CISA Gets It In Gear - Are We Ready To Go?

3–27–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday March 27th, and we’re going to talk about the big week that CISA has had here in the United States, and what we can do to learn from and leverage this significant uptick in activity.

Let’s dig in.

CISA Getting It In Gear

CISA, or the Cybersecurity & Infrastructure Security Agency, part of the Department of Homeland Security here in the United States, has just wrapped up a solid week of putting out messaging, tools, and programs to help the private sector get “left of bang.”

“Left of bang” is a term adapted from the US Marine Corps to frame what can be done before and after an attack. Things left of bang typically include awareness, prevention, pattern recognition and behavior analysis, early warnings, avoiding danger, etc.

In the cybersecurity context, this is a good shorthand for what we might typically call “proactive” cybersecurity - as opposed to Incident Response. This world includes activities like risk assessments, penetration testing, vulnerability scanning and remediation, etc.

CISA, and in particular Director Jen Easterly, is following on the heels of the recently released National Cybersecurity Strategy to put this message out, along with some tools.

Speaking to the Economic Club of New York this week, Easterly was quoted as saying:

“CEOs and board members have to embrace corporate cyber responsibility as a matter of good governance,” Easterly said. “Not as something the IT people worry about.”

CISA is helping companies do this through a few tools and programs, as well.

Importantly, CISA announced a Pre-Ransomware Notification Initiative this week, designed to warn organizations that ransomware actors have gained initial access to their networks. CISA claims to have already notified “over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions,” and notes they have “confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.”

Is this something the teams at your portfolio companies would be ready to act on, should they get this warning?

Can your team focus on getting left of bang? Can they make use of information, intelligence, learning, or other things to push preparedness forward into action?

If not, it’s worth considering how you can help your team get left of bang here.

CISA is also rolling out their new Ransomware Vulnerability Warning Pilot (RVWP), a program designed to “proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks” - meaning CISA is out there scanning for the same sort of risks that the ransomware crews are exploiting, and then making notifications to the owners of those vulnerable systems in the hopes they can address the vulnerability before they are compromised.

Finally, CISA released an open-source tool this week called Untitled Goose, which helps “network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.” Due to the prevalence of these tools and platforms, this too has the potential to make a massive impact - if your teams on the portfolio side can put them to use and get the value from them.

I have to give CISA a lot of credit here - they’re really showing up with the tools, programs, and intel to help us secure our corporate assets.

The open question, of course, is whether we’re able to convert these opportunities into value creation by making the improvements before we get to bang. Left of bang is far preferable - but sometimes, some teams simply won’t make it. Make sure that you’re giving your technical teams the support, awareness, and direction that they need to keep the rest of the business and your investments on the proper side of that equation.

Fundraising

It would seem that the market’s short memory has returned, with announced fundraising volumes bouncing back to a respectable $10.4B last week.

It’s possible that the turmoil in the financial sector will be short-lived, or that investors are simply deciding that there is going to be uncertainty regardless, and they need to get comfortable deploying capital into uncertain markets for the potential of a return, rather than the certainty of stagnation.

Regardless, it does feel like things are flowing again from a fundraising perspective, and we’re going to get close to, but not quite reach, the $200B level for total Q1 2023 commitments, which is no small number.

You can find all the links below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.cybersecuritydive.com/news/cisa-director-urges-businesses-own-cyber-risk/645932/

https://www.cisa.gov/news-events/news/getting-ahead-ransomware-epidemic-cisas-pre-ransomware-notifications-help-organizations-stop-attacks

https://www.cisa.gov/stopransomware/Ransomware-Vulnerability-Warning-Pilot

https://www.cisa.gov/news-events/alerts/2023/03/23/untitled-goose-tool-aids-hunt-and-incident-response-azure-azure-active-directory-and-microsoft-365
