining insurance coverage with risk mitigation tools, Cowbell enables SMEs to take a proactive stance against cyber threats while also managing their loss ratios and bottom line.

Cowbell is gearing up this year for advancement with new products and industries. Cowbell is like other cyber insurers in working to simplify the claims process through its UI, but goes a step further by offering cybersecurity experts who possess the expertise needed to assess the impact of cyber incidents accurately.

But hey, this is a conversation and I want to hear from you. Please chime in and let me know what you think of Cowbell (be constructive and follow the rules here). And let me know if there are other companies doing something similar that I should check out. As always, before you join the discussion, please review the guidelines here.

  • Catching Up with HP, Inc on Secure By Design

    I had the good fortune to be invited to the recent HP, Inc. Security Summit in NYC. I haven’t covered HP device security since the company was still attached to its other half, Hewlett Packard Enterprise (HPE), prior to 2016. At the time of the separation, I followed the HPE enterprise side of the house, which ultimately led to the CSC/HPE merger (in 2017) and the creation of DXC. Now, with the launch of my firm, Richmond Advisory Group, I get to dig deep into “Secure by Design” capabilities like those discussed at HP, Inc.’s Summit last week.

The December 11, 2023 event was kicked off by Boris Balacheff, an HP Fellow and the Chief Technologist for Security Research. These security summits can often be light on actual security insights, but this one did not disappoint. We jumped right in with 5 key areas we would cover throughout the day’s event:

    1. Robust certifiable roots of trust
    2. Self-healing and resilience at scale
    3. Threat containment
    4. Zero trust and distributed security at scale
    5. Security across the device lifecycle

The event covered business PC and printer (enterprise and large format) security, but in the interest of brevity I will focus on the PC segment and go-to-market business changes. There was much discussed in our 8-hour day, and some of that was provided under non-disclosure (NDA).

With over two decades of innovating security at the hardware level and a decade of building the HP Endpoint Security Controller into its PCs, the company understands that devices can and should be certified to boot only with validated firmware, should be aware enough to detect anomalous behavior at start-up or during runtime, and should be able to detect, contain and self-heal the device when threats are present. Additionally, devices should be able to do this from cradle to grave. When done properly, security by design inherently enhances a zero-trust journey.
The feature that most impressed me was the security hypervisor that came to HP, Inc. through its Bromium acquisition in 2019, but this is in part because I was catching up on device security. According to Ian Pratt, ex-CEO of Bromium and now Global Head of Security for HP Personal Systems, micro-virtualization is a concept that enables an endpoint to secure itself “by design”. It relies on the built-in features of computer processors to isolate each untrusted user task, such as opening a browser tab, downloading a document, or clicking on a link. This capability was clearly demonstrated live in the session breakouts.

What’s even more interesting to me is where HP, Inc. is headed with the security hypervisor: the security hypervisor can now attest to the state of the application, to the fact that it is running on a particular machine, and to the fact that the hypervisor is running in a given configuration, so that you know what you’re interacting with, independent of the state of the rest of the system. The OS and the other applications in residence don’t matter to the attestation because the application in question is isolated from them. This concept brings zero trust to a new level. While this is certainly not the full extent of a zero-trust journey, as zero trust discussions mostly center on network access and user identity access management, it highlights zero trust on the endpoint. The direction HP, Inc. is taking with the security hypervisor extends the security of individual applications running on the endpoint, driving user confidence that you are talking to an application running in a secure fashion. This then is a “root of trust” with “highly reliable hardware, firmware, and software components”, according to NIST’s Roots of Trust project.

Broadening the zero-trust discussion, the security controller chip, which is always on even when the device is powered off, now has a low-bandwidth, always-on network connection for remote management.
There are many use cases for this feature: asset management, GPS location, and remote lock or wipe when recovery is not possible. Future use cases include real-time security alerts. Attackers are increasingly competent at evading Endpoint Detection and Response (EDR) providers’ detection and response by blocking communication with the cloud or corrupting the list of events sent to the provider. By making use of always-on monitoring outside of the operating system, these kinds of attacks can be avoided.

HP, Inc. has been building the foundation of platform security into its business PCs and printers for years, but is now accelerating customer deployment, control, usage, and operational management. According to Balacheff, this takes endpoint security to a lifecycle approach. Customers realize that they need not only to establish trust in the devices that they procure and deploy for their employees, but also to maintain that trust through the life of the device, from the initial factory environment to decommissioning or redeployment, covering configurations as well as auditing of the hardware and firmware.

From a business standpoint, HP is pivoting from a la carte offerings to a two-tier sales model, which includes Wolf Pro Security and Wolf Enterprise Security. Pro is targeted at the small and midsized business (SMB) market. The Enterprise package adds HP Sure Click Enterprise and HP Sure Access Enterprise and is targeted at larger customers or customers that have a more mature security posture. These are available either bundled with HP hardware or as standalone software (for HP and non-HP PCs). Another subscription is the always-on connection (HP Wolf Connect) discussed above.

Overall, it was great to reconnect with HP, Inc. and to catch up on the advances the company has made in the last several years. The future of secure by design is in good hands with the manufacturer, and I expect some exciting news to come out at CES this week.
But like any intentions, these are not realized until they are announced and delivered in the customer environment. The “proof is in the pudding,” as they say. I’m impressed with the engineering skill the team has amassed, and the company seems to have fully integrated Bromium’s capabilities and to be driving innovation forward as its own HP entity after what must have been a challenging separation from its sister company years ago. One piece of advice I’d offer is to continue to push for lock-step engineering, marketing and delivery of PCs and printers. At the end of the day, an endpoint is an endpoint, and these two device sets need to sing from the same hymn book. While much of what is offered from a security perspective is the same, there are legacy names and siloed businesses that could benefit from greater cross-pollination. I look forward to tracking this progress and to hearing from HP, Inc. on its continued activities with AI, and on standards and certification with NIST and others.

  • What is the Difference Between MDR and XDR and Which Should I Buy?

    As someone who’s researched, written about, and closely tracked the evolution of managed detection and response (MDR) and extended detection and response (XDR), I am not surprised by the current evolution and confusion we are witnessing in both these markets. I try to break down the net-net below.

In the world of cybersecurity, Managed Detection and Response (MDR) and Extended Detection and Response (XDR) are distinct but related approaches. Legacy MDR focused solely on endpoints, lacking the capability to analyze other types of data. XDR initially evolved to address this limitation by considering a broader range of data sources like hybrid cloud, networks, and IoT devices. MDR started as an endpoint managed service, but today MDR providers also ingest a wide range of data, either natively or by integrating XDR. Net-net, over time the line between MDR and XDR has become blurred, with providers offering overlapping capabilities. This blur is further exacerbated by terminology like NDR (network detection and response), MEDR (managed endpoint detection and response), MNDR (managed network detection and response), and MXDR (managed extended detection and response)!

In my book, any time a service provider monitors and manages a client’s environment through a security operations center (SOC), regardless of the telemetry, it is a managed detection and response or MDR engagement. MDR involves continuous monitoring, curated threat intelligence, encryption, threat hunting, threat detection and response, and limited incident response capabilities. These services differ among providers, but they collectively contribute to an organization's cybersecurity defense. MDR and XDR offer a comprehensive analysis of an organization's infrastructure. Often, both centralize threat data in a user-friendly interface, and both now promise improved threat identification and response.
XDR aims to simplify security toolsets and provide automated analytics, despite potential challenges such as disparate technology components leading to excessive noise. MDR addresses challenges presented by EDR and XDR by offering a managed service that handles the complexities of ongoing management and monitoring, by layering on human event analysis, alert triage, vulnerability management, remediation, and threat hunting, and by providing automation playbooks for detection and incident response.

So, which should you purchase? Like most answers in cybersecurity, “it depends”, but generally I would say “both”. One could say if you have a small security team and need extra eyes on glass watching your environment, choose MDR, or if you have a large security team and need to integrate multiple detection and response tools into a cohesive security operations system, choose XDR. But the reality today is that any MDR provider worth its salt will be ingesting multiple telemetries and integrating multiple tools. The better question to ask is: what should I look for in MDR/XDR? For this discussion I’m rolling these together into an MDR service, including native XDR. Hence, you should look for:

    • Round-the-clock monitoring. A 24/7/365 SOC for continuous monitoring is now essential, as threat actors don’t sleep.
    • As broad and diverse a set of detection telemetry as possible.
    • SIEM/SOAR integration (more on these separately in coming blogs).
    • Multiple curated intelligence feeds.
    • Built-in vulnerability management.
    • Reactive and proactive threat hunting. Threat hunting generally encompasses reactive and targeted hunting when an issue is raised. Proactive threat hunting, on the other hand, can identify previously unknown, or ongoing and unremedied, threats within an organization's network, thereby enhancing the organization's security posture.
    • A good-sized bucket of incident response hours (10+), including forensic analysis and remediation, aligned to deeper response when needed and for additional cost.
    • Deep capabilities in playbook automation that apply to your environment, and custom playbook creation where they don’t.
    • Hands-on customer service.

In coming blogs, my colleagues and I will delve more deeply into these technologies and XDR optimization specifically.

Christina Richmond is the founder and principal analyst of Richmond Advisory Group, a cybersecurity market research firm that provides strategic insights, advisory and market research services to cybersecurity vendors, service providers and the investment community. You can follow her on LinkedIn at Christina Richmond or on Twitter @RichmondAdvGrp.

  • We're Drowning in Threat Data Yet We Want More, More, More

    Our quest for heightened threat visibility often involves navigating through a minefield of noisy security alerts. According to some reports, security analysts receive hundreds to thousands of alerts daily. Industry research indicates that a significant percentage of these are false positives, leading to the alarming reality that many analysts and managers ignore a substantial portion of them. But we think we need more data to provide improved insights into our environment. The conundrum is that we often do need more data, but we also need better methods to investigate it. This double-edged sword can increase noise and alert fatigue. Beyond an overwhelming volume of alerts, fragmented security functions contribute to a reactive overload for our operations teams, which is compounded by the persistent talent gap and a lack of automation and orchestration.

To tackle this predicament, we need to take a thoughtful and integrated approach, not just across telemetry ingestion but across people, processes, and technology. We need to advocate for advanced threat detection and response solutions, particularly those leveraging machine learning and artificial intelligence. These technologies can cut through the noise, providing crucial context, reducing redundant analyst efforts, and enhancing the efficacy of incident response. Despite the promises of modern security tools and the treasure trove of logs they provide, the deficiency of diverse sources exacerbates the alert cacophony, because while we have a vast amount of threat data, we don’t have exactly what we need. Abundant, deduplicated, and well-contextualized data can significantly improve our ability to identify and respond to security threats effectively. Therefore, we need to seek out partnerships that offer comprehensive yet curated data and that can help to automate the ingestion and enrichment processes.

Inconsistent data management practices further contribute to the above cyber headaches.
Standardizing formats and protocols, coupled with the automation of ingestion and enrichment processes, ensures consistency across the organization. Integrated security platforms add an extra layer of governance, enhancing security posture and contributing to a more focused cybersecurity strategy. This is where the adoption of a Security Orchestration, Automation and Response (SOAR) platform, which provides a unified approach to integration and automation, can tackle many process aspects of data ingestion while also helping to overcome the hurdles in incident response.

Security teams drowning in reactive tasks can also be limited by isolated security functions within organizations, which can hinder broader visibility. Systematizing our teams’ communication between security functions is essential for seamless and effective threat investigation and response. Organized and streamlined functions can help to reduce alerts and rationalize processes. Meanwhile, the universal cybersecurity talent gap remains a significant hurdle, further prompting us to explore automation and training initiatives. Managed security services or outsourcing may offer a collective lifeline to address this ongoing challenge.

An often overlooked but crucial thread is the significance of threat intelligence sharing among organizations. While we have discussed the challenges of alert fatigue, data noise, and the need for automation, it's imperative to delve deeper into the communal aspect of defending against cyber threats. Imagine a scenario where organizations, irrespective of their industry or size, actively share real-time threat intelligence. This collaborative approach forms a formidable line of defense against the ever-evolving landscape of cyber threats. When one entity detects a new threat or identifies a novel attack vector, sharing this intelligence promptly with others becomes an opportunity to serve the broader industry. Cyber adversaries operate with remarkable speed and agility.
In this context, real-time threat intelligence sharing becomes a proactive measure, allowing organizations to stay one step ahead. The ability to quickly disseminate information about emerging threats empowers the collective defense mechanism, enabling others to fortify their defenses before the adversary strikes again. Threat intelligence sharing also plays a crucial role in breaking down silos that can exist between internal and external organizations. Externally, the cybersecurity landscape is a shared space, and the threats faced by one can have repercussions for many. By fostering a culture of mutually beneficial engagement, organizations contribute not only to their own security but to the security of the entire digital ecosystem. As we navigate the complexities of modern cybersecurity, let’s not underestimate the power of collaboration. Advocating for and actively participating in threat intelligence sharing initiatives can transform the cybersecurity landscape from a battlefield of isolated defenses to a unified front against cyber threats. The collective challenges of cybersecurity demand a united and strategic approach. By embracing shared threat intelligence, promoting integration and automation, fostering collaboration, addressing talent gaps, and prioritizing proactive measures, organizations can navigate the complexities of the cybersecurity landscape more effectively. It is a shared responsibility to cut through the noise, streamline operations, and fortify our defenses against evolving threats. By sharing insights, tactics, and threat indicators, organizations contribute to a shared defense that is more resilient, agile, and prepared to face the dynamic challenges of the digital age. Heightened threat visibility without increasing alert fatigue can be achieved with additional security data that is curated from our own tools and through a broader ecosystem of partners. 
If ingested and normalized using automation, orchestration, and machine learning capabilities, we can not only streamline the amount of data we consume but also reduce distraction across people and processes. These advanced threat detection and response solutions can cut alert noise, provide relevant context, and reduce unnecessary analyst effort while improving our incident response efforts.

by Christina Richmond, Principal Analyst, Richmond Advisory Group
