Meet the Client Workshop | What Can We Learn From A Security Executive?

SentinelOne recently hosted a “Meet the client workshop” with security and marketing professionals, providing them with a rare opportunity to speak with a security executive in a “safe” environment. Our guest for the day was Les Correia, Director – Global Information Security – Architecture, Engineering and Operations at Estée Lauder. Les has a long and distinguished career in IT and security, and he shared with the forum some of his professional insights regarding security products acquisition.

image of meet the client

Increasing Awareness Among CISOs, Executives

Les noted that the executive view of security is changing. Board members and Executives are more involved than ever and the CISO role has become quite a tricky business position, with differing priorities – such as risk versus availability – and principles dictating many of a CISO’s decisions.  The turnover of CISOs is also very rapid, and security executives must take great care in recording their decision process in order to be able to justify it in case things go south.

Day to Day Challenges in Cybersecurity

Les reiterated the lack of skilled manpower to conduct all security engineering, security operations, new product evaluations, threat and risk management roles. This creates massive workloads on personnel and leaves only limited bandwidth for dealing with current and new technologies.

Future Trends in Enterprise Security

Les noted the current trend of quickly migrating all possible technologies and functions to the cloud, whether that be applications, storage, or entire data centers. This rapid push entails better controls to manage risk, both on premises and in the cloud. Also, a global, distributed organization must be able to support a large workforce working in numerous locations. That means Identity, Privacy, Segmentation and other management technologies come to the forefront. Les also noted that the risk from unaccounted IoT devices continues to be a real concern.

Evaluating Enterprise Security Products

When considering new products, security personnel must first look at how the product contributes to the improvement of overall security or reduction of risk. Other considerations include ease of use, vendor roadmap alignment, interoperability and integration with existing products, automation, and financial drivers. A new security product must not, in any way, interfere with operations or revenue generation of the business.

How to Win With Security Executives?

The key is consistency and professionalism throughout the buying cycle. From the first approach to the demo, PoC (Proof of Concept) and deployment, responsiveness is highly regarded. All the sell cycle stages should deliver a positive experience, moving the process forward. A good initial demo is really key to progressing to a full-on PoC.

Security Products: The Acquisition Process

Les defines his process as one that starts with identifying needs, defining the business case, then securing the budget. The next stage involves scoping the market for solutions, and reading market reports, sometimes just to draw up a shortlist from the multitude of solutions on the market. From the shortlist, the next stage is to try and define what criteria a demo or PoC must meet in order to be considered successful.

Consulting with peers and considering references like Gartner Peer Reviews can help narrow the shortlist down to the final contenders before a PoC and reaching a go/no-go decision on a particular solution.

As for the PoC process itself, it must be well defined with realistic KPIs and requirements on both ends. No enterprise will allow full security testing on a real network or endpoint, so we need to figure out how to demonstrate the effectiveness of the technology in a lab environment. That means using real malware along with compatibility testing in a pilot production environment.

It is actually better to test it in an isolated environment using identical hardware models and software versions. Deviance between the testing environment and the production environment is asking for false positives and screw-ups when you roll your product out to the client at a later date, and that kind of result can remain in the collective memory and taint the reputation of the vendor for many years ahead.

Tests don’t have to be perfect, but what does have to be perfect is the responsiveness of the PoC team. Responsiveness shows vendor’s commitment and professionalism. Clients will use the same test scenarios on all vendors and will quantify and compare results, but many times the differences are not huge and the decision is down to which vendor offers better service or responsiveness. 

image of Les Correia and Migo Kedem

Remember that the PoC is not a full-time job, so the PoC will take time to complete as the people running it are simultaneously busy with their daily chores. Les advises security vendors not to ignore documentation. It’s critical to show the technical depth of the product, and good documentation eases the burden on busy IT and security professionals dealing with your product.

Another driver is of course cost. Some excellent products will cost too much over time, and hence will be passed over for a less capable product with better ROI. One should continue to explore products that lessen the load by combining features that enable consolidation. Even a fantastic product is not enough on its own – it has to fit the organization’s budget and needs, and it has to be compatible with other systems in the organization.

Les has formulated a well-defined process of evaluating security products. He has shared his insights in an e-book, which you can download for free here.

What Not to Do When Approaching Security Executives?

image of Les Correia at sentinel one meetup

Cold calls are the worst. Cold email could work, depending on the availability and load. Most executives will visit one of the large industry shows for insights – e.g. Black Hat or RSA as well as some of the smaller cons.

Aggressive marketing is a turn-off, so is badmouthing the competition. Similarly, don’t over sell your product. Don’t promise to solve ALL the customers’ cyber problems. Focus on tangible benefits and provide a roadmap to cover future needs and improvements. 

Wrapping Up…

We are grateful to Les for sharing his experience and all the participants for their contributions. The meetup was a rare opportunity to bring together two distinct populations: security practitioners and the people who market to them and try to sell them security products. We believe that such open, transparent and honest dialogue is crucial in improving the relationships between vendors and clients and, ultimately, will help us all deliver better security.  


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

CTO.ai’s developer shortcuts eliminate coding busywork

There’s too much hype about mythical “10X developers.” Everyone’s desperate to hire these “ninja rockstars.” In reality, it’s smarter to find ways of deleting annoying chores for the coders you already have. That’s where CTO.ai comes in.

Emerging from stealth today, CTO.ai lets developers build and borrow DevOps shortcuts. These automate long series of steps they usually have to do manually, thanks to integrations with GitHub, AWS, Slack and more. CTO.ai claims it can turn a days-long process like setting up a Kubernetes cluster into a 15-minute task even sales people can handle. The startup offers both a platform for engineering and sharing shortcuts, and a service where it can custom build shortcuts for big customers.

What’s remarkable about CTO.ai is that amidst a frothy funding environment, the 60-person team quietly bootstrapped its way to profitability over the past two years. Why take funding when revenue was up 400% in 18 months? But after a chance meeting aboard a plane connected its high school dropout founder Kyle Campbell with Slack CEO Stewart Butterfield, CTO.ai just raised a $7.5 million seed round led by Slack Fund and Tiger Global.

“Building tools that streamline software development is really expensive for companies, especially when they need their developers focused on building features and shipping to customers,” Campbell tells me. The same way startups don’t build their own cloud infrastructure and just use AWS, or don’t build their own telecom APIs and just use Twilio, he wants CTO.ai to be the “easy button” for developer tools.

Teaching snakes to eat elephants

“I’ve been a software engineer since the age of 8,” Campbell recalls. In skate-punk attire with a snapback hat, the young man meeting me in a San Francisco Mission District cafe almost looked too chill to be a prolific coder. But that’s kind of the point. His startup makes being a developer more accessible.

After spending his 20s in software engineering groups in the Bay, Campbell started his own company, Retsly, that bridged developers to real estate listings. In 2014, it was acquired by property tech giant Zillow, where he worked for a few years.

That’s when he discovered the difficulty of building dev tools inside companies with other priorities. “It’s the equivalent of a snake swallowing an elephant,” he jokes. Yet given these tools determine how much time expensive engineers waste on tasks below their skill level, their absence can drag down big enterprises or keep startups from rising.

CTO.ai shrinks the elephant. For example, the busywork of creating a Kubernetes cluster such as having to the create EC2 instances, provision on those instances and then provision a master node gets slimmed down to just running a shortcut. Campbell writes that “tedious tasks like running reports can be reduced from 1,000 steps down to 10,” through standardization of workflows that turn confusing code essays into simple fill-in-the-blank and multiple-choice questions.

The CTO.ai platform offers a wide range of pre-made shortcuts that clients can piggyback on, or they can make and publish their own through a flexible JavaScript environment for the rest of their team or the whole community to use. Companies that need extra help can pay for its DevOps-as-a-Service and reliability offerings to get shortcuts made to solve their biggest problems while keeping everything running smoothly.

5(2X) = 10X

Campbell envisions a new way to create a 10X engineer that doesn’t depend on widely mocked advice on how to spot and capture them like trophy animals. Instead, he believes one developer can make five others 2X more efficient by building them shortcuts. And it doesn’t require indulging bad workplace or collaboration habits.

With the new funding that also comes from Yaletown Partners, Pallasite Ventures, Panache Ventures and Jonathan Bixby, CTO.ai wants to build deeper integrations with Slack so developers can run more commands right from the messaging app. The less coding required for use, the broader the set of employees that can use the startup’s tools. CTO.ai may also build a self-service tier to augment its seats, plus a complexity model for enterprise pricing.

Now it’s time to ramp up community outreach to drive adoption. CTO.ai recently released a podcast that saw 15,000 downloads in its first three weeks, and it’s planning some conference appearances. It also sees virality through its shortcut author pages, which, like GitHub profiles, let developers show off their contributions and find their next gig.

One risk is that GitHub or another core developer infrastructure provider could try to barge directly into CTO.ai’s business. Google already has Cloud Composer, while GitHub launched Actions last year. Campbell says its defense comes through neutrally integrating with everyone, thereby turning potential competitors into partners.

The funding firepower could help CTO.ai build a lead. With every company embracing software, employers battling to keep developers happy and teams looking to get more of their staff working with code, the startup sits at the intersection of some lucrative trends of technological empowerment.

“I have a three-year-old at home and I think about what it will be like when he comes into creating things online,” Campbell concludes. “We want to create an amazing future for software developers, introducing automation so they can focus on what makes them such an important aspect. Devs are defining society!”

[Image Credit: Disney/Pixar via WallHere Goodfon]

Chronosphere launches with $11M Series A to build scalable, cloud-native monitoring tool

Chronosphere, a startup from two ex-Uber engineers who helped create the open-source M3 monitoring project to handle Uber-level scale, officially launched today with the goal of building a commercial company on top of the open-source project.

It also announced an $11 million investment led by Greylock, with participation from venture capitalist Lee Fixel.

While the founders, CEO Martin Mao and CTO Rob Skillington, were working at Uber, they recognized a gap in the monitoring industry, particularly around cloud-native technologies like containers and microservices. There weren’t any tools available on the market that could handle Uber’s scaling requirements — so like any good engineers, they went out and built their own.

“We looked around at the market at the time and couldn’t find anything in open source or commercially available that could really scale to our needs. So we ended up building and open sourcing our solution, which is M3. Over the last three to four years we’ve scaled M3 to one of the largest production monitoring systems in the world today,” Mao explained.

The essential difference between M3 and other open-source, cloud-native monitoring solutions like Prometheus is that ability to scale, he says.

One of the main reasons they left to start a company, with the blessing of Uber, was that the community began asking for features that didn’t really make sense for Uber. By launching Chronosphere, Mao and Skillington would be taking on the management of the project moving forward (although sharing governance for the time being with Uber), while building those enterprise features the community has been requesting.

The new company’s first product will be a cloud version of M3 to help reduce some of the complexity associated with managing an M3 project. “M3 itself is a fairly complex piece of technology to run. It is solving a fairly complex problem at large scale, and running it actually requires a decent amount of investment to run at large scale, so the first thing we’re doing is taking care of that management,” Mao said.

Jerry Chen, who led the investment at Greylock, saw a company solving a big problem. “They were providing such a high-resolution view of what’s going on in your cloud infrastructure and doing that at scale at a cost that actually makes sense. They solved that problem at Uber, and I saw them, and I was like wow, the rest of the market needs what guys built and I wrote the Series A check. It was as simple as that,” Chen told TechCrunch.

The cloud product is currently in private beta; they expect to open to public beta early next year.

ZenHub adds roadmapping to its GitHub project management tool

ZenHub, the popular project management tool that integrates right into GitHub, today announced the launch of Roadmaps. As you can guess from the name, this is a roadmapping feature that allows teams to better plan their projects ahead of time and visualize their status — all from within GitHub.

“We’re diving into a brand new category which is super exciting and we’re really starting to think not only about how forward-thinking software teams are managing their software projects but how they’re actually planning ahead,” ZenHub co-founder Aaron Upright told me. “And we’re really using this as an opportunity to really evolve the product and really introduce now a new kind of entrant into the space for product roadmapping.”

The product itself is indeed pretty straightforward. By default, it takes existing projects and epics a team has already defined and visualizes those on a timeline — including data about how many open issues still remain. In its current iteration, the tool is still pretty basic, but going forward ZenHub will add more advanced features, like blocking. As Upright noted, that’s just fine, though, because while the main goal here is to help teams plans, ZenHub also wants to give other stakeholders a kind of 30,000-foot overview of the state of a project without having to click around every issue in GitHub or Jira.

Upright also argues that existing solutions tend to fall short of what teams really need. “Smaller organizations — teams that are 10, 15 or 25 people — they can’t afford these tools. They’re really expensive. They’re cost-prohibitive,” he said. “And so oftentimes what they do is they turn to Excel files or Google spreadsheets in order to keep track of their roadmap. And keeping the spreadsheets up to date really becomes a complex and really a full-time job.” Yet those tools that are affordable often don’t offer a way to sync data back and forth between GitHub and their platforms, which results in the product team not getting those updates in GitHub, for example. Because ZenHub lives inside of GitHub, that’s obviously not a problem.

ZenHub Roadmaps is now available to all users.

Seismic acquires Percolate to expand its marketing tools

Seismic is announcing that it’s acquiring Percolate in a deal that it says is combining “two essential pillars of the marketing technology stack.”

It sounds like the two companies aren’t direct competitors, but they offer related tools: Seismic helps companies create and manage the content they use in sales and marketing, while Percolate expanded from a social media publishing tool to a broader suite of software for managing the marketing process.

As part of the acquisition, Percolate CEO Randy Wootton is joining the Seismic team, where he will continue to lead Percolate, and where he will report to Seismic CEO Doug Winter. The combined company will have a headcount of more than 800 people.

“Both of our companies endeavor to foster better alignment between marketing and sales and improve the buyer/seller interaction, resulting in accelerated deals and pipeline for our customers,” Wootton said in a statement. “Combining with Seismic allows Percolate to provide even more capability to our customer base and more value to the marketing ecosystem.”

The financial terms of the acquisition were not disclosed. Percolate raised a total of $106.5 million from investors including GGV Capital, Sequoia Capital, Lightspeed, Slow Ventures, Lerer Hippeau and First Round Capital, according to Crunchbase.

Seismic, meanwhile, raised a $100 million investment at a $1 billion valuation last year.

Amperity acquires Custora to improve its customer data platform

Amperity announced today that it’s acquiring another company in the customer data business, Custora.

Amperity co-founder and CEO Kabir Shahani told me that Custora’s technology complements what Amperity is already offering. To illustrate this point, he said that customer data tools fall into three big buckets: “The first is know your customer, the second is … use insights to make decisions, the third is … activate the data and use it to serve the customer.”

Amperity’s strength, Shahani said, is in that first bucket, while Custora’s is in the second. So with this acquisition (Amperity’s first), the existing Amperity technology will become the Amperity Customer 360, while Custora is rebranded as Amperity Insights.

The products can still be used separately, but Custora CEO Corey Pierson argued that they’re particularly powerful together.

“The stronger you actually know your customer, the stronger you have your customer 360 profile, the better those insights are,” Pierson said. “When we sit on top of Amperity, every insight we produce is more valuable to our customers.”

Shahani said Pierson and the rest of his team will be joining Seattle-based Amperity, with Custora’s New York office becoming the combined company’s East Coast headquarters.

The financial terms of the acquisition were not disclosed. According to Crunchbase, Custora previously raised a total of $20.3 million in funding.

What is Mimikatz? (And Why Is It So Dangerous?)

What if we were to tell you that there was a magical tool that could greatly simplify the discovery and pillaging of credentials from Windows-based hosts?  This tool would be a welcome addition to any criminal’s toolbelt, as it would also be for pentesters, Red Teamers, black hats, white hats, indeed anyone interested in compromising computer security. Now, what if we told you it was FREE and already built into many of your favorite tools and malware campaigns/kits/frameworks?  Sounds exciting right!?

But then you probably already know that this is no wish list or some private NSA hacking tool, but the well-established mimikatz post-exploitation tool. In this post, we take a look at what mimikatz is, how it is used, why it still works, and how to successfully protect endpoints against it.

image of what is mimikatz

What is Mimikatz?

The mimikatz tool was first developed in 2007 by Benjamin Delpy. So why are we writing about mimikatz today? Quite simply because it still works. Not only that, but mimikatz has, over the years, become commoditized, expanded and improved upon in a number of ways. 

The official builds are still maintained and hosted on GitHub, with the current version being 2.2.0 20190813 at the time of writing. Aside from those, it is also included in a number of other popular post-exploitation frameworks and tools such as Metasploit, Cobalt Strike, Empire, PowerSploit and similar.  

image of mimikatz resources

These tools greatly simplify the process of obtaining Windows credential sets (and subsequent lateral movement) via RAM, hash dumps, Kerberos exploitation, as well as pass-the-ticket and pass-the-hash techniques.

image of mimikatz in use  

Mimikatz consists of multiple modules, taylored to either core functionality or varied vector of attack. Some of the more prevalent or utilized modules include:

  • Crypto
    • Manipulation of CryptoAPI functions.  Provides token impersonation, patching of legacy CryptoAPI
  • Kerberos
    • “Golden Ticket” creation via Microsoft Kerberos API
  • Lsadump
    • Handles manipulation of the SAM (Security Account Managers) database.  This can be used against a live system, or “offline” against backup hive copies. The modules allows for access to password via LM Hash or NTLM.
  • Process
    • lists running processes (can be handy for pivots)
  • Sekurlsa
    • Handles extraction of data from LSASS (Local Security Authority Subsystem Service). This includes tickets, pin codes, keys, and passwords.
  • Standard
    • main module of the tool. Handles basic commands and operation
  • Token
    • context discovery and limited manipulation

Does MimiKatz Still Work on Windows 10?

Yes, it does. Attempts by Microsoft to inhibit the usefulness of the tool have been temporary and unsuccessful. The tool has been continually developed and updated to enable its features to plow right through any OS-based band-aid. 

Initially, mimikatz was focused on exploitation of WDigest. Prior to 2013, Windows loaded encrypted passwords into memory, as well as the decryption key for said passwords. Mimikatz simplified the process of extracting these pairs from memory, revealing the credential sets. 

Over time Microsoft has made adjustments to the OS, and corrected some of the flaws that allow mimikatz to do what it does, but the tool continues to stay on top of these changes and adjusts accordingly. More recently, mimikatz has fixed modules which were crippled post Windows 10 1809, such as sekurlsa::logonpasswords.

image of mimikatz run in Powershell ISE

Mimikatz supports both 64-bit x64 and 32-bit x86 architectures with separate builds. One of the reasons mimikatz is so dangerous is due to its ability to load the mimikatz DLL reflexively into memory.  When combined with PowerShell (e.g., Invoke-Mimikatz) or similar methods, the attack can be carried out without anything being written to disk. 

How Widely Used Is Mimikatz Today?

Many prominent threats bundle mimikatz directly, or leverage their own implementations to pull credentials or simply spread via the discovered credential sets. NotPetya and BadRabbit are two huge examples, but more recently, Trickbot contains its own implementation for basic credential theft and lateral movement.

To get another idea of how prevalent the use of mimikatz is in real-world attacks one need only look as far as MITRE. While this list is by no means complete, it does give a good idea of how many sophisticated attackers (aka APT groups) are using this tool. This list is a true “Who’s Who” of scary threat actors involved in advanced targeted attacks: Oilrig, APT28, Lazarus, Cobalt Group, Turla, Carbanak, FIN6 & APT21 just to name a few.

image of mimikatz techniquesimage of attackers that use mimikatz

All these groups develop their own way to invoke/inject mimikatz so as to ensure the success of the attack and evade the endpoint security controls that may stand in the way. 

Cobalt Group, specifically, is a great focus point as they get their name from the use of the Cobalt Strike tool. Cobalt Strike is a collaborative Red Team and Adversary Simulation tool. As mentioned above, mimikatz is included as core functionality. Even more concerning is the ability to invoke mimikatz directly in memory from any context-appropriate process in which the Cobalt Strike beacon payload is injected. Again, this kind of ‘fileless‘ attack avoids any disk reads/writes, but it can also bypass many modern “next-gen” products that are not able to properly monitor very specific OS events/activities.  

Can Mimikatz Defeat Endpoint Security Software?

If the OS cannot keep up, can 3rd party security solutions defend against mimikatz attacks? That depends. The mimikatz tool creates a challenge for traditional endpoint security controls, aka legacy AV and some “next-gen” tools. As noted above, if they are not monitoring behavior in memory, or if they are not monitoring specific behaviors and events, they will simply not see or be able to prevent the attack.

It should also be noted that mimikatz requires Administrator or SYSTEM level privileges on target hosts.  This requires that attackers inject into a process with appropriate privileged context, or they find a way to elevate privileges that simply bypass some AV software solutions, particularly if those solutions are prone to whitelisting “trusted” OS processes.

How To Successfully Defend Against Mimikatz

As this in-the-wild case study shows, SentinelOne’s static and behavioral AI approach provides robust prevention and protection against the use of mimikatz. Even when injected directly into memory, regardless of origin, SentinelOne is able to observe, intercept, and prevent the behavior. Even more important, however, is that as a result, we also prevent the damage that mimikatz can cause. That is, the loss of critical credentials, data, and ultimately time and money is avoided as mimikatz cannot evade the SentinelOne on-device agent.

SentinelOne is able to stop mimikatz from scraping credentials from protected devices. In addition to other built-in protection, we have added a mechanism that does not allow the reading of passwords, regardless of the policy settings.  

Conclusion

The bottom line here is that mimikatz is a near-ubiquitous piece of the modern adversary’s toolset. It is used across all sophistication levels and against the full spectrum of target types and categories. Despite being developed over 12 years ago, the toolset continues to work and improve, and likewise, mimikatz continues to provide a challenge to ageing and legacy endpoint protection technologies. 

SentinelOne offers a best-in-class solution to handle all angles of mimikatz-centric attacks with behavioral AI and Active EDR.  There is simply no substitute for autonomous endpoint detection and response in today’s threat landscape. 

MITRE ATT&CK IOCs

Mimikatz {S0002}
Account Manipulation {T1098}
Credential Dumping {T1003}
Pass The Hash {T1075}
Pass The Ticket {T1097}
Private Keys {T1145}
Security Support Provider {T1101}
Cobalt Strike {S0154}


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

The 7 most important announcements from Microsoft Ignite

It’s Microsoft Ignite this week, the company’s premier event for IT professionals and decision-makers. But it’s not just about new tools for role-based access. Ignite is also very much a forward-looking conference that keeps the changing role of IT in mind. And while there isn’t a lot of consumer news at the event, the company does tend to make a few announcements for developers, as well.

This year’s Ignite was especially news-heavy. Ahead of the event, the company provided journalists and analysts with an 87-page document that lists all of the news items. If I counted correctly, there were about 175 separate announcements. Here are the top seven you really need to know about.

Azure Arc: you can now use Azure to manage resources anywhere, including on AWS and Google Cloud

What was announced: Microsoft was among the first of the big cloud vendors to bet big on hybrid deployments. With Arc, the company is taking this a step further. It will let enterprises use Azure to manage their resources across clouds — including those of competitors like AWS and Google Cloud. It’ll work for Windows and Linux Servers, as well as Kubernetes clusters, and also allows users to take some limited Azure data services with them to these platforms.

Why it matters: With Azure Stack, Microsoft already allowed businesses to bring many of Azure’s capabilities into their own data centers. But because it’s basically a local version of Azure, it only worked on a limited set of hardware. Arc doesn’t bring all of the Azure Services, but it gives enterprises a single platform to manage all of their resources across the large clouds and their own data centers. Virtually every major enterprise uses multiple clouds. Managing those environments is hard. So if that’s the case, Microsoft is essentially saying, let’s give them a tool to do so — and keep them in the Azure ecosystem. In many ways, that’s similar to Google’s Anthos, yet with an obvious Microsoft flavor, less reliance on Kubernetes and without the managed services piece.

Microsoft launches Project Cortex, a knowledge network for your company

What was announced: Project Cortex creates a knowledge network for your company. It uses machine learning to analyze all of the documents and contracts in your various repositories — including those of third-party partners — and then surfaces them in Microsoft apps like Outlook, Teams and its Office apps when appropriate. It’s the company’s first new commercial service since the launch of Teams.

Why it matters: Enterprises these days generate tons of documents and data, but it’s often spread across numerous repositories and is hard to find. With this new knowledge network, the company aims to surface this information proactively, but it also looks at who the people are who work on them and tries to help you find the subject matter experts when you’re working on a document about a given subject, for example.

00000IMG 00000 BURST20180924124819267 COVER 1

Microsoft launched Endpoint Manager to modernize device management

What was announced: Microsoft is combining its ConfigMgr and Intune services that allow enterprises to manage the PCs, laptops, phones and tablets they issue to their employees under the Endpoint Manager brand. With that, it’s also launching a number of tools and recommendations to help companies modernize their deployment strategies. ConfigMgr users will now also get a license to Intune to allow them to move to cloud-based management.

Why it matters: In this world of BYOD, where every employee uses multiple devices, as well as constant attacks against employee machines, effectively managing these devices has become challenging for most IT departments. They often use a mix of different tools (ConfigMgr for PCs, for example, and Intune for cloud-based management of phones). Now, they can get a single view of their deployments with the Endpoint Manager, which Microsoft CEO Satya Nadella described as one of the most important announcements of the event, and ConfigMgr users will get an easy path to move to cloud-based device management thanks to the Intune license they now have access to.

Microsoft’s Chromium-based Edge browser gets new privacy features, will be generally available January 15

What was announced: Microsoft’s Chromium-based version of Edge will be generally available on January 15. The release candidate is available now. That’s the culmination of a lot of work from the Edge team, and, with today’s release, the company is also adding a number of new privacy features to Edge that, in combination with Bing, offers some capabilities that some of Microsoft’s rivals can’t yet match, thanks to its newly enhanced InPrivate browsing mode.

Why it matters: Browsers are interesting again. After years of focusing on speed, the new focus is now privacy, and that’s giving Microsoft a chance to gain users back from Chrome (though maybe not Firefox). At Ignite, Microsoft also stressed that Edge’s business users will get to benefit from a deep integration with its updated Bing engine, which can now surface business documents, too.

hero.44d446c9

You can now try Microsoft’s web-based version of Visual Studio

What was announced: At Build earlier this year, Microsoft announced that it would soon launch a web-based version of its Visual Studio development environment, based on the work it did on the free Visual Studio Code editor. This experience, with deep integrations into the Microsoft-owned GitHub, is now live in a preview.

Why it matters: Microsoft has long said that it wants to meet developers where they are. While Visual Studio Online isn’t likely to replace the desktop-based IDE for most developers, it’s an easy way for them to make quick changes to code that lives in GitHub, for example, without having to set up their IDE locally. As long as they have a browser, developers will be able to get their work done..

Microsoft launches Power Virtual Agents, its no-code bot builder

What was announced: Power Virtual Agents is Microsoft’s new no-code/low-code tool for building chatbots. It leverages a lot of Azure’s machine learning smarts to let you create a chatbot with the help of a visual interface. In case you outgrow that and want to get to the actual code, you can always do so, too.

Why it matters: Chatbots aren’t exactly at the top of the hype cycle, but they do have lots of legitimate uses. Microsoft argues that a lot of early efforts were hampered by the fact that the developers were far removed from the user. With a visual too, though, anybody can come in and build a chatbot — and a lot of those builders will have a far better understanding of what their users are looking for than a developer who is far removed from that business group.

Cortana wants to be your personal executive assistant and read your emails to you, too

What was announced: Cortana lives — and it now also has a male voice. But more importantly, Microsoft launched a few new focused Cortana-based experiences that show how the company is focusing on its voice assistant as a tool for productivity. In Outlook on iOS (with Android coming later), Cortana can now read you a summary of what’s in your inbox — and you can have a chat with it to flag emails, delete them or dictate answers. Cortana can now also send you a daily summary of your calendar appointments, important emails that need answers and suggest focus time for you to get actual work done that’s not email.

Why it matters: In this world of competing assistants, Microsoft is very much betting on productivity. Cortana didn’t work out as a consumer product, but the company believes there is a large (and lucrative) niche for an assistant that helps you get work done. Because Microsoft doesn’t have a lot of consumer data, but does have lots of data about your work, that’s probably a smart move.

GettyImages 482028705 1

SAN FRANCISCO, CA – APRIL 02: Microsoft CEO Satya Nadella walks in front of the new Cortana logo as he delivers a keynote address during the 2014 Microsoft Build developer conference on April 2, 2014 in San Francisco, California (Photo by Justin Sullivan/Getty Images)

Bonus: Microsoft agrees with you and thinks meetings are broken — and often it’s the broken meeting room that makes meetings even harder. To battle this, the company today launched Managed Meeting Rooms, which for $50 per room/month lets you delegate to Microsoft the monitoring and management of the technical infrastructure of your meeting rooms.

Workday to acquire online procurement platform Scout RFP for $540M

Workday announced this afternoon that it has entered into an agreement to acquire online procurement platform Scout RFP for $540 million. The company raised more than $60 million on a post valuation of $184.5 million, according to PitchBook data.

The acquisition builds on top of Workday’s existing procurement solutions, Workday Procurement and Workday Inventory, but Workday chief product product officer Petros Dermetzis wrote in a blog post announcing the deal that Scout gives the company a more complete solution for customers.

“With increased importance around the supplier as a strategic asset, the acquisition of Scout RFP will help accelerate Workday’s ability to deliver a comprehensive source-to-pay solution with a best-in-class strategic sourcing offering, elevating the office of procurement in strategic importance and transforming the procurement function,” he wrote.

Ray Wang, founder and principal analyst at Constellation Research says that Workday has been trying to be the end-to-end cloud back office player. He says, “One of their big gaps has been in procurement.”

Wang says that Workday has been investing with eye toward filling gaps in the product set for some time. In fact, Workday Ventures has been an investor in Scout RFP since 2018, and it’s also an official Workday partner.

“A lot of the Workday investments are in portfolio companies that are complimentary to Workday’s larger vision of the future of Cloud ERP. Today’s definition of ERP includes finance, HCM (human capital management), projects, procurement, supply chain and asset management,” Wang told TechCrunch.

As the Scout RFP founders stated in a blog post about today’s announcement, the two companies have worked well together and a deal made sense. “Working closely with the Workday team, we realized how similar our companies’ beliefs and values are. Both companies put user experience at the center of product focus and are committed to customer satisfaction, employee engagement and overall business impact. It was not surprising how easy it was to work together and how quickly we saw success partnering on go-to-market activities. From a culture standpoint, it just worked,” they wrote. A deal eventually came together as a result.

Scout RFP is a fairly substantial business, with 240 customers in 155 countries. There are 300,000 users on the platform, according to data supplied by the company. The company’s 160 employees will be moving to Workday when the deal closes, which is expected by the end of January, pending standard regulatory review.

NCR Barred Mint, QuickBooks from Banking Platform During Account Takeover Storm

Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse.

Part of a communication NCR sent Oct. 25 to banks on its Digital Insight online banking platform.

On Oct. 29, KrebsOnSecurity heard from a chief security officer at a U.S.-based credit union and Digital Insight customer who said his institution just had several dozen customer accounts hacked over the previous week.

My banking source said the attackers appeared to automate the unauthorized logins, which took place over a week in several distinct 12-hour periods in which a new account was accessed every five to ten minutes.

Most concerning, the source said, was that in many cases the aggregator service did not pass through prompts sent by the credit union’s site for multi-factor authentication, meaning the attackers could access customer accounts with nothing more than a username and password.

“The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” said the source, who added that he suspected a breach at Mint and/QuickBooks because NCR had just blocked the two companies from accessing bank Web sites on its platform.

In a statement provided to KrebsOnSecurity, NCR said that on Friday, Oct. 25, the company notified Digital Insight customers “that the aggregation capabilities of certain third-party product were being temporarily suspended.”

“The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data,” reads their statement, which was sent to customers on Oct. 29. After confirming that the incident was contained, NCR restored connectivity that is used for account aggregation. “As we noted, the criminals are getting aggressive and creative in accessing tools to access online information, NCR continues to evaluate and proactively defend against these activities.””

What were these sophisticated methods? NCR wouldn’t say, but it seems clear the hacked accounts are tied to customers re-using their online banking passwords at other sites that got hacked.

As I noted earlier this year in The Risk of Weak Online Banking Passwords, if you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

A screenshot of a password-checking tool that can be used to target Chase Bank customers who re-use passwords. There are tools like this one for just about every other major U.S. bank.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (API)s from one of several personal financial data aggregators, including Mint, Plaid, QuickBooks, Yodlee, and YNAB.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor.

If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.

That’s because PayPalZelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits  — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.

The temporary blocking of data aggregators by NCR brings up a point worthy of discussion by regulators: Namely, in the absence of additional security measures put in place by the aggregators, do the digital banking platform providers like NCR, Fiserv, Jack Henry, and FIS have an obligation to help block or mitigate these large-scale credential exploitation attacks?

KrebsOnSecurity would argue they do, and that the crooks who attacked the customers of my source’s credit union have probably already moved on to using the same attack against one of several thousand other dinky banks across the country.

Intuit Inc., which owns both Mint and QuickBooks, has not responded to requests for comment.

NCR declined to discuss specifics about how it plans to respond to similar attacks going forward.