The Log4j disaster could get worse before it gets better

Protocol Enterprise

Hello and welcome to Protocol | Enterprise. Today: why Log4j is a slow-moving disaster, Intel has big plans for EUV chip-making technology, and the cloud stock hangover is setting in.

Taking stock

The five-alarm fire caused by the Log4j security vulnerability shows no signs of getting under control. It’s safe to say that enterprise tech is aware of the problem, but it’s much more difficult to say whether everyone understands the extent to which they could be affected.

The race is definitely on to deal with Log4j. Developers and administrators continued to furiously patch affected systems this week as malicious hackers started to flood the world with exploits in hopes of stumbling upon vulnerable systems. But finding specific types of software that need fixing inside an average corporation is a far more daunting task than it might sound.

But this is a marathon as well as a sprint. Companies have no choice but to patch everything in their arsenal that might be affected by this vulnerability, which some security experts believe could cause problems for years.

  • Patching that software once it has been found is not always a straightforward task; in many cases it must be taken offline, which means critical business applications will likely be affected.
  • After releasing the first patch for Log4j, the Apache Software Foundation was forced to release a second patch that buttoned up some holes that were still left open by the first patch.
  • The first reported exploits using the vulnerability installed cryptocurrency mining software on vulnerable systems, which is generally taken as a sign that relative amateurs are on the make.
  • Kevin Beaumont, who has been tracking Log4j as head of Arcadia Group’s security operations center, reported Wednesday that exploit activity was decreasing as the “spray and pray” approach brought diminishing returns.
  • But the more sophisticated actors are just getting warmed up.

So enterprise tech is far from out of the woods. While there’s a larger conversation to be had about how security efforts should tackle open-source projects, as we discussed on Monday, that’s unlikely to be the short-term fix companies are looking for.

  • The Log4j disaster is likely to increase calls for companies to maintain a “software bill of materials,” which the Biden administration recommended as part of its cybersecurity order earlier this year.
  • This would theoretically speed up the process of responding to future vulnerabilities, but there are lots of holes in this approach that industry experts such as Qualcomm’s Alex Gantman find problematic.
  • Expect to hear more about one of the buzziest buzzwords in security circles: “zero-trust” principles, which could theoretically help companies respond to grave threats such as Log4j by making it easier to isolate and lock down infected systems before they spread throughout the company.

There’s a parallel here between companies that depend on cloud services and companies that depend on security vendors or consultants when things go wrong. While those customers should demand accountability from their vendors, in the end, they are responsible for their own uptime. If there was ever a wake-up call for companies that have treated information security as an afterthought while growth hacking their way to fame and fortune, this might be it.

— Tom Krazit

This week on Protocol

Extreme chips: Protocol’s Max Cherney got a chance to tour one of Intel’s most important chip factories in Hillsboro, Oregon, where the company perfects the designs it will later produce in mass quantities. Check out his report on Intel’s plans for EUV lithography, which is theoretically “precise enough to hit your thumb with a laser pointer from the moon.”


Fleet week: Samsara’s AI-powered internet-of-things software is used by lots of companies to keep track of fleets of vehicles and improve their productivity. Protocol’s Kate Kaye spoke to the company’s chief product officer following yesterday’s IPO to get a sense of where the company is headed next, armed with $805 million in fresh funding.

Financial corner

Sysdig picked a good week to announce a new $350 million funding round that values the container security company at $2.5 billion. (Yes, we realize the deal was obviously in the works for some time.)

Noname also timed its announcements well: Its API vulnerability detection service could also be valuable in a post-Log4j world, and it now has $135 million in new funding valuing the company at $1 billion.

Airtable raised a huge $735 million Series F round as collaboration software startups stay hot, with Salesforce helping to boost its valuation to $11 billion.

App integration services like SnapLogic are also hot, as they’re a major priority for companies that have grown quickly over the last few years, and a new $165 million funding round values the company at $1 billion.

Dbt Labs is looking for a new funding round that could value the company at $6 billion to build out its open-source data analytics tool, according to Forbes.

Cockroach Labs raised $278 million in a Series F funding round that values the cloud database company at $5 billion.

Around the enterprise

Bloomberg took a close look at the Log4j mess, particularly at the collaboration between Alibaba and the Apache Software Foundation as they scrambled to patch the bug. It included this incredible detail: The vulnerability appears to have sat there undetected since 2013.

Some of Kronos’ HR software tools could be down for “weeks” after a ransomware incident. It’s not clear whether the incident was related to the Log4j fiasco.

Joshua Burgin left AWS this week. Protocol reported earlier this year that Amazon CEO Andy Jassy overruled an internal recommendation to fire the AWS executive over discrimination and harassment claims.

Another week, another AWS outage. After Protocol recommended that AWS customers run more of their applications out of US-West-2, its supposedly stable Eastern Oregon data center, that region suffered brief “connectivity issues” Wednesday morning. So, that’s awkward.

The party appears to be over for most enterprise cloud software stocks that enjoyed a surge of investment amid the pandemic cloud boom, as investors finally realize those companies won’t grow nearly as quickly in the future.

Thanks for reading — see you Monday!
