Canalys: Google is top cloud infrastructure provider for online retailers

While Google Cloud Platform has shown some momentum in the last year, it remains a distant third behind Amazon and Microsoft in the cloud infrastructure market. But Google got some good news from Canalys today when the firm reported that GCP is the No. 1 cloud platform provider for retailers.

Canalys didn’t provide specific numbers, but it did set overall market positions in the retail sector, with Microsoft coming in second, Amazon third, followed by Alibaba and IBM in fourth and fifth respectively.

[Figure: Canalys cloud infrastructure retail segment market share numbers. Image credits: Canalys]

It’s probably not a coincidence that Google went after retail. Many retailers don’t want to put their cloud presence onto AWS, as Amazon.com competes directly with these retailers. Brent Leary, founder and principal analyst at CRM Essentials, says that as such, the news doesn’t really surprise him.

“Retailers have to compete with Amazon, and I’m guessing the last thing they want to do is use AWS and help Amazon fund all their new initiatives and experiments that in some cases will be used against them,” Leary told TechCrunch. Further, he said that many retailers would also prefer to keep their customer data off of Amazon’s services.

Canalys Senior Director Alex Smith says that this Amazon effect combined with the pandemic and other technological factors has been working in Google’s favor, at least in the retail sector. “Now more than ever, retailers need a digital strategy to win in an omnichannel world, especially with Amazon’s online dominance. Digital is applied everywhere from customer experience to cost optimization, and the overall technological capability of a retailer is what will define its success,” he said.

COVID-19 has forced many retailers to close stores for extended periods of time, and when you combine that with people being more reluctant to go inside stores when they do open, retailers have had to take a crash course in e-commerce if they didn’t have a significant online presence already.

Canalys points out that Google has lured customers with its advertising and search capabilities beyond just pure infrastructure offerings, taking advantage of its other strengths to grow the market segment.

Recognizing this, Google has been making a big retail push, including a big partnership with Salesforce and specific products announced at Google Cloud Next last year. As we wrote at the time of the retail offering:

The company offers eCommerce Hosting, designed specifically for online retailers, and it is offering a special premium program, so retailers get “white glove treatment with technical architecture reviews and peak season operations support…” according to the company. In other words, it wants to help these companies avoid disastrous, money-losing results when a site goes down due to demand.

What’s more, Canalys reports that Google Cloud has also been hiring aggressively and forming partnerships with big systems integrators to help grow the retail business. Retail customers include Home Depot, Kohl’s, Costco and Best Buy.

Microsoft Put Off Fixing Zero Day for 2 Years

A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem.

One of the 120 security holes Microsoft fixed on Aug. 11’s Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author.

Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded. Microsoft’s advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.

Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.

Quintero said this weakness would be particularly acute if an attacker were to use it to hide a malicious Java file (.jar). And, he said, this exact attack vector was indeed detected in a malware sample sent to VirusTotal.

“In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows,” Quintero wrote.
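A triage check for the file shape Quintero describes, as an added example that is not code from the article, VirusTotal or Microsoft: it flags a file that starts with the OLE compound-file header used by .MSI and also ends in a ZIP/JAR archive, and reports where the appended archive begins. The function names and sample bytes are constructed for illustration; the check does not evaluate the Authenticode signature, so a hit is a reason to inspect the file rather than a verdict.

```python
import io
import struct
import zipfile

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header, the container used by .MSI
EOCD_SIG, CD_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD = struct.Struct("<4sHHHHIIH")  # ZIP end-of-central-directory record, 22 bytes


def _find_eocd(data):
    """Locate the EOCD record the way ZIP readers do: scan backwards from the end."""
    lo = max(0, len(data) - (EOCD.size + 0xFFFF))  # the trailing comment is at most 65535 bytes
    pos = data.rfind(EOCD_SIG, lo)
    while pos != -1:
        if pos + EOCD.size <= len(data):
            fields = EOCD.unpack_from(data, pos)
            if pos + EOCD.size + fields[7] == len(data):  # comment must end the file
                return pos, fields
        pos = data.rfind(EOCD_SIG, lo, pos)
    return None


def find_trailing_zip(data):
    """Return {'zip_start', 'names'} for a ZIP archive that ends the file, else None."""
    hit = _find_eocd(data)
    if hit is None:
        return None
    eocd_pos, (_, _, _, _, total, cd_size, cd_offset, _) = hit
    cd_pos = eocd_pos - cd_size
    base = cd_pos - cd_offset  # leading bytes the archive's own offsets do not count
    if cd_pos < 0 or base < 0 or total == 0:
        return None
    names, first_local, p = [], None, cd_pos
    for _ in range(total):
        # Each central directory entry has a 46-byte fixed header.
        if p + 46 > eocd_pos or data[p:p + 4] != CD_SIG:
            return None
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, p + 28)
        (local_off,) = struct.unpack_from("<I", data, p + 42)
        names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
        first_local = local_off if first_local is None else min(first_local, local_off)
        p += 46 + name_len + extra_len + comment_len
    zip_start = base + first_local
    if data[zip_start:zip_start + 4] != LOCAL_SIG:
        return None
    return {"zip_start": zip_start, "names": names}


def triage_msi(data):
    """Flag an OLE compound file that also ends in a ZIP/JAR archive."""
    if not data.startswith(CFB_MAGIC):
        return None
    found = find_trailing_zip(data)
    if found is None:
        return None
    found["looks_like_jar"] = any(
        n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in found["names"]
    )
    return found


def constructed_samples():
    """Constructed inputs: a fake CFB prefix (not a real or signed MSI) and a harmless ZIP."""
    prefix = CFB_MAGIC + b"\x00" * (1536 - len(CFB_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("Placeholder.class", b"constructed placeholder, not bytecode")
    return prefix, prefix + buf.getvalue()


if __name__ == "__main__":
    clean, glued = constructed_samples()
    print("clean:", triage_msi(clean))
    print("glued:", triage_msi(glued))
```

The reported `zip_start` is the length of the container in front of the archive, which is the part a signature check that ignores trailing data would still be looking at.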

But according to Quintero, while Microsoft’s security team validated his findings, the company chose not to address the problem at the time.

“Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” his blog post concluded.

Tal Be’ery, founder of Zengo, and Peleg Hadar, senior security researcher at SafeBreach Labs, penned a blog post on Sunday that pointed to a file uploaded to VirusTotal in August 2018 that abused the spoofing weakness, which has been dubbed GlueBall. The last time that August 2018 file was scanned at VirusTotal (Aug 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs.

More recently, others would likewise call attention to malware that abused the security weakness, including this post in June 2020 from the Security-in-bits blog.


Be’ery said the way Microsoft has handled the vulnerability report seems rather strange.

“It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild,” he wrote. “Therefore, it is not clear why it was only patched now and not two years ago.”

Asked to comment on why it waited two years to patch a flaw that was actively being exploited to compromise the security of Windows computers, Microsoft dodged the question, saying Windows users who have applied the latest security updates are protected from this attack.

“A security update was released in August,” Microsoft said in a written statement sent to KrebsOnSecurity. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

Update, 12:45 a.m. ET: Corrected attribution on the June 2020 blog article about GlueBall exploits in the wild.

The Good, the Bad and the Ugly in Cybersecurity – Week 33

The Good

This week’s good news: attackers tossed lemons, and their victim made lemonade. First, the embarrassing bit: The august cybersecurity training body SANS Institute announced that it had been breached when an employee fell for a phishing attack.

On Tuesday, SANS said that the attackers got access to the worker’s Office 365 account and planted a suspicious email forwarding rule—one that was flagged during a systematic review of email configuration and rules. SANS said that the hackers forwarded 513 emails, some with personally identifiable information (PII) such as name, email, work title, company name and address, to a “suspicious” external email address. In total, about 28,000 PII records were exfiltrated.

Bad? Yes. But by week’s end, SANS had plans to turn it into a teachable moment by creating a webinar and training material based on the lessons it learned from the breach, CTO James Lyne explained: “We use any bump in the road as an opportunity to ask ourselves questions in retrospect of what we should have done differently. That’s exactly the process that we’re in the middle of now, because, clearly, if things had been better, we would not be in this situation. And you can always improve.”

Though SANS hasn’t released the name or job role of the responsible employee, it did say that they a) didn’t have access to sensitive or financial data and b) don’t teach at the institute.

In other good news this week, a U.S. Immigration and Customs Enforcement (ICE) investigation has led to the shutdown of thousands of fraudulent COVID-19 websites—the type that target people through financial fraud, import counterfeit pharmaceuticals and medical supplies, and that promise to sell in-demand products like hand sanitizer and disinfectant wipes, taking people’s money for things with no intention of delivering. Feds have seized over $3.2 million in illicit proceeds and made 11 arrests.

The Department of Justice has tips on avoiding these scams. Here’s more on Operation Stolen Promise and how to report COVID-19 fraud.

The Bad

A ReVoLTE-ing development: the mobile voice standard known as Long Term Evolution (LTE) was supposed to give us far better sound quality than previous generations, with up to three times the capacity of the earlier 3G standard and an extra layer of security, to boot. But researchers say that due to an implementation glitch in the LTE protocol, Voice over LTE (VoLTE) lets hackers eavesdrop on calls with only $7,000 worth of gear.

As described in a paper presented by the researchers at USENIX, the problem is usually found at the level of base stations, which in most cases either reuse the same stream cipher as encrypted calls or use predictable algorithms to generate the encryption key for voice calls. Due to this common, flawed implementation of VoLTE, attackers can convert cryptographically scrambled data into unencrypted sound. It’s easy: using a software radio, an attacker sniffs the encrypted radio traffic between, say, Alice and Bob, within the same, vulnerable base station. After the first call ends, the attacker calls Alice and talks with her—the longer, the better. For that second call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).
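Why a reused keystream is fatal, and why the length of the second call matters, shown as an added example that is not from the paper or the researchers' tooling. The SHA-256 keystream is a toy stand-in for the LTE cipher, and the key, per-call inputs and audio strings are constructed.

```python
import hashlib


def keystream(key: bytes, per_call_inputs: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in, not an LTE cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + per_call_inputs + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(key: bytes, per_call_inputs: bytes, audio: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream."""
    return xor(audio, keystream(key, per_call_inputs, len(audio)))


def recover_first_call(cipher_call1: bytes, cipher_call2: bytes, known_audio_call2: bytes) -> bytes:
    """ciphertext2 XOR plaintext2 gives keystream2; XOR that onto ciphertext1.

    The result is only meaningful if both calls used the same keystream, and it
    is no longer than the second call, which is why a longer second call helps.
    """
    keystream2 = xor(cipher_call2, known_audio_call2)
    return xor(cipher_call1, keystream2)


def simulate(fresh_keystream_per_call: bool):
    """Run both calls; with the flaw, the second call repeats the first call's keystream."""
    key = b"constructed-session-key"
    call1_audio = b"Alice and Bob: the meeting is moved to Thursday at nine."
    call2_audio = b"Attacker and Alice: a shorter second call."
    inputs1 = b"call-1"
    inputs2 = b"call-2" if fresh_keystream_per_call else inputs1
    c1 = encrypt_call(key, inputs1, call1_audio)
    c2 = encrypt_call(key, inputs2, call2_audio)
    return call1_audio, call2_audio, recover_first_call(c1, c2, call2_audio)


if __name__ == "__main__":
    for fresh in (False, True):
        p1, p2, rec = simulate(fresh)
        print("fresh keystream per call:", fresh, "->", rec)
```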

Here’s a demo of the attack, and here’s a site explaining it in detail, along with mitigation. Long story short: Germany’s fixed it, but it’s likely a problem everywhere else. On Wednesday, the researchers released an Android app that mobile operators can use to test their networks and base stations for the vulnerability. It’s open-source, and you can get it on GitHub.

The Ugly

Mozilla announced it’s slashing 250 jobs: about a quarter of its workforce. This won’t be good for development of its privacy-first Firefox browser, it says. CEO Mitchell Baker blamed the pandemic: “Economic conditions resulting from the global pandemic have significantly impacted our revenue,” he wrote. “As a result, our pre-COVID plan was no longer workable.”

In a memo sent to employees, Baker said that it will shutter its operations in Taipei, Taiwan. The workforce will also shrink in Canada, the US, Europe, Australia and New Zealand.

A slew of browser development is going to suffer, Baker wrote: “In order to refocus the Firefox organization on core browser growth through differentiated user experiences, we are reducing investment in some areas such as developer tools, internal tooling, and platform feature development, and transitioning adjacent security/privacy products to our New Products and Operations team.”

Those security/privacy products do a lot: the browser blocks a mess of undesirable online crud, including social-media trackers, cross-site tracking cookies, tracking code, fingerprinters and cryptominers.

Shortly after this news broke, Mozilla and Google announced a deal worth “mega-millions” that would keep Google as the default search engine on the browser.

Hopefully the deal will help keep the wolves from the door. Meanwhile, all we can do is wish Mozilla’s New Products and Operations team the best of luck in doing more with less. May security and privacy in this popular browser not slip in these trying times.



Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack

R1 RCM Inc. [NASDAQ:RCM], one of the nation’s largest medical debt collection companies, has been hit in a ransomware attack.

Formerly known as Accretive Health Inc., Chicago-based R1 RCM brought in revenues of $1.18 billion in 2019. The company has more than 19,000 employees and contracts with at least 750 healthcare organizations nationwide.

R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story.

The “RCM” portion of its name refers to “revenue cycle management,” an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients.

The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data.

It’s unclear when the intruders first breached R1’s networks, but the ransomware was unleashed more than a week ago, right around the time the company was set to release its 2nd quarter financial results for 2020.

R1 RCM declined to discuss the strain of ransomware it is battling or how it was compromised. Sources close to the investigation tell KrebsOnSecurity the malware is known as Defray.

Defray was first spotted in 2017, and its purveyors have a history of specifically targeting companies in the healthcare space. According to Trend Micro, Defray usually is spread via booby-trapped Microsoft Office documents sent via email.

“The phishing emails the authors use are well-crafted,” Trend Micro wrote. For example, in an attack targeting a hospital, the phishing email was made to look like it came from a hospital IT manager, with the malicious files disguised as patient reports.

Email security company Proofpoint says the Defray ransomware is somewhat unusual in that it is typically deployed in small, targeted attacks as opposed to large-scale “spray and pray” email malware campaigns.

“It appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely,” Proofpoint observed.

A recent report (PDF) from Corvus Insurance notes that ransomware attacks on companies in the healthcare industry have slowed in recent months, with some malware groups even dubiously pledging they would refrain from targeting these firms during the COVID-19 pandemic. But Corvus says that trend is likely to reverse in the second half of 2020 as the United States moves cautiously toward reopening.

Corvus found that while services that scan and filter incoming email for malicious threats can catch many ransomware lures, an estimated 75 percent of healthcare companies do not use this technology.

Slack and Atlassian strengthen their partnership with deeper integrations

A lot of “partnerships” between tech companies don’t get very far beyond a press release and maybe some half-hearted co-selling attempts. When Atlassian sold its chat services to Slack in 2018, the two companies said they would form a new partnership, and with Atlassian leaving the chat space, a lot of people were skeptical about what that would really mean.

Since then, things got pretty quiet around the collaboration between the two companies, but today the companies announced some of the deep integration work they’ve done, especially within Slack.


Over the course of the last two years, Slack and Atlassian shipped 11 product integrations, which now see about a million active users every month, with Jira being the most often used integration, followed by Halp, which Atlassian acquired earlier this year.

Every month, Atlassian currently sends 42 million Jira notifications to Slack — and that number continues to grow.

At the core of these integrations is the ability to get rich unfurls of deep links to Atlassian products in Slack, no matter whether that’s in DMs, public or private channels. Coming soon, those unfurls will become a default feature within Slack, even if the user who is seeing the link isn’t an Atlassian user yet.

“Today, if you do drop a Jira link in your channel and you’re not a user — or even if you are and you’re not authed in — you just see a link,” Brad Armstrong said.

“You don’t get the benefit of the unfurl. And so one of the things we’re doing is making that unfurl available to everybody, regardless of whether you are logged in and regardless of whether you’re even an Atlassian customer.”


The two companies also worked closely together on making moving between the products easier. If you are a Jira user, for example, you’ll soon be able to click on a link in Slack and if you’re not currently logged into your Atlassian account, you’ll be automatically logged in. The two companies are taking this even further by automatically creating Jira accounts for users when they come from Slack.

“Even if you’re not a user, when you click on the link, we will then map you from Slack and create a Jira user for you that provisions you and auths you in so you’re immediately becoming a Jira user by virtue of wanting to collaborate on that piece of content in Slack,” Armstrong explained.

That, the two companies argue, turns Slack into something akin to a passport that gives you access to the Atlassian product suite — and that should also make onboarding a lot easier for new users.


“As you could probably imagine, as you know, onboarding is a pain, it’s hard because you have different roles, different size teams, so on and so forth,” said Bryant Lee, Atlassian’s head of product partnerships. “And that’s where you see some of the authentication stuff, the unfurling discovery piece really being an understanding of what those practices are. But the way that we look at it is not just about the product but people, products and practices. So it’s really about understanding who it is that we’re trying to optimize for.”

In addition to these new integrations that are launching soon, the two companies are also expanding their co-marketing efforts, starting with a new 50%-off offer for Atlassian users who want to also use Slack.

“We’re building on the strong foundation of our partnership’s success from the past two years, which has yielded tremendous shared customer momentum and impactful product integrations,” said Slack co-founder and CEO Stewart Butterfield. “Thanks to our strategic alliance, Slack and Atlassian have become the technology stack of choice for developer teams.”

Mirantis acquires Lens, an IDE for Kubernetes

Mirantis, the company that recently bought Docker’s enterprise business, today announced that it has acquired Lens, a desktop application that the team describes as a Kubernetes-integrated development environment. Mirantis previously acquired the team behind the Finnish startup Kontena, the company that originally developed Lens.

Lens itself was most recently owned by Lakend Labs, though, which describes itself as “a collective of cloud native compute geeks and technologists” that is “committed to preserving and making available the open-source software and products of Kontena.” Lakend open-sourced Lens a few months ago.


“The mission of Mirantis is very simple: We want to be — for the enterprise — the fastest way to [build] modern apps at scale,” Mirantis CEO Adrian Ionel told me. “We believe that enterprises are constantly undergoing this cycle of modernizing the way they build applications from one wave to the next — and we want to provide products to the enterprise that help them make that happen.”

Right now, that means a focus on helping enterprises build cloud-native applications at scale and, almost by default, that means providing these companies with all kinds of container infrastructure services.

“But there is another piece of the story that’s always been going through our minds, which is, how do we become more developer-centric and developer-focused, because, as we’ve all seen in the past 10 years, developers have become more and more in charge of what services and infrastructure they’re actually using,” Ionel explained. And that’s where the Kontena and Lens acquisitions fit in. Managing Kubernetes clusters, after all, isn’t trivial — yet now developers are often tasked with managing and monitoring how their applications interact with their company’s infrastructure.

“Lens makes it dramatically easier for developers to work with Kubernetes, to build and deploy their applications on Kubernetes, and it’s just a huge obstacle-remover for people who are turned off by the complexity of Kubernetes to get more value,” he added.

“I’m very excited to see that we found a common vision with Adrian for how to incorporate Lens and how to make life for developers more enjoyable in this cloud-native technology landscape,” Miska Kaipiainen, the former CEO of Kontena and now Mirantis’ director of Engineering, told me.

He describes Lens as an IDE for Kubernetes. While you could obviously replicate Lens’ functionality with existing tools, Kaipiainen argues that it would take 20 different tools to do this. “One of them could be for monitoring, another could be for logs. A third one is for command-line configuration, and so forth and so forth,” he said. “What we have been trying to do with Lens is that we are bringing all these technologies [together] and provide one single, unified, easy to use interface for developers, so they can keep working on their workloads and on their clusters, without ever losing focus and the context of what they are working on.”

Among other things, Lens includes a context-aware terminal, multi-cluster management capabilities that work across clouds and support for the open-source Prometheus monitoring service.

For Mirantis, Lens is a very strategic investment and the company will continue to develop the service. Indeed, Ionel said the Lens team now basically has unlimited resources.

Looking ahead, Kaipiainen said the team is looking at adding extensions to Lens through an API within the next couple of months. “Through this extension API, we are actually able to collaborate and work more closely with other technology vendors within the cloud technology landscape so they can start plugging directly into the Lens UI and visualize the data coming from their components, so that will make it very powerful.”

Ionel also added that the company is working on adding more features for larger software teams to Lens, which is currently a single-user product. A lot of users are already using Lens in the context of very large development teams, after all.

While the core Lens tools will remain free and open source, Mirantis will likely charge for some new features that require a centralized service for managing them. What exactly that will look like remains to be seen, though.

If you want to give Lens a try, you can download the Windows, macOS and Linux binaries here.

Going Kextless | Why We All Need to Transition Away from Kernel Extensions

Last year, with the release of macOS Catalina, Apple introduced a new technology with the intention of replacing kernel extensions (aka “kexts”). This year, with the forthcoming release of macOS Big Sur, Apple have continued the phasing out of kexts and further developed their alternative technologies. Although kernel extensions will continue to be allowed on macOS Big Sur and possibly later versions of the operating system, SentinelOne fully supports Apple’s move to a “kextless” architecture, and SentinelOne intends to support macOS Big Sur as early as possible after Apple’s public release, and once we ensure the product meets our high standards of protection, quality and performance. In this post, we explain why moving away from kernel extensions is an important development for macOS endpoint security products and describe some of the advantages that the new architecture brings.

What Are Kexts and Why Are They Problematic?

For those unfamiliar, kernel extensions or kexts are a kind of third-party, system-level plug-in that developers can use to provide functionality that is not typically available from “user space”. Examples of such functionality include controlling hardware devices, querying low-level file events, and inspecting network traffic. Moreover, with kexts, developers can tap into kernel-level APIs that are not available to ordinary user-level applications and achieve things like code injection, memory mapping and authentication. With access to the kernel, programs can access data or files from other applications and users.

With such power, kernel extensions have been vital for endpoint security products in the fight against malware, but kernel extensions themselves can, if not developed with great care, cause security issues of their own.

Apple’s own documentation on developing kexts has plenty of warnings to this effect, including statements as bold as this:

Kernel code must be nearly perfect. A bug in the kernel could cause random crashes, data corruption, or even render the operating system inoperable…Kernel programming is a black art that should be avoided if at all possible.

As noted, kernel extension programming errors can cause all sorts of problems, from crashing the system to local privilege escalation and data leakage. Moreover, minor changes in kernel APIs can have profound effects on an application’s functionality and performance, even rendering it useless or worse, such as causing kernel panics that bring the entire device down. It’s probably fair to say that few developers really enjoy the added complications of trying to maintain and debug kernel extension code. For these reasons, Apple’s decision to move away from kexts is one both users and developers should welcome and benefit from.

However, without kernel extensions, there would be no access to some of the low-level APIs that security products rely on. Fortunately, from 10.15 onwards, Apple have provided an alternative specifically for vendors of security software: meet the new Endpoint Security Framework.

Introducing Apple’s New Endpoint Security Framework

In order to replace the work done by kernel extensions, Apple introduced System Extensions, Network Extensions and DriverKit in macOS Catalina, along with a framework specifically for security solutions, called – appropriately enough – the Endpoint Security Framework. We won’t get into the thorny details too much, but we do need to scratch the surface a little to understand the benefits (for those interested in a deeper dive, take a look here and here).

Essentially, the Endpoint Security (ES) Framework means that security products can tap into event streams from the kernel without directly interacting with the kernel itself. This alone solves a number of problems. It means that bugs in third-party developer code aren’t going to crash the kernel or the device (just themselves), and more importantly it means malicious code cannot now circumvent system-level protections by abusing access to the kernel itself.

Borrowing from Apple’s recent WWDC 2020 presentation, we can visualize the relationship like this, where the two ES Applications represent 3rd party apps utilizing the Endpoint Security Framework:


[Diagram from Apple’s WWDC 2020 presentation. © Apple, Inc.]

What’s of particular interest in this model is the messages that are passed between the kernel and the third party applications. Apple provides two broad kinds of messages, notifications (NOTIFY events) and authorizations (AUTH events). These effectively allow a security application to receive enriched data from the kernel about other processes and file actions, to perform analysis, and ultimately decide whether to block or allow those actions. It is then the kernel’s responsibility to safely enforce any action requested by the third party application.

Kextless Brings First Class Protection to Fight Malware

Now at this point you might be thinking: well, what’s to stop a malicious process jumping on that bandwagon and using the ES Framework itself to either override or bypass the ES security tool?

First of all, not just any application can request access to the Endpoint Security Framework. With kernel extensions, any registered developer could create and distribute a kext, but the ES Framework is locked down by a specific entitlement that registered developers must request directly from Apple, citing good reasons why their application needs it (SentinelOne was among the first to request and be approved for this entitlement when it initially became available last year). This kind of control means Apple always has an overview of who can actually use the ES Framework and can just as quickly revoke that entitlement should it be abused.

Secondly, security tools that possess the entitlement can also reap other benefits that put them in a better position to detect and block malware on a device. These benefits include the ability to boot before other third-party code via the NSEndpointSecurityEarlyBoot property list key and being protected by the operating system’s own System Integrity Protection features.

This means that malware cannot tamper with the security product just as it cannot tamper with the macOS system itself. Even if running with root privileges, neither a malicious process nor a malicious user would be able to interfere with the security product or unload its launchd jobs.

SentinelOne Will Support Kextless on macOS Catalina and Big Sur

SentinelOne is fully committed to supporting Apple’s transition away from kernel extensions and to implementing the Endpoint Security Framework as part of our solution.

Our team has been working tirelessly with Apple’s macOS Big Sur beta builds and, as with last year’s release of macOS Catalina, SentinelOne intends to support macOS Big Sur after Apple’s public release. This support will include an updated, kextless agent that will replace the kernel extension-based solution on macOS 10.15 Catalina and macOS 10.16/11.0 Big Sur.

For SentinelOne customers who are interested in testing our kextless agent prior to public release of macOS Big Sur, we are today announcing a SentinelOne Beta testing program for selected customers. Please contact the Beta support team for details of how to join the program.

Conclusion

As we’ve noted recently, threat actors targeting Mac users continue to invest in learning and understanding the platform, and long gone are the days when the only macOS malware to be found in-the-wild was poorly-coded by malware authors unfamiliar with the details of the operating system. Today, macOS malware threats show that actors use and abuse low-level APIs and are fluent in Apple’s native programming languages, AppleScript, Objective-C and Swift.

With this transition away from kernel extensions and the move to a kextless, ES Framework-based architecture, SentinelOne will continue to stay ahead of all threats targeting macOS and offer best-in-class protection to enterprises with Mac devices in their fleet. If you’d like to find out more about how SentinelOne can protect your enterprise or apply to join our macOS Big Sur Beta program, request a demo or contact the Beta support team today.



Adaptive Shield raises $4M for its SaaS security platform

Adaptive Shield, a Tel Aviv-based security startup, is coming out of stealth today and announcing its $4 million seed round led by Vertex Ventures Israel. The company’s platform helps businesses protect their SaaS applications by regularly scanning their various settings for security issues.

The company’s co-founders met in the Israeli Defense Forces, where they were trained on cybersecurity, and then worked at a number of other security companies before starting their own venture. Adaptive Shield CEO Maor Bin, who previously led cloud research at Proofpoint, told me the team decided to look at SaaS security because they believe this is an urgent problem few other companies are addressing.

Pictured is a representative sample of nine apps being monitored by the Adaptive Shield platform, including the total score of each application, affected categories and affected security frameworks and standards. (Image Credits: Adaptive Shield)

“When you look at the problems that are out there — you want to solve something that is critical, that is urgent,” he said. “And what’s more critical than business applications? All the information is out there and every day, we see people moving their on-prem infrastructure into the cloud.”

Bin argues that as companies adopt a large variety of SaaS applications, all with their own security settings and user privileges, security teams are often either overwhelmed or simply not focused on these SaaS tools because they aren’t the system owners and may not even have access to them.

“Every enterprise today is heavily using SaaS services without addressing the associated and ever-changing security risks,” says Emanuel Timor, general partner at Vertex Ventures Israel. “We are impressed by the vision Adaptive Shield has to elegantly solve this complex problem and by the level of interest and fast adoption of its solution by customers.”

Onboarding is pretty easy, as Bin showed me, and typically involves setting up a user in the SaaS app and then logging into a given service through Adaptive Shield. Currently, the company supports most of the standard SaaS enterprise applications you would expect, including GitHub, Office 365, Salesforce, Slack, SuccessFactors and Zoom.

“I think that one of the most important differentiators for us is the amount of applications that we support,” Bin noted.

The company already has paying customers, including some Fortune 500 companies across a number of verticals, and it has already invested some of the new funding round, which closed before the global COVID-19 pandemic hit, into building out more integrations for these customers. Bin tells me that Adaptive Shield immediately started hiring once the round closed and is now also in the process of hiring its first employee in the U.S. to help with sales.

Gong raises another $200M on $2.2B valuation

For the third time since last February, Gong has raised a significant sum. In February, the company scored $40 million. In December, it grabbed another $65 million. And today, it was $200 million on a $2.2 billion valuation. That’s a total of $305 million in less than 18 months.

Coatue led today’s cash infusion, with help from new investors Index Ventures, Salesforce Ventures and Thrive Capital, and existing investors Battery Ventures, NextWorld Capital, Norwest Venture Partners, Sequoia Capital and Wing Venture Capital. It has now raised a total of $334 million, according to the company.

What is attracting this kind of investor attention? When we spoke to Gong about its Series B round, it had 300 customers. Today it has around 1,300, representing substantial growth in that time period. The company reports revenue has grown 2.5x this year alone.

Gong CEO Amit Bendov says his company is trying to create a category they have dubbed “revenue intelligence.” As he explains it, today sales data is stored in a CRM database consisting of descriptions of customer interactions as described by the salesperson or CSR. Gong is trying to transform that process by capturing both sides of the interaction, then, using artificial intelligence, it transcribes and analyzes those interactions.

Bendov says the pandemic and economic malaise have created a situation where there is a lot of liquidity in the market and investors have been looking for companies like his to invest some of it.

“There’s a lot of liquidity in the market. There are very few investment opportunities. I think the investment community was waiting a little bit to see how the market shakes out […] and they are betting on companies that could benefit long-term from the new normal, and I think we’re one of them,” Bendov told TechCrunch.

He says that he wasn’t looking for money, and in fact still is operating off the Series B investment, but when firms come knocking with checkbooks open and favorable terms, he wasn’t about to turn them down. “There are CEOs schools [of thought] that tell you to raise money when you can, not when you need to. It’s not very diluted at this kind of valuation and it was a very easy process. […] The whole deal closed in 14 days from term sheet to money in the bank,” he said.

Bendov said that taking the money was “pretty much a no-brainer.” In fact, he says the money gives them the freedom to operate and further legitimacy in the marketplace. “It gives us the ability to buy companies, make strategic investment, accelerate plans, and it also, especially since we cater to large enterprise customers, it gives them confidence that this company is here to stay,” he said.

With around 350 employees today, it hopes to add 100 people by the end of the year. Bendov says diversity and inclusion is a “massive priority” for the company. Among the steps they’ve taken recently is opening a recruiting hub in Atlanta to bring more diverse candidates into the company, working with a company called FlockJay to train and hire underrepresented groups in customer success roles, and in Israel where the company’s R&D center is located, helping members of the Arab community with computer science backgrounds to learn interview skills. Some of those folks will end up working for Gong, and some at other places.

While the company has grown remarkably quickly and has shown great promise, Bendov is not thinking ahead to an IPO just yet. He says he wants to grow the company to at least a couple of hundred million dollars in sales, and that’s two to three years away at this point. He certainly has plenty of cash to operate until then.

Stacklet launches cloud governance platform with $4M seed investment

Stacklet co-founders Travis Stanfield and Kapil Thangavelu met while both were working at Capital One several years ago. Thangavelu helped create the Cloud Custodian open-source cloud governance project. The two eventually got together and decided to build a startup based on that project and today the company launched out of stealth with a $4 million seed investment from Foundation Capital and Addition.

Stanfield, who is CEO at the young startup, says that Cloud Custodian came about as Capital One was moving to a fully cloud approach in around 2013. As the company looked for ways to deal with compliance and governance, it found that organizations like theirs were forced to do one-off scripts and they were looking for a way that could be repeatable and scale.

“Cloud Custodian was developed as a way of understanding what all those one-off scripts were doing, looking at the cloud control plane, finding the interesting set of resources, and then taking sensitive actions on them,” he explained.

After leaving Capital One, and going off in different directions for a time, the two came together this year to start Stacklet as a way to nurture the underlying open-source project Thangavelu helped build, and build a commercial company to add some functionality to make it easier for enterprises to implement and understand.

While cloud administrators can download and figure out how to use the raw open source, Stacklet is attempting to make that easier by providing an administrative layer to manage usage across thousands of cloud accounts along with pre-packaged sets of common kinds of compliance requirements out of the box, analytics to understand how the tool is doing and what it’s finding in terms of issues, and finally a resources database to understand all of the cloud resources under management.

The company has just three employees, including the two founders, but will be adding a couple more shortly with a goal of having a team of 10 by year’s end. The open-source project has 270 contributors from around the world. The startup is looking to build diversity through being fully remote. Not being limited by geography means they can hire from anywhere, and that can help lead to a more diverse group of employees.

The founders admit that it’s a tough time to start a company and to be fundraising, but on the bright side, they didn’t have to be on a plane to San Francisco every week during the process.

In fact, Sid Trivedi, partner at Foundation Capital, said that this was his first investment where he never met the founders in person, but he said through long discussions he learned “their passion for the opportunity at hand, experience of the market dynamics and vision for how they would solve the problem of meeting the needs of both IT/security admins and developers.”