TCP #70: Horizontal Security; Icebergs; and Product News
Security Product News | Dec 18th, 2024 - Jan. 7th, 2025
Welcome to Issue 70 of The Cybersecurity Pulse! I'm Darwin Salazar, PM at Monad and former Detection Engineer. Each week, I explore the latest security product innovation and industry news. Stay ahead of security trends and themes by subscribing below to receive weekly digests directly to your inbox. Share with a friend if already sub’d! 📩
Welcome to the first issue of 2025! I hope you all had a wonderful holiday break and were able to enjoy some downtime with your loved ones.
Reflecting a bit on 2024, it was an amazing year. Lots of growth on all fronts including with my writing. Last year, I published 61 pieces with over 150K total views across the newsletter and my work at Monad. We also grew our community from 1969 subscribers to 4433, a 125% increase.
While vanity metrics are a great short-lived dopamine boost, what matters most to me is the fulfillment I find in researching and staying up to date on all the latest required to write TCP.
That said, thank you for your continued support and feedback which has turned TCP into a community favorite amongst builders, founders, and investors. This year will continue to include our staple weeklies with many more opinionated posts on certain domains and winning GTM tactics.
Very much looking forward to continuing to grow with you all and I wish you nothing but the best in this new year! Here's to an amazing 2025 🥂
Now, let's cyber! 🕺🏽
Picks of the Week🎯
Don’t Trust Vendor Claims About Getting 100% On The MITRE ATT&CK Evaluations 🌶️🌶️🌶️
If everyone gets a 1st place trophy then aren't they all just participation trophies? If you've been on "Cybersecurity LinkedIn" for any length of time, then you've probably seen vendors doing the victory lap stating they've scored 100% on the MITRE ATT&CK evaluation and that they're the best solution on the market.
To me, it's always smelled like marketing fluff and in this post, Forrester's Allie Mellen breaks down why that's partly true. Of course, this is not to say that the evaluation doesn't serve a purpose, but it should be taken with several grains of salt. I'm sure there are several vendors that have scored 100% but still have customers getting popped by attackers using the tactics + techniques covered in the ATT&CK framework.
This is a master class by
on what's to come next for security data storage and analytics platforms. Many SIEMs, including "next-gen" SIEMs, still fall short of the scaling + performance needs of security teams. This often leads to high costs and trade-offs on retention and what data to ingest. In the post, Jack talks about why Apache Iceberg may change the game and how Amazon's adoption of it via S3 Tables will accelerate adoption.
2025 Cloud Security Predictions: Trends to Look Out for
Wiz recently released their predictions for the year and they are:
1. Federated models will dominate cloud security operations
2. Horizontal security will replace vertical silos
3. Leveraging (and protecting) AI will be essential for security
4. Supply chain security will be a top concern
5. Identity takes center stage in cloud security
6. Nation-state threats will drive innovation in defense strategies
Of all, I think #1, #3, and #5 will be the biggest themes of the year. AI adoption will only increase and there's a seismic shift going on now that enterprises' cloud strategies are maturing. Both of these are a huge cause for increased focus on identity, especially non-human identities.
Tenable CEO Amit Yoran Passes at 54
This is a very tragic loss for the security community. From the reactions I've seen on LinkedIn and in inner circles, Amit was an exemplary leader and an even better human being. The world and our industry are a much better place because of him. RIP Amit and prayers to his loved ones 🙏
Why Big Data Will Rule Cybersecurity in 2025
In this podcast interview, Founder and CTO of Palo Alto Networks, Nir Zuk, discusses how he's thinking about security in 2025 and the role big data will play for vendors and enterprises alike.
Product News 📰
Before we jump into the specific domains, I quickly wanted to highlight Wiz's new integration page and the stellar job they've done with their partnership network. It's easy to build an API integration that pulls/sends data from/to another app, but what Wiz has done is much grander and deeper.
They’ve built bi-directional use cases that enhance the user experience and value received by the mutual customer they share with their integrating partner. This requires much more strategy and collaboration with the security ecosystem and Wiz has done this extremely well.
Proud to be a part of the program via Monad! Huge kudos to Oron, Daphna, Annam and the rest of the team!
Application Security
Veracode Buys Package Analysis Startup From Phylum
Veracode has acquired Phylum, a software supply chain security company and the 2022 Black Hat Innovation Spotlight competition winner. Phylum focuses on malicious package detection/prevention and is trusted by orgs like Chipotle, U.S. Air Force and Rad Security. Acquisition amount is undisclosed.
Identity Security
1Password acquires Trelica to extend its cybersecurity capabilities
Trelica is a solution that focuses on discovering shadow IT + SaaS Apps. This is a great pick up by 1Password as they're already heavily integrated with all kinds of apps.
Seems like 1P will marry Trelica's capabilities with their Extended Access Management product which was unveiled last May and enables SSO + provides control over login requests.
Security Operations
CyTwist Launches Solution to identify AI-Driven Cyber Threats
CyTwist, a player I haven't had the chance to dig into, recently released a detection engine focused on detecting AI-generated malware. This is of course a problem space that has boomed tremendously over the past couple of years.
I'll have to read up more on this, but sounds cool on paper.
Quantum Security
SandboxAQ Raises $300 Million at $5.3 Billion Valuation
I think SandboxAQ is the future of all things AI + Quantum security. Been tracking them since they spun out of Alphabet and they've only picked up momentum.
The linked Bloomberg segment is certainly worth a watch though not solely focused on security.
Bye For Now!
That’s all for this week… See you next week! 👋🏽
Re: MITRE: any generalized framework or assessment is only as good as the honesty an organization brings to it. I believe ATT&CK was built for good, but like any assessment tool, it's been hacked (pun intended) so it benefits vendors for sales purposes rather than helping orgs focus on fixes.