Notes on briefings – Osterman Research (https://ostermanresearch.com)
Insightful research that impacts organizations

Notes on our discussion with SixMap – the RSAC2024 files
https://ostermanresearch.com/2024/07/01/rsac2024-sixmap/ – Published Mon, 01 Jul 2024 03:49:42 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Austin Murdock (Founder and CEO) and Rüya Barrett (Chief Marketing Officer) of SixMap. The briefing was organized by Leslie Kesselring and Donna Estrin of Kesselring Communications.

Key takeaways from our conversation:

  • SixMap offers a cyber defense platform to give customers visibility of where attackers could target them. This is enriched with threat intelligence and the ability to take action to stop attacks. In terms of security category, SixMap’s offering is a continuous threat exposure management (CTEM) solution.
  • SixMap is focused on the enterprise market, which it defines as globally-distributed organizations with 5,000 or more employees. In other words, organizations with complex IT infrastructures, multiple areas of IT responsibility, and many potential points of entry for attackers.
  • Onboarding with SixMap is simple; it starts by providing your company name. SixMap uses its smarts to enumerate all associated entities, subsidiaries, acquisitions, and affiliated third parties across all locations. SixMap says this provides a picture of what is actually being defended, and replaces manual processes previously centered around spreadsheets, emails, and other types of coordination. Once the picture is known, SixMap discovers all internet-connected assets and devices, and scans all ports to look for exploitable vulnerabilities and misconfigurations. This map of potential compromise areas is enriched with SixMap’s global threat intelligence on threat actor activity. It offers various forms of remediation (SOC updates, solution blueprints), can validate that remediations were correctly implemented, and if agreed by the customer, can remotely auto-fix vulnerabilities with no action required by the customer.
  • Giving customers the ability to take action based on visibility and intelligence is critically important to SixMap. It seeks to solve for the problem of too much data (overwhelming volumes, unclear impact) and not enough time (chasing low-value alerts, for example). SixMap says it has reduced actionable alerts by 99.9% in customer engagements.

For more, see SixMap.

Notes on our discussion with Cobalt – the RSAC2024 files
https://ostermanresearch.com/2024/06/21/rsac2024-cobalt/ – Published Fri, 21 Jun 2024 04:48:36 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Lisa Matherly (Chief Marketing Officer), Anne Nielsen, and Jason Lamar (Senior Vice President of Product) of Cobalt. The briefing was organized by Caroline Wong (Chief Strategy Officer), who was unable to attend due to other meetings at RSAC.

Key takeaways from our conversation:

  • Cobalt offers a marketplace for pentesting. Companies that want a pentest performed engage with Cobalt to find a best-fit pentester, based on matching their description of the pentest engagement with the skills, capabilities, and expertise of the pentesters available via the Cobalt marketplace. Cobalt calls its offering Pentest as a Service (PtaaS). We wrote a report for Cobalt back in early 2020 on PtaaS.
  • Becoming a Cobalt pentester is a non-trivial exercise. It is very hard to get into the program. Cobalt says it has more than 400 trusted security experts (pentesters) in their community, and they work with thousands of customers.
  • Based on the value organizations have obtained from Cobalt’s initial PtaaS offerings, Cobalt is being asked to offer complementary services, such as threat modeling, source code review, and LLM review. Getting another set of eyes plus an external perspective on source code, for example, enables the identification of security issues much earlier in the application development lifecycle. That’s good for everyone (except bad actors).
  • Cobalt published its sixth annual State of Pentesting Report just before the RSAC 2024 conference. It presents data from two data sets – 4,068 pentests in 2023 and 904 responses from security practitioners to a survey run from mid-March 2024. As would be expected, AI features prominently in the report.

For more, see Cobalt.

Notes on our discussion with HYAS Infosec – the RSAC2024 files
https://ostermanresearch.com/2024/06/20/rsac2024-hyasinfosec/ – Published Thu, 20 Jun 2024 04:48:16 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with David Ratner (CEO) of HYAS Infosec. The briefing was organized by Dan Chmielewski of Madison Alexander PR.

Key takeaways from our conversation and some subsequent research:

  • David joined HYAS four years ago after the Series A funding round. David previously worked at several firms that we hadn’t heard of in 20 years – such as Software.com and Openwave. Wow, they were good days.
  • As a principle for cybersecurity, David is more attracted to resilience than prevention. David said that all the major systems we rely on in daily life are built around resilience, while most cybersecurity strategies put prevention (stop and block) at the center. If resilience is embraced as the core principle in cybersecurity, then the consequential goal is minimizing the impact of any adversarial action. While David didn’t use the terms (at least, according to our notes), the common cybersecurity sayings “assume breach” and “when, not if” reflect the same underlying principle of resilience.
  • HYAS has three core offerings – Protect, Insight, and Confront.
  • HYAS Protect is a protective DNS offering for the corporate environment, which applies threat intelligence data to decisions on all DNS queries and responses. For example, if traffic to malicious domains, IP addresses or nameservers is detected – based on threat intelligence data – that traffic is blocked. This puts in place an internal defensive mechanism that stops users, devices and servers from interacting with known-bad infrastructure, and thus prevents interaction with command and control infrastructure used by threat actors. If the infrastructure is atypical or abnormal based on usual DNS patterns, that too is highlighted – so decisions can be made on validity.
  • HYAS Confront offers the same protections for production traffic, spanning data centers, cloud, multi-cloud, and hybrid environments. Based on continuous analysis of normal behavior, Confront detects when internal actors start acting badly or malicious external parties breach current security controls.
  • HYAS Insight is different. It combines threat intelligence with investigation capabilities, so security and fraud investigation teams can identify where attacks are coming from, map the threat actor’s infrastructure, and have better insight on how to respond. While security and fraud teams can run such a program themselves with HYAS Insight, HYAS also has a team of experts able to assist customers with investigations (HYAS Intelligence Services).
  • HYAS is exploring how AI can be used by adversaries to power threat campaigns. They have released a proof of concept for AI-synthesized, polymorphic, and fully autonomous malware, along with another proof of concept for how LLMs can be exploited by a polymorphic keylogger that evades EDR detection. See EYESPY and BlackMamba for details.

For more, see HYAS Infosec.

Notes on our discussion with Trend Micro – the RSAC2024 files
https://ostermanresearch.com/2024/06/19/rsac2024-trendmicro/ – Published Wed, 19 Jun 2024 03:40:09 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Kris Anderson (Director, Product Management) and Matthew Blair (Analyst Relations Manager) of Trend Micro. Matthew organized the briefing.

Key takeaways:

  • Trend Micro is a large vendor with a diverse and extensive range of cybersecurity products and services. It was never the intent to have an exhaustive discussion.
  • Kris’s team is responsible for the product management of multiple Trend tools including endpoint security; extended detection and response; attack surface and risk management; and zero trust.
  • Blended multi- and cross-channel phishing attacks are a growing problem for organizations, particularly when security tools are implemented in silos and don’t correlate threat signals. For example, the perceived validity of a communication is greatly increased when an email message is immediately followed by a Zoom call to confirm receipt and request immediate action. When this is a malicious chain of communication events, however, this socially engineered validity can result in great damage to an organization’s reputation and finances. Detection of these blended attacks and of the use of deepfake video calls are current areas of investment for Trend Micro.
  • Trend’s attack surface risk management offering currently works across endpoints, internet-facing assets, identity, applications and cloud assets, and assigns risk levels based on the likelihood of compromise and the potential business impact. Trend Vision One – Attack Surface Risk Management combines multiple product categories in a single offering, such as external attack surface management, vulnerability prioritization, and cloud security posture management. For more, see Trend Micro.
  • With respect to AI and cybersecurity, Trend is interested in both angles: the use of AI for cybersecurity and cybersecurity for the use of AI. For the latter, think malformed requests, model drift, and prompt injection type of attacks. This, also, is an area of ongoing investment – as it was for most of the vendors at RSAC 2024.

For more, see Trend Micro.

Notes on our discussion with Salt Security – the RSAC2024 files
https://ostermanresearch.com/2024/06/15/rsac2024-saltsecurity/ – Published Fri, 14 Jun 2024 23:35:08 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Michael Callahan (Chief Marketing Officer) of Salt Security. The briefing was organized by Jordan Steffan of ICR Lumina.

Key takeaways from the briefing:

  • Salt was founded six years ago with a focus on API security.
  • APIs are a big deal, given how frequently they are used by applications to share information. Michael said that some companies see 4-5 billion API calls/month – a massive number – and the challenge is to be able to detect the bad calls.
  • When Salt engages with a potential customer, many say they don’t even know what APIs they have. This is partly due to loose governance around API creation, lack of documentation, rapid change cadences, and ongoing app modernization. Hence, discovering what exists is the first port of call for many customers. Optics and visibility first, control and oversight second.
  • As APIs are discovered, Salt’s toolkit analyzes APIs for similarities. One reason for this is to highlight areas for rationalization of the number and diversity of APIs, thus driving standardization and reducing the API attack surface / threat scope.
  • Salt’s toolkit also continually analyzes APIs for deviation from policy, such as the absence of up-to-date documentation.
  • Michael demonstrated how a developer can use ChatGPT to write an API for a system, based on declarative statements of requirements, etc. Within seconds of giving the prompt, a new API was written. While powerful, Michael’s point was that generative AI used for API development will greatly expand the number of APIs in use, and thus the variation between APIs, and hence the attack surface / threat scope.
  • Salt’s AI engine – called Pepper (as in, salt and pepper) – is used across the Salt platform for continuous discovery, posture analysis, and threat detection. Salt says Pepper is an “exhaustive investigator” in the discovery phase, even finding undocumented APIs and those embedded in microservices. In the posture analysis / assurance phase, Pepper analyzes for “deviations from security best practices and highlight[s] insecure configurations.” And in the behavioral threat protection phase, Pepper looks for abnormal, anomalous, suspicious, and potentially malicious exploits and attacks.

For more, see Salt Security.

Notes on our discussion with LightBeam – the RSAC2024 files
https://ostermanresearch.com/2024/06/13/rsac2024-lightbeam/ – Published Thu, 13 Jun 2024 04:55:42 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Priyadarshi (PD) Prasad (co-founder and CPO), Himanshu Shukla (co-founder and CEO), and Jimmy Phipps (Regional VP of Sales, East) of LightBeam. The briefing was organized by the LightBeam team.

Key takeaways from the briefing:

  • LightBeam was founded in 2020. Its co-founders worked at Nutanix before starting LightBeam together. The company recently had an oversubscribed Series A funding round which netted $17.8 million for expanding go-to-market initiatives and continued investment in building out the product.
  • LightBeam is focused on shining light on / discovering / making visible the sensitive data held within organizations. In our research programs, lack of awareness of what data exists is a common theme (e.g., see Figure 16 in our report Privacy Compliance in North America: Status and Progress in 2023), so this is a massive area of concern in a world increasingly defined by data privacy and data protection regulations.
  • LightBeam sees data security, privacy, and governance as a coherent / unified play, not a disconnected one. Its platform addresses all three areas in a unified way, which means that organizations have the opportunity to reduce the number of disparate systems for each of these areas. For example, when sensitive data is found (discovered), the platform also includes compensating controls to address data security risks, such as redaction and anonymization. For authorized individuals, redaction can be temporarily reversed on demand.
  • The LightBeam product is offered as an on-premises or private cloud solution, not a public cloud service. This is important within highly regulated industries, such as financial services and healthcare, that want control over where their data is stored, indexed, analyzed, processed, etc. Many of LightBeam’s current clients are in these and related industries, and the company has seen nearly 300% growth over the past year in customers led by these industries.
  • LightBeam includes capabilities for customers / consumers to initiate a data subject access request (DSAR) from a portal. LightBeam pulls together the requested data, based on its previous data discovery for any given person, using entity matching and correlation to differentiate between individuals. The DSAR is completed using automation, not manual effort, and is therefore both less costly to perform and much more responsive to consumer requests.
  • Another automation enabled by LightBeam is reporting on who has access to sensitive data in any given system. This helps with ensuring access rights are correctly defined and implemented, and trimming access rights wherever possible to reduce inadvertent data leaks.
  • LightBeam’s first use case is for the detection of sensitive data. Building on this base are additional use cases, such as the detection of intellectual property – and the establishment of appropriate controls to stop malicious and unauthorized access. The business value, therefore, is measured as the value of the reduction of data breaches due to proactive corrective action flowing from deep visibility.

For more, see LightBeam.

Notes on our discussion with Optery – the RSAC2024 files
https://ostermanresearch.com/2024/06/05/rsac2024-optery/ – Published Wed, 05 Jun 2024 04:11:54 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Paul Mander (GM, Optery for Business) of Optery. The briefing was organized by the Optery team.

Key takeaways from the briefing and some additional research:

  • Optery has been in business for four years. There’s a consumer play and a business play. Paul is the GM of the business side.
  • The key idea behind Optery is the removal of unwanted, unwarranted, or excessive personal data held across the internet, most of it due to surreptitious data sharing agreements between a site where an individual has an account or presence and a host of data aggregators and brokers. This sharing of data results in the creation of personal and sensitive data sets on individuals – name, address, contact details, etc. – being more widely available than what the individual has directly authorized. Optery says they find an average of more than 100 profiles per person.
  • On the consumer side, individuals can sign up for Optery’s service for free. Optery periodically scans for personal data held by data broker companies (over 330 sites at the time of the briefing) – and can scan on demand for a consumer, too. If data that the individual wants to control is located on any sites they haven’t authorized, Optery will send removal requests on behalf of the individual. While there is no fee for periodic scanning, there is a fee for initiating the data removal process. Pricing for removal is graduated by the number of sites and the approach taken by Optery. See Optery’s site for consumer pricing and details, including the list of data broker sites covered by removal requests (depending on pricing tier).
  • On the business side, Optery thinks about employee PII as an “attack surface”: the ability for someone to gain knowledge about employees, based on data that they or their business haven’t authorized for release and aggregation, creates opportunities for assessing weaknesses for cyberattacks (e.g., phishing, BEC, voice phishing) and physical attacks (it’s an increasingly dangerous world). Within the growing realm of data privacy regulations and compliance mandates that cover an increasing set of companies, being proactive about data removal from unauthorized sites reduces this attack surface.
  • We really liked the idea of proactively reducing the amount of unauthorized data available on individuals and employees – data that can be used to build profiles for cyberattacks (such as phishing) or physical threats (if they know where you live, they can harass / stalk / harm you … or your family for use as leverage against you).

For more, see Optery.

Notes on our briefing with Securiti – the RSAC2024 files
https://ostermanresearch.com/2024/06/01/rsac2024-securiti/ – Published Fri, 31 May 2024 19:12:04 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Eric Andrews (VP, Marketing) of Securiti. The briefing was organized by Eric.

Key takeaways from the briefing and some subsequent research:

  • Securiti has been in business for almost five years.
  • Their key focus is driving convergence around data, so that it can be used for making decisions (“data intelligence”). Eric said that the senior leaders they speak with are particularly vocal on the pain / problem of disconnected data, because it makes important aspects of running a business much more difficult, e.g., shaping understanding, enabling cross-team collaboration, and making decisions.
  • The emergence of generative AI and its impact on the creation of more unstructured data has made the problem of disconnected data worse.
  • Securiti has created a knowledge graph for creating an overall understanding of what data is available inside the organization, where it is located, who has access to it, and which regulations are applicable. Eric talks about this as the underlying platform for Securiti and its customers, on top of which multiple use cases can be built. Securiti doesn’t create an aggregated store of all data in the organization; rather it creates a graph of all data while leaving it where it is and subject to the access controls already established.
  • “Shadow AI” is the next frontier of “shadow something” in organizations. It is easy for people / groups to use whatever AI systems they want. It is harder for organizations to have guardrails, oversight, and where necessary, control.
  • Securiti announced an LLM firewall the week before RSAC (see press release) – well, actually three firewalls in one product. See the diagram below (the flow runs right to left and back again). The Securiti LLM Firewall protects three processes of using prompt-based LLMs – the initial prompt, the retrieval of data, and the release of data to the requesting user / process. The initial prompt must traverse the prompt firewall, and this blocks threats such as prompt injection, the inclusion of sensitive data in prompts, and attempts to bypass security guardrails. The retrieval firewall ensures that only data the user has access to is used in formulating an answer to the prompt, redacts sensitive data, and checks for data poisoning. Finally, the response firewall does a final check before data is presented to the user / process to redact sensitive information and prevent the release of toxic content or prohibited topics.
  • Securiti published a report on securing generative AI applications, which explores the threat to generative AI and LLMs and where its firewall plays.
  • Securiti has a much broader set of product capabilities for data discovery, intelligence, and governance. We didn’t have time to explore the full product set.

For more, see Securiti.

Notes on our briefing with Cohesity – the RSAC2024 files
https://ostermanresearch.com/2024/06/01/rsac2024-cohesity/ – Published Fri, 31 May 2024 18:54:49 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with the Cohesity team: Frank Sessions (Head of Analyst Relations), Sheetal Venkatesh (Director of Product Management), and Chris Hoff (Product Marketing Lead). The briefing was organized by the analyst relations team at Cohesity.

Key takeaways from the briefing and some subsequent explorations:

  • Cohesity was founded 10 years ago. The company focuses on providing ways for organizations to manage, secure, and drive insights around their secondary data. This means data that is backed up, rather than primary / production data. Cohesity is highly focused on how organizations can drive insights off their secondary data – rather than letting it just ROT (become redundant, obsolete, or trivial) over time.
  • Cohesity has more than 4,000 customers and serves 42% of the Fortune 100. In February, the company announced a definitive agreement to merge with the data protection business part of Veritas, creating a joint company with deep strengths in data security and management. Once the merger closes, the combined entity will have more than 10,000 customers and 3,000 partners.
  • Cohesity Data Cloud is a service for capturing, managing, securing, and protecting a customer’s secondary data. It includes capabilities for backup and archival, threat scanning, data masking, eDiscovery, and (much) more. Cohesity says that its offer of a unified platform for data management and security reduces costs for organizations by 50% and enables much faster recovery times in the case of a cyberattack. 
  • Cohesity Gaia is a new AI agent that works across the data a customer stores in the Cohesity Data Cloud. It is the next generation of the insight-driven capabilities that Cohesity has created. Gaia combines LLM technology with retrieval augmented generation (RAG), the latter of which searches for customer-specific content in order to provide context to a prompt. Both the context and the prompt are then passed to the LLM for generating an answer. The early use cases are around legal and compliance matters (e.g., what happened in case X?), but support for additional use cases is coming. For more on Gaia, see Cohesity’s white paper.
  • Cohesity wrapped a bus and at least three taxis for the show. They seemed ever-present whenever we left the underground show floor.

For more, see Cohesity.

Notes on our briefing with Cybersixgill – the RSAC2024 files
https://ostermanresearch.com/2024/05/24/rsac2024-cybersixgill/ – Published Fri, 24 May 2024 02:45:50 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Christopher Strand (Chief Risk and Compliance Officer) of Cybersixgill. The briefing was organized by Liz Youngs of Trier and Company.

Key takeaways:

  • Cybersixgill offers automated threat intelligence solutions drawing on data collected from the clear, deep and dark webs. Their website puts it this way: Cybersixgill covertly extracts data in real-time from a wide range of sources, including limited-access deep and dark web forums and markets, invite-only messaging groups, code repositories, paste sites and clear web platforms.
  • Cybersixgill’s approach delivers threat intelligence as more than just a threat intel feed. It aggregates data in a data lake, enabling the addition of context to newly curated data, which is aimed at helping security defenders make better informed decisions on mitigations and responses. 
  • If you are a Cybersixgill customer, you can receive threat reports for your vertical industry periodically (depending on your service level). This is a written report to provide analysis and context. It is complementary to the context-rich threat intelligence data.
  • The company is investing in building out the conceptual framework of a risk intelligence approach. Threat intelligence is part of this framework, but not the whole story anymore. Risk intelligence is a long-term play for Cybersixgill. Christopher has written a couple of blog posts on this topic – see part 1 and part 2.
  • In terms of risk intelligence, the big idea is moving beyond threat intelligence only to incorporate vulnerability intelligence (identifying and prioritizing), attack surface intelligence (gap identification for defense fortification), third-party intelligence (assessing security posture of supply chains and third-parties), and regulatory intelligence (sector/industry-specific regulations). It is, therefore, a much more holistic view of risk beyond adversary intent, capabilities, and techniques.
  • See also our write-up on Cybersixgill’s State of the Underground 2024 report.

For more, see Cybersixgill.
