macOS Big Sur Has Landed | 10 Essential Security Tips You Should Know

Today, Apple releases the next iteration of its desktop operating system, now rebranded as macOS 11. In this post, we take a tour of what’s new and how it affects security in the enterprise. We covered some of these changes in our beta preview post back in June; here we also cover the important changes since then.

1. Adjust Your Scripts for the New Version Number

This is the third time Apple have re-branded their desktop operating system in recent years: from OS X to macOS 10, and now macOS 11. As the last version of macOS was 10.15, it’s not surprising that you’ll also see references to macOS as 10.16, even in some official documentation.

However, if you’re running admin or security scripts that check the version number via the sw_vers command line tool, the output will now look like this:

ProductName: macOS
ProductVersion: 11.0.1
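
The check described above, as an added example that is not part of the original post: it parses sw_vers-style output and treats both 11.x and the 10.16 alias as Big Sur, so a script does not silently misclassify the new version. SAMPLE_OUTPUT is constructed to match the output quoted above; on a non-Mac host the script falls back to it.

```python
import re
import subprocess

# Constructed sample matching the sw_vers output quoted in the post.
SAMPLE_OUTPUT = "ProductName: macOS\nProductVersion: 11.0.1\n"


def parse_sw_vers(text):
    """Turn `Key: value` lines from sw_vers into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def version_tuple(version):
    """'11.0.1' -> (11, 0, 1); anything that is not dotted integers is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError("unexpected ProductVersion: %r" % version)
    return tuple(int(part) for part in version.split("."))


def is_big_sur_or_later(version):
    """True for 11.x and above, and for the 10.16 alias some tooling still reports."""
    v = version_tuple(version)
    return v >= (11,) or v[:2] == (10, 16)


def macos_generation(text):
    """Classify raw sw_vers output: 'big_sur_or_later', 'pre_big_sur' or 'not_macos'."""
    info = parse_sw_vers(text)
    # Catalina and earlier report "Mac OS X"; Big Sur reports "macOS".
    if info.get("ProductName") not in ("macOS", "Mac OS X"):
        return "not_macos"
    return "big_sur_or_later" if is_big_sur_or_later(info["ProductVersion"]) else "pre_big_sur"


if __name__ == "__main__":
    try:
        output = subprocess.run(["sw_vers"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT  # not on a Mac: fall back to the constructed sample
    print(macos_generation(output))
```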

2. Kexts Still Live – With Your Approval

Kexts are not quite dead and buried and even live on in Apple’s own system software; however, for 3rd party developers, the push to abandon kernel extensions from both Apple and users has been strong, and most vendors, including SentinelOne, are moving to the new System Extensions as a replacement for kexts. You can find out more about SentinelOne’s kextless agent and support for Big Sur here.

In Big Sur, all kernel extensions need user approval, including updated versions of existing kexts. Interestingly, Apple have not exempted themselves from that rule either, so you may see alerts for approving updates to kexts that live in /Library/Apple/System/Library/Extensions, too, like this:

Yes, that’s a UI alert for a kernel extension update, now slightly confusingly referred to in macOS Big Sur as a “System Extension”, too.

3. Screen Recording is an Admin Privilege

If you’re supporting users remotely with software like TeamViewer or similar, be aware that Screen Recording on macOS 11 now requires Administrator approval. Using Zoom or other tele-conferencing software? That’s right, you’ll need to authenticate those applications for screen recording, too.

And here’s a little tip for anyone making screencasts on Big Sur: after you’ve approved your 3rd party recording app, you might want to go into the “General” tab of System Preferences and set the status bar to automatically hide. That’s the only way you’re going to be able to hide the system clock, which might otherwise give away large intervals between frames that you edit out.

4. Limitations for Standard User with networksetup

The networksetup utility on Big Sur also requires authorization for all functions except reading the network settings, turning Wi-Fi power on or off and changing the Wi-Fi access point. Essentially, if it requires unlocking a padlock in the System Preferences GUI, it’ll require a password from the CLI utility now as well.

5. Adjust Your Scripts for TCC.db

For admins or developers using scripts to access the TCC.db, note that there have also been some changes to the schema, so you’ll need to consider whether you need to adjust for them. Whereas on 10.15 you could use something like this to list applications with Full Disk Access permissions:

That will now fail on Big Sur because the allowed column no longer exists in the schema for the access table; if you try, you’ll be met with the message “Error: no such column: allowed”.

To achieve the same effect on Big Sur, replace allowed with auth_value and 1 with 2 in the grep command:

sudo sqlite3 TCC.db "SELECT client,auth_value FROM access WHERE service=='kTCCServiceSystemPolicyAllFiles'" | grep '2$'

Other changes in the access table schema are the addition of auth_reason and auth_version columns, the removal of the prompt_count column, and a new default NOT NULL value for the indirect_object_identifier column.
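
To keep one script working across the 10.15 and 11 schemas described above, the following added example (not from the original post) reads the live column list of the access table with PRAGMA table_info and picks the right predicate, allowed = 1 or auth_value = 2, accordingly. The two in-memory databases are constructed, reduced versions of the real access table (column subset, placeholder auth_reason/auth_version values, and an assumed 'UNUSED' default for indirect_object_identifier); the real system path TCC_DB_PATH is only opened if it exists and is readable.

```python
import sqlite3
from pathlib import Path

# System TCC database; reading it needs root and Full Disk Access for the shell.
TCC_DB_PATH = Path("/Library/Application Support/com.apple.TCC/TCC.db")
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"

# Constructed 10.15-style `access` table: boolean `allowed`, plus `prompt_count`.
CATALINA_SCHEMA = """
CREATE TABLE access (
    service TEXT NOT NULL,
    client TEXT NOT NULL,
    allowed INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL,
    indirect_object_identifier TEXT
);
"""
# Constructed 11-style table: `allowed`/`prompt_count` gone, `auth_value`,
# `auth_reason`, `auth_version` added, indirect_object_identifier now NOT NULL
# with a default ('UNUSED' is an assumption for this sample).
BIG_SUR_SCHEMA = """
CREATE TABLE access (
    service TEXT NOT NULL,
    client TEXT NOT NULL,
    auth_value INTEGER NOT NULL,
    auth_reason INTEGER NOT NULL,
    auth_version INTEGER NOT NULL,
    indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED'
);
"""
# Constructed rows: Terminal granted FDA, a backup tool denied, and a camera
# grant for Zoom that must not be reported as Full Disk Access.
CATALINA_COLUMNS = ("service", "client", "allowed", "prompt_count")
CATALINA_ROWS = [
    (FDA_SERVICE, "com.apple.Terminal", 1, 0),
    (FDA_SERVICE, "com.example.backuptool", 0, 1),
    ("kTCCServiceCamera", "us.zoom.xos", 1, 0),
]
BIG_SUR_COLUMNS = ("service", "client", "auth_value", "auth_reason", "auth_version")
BIG_SUR_ROWS = [  # auth_reason / auth_version values are placeholders
    (FDA_SERVICE, "com.apple.Terminal", 2, 4, 1),
    (FDA_SERVICE, "com.example.backuptool", 0, 3, 1),
    ("kTCCServiceCamera", "us.zoom.xos", 2, 2, 1),
]


def open_sample_db(schema, columns, rows):
    """Build an in-memory TCC.db lookalike from one of the constructed schemas."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    sql = "INSERT INTO access (%s) VALUES (%s)" % (
        ", ".join(columns), ", ".join("?" * len(columns)))
    conn.executemany(sql, rows)
    conn.commit()
    return conn


def access_columns(conn):
    """Column names of the `access` table, read from the live schema."""
    return [row[1] for row in conn.execute("PRAGMA table_info(access)")]


def schema_generation(conn):
    """'bigsur' if the table carries auth_value, 'catalina' if it carries allowed."""
    cols = access_columns(conn)
    if "auth_value" in cols:
        return "bigsur"
    if "allowed" in cols:
        return "catalina"
    raise RuntimeError("unrecognised access table columns: %s" % ", ".join(cols))


def full_disk_access_clients(conn):
    """Clients granted Full Disk Access, whichever schema generation is present.

    Filtering happens in a parameterised WHERE clause instead of the post's
    `| grep '2$'` pipeline, so the query is explicit about service and value.
    """
    if schema_generation(conn) == "bigsur":
        sql = "SELECT client FROM access WHERE service = ? AND auth_value = 2"
    else:
        sql = "SELECT client FROM access WHERE service = ? AND allowed = 1"
    return sorted(row[0] for row in conn.execute(sql, (FDA_SERVICE,)))


def main():
    for name, schema, cols, rows in (
        ("Catalina sample", CATALINA_SCHEMA, CATALINA_COLUMNS, CATALINA_ROWS),
        ("Big Sur sample", BIG_SUR_SCHEMA, BIG_SUR_COLUMNS, BIG_SUR_ROWS),
    ):
        conn = open_sample_db(schema, cols, rows)
        print(name, schema_generation(conn), full_disk_access_clients(conn))
    if TCC_DB_PATH.exists():  # real Mac only; open read-only so nothing is modified
        conn = sqlite3.connect(TCC_DB_PATH.as_uri() + "?mode=ro", uri=True)
        print("system TCC.db", schema_generation(conn), full_disk_access_clients(conn))


if __name__ == "__main__":
    main()
```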

6. More Trust Needed for Certificate Trust Settings

Outside of TCC itself but still regarding consent, there have also been changes to certificate trust settings. These now require administrator approval and/or confirmation through supplying the user’s password for non-admin trust domains. If you are running scripts that call /usr/bin/security add-trusted-cert -d as root, or leveraging the SecTrustSettingsSetTrustSettings API, you will need to take these changes into account.


7. No More On-Board System Libraries

When Apple announced the first beta of macOS Big Sur, they mentioned that copies of system libraries would no longer be present on the file system. Instead, Apple are shipping a “built-in dynamic linker cache of all system-provided libraries”. What that means, essentially, is that all system-provided libraries are tamper-proof, even if you turn off System Integrity Protection. Code that checks for the presence of a dynamic library at a particular file path will fail; instead, call the dlopen() function with the library’s expected path, and it will locate the library in the cache and return a handle to it.

As Jeff Johnson pointed out soon after this was announced, it appears that it is possible to extract the libraries from the cache for purposes of disassembly and security research.

8. New Signed System Volume – Watch Your Backups

More lock down arrives in Big Sur with the implementation of the signed system volume (SSV) feature. SSV extends the read-only system volume that Apple introduced in macOS 10.15 Catalina. Now, the system volume is cryptographically signed, which means the integrity of the system volume is checked at runtime. Any data on the volume that doesn’t have a valid cryptographic signature from Apple is rejected.

Apple claim that adding strong cryptographic protection to the system volume not only hardens the OS against tampering but also improves the speed and reliability of software updates.

For users, the main upshot is to ensure that your backup software is compliant with Apple’s new SSV format, as SSV means that an ordinary copy of the system volume will not be bootable. Apple have provided developers with a tool (ASR) to copy the system volume, but that tool reportedly only became fully functional with the release of 11.0.1 beta last week. Be sure to consult with your backup software provider to find out more if you need to create backups of your system volume.

9. Install Profile Configurations – in 8 Minutes or Less

If you’re installing Profile configurations to manage various user settings and you’re not using an MDM solution, these are also going to require the user to manually take a trip to System Preferences to complete the installation. And for reasons best known to Apple, this manual step needs to happen within 8 minutes of the installation beginning or macOS Big Sur will remove the Profile.

10. Check Your Hardware Specifications

To run Big Sur on your devices, you’ll need a minimum 4GB of RAM and a minimum 80GB drive. While Apple doesn’t ship any devices with less than 4GB RAM any longer, it’s still worth bearing these specs in mind for virtualization efforts.

The official list of supported hardware devices is as follows:

  • MacBook (2015 and newer)
  • MacBook Air (2013 and newer)
  • MacBook Pro (Late-2013 and newer)
  • iMac (2014 and newer)
  • iMac Pro (2017 and newer)
  • Mac Pro (2013 and newer)
  • Mac mini (2014 and newer)

And, of course, any of the newly released Apple Silicon models (the MacBook Air with M1, MacBook Pro with M1 and Mac mini with M1) will come with Big Sur as the default installation.

Conclusion

The latest version of macOS is billed as the biggest change to Apple’s desktop operating system ever, with increased lock down of both system and user data, along with support for two different kinds of hardware (Intel and ARM). Arguably, the biggest change for vendors is the move from kernel extensions to system extensions. You can learn more about that and SentinelOne’s support for Big Sur here.


The Good, the Bad and the Ugly in Cybersecurity – Week 46

The Good

U.S. Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) – in collaboration with the Brazil Ministry of Justice and the Public Security (MJSP) Secretariat for Integrated Operation (SEOPI) Cyber Laboratory – have arrested over a hundred child predators in an operation that lasted 6 days and spanned across the U.S. and South America.

“This collaborative effort by ICE’s Homeland Security Investigations and its foreign law enforcement partners has put dangerous criminals behind bars and, most importantly, has led to the rescue of innocent children,” said ICE Attaché for Brazil and Bolivia, Robert Fuentes Jr.

This was part of an ongoing activity named ”Operation Protected Childhood” (OPC) that simultaneously targets the distributors and producers of child sexual abuse material throughout the Americas (in Brazil, Argentina, Paraguay, and Panama).

It seems that the perpetrators are extremely prolific in utilizing innocent applications for communicating with their peers and clients and for distributing their “merchandise”. The operation discovered that suspects were using the anonymous messaging application “Kik”, Facebook Messenger app, peer to peer file sharing software, Twitter direct messaging and of course darknet forums. It appears that both Kik and Twitter have aided the investigation.

The Bad

Cyber attacks against courts and even live trials are not new, but a cyber attack that disables a country’s highest court of appeals is both novel and very disturbing.

Brazil’s Superior Court of Justice was hit by a ransomware attack which disabled IT systems for at least 3 days. Superior Court of Justice President Humberto Martins announced that “the court’s information technology network suffered a cyber attack on Tuesday afternoon, when the judgment sessions were taking place”.

Initially, the attack caused the cancellation of ongoing sessions, as well as rendering email and telephones unavailable. However, all of the SCJ’s systems and its website were down for at least two days after the attack, which was rumored to have hit other federal entities as well.

Reportedly, the attack was the work of the RansomExx gang; it not only affected all but the most urgent court proceedings, which continued over video conferencing, but also encrypted backups and quite possibly siphoned off data for subsequent extortion attempts.

Brazilian president Jair Bolsonaro said on a live broadcast that a ransom demand had been made and that the hackers behind the attack had been identified, but it is unclear if this is accurate as federal police have not formally commented on the matter. Other agencies impacted by (possibly related) cyber attacks are the Ministry of Health, Federal District Department of Economics and Federal District Government.

The Ugly

While we can’t travel abroad at the moment, we can all reminisce about our last vacation, for which we likely booked a hotel room online. Unfortunately, if you have done so in the past 7 years your details might have been leaked. Researchers from websiteplanet found a misconfigured AWS S3 bucket belonging to Spanish software company Prestige Software, which sells cloud-based software to hotels to automate their communication with online booking sites (for example, to publish room availability), including Hotels.com, Agoda, Expedia, Booking.com, Amadeus, Hotelbeds, and Omnibees.

It appears that Prestige Software had been storing personal identification data of guests and at least 100,000 credit cards on a misconfigured S3 bucket, dating back to 2013. The amount of leaked data is said to be around ten million records. Many of these records represent family reservations, so the number of individuals whose details may be exposed could easily be double or quadruple that number. The researchers have notified Amazon and ensured the bucket was secured from further exposure. However, as is often the case with these discoveries, it is unknown whether any malicious actors accessed and used the data prior to the researchers’ discovery. If data was indeed leaked and customers’ information was compromised, then Prestige Software could be facing a fine from the EU regulator under GDPR law.

In a similar case, Marriott International was recently fined £18.4m for a 2014 data breach that affected 339 million guest records worldwide, a fine that was significantly reduced from the initial £99 million notice due to the strain the company is under. It is difficult enough for the travel industry to survive the ongoing Covid-19 crisis, and recovery isn’t helped if travelers cannot be confident that their online bookings are secure. Let’s hope that such incidents serve as a wake-up call to the industry to improve security standards and allow us all to book our travels with peace of mind.


Menlo Security announces $100M Series E on $800M valuation

Menlo Security, a malware and phishing prevention startup, announced a $100 million Series E today on an $800 million valuation. The round was led by Vista Equity Partners with help from Neuberger Berman, General Catalyst, JP Morgan and other unnamed existing investors. The company has now raised approximately $250 million.

CEO and co-founder Amir Ben-Efraim says that while the platform has expanded over the years, the company stays mostly focused on web and email as major attack vectors for customers. “We really focused on a better kind of security outcome relative to the major threat factors of web and email. So web and email is really how most of the world or the enterprise world at least does its work, and these channels remain forever vulnerable to the latest attack,” Ben-Efraim explained.

He says that to protect those attack surfaces, the company pioneered a technology called web isolation to disconnect the user from the content and send only safe visuals. “When they click a link or engage with a website, the safe visuals are guaranteed to be malware-free, no matter where you go or you end up,” Ben-Efraim said.

With a valuation of $800 million, he’s proud of having built his company from the ground up to this point. He’s not quite ready to discuss an IPO yet, but he expects to take this large influx of cash and continue to grow an independent company, with an IPO perhaps three years out.

With an increase in business and the new capital, the company, which has 270 employees of which around 70 came on board this year, hopes to continue to grow at that pace in 2021. He says that as that happens the security startup has been paying close attention to the social justice movements.

“As a management team and for myself as a CEO, it’s an important topic. So we were paying close attention to our own diversification goals. We want Menlo to become a more diversified company,” Ben-Efraim said. He believes the way to get there is to prioritize recruiting channels where they can tap into a wider variety of potential recruits for the company.

While he wouldn’t discuss revenue, he did say in spite of the pandemic, the business is growing rapidly and sales are up 155% in terms of net new sales over last year. “The momentum for that being customers specifically in critical infrastructure, financial services, government and the like are seeing an uptick in attacks associated with COVID, and are looking at security as essential in an area that they need to double down on. So despite the financial difficulties, that’s created a bit of a tailwind for us strangely in 2020, even though the world economy as a whole is clearly being challenged by this epidemic,” he said.

Livestorm raises $30M for its browser-based meeting and webinar platform

Video communication startup Livestorm announced today that it has raised $30 million in Series B funding.

Co-founder and CEO Gilles Bertaux told me that the company started out with a focus on webinars before launching a video meeting product as well (which we used for our interview).

“The way we think about it is, webinars and meetings are not use cases,” Bertaux said.

He argued that it’s more meaningful to talk about whether you’re having a team meeting or a training demo or whatever else, and then how many people you want to attend, with Livestorm supporting all of those use cases and meeting sizes through different templates: “We’re trying to remove the semantic distinction of meeting and webinar out of the equation.”

Among other things, Livestorm is distinguished from other video conferencing tools because it’s purely browser based, without requiring presenters or attendees to install any software. The company says it has grown revenue 8x since it raised its €4.6 million Series A last fall, with a customer base that now includes 3,500 customers such as Shopify, Honda and Sephora.

Livestorm screenshot

Image Credits: Livestorm

Of course, you’d expect a video communication product to do well in 2020. At the same time, Zoom has dominated the remote work conversation this year — in fact, Bertaux acknowledged that Zoom may have built “the best video meeting technology.”

But he also suggested that the landscape is changing: “The thing is, we’re entering a period where video is becoming a commodity.”

So the Livestorm team is less focused on the core video technology and more on the experience around the video, with in-meeting features like screen sharing and virtual background, as well as a broader suite of marketing tools that allow customers to continue delivering targeted messages to event attendees.

Bertaux compared Livestorm to HubSpot, which he said “didn’t reinvent landing pages,” but put the different pieces of the marketing stack together around those landing pages.

Livestorm executives

The Livestorm executive team. Image Credits: Livestorm

“In 2021, we want to have the biggest ecosystem of integrations on a video product,” he said.

The round was led by Aglaé Ventures and Bpifrance Digital Venture, with participation from Raise Ventures and IDInvest.

In a statement, Aglaé Ventures partner Cyril Guenoun similarly described Livestorm as “the HubSpot for video communications,” adding, “Video and online events have become essential in 2020, and are here to stay. The Livestorm platform thrives in this environment, providing a seamless solution for meetings and events with all the connectors that marketing, sales, customer service and HR pros need to make video a tightly integrated part of their communications strategies.”

Bertaux said the new funding will allow Paris-headquartered Livestorm to continue expanding into North America — apparently, the U.S. already represents one-third of its customer base and is the company’s fastest-growing region.

Mirantis brings extensions to its Lens Kubernetes IDE, launches a new Kubernetes distro

Earlier this year, Mirantis, the company that now owns Docker’s enterprise business, acquired Lens, a desktop application that provides developers with something akin to an IDE for managing their Kubernetes clusters. At the time, Mirantis CEO Adrian Ionel told me that the company wants to offer enterprises the tools to quickly build modern applications. Today, it’s taking another step in that direction with the launch of an extensions API for Lens that will take the tool far beyond its original capabilities.

In addition to this update to Lens, Mirantis also today announced a new open-source project: k0s. The company describes it as “a modern, 100% upstream vanilla Kubernetes distro that is designed and packaged without compromise.”

It’s a single optimized binary without any OS dependencies (besides the kernel). Based on upstream Kubernetes, k0s supports Intel and Arm architectures and can run on any Linux host or Windows Server 2019 worker nodes. Given these requirements, the team argues that k0s should work for virtually any use case, ranging from local development clusters to private data centers, telco clusters and hybrid cloud solutions.

“We wanted to create a modern, robust and versatile base layer for various use cases where Kubernetes is in play. Something that leverages vanilla upstream Kubernetes and is versatile enough to cover use cases ranging from typical cloud based deployments to various edge/IoT type of cases,” said Jussi Nummelin, senior principal engineer at Mirantis and founder of k0s. “Leveraging our previous experiences, we really did not want to start maintaining the setup and packaging for various OS distros. Hence the packaging model of a single binary to allow us to focus more on the core problem rather than different flavors of packaging such as debs, rpms and what-nots.”

Mirantis, of course, has a bit of experience in the distro game. In its earliest iteration, back in 2013, the company offered one of the first major OpenStack distributions, after all.

Image Credits: Mirantis

As for Lens, the new API, which will go live next week to coincide with KubeCon, will enable developers to extend the service with support for other Kubernetes-integrated components and services.

“Extensions API will unlock collaboration with technology vendors and transform Lens into a fully featured cloud native development IDE that we can extend and enhance without limits,” said Miska Kaipiainen, the co-founder of the Lens open-source project and senior director of engineering at Mirantis. “If you are a vendor, Lens will provide the best channel to reach tens of thousands of active Kubernetes developers and gain distribution to your technology in a way that did not exist before. At the same time, the users of Lens enjoy quality features, technologies and integrations easier than ever.”

The company has already lined up a number of popular CNCF projects and vendors in the cloud-native ecosystem to build integrations. These include Kubernetes security vendors Aqua and Carbonetes, API gateway maker Ambassador Labs and AIOps company Carbon Relay. Venafi, nCipher, Tigera, Kong and StackRox are also currently working on their extensions.

“Introducing an extensions API to Lens is a game-changer for Kubernetes operators and developers, because it will foster an ecosystem of cloud-native tools that can be used in context with the full power of Kubernetes controls, at the user’s fingertips,” said Viswajith Venugopal, StackRox software engineer and developer of KubeLinter. “We look forward to integrating KubeLinter with Lens for a more seamless user experience.”

Kyklo raises $8.5M to bring electrical distributors online

Kyklo, a startup that helps wholesale distributors of electrical and automation products launch e-commerce stores, is announcing that it has raised $8.5 million in seed funding.

The industry may sound a bit arcane, but it’s one that founders Remi Ducrocq (Kyklo’s CEO) and Fabien Legouic (CTO) know from having worked at Schneider Electric. Ducrocq said that selling these products to manufacturers and electricians remains a cumbersome process that relies largely on PDF catalogs.

Shifting these businesses to digital is a much bigger challenge than creating a standard online store, both because of the number of products being sold and the need for accurate listings.

“Even the small folks sell 100,000 SKUs [distinct products], up to 1 million SKUs,” Ducrocq told me. “If you choose the wrong product, your factory gets shut down. [It’s essential] to have accurate information present on the web store to have a transaction happen.”

Kyklo doesn’t automate the process completely, Ducrocq added, because “you can’t just create content or apply AI to something that is so unstructured.” Creating these stores remains a manual process for the Kyklo team, but the company has built “technology to make that manual process as easy as possible.”

That includes standardized data structures and a variety of scripts to create these product listings more quickly. Ultimately, Ducrocq said Kyklo can get distributors up and running with an online store within 30 days, and sometimes as quickly as two weeks.

In total, Kyklo has created a catalog of more than 2.5 million products for more than 35 distributors. It’s also been endorsed by manufacturers like Schneider Electric, Wago, Festo US and Mitsubishi Electric Automation as their preferred e-commerce partner.

Ducrocq suggested that going digital with Kyklo helps these businesses both by allowing them to reach new customers with improved SEO and by giving them tools to expand their sales with existing customers. For example, IEC Supply says that its online sales increased 600% in the first six months after launching with Kyklo, while new customer interactions tripled.

“Market maturity accelerated because of the pandemic,” he added. “These B2B traditional businesses were reluctant to go towards digitization, with only visionaries embarking on the journey. But during the pandemic, salespeople haven’t been able to see their customers in person for six months, so many distributors are reassessing how they should effectively go to market.”

Kyklo has now raised a total of $10.2 million. The new funding was led by Felicis Ventures and IA Ventures, with participation from Jungle Ventures, partners at Wavemaker, Seedplus and strategic angel investors.

“With 80% of the $640 billion electrical, industrial and automation distribution industry still relying on PDF catalogs and phone and emails for its operations, distributors face a challenge in the market,” said Felicis Managing Director Sundeep Peechu in a statement. “KYKLO’s platform helps these companies keep pace with crucial industry needs and reassess how digital tools can transform their sales force.”

Databricks launches SQL Analytics

AI and data analytics company Databricks today announced the launch of SQL Analytics, a new service that makes it easier for data analysts to run their standard SQL queries directly on data lakes. And with that, enterprises can now easily connect their business intelligence tools like Tableau and Microsoft’s Power BI to these data repositories as well.

SQL Analytics will be available in public preview on November 18.

In many ways, SQL Analytics is the product Databricks has long been looking to build and that brings its concept of a ‘lake house’ to life. It combines the performance of a data warehouse, where you store data after it has already been transformed and cleaned, with a data lake, where you store all of your data in its raw form. The data in the data lake, a concept that Databricks’ co-founder and CEO Ali Ghodsi has long championed, is typically only transformed when it gets used. That makes data lakes cheaper, but also a bit harder to handle for users.

Image Credits: Databricks

“We’ve been saying Unified Data Analytics, which means unify the data with the analytics. So data processing and analytics, those two should be merged. But no one picked that up,” Ghodsi told me. But ‘lake house’ caught on as a term.

“Databricks has always offered data science, machine learning. We’ve talked about that for years. And with Spark, we provide the data processing capability. You can do [extract, transform, load]. That has always been possible. SQL Analytics enables you to now do the data warehousing workloads directly, and concretely, the business intelligence and reporting workloads, directly on the data lake.”

The general idea here is that with just one copy of the data, you can enable both traditional data analyst use cases (think BI) and the data science workloads (think AI) Databricks was already known for. Ideally, that makes both use cases cheaper and simpler.

The service sits on top of an optimized version of Databricks’ open-source Delta Lake storage layer to enable the service to quickly complete queries. In addition, Delta Lake also provides auto-scaling endpoints to keep the query latency consistent, even under high loads.

While data analysts can query these data sets directly, using standard SQL, the company also built a set of connectors to BI tools. Its BI partners include Tableau, Qlik, Looker and Thoughtspot, as well as ingest partners like Fivetran, Fishtown Analytics, Talend and Matillion.

Image Credits: Databricks

“Now more than ever, organizations need a data strategy that enables speed and agility to be adaptable,” said Francois Ajenstat, Chief Product Officer at Tableau. “As organizations are rapidly moving their data to the cloud, we’re seeing growing interest in doing analytics on the data lake. The introduction of SQL Analytics delivers an entirely new experience for customers to tap into insights from massive volumes of data with the performance, reliability and scale they need.”

In a demo, Ghodsi showed me what the new SQL Analytics workspace looks like. It’s essentially a stripped-down version of the standard code-heavy experience that Databricks users are familiar with. Unsurprisingly, SQL Analytics provides a more graphical experience that focuses more on visualizations and not Python code.

While there are already some data analysts on the Databricks platform, this obviously opens up a large new market for the company — something that would surely bolster its plans for an IPO next year.

mmhmm videochat software is now available to all for Mac

mmhmm, the presentation software developed by Evernote founder Phil Libin, is today coming out of beta. The mmhmm app is now officially available for Mac.

The software allows folks to spice up their video calls with the ability to add different backgrounds, play videos, add images, and use filters, among other cool effects. The app has been invite only since its inception, but today it becomes available to all.

Alongside the launch of the free app, mmhmm is also introducing Premium Tools.

This includes customizable rooms, presenter controls and extra add-ons like laser pointers. Users can get a free seven-day trial of the Premium Tools, and after the trial will have access to these tools for one hour per day. The Premium Tools will cost $99/year or $9.99/month, but free users will still be able to videochat, record, collaborate and use the basic presentation features with a default background and simple presenter mode.

Another important note: mmhmm has decided to make its Premium Tools free to students and educators for one year.

The public launch also brings a handful of new features, including Big Hand Mode (which lets folks in the video call visually react), improvements to the appearance of mmhmm’s virtual green screen, and mmhmm Creative Services.

Big Hand Mode is only available on Apple’s new M1-powered Macs.

Creative Services represent another revenue channel for the company, which will now offer white-glove bespoke services to folks running large events or experiences.

For now, mmhmm is only available on macOS, but the company is working on a Windows beta as we speak.

Solo.io announces service mesh platform aimed at enterprise customers

Solo.io, a Cambridge, MA service mesh startup, announced some big changes to its approach today with a full-stack platform of services aimed squarely at the enterprise. The culmination of this will be Gloo Mesh Enterprise, a new product that will be available in Beta by the end of the year.

Service meshes are part of a cloud native, containerized approach to development that enables microservices to communicate with one another.

Idit Levine, founder and CEO at Solo, says that she began by creating individual components since launching the company in 2017 because she knew that it was early for service meshes. Today’s announcement is about bringing all of these components the company has created into a more coherent and connected enterprise product.

While she was worried at first that the pandemic would have a negative impact on business, she says that her company has been busier than ever and today’s announcement is really about giving customers what they have been asking for throughout this tumultuous year.

Most of Solo’s customers are running Kubernetes, and they needed some missing pieces that Solo was happy to provide. The first problem is the primary reason the company started: managing service meshes. Gloo Mesh, which is based on the open source Istio service mesh, helps developers manage their service mesh clusters.

Another problem involved running containers at the edge, which required an API gateway. To that end, the company announced Gloo Edge, an API gateway built on the Envoy Proxy, an edge service proxy. Running applications at the edge means they get the resources they need to improve performance and save bandwidth.

The third piece is called Gloo Portal. This provides a centralized, self-service catalog of services that developers can tap into as they are building their applications. The final piece is Gloo Extensions, which provides a way for developers to access or build extensions packaged as WebAssembly modules.

All of these pieces are available as open source, but companies that want additional functionality and support, and a way to connect all of these pieces, will need to buy the enterprise product. Among the additional features in the enterprise version is the ability to apply roles to the APIs in Gloo Edge to control who has access. Gloo Mesh users get production Istio support, including updates and patches. It also includes a dashboard for managing clusters and developer tools for building WebAssembly modules for Gloo Extensions.
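Because Gloo Mesh sits on top of Istio, the access-control primitives it manages are ultimately Istio resources. The following is an added illustration, not code from this article or from Solo.io, of what "controlling who has access" looks like at the mesh layer: one policy forcing mutual TLS between sidecars in a namespace, and one allowing a single workload identity to call a single API path. The namespace `payments`, the `ledger` and `checkout` workloads and the `/v1/charges` path are hypothetical; the resource kinds and the SPIFFE-style principal format are standard Istio.

```yaml
# Added example (hypothetical namespace, workloads and path; Istio resource
# kinds are real). Two resources, applied with `kubectl apply -f`.

# 1. Reject any plaintext connection to workloads in the namespace. With
#    STRICT mode, only peers presenting a sidecar-issued mTLS certificate
#    can connect, so every caller has a verifiable identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Allow only the "checkout" service account to POST to /v1/charges on
#    the "ledger" workload. Once an ALLOW policy selects a workload, Istio
#    denies every request that matches no rule, so the ledger's other
#    paths and methods are closed to all callers by default.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charges"]
```

The two resources are deliberately paired: the AuthorizationPolicy's `principals` match only makes sense because PeerAuthentication in STRICT mode guarantees the peer identity was established over mTLS. A common mistake is to write the AuthorizationPolicy alone while mTLS is still in PERMISSIVE mode, in which case plaintext callers carry no principal and the policy silently fails to identify them.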

The company has raised over $36 million, according to Pitchbook data. The most recent deal was $23 million in September. Levine says the startup has several dozen large customers at this point and 35 employees. She said she is actively hiring and expects to be at 50 soon.

IBM CEO Arvind Krishna wants to completely transform his organization

When IBM announced it was spinning out its infrastructure services business last month, it was surely a sign that the company was going all in on hybrid cloud. Today in an interview with Jon Fortt at the CNBC Evolve summit, IBM CEO Arvind Krishna made it clear that his whole focus is going to be on transforming his organization into a hybrid cloud management vendor moving forward.

That means that instead of trying to primarily sell its own infrastructure or software services — although it will continue to do that — it will concentrate on leveraging Red Hat, the company it bought for $34 billion in 2018, to help customers manage their hybrid environments regardless of location. That could be on-prem, with any of the public cloud providers, or anything in between.

Krishna sees this acquisition as a key part of the transition strategy to capture what he estimates is a trillion dollar opportunity in the hybrid cloud management market, and he believes his company is well-positioned to grab a piece of that. “The Red Hat acquisition gave us the technology base on which to build a hybrid cloud technology platform based on open-source, and based on giving choice to our clients as they embark on this journey. With the success of that acquisition now giving us the fuel, we can then take the next step, and the larger step, of taking the managed infrastructure services out. So the rest of the company can be absolutely focused on hybrid cloud and artificial intelligence,” Krishna told CNBC.

While he recognizes that Microsoft and Amazon are powerful players in the public cloud, he doesn’t see them as competitors, so much as partners in this new approach. In fact, mixing in a broad variety of third party partners is a big part of this.

“I look at both Microsoft and Amazon as likely partners in this journey, not as being the one and two [in market share]. In the hybrid world the question is where does the client want to decide where the workload runs? They could run it on Amazon. They can run on Microsoft. They can run it on IBM or they can run it on premises,” he said.

He believes that Red Hat can be the glue that holds this environment together and gives customers a single way of managing this complexity. The key question for IBM is whether customers see IBM, and by extension Red Hat, as the key vendor for this role.

He recognizes that this isn’t just about adding and subtracting technology pieces. When it comes to transforming the way you do business in this way, it requires a massive cultural shift, one we saw Satya Nadella pull off when he took over as CEO at Microsoft in 2014. Much like Nadella, Krishna was promoted from within. He understands how things operate and that he needs to change the way things have traditionally been done at Big Blue if he’s going to succeed.

“I’ve talked a lot internally about a growth mindset, and about being much more entrepreneurial. And we can be entrepreneurs, even within large companies. But it comes from having extreme focus. So when we provide the focus of being focused on hybrid cloud and artificial intelligence, which I believe are the two fundamental forces, then you say how do you unlock everybody being able to go after that,” he said.

That’s going to be the big key for him moving forward as transforming a company the size of IBM is going to be a tremendous challenge for him as a leader. As Fortt pointed out, IBM salespeople are used to focusing on IBM products. This approach means they have to look at the market much more broadly, and that requires a new mindset. It will be up to Krishna to lead the way and make sure that his employees are on the same page about this. The success of this approach depends on that.