📡 Cybersecurity Innovation Pulse #18: NIST CSF v2; Acoustic Attacks; CloudSec Mkt. $62.9B by 2028; Big Tech's Love for Rust; DARPA's AIxCC; 15+ Security Product Announcements
Covering Aug. 3rd - Aug. 10th of 2023
Welcome to Issue 18 of the Cybersecurity Innovation Pulse! I'm Darwin Salazar, your guide to the dynamic world of cybersecurity innovation. Each week, I deliver the latest on product launches, groundbreaking innovations, strategic collaborations, and other developments at the intersection of innovation and cybersecurity. If you find value in these updates, consider becoming a paid subscriber for access to our archive and exclusive posts. Subscribing ensures you receive these insights directly, saving time and keeping you ahead of the curve.
Introduction
As par for the course, this week has been bursting with blockbuster news, and it's still not over yet! From startups emerging from stealth and securing funding to a wave of GenAIxSecurity product announcements, M&A rumors, and significant government initiatives… you get the point. With Hacker Summer Camp in full swing, the industry is abuzz with news. In this issue, I'll cut through the noise to deliver the truly cutting-edge and industry-shifting news that matters. Enjoy!
Top Stories
NIST Unveils New Version of Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has released a new version of its widely adopted Cybersecurity Framework (CSF). If you’ve worked in cybersecurity for any amount of time, you’ve probably come across the NIST CSF. The updates include the addition of a 6th function, “Govern”. The guidance states that “Govern is in the center of the wheel because it informs how an organization will implement the other five Functions”. Source
Cloud Security Market to Reach $62.9 Billion by 2028
The global cloud security market, currently valued at $40.7 billion, is projected to reach $62.9 billion by 2028, growing at a compound annual growth rate (CAGR) of 9.1%, according to a recent report by MarketsandMarkets.
Acoustic Attacks: AI's Role in Audio Snooping
A recent study revealing that AI can identify passwords by the sound of keys being pressed, with 90% accuracy, has raised new concerns about audio snooping. Pretty effing wild. This finding not only underscores the evolving nature of security threats but is also a stark reminder that as technology advances, so does the way in which attackers manipulate these technologies. If you’d like to dig into the details of an acoustic attack and how you can defend yourself against it, check out this post by the folks over at Sophos.
OWASP Releases Top 10 for Large Language Models (LLMs)
The Open Worldwide Application Security Project (OWASP) has unveiled the industry's first standard for LLMs, identifying the top 10 most critical vulnerabilities. This guidance is designed to assist developers and security professionals in safely implementing LLMs within the enterprise and applications. Prompt Injection ranks as the #1 vulnerability that the AI security community is concerned about. The fact that LLMs have received a “Top 10” list so quickly reflects the seriousness of the issue and the rapid adoption of LLMs in the enterprise. Kudos to all 500+ contributors, especially Steve Wilson of Contrast Security, who led the effort. Source
Google and Microsoft Adopt Rust for Security
It seems that both Google, Microsoft and many other leading tech co’s are turning to the Rust programming language for its comprehensive security features. Rust's "memory safety" features prevent common errors like buffer overflows, which can lead to vulnerabilities. Unlike some other languages, Rust enforces strict rules at compile time, catching potential errors before execution. This proactive approach minimizes memory-related bugs, often exploited by attackers. Source
DARPA Sponsors Competition for AI Innovation and Cybersecurity
The Defense Advanced Research Projects Agency (DARPA) is sponsoring a two-year competition called “AI Cyber Challenge (AIxCC)” to foster innovation in AI and cybersecurity. The purpose of the challenge is to drive the creation of new AI-based security solutions to enhance national security and defense. Anthropic, Google, Microsoft, OpenAI, and OpenSSF will all help the participating teams in developing their solutions. AIxCC will be split into two phases, over the next two years, and will be held at DEF CON. Source
Security Product Innovation
Dropzone AI has launched its autonomous AI agent designed to investigate security alerts. Along with the launch, the company has raised $3.5 million in seed funding led by Decibel Partners. The AI agent aims to automate the investigation process, providing a more efficient response to security threats. Of course, the efficacy and accuracy of the solution haven’t been tested against an industry benchmark because one doesn’t exist yet so it’s hard to evaluate the solution from the outside. However, when I think about the future of cybersecurity, it is clearly fine-tuned autonomous security agents that have been trained through tens of thousands of different scenarios and are given the agency to act on their own (and a human somewhere in the loop). Source
Sweet Security has introduced a new runtime management solution for cloud environments. The solution leverages eBPF among other technologies to help detect and stop attacks on cloud workloads at runtime. The startup also highlights that it has a very light footprint and doesn’t eat up the compute resources which is often an issue with agent-based solutions. While the solution sounds solid, what stands out to me the most is the founding team which includes the former CISO of the Israeli Defense Forces (IDF) and also the investors that contributed to the startup’s $12M recent seed round. With all this momentum, it’ll be interesting to see the impact they have over the coming years. Source
Protect AI has acquired Huntr.dev and unveiled a bug bounty platform specifically targeting AI and ML. The CEO of Protect AI, Ian Swanson, states that this will be “the highest paying AI/ML bounties available to the hacking community”. Source
NetSPI has introduced a specialized penetration testing tool tailored for AI and ML systems. This solution helps pinpoint, examine, and fix vulnerabilities in ML systems like large language models and offers practical recommendations/guidance. Source
SandboxAQ has released a new meta-library designed to assist developers in implementing post-quantum cryptography. This library provides a collection of tools and resources to help developers navigate the complex landscape of quantum-resistant cryptographic algorithms. SandboxAQ is definitely a company everyone should be keeping their eye on as they’re doing amazing work and are backed by industry titans. Source
StepSecurity has launched its GitHub Actions Security Platform which helps defend against CI/CD attacks that leverage GitHub Actions. Source
TrustedSec has launched its Impede Detection Platform, a security solution designed to detect and respond to threats in real-time. The platform leverages machine learning and behavioral analytics to provide more accurate threat detection. Its features include attack validation commands and an attack simulation sandbox. Source
Tenable has launched ExposureAI which will be embedded into their One Exposure Management Platform. The solution essentially leverages Generative AI to translate natural language into queries to help users ask pinpointed questions about their asset inventory without constructing robust queries. Source
CyberSixgill has introduced new AI capabilities to its threat intelligence platform, CyberSixgill IQ. These enhancements aim to provide more accurate and actionable insights into emerging threats by correlating threat intelligence to an organization’s asset inventory and business context. source
Abnormal Security has introduced CheckGPT, a new tool designed to detect and combat AI-driven email threats such as WormGPT. CheckGPT leverages advanced and in-depth algorithms to identify malicious emails generated by AI. Plenty more details about what the solution is doing under the hood in this SiliconAngle post.
Thales has partnered with Google Cloud Platform (GCP) to provide AI-powered data discovery and classification powered by GCP’s Vertex AI. Source
AttackIQ has expanded its security testing offerings with its “Flex” and “Ready” solutions which will focus on small and medium-sized businesses (SMBs). The new products aim to democratize security testing, making it accessible to a broader range of organizations while dispelling the notion that adversary emulation is reserved for “mature” organizations. Source
GitHub has updated its Copilot tool to notify developers when its code suggestions match code found in a public repository. This feature enhances transparency and helps developers with building secure apps. Source
Microsoft's Azure Firewall has received a security upgrade through integration with Illumio. This enhancement aims to provide more robust protection for cloud workloads, reflecting the growing importance of securing cloud environments as businesses continue to adopt cloud services. Source
More News
Check Point buys Perimeter 81 for $490M to enhance its security tools for hybrid and remote workers
Rubrik acquires data security startup Laminar for reported $100M+
How to leverage large language models without breaking the bank
Ermetic releases CNAPPgoat open source project for assessing multi-cloud security
Conclusion
And that's a wrap for this week, folks! With DEF CON pending, next week’s issue is bound to have more blockbuster news. I’ll be on the ground soaking up all the latest research and catching up with friends. If you see me, say hello!
Lastly, your feedback is the fuel that keeps this newsletter going, so don't hesitate to let me know what you loved, liked, or would like to see improved. If you found value in this issue, why not share it with a friend or consider becoming a paid subscriber? Each week, I sift through over a thousand headlines to bring you the most impactful stories that are driving innovation in cybersecurity. Your support lets me know that this work is making a difference.