All product creators can learn something from Jackbox Games’ user experiences

During this period of shelter-in-place, people have had to seek out new forms of entertainment and social interaction. Many have turned to a niche party series made by a company best known for an irreverent trivia game in the ’90s called “You Don’t Know Jack.”

Since 2014, the annual release of the Jackbox Party Pack has delivered 4-5 casual party games that run on desktop, mobile and consoles that can be played in groups as small as two and as large as 10. In a clever twist, players use smartphones as controllers, which is perfect for typing in prompts, selecting options, making drawings, etc.

The games are tons of fun and perfect for playing with friends over video conference, and their popularity has skyrocketed, as indicated by Google Trends. I polled my own Twitter following and found that nearly half of folks had played in the last month, though a full third hadn’t heard of Jackbox at all.

How do these games work?

There are more than 20 unique games across Jackbox Party Packs 1-6, too many to explain — but here are three of the most popular:

  • Fibbage: A twist on the traditional trivia game, players are asked to invent an answer to a question of obscure knowledge (e.g. “a Swedish man who works as a dishwasher receives disability benefits due to his unusual addiction to ____.”) Then all the invented answers are mixed in with the truth and players must select the real answer while avoiding fakes. You earn points for guessing correctly and for tricking other players (the answer is “heavy metal”).

Orca Security raises $20M Series A for its multi-cloud security platform

Orca Security, an Israeli cloud security firm that focuses on giving enterprises better visibility into their multi-cloud deployments on AWS, Azure and GCP, today announced that it has raised a $20 million Series A round led by GGV Capital. YL Ventures and Silicon Valley CISO Investments also participated in this round. Together with its seed investment led by YL Ventures, this brings Orca’s total funding to $27 million.

One feature that makes Orca stand out is its ability to quickly provide workload-level visibility without the need for an agent or network scanner. Instead, Orca uses low-level APIs that allow it to gain visibility into what exactly is running in your cloud.

The founders of Orca all have a background as architects and CTOs at other companies, including the likes of Check Point Technologies, as well as the Israeli army’s Unit 8200. As Orca CPO and co-founder Gil Geron told me in a meeting in Tel Aviv earlier this year, the founders were looking for a big enough problem to solve and it quickly became clear that at the core of most security breaches were misconfigurations or the lack of security tools in the right places. “What we deduced is that in too many cases, we have the security tools that can protect us, but we don’t have them in the right place at the right time,” Geron, who previously led a security team at Check Point, said. “And this is because there is this friction between the business’ need to grow and the need to have it secure.”

Orca delivers its solution as a SaaS platform and, on top of providing workload-level visibility into these public clouds, it also offers security tools that can scan for vulnerabilities, malware, misconfigurations, password issues, secret keys and personally identifiable information.

“In a software-driven world that is moving faster than ever before, it’s extremely difficult for security teams to properly discover and protect every cloud asset,” said GGV managing partner Glenn Solomon. “Orca Security’s novel approach provides unparalleled visibility into these assets and brings this power back to the CISO without slowing down engineering.”

Orca Security is barely a year and a half old, but it already counts companies like Flexport, Fiverr, Sisense and Qubole among its customers.

Cockroach Labs scores $86.6M Series D as scalable database resonates

Cockroach Labs, the NYC enterprise database company, announced an $86.6 million Series D funding round today. The company was in no mood to talk valuations, but was happy to have a big chunk of money to help build on its recent success and ride out the current economic malaise.

Altimeter Capital and Bond co-led the round with participation from Benchmark, GV, Index Ventures, Redpoint Ventures, Sequoia Capital, Tiger Capital and FirstMark Capital. Today’s funding comes on top of a $55 million Series C last August, and brings the total raised to $195 million, according to the company.

Cockroach has a tough job. It’s battling both traditional databases like Oracle and modern ones from the likes of Amazon, but investors see a company with a lot of potential market building an open source, on prem and cloud database product. In particular, the open source product provides a way to attract users and turn some percentage of those into potential customers, an approach investors tend to favor.

CEO and co-founder Spenser Kimball says that the company had been growing fast before the pandemic hit. “I think the biggest change between now and last year has just been our go to market which is seeing pretty explosive growth. By number of customers, we’ve grown by almost 300%,” Kimball told TechCrunch.

He says having that three-pronged approach of open source, cloud and on-prem products has really helped fuel that growth. The company launched the cloud service in 2018, and it has helped expand its market. Whereas the on-prem version was mostly aimed at larger customers, the managed service puts Cockroach in reach of individual developers and teams who might not want to deal with all of the overhead of managing a complex database on their own.

Kimball says it’s really too soon to say what impact the pandemic will have on his business. He recognizes that certain verticals like travel, hospitality and some retail business are probably going to suffer, but other businesses that are accelerating in the crisis could make use of a highly scalable database like CockroachDB.

“Obviously it’s a new world right now. I think there are going to be some losers and some winners, but on balance I think [our] momentum will continue to grow for something that really does represent a best in class solution for businesses, whether they are startups or big enterprises, as they’re trying to figure out how to build for a cloud native future,” Kimball said.

The company intends to keep hiring through this, but it is being careful, evaluating its needs much more regularly and carefully than it might have done before the crisis, and with a much more open mind toward remote work.

Kimball certainly recognizes that it’s not an easy time to be raising this kind of cash, and he is grateful to have the confidence of investors to keep growing his company, come what may.

Sinch acquires SAP’s Digital Interconnect messaging business for $250M

M&A activity has generally slowed down in the weeks since the novel coronavirus took a grip on the world, but there have been some pockets of activity in the tech industry when the price is right or when the divestment/acquisition just makes sense.

The world of messaging brings us the latest development in that theme: SAP, the CRM and enterprise software giant, is selling its Digital Interconnect messaging business to Sinch, a Swedish cloud voice, video and messaging company.

Sinch said it is paying €225 million (around $250 million) on a cash and debt-free basis for the business, which has 1,500 enterprise customers that use it for various messaging services, such as the now-popular option of running “omnichannel” conversations with customers over SMS, push, email, WhatsApp, WeChat and Viber; and messaging technology for carriers.

The deal will give Sinch, based in Sweden, a bigger foothold in the US market — the Digital Interconnect business is headquartered in Silicon Valley — and more access to a trove of customers using the kind of messaging technology that Sinch develops and sells.

The significance here is that messaging continues to be a very popular and high-volume, but low-margin (or even no-margin in some cases), business. So it makes sense for Sinch to pursue a bigger strategy for more economy of scale, a trend that I think will continue to play out. As a case in point: Sinch has been on an acquisition spree in the last month, and other deals have included Latin American messaging provider Wavy ($119 million, announced March 26), and ChatLayer ($6 million, announced April 20).

“With SAP Digital Interconnect now becoming a part of Sinch, we build on our scale, focus and capabilities to truly redefine how businesses engage with their customers, throughout the world,” comments Oscar Werner, Sinch CEO, in a statement. “The transaction strengthens our direct connectivity globally. Plus, it enables us to expand and accelerate a range of business-critical services to mobile operators, including products for person-to-person messaging, reporting and analytics.”

The news caps off nearly a month of speculation that SAP was gearing up for a sale of the legacy unit as part of a bigger strategy to focus more squarely on its CRM and newer enterprise IT services. It comes amid a particularly challenging economic environment, and that’s before considering all the IT, security and other challenges companies were facing even before COVID-19. SAP also has other fish to fry. It acquired Qualtrics in November 2018 for $8 billion, spearheading a stronger move into employee and customer experience, surveys and research; and other SAP exits this year have included shuttering travel business Hipmunk, which was part of Concur (another acquisition made by SAP), back in January.

Between then and now SAP has also seen a very notable personnel change. Its co-CEO Jennifer Morgan stepped away from the company by mutual agreement with the board, leaving Christian Klein as sole CEO (the two had been in the co-CEO roles for only six months). At the time, the company said that the abrupt change — a mere 10 days between late-Friday announcement and departure — was in response to “the current environment [which] requires companies to take swift, determined action which is best supported by a very clear leadership structure.”

It would appear that this sale is an example of the kind of swift and determined action that the board was hoping to see.

SAP’s messaging unit has been around in one form or another for years. It became a part of SAP in 2010 as part of its acquisition of Sybase, but even before that Sybase acquired Mobile 365, which had developed the messaging technology that ultimately became SAP Digital Interconnect, back in 2006.

At the time, the messaging business was the primary part of Mobile 365, and Sybase paid $417 million for that company. In that regard, it might look like SAP is now selling it for a loss, although you could also argue that 15+ year-old technology in the fast-moving world of messaging would have depreciated at this point.

The business itself is very typical of messaging: huge volumes but not huge revenues.

In 2019, SAP said that the enterprise messaging business processed 18 billion messages, while its carrier services processed 292 billion carrier messages. The Bloomberg report that broke the news about the intent to sell the division said that it made $50 million in EBITDA and $250 million in revenue last year. But this is actually small, relatively speaking: SAP altogether had revenues of nearly $30 billion in the same period. In other words, it’s an okay business but not really core to SAP and where it’s going.

On the other hand, it’s a better fit for Sinch. The company originally spun out from low-cost IP calling company Rebtel, was then acquired by publicly-traded CLX, which subsequently rebranded its whole business as Sinch. It is a much smaller company than SAP — market cap of about $3.1 billion (30.82 billion Swedish krona), versus SAP’s market cap of $139 billion — but is squarely focused on messaging services similar to those that the former SAP division offers.

“SAP Digital Interconnect is a leader in its area showing profitable growth and reaching 99 percent of the world’s mobile subscribers. Looking at Sinch’s innovation and investment strategy in the area of cloud communication platforms, we welcome them as the new owner of SDI. Sinch is perfectly positioned to unleash further growth potential we see in SDI,” said Thomas Saueressig, member of the Executive Board of SAP SE, responsible for SAP Product Engineering, in a statement.

M&A continues on in the wider European region even while so much else has slowed down or stopped in the current market. This deal follows on the heels of Intel acquiring Israel’s Moovit for $900 million this week, and Avira in Germany getting acquired by Investcorp at a $180 million valuation several weeks ago.

Sleuth raises $3M Seed to bring order to continuous deployment

Sleuth, an early stage startup from three former Atlassian employees, wants to bring some much-needed order to the continuous delivery process. Today, the company announced it has raised a $3 million seed round.

CRV led the round with participation from angel investors from New Relic, Atlassian and LaunchDarkly.

“Sleuth is a deployment tracker built to solve the confusion that comes when companies have adopted continuous delivery,” says CEO and co-founder Dylan Etkin. The company’s founders recognized that more and more companies were making the move to continuous delivery deployment, and they wanted to make it easier to track those deployments and figure out where the bottlenecks were.

He says that typically, on any given DevOps team, there are perhaps two or three people who know how the entire system works, and with more people spread out now, it’s more important than ever that everyone has that capability. Etkin says Sleuth lets everyone on the team understand the underlying complexity of the delivery system with the goal of helping them understand the impact of a given change they made.

“Sleuth is trying to make that better by targeting the developer and really giving them a communications platform, so that they can discuss the [tools] and understand what is changing and who has changed what. And then more importantly, what is the impact of my change,” he explained.

Image Credit: Sleuth

The company was founded by three Atlassian alumni — Etkin along with Michael Knighten and Don Brown — all of whom were among the first 50 employees at the now tremendously successful development tools company.

That kind of pedigree tends to get the attention of investors like CRV, but it is also telling that three companies including their former employer saw enough potential here to invest in the company, and be using the product.

Etkin recognizes this is a tricky time to launch an early-stage startup. He said that when he first entered the lockdown, his inclination was to hunker down, but they concluded that their tool would have even greater utility at the moment. “The founders took stock and we were always building a tool that was great for remote teams and collaboration in general, and that hasn’t changed… if anything, I think it’s becoming more important right now.”

The company plans to spend the next 6-9 months refining the product, adding a few folks to the five person team and finding product-market fit. There is never an ideal time to start a company, but Sleuth believes now is its moment. It may not be easy, but they are taking a shot.

IBM and Red Hat expand their telco, edge and AI enterprise offerings

At its Think Digital conference, IBM and Red Hat today announced a number of new services that all center around 5G edge and AI. The fact that the company is focusing on these two areas doesn’t come as a surprise, given that both edge and AI are two of the fastest-growing businesses in enterprise computing. Virtually every telecom company is now looking at how to best capitalize on the upcoming 5G rollouts, and most forward-looking enterprises are trying to figure out how to best plan around this for their own needs.

As IBM’s recently minted president Jim Whitehurst told me ahead of today’s announcement, he believes that IBM (in combination with Red Hat) is able to offer enterprises a very differentiated service because, unlike the large hyper clouds, IBM isn’t interested in locking these companies into a homogeneous cloud.

“Where IBM is competitively differentiated, is around how we think about helping clients on a journey to what we call hybrid cloud,” said Whitehurst, who hasn’t done a lot of media interviews since he took the new role, which still includes managing Red Hat. “Honestly, everybody has hybrid clouds. I wish we had a more differentiated term. One of the things that’s different is how we’re talking about how you think about an application portfolio that, by necessity, you’re going to have in multiple ways. If you’re a large enterprise, you probably have a mainframe running a set of transactional workloads that probably are going to stay there for a long time because there’s not a great alternative. And there’s going to be a set of applications you’re going to want to run in a distributed environment that need to access that data — all the way out to you running a factory floor and you want to make sure that the paint sprayer doesn’t have any defects while it’s painting a door.”

BARCELONA, CATALONIA, SPAIN – 2019/02/25: The IBM logo is seen during MWC 2019. (Photo by Paco Freire/SOPA Images/LightRocket via Getty Images)

He argues that IBM, at its core, is all about helping enterprises think about how to best run their workloads from a software, hardware and services perspective. “Public clouds are phenomenal, but they are exposing a set of services in a homogeneous way to enterprises,” he noted, while he argues that IBM is trying to weave all of these different pieces together.

Later in our discussion, he argued that the large public clouds essentially force enterprises to fit their workloads to those clouds’ services. “The public clouds do extraordinary things and they’re great partners of ours, but their primary business is creating these homogeneous services, at massive volumes, and saying ‘if your workloads fit into this, we can run it better, faster, cheaper etc.’ And they have obviously expanded out. They’ve added services. They are not saying we can put a box on-premise, but you’re still fitting into their model.”

On the news side, IBM is launching new services to automate business planning, budgeting and forecasting, for example, as well as new AI-driven tools for building and running automation apps that can handle routine tasks either autonomously or with the help of a human counterpart. The company is also launching new tools for call-center automation.

The most important AI announcement is surely Watson AIOps, though, which is meant to help enterprises detect, diagnose and respond to IT anomalies in order to reduce the effects of incidents and outages for a company.

On the telco side, IBM is launching new tools like the Edge Application Manager, for example, to make it easier to enable AI, analytics and IoT workloads on the edge, powered by IBM’s open-source Open Horizon edge computing project. The company is also launching a new Telco Network Cloud manager built on top of Red Hat OpenShift and the ability to also leverage the Red Hat OpenStack Platform (which remains an important platform for telcos and represents a growing business for IBM/Red Hat). In addition, IBM is launching a new dedicated IBM Services team for edge computing and telco cloud to help these customers build out their 5G and edge-enabled solutions.

Telcos are also betting big on a lot of different open-source technologies that often form the core of their 5G and edge deployments. Red Hat was already a major player in this space, but the acquisition has only accelerated this, Whitehurst argued. “Since the acquisition […] telcos have a lot more confidence in IBM’s capabilities to serve them long term and be able to serve them in mission-critical context. But importantly, IBM also has the capability to actually make it real now.”

A lot of the new telco edge and hybrid cloud deployments, he also noted, are built on Red Hat technologies but built by IBM, and neither IBM nor Red Hat could have really brought these to fruition in the same way. Red Hat never had the size, breadth and skills to pull off some of these projects, Whitehurst argued.

Whitehurst also argued that part of the Red Hat DNA that he’s bringing to the table now is helping IBM to think more in terms of ecosystems. “The DNA that I think matters a lot that Red Hat brings to the table with IBM — and I think IBM is adopting and we’re running with it — is the importance of ecosystems,” he said. “All of Red Hat’s software is open source. And so really, what you’re bringing to the table is ecosystems.”

It’s maybe no surprise then that the telco initiatives are backed by partners like Cisco, Dell Technologies, Juniper, Intel, Nvidia, Samsung, Packet, Equinix, Hazelcast, Sysdig, Turbonomics, Portworx, Humio, Indra Minsait, EuroTech, Arrow, ADLINK, Acromove, Geniatech, SmartCone, CloudHedge, Altiostar, Metaswitch, F5 Networks and ADVA.

In many ways, Red Hat pioneered the open-source business model and Whitehurst argued that having Red Hat as part of the IBM family means it’s now easier for the company to make the decision to invest even more in open source. “As we accelerate into this hybrid cloud world, we’re going to do our best to leverage open-source technologies to make them real,” he added.

The Good, the Bad and the Ugly in Cybersecurity – Week 18

The Good

It remains to be seen whether this presages something worse to come, but for now there’s welcome news for potentially hundreds of thousands of ransomware victims. A GitHub user claiming to represent the operators of Shade ransomware this week not only announced that the group had ceased attacks since late last year but also publicly released 750,000 decryption keys along with decryptor software. Shade, Troldesh or Encoder.858 ransomware first started circulating in 2014 and has been a constant menace ever since, with several security vendors noting a sharp increase in Shade attacks over late 2018 and early 2019. It remains unknown at this time whether the release is what it appears to be, or whether the ransomware group have been compromised by rivals or are shifting their attention elsewhere. In either case, the decryption keys look to be genuine and the apparent demise of Shade ransomware is welcome news indeed.

The Bad

In these work-from-home times, we’re all relying on the security of our software more than ever, particularly when it comes to business meetings and conferences now being undertaken via teleconferencing apps. While Zoom’s troubles have been well-documented, less attention has been paid to Microsoft Teams. Turns out Teams had a major worm-like vulnerability that could have allowed a remote attacker to completely take over an organization’s Teams accounts and use them for lateral movement throughout the network. While the details are quite technical, the zero-click vulnerability could be exploited simply by sending an image or GIF to a victim. The attack succeeds as soon as the image is loaded in the viewer, and the victim would not even know they had been attacked, according to the researchers. The flaw was disclosed to Microsoft privately on March 23 and patched on April 20th. Needless to say, update immediately if you haven’t already.

In other news, attackers have been actively exploiting a zero-day flaw in the Sophos XG Firewall product, it emerged this week. A pre-auth SQL injection vulnerability (CVE-2020-12271) created a remote code execution (RCE) situation allowing attackers access to XG devices and exposing local usernames and hashed passwords of local accounts. The Asnarok Trojan was also seen used by the attackers on compromised devices. Sophos have pushed out a hotfix but users are advised to reduce the attack surface by disabling the HTTPS Admin Service and User Portal access on the firewall’s WAN interface where possible.

The Ugly

Maze ransomware crew are often featured in our Ugly section and this week is no exception as the gang’s “innovative” MO takes yet another odd turn. Their usual encrypt, exfil and leak tactic has a new twist as the group now claim to be turning down the chance to profit from one of their victims and insist instead that they have more altruistic motives. A statement from the group claims that they compromised state-owned Banco de Costa Rica (Banco BCR) in August last year and again in February this year, gaining access to the payment processing system and stealing 11 million credit card credentials, including 140,000 belonging to US citizens. So far, par for the course.

The twist comes in that the ransomware group claim not to have “blocked the work of the bank” as it would be “incorrect during the world pandemic”. However, they appear to be more concerned that the bank failed to both disclose the initial breach last year and to take the necessary action to secure the compromised systems. Maze claim that in February this year they were able to re-access the systems with ease and that the bank is culpable for its woefully lax security. The statement goes on to say that the Maze crew do not intend to sell the data but rather are “informing Banco BCR, media sources and regulators about the case.” The statement ends with a chilling threat, however. “We will also publish all the info…if we don’t receive any feedback. It mean that 11 million credit card numbers and other credentials will be published.”

It’s not clear what “feedback” the group are hoping for, but we wouldn’t be surprised if it amounted to a financial incentive not to leak. Seems like an easier way to make money than trading with criminals on the Darknet, anyway. Meanwhile, there is one thing we can agree on with the Maze ransomware operators if, indeed, their story is true: Banco BCR need to do better at security, and fast.

In spite of pandemic (or maybe because of it), cloud infrastructure revenue soars

It’s fair to say that even before the impact of COVID-19, companies had begun a steady march to the cloud. Maybe it wasn’t fast enough for AWS, as Andy Jassy made clear in his 2019 re:Invent keynote, but it was happening all the same and the steady revenue increases across the cloud infrastructure market bore that out.

As we look at the most recent quarter’s earnings reports for the main players in the market, it seems the pandemic and economic fallout has done little to slow that down. In fact, it may be contributing to its growth.

According to numbers supplied by Synergy Research, the cloud infrastructure market totaled $29 billion in revenue for Q1 2020.

Image Credit: Synergy Research

Synergy’s John Dinsdale, who has been watching this market for a long time, says that the pandemic could be contributing to some of that growth, at least modestly. In spite of the numbers, he doesn’t necessarily see these companies getting out of this unscathed either, but as companies shift operations from offices, it could be part of the reason for the increased demand we saw in the first quarter.

“For sure, the pandemic is causing some issues for cloud providers, but in uncertain times, the public cloud is providing flexibility and a safe haven for enterprises that are struggling to maintain normal operations. Cloud provider revenues continue to grow at truly impressive rates, with AWS and Azure in aggregate now having an annual revenue run rate of well over $60 billion,” Dinsdale said in a statement.

AWS led the way with a third of the market or more than $10 billion in quarterly revenue as it continues to hold a substantial lead in market share. Microsoft was in second, growing at a brisker 59% for 18% of the market. While Microsoft doesn’t break out its numbers, using Synergy’s numbers, that would work out to around $5.2 billion for Azure revenue. Meanwhile Google came in third with $2.78 billion.

If you’re keeping track of market share at home, it comes out to 32% for AWS, 18% for Microsoft and 8% for Google. This split has remained fairly steady, although Microsoft has managed to gain a few percentage points over the last several quarters as its overall growth rate outpaces Amazon.

Defending the Enterprise | Igor Glik, Vigilance MDR Team Lead

As you might have gleaned from yesterday’s deep dive into a real-life NTLM brute force attack or our best-in-class results for MDR in MITRE’s 2020 ATT&CK evaluation, our Vigilance MDR team are a talented and dedicated crew. But what’s life like for a security analyst defending some of the world’s top enterprises? And how do you become a security analyst anyway? Igor Glik is a Vigilance Team Lead at SentinelOne. In this blog post, we go behind the scenes of Vigilance MDR and chat with Igor to get his unique perspective on how his team operates, the challenges they face and much more.

Igor has been with SentinelOne for the past 2.5 years. He joined as a security analyst at the Israeli site and after an outstanding year was promoted to manage the EMEA Vigilance team, SentinelOne’s MDR (Managed Detection and Response) service. The team consists of a large group of analysts and threat researchers and works alongside the SentinelOne site in North America (Eugene, Oregon) to provide 24/7 coverage to its subscribers.

Vigilance is provided in two tiers, Response and Monitor. The services are used by various customer segments: from a 500-employee company that lacks the proper manpower to monitor their endpoints and react to incidents to the largest enterprises on the planet with over 100,000 employees and dedicated SOC teams that want to augment their analysts with additional firepower.

What Does A Regular Day Look Like at Vigilance?

Our team day-to-day is a combination of reacting to threats seen by customers and proactive work by the whole team in an effort to ensure customer safety with minimal friction to their user experience.

The team monitors millions of endpoints and handles tens of thousands of alerts each day. The average analyst in our team will handle between 500 to 1200 threats per working day. That allows only a few minutes to decide whether to escalate the threat to a higher tier or assign it a known classification and recommend action according to the team playbook. With each alert, we have to analyze all IOCs and decide whether further escalation is needed, whether we require an expert consultant, or whether the information we have is enough to make a final decision.

How Do You Train Someone to be an MDR Analyst?

We have developed a dedicated training method to teach analysts decision-making based on threat data received by the agent, and when to deep dive for additional data using tools such as our EDR solution or other forensic tools the team has.

Analysts are trained to identify anomalies and escalate unusual or complex incidents to higher tier teams dedicated to handling such incidents.

A crucial part of handling a verified threat after classification is identifying the infection vector and containing the threat as fast as possible, isolating infected machines while protecting the client’s crucial assets.

How Varied is the Work of an MDR Analyst?

Due to the nature of our job and the fear of “burnout” by analysts, we use several techniques to diversify team tasks, allowing team members to work in different roles and task types. In that way, a senior threat analyst can spend a day in the Tier 1 SOC position and get input on the front line action, and then rotate into threat research and other diverse tasks on other days.


What Are the Most Common Cyber Incidents Vigilance Has Seen Recently?

I would say the most common attack vector would be thumb drives with various “USB” worms. Following that would be malicious documents received by email and usually resulting in an Emotet / TrickBot infection attempt.

From the APT perspective, we see a rise in attacks leveraging a vulnerable, usually unprotected and unpatched, machine within an organization, open to the outside world and the organizational network.

Attackers will always look for the weakest link in the chain, so while it is popular to discuss zero-day exploits, in real life we usually see the entry point in devices that were unprotected, with poor security configuration allowing the attacker to try and move laterally. Such attacks will usually be fileless and hard to discover with a signature-based solution.

Can You Describe Some Incidents Where Vigilance’s Intervention Was Crucial?

Sure. One memorable incident I recall was a customer that suffered a breach from several unprotected machines. The attacker gained user credentials and was spreading laterally, and at some point, we had to isolate several hundred machines and wake the IT team in the middle of the night. Fortunately, since it was night time most users were unaffected, but such an incident usually requires user credentials replacement, which is a painful process for some customers.

Another memorable incident I have in mind is a potential customer that was performing a paid pentest as part of a technical review of our product. During that pentest an alert was raised. As a general policy, we never assume that an alert is related to the pentest and treat each alert as a real malicious attack. One of these suspicious alerts that we communicated to the customer was found to be unrelated to the pentest and was an actual attacker using a penetration framework against the customer. 

What Is A Common Source Of Cyber Incidents?

Many incidents start from an unsecured host: an endpoint that the client was unaware of in their inventory or that wasn’t installed with an endpoint protection agent for some reason or another.

Other causes of cyber incidents are lack of 2FA, obsolete software, obsolete Windows versions, unpatched systems and configuration errors like leaving RDP open with no MFA. Lack of network segregation without implementing a multi-layer security approach and no NLA is also a great starting point for an attacker.
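As an added example (not code from SentinelOne or the interviewee), the following PowerShell audit checks a Windows host for the RDP exposure the answer above names: Remote Desktop enabled without Network Level Authentication and reachable through the firewall. It assumes an elevated session on the host being checked, with the NetSecurity and NetTCPIP modules available; MFA in front of RDP cannot be verified locally and is only reported as a recommendation.

```powershell
# Added example: audit a Windows host for RDP enabled without NLA.
# Assumes an elevated local session; registry paths below are the standard
# Terminal Server keys, not values taken from the interview.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means NLA is required: credentials are verified
# before a desktop session is created, which removes the pre-auth attack surface.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# Port RDP actually listens on (3389 by default). A changed port is not a control.
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Interfaces on which that port is currently listening.
$listeners = Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalAddress

# Enabled inbound allow rules for that port, across all firewall profiles.
$openRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq "$rdpPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object -ExpandProperty DisplayName

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaRequired
    RdpPort           = $rdpPort
    Listening         = ($listeners -join ', ')
    InboundAllowRules = ($openRules -join '; ')
} | Format-List

# Flag the exact combination the interview describes.
if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
    Write-Warning "Remediate with: Set-ItemProperty -Path '$rdpKey' -Name UserAuthentication -Value 1"
    Write-Warning 'Then restrict inbound rules to management networks and require MFA via a gateway or VPN.'
}
```

Run it across the asset inventory (for example through Invoke-Command) and the hosts that were "unaware of in their inventory" show up as the ones that return nothing at all.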

How Has the COVID-19 Pandemic Affected Vigilance?

The COVID-19 situation has added some complexity to an already globally distributed team, but I think, since our starting point was already a team that is largely accustomed to either full or partial remote work, the transition has not been too bad. As a company, SentinelOne has been very supportive in the transition, both globally to all teams but also specifically to our team’s unique needs.

We did an analysis of the team’s needs and how we could be affected by these changes to the work environment. This covered both the logistical part, such as missing equipment, employee home setup, etc., and issues related to our work processes, such as how to replace the office interaction and face-to-face conversations with a virtual communication process.

So What Does Vigilance MDR Look For When Hiring?

During the last 12 months, we’ve invested in building strong fundamentals for the team of senior threat researchers and threat analysts and nowadays we are mostly left with junior Tier 1 positions, which can be a great entry-level position.  

Usually, the candidate must have some background and passion for the security world. For a Tier 1 Junior position, we do consider candidates with relatively short experience if we find their skillset appropriate for the team’s challenges and tasks.

We’d like to thank Igor for taking the time to talk with us about his role and the fascinating work of the Vigilance MDR team. If you’re interested in working with us at SentinelOne, check out our open positions here. 



Microsoft makes it easier to get started with Windows Virtual Desktops

Microsoft today announced a slew of updates to various parts of its Microsoft 365 ecosystem. A lot of these aren’t all that exciting (though that obviously depends on your level of enthusiasm for products like Microsoft Endpoint Manager), but the overall thrust behind this update is to make life easier for the IT admins that help provision and manage corporate Windows — and Mac — machines, something that’s even more important right now, given how many companies are trying to quickly adapt to this new work-from-home environment.

For them, the highlight of today’s set of announcements is surely an update to Windows Virtual Desktop, Microsoft’s service for giving employees access to a virtualized desktop environment on Azure and that allows IT departments to host multiple Windows 10 sessions on the same hardware. The company is launching a completely new management experience for this service that makes getting started significantly easier for admins.

Ahead of today’s announcement, Brad Anderson, Microsoft’s corporate VP for Microsoft 365, told me that it took a considerable amount of Azure expertise to get started with this service. With this update, you still need to know a bit about Azure, but the overall process of getting started is now significantly easier. And that, Anderson noted, is now more important than ever.

“Some organizations are telling me that they’re using on-prem [Virtual Desktop Infrastructure]. They had to go do work to basically free up capacity. In some cases, that means doing away with disaster recovery for some of their services in order to get the capacity,” Anderson said. “In some cases, I hear leaders say it’s going to take until the middle or the end of May to get the additional capacity to spin up the VDI sessions that are needed. In today’s world, that’s just unacceptable. Given what the cloud can do, people need to have the ability to spin up and spin down on demand. And that’s the unique thing that a Windows Virtual Desktop does relative to traditional VDI.”

Anderson also believes that remote work will remain much more common once things go back to normal — whenever that happens and whatever that will look like. “I think the usage of virtualization where you are virtualizing running an app in a data center in the cloud and then virtualizing it down will grow. This will introduce a secular trend and growth of cloud-based VDI,” he said.

In addition to making the management experience easier, Microsoft is now also making it possible to use Microsoft Teams for video meetings in these virtual desktop environments, using a feature called ‘A/V redirection’ that allows users to connect their local audio and video hardware and virtual machines with low latency. It’ll take another month or so for this feature to roll out, though.

Also new is the ability to keep service metadata about Windows Virtual Desktop usage within a certain Azure region for compliance and regulatory reasons.

For those of you interested in Microsoft Endpoint Manager, the big news here is better support for macOS-based machines. Using the new Intune MDM agent for macOS, admins can use the same tool for managing repetitive tasks on Windows 10 and macOS.

Productivity Score — a product only an enterprise manager would love — is also getting an update. You can now see how people in an organization are reading, authoring and collaborating around content in OneDrive and SharePoint, for example. And if they aren’t, you can write a memo and tell them they should collaborate more.

There are also new dashboards here for looking at how employees work across devices and how they communicate. It’s worth noting that this is aggregate data and not another way for corporate to look at what individual employees are doing.

The one feature here that does actually seem really useful, especially given the current situation, is a new Network Connectivity category that helps IT to figure out where there are networking challenges.