Firmware is everywhere. Your security should be, too

There’s no longer any doubt that threat actors are actively exploiting vulnerabilities in device software and firmware — this as opposed to more traditional applications like web browsers. 

And, an increasingly complex global supply chain only increases risk. Vulnerabilities can be introduced at any level. 

“Software and firmware inside devices is the most fundamental and privileged code,” said Yuriy Bulygin, CEO of Eclypsium. “If infected or tampered with, it can provide adversaries a foothold into an organization’s infrastructure, evading detection for long periods of time and even causing permanent damage to device infrastructure.”

For device security or zero-trust principles to be truly effective, organizations must understand all layers of hardware, firmware and software code, he said. To bolster the Eclypsium platform’s capabilities in this area, the company today announced an infusion of $25 million in a series B round. 

Today’s complicated supply chain “has created an attractive and rapidly growing playing field for threat actors, whose goal is to achieve maximum detrimental impact across many organizations at once,” said Bulygin.

Ever-growing attack surface

The IBM 2022 Cost of a Data Breach Report provided one of the first analyses of supply chain security, revealing that nearly one-fifth of organizations were breached due to a software supply chain compromise. 

Government agencies around the world are increasingly issuing warnings and mandates — for instance, the White House OMB memorandum on enhancing supply chain security. Device software and firmware account for almost a quarter of known exploited vulnerabilities published by the Cybersecurity and Infrastructure Security Agency (CISA).

Bulygin pointed out that the Conti and TrickBot ransomware groups often target endpoint firmware and Russian state actors wipe endpoints and SATCOM satellite terminals. 

Numerous breaches use network, VPN and security equipment built by almost every vendor as initial access vectors, he said, and critical servers are compromised via remote management interfaces like iLOBleed. Also, botnets infect IoT devices and malware targets vulnerable OT systems.

“An increasingly complex global supply chain means that finished devices may have hardware and firmware components sourced from vendors around the world, all of whom add to the risk and complexity of securing a device,” said Bulygin. 

Build trust in devices

Existing companies offering software supply chain security tools include Synopsys, Chainguard, Cycode, Aqua Security and Veracode. 

Eclypsium’s entrance and rapid growth is indicative of increased demand; Bulygin said its offering is unique from other security solutions that only focus on the application layer.

“Whereas, devices and device-level software and firmware is the most fundamental, privileged and unprotected attack surface,” he said, “and malicious exploitation has long shifted to this layer.”

He pointed out that Eclypsium already serves many Fortune and Global 2000 companies, and its platform is used by U.S. government agencies. It was also recently added as the first product to secure hardware, firmware and software supply chain to the CISA Continuous Diagnostics and Mitigation (CDM) Approved Products List. 

The platform mitigates supply chain risks in an automated way, rather than just discovering and highlighting them, said Bulygin. Users can: 

• Inventory all IT equipment with all hardware components, as well as firmware and software shipped with devices.
• Create and verify bills of materials. 
• Discover devices that have been infected by implants or compromised in the supply chain. 
• Identify supply chain vulnerabilities.
• Deploy software and firmware updates across entire multi-vendor device fleets. 

Fundamentally, this allows users “to build trust in their devices and their hardware and software supply chains,” said Bulygin. 

Security makes financial sense

For example, financial services vendors are prime targets for threat actors at all levels. First Financial, a New Mexico credit union with assets over $800 million and more than 85,000 members, is certainly not immune to this.  

“New attacks at the firmware level, like iLOBleed implants in servers and FinSpy bootkits in endpoints, are getting news exposure almost daily,” said Steve Coffey, First Financial’s VP of IT. 

Seeing new firmware-focused attacks, the company’s IT team recently homed in on supply chain security. Their first question was whether their existing tools had visibility and effectiveness in the sub-OS areas of their systems (where firmware lives), according to Coffey.

His team’s research found that there were significant visibility and protection gaps at the device and firmware level — and it wasn’t just powerful nation-states doing the attacking. 

Because firmware is everywhere, First Financial needed to cover endpoints like laptops and desktops, as well as numerous network devices and servers, said Coffey. They would also need to cross organizational boundaries between security and operations teams. 

Eclypsium’s platform allows them to stay ahead of low-level threats and have a layered tool “from which we can extract more and more security value as we grow,” he said. Also, they are prepared for auditors asking for evidence of firmware protections, which can happen at any time given the increased threat levels facing credit unions. 

Enhanced capabilities, research

The new funding round brings Eclypsium’s total raised to $50 million. The company will use the new money to expand its product capabilities, accelerate sales momentum and conduct supply chain security research, said Bulygin. 

Since its series A in 2018, the company has quintupled its headcount and experienced 35 times revenue growth, he said. It has also seen 13-fold growth in its customer base. 

The newest round was led by Ten Eleven Ventures, with participation from Global Brain’s KDDI Open Innovation Fund (KOIF) and J-Ventures, along with Andreessen Horowitz, Madrona Venture Group, Alumni Ventures, AV8 Ventures, Intel Capital, Mindset Ventures, Oregon Venture Fund (OVF), Translink Capital and Ubiquity Ventures.