CyberGRX Tag

CyberGRX Closes $20M Series B Funding to Accelerate Growth of World’s First Third-Party Cyber Risk Exchange

  |   Portfolio News, The Latest

 

Bessemer Venture Partners Leads Series B Round with Participation from Existing Investors; Funding Comes on Heels of Launch of CyberGRX Exchange

 

Business Wire | April 18, 2017 | 8am ET

 

DENVER – April 18, 2017 – CyberGRX, the provider of the most comprehensive third-party cyber risk management platform, today announced that it has raised $20 million in Series B funding led by Bessemer Venture Partners (BVP). CyberGRX’s existing investors also participated in the round, including Aetna Ventures, Allegis Capital, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, TenEleven Ventures and several other strategic investors. CyberGRX will use the funding to accelerate adoption of the CyberGRX Exchange, the world’s first global third-party cyber risk management (TPCRM) exchange.

As enterprises’ digital ecosystems grow and become increasingly interconnected, the volume and complexity of security and resiliency risks from third parties, including contractors, vendors, partners and customers, only grows. According to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s employees. At the same time, the third-party cyber risk management process is largely driven by sharing spreadsheets and trusting unvalidated assessments. Built in partnership with the chief security and risk officers from some of the world’s largest companies, including Aetna, ADP and MassMutual, the CyberGRX Exchange brings massive efficiency to this process while providing boardroom-level information about real-time cyber risk exposure across an enterprise’s entire ecosystem of third parties.

“For an enterprise today, managing cyber risk requires visibility into the extended network of vendors who store information about us,” said David Cowan, the BVP partner joining CyberGRX’s board of directors. “The CISO’s we surveyed overwhelmingly look to CyberGRX to help them identify, assess and remediate cyber risks in their extended networks.”

Launched in March 2017, the CyberGRX Exchange is designed to make it simple and cost effective for enterprises to get up-to-date, comprehensive, one-click access to their third parties’ cyber risk assessments. It is purpose-built to transform companies’ third-party cyber risk management processes from a compliance-based to a risk management-based approach. For third parties, the CyberGRX Exchange is designed to make it easy to complete one updated cyber risk assessment and share it with their many upstream partners. The CyberGRX Exchange delivers standardized assessments, actionable analytics, remediation management and real-time threat intelligence updates to enterprises and their third parties, enabling them to mitigate risk, reduce costs and manage process complexity.

“There’s a simple question at the heart of third-party cyber risk: which vendors, partners, suppliers or contractors pose the biggest threat to my organization?” said Fred Kneip, CyberGRX CEO. “The answer isn’t usually as simple because it’s constantly changing. We’ve developed the world’s first and only global third-party cyber risk exchange, which will continuously answer that question and provide actionable recommendations and the tools for companies to effectively manage that risk.  This capital from Bessemer Venture Partners and our existing investors will help us scale the business around the CyberGRX Exchange to meet growing demand from enterprises and third parties who’ve grown tired of the status quo. The relationships we have with key investors, customers and design partners puts CyberGRX in the pole position to be the new industry standard for third-party cyber risk management.”

Founded by former CISO’s and risk officers and backed by world-class investors, CyberGRX partners with some of the most trusted names and brands in cybersecurity. With this investment, David Cowan joins the CyberGRX board of directors. Also forming part of the board are: Bob Ackerman, founder and managing director at Allegis Capital; Jay Leek, managing director at ClearSky; Mark Hatfield, founder and general partner at TenEleven Ventures; Stuart McClure, CEO at Cylance and Fred Kneip, CEO at CyberGRX.   

For more information on CyberGRX or to join the CyberGRX Exchange, please visit https://www.cybergrx.com/.

About CyberGRX 

CyberGRX provides the most comprehensive third-party cyber risk management platform to cost-effectively identify, assess, mitigate and monitor an enterprise’s risk exposure across its entire partner ecosystem. Through automation and advanced analytics, the CyberGRX solution enables enterprises to collaboratively mitigate threats presented from their increasing interdependency on vendors, partners and customers. Based in Denver, CO, CyberGRX is backed by Allegis Capital, Bessemer Venture Partners, Blackstone, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, TenEleven Ventures and several other strategic investors. For more information, visit www.cybergrx.com or follow @CyberGRX1 on Twitter.

 

Contact:

 

Ted Weismann

fama PR for CyberGRX

(617) 986-5009

CyberGRX@famapr.com

 

 

Read More

China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity

  |   Portfolio News, The Latest

 

 Customers of managed security service providers, website of U.S. trade lobby group targeted in separate campaigns
Dark Reading | Jai Vijayan | April 6, 2017

An unknown number of managed service providers and their customers are victims of a massive, global cyber espionage campaign by a China-based threat actor that this week was also fingered in another attack against a U.S. group involved in lobbying around foreign trade policy.

News of the campaigns coincides with Chinese President Xi Jinping’s first official visit to the U.S. to meet with President Trump. It suggests that cyber-enabled espionage out of China continues to be an issue, despite a September 2015 agreement between the U.S and Chinese governments not to support or engage in such activities.

“Even as IP-focused cyber-espionage has reduced since the Xi Jinping-Obama agreement, big business will continue to be targeted, if nothing else than for the influence they hold over governments,” warns Hardik Modi, vice president of threat research at Fidelis Cybersecurity.

Fidelis was one of the organizations that this week disclosed new cyber espionage activity by APT10, a well-known China-based advanced threat group that is also known as Stone Panda. The other warning about the APT10 group’s resurgent activity, after a period of relative quiet, came from PwC UK and BAE Systems.

‘TradeSecret’ campaign against National Foreign Trade Council

The Fidelis report involves “TradeSecret,” the company’s name for a targeted and strategic campaign directed at the website of the National Foreign Trade Council (NFTC), a trade lobby group representing some of America’s largest companies.

According to Fidelis, its security researchers in February discovered a reconnaissance tool called “Scanbox,” previously associated with China government-sponsored threat actors, embedded on specific pages of the NFTC site. Among the infected page were those that NFTC board members used to register for meetings.

The malware was configured to infect the systems of anyone that visited the pages and to collect credential and session information and also system-level data that could later be used in phishing attacks or for exploiting specific vulnerabilities. It’s unclear how the APT10 group initially breached the site in order to embed Scanbox on it.

“Scanbox is a robust framework that can include a variety of reconnaissance modules,” Modi says. It can, for instance, be used to determine the software running on a target system, the type and version of antivirus on it, and other details. “In some instances, it has been known to serve up a JavaScript keylogger that can be used to grab credentials that the target enters on the page,” he says.

NFTC members have been major contributors to the dialogue around the new U.S. trade policy framework being developed by the Trump Administration. It is highly likely the APT10 group will use data that Scanbox collected to craft targeted attacks against them.

‘Cloud Hopper’ campaign against MSPs

Meanwhile, in a separate advisory, PwC and BAE Systems warned about a systematic and widespread APT10 campaign they have dubbed “Cloud Hopper” to steal data from an unknown, but most likely large, number of organizations.

What makes the campaign scary and highly scalable, according to the two organizations, is the APT10 group’s tactic to target companies via their managed service providers, rather than directly.

 

Multiple MSPs have been hit since late 2016 and their infrastructure has been used to gain access to the networks of their customers. Typical attacks have involved APT10 gaining access to a MSP network, looking for customers that match its interests, and then breaking into their networks using the MSP’s legitimate access.

The China-based group has then been extracting data from the victim’s network, putting the data into compressed files, sending it back to the MSP network and from there to servers controlled by APT10.

The investigations by BAE and PwC show that the campaign is focused on extracting intellectual property and other sensitive data from organizations. “APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world,” the two companies said in their report.

The Cloud Hopper campaign is a classic example of the evolution of third-party cyber risk, says Fred Kneip, CEO, CyberGRX. It takes advantage of the implicit trust that many organizations place on their cloud service providers and other third parties that they do business with.

“Although attacks via third parties are the second biggest source of security incidents, most organizations do not have a consistent process to help them understand which partners pose the most risk to their organization,” Kneip says. Organizations need to truly understand their residual risk from each third party, and perform their own validation of key controls as opposed to relying on self-assessments, he says.

“Customers need to ask relevant questions of their provider as to how they achieve customer segmentation and segregation,” advises Jim Reavis, executive director of the Cloud Security Alliance. “Customers also need to understand their own responsibilities and in many cases it is their job to add data protection controls like encryption or to use the provider’s logging capabilities to monitor access to their own cloud instances.”

Meanwhile, campaigns such as Cloud Hopper also highlight the need for cloud service providers to perform segmentation at multiple levels, including networks, users, applications and data, to mitigate the fallout from a data breach, Reavis says. “No company can prevent all breaches, but systems should be designed so that a single breach impacts a maximum of one customer.”

John Pescatore, director of emerging threats at the SANS Institute said that attacks targeting cloud service providers are nothing new. Edward Snowden’s leaks showed the US government was targeting IT service providers as far back as 2013. And attacks on Google and others in subsequent years have shown that Chinese threat actors have been doing the same for some time now, he says.

“The bigger suppliers are pretty good at protecting themselves, but they are rarely the low cost providers,” Pescatore says.  “All too often obtaining [specific security] certifications are all the lower cost providers have to show in order to win competitions,” he says. “There has been talk in the IT service provider industry association of raising the bar, like has been done in the UK, but not much movement forward.”

Read More

Exclusive: Blackstone-Backed Network for Cyber Risk Launches Today

  |   Portfolio News, The Latest
 
Fortune | Jeff John Roberts | 7:40 AM Pacific

Financial firms have long used rating agencies like Moody’s or S&P to judge the risk of bonds. Now, companies that face risk from cyber attacks—which these days is almost everyone—have a tool to do the same.

On Wednesday, CyberGRX unveiled a platform that acts as a clearinghouse for cyber risk. Developed by a group of blue chip security pros from companies like Blackstone and Aetna, CyberGRX promises to make the process of flagging cyber dangers from their vendors dramatically more efficient.

The risk posed by vendors has been top of mind for many companies ever since the infamous hack on Target (TGT, +0.40%) in 2013, which saw attackers compromise the computer systems of Target’s HVAC supplier in order to steal credit card information from 40 million customers.

According to Jay Leek, the former chief security officer of Blackstone, the idea for a clearinghouse came about because companies spend enormous amounts of time filling out check-lists to assess the security risks posed by their vendors. Many of Blackstone’s portfolio companies, for instance, were all conducting the same compliance tests to see if vendors—which can include anyone from software giants like Salesforce (CRM, +0.86%) or Workday (WDAY, +0.65%) to catering companies—had programs in place to defend against cyber-attacks.

This process, says Leek, resulted in a lot of duplicated efforts and security officers spending their time on checklists rather than on mitigating cyber dangers.

In response, Leek and others realized the approach was to build what they call a “third party global cyber risk exchange” that will let companies assess vendors in the same way banks rely on ratings agencies to assess bonds. Leek likens it to performing cyber-risk by means of a Turbo Tax method, rather than doing it by hand.

“The inherent efficiency of the CyberGRX Exchange eliminates the waste in today’s approach—largely based on sharing spreadsheets—in a way no one in the market does. For the first time, companies will know which of their third parties pose the greatest risk to their organizations,” says Fred Kneip, CyberGRX CEO.

The process has been in the works since last year when CyberGRX raised $9 million from investors that include Allegis Capital, Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures), and MassMutual Ventures.

To building process has relied on what CyberGRX calls its “design partners” like Aetna, and their existing dossiers of tens of thousands of vendor reports.

Now, the tool is ready for primetime as CyberGRX (GRX is for global risk exchange) invited other companies to take part. Here is how CyberGRX described it in a release announcing the news:

Built in partnership with chief security and risk officers from Aetna, Blackstone, MassMutual, ADP and other large companies with a combined network of more than 40,000 companies in their digital ecosystems, the CyberGRX Exchange brings together enterprises and their third parties and creates massive efficiency to a process that has largely been driven by sharing spreadsheets and trusting unvalidated self-assessments.

While the plan will provide a way for big companies to speed up their cyber risk assessments, it will also help hundreds of thousands of vendors who currently must wait for a cyber seal-of-approval before they can start providing their services.

As for the risk assessments the platform provides, those are compiled from the reports provided by the member companies but also from a host of outside signals. These include threat reports from security companies as well as news reports from Thomson Reuters and others.

The other advantage of the service, according to CyberGRX, is that it will continually update the security profiles of all the companies on the exchange. This means companies will no longer need to rely on an annual checklist system to confirm a vendor can still be trusted.

The idea for a cyber risk clearinghouse is not a new one. According to Leek, S&P tried unsuccessfully to come up such a service way back in 2006. Goldman Sachs(GS, +0.23%), meanwhile, tried to create a risk standard with Moody’s in 2015 but was likewise unable to pull it off.

If CyberGRX is a success, its backers say the service could save companies billions in legal and compliance costs, and allow security executives to devote far more time to threat mitigation rather than bureaucratic measures.

The new service may also jumpstart the market for cyber-insurance, which has been expanding in light of the ongoing number of high profile data breach incidents. But that is far from mature—in large part because of a lack of information on how to price cyber risk.

Article found here: www.fortune.com

Read More

WSJ | CyberGRX Emerges With $9M to Set Standards for Security Risks

  |   Portfolio News, Series A, The Latest

By Deborah Gage  |  July 14, 2016 7:30 a.m. ET

Logo_TheWSJ

One of the hardest places for companies to protect from cyberattacks is the holes opened by companies closest to them—their partners, customers and vendors.

The most famous case may be Target Corp., which lost data on 40 million debit and credit accounts along with personal information for as many as 70 million customers after hackers penetrated its network in 2013 by stealing the credentials of a Target refrigeration contractor.

Target’s chief executive and its chief information officer resigned, and a proxy adviser, Institutional Shareholder Services, urged that seven of Target’s 10 board members be ousted for failing to protect the company.

In an effort to avoid similar problems and to set an industry standard for assessing security risks, venture capitalists and several large companies—some named and some not—have banded together to form CyberGRX, a startup that has been in the works for more than 18 months. GRX stands for Global Risk Exchange.

The Denver-based company has raised $9 million in a Series A round led by Allegis Capital and includes numerous other investors and advisers.

Some of them—including Aetna Chief Information Security Officer Jim Routh, MassMutual Chief Information Risk Officer Sri Dronamraju and Blackstone Chief Information Security Officer Jay Leek—are helping CyberGRX design a software platform and business processes that will guide companies in assessing their own security risks and the risks of their partners.

“If you’re shopping for a home, you can go to Zillow and there are countless homes, but you’re probably going to hire a home inspector to look at the piping and make sure there are no foundational issues,” said Chief Executive Fred Kneip, who previously headed security for the investment management firm Bridgewater Associates. “So let’s understand how you think about the core components of a cybersecurity program and its levels of maturity and effectiveness.”

Allegis Capital founder Bob Ackerman said he has been thinking about the problem since at least 2014 and couldn’t find companies on the market with a comprehensive enough approach. A Blackstone portfolio company, Optiv Security LLC, is also working on CyberGRX because its customers are concerned about third-party security risks, Mr. Ackerman said.

The challenge with current cybersecurity assessments is that they are labor-intensive, expensive and prone to disagreements over what questions should be asked and how they should be phrased, according to CyberGRX’s founders.

fred

Photo: CyberGRX’s Fred Kneip.

Fortune 500 companies generally have thousands of partners and may only evaluate the most important ones, although “you don’t have to be a big partner to represent a significant cyberrisk,” Mr. Ackerman said.

Companies may be loath to admit they have risks. “If it’s self-reported, no one will say I don’t have [a password rotation policy],” said GV General Partner Karim Faris, an investor, although even asking the question can spark a company to get one.

Mr. Faris said CyberGRX’s success will depend on its ability to figure out the most effective set of questions that will work across a wide range of companies and balance those with on-site visits where inspectors know what to home in on.

Mr. Leek said CyberGRX relies on the strength of its relationships with chief information security officers at global companies who are collaborative, understand security risks and agree with CyberGRX’s approach.

CyberGRX expects to release a product in early 2017. Founders say a standard security assessment could provide a foundation for other industries, like cyber insurance.

Investors who participated in the funding include Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures) and MassMutual Ventures along with several individuals and unnamed strategic investors.

Board members include Mr. Ackerman, Mr. Kneip, Mr. Leek, TenEleven Ventures founder Mark Hatfield, ClearSky Power & Technology Fund Managing Director Alex Weiss and Cylance CEO Stuart McClure.Logo_cyberGRX

Find more @

http://www.wsj.com/articles/cybergrx-emerges-with-9m-to-set-standards-for-security-risks-1468495804

Read More