Systemic Risk: Aggregators, Big Data, and Big Risk

6–5–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday, June 5th, and it feels like we’re headed into a busy stretch. Wishing you balance as we turn to the end of school, start of vacation season, and the need to still keep everything moving forward on the work front.

This week: aggregators, big data, and big risk. Let’s dive in.

Systemic Risk: Aggregators, Big Data, and Big Risk

News coverage this past week focused on a rash of ransomware attacks leveraging an exploit in a managed file transfer application called MOVEit.

Depending on whom you believe, this is either the work of the Cl0p ransomware gang, or a new threat actor.

Regardless, the impact is significant. Researchers are citing a “double digit number” of organizations, including financial companies and US government agencies.

While the details of the vulnerability and response are interesting, the thread that’s really worth following is the pattern of exploiting systems that both aggregate data and are used across large enterprises.

We saw this as far back as the SolarWinds attack in 2020, and also with the Kaseya breach in 2021. We’ve seen threat actors continue to look for and exploit these types of systems in 2022 and 2023, including the GoAnywhere Managed File Transfer solution, and Accellion.

Why are we seeing so much activity in this space? The answer is really quite simple: these tools are used by lots of big customers and they have lots of data, the exact two things that threat actors look for when picking victims.

So - what does this mean for those of us building businesses? A few thoughts:

  • First of all, this is a good reminder that in addition to hardware inventory, we also need to maintain strong software inventory capabilities to ensure we know what we’re running in our environment.

  • Second, you should ensure you’re not only able to patch these pieces of hardware and software, but also able to receive alerts and updates when they become available. The trick about zero day vulnerabilities is that they are previously unknown, and discovered out of band. Therefore, the updates happen out of band, and you may not be made aware of them without some effort.

  • Finally, we can start to use some mental models that might limit the impact of future events like this. The notion of “assume breach” underlies newer concepts like “zero trust,” but we don’t have to get stuck in buzzwords to make progress.

    Instead, we can think about basic capabilities like network segmentation, not putting these tools on the network edge or making them publicly accessible, and then enforcing data retention policies that limit the amount of data and duration of data retention so that if a breach does occur, the blast radius is contained.

    For example, you could set the appliance to automatically purge content after two weeks, or four weeks, or whatever feels like a balance between business requirements and risk tolerance.
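To make the retention point concrete, here is an added example that is not code from the page, from Coastal Cyber Risk Advisors, or from any file-transfer vendor: a small script that enforces a purge window over a staging directory, reports what it would remove in dry-run mode, and returns the count and byte total so an operator can see how much data would have been exposed had the appliance been breached. The directory layout, file names, ages, and the 14-day window are constructed assumptions for the illustration.

```python
"""Retention enforcement for a file-transfer staging area.

Added illustration (not code from the page or from any MFT vendor): walks a
directory tree, selects files whose modification time is older than a
retention window, and deletes them unless run in dry-run mode. The paths,
sample files, and the 14-day default are assumptions chosen for the example.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class StoredFile:
    path: str
    mtime: float  # modification time, seconds since the epoch
    size: int     # bytes


def expired(files: Iterable[StoredFile], now: float, retention_days: int) -> List[StoredFile]:
    """Return the files whose age exceeds the retention window.

    Pure function, so the policy can be unit-tested without touching disk.
    """
    cutoff = now - retention_days * SECONDS_PER_DAY
    return [f for f in files if f.mtime < cutoff]


def scan(root: str) -> List[StoredFile]:
    """Collect every regular file under root with its mtime and size."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # never follow symlinks out of the staging area
                continue
            st = os.stat(full)
            found.append(StoredFile(full, st.st_mtime, st.st_size))
    return found


def enforce_retention(root: str, retention_days: int = 14, dry_run: bool = True,
                      now: Optional[float] = None) -> Tuple[int, int]:
    """Delete (or, in dry-run mode, only report) files older than retention_days.

    Returns (files selected, total bytes they occupy): the amount of data the
    policy keeps out of a future breach's blast radius.
    """
    now = time.time() if now is None else now
    stale = expired(scan(root), now, retention_days)
    total = sum(f.size for f in stale)
    for f in stale:
        if dry_run:
            print(f"[dry-run] would delete {f.path} ({f.size} bytes)")
        else:
            os.remove(f.path)
            print(f"deleted {f.path} ({f.size} bytes)")
    return len(stale), total


def demo() -> Tuple[int, int, int]:
    """Build a constructed staging area in a temp dir and enforce a 14-day window.

    Returns (files deleted, bytes freed, files remaining).
    """
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: name -> (age in days, size in bytes).
        samples = {
            "payroll_q1.csv": (45, 2048),
            "vendor_contract.pdf": (20, 4096),
            "todays_upload.zip": (1, 1024),
        }
        for name, (age_days, size) in samples.items():
            full = os.path.join(root, name)
            with open(full, "wb") as fh:
                fh.write(b"x" * size)
            stamp = now - age_days * SECONDS_PER_DAY
            os.utime(full, (stamp, stamp))  # backdate mtime to simulate an old transfer
        deleted, freed = enforce_retention(root, retention_days=14, dry_run=False, now=now)
        remaining = len(scan(root))
    return deleted, freed, remaining


if __name__ == "__main__":
    print(demo())  # the two files older than 14 days are removed; the fresh upload stays
```

Run it once with `dry_run=True` against the real staging path to see the volume the policy would remove, then schedule it with `dry_run=False` once the window matches the business requirement. Keeping the selection logic in `expired()` separate from the deletion loop is deliberate: the window can be tested and reviewed without any risk of deleting production data.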

We should assume that threat actors are going to continue to look for these “high ROI” opportunities, because - just like us - they are financially motivated and always looking for efficiencies.

We need to use technology tools to continue to run our businesses, but we need to continue to do so in a thoughtful, deliberate, and intentional way that manages the risk down to levels that we find acceptable.

Fundraising

Moderate week of fundraising news, coming in just a few million shy of $11B. Worth noting, however, a couple of China-related activities, given our discussion last week of China’s cyber efforts.

New funds include a $4B raise from Primavera Capital Group (a Chinese PE firm) as well as Baidu’s new $145M VC fund on AI-generated content startups.

This all comes during the same week as coverage here in the US detailed all the US leaders who’ve made trips to China recently (including Elon Musk, JPMorgan’s Jamie Dimon, and Apple’s Tim Cook - along with a previously secret trip from CIA Director Bill Burns).

At the same time, Canadian PE investors are stopping new investments in China, including CDPQ, The Ontario Teachers’ Pension Plan, and the British Columbia Investment Management Corp.

Military leaders from the US, Canada, and China continue to clash around Freedom of Navigation activities in the Taiwan Strait, including accusations against China of “unsafe interactions” - with a Chinese warship crossing in front of a US destroyer.

Sometimes this is just noise, but sometimes, these macro factors really are all interrelated, and worth paying attention to. Let’s not forget the CHIPS Act, and China’s ban on Micron Electronics, plus all the challenges around 5G. There’s certainly a lot going on.

You can find all the links to the stories we covered in the links below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.securityweek.com/ransomware-group-used-moveit-exploit-to-steal-data-from-dozens-of-organizations/

https://twitter.com/GossiTheDog/status/1665618882957127681

https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response

https://www.bleepingcomputer.com/news/security/fortra-shares-findings-on-goanywhere-mft-zero-day-attacks/

https://purplesec.us/accellion-data-breach-explained/

https://www.axios.com/2023/06/03/us-companies-china-politics

https://www.ft.com/content/95d6eb38-6add-4558-93e9-bdd00af24f5d

https://www.reuters.com/markets/canadas-ontario-teachers-fund-closes-china-equity-investment-team-2023-04-25/

https://www.pionline.com/pension-funds/british-columbia-investment-management-hits-pause-china-deals

https://www.reuters.com/world/us-navy-releases-video-chinese-warships-unsafe-interaction-near-taiwan-2023-06-05/
