5 Cyber Security Challenges Facing CISOs in the Age of COVID-19

A survey of more than 270 cybersecurity professionals published in late June by the host of the Black Hat Conference found that 80% believe the pandemic will lead to significant changes in cybersecurity operations, and only 15% believe that security operations (SecOps) and threats will return to “normal” levels once the COVID-19 pandemic subsides. Here are some details on what we’re seeing and what CISOs are dealing with, for better or worse.

1. Increased Threat to Enterprise Systems & Data

The Black Hat survey found that nearly 95% of security professionals believe that the COVID-19 crisis increases the cyber threat to enterprise systems and data, with 24% saying the increased threat is “critical and imminent.” The FBI backs that up: in April, the Internet Crime Complaint Center (IC3) reported that it was seeing a 300% spike in cybercrime since the beginning of the pandemic. During a webinar hosted by the Aspen Institute, Tonya Ugoretz, the deputy assistant director of the FBI’s Cyber Division, said that the IC3 was receiving between 3,000 and 4,000 cybersecurity complaints each day: a major jump from pre-pandemic levels of about 1,000 daily complaints.

But who, and what, are the crooks targeting? Are they after the legions of new Work From Home (WFH) end users? That might make sense on the face of it: a survey of end users working for small businesses found that after the pandemic hit, more than two-thirds of employees (68%) reported that they had begun to use their own computers for work, and only about one-third (34%) reported that they had received instructions on how to use their personal laptops, tablets, and smartphones securely. That is a recipe for a nightmare, given many businesses’ lack of visibility into the endpoints touching their networks, unless they have adequate Endpoint Detection and Response (EDR) tooling: tools that not only provide visibility into incoming threats but automatically mitigate them, using behavioral models that learn to spot malicious activity and stop it before damage is done.


Without such tools, no one knows what could be happening on those personal machines, any of which may be processing company data and/or accessing the corporate infrastructure. For example, a survey from Kaspersky found that 33% of respondents admitted to visiting adult websites on their personal PC—as in, the ones they also use for work. Unfortunately, that’s how cybercrooks catch victims, committing crimes such as stealing payment card details or tricking users into installing malware—including ransomware.

But how is targeting end users new? It’s not, says SentinelOne CISO Chris Bates. The criminals are targeting end users, but they’ve always done that, he points out, pandemic or no pandemic. The problem is that businesses lack visibility into what’s happening on their endpoints: in other words, they don’t know what’s happening on all those laptops, tablets and smartphones that are now touching their infrastructure. “We’re seeing two things: one, a mass transition to WFH, and those businesses don’t have the visibility they need to catch threats; and two, the level of access is too broad,” Bates says. “For example, with VPNs [virtual private networks]: they don’t have the visibility or tool set to defend a distributed workforce like that.”

Mixing not-so-secure computers into the corporate environment through WFH means a bigger attack surface, Bates says. It creates “a lot more noise” that strains companies’ threat detection systems, and “that noise can cover up actual attacks,” he says. Being able to separate the static from true threats is one of the biggest selling points for SentinelOne’s ActiveEDR, which is designed to filter out the benign anomalies and other noise that waste human security analysts’ time by sending them on wild forensic goose chases.

2. Where Do You Put Your Security?

According to Nicholas Bloom, an economist at Stanford University, an estimated 26% of the US labor force cannot work remotely. The flip side of that coin is that a large share of the rest can. Obviously, the pandemic means that the way people consume information from enterprises has changed. All the communication we used to do, and the way we have always sold products, has changed. Everything has to be done on the web, and everything therefore has to be secured.

But where? Where do you secure that data? Do you put security on premises, off-premises, in the cloud, on the physical devices themselves? Those choices have implications, according to Migo Kedem, SentinelOne Senior Director of Products and Marketing. For example, if you have an EDR solution that relies on cloud connectivity to make a detection, any given threat has that much more dwell time—i.e., time during which an attacker enjoys free rein in an environment. That’s not good.

That leaves end devices as the logical place to put security, Kedem says, and that’s where SentinelOne focuses its ActiveEDR technology: technology that tracks and contextualizes everything on a device and which identifies malicious acts in real-time, automating the required responses to shut them down. “All security has to be on the user device,” he says. “Why should you care? Because it’s the only defense mechanism you have, locally. If users are connecting from home, via WiFi, you don’t have anything you can trust.”

For CISOs, that’s a “big, big problem,” Kedem says. The pandemic hit, and many, many organizations were unprepared. Even those corporations that were already in the cloud still had islands of internal servers, he points out, and many had to choose between compromising on security versus productivity. “It’s a hard discussion for CISOs to have,” he says. CISOs are often between a rock and a hard place: often, you’re the “No-No” man or woman: No, it’s not secure. No, we have to block this. No, we have to block that. But when it comes to productivity, CISOs can’t say no all the time. They have to say “Yes, let’s do it, but let’s secure it.”

“For the business to really grow, and to grow well, everyone’s working from home,” Kedem says. “It’s back to basics for CISOs. Whenever they have a service that they can’t secure properly, but that’s generating for the business, they have to say, ‘How do we take that risk?’ If it’s ‘No,’ that’s going to lead to a clash with the CEO and other executives.”

The path to “Yes”: secure the end devices that are being used by masses of new WFH staff.

3. Getting Sucked Into the RDP Security Hole

Another repercussion of the spike in WFH: the rise of RDP brute-force attacks since the onset of the pandemic. In March, Shodan, the search engine for Internet-connected devices, began tracking an uptick in the number of devices exposing RDP to the internet. That makes sense, notes Shodan founder John Matherly, given how many organizations are moving to remote work. In April, Kaspersky reported the same thing: namely, that the number of Bruteforce.Generic.RDP attacks had “rocketed across almost the entire planet” since March.

Poorly configured RDP servers make a tempting target. Microsoft’s proprietary protocol is one of the most popular application-level protocols for accessing Windows workstations or servers. With the rise in RDP comes a fresh batch of potential targets, which has led to an increase in cybercriminal activity as crooks try to exploit the situation to attack corporate resources that “have now been made available (sometimes in a hurry) to remote workers,” notes Kaspersky’s Dmitry Galov.

These aren’t just phishing attacks going after end users’ credit card details. These are attacks coming for the crown jewels: not only all of an enterprise’s data, but also whatever ransom the extortionists can get out of paralyzed companies. Jarred Phipps, SentinelOne Sales Engineering Lead, says that all the big ransomware attacks these days are coming in via RDP. Ransomware, in fact, is where most cybercrime is pivoting, he says. You can see the attraction: Bitcoin, the currency these crooks demand, is both valuable and harder to trace than a wire transfer (though not anonymous: its ledger is public, and blockchain analysis is routinely used to follow ransom payments). In addition, the extortionists are well aware that these days, cyber insurers will often pay the ransom.

These attacks aren’t likely to stop anytime soon. If you must run RDP, your SOC or MDR should be brushing up on how to harden it, because a misconfigured RDP server is a major Achilles heel. At a minimum that means not exposing port 3389 directly to the internet (put RDP behind a VPN or an RD Gateway), requiring Network Level Authentication and multi-factor authentication, enforcing account lockout thresholds, and monitoring failed-logon events for brute-force patterns. To help with that work, earlier this month SentinelOne released an eBook, Understanding Ransomware in the Enterprise, a guide to understanding, planning for, responding to and protecting against this widespread threat.


As for RDP vulnerabilities such as BlueKeep (CVE-2019-0708), or post-exploitation tooling such as Mimikatz that harvests credentials for reuse over RDP, this is where the ability to stop a zero day makes a crucial difference. There is no substitute for autonomous protection in today’s threatscape, whether a pandemic is raging or not. In one case study involving Mimikatz, for example, SentinelOne stopped an attack from infecting machines and from spreading further across a client’s network, even though the attempt to compromise those machines via RDP used valid scraped credentials, says SentinelOne’s Igor Glik.
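The two RDP patterns this section describes, a brute-force run against an exposed server and a logon with credentials the attacker already holds, both leave a trail in the Windows Security log. The following is an added example for this article, not SentinelOne’s code or any product’s detection logic: it assumes the Security log has been exported to dicts with the fields of event ID 4625 (failed logon) and 4624 (successful logon), uses LogonType 10 (RemoteInteractive) to isolate RDP, and runs over a constructed sample log that includes a legitimate user mistyping a password, a “low and slow” attacker, and console failures that should be ignored.

```python
"""Spot RDP brute-force activity in Windows Security log events.

Added example for this article; not SentinelOne's code and not any product's
detection logic. It assumes the Security log has already been exported to
dicts carrying the fields of event 4625 (failed logon) and 4624 (successful
logon); LogonType 10 is RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625
EVENT_SUCCESS_LOGON = 4624
LOGON_TYPE_RDP = 10
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def detect_rdp_bruteforce(events, threshold=10, window_minutes=5):
    """Return {src_ip: alert} for sources that look like RDP brute force.

    A source is flagged "bruteforce" once it produces `threshold` failed RDP
    logons inside a sliding window of `window_minutes`. If the same source
    then logs on successfully it is escalated to "bruteforce_success": the
    attacker guessed, or already held, valid credentials, which is exactly
    the outcome a password-spraying or credential-reuse attack is after.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)     # src_ip -> timestamps of recent failures
    tried = defaultdict(set)        # src_ip -> account names attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != LOGON_TYPE_RDP:
            continue                # console, service and network logons are out of scope
        ip, when = ev["src_ip"], datetime.strptime(ev["time"], TIME_FMT)
        if ev["event_id"] == EVENT_FAILED_LOGON:
            q = recent[ip]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()         # drop failures that fell out of the window
            tried[ip].add(ev["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"status": "bruteforce", "failures": 0,
                                               "first": q[0], "last": when,
                                               "users": tried[ip]})
                alert["failures"] = max(alert["failures"], len(q))
                alert["last"] = when
        elif ev["event_id"] == EVENT_SUCCESS_LOGON and ip in alerts:
            alerts[ip]["status"] = "bruteforce_success"
            alerts[ip]["compromised_user"] = ev["user"]
    return alerts


def _event(event_id, when, src_ip, user, logon_type=LOGON_TYPE_RDP):
    return {"event_id": event_id, "time": when.strftime(TIME_FMT),
            "src_ip": src_ip, "user": user, "logon_type": logon_type}


def sample_events():
    """Constructed sample log (not real data) covering the cases that matter."""
    base = datetime(2020, 6, 1, 3, 0, 0)
    evs = []
    # 1. Attacker: twelve failed RDP logons in two minutes, cycling through
    #    likely account names, then a successful logon as administrator.
    names = ["administrator", "admin", "backup", "svc_sql"]
    for i in range(12):
        evs.append(_event(EVENT_FAILED_LOGON, base + timedelta(seconds=10 * i),
                          "203.0.113.7", names[i % len(names)]))
    evs.append(_event(EVENT_SUCCESS_LOGON, base + timedelta(seconds=130),
                      "203.0.113.7", "administrator"))
    # 2. Legitimate user mistypes a password twice, then gets in: no alert.
    for i in range(2):
        evs.append(_event(EVENT_FAILED_LOGON, base + timedelta(minutes=7, seconds=20 * i),
                          "198.51.100.3", "jsmith"))
    evs.append(_event(EVENT_SUCCESS_LOGON, base + timedelta(minutes=8),
                      "198.51.100.3", "jsmith"))
    # 3. "Low and slow" attacker: one failure every 30 minutes never fills
    #    a five-minute window, so the default threshold does not catch it.
    for i in range(12):
        evs.append(_event(EVENT_FAILED_LOGON, base + timedelta(minutes=30 * i),
                          "203.0.113.9", "admin"))
    # 4. Fifteen console (LogonType 2) failures: not RDP, ignored here.
    for i in range(15):
        evs.append(_event(EVENT_FAILED_LOGON, base + timedelta(seconds=5 * i),
                          "10.0.0.5", "helpdesk", logon_type=2))
    return evs


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(sample_events()).items():
        print(ip, a["status"], a["failures"], sorted(a["users"]),
              a.get("compromised_user", "-"))
```

The sliding window is what separates a real brute-force run from a forgetful user, and the escalation on a subsequent success is the event worth paging on: it is the point at which the attacker has moved from guessing to holding working credentials. The “low and slow” source in the sample shows the limit of a short window; widening it (the `window_minutes` parameter) catches that source at the cost of more noise, which is the trade-off every threshold-based rule makes.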

4. Perils of Shifting to the Cloud

Everybody is, understandably, trying to shift SecOps to the cloud, according to SentinelOne’s Bates and Phipps. A global survey of 750 IT professionals conducted by the market research firm Vanson Bourne on behalf of Barracuda Networks points the same way: 51% of respondents are either in the process of deploying, or expect to move off VPNs to, software-defined wide area networks (SD-WANs), which scale better for access to distributed cloud applications. Just under a quarter (23%) had already deployed an SD-WAN as of early June.

Unfortunately, some companies don’t know how gnarly the move is. “It’s a lot more than putting stuff in AWS [Amazon Web Services],” Bates says. “They’re porting their old stuff into the cloud, but it’s definitely the same old stuff, just in a different data center.”

What they may be missing, Phipps says, is that a cloud architecture brings its own security requirements, and those have to be designed in. “They’re not thinking security, let alone advanced security,” he says. If they try to bolt security on after the fact, they are basically redesigning. SentinelOne is seeing many companies face that challenge, and consequently sees increased demand for its Cloud Workload Protection product. Built for containers, including managed and unmanaged Kubernetes, the product brings SentinelOne’s patented Behavioral AI and autonomous response to all major Linux platforms, physical and virtual, as well as cloud-native workloads and containers, covering prevention, detection, response and hunting. It targets both malicious files and live attacks across cloud-native and containerized environments, with advanced response options and autonomous remediation.

In some cases, the different architecture of the cloud means that the way you do security has to evolve. Vulnerability assessment is one example. Before the move to the cloud, you would walk into a data center: you had servers to count and applications to assess, and the question was whether they needed to be patched. In the cloud, servers are dynamic and defined in code. A given server may live a day, an hour, or a minute before it scales down, and as business needs change, developers constantly change those recipes. The assessment therefore has to move onto the recipe itself, before anything is deployed.
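When the server is a recipe, the vulnerability assessment becomes a check on that recipe. Below is an added example for this article, not SentinelOne’s code or part of any product, of the kind of pre-deployment check that does this for a Kubernetes Pod spec: it flags the settings that turn a container into a foothold on the node (host namespaces, hostPath mounts, privileged mode, dangerous capabilities, running as root, unpinned images, no resource limits). The rule names are the example’s own, and the two manifests, a classic “debug shell” pod and a hardened pod, are constructed for illustration; the input is the JSON form of a Pod object, as `kubectl get pod <name> -o json` prints it.

```python
"""Pre-deployment checks on a Kubernetes Pod spec.

Added example for this article; not SentinelOne's code and not part of any
product. The rule names are this example's own, and the two manifests are
constructed for illustration. Input is the JSON form of a Pod object (or a
v1 List of them), as produced by `kubectl get pod <name> -o json`.
"""
import json

HOST_NAMESPACE_KEYS = ("hostPID", "hostNetwork", "hostIPC")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def image_is_pinned(image):
    """True for a digest reference or an explicit, non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]     # drop registry/repo so host:port is not read as a tag
    if ":" not in last:
        return False                    # no tag at all is implicitly :latest
    return last.rsplit(":", 1)[1] != "latest"


def check_pod(pod):
    """Return a list of (rule, location, detail) findings for one Pod object."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key):
            findings.append(("host-namespace", name, f"{key}: true"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(("hostpath-volume", f"{name}/{vol.get('name')}",
                             vol["hostPath"].get("path", "")))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{name}/{c.get('name', '<unnamed>')}"
        # Container-level securityContext overrides the pod-level one for the
        # fields they share (runAsUser, runAsNonRoot, ...); the merge gives
        # the effective settings for this container.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if not image_is_pinned(c.get("image", "")):
            findings.append(("mutable-image-tag", loc, c.get("image", "")))
        if sc.get("privileged"):
            findings.append(("privileged", loc, "privileged: true"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("privilege-escalation", loc, "allowPrivilegeEscalation is not false"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(("runs-as-root", loc, "runAsNonRoot unset and runAsUser unset or 0"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("writable-rootfs", loc, "readOnlyRootFilesystem is not true"))
        added = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append(("dangerous-capability", loc, ",".join(sorted(added))))
        if not c.get("resources", {}).get("limits"):
            findings.append(("no-resource-limits", loc, "resources.limits missing"))
    return findings


def check_manifest_json(text):
    """Parse a JSON Pod (or v1 List) and return the findings for every Pod in it."""
    obj = json.loads(text)
    items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    return [f for item in items if item.get("kind") == "Pod" for f in check_pod(item)]


def rule_ids(findings):
    return {f[0] for f in findings}


# Constructed manifests: a "debug" pod that is effectively root on the node,
# and a hardened pod that passes every rule above.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
           "spec": {"hostPID": True, "hostNetwork": True,
                    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                    "containers": [{"name": "shell", "image": "alpine:latest",
                                    "securityContext": {"privileged": True,
                                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                                    "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}}
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
            "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                     "containers": [{"name": "api",
                                     "image": "registry.example.com:5000/team/api@sha256:" + "0" * 64,
                                     "securityContext": {"allowPrivilegeEscalation": False,
                                                         "readOnlyRootFilesystem": True,
                                                         "capabilities": {"drop": ["ALL"]}},
                                     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for rule, loc, detail in check_manifest_json(json.dumps(BAD_POD)):
        print(f"{rule:22} {loc:22} {detail}")
    print("hardened pod findings:", check_pod(GOOD_POD))
```

A check like this belongs in the pipeline that renders and applies the manifests, so that a pod which fails it never reaches the cluster; the same rules can be enforced at admission time, but catching them in the recipe is cheaper and gives the developer who wrote it the feedback.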


Joe Knape is Director, Digital Transformation & Strategy/Agile Delivery/Enterprise Architecture/Cloud at Infoedge LLC, a management consultancy. He agrees with what everybody else in the space is saying: more companies are moving more rapidly to the cloud because they realize that digital transformation has to happen faster, mostly due to WFH mandates. Added to that, for smaller brick-and-mortar businesses, nobody is walking through the door, so those businesses have to provide their services digitally or virtually. Customers used to knock on the gate at Bob’s Junk Yard & Auto Parts to pick and pull parts, but if Bob wants his business to survive, he has had to make his inventory digital and put it online. “That’s where COVID’s pushing things,” Knape says.

Here’s the thing, though: does Bob’s have the skill set within its ranks? “As far as security is concerned, especially in case of rapid movement, [change] is mostly around people,” Knape says. “Do your people have the skill sets to do the job? Depending on which companies we’re talking about—as in, how deep their security posture was pre-pandemic—the answer is, ‘Probably not.’”

5. Brand-new Skills Shortages

Cloud security skills (DevSecOps) are just one of at least two types of security skills shortages that the pandemic is either causing or worsening. The other is regulatory compliance skills. Think about it: who would have predicted, six months ago, that a bike-sharing company would start taking workers’ temperatures when they clock in, meaning that it is suddenly holding health-related records and has to work out which privacy rules apply (HIPAA is the one usually cited, but it binds covered entities and their business associates, not employers as such, so state privacy law may matter more)? … that local craft breweries would be collecting contact tracing details? … or that such details might be abused by the employees who collect them? Case in point: a woman in Auckland, New Zealand, bought a sandwich at a fast-food shop, gave her contact tracing details to a worker, and was subsequently hit up for a date via Facebook, Instagram, Messenger and text message.

There are obviously good reasons why companies and governments should be paying close attention to how they protect privacy as countries and states gradually retreat from lockdown and work out how to do so safely. So far, the guidance has been all over the map.

That was evidenced by a survey done by PwC, which developed a contact-tracing app to help employers identify workers who may have been exposed to the virus. The survey found that, as of April, governments around the world had issued more than 60 directives regarding protecting data privacy while responding to the pandemic.

What to Do First?

What’s the answer? If you’re looking for a new job, you might want to consider specializing in regulatory compliance. If you’re a CISO thinking about heading to the cloud, you’ve got a few things to keep in mind: if the business is small, you might have one person working part-time doing anti-virus scans. Well, that process may no longer work in the cloud. If you’ve got a 50-person SecOps team, already responsible for all your servers, routers, switches and more, they still have to deal with all that—plus the infrastructure that’s moved to the cloud.

“They’re strained,” Knape says. “They’re already being asked to do more with less, and now it’s more with less. And it’s completely different from what they were doing yesterday. You have a balloon. You can only squeeze it so hard before it bursts.”

Knape suggests sticking with what they know. Don’t go multi-cloud. Pick one cloud vendor and stick to it. If you’re a Google or AWS shop, be that Google or Amazon customer. If you’re a Microsoft shop, go with Microsoft Azure. “Why learn a different language?” Knape says. “Think data security as opposed to network or infrastructure security, and pick a cloud and stick with it. Learn to be an expert, and have your people be experts in that cloud.”

Even if you do that, your security team will likely still be stressed and stretched thin. On the plus side, WFH means that you might be free to hire anywhere you can find talent, regardless of where you’re geographically located.

Beyond “hire anywhere you can find talent,” now might just be the perfect time to start thinking about sourcing talent that doesn’t need to sleep. Now might be the time to start thinking of artificial intelligence plugged into every endpoint: helpers that can whittle down all those false flags your stretched-thin security analysts are chasing down. Now might be the right time for ActiveEDR and its autonomous, automatic mitigation.




Movable Ink raises $30M as it expands its personalization technology beyond email marketing

Movable Ink, a company that helps businesses deliver more personalized and relevant email marketing, is announcing that it has raised $30 million in Series C funding.

The company will be 10 years old in October, and founder and CEO Vivek Sharma told me that it’s always been “capital efficient” — even with the new round, Movable Ink has only raised a total of $39 million.

However, Sharma noted that with COVID-19, it felt like “a good idea to have some dry powder on our balance sheet … if things turned south.”

At the same time, he suggested that the pandemic’s impact has been more limited than he anticipated, and has been “really focused” on a few sectors like travel, hospitality and “old line retailers.”

“Those who are adopting to e-commerce really quickly have done well, financial services has done well, media has done well,” he said.

The company’s senior vice president of strategy Alison Lindland added that clients using Movable Ink were able to move much more quickly, with campaigns that would normally take months launching in just a few days.

“We really saw those huge, wholesale digital transformations in a time of duress,” Lindland said. “Obviously, large Fortune 500 companies were making difficult decisions, were putting vendors on hold, but email marketers are always the last people furloughed themselves, because of how critical email marketing is to their businesses. We were just as critical to their operations.”


The company said it now works with more than 700 brands, and in the run up to the 2020 election, its customers include the Democratic National Committee.

The new funding comes from Contour Venture Partners, Intel Capital and Silver Lake Waterman. Sharma said the money will be spent on three broad categories: “Platforms, partners and people.”

On the platform side, that means continuing to develop Movable Ink’s technology and expanding into new channels. He estimated that around 95% of Movable Ink’s revenue comes from email marketing, but he sees a big opportunity to grow the web and mobile side of the business.

“We take any data the brand has available to it and activate and translate it into really engaging creative,” he said, arguing that this approach is applicable in “every other channel where there’s pixels in front of the consumer’s eyes.”

The company also plans to make major investments into AI. Sharma said it’s too early to share details about those plans, but he pointed to the recent hire of Ashutosh Malaviya as the company’s vice president of artificial intelligence.

As for partners, the company has launched the Movable Ink Exchange, a marketplace for integrations with data partners like Oracle Commerce Cloud, MessageGears Engage, Trustpilot and Yotpo.

And Movable Ink plans to expand its team, both through hiring and potential acquisitions. To that end, it has hired Katy Huber as its senior vice president of people.

Sharma also said that in light of the recent conversations about racial justice and diversity, the company has been looking at its own hiring practices and putting more formal measures in place to track its progress.

“We use OKRs to track other areas of the business, so if we don’t incorporate [diversity] into our business objectives, we’re only paying lip service,” he said. “For us, it was really important to not just have a big spike of interest, and instead save some of that energy so that it’s sustained into the future.”

Wix launches a new company, Wix Answers, to unify customer support

Website-building platform Wix today launched a new company, Wix Answers, which it says offers enterprise-level customer support and is intended to compete with companies like Zendesk and Salesforce.

Joe Pollaro, the general manager of Wix’s U.S. business, said that while the company has “been expanding into much larger types of users, enterprise-class users,” Wix Answers wasn’t initially part of that grand strategy. Instead, it’s a product that the company built to meet its own needs, which it subsequently productized and spun out into a separate entity (still owned by Wix).

“I don’t think there are many companies out there that have gone out there and just decided to build something so critical as customer communications,” Pollaro told me. “That’s part of our DNA: If we don’t feel like we find something out there that fits our needs, we just decide to build it ourselves.”

What was missing from those existing products? Pollaro said Wix “needed something to give us the full picture of customer communication — not just opening tickets and solving problems and moving on.” He later added in a statement provided by the company, “After that, because of the success we had with it managing support for 180 million of our own customers, we realized we should make this available to the enterprise as a separate offering.”


Carl Lane, the product solutions expert for Wix Answers, made similar points when he demonstrated the product. For example, he pointed to the platform’s “360 degree view of the user,” with things like the company they work for, whether they’re “a VIP user” and showing all the customer service conversations they’ve had across channels, whether that’s via phone call, chat, website ticket or email.

“There is a need to move the customer support industry forward to a newer and more consolidated approach,” Wix President & COO Nir Zohar said in a statement. “We’re revolutionizing and elevating the industry standards as the industry moves towards a more personalized and knowledge-driven style of support.”

Lane also said that the platform uses AI to help customer support agents respond more quickly, and to recommend ways to make the team more effective (like making customer support articles more accessible).

And with the Wix Answers dashboard, “it doesn’t matter what channel [the customer] used, there’s a consistent experience for our agents.”

That can help with the workflow, for example by flagging when there’s an alarming number of people waiting to have their calls answered (so maybe it’s time to pull some people out of meetings).


“You get complete visibility over your workforce any time,” Lane said. Similarly, on the analytics side, he said, “Analytics are vital to customer support organizations. When customers have one product for chat and one product for email, it’s really hard at the end of the day to see how well did everyone do.”

With Wix Answers, Lane showed me that a manager could bring up a customer service team member’s record to see the total number of tickets they’d responded to and how many customer satisfaction surveys were filled out afterwards.

Clients already using the Answers product include Getty Images, MyHeritage, Guesty, Viber, Fiverr and Yotpo.

Update: The original draft of this story incorrectly described Wix Answers as a new product launched by Wix. It has been updated throughout to reflect that Wix Answers is a new, separate company, albeit one that’s still owned by Wix.

Cloudflare’s Michelle Zatlyn to discuss building a company with a bold idea at TechCrunch Disrupt

When you start a company, it can be tempting to keep it simple. You want something that investors and customers can easily understand. While it might be easier to go that route, that is not something that Cloudflare did when it launched a decade ago at TechCrunch Disrupt. Instead, the company decided to go big or go home, and went with the wild idea of building a faster and safer internet. Not too much pressure.

It launched in 2010 with a free product and a paid tier and grew that original notion of delivering speed and security into a suite of products and services. Today, a decade later, Cloudflare is a public company with a market cap of nearly $12 billion.

We are going to talk to company co-founder and chief operating officer Michelle Zatlyn in a one-on-one interview at TechCrunch Disrupt 2020 about what it took to build off that vision as an early stage company. They were going after established giants like Akamai at the time. They needed to build a network of data centers around the world, starting with five on three continents at launch.

None of this could have been easy from an operations perspective. They were offering the bold assertion that they could make the world’s websites faster and safer and do it in a way that didn’t require any additional hardware and software. As an early adherent to the notion of cloud computing, they were giving customers the ability to do things that up until that point were only in reach of the largest internet properties, selling a value proposition that is common today, but was pretty unusual at the time.

We’re going to ask Zatlyn how they built this early product, how they grew the product set and expanded their data center coverage to over 200 around the world, and what it took to do all that and eventually become a public company.

You can see this session on the Disrupt stage along with all the programming on the Extra Crunch stage, network with CrunchMatch and discover hundreds of early-stage companies in Digital Startup Alley with your Digital Pro Pass purchase for just $345. There are discounts available for students, government and nonprofit employees as well as a great offer for early-stage founders who want to exhibit in Digital Startup Alley. Get your pass today before prices increase!


A pandemic and recession won’t stop Atlassian’s SaaS push

No company is completely insulated from the macroeconomic fallout of COVID-19, but we are seeing some companies fare better than others, especially those providing ways to collaborate online. Count Atlassian in that camp, as it provides a suite of tools focused on working smarter in a digital context.

At a time when many employees are working from home, Atlassian’s product approach sounds like a recipe for a smash hit. But in its latest earnings report, the company detailed slowing growth, not the acceleration we might expect. Looking ahead, it’s predicting more of the same — at least for the short term.

Part of the reason for that — beyond some small-business customers, hit by hard times, moving to its new free tier introduced last March — is the pain associated with moving customers off of older license revenue to more predictable subscription revenue. The company has shown that it is willing to sacrifice short-term growth to accelerate that transition.

We sat down with Atlassian CRO Cameron Deatsch to talk about some of the challenges his company is facing as it navigates through these crazy times. Deatsch pointed out that in spite of the turbulence, and the push to subscriptions, Atlassian is well-positioned with plenty of cash on hand and the ability to make strategic acquisitions when needed, while continuing to expand the recurring-revenue slice of its revenue pie.

The COVID-19 effect

Deatsch told us that Atlassian could not fully escape the pandemic’s impact on business, especially in April and May when many companies felt it. His company saw the biggest impact from smaller businesses, which cut back, moved to a free tier, or in some cases closed their doors. There was no getting away from the market chop that SMBs took during the early stages of COVID, and he said it had an impact on Atlassian’s new customer numbers.

[Figure: Atlassian Q4 FY2020 customer growth graph. Image credits: Atlassian]

Still, the company believes it will recover from the slowdown in new customers, especially as it begins to convert a percentage of its new, free-tier users to paid users down the road. For this quarter it only translated into around 3,000 new customers, but Deatsch didn’t seem concerned. “The customer numbers were off, but the overall financials were pretty strong coming out of [fiscal] Q4 if you looked at it. But also the number of people who are trying our products now because of the free tier is way up. We saw a step change when we launched free,” he said.

Just what would an enterprise company like Microsoft or Oracle do with TikTok?

By now you’ve probably heard that under pressure from the current administration, TikTok owner ByteDance is putting the viral video service up for sale, and surprisingly a couple of big name enterprise companies are interested. These organizations are better known for the kind of tech that would bore the average TikTok user to tears. Yet, stories have persisted that Microsoft and even Oracle are sniffing around the video social network.

As TechCrunch’s Danny Crichton pointed out last week, bankers involved in the sale have a lot of motivation to leak rumors to the press to drive up the price of TikTok. That means none of this might be true, yet the rumors aren’t going away. It raises the question: why would a company like Oracle or Microsoft be interested in a property like TikTok?

For starters, Oracle is a lot more than the database company it was known for in the past. These days, it has its fingers in many, many pies, including marketing automation and cloud infrastructure services. In April, as the pandemic was just beginning to heat up, Zoom surprised just about everyone when it announced a partnership with Oracle’s cloud arm.

Oracle isn’t really even on the board when it comes to cloud infrastructure market share, where it is well behind rivals AWS, Microsoft, Google, Alibaba and IBM, wallowing somewhere in single-digit market share. Oracle wants to be a bigger player.

Meanwhile, Microsoft has successfully transitioned to the cloud as well as any company, but still remains far behind AWS in the cloud infrastructure market. It wants to close the gap with AWS, and owning TikTok could get it closer to that goal faster.

Simply put, says Holger Mueller, an analyst at Constellation Research, if Oracle combined Zoom and TikTok, it could have itself a couple of nice anchor clients. Yes, like the proverbial mall trying to attract Target and Nordstrom, apparently Oracle wants to do the same with its cloud service, and if it has to buy the tenant, so be it.

“TikTok will add plenty of load to their infrastructure service. That’s what matters to them with viral loads preferred. If Microsoft gets TikTok it could boost their usage by between 2% and 5%, while for Oracle it could be as much as 10%,” he said. He says the difference is that Oracle has a much smaller user base now, so the same load would boost its usage relatively more.

As Mueller points out, with the government helping push TikTok’s owner to make the sale, it’s a huge opportunity for a company like Oracle or Microsoft, and why the rumors have weight. “It’s very plausible from a cloud business perspective, and plausible from a business opportunity perspective created by the U.S. government,” he said.

While it could make sense to attract a large user base to your systems to drive up usage and market share in that way, Brent Leary, founder and principal analyst at CRM Essentials, says that a large U.S. tech company buying the video app could in itself make it less attractive to the very users Microsoft or Oracle is hoping to capture.

“An old-guard enterprise tech company buying TikTok would likely lessen the appeal of current users. Younger people are already leaving Facebook because the old folks have taken it over,” Leary said. And that could mean young users, who are boosting the platform’s stats today, could jump ship to whatever is the next big social phenomenon.

It’s worth pointing out that just today, the president indicated support for Oracle, according to a Wall Street Journal report. The publication also reported that Oracle’s billionaire owner Larry Ellison is a big supporter of the president, having thrown him a fundraiser for his reelection bid at his house earlier this year. Oracle CEO Safra Catz also has ties to the administration, having served on the transition team in 2016.

It’s unclear whether these companies have a genuine interest, but the general feeling is someone is going to buy the service, and whoever does could get a big boost in users simply by using some percentage of their cash hoards to get there. By the way, another company with reported interest is Twitter. Certainly putting the two social platforms together could create a mega platform to compete more directly with Facebook.

You might see other big names trying to boost cloud infrastructure usage, like IBM or Google, enter the fray. Perhaps even Amazon could make an offer to cement its lead, although if the deal has to go through the federal government, that makes it less likely, given the tense relationship between Amazon CEO Jeff Bezos and the president that surfaced during the Pentagon JEDI cloud contract drama.

Apple has already indicated that in spite of having the largest cash on hand of any company, with over $193 billion, give or take, it apparently isn’t interested. Apple may not be, but somebody surely is, even some companies you couldn’t imagine owning a property like this.

Voice Phishers Targeting Corporate VPNs

The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.

According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or “bounties,” where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.

And over the past six months, the criminals responsible have created dozens if not hundreds of phishing pages targeting some of the world’s biggest corporations. For now at least, they appear to be focusing primarily on companies in the financial, telecommunications and social media industries.

“For a number of reasons, this kind of attack is really effective,” said Allison Nixon, chief research officer at New York-based cyber investigations firm Unit 221B. “Because of the Coronavirus, we have all these major corporations that previously had entire warehouses full of people who are now working remotely. As a result the attack surface has just exploded.”

TARGET: NEW HIRES

A typical engagement begins with a series of phone calls to employees working remotely at a targeted organization. The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology.

The employee phishing page bofaticket[.]com. Image: urlscan.io

The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

Zack Allen is director of threat intelligence for ZeroFOX, a Baltimore-based company that helps customers detect and respond to risks found on social media and other digital channels. Allen has been working with Nixon and several dozen other researchers from various security firms to monitor the activities of this prolific phishing gang in a bid to disrupt their operations.

Allen said the attackers tend to focus on phishing new hires at targeted companies, and will often pose as new employees themselves working in the company’s IT division. To make that claim more believable, the phishers will create LinkedIn profiles and seek to connect those profiles with other employees from that same organization to support the illusion that the phony profile actually belongs to someone inside the targeted firm.

“They’ll say ‘Hey, I’m new to the company, but you can check me out on LinkedIn’ or Microsoft Teams or Slack, or whatever platform the company uses for internal communications,” Allen said. “There tends to be a lot of pretext in these conversations around the communications and work-from-home applications that companies are using. But eventually, they tell the employee they have to fix their VPN and can they please log into this website.”

SPEAR VISHING

The domains used for these pages often invoke the company’s name, followed or preceded by hyphenated terms such as “vpn,” “ticket,” “employee,” or “portal.” The phishing sites also may include working links to the organization’s other internal online resources to make the scheme seem more believable if a target starts hovering over links on the page.
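As an added defender-side illustration, not code from the article or from ZeroFOX, here is a small Go heuristic that screens a feed of newly registered domains for the naming pattern just described: a brand token paired with a lure word, either hyphenated or fused. The brand watchlist, the lure word "helpdesk" (taken from the helpdesk-att[.]com caption) and the benign look-alike names are constructed assumptions; the four defanged names are the ones quoted in the article's captions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed watchlist of short brand tokens a defender would monitor for its own
// organisation; "bofa", "att", "vzw" and "github" follow the defanged captions in the article.
var brandTokens = []string{"bofa", "att", "vzw", "github", "examplecorp"}

// Lure words the article lists, plus "helpdesk" from the helpdesk-att[.]com caption.
var lureTokens = []string{"vpn", "ticket", "employee", "portal", "helpdesk"}

// Finding records why a newly registered domain was flagged for review.
type Finding struct {
	Domain, Brand, Lure string
}

// registrableLabel lowercases, undoes "[.]" defanging and returns the label left of
// the TLD. Simplification: multi-part public suffixes such as .co.uk are not handled.
func registrableLabel(domain string) string {
	d := strings.ReplaceAll(strings.ToLower(strings.TrimSpace(domain)), "[.]", ".")
	parts := strings.Split(d, ".")
	if len(parts) < 2 {
		return d
	}
	return parts[len(parts)-2]
}

func hasToken(tokens []string, want string) bool {
	for _, t := range tokens {
		if t == want {
			return true
		}
	}
	return false
}

// pairs reports whether a label combines brand and lure either fused (bofaticket)
// or as whole hyphen-separated tokens in any order (helpdesk-att, examplecorp-vpn-portal).
// Whole-token matching is what keeps attorney-portal from matching brand "att".
func pairs(label, brand, lure string) bool {
	if label == brand+lure || label == lure+brand {
		return true
	}
	tokens := strings.Split(label, "-")
	return hasToken(tokens, brand) && hasToken(tokens, lure)
}

// classify returns a Finding when the domain's registrable label pairs a watched
// brand with a lure word.
func classify(domain string) (Finding, bool) {
	label := registrableLabel(domain)
	for _, b := range brandTokens {
		for _, l := range lureTokens {
			if pairs(label, b, l) {
				return Finding{Domain: domain, Brand: b, Lure: l}, true
			}
		}
	}
	return Finding{}, false
}

// scanFeed runs the heuristic over a list of newly registered domains, in the order seen.
func scanFeed(feed []string) []Finding {
	var out []Finding
	for _, d := range feed {
		if f, ok := classify(d); ok {
			out = append(out, f)
		}
	}
	return out
}

// sampleFeed is a constructed registration feed: the four defanged names quoted in
// the article plus benign look-alikes that must not be flagged.
var sampleFeed = []string{
	"bofaticket[.]com", "helpdesk-att[.]com", "github-ticket[.]com", "vzw-employee[.]com",
	"attorney-portal.test", "examplecorp-vpn-portal.test", "github.com", "weather-ticket.test",
}

func main() {
	for _, f := range scanFeed(sampleFeed) {
		fmt.Printf("%-30s impersonates %-12s lure=%s\n", f.Domain, f.Brand, f.Lure)
	}
}
```

A hit from such a screen is a lead for monitoring and a pre-staged abuse report, not proof of phishing; the article notes registrars will usually act only once the site is live.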

Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real-time.

Time is of the essence in these attacks because many companies that rely on VPNs for remote employee access also require employees to supply some type of multi-factor authentication in addition to a username and password — such as a one-time numeric code generated by a mobile app or text message. And in many cases, those codes are only good for a short duration — often measured in seconds or minutes.

But these vishers can easily sidestep that layer of protection, because their phishing pages simply request the one-time code as well.

A phishing page (helpdesk-att[.]com) targeting AT&T employees. Image: urlscan.io

Allen said it matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.

And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.

Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization, Nixon said.

“These guys are calling companies over and over, trying to learn how the corporation works from the inside,” she said.

NOW YOU SEE IT, NOW YOU DON’T

All of the security researchers interviewed for this story said the phishing gang is pseudonymously registering their domains at just a handful of domain registrars that accept bitcoin, and that the crooks typically create just one domain per registrar account.

“They’ll do this because that way if one domain gets burned or taken down, they won’t lose the rest of their domains,” Allen said.

More importantly, the attackers are careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain.

This is key because many domain registrars will only respond to external requests to take down a phishing website if the site is live at the time of the abuse complaint. This requirement can stymie efforts by companies like ZeroFOX that focus on identifying newly-registered phishing domains before they can be used for fraud.

“They’ll only boot up the website and have it respond at the time of the attack,” Allen said. “And it’s super frustrating because if you file an abuse ticket with the registrar and say, ‘Please take this domain away because we’re 100 percent confident this site is going to be used for badness,’ they won’t do that if they don’t see an active attack going on. They’ll respond that according to their policies, the domain has to be a live phishing site for them to take it down. And these bad actors know that, and they’re exploiting that policy very effectively.”

A phishing page (github-ticket[.]com) aimed at siphoning credentials for a target organization’s access to the software development platform GitHub. Image: urlscan.io

SCHOOL OF HACKS

Both Nixon and Allen said the object of these phishing attacks seems to be to gain access to as many internal company tools as possible, and to use those tools to seize control over digital assets that can quickly be turned into cash. Primarily, that includes any social media and email accounts, as well as associated financial instruments such as bank accounts and any cryptocurrencies.

Nixon said she and others in her research group believe the people behind these sophisticated vishing campaigns hail from a community of young men who have spent years learning how to social engineer employees at mobile phone companies and social media firms into giving up access to internal company tools.

Traditionally, the goal of these attacks has been gaining control over highly-prized social media accounts, which can sometimes fetch thousands of dollars when resold in the cybercrime underground. But this activity gradually has evolved toward more direct and aggressive monetization of such access.

On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools.

Nixon said it’s not clear whether any of the people involved in the Twitter compromise are associated with this vishing gang, but she noted that the group showed no signs of slacking off after federal authorities charged several people with taking part in the Twitter hack.

“A lot of people just shut their brains off when they hear the latest big hack wasn’t done by hackers in North Korea or Russia but instead some teenagers in the United States,” Nixon said. “When people hear it’s just teenagers involved, they tend to discount it. But the kinds of people responsible for these voice phishing attacks have now been doing this for several years. And unfortunately, they’ve gotten pretty advanced, and their operational security is much better now.”

A phishing page (vzw-employee[.]com) targeting employees of Verizon. Image: DomainTools

PROPER ADULT MONEY-LAUNDERING

While it may seem amateurish or myopic for attackers who gain access to a Fortune 100 company’s internal systems to focus mainly on stealing bitcoin and social media accounts, that access — once established — can be re-used and re-sold to others in a variety of ways.

“These guys do intrusion work for hire, and will accept money for any purpose,” Nixon said. “This stuff can very quickly branch out to other purposes for hacking.”

For example, Allen said he suspects that once inside of a target company’s VPN, the attackers may try to add a new mobile device or phone number to the phished employee’s account as a way to generate additional one-time codes for future access by the phishers themselves or anyone else willing to pay for that access.

Nixon and Allen said the activities of this vishing gang have drawn the attention of U.S. federal authorities, who are growing concerned over indications that those responsible are starting to expand their operations to include criminal organizations overseas.

“What we see now is this group is really good on the intrusion part, and really weak on the cashout part,” Nixon said. “But they are learning how to maximize the gains from their activities. That’s going to require interactions with foreign gangs and learning how to do proper adult money laundering, and we’re already seeing signs that they’re growing up very quickly now.”

WHAT CAN COMPANIES DO?

Many companies now make security awareness and training an integral part of their operations. Some firms even periodically send test phishing messages to their employees to gauge their awareness levels, and then require employees who miss the mark to undergo additional training.

Such precautions, while important and potentially helpful, may do little to combat these phone-based phishing attacks that tend to target new employees. Both Allen and Nixon — as well as others interviewed for this story who asked not to be named — said the weakest link in most corporate VPN security setups these days is the method relied upon for multi-factor authentication.

A U2F device made by Yubikey, plugged into the USB port on a computer.

One multi-factor option — physical security keys — appears to be immune to these sophisticated scams. The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.
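Added example, written for this page and not taken from the article or from Yubico: a Go model of why the relay fails with a security key. The browser, not the page, writes the real origin into the signed client data, and the portal checks that origin (and the rpId hash) before it even looks at the signature. The hosts, the fixed challenge string and the simplified browser rpId rule are assumptions; the signed-message layout follows the U2F/WebAuthn format (SHA-256 over authenticator data concatenated with the hash of clientDataJSON).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

const (
	legitOrigin = "https://vpn.example-corp.test"        // constructed: the employer's real VPN portal
	legitRPID   = "vpn.example-corp.test"                 // rpId the portal enrolled keys under
	phishOrigin = "https://example-corp-vpn-ticket.test" // constructed: the visher's look-alike page
)

// clientData is what the browser serialises before the key signs; the browser fills
// in "origin" from the page it is really showing, and page script cannot alter it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	clientDataJSON []byte
	authData       []byte // sha256(rpId) || flags || 4-byte counter
	sig            []byte // DER-encoded ECDSA P-256 signature
}

// signedDigest is what U2F/WebAuthn keys sign: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// browserGetAssertion models browser plus security key. pageOrigin is where the
// user really is; requestedRPID is what the page's script asked for.
func browserGetAssertion(key *ecdsa.PrivateKey, pageOrigin, requestedRPID, challenge string) (*assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	// Browser rule (simplified): rpId must be the page host or a registrable suffix of it.
	if host != requestedRPID && !strings.HasSuffix(host, "."+requestedRPID) {
		return nil, fmt.Errorf("browser refused: %s may not use rpId %q", pageOrigin, requestedRPID)
	}
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(requestedRPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdJSON))
	if err != nil {
		return nil, err
	}
	return &assertion{clientDataJSON: cdJSON, authData: authData, sig: sig}, nil
}

// rpVerify is the VPN portal checking an assertion against the challenge it issued and
// the public key enrolled for the employee. A relayed assertion fails the origin and
// rpIdHash checks before the signature is even examined.
func rpVerify(pub *ecdsa.PublicKey, issuedChallenge string, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return fmt.Errorf("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != legitOrigin {
		return fmt.Errorf("origin mismatch: key was used on %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(legitRPID))
	if len(a.authData) < 37 || string(a.authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.authData, a.clientDataJSON), a.sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// legitimateLogin: employee on the real portal. Returns nil.
func legitimateLogin() error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a, err := browserGetAssertion(key, legitOrigin, legitRPID, "c-7f3a") // constructed challenge
	if err != nil {
		return err
	}
	return rpVerify(&key.PublicKey, "c-7f3a", a)
}

// phishingAttempts: the visher's page relays the portal's real challenge; both errors are non-nil.
func phishingAttempts() (browserRefusal, rpRejection error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// 1. The page asks for the employer's rpId: the browser will not even prompt the key.
	_, browserRefusal = browserGetAssertion(key, phishOrigin, legitRPID, "c-7f3a")
	// 2. The page asks for its own rpId, gets a signature, and relays it to the portal.
	a, err := browserGetAssertion(key, phishOrigin, strings.TrimPrefix(phishOrigin, "https://"), "c-7f3a")
	if err != nil {
		return browserRefusal, err
	}
	return browserRefusal, rpVerify(&key.PublicKey, "c-7f3a", a)
}
```

Contrast this with a one-time code, which is just a string the portal compares: nothing in it records where the employee was when they read it out.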

In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.

Probably the most popular maker of security keys is Yubico, which sells a basic U2F Yubikey for $20. It offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems. Yubico also sells more expensive keys designed to work with mobile devices. [Full disclosure: Yubico was recently an advertiser on this site].

Nixon said many companies will likely balk at the price tag associated with equipping each employee with a physical security key. But she said as long as most employees continue to work remotely, this is probably a wise investment given the scale and aggressiveness of these voice phishing campaigns.

“The truth is some companies are in a lot of pain right now, and they’re having to put out fires while attackers are setting new fires,” she said. “Fixing this problem is not going to be simple, easy or cheap. And there are risks involved if you somehow screw up a bunch of employees accessing the VPN. But apparently these threat actors really hate Yubikey right now.”

Melbourne-based CI/CD platform Buildkite gets $28 million AUD Series A led by OpenView

Buildkite’s founding team — Lachlan Donald, Keith Pitt and Tim Lucas — working remotely

Buildkite, a Melbourne-based company that provides a hybrid continuous integration and continuous delivery (CI/CD) platform for software developers, announced today that it has raised AUD $28 million (about USD $20.2 million) in Series A funding, bringing its valuation to more than AUD $200 million (about USD $145 million).

The funding was led by OpenView, an investment firm that focuses on growth-stage enterprise software companies, with participation from General Catalyst.

This round is the company’s first since Buildkite raised about AUD $200,000 in seed funding when it was founded in 2013.

Co-founder and chief executive officer Lachlan Donald told TechCrunch that Buildkite didn’t seek more funding earlier because it was growing profitably. In fact, the company turned away interested investors “because we wanted to focus on sustainable growth and maintain control of our destiny.”

But Donald said they were open to investment from OpenView and General Catalyst because they see the two investors as “true partners as we enter and define this next generation of CI/CD.”

Buildkite’s team is small, with just 26 employees. “We’re a lean, focused team, so their expert advice and guidance will help more software teams around the world discover Buildkite,” Donald said. He added that part of the funding round will be used to give 42X returns to early investors and shareholders, and the rest will be used on product development.

In a statement about the funding, OpenView partner Mackey Craven said, “The global pandemic and the resulting economic uncertainty underlines the importance for companies to maximize efficiencies and build for growth. As the world continues to build digital-first applications, we believe Buildkite’s unique approach will be the new enterprise standard of CI/CD and we’re excited to be supporting them in realizing this ambition.”

Continuous integration gives software teams an automated way to develop and test applications, making collaboration more efficient, while continuous delivery refers to the process of pushing code to environments for further testing by other teams, or deploying it to customers. CI/CD platforms make it easier for fast-growing tech companies to test and deliver software. Buildkite says it now has more than 1,000 customers, including Shopify, Pinterest and Wayfair.

As part of the round, Jean-Michel Lemieux, Shopify’s chief technology officer, and Ashley Smith, chief revenue officer at Gatsby and OpenView venture partner, will join Buildkite’s board.

The increased use of online applications caused by the COVID-19 pandemic means there is more demand for CI/CD platforms, since engineering teams need to work more quickly.

“A good example is Shopify, one of our longstanding partners. They came to us after they outgrew their previous hosted CI provider,” Donald said. “Their challenge is one we see across all of our customers — they needed to reduce build time and scale their team across multiple time zones. Once they wrapped Buildkite into their development flow, they saw a 75% reduction in build wait times. They grew their team by 300% and have still been able to keep build time under 10 minutes.”

Other CI platforms available include Jenkins, CircleCI, Travis, Codeship and GitLab. Co-founder and chief technology officer Keith Pitt said one of the ways that Buildkite differentiates from its rivals is its focus on security, which prompted his interest in building the platform in the first place.

“Back in 2013, my then-employer asked that I stop using a cloud-based CI/CD platform due to security concerns, but I found the self-hosted alternatives to be incredibly outdated,” Pitt said. “I realized a hybrid approach was the solution for testing and deploying software at scale without compromising security or performance, but was surprised to find a hybrid CI/CD tool didn’t exist yet. I decided to create it myself, and Buildkite was born.”

The World Has Changed. Have You? Capturing Today Through the Lens of Cybersecurity

It was March 2020. From kitchen tables to televisions to emergency rooms, COVID engulfed the world. Our physical and digital lives fundamentally changed within a matter of days. “Shelter in place” became and continues to be everyday life with many bound to remote work. Our work computers now reside outside offices, operating without the millions of dollars and years of time invested in procuring and maintaining traditional enterprise infrastructure.

As the months carried on and we had the opportunity to assist more than 4,000 customers with secure workforce transformation, it was a perfect time to capture the cybersecurity zeitgeist through our eyes. Today we tell the story of the changing enterprise – and the experiences of the women and men that make up the enterprise of today – through an iconoclastic campaign that poses the question every cybersecurity professional must ask: our business has changed – has our cybersecurity changed, too?

Today we release a timely brand campaign about the need for cybersecurity technology built for today and tomorrow.

For the world’s enterprises, this shift became a cybersecurity imperative: securing the remote workforce quickly – with technology designed for remote and perimeterless – became a top priority. Now became the time to leave legacy technologies like signature antivirus and first-generation EDR behind. Today’s operating environment requires technology purpose built for the new world. Through embedding living AI on each device to prevent and proactively respond in real time, coupled with cloud scale, SentinelOne is uniquely positioned to help enterprises securely thrive in times of remote work and beyond. And be stronger than ever.

Cybersecurity Built for the New World

You work from home. Your chairs have changed. Your wardrobe has changed. Your cybersecurity should, too. SentinelOne’s Singularity platform was built for this new world. From endpoint device to IoT device to server and cloud workload, our platform was built from the ground up by us for enterprise scale in a world where physical location is irrelevant and people are optional. As we show in our campaign video, today’s offices are living rooms and forests. The enterprise of today needs a technology-first platform that doesn’t require services or people to proactively secure every device. SentinelOne is THE cybersecurity built for the new world. Here’s why. Each of the below concepts tells the story of how SentinelOne is uniquely built for the new world.

ActiveEDR. Every Threat.

SentinelOne’s patented behavioral AI maps all device activity into fully contextualized and connected storylines. Storylines enable our software to independently prevent and respond to malicious and suspicious activity in real time – delivering the industry’s only ActiveEDR. While other technologies require humans to hunt and peck to connect alerts and build their own stories, our technology does it for the analyst. SentinelOne is the only endpoint solution that automatically prevents and remediates threats – on device – in real time. ActiveEDR is a groundbreaking technology that fundamentally changes SOC productivity by enabling people to do more. It’s no wonder that this technology is deployed in some of the world’s largest enterprises, from global telecommunications leaders to investment banks to airlines to technology companies. ActiveEDR defeats the threat at the source … hours and days before a breach needs to be stopped by humans or services.

Dynamic IoT Security. Every Device.

The enterprise of today isn’t just Windows and Mac endpoint devices or Linux servers. Whether at home or in the office, CISOs need to know how many devices are in the enterprise, where they are, and most importantly what they are. Gaining attack surface visibility and control is uniquely offered by SentinelOne’s Ranger solution without having to deploy any new software or hardware. Whether an endpoint device, container, or even a printer, SentinelOne’s Singularity platform is the only endpoint security platform that goes beyond the endpoint for full network visibility and control.

Online and Offline Protection. Every Second.

Today’s cyberattacks don’t need an internet connection to act, yet all other cybersecurity products on the market require a connection to function. That gap hands adversaries the advantage against existing next-gen and legacy antivirus. With SentinelOne, our patented prevention, detection, and response – even automatic remediation – doesn’t require connectivity to function. We believe and prove that if your security doesn’t work offline, it really doesn’t work at all. The enterprise of today and tomorrow needs protection at every second, regardless of network connectivity.

The world of today is confusing. The thought of the unknown (How long will it take before there’s a cure? When will we go back to normal life? Will we travel like we used to?) weighs on the individual and society as a whole. In the midst of all of this, protecting the digital identity and data of the enterprise and its people are critical. Our New World campaign states the undeniable fact of the day – “the world has changed” – and asks the key question, “are you ready?”

2020 has proven to be a year of accelerated change, especially in cybersecurity. Each week, we see new enterprises in the news for breaches. Standing still in this environment is actually moving backwards. The tactics now are no longer just about encrypting devices; today it’s about leaking enterprise data and extortion to deconstruct enterprise value and compromise customer data. It’s no longer enough – or possible – to keep putting more people behind the problem, as the time needed to respond to a threat is costly and precious. The breaches we read about on the news prove time and time again that legacy and subpar technologies can’t cope with modern adversaries. The time is now for new measures, techniques, and solutions to combat the threat landscape of today.

Cybersecurity for the remote workforce
Every threat. Every device. Every second.

On a personal note, I’m proud of SentinelOne’s 600+ (and quickly growing) team members around the world who work 24/7/365 to support our existing customers, keeping them safe, all while onboarding new businesses and enterprises across each and every sector. From financial institutions to healthcare, government to university, manufacturing to design, transportation to elections across the world, we remain focused on our mission of helping pioneer autonomous cybersecurity to give enterprises the advantage over tomorrow.

I hope you enjoy watching our story across a wide variety of digital mediums. Whether you’re at home, in the office, or somewhere in between, SentinelOne is the cybersecurity solution for your new world. Join our story and transform your cybersecurity for the new world of today and the better world of tomorrow.

Wishing you and your loved ones continued health and safety,

DB


Suse contributes EiriniX to the Cloud Foundry Foundation

Suse today announced that it has contributed EiriniX, a framework for building extensions for Eirini, a technology that brings support for Kubernetes-based container orchestration to the Cloud Foundry platform-as-a-service project.

About a year ago, Suse also contributed the KubeCF project to the foundation, which itself allows the Cloud Foundry Application Runtime — the core of Cloud Foundry — to run on top of Kubernetes.


“At Suse we are developing upstream first as much as possible,” said Thomas Di Giacomo, president of Engineering and Innovation at Suse. “So, after experiencing the value of contributing KubeCF to the Foundation earlier this year, we decided it would be beneficial to both the Cloud Foundry community and the EiriniX team to do it again. We have seen an uptick in contributions to and usage of KubeCF since it became a Foundation project, indicating that more organizations are investing developer time into the upstream. Contributing EiriniX to the Foundation is a surefire way to get the broader community involved.”

Suse first demonstrated EiriniX a year ago. The tool implements features like the ability to SSH into a container and debug it, for example, or to use alternative logging solutions for KubeCF.

“There is significant value in contributing this project to the Foundation, as it ensures that other project teams looking for a similar solution to creating Extensions around Eirini will not reinvent the wheel,” said Chip Childers, executive director, Cloud Foundry Foundation. “Now that EiriniX exists within the Foundation, developers can take full advantage of its library of add-ons to Eirini and modify core features of Cloud Foundry. I’m excited to see all of the use cases for this project that have not yet been invented.”