The “So What?” of SBOMs
2–20–2024 (Tuesday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, February 20, 2024, and we’re coming back to full inboxes after President’s Day in the US and Family Day in Canada. Welcome back.
While some of us may have enjoyed the long weekend, news broke yesterday that quite a few global law enforcement agencies had been busy over the holiday taking down ransomware gang LockBit - more on that at the end, because we’ve got a bit of a less exciting topic to cover first.
The “So What?” Of SBOM, With a LockBit Kicker
As Ivanti continues to battle uphill (and upstream, and whatever metaphor you want to use), there was news this week from security researchers at GreyNoise that Ivanti appears to have introduced a backdoor into one of their tools - Endpoint Manager - in 2021, and disguised it as a security fix, when, in reality, it was an obfuscated backdoor slotted into a relatively obscure library known as csrf-magic.
At the same time, last week Ivanti was criticized by another firm, Eclypsium, for their use of outdated libraries in their Pulse Secure appliances, including a version of Linux that is 11 years old and hasn’t been supported since November of 2020.
This follows criticism of Ivanti’s handling of similar issues by Watchtower last week, and now it’s being reported that the appliances contain a “number of vulnerable libraries that are cumulatively susceptible to 973 flaws, out of which 111 have publicly known exploits.”
There’s plenty of technical analysis available in the article, and the optics of the numbers certainly aren’t great, but Eclypsium, in their write-up, asserts that “This is a perfect example as to why visibility into digital supply chains is important and why enterprise customers are increasingly demanding SBOMs from their vendors.”
But is it?
Let’s talk about SBOMs, or Software Bills of Materials, for a minute. Let’s say you had a complete list of the underlying components in this Ivanti device, or any other piece of networking equipment in your enterprise. Do you have the people on your team to do this level of deep, line-by-line analysis of every update or code change? When you find that a tool is using an out-of-date library with vulnerabilities, but updating that library will break the tool, what are you going to do?
The push towards SBOMs seems, to me, misdirected. I would ask this: would having this information lead us to make different decisions? Better decisions? Look - if you’re still buying Ivanti gear after the run they’ve had, I don’t think you’re going to change your mind. And, if you looked this deeply at any of their competitors, you’d likely find similar issues.
The talent required to extract value out of SBOMs is extremely rare, expensive, and hard to come by. That makes total sense if you’re the NSA or a similarly high-performing, low-error-tolerance organization. Most of us aren’t running companies like that, and don’t have the talent or capacity to make sense of this data. It just becomes noise, and that’s something we have enough of already.
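To make the triage question concrete, here is an added example in Python (not from the original post, and not any vendor’s or Ivanti’s own data): it reads a small constructed CycloneDX-style SBOM, matches it against a constructed advisory feed, and separates the raw flaw count from the subset that is both exploitable and sitting on an end-of-life component, the case where “update the library” isn’t on the table and a person still has to decide. All component names, versions, advisory IDs and dates are made up for illustration.

```python
import json
from datetime import date

TODAY = date(2024, 2, 20)  # date of this post

# Constructed CycloneDX-style SBOM; names/versions are illustrative, not a real product's.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "csrf-magic", "version": "1.0.4"},
        {"type": "operating-system", "name": "linux-kernel", "version": "3.2"},
        {"type": "library", "name": "openssl", "version": "3.0.13"},
    ],
})

# Constructed advisory feed: (component, version, advisory id, public exploit known?).
ADVISORIES = [
    ("csrf-magic", "1.0.4", "ADV-0001", True),
    ("csrf-magic", "1.0.4", "ADV-0002", False),
    ("linux-kernel", "3.2", "ADV-0003", False),
    ("linux-kernel", "3.2", "ADV-0004", True),
    ("linux-kernel", "3.2", "ADV-0005", False),
    ("openssl", "1.1.1", "ADV-0006", True),  # older version than we ship; must not count
]

# Constructed end-of-support dates; past EOL there is no upstream fix to apply.
EOL = {"linux-kernel": date(2020, 11, 30)}

def triage(sbom_json, advisories, eol, today=TODAY):
    """Per shipped component with advisories: total flaws, exploitable flaws, EOL flag."""
    shipped = {(c["name"], c["version"]) for c in json.loads(sbom_json)["components"]}
    summary = {}
    for name, version, _adv_id, exploited in advisories:
        if (name, version) not in shipped:
            continue  # advisory targets a version not in this build
        entry = summary.setdefault(name, {"flaws": 0, "exploited": 0, "eol": False})
        entry["flaws"] += 1
        entry["exploited"] += int(exploited)
        entry["eol"] = name in eol and eol[name] < today
    return summary

def needs_decision(summary):
    """Components where patching is unavailable: exploited flaws on an end-of-life base."""
    return sorted(n for n, e in summary.items() if e["exploited"] and e["eol"])

if __name__ == "__main__":
    result = triage(SBOM_JSON, ADVISORIES, EOL)
    for name, e in result.items():
        print(f"{name}: {e['flaws']} flaws, {e['exploited']} exploitable, eol={e['eol']}")
    print("replace or accept risk:", needs_decision(result))
```

The headline number here is five flaws across two components, but only one component needs a business decision rather than a patch ticket; that narrowing is the analyst work the SBOM alone does not do.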
On a brighter note, news broke yesterday, Monday 2/19, that a consortium of international law enforcement agencies has seized the infrastructure of notorious ransomware gang LockBit, striking a material blow not only to this organization and its affiliates, but also continuing to put pressure on other ransomware operators.
The message is clear - if you’re a big player in this space, you’ve got a big target on your back, and while they may move slowly, these agencies are not ignoring your crimes. They’re just building their case.
Fundraising
From a fundraising perspective, an interesting week in a couple of regards. From a blockbuster fund perspective, we see TPG raised $12b for its ninth flagship private equity fund (below target), plus $3.6b for its second health-focused fund (above target).
At the same time, VC firm Foundry Group announced that it won’t raise another fund, and will instead invest the rest of its existing fund and then shut down. For those not familiar, Foundry Group is an 18-year-old venture firm with nearly $3.5 billion in assets under management, and the news comes at an interesting time, as the firm announced a $500 million fund last year.
Foundry has invested in more than 200 companies and nearly 50 venture firms.
We also saw an article in the Financial Times this week noting the risk of “backlash” against Private Equity. The FT lays out three key points. “First, chatter about a backlash is (yet another) sign that years of cheap money have created bubbles. Second, the sector’s leaders need to learn from financial history about what not to do when faced with protest. Third, insofar as the private equity world is trying to refashion its image and social contract, this is contributing to subtle-but-important shifts in how we imagine capitalism.”
How this will play out on balance sheets is yet to be seen, but the outgoing Calstrs chief investment officer warned that while “it’s great [private equity funds] make money for our retirees — who are teachers — and for other funds . . . they need to also share the wealth with the workers of those companies and with the communities they invest in”. For someone with $327B under management, this is advice that we likely would do well to heed. And it’s not new - the same articles about backlash were being written in 2007 (and we all remember how that turned out, no?).
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html
https://thehackernews.com/2024/02/ivanti-pulse-secure-found-using-11-year.html
https://www.wired.com/story/lockbit-ransomware-takedown-website-nca-fbi/
https://techcrunch.com/2024/02/13/foundry-group-is-shutting-down-and-wont-raise-another-fund/
https://www.ft.com/content/651321e2-abf7-465b-89d6-49b1b0117142
https://www.bloomberg.com/news/articles/2007-03-11/a-backlash-against-private-equity