PLATFORM SECURITY

Cerby Launches With World’s First Security Platform for Unmanageable Applications

Cerby | June 28, 2022

Cerby
Cerby officially launched today with the world’s first security platform for unmanageable applications and an approach that enhances security practices by empowering both employees and security teams. The Cerby Zero Trust architecture takes on the challenges of unmanageable applications in the shadow IT universe—technologies that are selected and onboarded by business units outside the purview and visibility of the IT department, or don’t support industry standards like SAML for authentication and SCIM for user provisioning. The Cerby offering is very different from other options on the market because it moves security automation capabilities into the hands of business users—in effect, it balances empowerment and autonomy with security and productivity.

The company, which has been operating in stealth mode since 2020, already has early customers—including Fox, L’Oréal, MiSalud, Dentsu, Televisa, and Wizeline—where the technology is used to address common application liabilities efficiently while facilitating collaboration. It also announced today $12 million in seed funding from Ridge Ventures, Bowery Capital, Okta Ventures, Salesforce Ventures and others, bringing total funding to $15.5 million.

“Our goal at Cerby is simple but sweeping: To increase productivity for enterprises by empowering employees to use the technologies they prefer while automating compliance and security,” said Co-Founder and CEO, Belsasar Lepe. “In this era of IT consumerization, employee choice and enterprise security are not mutually exclusive—with the right tools and strategies, they go hand-in-hand. When business professionals get real autonomy, security becomes everyone’s responsibility, rather than just one of many priorities for the IT department. The Cerby platform for unmanageable applications enables organizations to boost efficiency, comply with existing policies and reduce exposure to cyberattacks—it’s truly a win-win-win.”

Cerby’s enrollment-based platform combines proprietary technology, robotic process automation (RPA) and seamless integrations with identity providers like Okta and Azure AD. This powerful functionality enables the platform to understand commonly used SaaS applications in a business context, and automate security policies before they lead to breaches.

The scale of the problem is undeniable, in part because while employees choose the applications, they don’t pay for them. Analyst firms, such as Everest Group report that shadow IT spending represents 50% or more of the overall IT outlay in large enterprises. Meanwhile, teams preferring application autonomy are twice as likely to prioritize productivity over security.

Cerby’s own research confirms this trend. The company just commissioned its own study of this critical subject, and the preliminary findings show how much attitudes have hardened with regard to employee choices. The comprehensive study of over 500 business professionals in North America and the UK employed by companies with more than $100M in annual revenue, conducted in partnership with Osterman Research, reveals that a staggering 91% of respondents believe they should have full control over the applications they purchase. On a related note, 52% want the company or IT department to “just get out of the way,” and when employers disallow applications desired by end users, respondents say it will “negatively affect” the way work gets done.

To be clear, these perspectives are not emerging from a vacuum. More than three quarters of the companies surveyed, 78%, have policies in place regarding which applications employees can and cannot use, and just over half the respondents report knowledge or experience of particular applications being disallowed. These actions don’t necessarily go down well with employees: 68% ask for an alternative solution, preferably one that is stress-free and automated; 35% seek an alternative of their own, while stating that it negatively affects the way work is done; and 42% “demand a good reason” for the ban.

“We chose Cerby because we needed a secure and centralized place to manage access to our paid social accounts. “Because Cerby can seamlessly integrate with our organization’s single sign-on technology and also connect to the social platforms’ APIs, we are able to create organizational efficiencies by granting and removing access within one place. Additionally, the automated access removal of employees who have left the company provides a level of security we did not previously have.”

Nina Donnard, AVP, Paid Social, L’Oreal

The issue of unmanageable applications within the organization is particularly sensitive because it puts two forces—employee autonomy and corporate security—in direct conflict. The C-suite—enterprise CIOs, CMOs, CISOs—wants security to be frictionless; when security teams take a heavy-handed approach, they often end up blocking key applications and negatively affecting productivity. This encompasses three core problems, which are sometimes contradictory. They feature: Brand risk (including errors, cyberattacks, and fraud); non-compliance (corporate policy, contracts, and industry/government regulations); and inefficient processes (insufficient resources; inconsistent, error-prone access reviews; extraneous steps and wasted time).

Cerby steps into this chasm with numerous capabilities to plug security, compliance and productivity gaps. For example, end users can log in securely to any application, even those that don’t support SSO natively, store log-in data, and share this information securely with collaborators. At the same time, IT and security teams can set policy at the application, team, and company level. Throughout this process, Cerby is actively monitoring connected applications to ensure they are securely configured to meet corporate security standards for two factor authentication, password complexity and many other commonly missed security settings.

“I love that Cerby solves a problem every CIO faces: unmanageable applications,” said Yousuf Khan, Partner at Ridge Ventures and former CIO. “When non-IT employees use unauthorized applications, they might be gaining productivity, but they are also unlocking a Pandora’s box of security vulnerabilities. The pandemic only made it worse: 71% of users in the US now acquire their own applications to do their jobs. Cerby is the first solution I’ve seen that significantly reduces the risk of these unmanageable applications by applying zero trust principles and automating the entire application lifecycle. The best part of it is that it’s not a top-down, managerial edict: Employees become an active and motivated part of the solution. Business professionals get the power to choose their applications, productivity gets a boost, and the company ensures security and compliance–everyone wins. Other cybersecurity products demand enforcement; Cerby encourages enrollment. This is the best way to enhance employee trust and increase productivity.”

The technology is designed to help teams in diverse disciplines use the applications they choose while ensuring security. For example, marketing teams can now securely use any social platforms they prefer—Cerby provides a single place to add and remove access for employees and third-party agencies instead of signing into multiple social accounts and sharing passwords. In other fields, such as finance, Cerby provides an easy way for CFOs and their teams to securely manage access to bank accounts and credit lines without having to share passwords.

About Cerby
Cerby delivers the world’s first platform built to positively guide employees' security behaviors no matter which applications they use. We protect brands around the world, including some of the most recognizable businesses, by taking an approach that empowers both employees and security teams, using Zero Trust principles. Our proprietary technology uses robotic process automation to understand applications in a business context and automatically enforces security best practices before misconfigurations turn into breaches. Cerby is a must-have for technology executives and their teams to protect the brand, stay secure and increase productivity.

Spotlight

Cyber compliant does not necessarily mean cyber secure.  Compliance is the assurance that the cyber security program is in place, regulations are implemented and the plant is monitoring and tracking changes.  Compliance is the assurance of preparedness. In this video, Michael Martinez discusses why a mindset change is required that not only addresses the technology but also involves personal awareness and ownership of responsibility.


Other News
SECURITY AUDIT AND COMPLIANCE

NetWitness Launches Comprehensive XDR Offerings for Next Generation Security

NetWitness | June 08, 2022

NetWitness, a globally trusted provider of cybersecurity technologies and incident response, today announced NetWitness XDR, a family of products and capabilities delivering comprehensive detection and response on premise, in the cloud or as a hybrid of the two. This new offering and product architecture delivers the full range of deployment options enterprises seek today to meet their unique cybersecurity needs and use cases. NetWitness XDR delivers a robust set of capabilities enabling extended detection and response (XDR) and helping customers stay ahead of the most sophisticated cyber threats. These include: Unified collection, data, and visibility across multiple security layers Automatic enrichment of data using any technical or business source A wide toolset of detection technologies including, but not limited to, advanced behavioral analysis External and internal threat intelligence to identify known security risks and threat actors Truly insightful context, visualization, and investigation tools Threat hunting tools and methodologies to identify previously unknown threats Highly repeatable and measurable incident investigation and response processes A strong array of both automated and human response options “NetWitness has enjoyed the trust of some of the world’s most security sensitive organizations because of its unique ability to monitor the entire attack surface across the network, endpoint, cloud, IoT, logs and more,” said CEO of RSA and NetWitness, Rohit Ghai. “We have been delivering XDR capability to the market for several years and today we are delighted to announce new innovations in the platform and reintroduce it to the market as NetWitness XDR.” Under this new model, NetWitness XDR will be comprised of three main product lines that showcase its uniquely powerful support for all XDR use cases. NetWitness Platform XDR 12 is the newest major release of NetWitness Platform. This technology stack, typically deployed as customer-managed software or hosted by MSSPs, has been enhanced to focus on detection capabilities that identify threats faster and decrease their impact. The company’s new cloud-native SaaS version will be known as NetWitness Vision XDR and is currently in design preview. The third product line, NetWitness XDR Cloud Services, is a set of optional SaaS applications that take advantage of the cloud’s inherent elastic nature to deliver flexible and cost-effective components which can be used to augment either Platform XDR or Vision XDR. “Our network-forward approach allows us to stand out in this emerging space and highlights NetWitness XDR’s ability to detect across customers’ growing number of systems and devices. “We are embracing the belief that the best XDR must be consumable on prem, in the cloud, and hybrid.” Director of Product Management and Research, Kevin Bowers Developed initially in 1996, NetWitness began as a government-sponsored research project to inspect network packets for cyberthreats and tools to detect and respond to them. Since then, the technology has continuously evolved and been innovated to tackle today’s most complex attacks. NetWitness now features fully integrated components for network, log, endpoint and IoT detection and response that drive its threat intelligence and security orchestration platform, NetWitness Orchestrator. With its long history and global footprint, NetWitness XDR integrates directly with the world’s most critical and widely deployed tools, as well as many specialized and industry-specific solutions. NetWitness XDR will host demonstrations at its booth at RSA Conference this year for Platform XDR and Vision XDR. ABOUT NetWitness NetWitness, an RSA® Group Business, provides comprehensive and highly scalable threat detection and response capabilities for organizations around the world. The NetWitness Platform delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect, prioritize, investigate threats, and automate response. This empowers security analysts to be more efficient and stay ahead of business-impacting threats.

Read More

SOFTWARE SECURITY

Noetic Cyber Delivers Platform Update to Bring Data Science into Cyber Asset Management

Noetic Cyber | June 06, 2022

Noetic Cyber, an innovator in Cybersecurity Asset Attack Surface Management (CAASM), today announced the availability of a new version of its Continuous Cyber Asset Management and Controls platform. The latest version of the Noetic platform is focused on delivering immediate time to value for security teams by identifying high priority security gaps and exploitable vulnerabilities, using innovative data science techniques. Since its public launch in July 2021, Noetic has been working with security leaders in the United States and the United Kingdom to help them reduce their growing attack surface and improve their cybersecurity posture. The challenge these cyber leaders often face is to understand cyber risk across complex environments, where assets can exist for a short period of time in public or private cloud platforms, as well as having to manage legacy on-premises workloads. To gain the insights needed to be effective, they need confidence in their data quality, full visibility across all assets and contextual intelligence to help prioritize decision making. "The continued innovation we are delivering reflects the expanding use cases we see across our customer base. "Security teams are putting cyber asset intelligence at the heart of their security programs and our ability to continuously adapt and respond to changing environments is critical to their success." Paul Ayers, CEO and co-founder, Noetic Cyber Delivering Immediate Time to Value Security teams need to know what assets they have, and understand which ones are creating the most cyber risk. Noetic is delivering innovative cyber asset intelligence to help customers assess their current cyber posture readiness and focus the security team's efforts on the highest priority activities. The Noetic platforms helps customers successfully do this with: External Cyber Asset Intelligence – Mapping industry data including CISA's Known Exploited Vulnerabilities catalog, MITRE ATT&CK® mitigations and others to provide greater context on asset risk and exposure. Coverage Gap dashboards –Helping security teams quickly identify common and easily resolved security coverage gaps. Support for ad-hoc security data – Many organizations keep important information on critical applications or security risks in spreadsheets. Noetic's new data ingestion capability supports importing ad-hoc data into the model. Simplifying and Extending Cyber Asset Management use cases The Noetic platform uses Graph database technology to map cyber relationships between assets. This innovative technology approach enables Noetic to navigate deep hierarchies and find hidden connections, providing the context to help security teams to make more informed decisions. The latest release of the Noetic platform builds on native Graph capabilities to deliver additional value such as: Understanding & improving data quality –Noetic's new data analytics feature automatically and continuously analyzes data for each different source for completeness and accuracy, providing a data quality score. Simplifying Graph queries – Noetic has adopted openCypher, a widely used open query language. Noetic has developed a graphical point-and-click UI to guide security analysts through the steps of creating powerful relationship-based queries with little or no training. Supporting Cloud and On-premises applications – Organizations need to protect assets across public and private clouds, as well as traditional on-premises networks. Noetic Outpost supports secure ingestion from behind the corporate firewall, and private clouds. "The challenge of identifying and managing assets in the context of cybersecurity has grown considerably in recent years," said Dr. Ed Amoroso, CEO of TAG Cyber. "Noetic's innovations are important as their ability to prioritize and automate helps security teams to focus on critical areas of cyber risk." About Noetic Cyber Noetic provides a proactive approach to cyber asset and controls management, empowering security teams to see, understand, fix and improve their security posture and enterprise ecosystem. Our goal is to improve security tools and control efficacy by breaking down existing siloes and improving the entire security ecosystem. Founded in 2019, Noetic is based in Boston and London.

Read More

DATA SECURITY

Flow Security Launches Next-Gen Data Security Platform Following $10 Million Seed Round

Flow Security | August 05, 2022

Flow Security today announced $10M in seed funding and launched the first data security platform that discovers and protects both data at rest and in motion. The funding was led by Amiti, with participation from GFC, Amdocs Ventures, and industry leaders such as CyberArk CEO Udi Mokady and Demisto CEO and co-founder Slavik Markovich. Enterprises of all sizes continue to make heavy investments in technology stacks as they transition to modern cloud application architectures. This new era promises many benefits, but has also led to significant data sprawl and major difficulties in securing data. With the widespread adoption of modern architectures, securing sensitive data such as PII, PHI, financial information, and intellectual property has become a near-impossible task. Flow Security helps organizations overcome these challenges by continuously mapping and detecting all data-related risks for an improved data security posture. Flow is the only data security platform that supports use cases including discovering and classifying data flows to external services, policy enforcement, automatic data-related threat modeling, and reducing data access permissions to the minimum. Flow has a growing customer base in highly-regulated markets such as e-commerce, fintech, healthcare, insurtech, and more. "Discovery, mapping and protecting data is usually a manual process, which is not effective in large organizations," says Nir Chervoni, Head of Data Security of Booking.com, "Automatic data mapping should consist of analyzing the actual payload, and not only its metadata. So far, Flow is the only company I've seen that provides that capability for multiple scenarios." "Security and data protection teams are struggling to keep up with the rapid pace of today, and Flow is making their lives exponentially easier," said Ben Rabinowitz, Managing Partner and Founder at Amiti Ventures. "We're thrilled to be a partner on this journey, and eager to help capitalize on this opportunity to give security teams the technology they need to become business enablers." "We've reviewed dozens of different data security tools lately, and we weren't satisfied with any of them. "But Flow's data-in-motion approach is a game changer. It took the platform a few days to map data-related threats that usually take months of manual work to detect." Ralph Pyne, VP of Security at NextRoll "Data security is not a new problem, but the challenges are changing and growing," said Jonathan Roizin, co-founder and CEO of Flow Security. "Organizations are moving at a record pace and quickly transitioning to the cloud and cloud-first applications. These transformations often make life easier, but they also make the jobs of security professionals even more difficult. With Flow, security teams are no longer forced to chase down information. It simplifies security and regulatory processes and bridges the gap between security and development teams." About Flow Security Flow Security revolutionizes data security with the first platform that discovers and protects data not only at rest, but also in motion. Founded in 2021 by Jonathan Roizin and Rom Ashkenazi, the Israel-based company is backed by Amiti, GFC, Amdocs Ventures, and market-leading angel investors.

Read More

SOFTWARE SECURITY

Bluum Launches Comprehensive Cybersecurity Offering to Schools

Bluum | June 14, 2022

Bluum, North America's leading education technology solutions provider, recently announced the launch of a comprehensive cybersecurity offering to schools. Cybersecurity needs and solutions for schools have evolved in recent years – even beyond those brought about by hybrid and remote learning – so Bluum responded with security solutions for people, processes and technology. According to the SecurityScorecard 2018 report, education ranks last out of 17 industries in terms of cybersecurity, demonstrating that a legacy solution that only includes a first-generation firewall and antivirus software has long been rendered obsolete. Since 2016, there have been more than 1,300 publicly disclosed attacks in the U.S., which averages out to more than one K-12 cyber incident per school day. More than three million students have been affected by cybersecurity breakdowns since February 2018, with education institutions spending an average of $2.73 million to address the impact of a ransomware attack. "With limited budgets, highly skilled IT personnel and time, K-12 organizations are hard-pressed to create a solid cybersecurity plan. "Cybersecurity is an incredibly technical and extensive area in IT that is rapidly evolving and needs to stay ahead of ever-evolving attack methods. Historically, school IT budget constraints have resulted in ineffective and outdated systems, so Bluum has developed comprehensive countermeasures to fill that void." Bluum Vice President of Product Strategy and Growth Andre Vashilko Whether cybersecurity incidents are caused externally or self-inflicted, Bluum can assist in preventative measures before, during and after the incidents and attacks. To get started, Bluum has debuted easy-to-use services to help schools assess their cybersecurity needs and identify immediate and future solutions. Vulnerability scans and penetration testing will detect critical areas of concern and exposure in the infrastructure, while a complementary customer survey will provide further insights into a school's specific needs. About Bluum Bluum empowers educators with technology solutions that improve learning and make it more accessible, assisting more than 27 million students grow and flourish.

Read More

Spotlight

Cyber compliant does not necessarily mean cyber secure.  Compliance is the assurance that the cyber security program is in place, regulations are implemented and the plant is monitoring and tracking changes.  Compliance is the assurance of preparedness. In this video, Michael Martinez discusses why a mindset change is required that not only addresses the technology but also involves personal awareness and ownership of responsibility.

Resources