eclypsium has spent $25 million to secure its equipment supply chain. • TechCrunch

As the enterprise device supply chain grows increasingly global and fragmented, organizations are increasingly challenged to secure hardware and software from suppliers. According to the European Union Cyber ​​Security Agency, an EU agency that contributes to the Union’s cyber policy, 66 percent of cyber attacks targeted vendor code in 2015. It’s 2021.

Fighting these attacks is not an easy task – but Yuriy Bulygin is going. He is the founder of Eclipseium, a cloud platform that provides protection against device hardware, firmware and software exploits in enterprise environments and public sector environments.

Reflecting investor confidence – or simply demand for supply chain security solutions – Eclipsium today raised the company’s war chest by participating in a $25 million Series B round led by Ten Eleven Ventures, along with Global Brain’s KDDI Open Innovation Fund and J Ventures. About 50 million dollars. Bullijn said the capital will be used to expand Eclipsium’s production capacity, support current sales efforts and expand headcount from 80 people to nearly 100 by the end of the year.

“A number of macro-level trends are driving demand for the Eclipsium solution, and therefore make it the right time to raise funding to enable accelerated growth,” Buligin told TechCrunch in an email interview. “The global supply chain is increasingly complex, which means that the hardware and firmware components of finished devices can be sourced from vendors around the world – all of which increase the risk and complexity of device security. Additionally, the White House’s continued focus on… building resilience in the US supply chain around the world It has brought new attention to the risks in the global economy, as well as increasing the interest of government agencies in Eclipse solutions.

Before starting Eclypsium, Buligin spent nearly a decade at Intel, where he led security risk analysis and research into software and hardware vulnerabilities and exploits. Buligin became Senior Director of Advanced Threat Research at McAfee before co-founding CHIPSEC, an open source platform security assessment framework.

In founding Eclipsium, Bulligin sought to build a service that would help companies avoid the “trap” of relying on device manufacturers and traditional end-to-end security management tools—in his own words. While some startups, like Finite State, offer firmware-based supply chain security for connected devices, Bullijn argues that this level of protection is an afterthought that applies to most cybersecurity vendors.

The assertion should be taken with a grain of salt – Buligin has a product to sell, obviously. But all else being equal, it’s true that supply chain attacks are on the rise globally. In the year According to a 2022 study by Venafi, a machine identity management firm, 82% of chief information officers believe their organizations are vulnerable to cyberattacks targeting their supply chains. The report notes that the shift to cloud-native development, along with the increased speed of DevOps processes, has made the challenges associated with securing supply chains even more complex.

“The number and complexity of modern devices requires devices developed by different manufacturers – all firmware and software installed on these devices – and requires special skills to identify compromised devices and protect them from further compromise,” Buligin said. “Because firmware plays a critical role in enabling and protecting our technology supply chain, many traditional security vendors have accidentally added ‘firmware-specific features’ to their products. However, firmware security is not an add-on.”

Eclipseium supports hardware including PC and Mac, servers, “enterprise-grade” network devices, and Internet of Things devices. Using the platform, organizations can view and control their fleet of devices as well as their network infrastructure without installing client software. Firmware orchestration capabilities allow security teams to go one step further, tapping Eclypsium to discover, analyze and deploy “unexpected” – and potentially malicious – software modules embedded in hardware published by device manufacturers.

“Organizations are turning to zero-trust principles to protect their device fleets and operations. As such, the default position is to avoid trusting systems and users until they can be clearly proven.” [yet] “Each device represents a complex system of computers with their own embedded code and operating systems — each developed by multiple vendors,” Buligin said. “For device authentication to be truly successful, organizations need to understand all hardware and software code, from code embedded in devices and provided by manufacturers to operating systems and applications. Embedded software and firmware code are the most fundamental and privileged software that runs on each device.

Buligin was tight-lipped when asked about the size of Eclipse’s customer base, and declined to disclose any specific revenue figures. But Bulijin He did Voluntary said that a third of the company’s clients are Fortune 2000 companies, and Eclypsium has several US federal government contracts.

The pandemic has brought many organizations into a remote-first, work-from-anywhere, own-device environment, accelerating the need to adopt defense models and principles that do not rely on perimeter defenses. The most notable change is the move to zero trust principles at the application and device level. Growing recognition of the need to provide multi-layer protection for devices, including the operating system, embedded software and firmware, and hardware layers has increased interest in supply chain… solutions like Eclipse for devices.

As funding like Eclypsium shows, the cybersecurity bubble may be starting to deflate — but not burst. Cybersecurity startups raised a record $29.5 billion in venture capital in 2021, more than doubling the $12 billion raised in 2020, a record number held as unicorns, according to data from financial advisory firm Momentum Cyber. And according to Crunchbase, venture capital dollars invested in cyber startups will reach $6 billion in Q1 2022.