Post RSA 2023 Review of the Cybersecurity Landscape
Executive Summary
Current Market Perspectives
Overall, private capital flows into venture and growth-stage cybersecurity companies have fallen in parallel to broader market trends but are still tracking with pre-COVID norms. Early-stage activity has been especially robust, while growth-stage cyber deals are still being executed, often with some debt and/or structured terms.
Key Learnings from 2022
During a turbulent 2022, investors moved earlier, M&A buyers became more diversified, geopolitical factors motivated threat actors, and CISOs tightened budgets with a focus on streamlining security operations.
Emerging Threat Trends
Over the past several quarters, the industry has seen faster breakout times, more interactive intrusions, growing ransomware incidents, and a new wave of e-crimes brought on by greater usage of access broker services. Threat actors are focused on exploiting cloud migration trends by manipulating access points.
Securing the Software Supply Chain
There has been a 742% average annual increase in software supply chain attacks over the past three years, according to Sonatype. Software supply chain attacks make a system vulnerable everywhere a piece of software is deployed to, and with the proliferation of open-source components available to developers, attacks are targeting all sides of the supply chain, from source code to third-party distributors.
Zero Trust Identity Protection Becomes Table Stakes
Increasingly sophisticated and automated identity attacks are on the rise as more companies introduce hybrid work, IT modernization, and new digital experiences into their day-to-day operations. Decentralized identity orchestration as part of a comprehensive zero trust security strategy helps organizations cope with rising threats in an increasingly hybrid cloud environment.
Securing AI/ML Solutions an Emerging, Dynamic Challenge
Because AI/ML systems are designed to produce outputs after ingesting and analyzing large amounts of data, there are several organic security challenges not seen with other systems. Adversarial ML attacks have impacted tech companies including Google, Amazon, Microsoft, and Tesla, and Gartner research shows that security concerns are a top obstacle to enterprise adoption of AI.
XDR is Driving the Modernization of Security Operations
Gartner estimates that 40% of organizations will have deployed an extended detection and response (XDR) platform by 2027, up from 5% in 2021. By combining telemetry from multiple sources and applying analytics to detect malicious activities, XDR can enable timely, contextualized responses. This significantly reduces false positive alerts, enabling security teams to focus on correlated events that are more actionable.
Attackers Increasing Focus on Data Opportunities
Data theft during cyber attacks increased 11% YoY in 2022, and driving forces including compromised credentials, high volumes of vulnerable unstructured data sets, and unsecure data lakes and pipelines, are creating additional threat vectors for cyber criminals.
This document has been prepared by Lazard & Co., Limited ("Lazard") solely for general information purposes and is based on publicly available information which has not been independently verified by Lazard. The information contained herein is preliminary and should not be relied upon for any purpose. No liability whatsoever is accepted, and neither Lazard nor any member of the Lazard Group (being Lazard Ltd and its direct and indirect subsidiary and associated undertakings) nor any of their respective directors, partners, officers, employees, representatives or other agents is, or will be, making any warranty, representation or undertaking (expressed or implied) concerning the accuracy or truthfulness of any of the information, ideas, forecasts, projections or of any of the views or opinions contained in this document or any other written or oral statement provided in connection herewith or for any errors, omissions or misstatements contained herein or for any reliance that any party may seek to place upon any such information. Nothing contained in this document constitutes, or should be relied upon as, (i) the giving of financial, investment or other advice by, or the issuance of research by, Lazard, or (ii) a promise or representation as to any matter whether as to the past or the future. Lazard undertakes no obligation to provide the recipient with access to any additional information or to update or correct any information contained herein. Interested parties should conduct their own investigation and analysis of the matters and companies referenced herein. Nothing contained in this document constitutes, or should be deemed to constitute, an offer or solicitation for the purchase or sale of any security. You undertake to keep this document confidential and to not distribute it to any third party, or excerpt from or reproduce this document (in whole or in part), without the prior written consent of Lazard. 
Lazard, which is a regulated financial adviser, only acts for those entities whom it has identified as its client in a signed engagement letter and no-one else and will not be responsible to anyone other than such client for providing the protections afforded to clients of Lazard nor for providing advice. Recipients are recommended to seek their own financial and other advice and should entirely rely solely on their own judgment, review and analysis of this document. Lazard or other members of the Lazard Group (i) may have acted in the past, or act currently or in the future as adviser to some of the companies referenced herein, (ii) may receive fees in connection with any such advisory engagements, (iii) may at any time be in contact with such companies in order to solicit them to enter into advisory engagements, and/or (iv) may from time to time have made, and may in the future make, investments in such companies. By accepting this document, recipients agree to be bound by the terms and conditions set out above.
First, some current market perspectives…
- Venture and growth flows plateau, showing some resilience: global venture and growth cybersecurity funding totaled $3.1B in Q1 ’23, down from $3.5B in the prior quarter, per Momentum Cyber data. This was a 52% YoY decline from Q1 ‘22’s $6.4B total; however, the past three quarters have each exceeded the $3.0B mark, which surpasses pre-COVID norms. Deal counts fell 48% YoY, have fallen for four consecutive quarters, and reached the lowest point since Q2 ‘20
Figure 1: Global private cybersecurity funding activity, Q1 ’20 – Q1 ’23
Source: Momentum Cyber
- Larger deals include protection: a growing number of structured cyber deals are being executed, particularly at later growth stages. With investors likely more hesitant to write $100M+ checks into businesses that last raised at lofty valuations during the pandemic, management teams are embracing flexible convertible structures and debt financings to extend runway and advance growth objectives while avoiding potential valuation penalties
Figure 2: Recent select structured cyber transactions
Sources: Press releases, deal announcements
- Public valuations tied to cash flow generation: in the public markets, security software companies are being rewarded for profitable growth. Overall, there is a strong correlation between Rule of 40 percentages and EV/forward revenue trading multiples, particularly when excluding outliers Cloudflare (premium) and Absolute Software (discount)
Figure 3: Public cybersecurity company regression analysis
Note: Data as of 4/23/23 Sources: NASDAQ, Yahoo Finance, Lazard VGB Insights
- Market leaders taking advantage of scale: Palo Alto Networks – the largest security software company by market cap – recently announced it will offer its cloud security software free for up to two years to new customers willing to change providers. The company is trading at near all-time highs with ~$57B of market value, and is on-track to potentially become the first $100B value cyber company (with Fortinet and Crowdstrike close behind)
- Early-stage sees fewer fundings, higher valuations: recent DataTribe analysis revealed the Seed-stage cybersecurity market remains a relative strength despite seeing the lowest deal counts over the last decade; the Q1 ‘23 median pre-money valuation of $15.5M only slightly trails the all-time high of $15.8M observed in Q4 ‘22. The median Seed round size also marked a new all-time high of $4.5M in the quarter. Investors are likely becoming more selective and willing to reward perceived premium, end-to-end assets over single-point solutions, which could lead to a healthy consolidation of solutions through future M&A
- Regulators increasing private sector security liability: the White House’s recent National Cybersecurity Strategy published in March called for increased public-private coordination, and notably for private enterprises, laid out plans to shift the burden of cybersecurity from software end-users to providers of products and services. While still nascent, companies could soon lose protections for selling products with vulnerabilities that should have been remedied prior to release
Sources: Palo Alto Networks, DataTribe, National Law Review
Figure 4: Select cyber fundings YTD 2023 (>$20M)
Sources: Pitchbook Data, Inc.
Figure 5: Select cyber companies by total capital raised ($M)
Sources: Pitchbook Data, Inc.
Highlights from RSA 2023
1. Key Learnings from 2022
- Declining activity still in line with historical norms: 2022 was a tumultuous year for cyber, with record investment and M&A activity occurring in 1H ’22 before a steep drop-off in 2H ’22. M&A values in the first half of the year totaled $34B (not including Broadcom’s pending $61B acquisition of VMware), compared to $16B in the second half. Overall, cyber financing and M&A activities remain on an upward trend compared to pre-COVID norms, as shown below:
- Capital raises: $18.5B (-39% YoY, +50% from 2020) in volume across 1,037 deals
- 95 deals >$50M executed
- Risk and compliance was the most active vertical with 188 financings
- M&A: $50B (-37% YoY, +160% from 2020) in volume across 262 deals (only trailing 2021)
- Managed security service providers (MSSP) were the most targeted with 46 deals
Figure 6: Top 10 sectors by total financing volume in 2022 ($M)
Source: Momentum Cyber
- Investors moved earlier: consistent with broader venture and growth market trends, early-stage deal activity increased, while later-stage fundings declined sharply. Average deal sizes of Series C+ rounds fell 45%, compared to Seed and Series A stages rising 21% and 34%, respectively
Figure 7: 2022 cyber capital raises by stage
Source: Momentum Cyber
- Buyer profiles became more diversified: the security buyer universe is expanding to include corporations operating outside of the security industry, sovereign wealth funds, and a diversified group of PE firms
- M&A activity was driven heavily by PE buyouts, which totaled $27B across 26 deals, including Vista Equity Partners’ buyout of Securonix and KnowBe4, and Thoma Bravo’s acquisitions of SailPoint, ForgeRock, and Ping Identity
- Global dispersion of capital and innovation: cyber innovation is becoming more global, with companies still burgeoning in traditional hotbeds like Israel and the US, as well as in emerging cyber markets including the UK and Australia
- Notably, while Israeli startup funding fell 64% (to $3B) in 2022, Seed funding totals increased 65% YoY. Growth and later-stage (Series C+) deal counts fell 80%+, however, 2022 total activity mirrored 2020 levels (accounting for 2021 as an anomaly year)
- The UK saw record cyber funding in 2022, led by rounds closed for Copper, Envelop, Qredo, Immersive Labs, Proov, and InfoSum. Over the past five years, the UK cyber market has grown faster than historical hubs including the US, Israel, China, and the EU
- Views of CISOs: with tightening IT security budgets, CISOs are focused on how to better measure and monitor the activities going on within their organizations to ensure cost efficiency
- BCG’s recent CISO study identified the following as the top priorities for InfoSec in 2023: 1) the rising frequency of known threats (ransomware), 2) managing cyber risk in the cloud, 3) keeping up with changing regulations, and 4) attracting and retaining cyber talent
- Geopolitical forces reshaping the industry: cybersecurity is increasingly a critical aspect of national geopolitical resilience (both for governments and private companies)
- The war in Ukraine has proven that in certain instances there is clear collaboration between cyber criminals and national governments (e.g. Russia)
- Private companies are being forced to step in and choose sides within the constructs of the geopolitical conflict (e.g. Microsoft assisting Ukraine with cyber-attack prevention)
Sources: Momentum Cyber, Boston Consulting Group, The Information, Dealroom.co
2. Summary of Threat Trends from Crowdstrike and Mandiant/Google Cloud
- Adversaries are getting faster: adversaries are getting faster at breaking out (time it takes to gain access to the host and move laterally to other hosts in an environment). More than ever before, it’s critical to quickly begin investigations and remediate incidents once there is an endpoint detection
- 2022 breakout time: 84 minutes (down from 98 minutes in 2021)
- Top 30% were under 30 minutes
- Access brokers are booming: the popularity of access brokers – who sell access to compromised networks – among cyber criminals is increasing, with more than 2,500 advertisements seen in 2022, up 112% from 2021
- Lowers the barrier of entry for criminals to enter systems, removing the requirement for them to acquire valid credentials themselves
- Several brokers will sell in bulk, while others use a “one-access, one-auction” technique
- Access methods have remained consistent, with actors abusing compromised credentials obtained by hackers or purchased in log shops on the dark web
- 80% of all breaches use compromised identities and 50% of organizations have experienced an active directory attack in the last two years
- Moving beyond malware: adversaries are increasingly “living off the land,” pivoting from bringing their own malicious tools into an environment to leveraging tools that are already present on the host they are compromising (e.g. disguising activity as routine admin-user work, leveraging PsExec, WMI, etc.)
- Makes it increasingly challenging for organizations to detect because the adversary can blend in with general admin activities, which security teams try to avoid disrupting
- Crowdstrike has seen a 50% YoY increase in interactive intrusions, defined as when human adversaries actively manipulate a host. The tech sector has been the primary target to date, as shown below:
Figure 8: Top 10 verticals by interactive intrusion frequency
Source: Mandiant/Google Cloud
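The detection side of the “living off the land” point above, as an added example that is not from the report or from CrowdStrike/Mandiant: two widely documented hunting patterns (a PsExec service install, and WmiPrvSE.exe spawning a shell, the footprint of remote WMI execution) run over a constructed sample of JSON-formatted Windows event records. The field names and log lines are assumptions constructed for the example; the output keeps the account and host because the same events are produced by legitimate administrators and an analyst has to confirm them.

```python
"""Spot 'living off the land' remote-admin activity in constructed Windows event records."""
import json
from collections import defaultdict

# Constructed sample events (not real telemetry); field names are assumptions.
# JSON needs '\\' for a single backslash, hence the raw string.
SAMPLE_LOG = r"""
{"ts":"2023-03-01T02:14:05Z","host":"FS01","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\jdoe"}
{"ts":"2023-03-01T02:14:07Z","host":"FS01","event_id":4688,"parent_image":"C:\\Windows\\PSEXESVC.exe","new_image":"C:\\Windows\\System32\\cmd.exe","user":"CORP\\jdoe"}
{"ts":"2023-03-01T09:30:11Z","host":"WS22","event_id":4688,"parent_image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","new_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"CORP\\svc-backup"}
{"ts":"2023-03-01T09:31:00Z","host":"WS22","event_id":4688,"parent_image":"C:\\Windows\\explorer.exe","new_image":"C:\\Windows\\System32\\notepad.exe","user":"CORP\\alice"}
{"ts":"2023-03-01T10:02:45Z","host":"DC01","event_id":7045,"service_name":"Spooler","image_path":"C:\\Windows\\System32\\spoolsv.exe","user":"NT AUTHORITY\\SYSTEM"}
"""

# Command interpreters whose appearance under WmiPrvSE.exe is worth a look.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both '\\' and '/' separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(raw: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def detect_lotl(events: list[dict]) -> list[dict]:
    """Return one finding per event that matches a living-off-the-land pattern."""
    findings = []
    for e in events:
        rule = None
        if e.get("event_id") == 7045:
            # System log 7045: a new service was installed. PsExec installs PSEXESVC.
            if (e.get("service_name", "").upper() == "PSEXESVC"
                    or basename(e.get("image_path", "")) == "psexesvc.exe"):
                rule = "psexec_service_install"
        elif e.get("event_id") == 4688:
            # Security log 4688: process creation; look at the parent/child pair.
            parent = basename(e.get("parent_image", ""))
            child = basename(e.get("new_image", ""))
            if parent == "wmiprvse.exe" and child in SHELLS:
                rule = "wmi_remote_shell"
            elif parent == "psexesvc.exe":
                rule = "psexec_remote_shell"
        if rule:
            findings.append({"rule": rule, "ts": e["ts"], "host": e["host"], "user": e["user"]})
    return findings


def findings_by_account(findings: list[dict]) -> dict[str, int]:
    """Count findings per account so the analyst sees which admin identity is involved."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = detect_lotl(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ts"]} {h["host"]:<5} {h["user"]:<16} {h["rule"]}')
    print(findings_by_account(hits))
```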
- Common ecosystems of access include:
- Active intrusion supply chain compromises: in the SolarWinds supply chain compromise, a malicious software update provided Cozy Bear access to 18,000+ organizations
- Exploiting open source repositories and trusted third-parties for credentials: Checkmarx found that one-third of software packages from the Python Package Index (PyPI) are vulnerable to a design feature that allows an attacker to automatically execute code when a package is downloaded to a computer
- Ransomware becoming more evasive: changes in global median dwell times (the time from initial compromise to detection) show ransomware is becoming harder to detect. Additionally, NCC Group found that March '23 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% YoY
- Ransomware attacks: increased from 5 days in 2021 to 9 days in 2022
- Non-ransomware incidents: decreased from 36 days in 2021 to 17 days in 2022
- Identity a primary attack node: actors are shifting away from the deactivation of antivirus and firewall technologies and log-tampering. Increasingly, actors are seeking ways to modify authentication processes and attack identities
- Adversaries exploiting cloud migration trends: observed cloud exploitation cases grew by 95%; cases involving cloud-conscious actors nearly tripled from 2021. Threat actors primarily obtained initial access to the cloud by using existing, valid accounts, resetting passwords, or placing webshells or reverse shells for persistence after exploiting public-facing applications such as web servers
- Attackers furthering same tactics: Crowdstrike observed threat actors consistently focusing on previously established attack vectors and components in 2022. Actors did this by: 1) modifying or reapplying the same exploit to target other similarly vulnerable products, and 2) leveraging the discovery process to focus on known vulnerabilities and circumvent patching by exploring other exploit vectors
Source: Mandiant/Google Cloud, Crowdstrike, Checkmarx
Figure 9: Select venture-backed companies addressing current threat trends
Sources: Pitchbook Data, Inc., Lazard VGB Insights
3. Securing the software supply chain
- Pace and frequency of supply chain attacks on the rise: there has been a 742% average annual increase in software supply chain attacks over the past three years, according to Sonatype. Gartner predicts that by 2025, 45% of organizations globally will experience attacks on their software supply chains, a 3x increase from 2021. In 2022, supply chain breaches took 26 days longer to detect than the global average data breach lifecycle as the attack forms became more complex
- Supply chains embedded with vulnerabilities: most large enterprises today outsource major components of their business operations to third-parties, and software suppliers are an easy target, as shown below:
Figure 10: Why risk is inherent to software supply chains
Source: Charlie Jones (Reversing Labs)
- Growing list of high-profile incidents: there has been a string of notable software supply chain attacks since 2020, each with varying degrees of complexity:
- SolarWinds was vulnerable across multiple parts of its environment:
- Developer compromise: SUNSPOT attack on build infrastructure
- Supply chain segments: SUNBURST attack on the Orion software package
- Targeted customers: malware payloads delivered through TEARDROP and RAINDROP
- Apache Log4j arose from reliance on a single open-source package – this showed the impact that a single dependency can have within an application
- Codecov was similar to SolarWinds, demonstrating the ability to breach a supply chain without the use of malware or known vulnerabilities. This highlighted the need to protect secrets and proactively identify suspicious behaviors that can be introduced as a result of changes to a software package
- IconBurst represented an emerging form of supply chain attack – malicious packages designed to infiltrate a network leveraging automation around package managers, and once installed, triggering cascading effects. These usually enter a system by deceiving developers with slight adjustments to common package names
- Traditional EDR protections insufficient: enterprise endpoint detection and response (EDR) protections (firewalls, perimeter protections) are insufficient to stem these attacks; these tools help frame a picture of an attacker’s intent, but fail to provide front-line protection
Sources: Charlie Jones (Reversing Labs), Aqua Security
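A pre-install check for the IconBurst-style pattern described above (malicious packages whose names are slight adjustments of common ones), as an added example that is not from the report or from any vendor it names. The allowlist of trusted package names is a constructed sample; a real pipeline would load it from the organisation’s approved-dependency inventory.

```python
"""Flag dependency names that are near-misses of well-known package names.

The check normalises names the way package indexes do, then measures edit
distance (insert, delete, substitute, adjacent swap) against a trusted list.
A name that is close to, but not equal to, a trusted name is a candidate
typosquat and should be held for review before install.
"""
from typing import Iterable, Optional

# Constructed sample of trusted package names (assumption for this example).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "cryptography", "boto3"}


def normalize(name: str) -> str:
    """Case-insensitive; '-', '_' and '.' are treated as the same separator."""
    return name.lower().replace("-", "_").replace(".", "_")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    if a == b:
        return 0
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swap of adjacent chars
    return d[-1][-1]


def nearest_known(name: str, known: Iterable[str] = KNOWN_PACKAGES,
                  max_distance: int = 2) -> Optional[tuple[str, int]]:
    """Closest trusted name within max_distance as (name, distance), else None."""
    target = normalize(name)
    best: Optional[tuple[str, int]] = None
    for k in known:
        dist = damerau_levenshtein(target, normalize(k))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (k, dist)
    return best


def classify(name: str, known: Iterable[str] = KNOWN_PACKAGES, max_distance: int = 2) -> str:
    """'known' for a trusted name, 'suspicious' for a near-miss, 'unknown' otherwise."""
    known = set(known)
    if normalize(name) in {normalize(k) for k in known}:
        return "known"
    return "suspicious" if nearest_known(name, known, max_distance) else "unknown"


def audit(dependencies: Iterable[str]) -> list[tuple[str, str, Optional[str]]]:
    """(dependency, verdict, lookalike) for each entry; lookalike is set only when suspicious."""
    findings = []
    for dep in dependencies:
        verdict = classify(dep)
        match = nearest_known(dep) if verdict == "suspicious" else None
        findings.append((dep, verdict, match[0] if match else None))
    return findings


if __name__ == "__main__":
    # Constructed requirements list: one exact name, two near-misses, one unrelated name.
    for dep, verdict, lookalike in audit(["requests", "reqeusts", "urlib3", "flask"]):
        print(f"{dep:<12} {verdict:<11} {lookalike or ''}")
```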
Why we should be concerned about software supply chain attacks…
- The scale of risk with software supply chain attacks is much higher than when components of a physical supply chain are compromised. Software supply chain attacks make a system vulnerable everywhere a piece of software is deployed to, potentially reaching tens to hundreds of thousands of systems
- In most cases, the compromised software is running with higher privileges (e.g. SolarWinds) while also being malicious. Many third-party products require privileged access, and this negates the effectiveness of a traditional firewall
- Most third-party products also require frequent communication between a vendor’s network and the vendor’s software product located on a customer network
- Additionally, the breadth of component sourcing options available to developers far exceeds those associated with hard-asset supply chains:
Source: Lazard VGB Insights
…and how to think about securing them…
- To properly secure a supply chain, IT departments need to source high-quality components from fewer sources. Once a piece of software is inside an organization’s system, it is challenging to resolve a vulnerability
- More than one year since the onset of the Log4j exploitation, 62% of companies are still unwittingly downloading Log4j-infected packages. This reflects the proactive approach required for organizations to be aware of – much less defend against – the range of possible vulnerabilities within their supply chain
Figure 11: Steps to secure the software supply chain
Sources: Rao Lakkakula (JPMorgan Chase), NIST, Charlie Jones (Reversing Labs)
- In summary, software supply chains are high-risk threat vectors, and organizations are realizing the need to systematize their process of building a bill of materials and consolidating their artifact procurement data across all sources (open-source and commercial). Below are some of the venture-backed businesses enabling greater supply chain hygiene and resiliency:
Figure 12: Select venture-backed companies addressing software supply chain protection
Sources: Pitchbook Data, Inc., Lazard VGB Insights
4. Zero trust identity protection becomes table-stakes
- MFA only one component of identity security: 78% of organizations are using multi-factor authentication (MFA) for identity and access control (up from 28% in 2017). Yet, increasingly sophisticated and automated identity attacks are on the rise as more companies introduce hybrid work, IT modernization, and new digital experiences into their day-to-day operations. Notably, 82% of these attacks still involve some form of human element
- Identity at the center of a zero trust strategy: disparate identities are causing technical debt and identity-related breaches as IT leaders struggle to address sprawl. Gartner has found that 60% of organizations have over 21 disparate identities per user, and predicts that by 2024, a true global, portable, decentralized identity standard will emerge in the market to address business, personal, social and societal, and identity-invisible use cases. Reducing the identity attack surface requires a unified approach, complemented by zero trust principles to gain a 360-degree view of users and their access types:
Figure 13: Unified approach to identity security
Sources: Dave Taku (RSA)
- Decentralized orchestration creates flexibility: identity orchestration creates a secure and flexible integration framework that enables organizations to seamlessly connect and manage digital assets across disparate multi-cloud environments. Even while creating more friction for users, decentralized orchestration provides greater protection in a hybrid cloud world and removes the single point of failure that can set back a centralized identity management approach, as outlined in Figures 14 and 15
Figure 14: Decentralized identity orchestration overview
Sources: IdRamp, Indicio, PingIdentity, Gartner, SailPoint
Figure 15: Centralized vs. decentralized identity management
Sources: Fractal
- Passwordless authentication: lastly, passkeys are moving into the mainstream as a tool of choice to manage access across devices. Put simply, passkeys enable a user to sign in to a site using the same method they use to unlock their device (Face ID, Touch ID, etc.). Post-RSA, Google announced the launch of passkeys for Google accounts, enabling users to synchronize all their devices through the cloud using cryptographic key pairs, and allowing them to sign in to websites and apps using the same biometrics or screen-lock PIN they use to unlock their devices. This makes it more challenging for bad actors to access users’ accounts remotely, as physical access to the user’s device is required
Sources: Google, TechCrunch
- Below are some emerging identity and access management providers drawing support from venture and growth investors:
Figure 16: Select venture-backed companies addressing zero trust identity protection
Sources: Pitchbook Data, Inc., Lazard VGB Insights
5. Securing AI/ML solutions an emerging, dynamic challenge
- Deloitte survey results show cybersecurity vulnerabilities of AI/ML solutions are among the top three security concerns of major countries including China, Germany, the US, France, and Australia
- There are three primary relationships involving cybersecurity and AI/ML – in this section, we will primarily focus on the first of the three outlined below by NIST:
- Cybersecurity of AI tools: lack of robustness and the vulnerabilities of AI models and algorithms
- AI to support cybersecurity: AI used as a tool/means to create advanced cybersecurity (e.g. by developing more effective security controls) and to facilitate the efforts of law enforcement and other public authorities to better respond to cybercrime
- Malicious use of AI: malicious/adversarial use of AI to create more sophisticated types of attacks
- When examining how to layer security protections into AI/ML systems, it’s important to separate AI as the “super-set” and ML as the “sub-set” as outlined below:
Figure 17: Basics to AI/ML for cyber use cases
Sources: Diana Kelley (Cybrize)
- Because AI/ML systems are designed to produce outputs after ingesting and analyzing large amounts of data, there are several organic security challenges not seen with other systems:
Figure 18: Unique security vulnerabilities of AI/ML systems
Source: MIT Sloan
- Given these broad vulnerabilities, it is necessary to conduct comprehensive diligence on the solution provider to ensure the model development and management practices follow a security-first approach
Figure 19: Security diligence questions to ask AI/ML vendors
Source: Crowdstrike
AI/ML Threat Landscape
- The industry is seeing growing threats from adversarial ML attacks – over the last several years, tech companies including Google, Amazon, Microsoft, and Tesla, have all had their ML systems tricked, evaded, or misled
- Gartner AI research shows that security concerns are a top obstacle to enterprise adoption of AI, tied for first place with the complexity of integrating AI solutions into existing infrastructure
- IBM found that of more than 7,500 global businesses, 35% of companies are already using AI, up 13% from last year, while another 42% are exploring it. However, almost 20% of companies say that they were having difficulties securing data and that it is slowing down AI adoption
- The vast majority of attacks seen today are “low-end” attacks – i.e. a human repeatedly feeding inputs into an ML system until they breach the boundary conditions of a model and successfully defraud/attack a system. It is becoming increasingly easy to launch adversarial AI attacks, making red-teaming exercises critical to risk mitigation
- There are four primary types of ML attacks being regularly observed:
Figure 20: Common adversarial ML attacks and possible remediations
Sources: Excella, VentureBeat, Dataconomy, Secure Systems Group
- While still a nascent market, security solutions for AI and ML systems are likely to be in high demand as both consumer and enterprise use cases of these tools continue to proliferate. An early indicator of this was HiddenLayer – an early-stage, Austin-based ML protection platform – winning the RSA 2023 Sandbox innovation competition against an impressive slate of well-funded companies operating in more mature cyber verticals (e.g. Endor Labs, Astrix Security, Pangea, Valence Security, SafeBase)
Figure 21: Select venture-backed companies securing AI/ML systems
Sources: Pitchbook Data, Inc., Lazard VGB Insights
6. XDR is Driving the Modernization of Security Operations
- At a macro level, modern organizations face an array of security operations challenges driven by three primary factors, with data being the common denominator underlying each:
Figure 22: Security operations plagued by a data problem
Source: Elastic
- This problem set requires an analytics-based solution for the modern security operations center through XDR. While not required, SecOps teams integrating XDR with traditional SIEM (security information and event management) and SOAR (security orchestration, automation and response) point solutions are best positioned to fully protect their IT environment
- The promise of XDR is to combine telemetry from multiple sources, apply analytics to detect malicious activity, and enable confident and timely responses. This significantly reduces false positive alerts, enabling security teams to focus on correlated events that are actionable
- Gartner estimates that 40% of organizations will have deployed an XDR platform by 2027, up from 5% in 2021. Adoption will likely be as a supplement to traditional EDR solutions; a recent Enterprise Strategy Group study revealed that 84% of surveyed organizations believed their current EDR provider could deliver a highly effective XDR solution
Figure 23: How XDR supplements SIEM and SOAR tools
Sources: Elastic, Barracuda Networks, Crowdstrike, Cybereason, Enterprise Strategy Group, Secureworks
- There are two approaches to XDR delivery: native/proprietary and open. As shown below, open XDR has more appeal for security practitioners who take a best-of-breed approach to building a security stack from multiple providers. Native XDR tools are best suited for those seeking vendor consolidation and homogeneity across the stack
Figure 24: Open vs. native XDR solutions
Source: Crowdstrike
- XDR adoption ultimately remains restricted by misconceptions around how it differentiates from traditional EDR tools. A joint VMware/Forrester study of over 1,200 global IT decision-makers found that 75% of security leaders are still in a discovery phase evaluating XDR, and are driven by a wide range of motivating factors:
- 45% agreed that there is no clear, standard industry definition of XDR, which delays adoption
- 79% of non-users said improved speed and accuracy of threat detection is needed for their organizations. Of the users that have already adopted XDR, improved speed and accuracy of threat detection was one of their top five drivers for doing so
- 75% of XDR adopters found increased ROI to be the top business benefit of XDR. XDR adopters also reported a 14% increase in ROI as a result of adoption
- 83% of XDR adopters agreed that the automation and repeatability of XDR can complement other tools in the security tech stack. 75%, with this figure rising to 91% among more mature adopters, agreed that XDR enables their team to skip some of the tedious, repetitive detection engineering work they would otherwise have to do
- Below are some venture and growth-stage companies delivering innovative XDR tools to compete against incumbent market leaders such as Palo Alto Networks, Cisco, and Crowdstrike
Figure 25: Select venture-backed companies delivering XDR solutions
Sources: Pitchbook Data, Inc., Lazard VGB Insights
7. Attackers increasing focus on data opportunities
- Data theft on the rise: Mandiant’s “M-Trends 2023” report found that in 40% of intrusions in 2022, adversaries prioritized data theft, up from 29% in 2021. Intellectual property and espionage-related goals, along with financial and extortion motivations, were top influencing factors behind the incidents
- Unstructured data especially vulnerable: 90% of all ransomware attacks exfiltrate data, and even minimal amounts of data loss can bear significant consequences to business and financial operations (public disclosures, notification to clients and authorities, identity monitoring, brand and reputational damage). On average, 80% of data within the enterprise is unstructured – including images, text, audio, video, documents – and companies on average leverage at least 14 informal content repositories, making these data sets a priority target for attackers
- Financial implications continue to grow: in 2022, the average cost of a data breach reached a record high of $4.3M, according to IBM and the Ponemon Institute research. Experts estimate that average costs could reach $5M in 2023
- For the twelfth consecutive year, the healthcare industry saw the highest data breach costs. In 2022, the healthcare industry paid an average of $10M for a data breach, up 9.4% YoY
- Compromised credentials a driving factor: compromised credentials, such as compromised business emails, facilitated 19% of all data breaches. There has been a concerning upward trend of breach costs inflicted by compromised third-party vendors
- Cloud data lakes and pipelines vulnerable: in a data lake, access control is more challenging because data is stored using the object storage model. Each file object can contain a large amount of data with a wide range of different properties, and the data is usually unmanaged and available to anyone across the enterprise
- An emerging form of data lake attack is to target vulnerable versions of no-code, open-source extract-transform-load (ETL) software applications – one of the most commonly used tools for populating data lakes
- Cryptographic assets as the next frontier: exponential growth of cryptographic assets is creating mounting challenges for organizations attempting to fully control their security landscape
- There is a new possible remediation: centralized decentralized security (“CeDeSec”) operations
- The concept is for identity and access management teams to embrace centralized control and decentralized enforcement
- Delivers an innovative approach to traditional cryptographic key management
- Enables secrets management to be brought under security team’s umbrella
- Provides organizations with comprehensive visibility, control, and compliance
- This requires sensitive data to reside locally; for example, key management for Oracle should be stored in Oracle databases, and avoid exposure to global networks
Sources: Entrust, Mandiant, Okera, DarkReading, UpGuard, KeyFactor
- In summary, data theft will continue to be a growing inspiration for threat actors, requiring organizations to invest in security and encryption tools to protect data as it is ingested, stored, and moved through pipelines. Without a traditional network perimeter, the cloud requires additional capabilities to reinforce; several providers delivering cloud-specific data security solutions are highlighted in Figure 26: