Booz Allen says former staffer downloaded employees’ personal data • ZebethMedia

U.S. government contractor Booz Allen Hamilton has disclosed that a former staffer downloaded potentially tens of thousands of employees’ personal information from the company’s internal network. The government and defense contractor said that one of its staffers, while still employed by the company, downloaded a report containing the personal information of “active employees as of March 29, 2021.” A copy of Booz Allen’s website archived in March 2021 said the company had 27,600 employees, many of whom are contracted to U.S. government, military and intelligence agencies and hold high-level security clearances. The notice said that the report downloaded by the employee contained “your name, Social Security number, compensation, gender, race, ethnicity, date of birth, and U.S. Government security clearance eligibility and status as of March 29, 2021.” Booz Allen said the report containing the personal information was “improperly stored on an internal SharePoint site,” but did not say what circumstances led to the discovery of the data, only that it “recently learned” of the staffer’s activity. The data breach notice, filed with the California attorney general’s office this week, said Booz Allen discovered the data exposure on April 14, 2022. The notice said the now-former staffer acted “in direct contradiction” of the company’s policies, but that the company does “not believe that the individual intended to misuse any of the personal information in the report to cause harm to Booz Allen employees.” It’s not clear if the individual has been charged with any criminal offenses.

The US Securing Open Source Software Act of 2022 is a step in the right direction • ZebethMedia

Passionate about technology and open source software, Javier Perez is chief open source evangelist and senior director of product management at Perforce. Cybersecurity continues to be a hot topic. More and more organizations are getting hit by ransomware attacks, critical open source software vulnerabilities are making news, and we’re seeing industries and governments coming together to discuss initiatives to improve software security. The U.S. government has been working with the tech industry and open source organizations such as the Linux Foundation and the Open Source Security Foundation to come up with a number of initiatives in the past couple of years. The White House Executive Order on Improving the Nation’s Cybersecurity without a doubt kick-started subsequent initiatives and defined requirements for government agencies to take action on software security and, in particular, open source security. An important White House meeting with tech industry leaders produced active working groups, and only a few weeks later they issued the Open Source Software Security Mobilization Plan. This plan included 10 streams of work and budget designed to address high-priority security areas in open source software, from training and digital signatures to code reviews for top open source projects and the issuance of a software bill of materials (SBOM). One recent government initiative regarding open source security is the Securing Open Source Software Act, bipartisan legislation introduced by U.S. Senators Gary Peters, a Democrat from Michigan, and Rob Portman, a Republican from Ohio. Senators Peters and Portman are chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, respectively. The Act directly addresses the top three areas of focus to improve open source security: vulnerability detection and disclosure, SBOMs and OSPOs (open source program offices).
They were at the Log4j Senate hearings and subsequently introduced this legislation to improve open source security and best practices in the government by establishing the duties of the director of the Cybersecurity and Infrastructure Security Agency (CISA). This is a turning point in U.S. legislation because, for the first time, it is specific to open source software security. The legislation acknowledges the importance of open source software and recognizes that “a secure, healthy, vibrant, and resilient open source software ecosystem is crucial for ensuring the national security and economic vitality of the United States.” Finally, it states that the Federal Government should play a supporting role in ensuring the long-term security of open source software.

India’s securities depository CDSL says malware compromised its network • ZebethMedia

India’s leading central securities depository, Central Depository Services Limited, or CDSL, says its systems have been compromised by malware. On Friday, the securities depository said in a filing with India’s National Stock Exchange that it detected malware affecting “a few of its internal machines.” “As a matter of abundant caution, the company immediately isolated the machines and disconnected itself from other constituents of the capital market,” the filing said. CDSL said it continues to investigate, and that it has so far “no reason to believe that any confidential information or the investor data has been compromised” due to the incident. CDSL has not yet revealed the exact details of the malware. At the time of writing, the company’s website was down; the company declined to say if the two are related. Banali Banerjee, an agency spokesperson, said CDSL also declined to answer our other questions, including whether the company stores logs that would allow it to determine what, if any, data was exfiltrated from its network. “We are working towards resolutions,” the spokesperson said. Mumbai-based CDSL claims to maintain and service nearly 75 million trader accounts — locally called demat accounts — of investors across the country. The company also counts Bombay Stock Exchange, Standard Chartered Bank, and Life Insurance Corporation among its significant shareholders. Founded in 1999, CDSL is India’s only publicly listed depository and the country’s second-largest after the National Depository Services Limited, or NDSL, the oldest securities depository. CDSL allows the holding of securities and their transactions in electronic form and facilitates trade settlements on stock exchanges. “The CDSL team has reported the incident to the relevant authorities and is working with its cyber security advisors to analyze the impact,” the company said in its stock exchange filing.

Ransomware is a global problem that needs a global solution • ZebethMedia

This time last year, we were optimistic. It seemed like the tide was turning on ransomware after the U.S. government scored a handful of wins against the cybercriminals carrying out these increasingly damaging attacks: the Justice Department successfully seized $2.3 million in bitcoin that Colonial Pipeline paid to the DarkSide ransomware gang to reclaim its data, and months later it played a part in bringing down the notorious REvil ransomware gang. Our optimism was short-lived. Despite this action, 2022 looks set to top last year as the worst year on record for ransomware attacks; a recent report shows that attacks have increased by 80% year-over-year and that the cybercriminals responsible for these attacks have easily dodged law enforcement action by taking advantage of ransomware as a service, or by simply rebranding. “It’s clear that ransomware attacks are on the rise,” Matthew Prince, CEO of Cloudflare, tells ZebethMedia. “In September 2022, nearly one in every four respondents to our customer survey reported receiving a ransomware attack or threat, the highest month so far of 2022.” 2022 hasn’t just been the worst year for ransomware attacks statistically; it has also just been… the worst. While hackers last year focused on critical infrastructure and financial services, this year’s focus has been on organizations where they can inflict the most damage. An attack on the Los Angeles Unified School District saw Vice Society hackers leak a 500 gigabyte trove of sensitive data, including previous conviction reports and psychological assessments of students, while an attack on IT services provider Advanced left the U.K.’s NHS scrambling after it was forced to cancel appointments, with staff relying on taking notes with pen and paper.
Perhaps the most devastating attack of 2022 came just weeks ago after attackers breached Australian health insurance giant Medibank and accessed roughly 9.7 million customers’ personal details and health claims data for almost half a million customers. Data stolen during the attack included sensitive files related to abortions and alcohol-related illnesses. These attacks don’t just demonstrate that ransomware is worsening. They also show that ransomware is a global problem and that global action is needed to fight back successfully. Earlier in November, the U.S. government started to take strides in the right direction, announcing that it will establish an International Counter Ransomware Task Force, or ICRTF, to promote information and capability sharing. “This is a global issue, so governments need to come together,” Camellia Chan, CEO and founder at cybersecurity firm X-PHY, tells ZebethMedia. “That said, collaboration alone won’t provide a solution. It’s more than signing an agreement.” This is a viewpoint shared among the cybersecurity community: signing agreements and sharing intelligence is all well and good, but it’s unlikely to deter financially motivated cybercriminals that continue to reap the rewards of these attacks. To gain ground on cybercriminals that continue to achieve a high rate of success, governments need a fresh approach.

Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021. The US government declared a regional emergency on May 9, 2021 as the largest U.S. fuel pipeline system remained largely shut down, two days after a ransomware attack. Image Credits: Jim Watson / AFP via Getty Images.

“You can’t arrest your way out of the problem,” Morgan Wright, chief security advisor at SentinelOne, tells ZebethMedia. “There are numerous examples of both transnational criminal ransomware actors and nation-state actors being identified and indicted for various crimes.
These offenders almost always live in countries with no extradition treaty with the country that has issued the indictments.” “One area I would like to see an increased effort is in the area of human collection of intelligence,” Wright added. “We need more penetration of state actors and criminal organizations. Too often, ransomware is viewed as a technical issue. It’s not. It’s human greed that uses technology to achieve an end goal.” This element of greed could also be targeted by increasing regulation of the cryptocurrency market, which many believe could be on the horizon following the recent collapse of FTX. Former CISA assistant director Bob Kolasky said that in order to discourage ransomware actors for good, governments need to reduce the financial instruments available for them to use. “This includes using regulatory pressure on the cryptocurrency market to make tracking and recouping ransomware payments easier,” Kolasky tells ZebethMedia, a view shared by others. “We need governments to take a bigger role in blocking cryptocurrencies, which is the enabler of attacker monetization strategies,” agrees David Warburton, director of networking company F5 Labs, telling ZebethMedia: “While decentralized currencies, such as bitcoin, aren’t inherently bad, nor solely responsible for the ransomware epidemic we’re facing, there’s no denying they are a huge factor. While control and regulation somewhat defeat the original intent of decentralized currencies, there’s no escaping the fact that without Bitcoin, ransomware simply wouldn’t exist.” But legislation wouldn’t work unless it’s a global effort, he said: “Many ransomware groups operate from countries which have no motivation to help those that are being targeted.” This is a problem that, like ransomware itself, has been worsened by Russia’s invasion of Ukraine, which has ended any cooperation between Europe, the U.S. and Russia on ransomware operations inside Russia.
Jason Steer, chief information security officer at threat intelligence giant Recorded Future, said that this is an area that immediately needs more global government support. “The focus has significantly dropped off in 2022 due to Russia’s activities, where in fact many groups operate safely from,” said Steer. Even if governments joined forces to collaboratively fight the growing ransomware problem, it’s unlikely to have any immediate effect. Security experts expect no respite from ransomware as we enter 2023, as increasingly savvy hackers exploit new attack vectors and continue to reap the financial rewards. “There are governments that are working to provide more support and resources. But it will never be enough,” says Wright. “Bad actors will always have the advantage, but we should make them pay in a significant way every time an attack is launched.”

Hive ransomware actors have extorted over $100M from victims, says FBI • ZebethMedia

The U.S. government has warned of ongoing malicious activity by the notorious Hive ransomware gang, which has extorted more than $100 million from its growing list of victims. A joint advisory released by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services on Thursday revealed that the Hive ransomware gang has received upwards of $100 million in ransom payments from over 1,300 victims since the gang was first observed in June 2021. This list of victims includes organizations from a wide range of industries and critical infrastructure sectors such as government facilities, communications, and information technology, with a particular focus on healthcare and public health entities. Hive, which operates a ransomware-as-a-service (RaaS) model, claimed the Illinois-based Memorial Health System as its first healthcare victim in August 2021. This cyberattack forced the health system to divert care for emergency patients and cancel urgent care surgeries and radiology exams. The ransomware gang also released sensitive health information of about 216,000 patients. Then, in June 2022, the gang compromised Costa Rica’s public health service before targeting New York-based emergency response and ambulance service provider Empress EMS the following month. Over 320,000 individuals had information stolen, including names, dates of service, insurance information, and Social Security numbers. Just last month, Hive also added Lake Charles Memorial Health System, a hospital system in Southwest Louisiana, to its dark web leak site, where it posted hundreds of gigabytes of data, including patient and employee information. Hive also targeted Tata Power, a top power generation company in India, in October.
The joint FBI-CISA-HHS advisory warns that Hive typically gains access to victim networks by using stolen single-factor credentials to access organizations’ remote desktop systems, virtual private networks, and other internet-facing systems. But CISA also warns that the ransomware group skirts some multi-factor authentication systems by exploiting unpatched vulnerabilities. “In some cases, Hive actors have bypassed multi-factor authentication and gained access to FortiOS servers by exploiting CVE-2020-12812,” the advisory says. “This vulnerability enables a malicious cyber-actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.” The advisory also warns that Hive actors have been observed reinfecting victims that restored their environments without paying a ransom, either with Hive or another ransomware variant. Microsoft’s Threat Intelligence Center (MSTIC) researchers warned earlier this year that Hive had upgraded its malware by migrating its code from Go to the Rust programming language, enabling it to use a more complex encryption method for its ransomware-as-a-service payload. The U.S. government shared Hive indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) discovered by the FBI to help defenders detect malicious activity associated with Hive affiliates and reduce or eliminate the impact of such incidents.

Palo Alto Networks is buying Cider Security for up to $300M • ZebethMedia

More consolidation is afoot in the world of cyber security. ZebethMedia has learned from sources that Palo Alto Networks is going to be announcing the acquisition of Cider Security for $200 million in cash and a further $100 million in shares. The deal has been rumored for weeks, but we understand that investors have now been informed, and staff are also being looped in on the deal, which will be made official when Palo Alto reports its earnings later today. Palo Alto has not responded to our request for comment. Cider Security, based out of Israel, is one of a number of companies that focuses on application security, which includes not just technology to monitor malicious or suspicious activity around live applications in the cloud, but observability of the full ecosystem around those applications, specifically code deployments and other kinds of modifications and updates, covering code, CI/CD and the wider supply chain around those apps. The company had raised $44 million from investors that included Tiger Global and Glilot Capital Partners — representing a decent exit for them at a time when valuations are seeing a lot of pressure, and many investors (including Tiger) have made drastic mark-downs in some of their holdings. That’s not to say that prices are buoyant here: one source tells us that Palo Alto may well publicize this as a $200 million cash deal, with the $100 million share part disclosed later in order not to alarm the market. Palo Alto Networks currently has a market cap of close to $47 billion. Relatively speaking, while it has been hit, like other tech companies, by a dropping share price, it has seen significantly less volatility and decline than some of its more valuable, bigger, consumer-facing counterparts.
The company has made a number of acquisitions over the years to expand its reach in the market, but this appears to be the first and only one in 2022 (the two most recent before this are Expanse and BridgeCrew, respectively for $800 million in 2020 and $156 million in 2021). Palo Alto already has a division that focuses on application security, which was in part formed by way of acquisitions. Evident.io, which it acquired in 2018 for $300 million, forms the basis of its Prisma Cloud business, which is focused on end-to-end application security. Cider will bring Palo Alto a product built from the ground up envisioning more holistic observability and communication between engineers and security teams. Notably, along with the rumors of this Cider deal, it had been reported that Palo Alto Networks had been eyeing up another application security startup, Apiiro Security; however, reports claim that PA “walked away” due to a much higher price tag of $600 million. Interestingly, Apiiro looks like it is set to go it alone for now: just earlier this month, it announced a $100 million round of funding. Cloud security, and application security specifically, continue to be hot areas in the enterprise IT world, not least because the high amount of network activity and systems exposure both make the space vulnerable to attacks. It was estimated to be a market worth some $6.2 billion in 2020, and it’s growing fast. We will update this post as we learn more.

OpsHelm emerges from stealth to automatically correct your security blunders • ZebethMedia

There are so many preventable cybersecurity incidents each year, if only you were aware of the problem. It could be the classic exposed Amazon S3 bucket or a firewall vulnerability. These are what many security experts might call rookie mistakes, but they hit companies all the time because of the sheer complexity of tracking security along your entire IT stack. OpsHelm, an early stage startup from a group of long-time cybersecurity professionals, wants to strip away the complexity and automatically correct a lot of the most common security mistakes, the kind that can cause big problems if they go undetected. Today, the company emerged from stealth to make the product more widely available in a public beta, with GA expected early next year. “What we’re trying to do is automate a lot of what’s currently a fairly manual, interrupt-driven workflow where security tools push an alert to you. And then you’ll have to go fix the problem that they’ve identified or decide whether it’s not an issue,” company co-founder and CEO Bill Gambardella told ZebethMedia. Prior to founding OpsHelm, Gambardella was COO at Leviathan Security Group, and previously ran security at Sprout Social. His three other co-founders have similar pedigrees, which means they have experienced first hand the kinds of issues they are trying to fix with OpsHelm. He said what he and his co-founders saw was the same mistakes and issues occurring over and over again, resulting in late night or weekend meetings to try and fix a problem that could have been prevented in the first place.

OpsHelm dashboard. Image Credits: OpsHelm

“What I saw from both ends of that spectrum was that these little misconfigurations, little cloud problems, little cloud issues, somebody innocently committed at one point, cascading into big, big problems on let’s say, Saturday night, where we all were on an all-hands-on-deck call dealing with an incident. And then you need an expensive consultancy to help you clean it up.
Not an ideal place to be, but it did keep happening over and over again,” he said. OpsHelm monitors your security landscape looking for those issues and lets you know in a common communications tool like Slack or Microsoft Teams, where you can accept or reject the fix; whatever action you take, the system learns how to handle it next time. Gambardella says this is not based on so-called best practices so much as on learning from the environment in which your company is operating, and helping teams move on without a lot of discussion, while leaving room for auditing later if it’s required. “We’re trying to move away from ‘Here’s here’s an alert you need to go investigate, drop what you’re doing, and spend 15 minutes talking to people,’ to more of ‘at 3:04 pm Tim on the Ops team, said he is OK that this S3 bucket can be on the internet and publicly exposed,’” he said. Security ops can track all of this in an operations dashboard, and could still decide to talk to the person who green-lighted the exception to find out if there was a justifiable reason for this particular action, but the idea is to empower people to deal with these issues in the moment. The very stealthy startup launched earlier this year and has raised a $1.3 million seed round. The

Iran-backed hackers breached a US federal agency that failed to patch year-old bug • ZebethMedia

The U.S. government’s cybersecurity agency says hackers backed by the Iranian government compromised a federal agency that failed to patch against Log4Shell, a vulnerability fixed almost a year ago. In an alert published Thursday, the Cybersecurity and Infrastructure Security Agency said that a federal civilian executive branch (FCEB) organization was breached by Iranian government hackers earlier in February. CISA did not name the breached FCEB agency, a list that includes the likes of the Department of Homeland Security, the Department of the Treasury, and the Federal Trade Commission, and CISA spokesperson Michael Feldman declined to comment when reached by ZebethMedia. CISA said it first observed the suspected activity on the unnamed federal agency’s network months later, in April, while conducting retrospective analysis using Einstein, a government-run intrusion detection system used to protect federal civilian agency networks. The agency found that the hackers had exploited Log4Shell, a critical zero-day vulnerability in the ubiquitous open-source logging software Log4j, in an unpatched VMware Horizon server to gain initial access into the organization’s network with administrator and system-level access. This compromise happened even though CISA had ordered all federal civilian agencies to patch their systems affected by the Log4Shell vulnerability by December 23. Once inside the organization’s network, CISA observed, the threat actors installed XMRig, open-source crypto mining software that is commonly abused by hackers for mining virtual currency on compromised computers. The attackers also installed Mimikatz, an open-source credential stealer, to harvest passwords and to create a new domain administrator account. Using this newly created account, the hackers disabled Windows Defender and implanted Ngrok reverse proxies on several hosts in order to maintain their access in the future.
The attackers also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated. It’s not clear for what reason the hackers targeted the U.S. federal agency. Broad access to an organization’s network can be used for both espionage as well as launching destructive attacks. CISA, which has not attributed the breach to a particular advanced persistent threat (APT) group, shared indicators of compromise (IOCs) to help network defenders detect and protect against similar compromises. CISA also said that organizations that haven’t yet patched VMware systems against Log4Shell should assume that they’ve already been breached and advises them to start hunting for malicious activity within their networks. The agency also urges organizations to keep all software up-to-date, implement , and prevent users from using known compromised passwords.

New code suggests Twitter is reviving its work on encrypted DMs • ZebethMedia

Under Elon Musk, Twitter may be reviving a project that would bring end-to-end encryption to its Direct Messaging system. Work appears to have resumed on the feature in the latest version of the Android app, according to independent researcher Jane Manchun Wong, who spotted the changes to Twitter’s code. While Musk himself recently expressed interest in making Twitter DMs more secure, Twitter itself had abandoned its earlier efforts in this space after prototyping an encrypted “secret conversations” feature back in 2018. Had the encrypted DMs feature launched, it would have allowed Twitter to better challenge other secure messaging platforms like Signal or WhatsApp. But work on the project stopped and Twitter never publicly explained why — nor had it commented on the prototype Wong had also found being developed in the app years ago. Now, Wong says she’s seen work on encrypted DMs resume, tweeting out a screenshot of Twitter’s code which references encryption keys and their use in end-to-end encrypted conversations. Another screenshot shows a “Conversation key,” which the app explains is a number generated from the user’s encryption keys for the conversation. “If it matches the number in the recipient’s phone, end-to-end encryption is guaranteed,” the message reads. In response to Wong’s tweets, Musk replied with a winking face emoji — an apparent confirmation, or at least what stands in for one these days, given that Twitter laid off its communications staff and no longer responds to reporters’ requests for comment. Unlike the other projects Musk’s Twitter has in the works, like a relaunch of the Twitter Blue subscription now due out later this month, end-to-end encryption is something that cannot, and should not, be rushed out the gate. Meta, for example, took years to fully roll out end-to-end encryption (E2EE) in Messenger, after having first tested the feature in 2016.
It wasn’t until this summer that Meta announced it would finally expand its E2EE test to individual Messenger chats. The company explained the delay in launching was, in part, due to the need to address concerns from child safety advocates who had warned the changes could shield abusers from detection. Meta also intended to use A.I. and machine learning to scan non-encrypted parts of its platform, like user profiles and photos, for other signals that could indicate malicious activity. Plus, it needed to ensure that its abuse reporting features would continue to work in an E2EE environment. In short, beyond the technical work required to introduce E2EE itself, there are complicating factors that should be taken into consideration. If Musk announces encrypted DMs in a compressed timeframe, it would raise concerns about how secure and well-built the feature may be. Plus, with Twitter’s 50% workforce reduction and the departure of key staff — including chief information security officer Lea Kissner, who would understand the cryptographic challenges of such a project — it’s unclear if the remaining team has the expertise to tackle such a complex feature in the first place. Musk, however, seems to believe encryption is the right direction for Twitter’s DM product, having recently tweeted “the goal of Twitter DMs is to superset Signal.” And, in response to a user’s question about whether Twitter would merge with telecommunications or become a WhatsApp replacement, Musk responded simply that “X will be the everything app.” “X” here refers to Musk’s plan to transform Twitter into a “super app” that would combine payments, social networking, entertainment, and more into one singular experience. Last week, he spoke in more detail about his plans for the payments portion, suggesting Twitter could one day allow users to hold cash balances, send money to one another, and even offer high-yield money market accounts.

Akeyless secures a cash infusion to help companies manage their passwords, certificates and keys • ZebethMedia

Back in 2018, Refael Angel, a former security software engineer at Intuit, had an idea for a new approach to protecting encryption keys — the random strings of bits created to scramble and unscramble data — in the cloud. He met with Shai Onn and then Oded Hareven, with whom Angel had worked five years earlier, to look for signs of product-market fit. After finding it, the three co-founders together built a service for managing passwords, API keys and digital certificates, which evolved into a fully fledged business — Akeyless — over the course of the next several years. Today, Akeyless is thriving, Angel tells me — despite fierce competition from incumbents like HashiCorp Vault, AWS Secrets Manager and Google Cloud’s Secret Manager. Akeyless has customers across the retail, fintech, insurance and gaming sectors, among others, including Wix and Outbrain. And the company’s revenue has increased 350% over the past year. “The pandemic and resulting workforce trends, such as work-from-home initiatives, have only increased the need for employees to access corporate IT resources remotely and have accelerated the adoption of cloud technologies and increased the number of secrets needed,” Shai told ZebethMedia in an email interview. In software development, “secrets” refers to credentials like passwords and access tokens. “Similarly, the economic downturn and tech slowdown stand to only further encourage organizations to seek software-as-a-service-based solutions that offer faster deployment, low to zero maintenance, global auto-scalability, lower total cost of ownership and higher adoption rates.” To lay the groundwork for future growth, Akeyless today closed a $65 million Series B round — $45.5 million in equity and $19.5 million in debt — led by NGP Capital with participation from Team8 Capital and Jerusalem Venture Partners.
Bringing Akeyless’s total funding to date to $80 million, the new capital gives the company at least two and a half years of runway and will be put toward various sales, marketing, customer service and product development initiatives, Hareven said via email. “This will allow us to navigate the current economic climate and continue to provide our much-needed solution to the market,” he added. Akeyless’s co-founders attribute the startup’s success in part to the comprehensiveness of its product offerings. Akeyless both encrypts and signs the certificates, credentials and keys that organizations use to provide access to their systems, apps and data. The platform performs cryptographic operations using fragments of an encryption key that reside across different regions and cloud providers. The fragments are never combined — not even during the encryption and decryption process, Hareven claims — and one of the fragments is created on the customer side to ensure Akeyless has zero knowledge of the keys.

An abstracted view of the Akeyless secrets management dashboard. Image Credits: Akeyless

The core problem Akeyless attempts to tackle is what Hareven refers to as “secret sprawl.” As a company’s IT environment expands, so does the number of passwords, API keys and certificates that the company uses to enable authentication between processes, services and databases, he notes. Those passwords and keys are found in code, configuration files and automation tools, introducing risk that could result in data breaches. According to a 2021 survey from code security platform GitGuardian, three code commits out of 1,000 expose at least one secret. GitGuardian estimates that app security engineers on average have to handle over 3,400 secret occurrences. And in a separate report from Forrester published in the same year, developers revealed that 57% of their employers experienced a security incident related to exposed secrets within the past two years.
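The “secret sprawl” described above is usually found with exactly this kind of check: a scanner that reads source and configuration files and flags hard-coded credentials. The script below is an added illustration, not Akeyless or GitGuardian code; its detection rules (a real AWS access key ID format, a PEM private-key header, and a heuristic entropy test for generic `password=` style assignments) and its sample config lines are constructed for the example.

```python
"""Added example: a minimal hard-coded secrets scanner (not Akeyless or
GitGuardian code). Flags credentials committed to source or config files,
the "secret sprawl" problem described in the article."""
import math
import re
from collections import Counter

# Detector rules: (name, compiled regex). The AKIA prefix and the PEM header
# are publicly documented formats; the generic assignment rule is a heuristic
# assumption and relies on the entropy filter below to reduce false positives.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment",
     re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b"
                r"\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold=3.0):
    """Return (line_no, rule_name, matched_text) for each suspected secret.

    Generic assignments are reported only when the value looks random enough,
    which suppresses placeholders such as ``password = changeme``.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "generic_assignment":
                value = m.group(2)
                if shannon_entropy(value) < entropy_threshold:
                    continue  # low-entropy placeholder, not a real credential
                findings.append((lineno, name, value))
            else:
                findings.append((lineno, name, m.group(0)))
    return findings


# Constructed sample config: placeholders plus one real-looking API key, the
# AWS-documented example access key ID, and the start of a PEM private key.
SAMPLE = """\
[db]
host = db.internal.example
password = changeme
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "x9Q2mL7pZ4vB8nR1tK6wJ3"
-----BEGIN RSA PRIVATE KEY-----
""".splitlines()


if __name__ == "__main__":
    for lineno, rule, text in scan_lines(SAMPLE):
        print(f"line {lineno}: {rule}: {text}")
```

Wiring this into a pre-commit hook or CI step catches the secret before the commit lands, which is the point at which it is still cheap to fix.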
Akeyless’s solution is centralizing secrets through plug-ins for existing IT, dev, and security tools and capabilities like disaster recovery, Hareven continued. Secrets stored by the platform are made accessible in all of a company’s environments.

“While modern secret management solutions address the security challenges of [development] environments, many organizations are still forced to rely on siloed and disconnected tools for securing secrets in legacy environments,” Hareven said. “Our customers are expressing a need for the convergence of legacy tools to reduce risks and improve compliance across all environments and use cases.”

Akeyless certainly occupies a large and profitable sector — Grand View Research predicts that the market for password management software will be worth up to $2.05 billion by 2025. But it’ll have to fend off rivals like Doppler, which recently raised $20 million for its platform to help companies manage their app secrets. Another challenge will be convincing holdouts to embrace secrets management as a discipline; according to one report, only 10% of organizations were using secrets management solutions as of 2019.

If Akeyless’s co-founders have concerns, they didn’t show them. To the contrary, Hareven pointed to the team’s track record in cybersecurity — Onn’s previous security venture, Fireglass, was acquired by Symantec for $250 million — and noted that Akeyless is expanding, with plans to double its 80-person workforce by the end of next year. Hareven didn’t mention it during our conversation, but Akeyless is also likely to benefit from the continued broader VC interest in cybersecurity. Venture capital investments in security startups eclipsed $13 billion this year, according to PitchBook data, up from $11.47 billion in 2020.
“The fact that we are a software-as-a-service provider and free of the ‘on-premise technical debt’ of versioning and support makes our economics much more efficient, allowing us to respond faster to market needs and rapidly innovate,” Hareven said.
