Soci raises $80M for its localized marketing platform

Soci, a startup focused on what it calls “localized marketing,” is announcing that it has raised $80 million in Series D funding.

National and global companies like Ace Hardware, Anytime Fitness, The Hertz Corporation and Nekter Juice Bar use Soci (pronounced soh-shee) to coordinate individual stores as they promote themselves through search, social media, review platforms and ad campaigns. Soci said that in 2020, it brought on more than 100 new customers, representing nearly 30,000 new locations.

Co-founder and CEO Afif Khoury told me that the pandemic was a crucial moment for the platform, with so many businesses “scrambling to find a real solution to connect with local audiences.”

One of the key advantages to Soci’s approach, Khoury said, is to allow the national marketing team to share content and assets so that each location stays true to the “national corporate personality,” while also allowing each location to express a “local personality.” During the pandemic, businesses could share basic information about “who’s open, who’s not” while also “commiserating and expressing the humanity that’s often a missing element from marketing nationally.”

“The result there was businesses that had to close, when they had their grand reopenings, people wanted to support that business,” he said. “It created a sort of bond that hopefully lasts forever.”

Khoury also emphasized that Soci has built a comprehensive platform that businesses can use to manage all their localized marketing, because “nobody wants to have seven different logins to seven different systems, especially at the local level.”

The new funding, he said, will allow Soci to make the platform even more comprehensive, both through acquisitions and integrations: “We want to connect into the CRM, the point-of-sale, the rewards program and take all that data and marry that to our search, social, reviews data to start to build a profile on a customer.”

Soci has now raised a total of $110 million. The Series D was led by JMI Equity, with participation from Ankona Capital, Seismic CEO Doug Winter and Khoury himself.

“All signs point to an equally difficult first few months of this year for restaurants and other businesses dependent on their communities,” said JMI’s Suken Vakil in a statement. “This means there will be a continued need for localized marketing campaigns that align with national brand values but also provide for community-specific messaging. SOCi’s multi-location functionality positions it as a market leader that currently stands far beyond its competitors as the must-have platform solution for multi-location franchises/brands.”

Cloud infrastructure startup CloudNatix gets $4.5 million seed round led by DNX Ventures

CloudNatix founder and chief executive officer Rohit Seth. Image Credits: CloudNatix

CloudNatix, a startup that provides infrastructure for businesses with multiple cloud and on-premise operations, announced it has raised $4.5 million in seed funding. The round was led by DNX Ventures, an investment firm that focuses on United States and Japanese B2B startups, with participation from Cota Capital. Existing investors Incubate Fund, Vela Partners and 468 Capital also contributed.

The company also added DNX Ventures managing partner Hiro Rio Maeda to its board of directors.

CloudNatix was founded in 2018 by chief executive officer Rohit Seth, who previously held lead engineering roles at Google. The company’s platform helps businesses reduce IT costs by analyzing their infrastructure spending and then using automation to make IT operations across multiple clouds more efficient. The company’s typical customer spends between $500,000 and $50 million on infrastructure each year, and uses at least one cloud service provider in addition to on-premise networks.

Built on open-source software like Kubernetes and Prometheus, CloudNatix works with all major cloud providers and on-premise networks. For DevOps teams, it helps configure and manage infrastructure that runs both legacy and modern cloud-native applications, and enables them to transition more easily from on-premise networks to cloud services.

CloudNatix competes most directly with VMware and Red Hat OpenShift. But both of those services are limited to their base platforms, while CloudNatix’s advantage is that it is agnostic to base platforms and cloud service providers, Seth told TechCrunch.

The company’s seed round will be used to scale its engineering, customer support and sales teams.

South African startup Aerobotics raises $17M to scale its AI-for-agriculture platform

As the global agricultural industry stretches to meet expected population growth and food demand, and food security becomes more of a pressing issue with global warming, a startup out of South Africa is using artificial intelligence to help farmers manage their farms, trees and fruits.

Aerobotics, a South African startup that provides intelligent tools to the world’s agriculture industry, has raised $17 million in an oversubscribed Series B round.

South African consumer internet giant Naspers led the round through its investment arm, Naspers Foundry, investing $5.6 million, according to Aerobotics. Cathay AfricInvest Innovation, FMO: Entrepreneurial Development Bank and Platform Investment Partners also participated.

Founded in 2014 by James Paterson and Benji Meltzer, Aerobotics is currently focused on building tools for fruit and tree farmers. Using artificial intelligence, drones and other robotics, its technology helps track and assess the health of these crops, including identifying sick trees, tracking pests and diseases, and providing analytics for better yield management.

The company has advanced its technology and now provides farmers with independent, reliable yield estimates and harvest schedules by collecting and processing both tree and fruit imagery from citrus growers early in the season. In turn, farmers can prepare their stock, predict demand and ensure their customers receive the best quality of produce.

Aerobotics has experienced record growth in the last few years. For one, it claims to have the largest proprietary data set of trees and citrus fruit in the world, having processed 81 million trees and more than a million citrus fruit.

The seven-year-old startup is based in Cape Town, South Africa. At a time when many of the startups out of the African continent have focused their attention primarily on identifying and fixing challenges at home, Aerobotics has found a lot of traction for its services abroad, too. It has offices in the U.S., Australia and Portugal — like Africa, home to other major, global agricultural economies — and operates in 18 countries across Africa, the Americas, Europe and Australia.

Image Credits: Aerobotics

Within that, the U.S. is the company’s primary market, and Aerobotics says it has two provisional patents pending in the country, one for systems and methods for estimating tree age and another for systems and methods for predicting yield.

The company said it plans to use this Series B investment to continue developing more technology and product delivery, both for the U.S. and other markets.

“We’re committed to providing intelligent tools to optimize automation, minimize inputs and maximize production. We look forward to further co-developing our products with the agricultural industry leaders,” said Paterson, the CEO, in a statement.

Once heralded as a frontier for technology centuries ago, the agriculture industry has stalled in that respect for a long while. However, agritech companies like Aerobotics that support climate-smart agriculture and help farmers have sprung up, trying to take the industry back to its past glory. Investors have taken notice, and over the past five years investment has flowed at a breathtaking pace.

Aerobotics raised $600,000 from 4Di Capital and Savannah Fund as part of its seed round in September 2017. The company then raised a further $4 million in Series A funding in February 2019, led by Nedbank Capital and Paper Plane Ventures.

Naspers Foundry, the lead investor in this Series B round, was launched by Naspers in 2019 as a 1.4 billion rand (~$100 million) fund for tech startups in South Africa. 

Phuthi Mahanyele-Dabengwa, CEO of Naspers South Africa, said of the investment, “Food security is of paramount importance in South Africa and the Aerobotics platform provides a positive contribution towards helping to sustain it. This type of tech innovation addresses societal challenges and is exactly the type of early-stage company that Naspers Foundry looks to back.”

Besides Aerobotics, Naspers Foundry has invested in online cleaning service SweepSouth, and food service platform Food Supply Network.

IBM transformation struggles continue with cloud and AI revenue down 4.5%

A couple of months ago at CNBC’s Transform conference, IBM CEO Arvind Krishna painted a picture of a company in the midst of a transformation. He said that he wanted to take advantage of IBM’s $34 billion 2018 Red Hat acquisition to help customers manage a growing hybrid cloud world, while using artificial intelligence to drive efficiency.

It seems like a sound enough approach. But instead of the new strategy acting as a big growth engine, IBM’s earnings today showed that its cloud and cognitive software revenues were down 4.5% to $6.8 billion. Meanwhile cognitive applications — where you find AI revenue — were flat.

If Krishna was looking for a silver lining, perhaps he could take solace in the fact that Red Hat itself performed well, with revenue up 18% compared to the year-ago period, according to the company. But overall the company’s revenue declined for the fourth straight quarter, leaving the executive in much the same position as his predecessor Ginni Rometty, who led IBM during 22 straight quarters of revenue declines.

Krishna laid out his strategy in November, telling CNBC, “The Red Hat acquisition gave us the technology base on which to build a hybrid cloud technology platform based on open-source, and based on giving choice to our clients as they embark on this journey.” So far the approach is simply not generating the growth Krishna expected.

The company is also in the midst of spinning out its legacy managed infrastructure services division, which, as Krishna said in the same November interview, should allow Big Blue to concentrate more on its new strategy. “With the success of that acquisition now giving us the fuel, we can then take the next step, and the larger step, of taking the managed infrastructure services out. So the rest of the company can be absolutely focused on hybrid cloud and artificial intelligence,” he said.

While it’s certainly too soon to say his transformation strategy has failed, the results aren’t there yet, and IBM’s falling top line has to be as frustrating to Krishna as it was to Rometty. If you guide the company toward more modern technologies and away from the legacy ones, at some point you should start seeing results, but so far that has not been the case for either leader.

Krishna continued to build on this vision at the end of last year by buying some additional pieces like cloud applications performance monitoring company Instana and hybrid cloud consulting firm Nordcloud. He did so to build a broader portfolio of hybrid cloud services to make IBM more of a one-stop shop for these services.

As retired NFL football coach Bill Parcells used to say, referring to his poorly performing teams, “you are what your record says you are.” Right now IBM’s record continues to trend in the wrong direction. While it’s making some gains with Red Hat leading the way, it’s simply not enough to offset the losses, and something needs to change.

DDoS-Guard To Forfeit Internet Space Occupied by Parler

Parler, the beleaguered social network advertised as a “free speech” alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from their stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients — including the Internet addresses currently occupied by Parler.

The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

In October, a phone call from Guilmette to an Internet provider in Oregon was all it took to briefly sideline a vast network of sites tied to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. As a result, those QAnon and 8chan sites also ultimately ended up in the arms of DDoS-Guard.

Much like Internet infrastructure firm CloudFlare, DDoS-Guard typically doesn’t host sites directly but instead acts as a go-between to simultaneously keep the real Internet addresses of its clients confidential and to protect them from crippling Distributed Denial-of-Service (DDoS) attacks.

The majority of DDoS-Guard’s employees are based in Russia, but the company is actually incorporated in two other places: As “Cognitive Cloud LLP” in Scotland, and as DDoS-Guard Corp. based in Belize. However, none of the company’s employees are listed as based in Belize, and DDoS-Guard makes no mention of the Latin American region in its map of global operations.

In studying the more than 11,000 Internet addresses assigned to those two companies, Guilmette found that approximately 66 percent of them were doled out to the Belize entity by LACNIC, the regional Internet registry for the Latin American and Caribbean regions.

Suspecting that DDoS-Guard incorporated in Belize on paper just to get huge swaths of IP addresses that are supposed to be given only to entities with a physical presence in the region, Guilmette filed a complaint with the Internet registry about his suspicions back in November.

Guilmette said LACNIC told him it would investigate, and that any adjudication on the matter could take up to three months. But earlier this week, LACNIC published a notice on its website that it intends to revoke 8,192 IPv4 addresses from DDoS-Guard — including the Internet address currently assigned to Parler[.]com.

A notice of revocation posted by LACNIC.

LACNIC has not yet responded to requests for comment. The notice on its site says the Internet addresses are set to be revoked on Feb. 24.

DDoS-Guard CEO Evgeniy Marchenko maintains the company has done nothing wrong, and that DDoS-Guard does indeed have a presence in Belize.

“They were used strongly according [to] all LACNIC policies by [a] company legally substituted in LACNIC region,” Marchenko said in an email to KrebsOnSecurity. “There is nothing illegal or extremist. We have employers and representatives in different countries around the world because we are global service. And Latin America region is not an exception.”

Guilmette said DDoS-Guard could respond by simply moving Parler and other sites sitting in those address ranges to another part of its network. But he considers it a victory nonetheless that a regional Internet registry took his concerns seriously.

“It appeared to me that it was more probable than not that they got these 8,000+ IPv4 addresses by simply creating an arguably fraudulent shell company in Belize and then going cap in hand to LACNIC, claiming that they had a real presence in the Latin & South American region, and then asking for 8,000+ IPv4 addresses,” he said. “So I reported my suspicions to the LACNIC authorities in early November, and as I have only just recently learned, the LACNIC authorities followed up diligently on my report and, it seems, verified my suspicions.”

In October, KrebsOnSecurity covered another revelation by Guilmette about the same group of QAnon and 8chan-related sites that moved to DDoS-Guard: The companies that provided the Internet address space used by the sites were defunct businesses in the eyes of their respective U.S. state regulators. In other words, the American Registry for Internet Numbers (ARIN) — the non-profit which administers IP addresses for entities based in North America — was well within its contract rights to revoke the IP space.

Guilmette brought his findings to ARIN, which declined to act on the complaint and instead referred the matter to state investigatory agencies.

Still, Guilmette’s gadfly efforts to stir things up in the RIR community sometimes do pay off. For example, he spent nearly three years documenting how $50 million worth of the increasingly scarce IPv4 addresses were misappropriated from African companies to dodgy Internet marketing firms.

His complaints about those findings to the African Network Information Centre (AFRINIC) resulted in an investigation that led to the termination of a top AFRINIC executive, who was found to have quietly sold many of the address blocks for personal gain to marketers based in Europe, Asia and elsewhere.

And this week, AFRINIC took the unusual step of officially documenting the extent of the damage wrought by its former employee, and revoking discrete chunks of address space currently being used by marketing firms.

In a detailed report released today (PDF), AFRINIC said its investigation revealed more than 2.3 million IPv4 addresses were “without any lawful authority, misappropriated from AFRINIC’s pool of resources and attributed to organizations without any justification.”

AFRINIC said it began its inquiry in earnest back in March 2019, when it received an application by the U.S. Federal Bureau of Investigation (FBI) about “certain suspicious activities regarding several IPv4 address blocks which it held.” So far, AFRINIC said it has reclaimed roughly half of the wayward IP address blocks, with the remainder “yet to be reclaimed due to ongoing due diligence.”

Six Steps to Successful And Efficient Threat Hunting

Cybersecurity often feels like a game of cat and mouse. As our solutions get better at stopping an attack, adversaries have often already developed and started using new tactics and techniques. According to the Verizon DBIR, advanced threats lurk in our environment undetected, often for months, while they stealthily gather valuable information to steal or data to compromise. If you wait until these threats become visible or an alert is generated by traditional SOC monitoring tools, it can be too late. Threat hunting can help combat these challenges. Rather than waiting for an alert, threat hunters proactively assume that an advanced adversary is already operating inside the network and work to find evidence of its presence.

In this post, we discuss threat hunting, why it’s essential, and how you can enable your team to adopt efficient hunting strategies with the SentinelOne Platform.

What is Threat Hunting?

Threat hunting has been defined by some as “computer security incident response before there is an incident declared”. Others define it as “threat detection using the tools from incident response” or even “security hypothesis testing on a live IT environment.”

We define threat hunting as the process of searching across networks and endpoints to identify threats that evade security controls before they can execute an attack or fulfill their goals.

Rather than simply relying on security solutions to detect threats, threat hunting is a proactive approach to finding threats hidden in your network.

Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to threats; they actively search for them. This process involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data and analysis.

Threat hunting is also quite a different activity from either incident response or digital forensics. The purpose of DF/IR methodologies is to determine what happened after a breach was discovered. In contrast, when a team engages in threat hunting, the aim is to search for attacks that may have already slipped through your defensive layers.

Threat hunting differs from penetration testing and vulnerability assessment, too. Those attempt to simulate an attack and ask questions such as what ‘could’ happen if someone compromised my security, whereas threat hunters work from the premise that an attacker is already in the network and then look for indicators of compromise, lateral movement, and other tell-tale artifacts that may provide evidence of the attacker.

Why Do You Need To Incorporate Threat Hunting?

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage.

Simply stated, if you aren’t looking for threat actors inside your network, you may never know they are there. What if the attackers lock you out of the systems before you notice that you are under attack? With an efficient threat hunting program, you don’t have to stress over such possibilities.

Threat hunting is human-driven, iterative, adaptive, and systematic. Hence, it effectively reduces damage and overall risk to an organization, as its proactive nature enables security professionals to respond to incidents more rapidly than would otherwise be possible. It reduces the probability of an attacker being able to cause damage to an organization, its systems, and its data.

Threat hunting also reduces your reliance on external vendors that may not know your network or normal employee behavior as well as your threat hunting team might.

Finally, threat hunting will force you to learn your networks, systems, applications, and users.

Understanding all of these components is a critical element of a robust security framework.

Six Steps To Creating An Efficient Hunting Program

So how do you create a perfect and efficient hunting program? Well! In reality, the perfect hunting program rarely exists! You need your hunting program to be an iterative combination of processes, tools, and techniques continually evolving and adaptive to suit your organization. Here are six steps that will help you create an efficient threat hunting program in your organization.

1. Ensure You Have The Right Data.

No data, no hunt! Period!

All successful threat hunting begins with having the right data to answer the right questions. Without the right data, you will not be able to conduct a successful and meaningful hunt. You need to ensure you have telemetry that captures a wide range of activity and behaviors across multiple operating systems and which can serve as a base for all your threat hunting efforts. Device telemetry should include data like network traffic patterns, file hashes, processes, user activity, network activity, file operations, persistence activity, system and event logs, denied connections, and peripheral device activity.

Just having the raw data is not enough; you also need to ensure that you have context surrounding the data. Knowing which data to combine, correlate, or extend is critical. Ideally, you want tools that allow a clear overview of all the above data with powerful capabilities to automatically contextualize and correlate different events into unified detections that minimize the amount of manual sifting through raw logs.

SentinelOne’s patented Storyline™ technology provides analysts with real-time actionable correlation and context and lets security analysts understand the full story of what happened in your environment.

Each autonomous SentinelOne Agent builds a model of its endpoint infrastructure and real-time running behavior. Every element of a story has the same Storyline. This gives you the full picture of what happened on a device and what caused it to happen. SentinelOne automatically correlates related activity into unified alerts that provide Campaign Level Insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of responding to alerts.

2. Baseline To Understand What’s Normal In Your Environment

Threat hunters need a solid understanding of the organization’s profile and of business activities that could attract threat actors, such as hiring new staff or acquiring new assets or companies.

A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers (outlier analysis). Attackers will often want to blend in with ordinary users to acquire user credentials from phishing campaigns, so understanding a user’s typical behavior is a useful baseline for investigating anomalous file access or login events.

Combining that with understanding what company data is of value to attackers and where it is located can lead to creating hypotheses such as “Is an attacker trying to steal data located at a specific location?” This, in turn, could prompt data collection that answers questions like: “Which users have accessed that location for the first time in the last n days?”

SentinelOne’s behavioral AI engine leverages advanced data science methods to teach systems the difference between regular day-to-day operations and actual threat behavior.

This provides the analyst with the complete picture and any additional context needed to help them understand what normal looks like and enable them to spot any outliers. An alert is triggered if a pattern emerges, such as repeated login attempts from a country that is not the usual norm in your environment, which may indicate a potential brute force attack. This helps make threat detection and hunting faster and more accurate. SentinelOne also retains historical data from 14 days to 365+ days, available to query in near real-time, so that the hunting team can understand and analyze data over large periods of time.
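The two baseline questions raised above, “which users accessed a location for the first time in the last n days?” and “are there repeated logins from a country that is not normal for a user?”, worked through as an added example (not code from the original post or from SentinelOne) over constructed telemetry; the share names, user names, countries and the history-versus-recent window split are all assumptions.

```python
"""Baseline-and-outlier hunt over constructed endpoint telemetry (added example)."""
from collections import Counter, defaultdict
from datetime import date, timedelta

TODAY = date(2021, 1, 31)  # fixed "now" so the example is deterministic

# Constructed sample telemetry: (day, user, event_type, detail).
# file_access: detail is the share that was opened.
# login:       detail is the source country of the login.
TELEMETRY = [
    (date(2021, 1, 3),  "alice", "file_access", r"\\fs01\finance"),
    (date(2021, 1, 10), "alice", "file_access", r"\\fs01\finance"),
    (date(2021, 1, 27), "alice", "file_access", r"\\fs01\finance"),
    (date(2021, 1, 5),  "dave",  "file_access", r"\\fs01\engineering"),
    (date(2021, 1, 26), "dave",  "file_access", r"\\fs01\engineering"),
    (date(2021, 1, 28), "bob",   "file_access", r"\\fs01\finance"),
    (date(2021, 1, 29), "carol", "file_access", r"\\fs01\finance"),
    (date(2021, 1, 30), "carol", "file_access", r"\\fs01\finance"),
    (date(2021, 1, 3),  "alice", "login", "US"),
    (date(2021, 1, 10), "alice", "login", "US"),
    (date(2021, 1, 26), "alice", "login", "US"),
    (date(2021, 1, 4),  "bob",   "login", "US"),
    (date(2021, 1, 12), "bob",   "login", "US"),
    (date(2021, 1, 27), "bob",   "login", "US"),
    (date(2021, 1, 29), "bob",   "login", "RO"),
    (date(2021, 1, 29), "bob",   "login", "RO"),
    (date(2021, 1, 30), "bob",   "login", "RO"),
    (date(2021, 1, 5),  "carol", "login", "US"),
    (date(2021, 1, 28), "carol", "login", "DE"),
    (date(2021, 1, 26), "dave",  "login", "US"),
]


def split_windows(events, n_days, today=TODAY):
    """Split events into (history, recent): recent = the last n_days up to today."""
    cutoff = today - timedelta(days=n_days)
    history = [e for e in events if e[0] <= cutoff]
    recent = [e for e in events if cutoff < e[0] <= today]
    return history, recent


def first_time_access(location, n_days, events=TELEMETRY, today=TODAY):
    """Users who accessed `location` in the last n_days but never before that.

    The history window is the baseline; anyone in the recent window who is
    absent from it is a first-time accessor. Returns {user: recent_access_count}.
    """
    history, recent = split_windows(events, n_days, today)
    seen_before = {u for _, u, t, x in history if t == "file_access" and x == location}
    recent_counts = Counter(u for _, u, t, x in recent if t == "file_access" and x == location)
    return {u: c for u, c in recent_counts.items() if u not in seen_before}


def unusual_country_logins(n_days, min_count=2, events=TELEMETRY, today=TODAY):
    """Recent logins from a country absent from the user's own login baseline.

    A new-country login is reported only when it repeats at least `min_count`
    times (the text's "repeated login attempts"); a one-off is more often travel
    than a brute-force attempt. Users with no baseline at all are returned
    separately so the hunter can build one instead of guessing.
    Returns (flagged, no_baseline) with flagged = {user: {country: count}}.
    """
    history, recent = split_windows(events, n_days, today)
    baseline = defaultdict(set)
    for _, u, t, x in history:
        if t == "login":
            baseline[u].add(x)
    recent_logins = defaultdict(Counter)
    for _, u, t, x in recent:
        if t == "login":
            recent_logins[u][x] += 1
    flagged, no_baseline = {}, []
    for u, countries in recent_logins.items():
        if u not in baseline:
            no_baseline.append(u)
            continue
        odd = {c: k for c, k in countries.items() if c not in baseline[u] and k >= min_count}
        if odd:
            flagged[u] = odd
    return flagged, sorted(no_baseline)


if __name__ == "__main__":
    print("first-time finance access:", first_time_access(r"\\fs01\finance", 7))
    print("unusual-country logins:", unusual_country_logins(7))
```

Lowering `min_count` to 1 also surfaces carol's single login from DE, which is the kind of threshold decision a hunter tunes per environment.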

3. Develop A Hypothesis

Many hunts start from an intel source that uses Indicators of Compromise (IoCs), hash values, IP addresses, domain names, network or host artifacts provided by third-party data sources such as Information Sharing and Analysis Center (ISAC) or the FBI. Hunts can also be incident driven; given any incident, you need to answer how and when it happened. However, not all threats are known. In fact, a large number of threats are unknown, so hunting cannot solely rely on utilizing known methodologies.

In a hypothesis-driven workflow, a hunt starts with creating a hypothesis, or an educated guess, about some type of activity that might be going on in your environment. Using Open-source intelligence (OSINT) tools and frameworks like MITRE ATT&CK works effectively if you know what you are looking for.

That brings us to one of the essential components of threat hunting: hypothesis formation and testing. Hypotheses are typically formulated by hunters based on tools and frameworks, social intelligence, threat intelligence, and past experience. Generalized questions could include: “If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?” Other examples could include questions like “Why do I see encrypted HTTPS and FTP traffic to countries in the East in my environment?” or “Why do I see an abnormal volume of DNS queries from a single machine?”

Ideas can be derived from the following sources:

  • MITRE ATT&CK framework: a vast knowledge base of attack tactics, techniques, and procedures. Studying the MITRE techniques and their simulation in test environments can serve as a foundation for developing hypotheses.
  • Threat Intelligence reports: contain useful information about attack techniques and procedures based on real incidents. Systematic analysis of such reports should spark some thought and give rise to many threat hunting ideas.
  • Blogs, Twitter, and conference talks: information about new attack techniques appears for the first time via research blogs, and conferences, even before the attackers start actively using it. The timely study of such information will allow threat hunters to be proactive and prepare before the new attack technique becomes widespread.
  • Penetration testing: attackers tend to use tools similar to those applied by experienced pen testers. Therefore, studying pen-testing practices creates a treasure trove of knowledge for generating threat hunting hypotheses.

SentinelOne’s patented Deep Visibility lets you quickly and iteratively query and pivot across endpoint telemetry captured from endpoint devices to validate hypotheses.

SentinelOne automatically correlates all related objects (processes, files, threads, events, and more) of a threat. For example, suppose a process modifies a different process by injecting code. When you run a query, all interaction between the source process, target process, and parent process shows clearly in the cross-process details. This lets you quickly understand the data relationships: the root cause behind a threat with all of its context, relationships, and activities. Analysts can also leverage historical data to map advanced threat campaigns across time to enable efficient hypothesis generation.

You can create powerful hunting queries with easy-to-use shortcuts. For most threat hunters, the MITRE ATT&CK framework has become one of the go-to tools. SentinelOne makes hunting for MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) fast and painless. It’s as easy as entering the MITRE technique ID and using this to perform a hunt.

SentinelOne provides a query library of hunts using data from various open, commercial, and bespoke sources curated by SentinelOne research.

These hunts are the output of hypotheses that have been proven across research data and are generic. For example, the use of unmanaged, unsigned PowerShell is likely abnormal in most environments and would commonly require additional investigation. Such findings are not malicious in and of themselves, but they fit in a hunting workflow because they describe anomalies.
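Two of the hunting ideas above, unsigned PowerShell and an abnormal DNS query volume from one host, written as testable hypotheses that return evidence rather than a bare verdict. This is an added example, not code from the original post or from SentinelOne; the process and DNS records are constructed, and the ATT&CK technique mapping and the median-plus-MAD threshold are my assumptions.

```python
"""Hypothesis-driven hunts over constructed telemetry (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, Tuple

# Constructed process telemetry: (host, image, signature_valid, parent_image).
PROCESS_EVENTS = [
    ("ws01", "powershell.exe", True, "explorer.exe"),
    ("ws02", "powershell.exe", True, "cmd.exe"),
    ("ws03", "powershell.exe", False, "explorer.exe"),   # unsigned: the anomaly
    ("ws04", "notepad.exe", False, "explorer.exe"),      # unsigned but not PowerShell
    ("ws05", "powershell.exe", True, "explorer.exe"),
]

# Constructed DNS telemetry, one row per query: (host, queried_name).
# Six hosts with ordinary volume and one (ws07) that is far outside the norm.
_QUERY_COUNTS = {"ws01": 48, "ws02": 52, "ws03": 55, "ws04": 41,
                 "ws05": 60, "ws06": 45, "ws07": 900}
DNS_QUERIES = [(h, f"name{i}.example.net") for h, n in _QUERY_COUNTS.items() for i in range(n)]


@dataclass
class Hypothesis:
    statement: str
    technique: str                 # ATT&CK technique id (assumed mapping)
    test: Callable[[], List[str]]  # returns evidence lines; empty = not supported


def unsigned_powershell(events=PROCESS_EVENTS) -> List[str]:
    """Evidence for: PowerShell running from a binary without a valid signature."""
    return [f"{host}: {image} (parent {parent}) has no valid signature"
            for host, image, signed, parent in events
            if image.lower() in ("powershell.exe", "pwsh.exe") and not signed]


def dns_volume_outliers(queries=DNS_QUERIES, k=5.0) -> Dict[str, int]:
    """Hosts whose DNS query count exceeds median + k * MAD across all hosts.

    Median absolute deviation is used instead of mean/stddev so that one very
    noisy host cannot drag the threshold up far enough to hide itself.
    """
    counts: Dict[str, int] = {}
    for host, _ in queries:
        counts[host] = counts.get(host, 0) + 1
    values = list(counts.values())
    med = median(values)
    mad = median([abs(v - med) for v in values])
    threshold = med + k * mad
    return {h: c for h, c in counts.items() if c > threshold}


def dns_evidence() -> List[str]:
    return [f"{h}: {c} DNS queries, above the median-based threshold"
            for h, c in dns_volume_outliers().items()]


HYPOTHESES = [
    Hypothesis("Unsigned PowerShell is executing in the environment",
               "T1059.001", unsigned_powershell),
    Hypothesis("A single host is generating an abnormal volume of DNS queries",
               "T1071.004", dns_evidence),
]


def run_hunts(hypotheses=HYPOTHESES) -> Dict[str, Tuple[bool, List[str]]]:
    """Confirm or disprove each hypothesis on the data, keeping the evidence either way."""
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for h in hypotheses:
        evidence = h.test()
        results[h.statement] = (bool(evidence), evidence)
    return results


if __name__ == "__main__":
    for h in HYPOTHESES:
        supported, evidence = run_hunts([h])[h.statement]
        print(f"[{h.technique}] {h.statement}: {'CONFIRMED' if supported else 'disproven'}")
        for line in evidence:
            print("   ", line)
```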

4. Investigate & Analyze Potential Threats

After generating the hypothesis, the next step is to follow up on it by investigating various tools and techniques to discover new malicious patterns in the data and uncover the attacker’s TTPs. If the hypothesis is correct and evidence of malicious activity is found, then the threat hunter should immediately validate the nature, extent, impact, and scope of the finding.

Although threat hunting starts with a human-generated hypothesis, threat protection tools, like SentinelOne, make the investigation more efficient. SentinelOne’s Deep Visibility empowers rapid threat hunting capabilities thanks to Storyline. Each autonomous SentinelOne Agent monitors endpoint activity and real-time running behavior. A Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events, and other data with a single query.

With Storyline, Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat with all of its context, relationships, and activities revealed from one search.

Storyline allows threat hunters to understand the full story of what happened on an endpoint and enable them to see the complete chain of events, saving time for your security teams.

5. Rapidly Respond To Remediate Threats

Once you uncover a new TTP, you need to make sure you can effectively respond and remediate the threat.

The response should clearly define both short-term and long-term measures that will be used to neutralize the attack. The main goal of the response is to put an immediate end to the ongoing attack and protect the system from damage by the perceived threat. But it is also essential to understand the cause of the threat in order to improve security and prevent similar attacks in the future. All necessary steps must be taken to ensure that similar attacks are not likely to happen again.

SentinelOne enables analysts to take all the required actions needed to respond and remediate the threat with a single click.

With one click, the analyst can roll back the threat or perform any other available mitigation action. Rollback automatically restores files deleted or corrupted by ransomware activity to their pre-infection state, without needing to reimage the machine.

The threat can be added to Exclusions, marked as resolved, and notes can be added to explain the rationale behind the decisions taken. SentinelOne also offers full Remote Shell capabilities to give your security team a quick way to investigate attacks, collect forensic data, and remediate breaches no matter where the compromised endpoints are located, eliminating uncertainty and significantly reducing any downtime that results from an attack.

SentinelOne can also detect threats in advance with the aid of machine learning and intelligent automation. It anticipates threats and attacks by deeply inspecting files, documents, emails, credentials, browsers, payloads, and memory, and it can automatically disconnect a device from the network when it identifies a possible security threat or attack.

6. Enrich And Automate For Future Events

Finally, successful hunts form the basis for informing and enriching automated analytics. The final step in the threat hunting practice is to use the knowledge generated during the threat hunting process to enrich and improve EDR systems. This way, the organization’s global security is enhanced thanks to the discoveries made during the investigation.

Advanced threat hunting techniques will try to automate as many tasks as possible. Monitoring user behavior and comparing that behavior against itself to search for anomalies, for example, is far more effective than running individual queries. However, both techniques are likely to be required in practice. Both are made easier if you have tools like SentinelOne with a rich set of native APIs enabling full integration across your security software stack.

SentinelOne is designed to lighten the load on your team in every way, and that includes giving you the tools to set up and run custom threat hunting searches.

With Storyline Auto-Response (STAR) custom detection rules, you can turn Deep Visibility queries into automated hunting rules that trigger alerts and responses when the rules match. STAR gives you the flexibility to create custom alerts specific to your environment that enhance the alerting and triaging of events.

SentinelOne can also automatically mitigate detections according to the policy for suspicious threats or the policy for malicious threats, or put endpoints in Network Quarantine. Alerts are triggered in near real time and appear in the Activity log in the Management Console. You can also enable Syslog alerts for triage and SIEM integration.

After running the query in Deep Visibility and investigating the results, you can select an Auto-Response for the rule so that its detections are mitigated automatically. With that, your SentinelOne deployment protects your environment automatically, according to your needs, from every threat, every second of every day. Modern adversaries automate their tactics, techniques, and procedures to evade preventive defenses, so enterprise security teams can better keep up with attacks by automating their own manual workloads.
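The two mechanisms this section describes, pivoting on a Storyline ID to recover a whole chain of events (step 4) and turning a saved hunting query into an automated rule that alerts and responds (step 6), as an added example that is not SentinelOne code and does not use its query language. The events, hostnames, addresses, rule and log format are all constructed here; a saved query is modelled as a plain Python predicate.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Event:
    storyline_id: str   # one ID shared by every event in a causal chain
    endpoint: str
    kind: str           # "process", "file" or "network"
    detail: str

# Constructed sample telemetry (hypothetical hosts, names and addresses).
EVENTS: List[Event] = [
    Event("sl-100", "ws-01", "process", "outlook.exe spawned winword.exe"),
    Event("sl-100", "ws-01", "process", "winword.exe spawned powershell.exe"),
    Event("sl-100", "ws-01", "network", "powershell.exe connected to 198.51.100.7:443"),
    Event("sl-100", "ws-01", "file", "powershell.exe wrote C:\\Users\\Public\\update.dll"),
    Event("sl-200", "ws-02", "process", "explorer.exe spawned notepad.exe"),
    Event("sl-300", "ws-03", "process", "winword.exe spawned powershell.exe"),
]

def pivot_storyline(events, storyline_id):
    """From one suspicious event, pull every event sharing its Storyline ID."""
    return [e for e in events if e.storyline_id == storyline_id]

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Event], bool]  # the saved hunting query, as a predicate
    response: str                     # e.g. "alert" or "quarantine"

@dataclass(frozen=True)
class Detection:
    rule: str
    storyline_id: str
    endpoint: str
    response: str

def run_rules(events, rules):
    """Evaluate each rule over the stream. One detection per (rule, storyline),
    so the analyst gets the whole chain rather than one alert per event."""
    seen, detections = set(), []
    for e in events:
        for r in rules:
            key = (r.name, e.storyline_id)
            if key in seen or not r.matches(e):
                continue
            seen.add(key)
            detections.append(Detection(r.name, e.storyline_id, e.endpoint, r.response))
    return detections

def syslog_line(d, ts="2021-01-01T00:00:00Z"):
    """Key=value alert line a SIEM can parse (constructed format, not SentinelOne's)."""
    return (f"{ts} custom_rule={d.rule} storyline={d.storyline_id} "
            f"endpoint={d.endpoint} response={d.response}")

# Hypothetical rule: an Office document launching PowerShell.
OFFICE_SPAWNS_POWERSHELL = Rule(
    "office_spawns_powershell",
    lambda e: e.kind == "process" and e.detail.startswith("winword.exe spawned powershell"),
    "quarantine",
)

if __name__ == "__main__":
    for d in run_rules(EVENTS, [OFFICE_SPAWNS_POWERSHELL]):
        print(syslog_line(d), [e.detail for e in pivot_storyline(EVENTS, d.storyline_id)])
```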

Closing Thoughts

Implementing a threat hunting program brings the organization many benefits, including proactively uncovering security incidents, faster incident response times, and a more robust security posture. Effective threat hunting should result in less work for your busy analysts while future-proofing your SOC against a variety of known and unknown adversaries. SentinelOne gives you the visibility, ease of use, speed, and context to make threat hunting more effective than ever before. Please contact us or request a demo to see how SentinelOne can help you develop an efficient hunting program.

Additional Resources

Deep Dive – Hunting with MITRE ATT&CK
Use the S1QL Cheatsheet For Security Analysis
Learn more about Rapid Threat Hunting with Storyline
Visit SentinelOne Platform page
Visit SANS Threat Hunting Report – Automating Hunt
Read Gartner Report about Using Threat Hunting for Proactive Threat Detection



UK’s WhiteHat rebrands as Multiverse, raises $44M to build tech apprenticeships in the US

University education is getting more expensive, and at the moment it feels a bit like a Petri dish for infections, but the long-term trends continue to show a dramatic growth in the number of people worldwide getting degrees beyond high school, with one big reason for this being that a college degree generally provides better economic security.

But today, a startup that is exploring a different route for those interested in technology and knowledge worker positions — specifically by way of apprenticeships to bring in and train younger people on the job — is announcing a significant round of growth funding to see if it can provide a credible, scalable alternative to that model.

Multiverse, a U.K. startup that works with organizations to develop these apprenticeships, and then helps source promising, diverse candidates to fill those roles, has raised $44 million, funding that it will be using to spearhead a move into the U.S. market after picking up some 300 clients in the U.K. and thousands of apprentices.

The Series B is being led by General Catalyst (which has been especially active this week with U.K. startups: it also led a large round yesterday for Bloom & Wild), with GV (formerly known as Google Ventures), Audacious Ventures, Latitude and SemperVirens also participating. Index Ventures and Lightspeed Venture Partners, which first invested in the company in its $16 million Series A in 2020, also participated.

Valuation is not being disclosed, but for what it’s worth, the round was one that generated a lot of interest. In between getting pitched this story and publishing it, the size of the Series B grew by $8 million (it was originally closed at $36 million). The FT notes that the valuation was around $200 million with this round, but the company says that is “speculation on the FT’s part.”

The company was originally co-founded as WhiteHat and is officially rebranding today. Co-founder Euan Blair (who happens to be the son of the former U.K. Prime Minister Tony Blair and his accomplished barrister wife Cherie Booth Blair) said the name change was because the original name was a reference to how the startup sought to “hack the system for good.”

However, he added, “The scale has become bigger and more evolved.” The new name is to convey that — as in gaming, which is probably the arena where you might have heard this term before — “anything is possible.”

There are “multiple universes” one can inhabit as a post-18 young adult, Blair continued. While it’s been assumed that to get into tech, the obvious route was a two-to-four year (and often more) tour through college or university to pick up a higher education degree, the bet that Multiverse is making here is that apprenticeships can easily, and widely, become another. “We want to build an outstanding alternative to university and college,” he said. Its apprenticeships typically last 1.5 years.

The idea of an “outstanding alternative” is especially important when thinking of how to target more marginalized groups and how this ties up with how tech companies are looking to be more diverse in the future, without cutting down on the quality of what people are getting out of the experience, or the resulting talent that is getting recruited.

There’s long been a stigma attached to less prestigious institutions, and putting money or effort into another channel to perpetuate that doesn’t really make sense or point to progress.

Blair said that currently over half of the people making their way through Multiverse are people of color, and 57% are women, and the plan is to build tools to make that an even firmer part of its mission.

The startup sees itself as part tech company and part education enterprise.

It works with tech companies and others to open up opportunities for people who have not had any higher education or any training, where fresh high school graduates can come in, learn the ropes of a job while getting paid and then continue on working their way up the ladder with that knowledge base in place.

Apprenticeships on the platform right now range from data analysts through to exhibition designers, and the idea is that by opening up and targeting the U.S. market, the breadth, number and location of roles will grow.

This is not just a social enterprise: There is actual money in this area. Blair said that prices it charges the companies it works with range by qualification, “but are broadly around the $15,000 mark.” (The individuals applying don’t pay anything, and they will also be paid by the companies providing the apprenticeships.)

On the educational front, Multiverse doesn’t just connect people as a recruiter might: it has a team in place to build out what the “curriculum” might be for a particular apprenticeship, and how to deliver and train people with the requisite skills alongside the practice experience of working, and more.

That latter role, of course, has taken on a more poignant dimension in the last year: Concepts like remote training and virtual mentorship have very much come into their own at a time when offices are largely standing empty to help reduce the spread of COVID-19.

Regardless of what happens in the year ahead — fingers crossed that vaccinations and other efforts will help us collectively move past where we are right now — many believe that the infrastructure that has been put into place to keep working virtually will continue to be used, which bodes well for a company like Multiverse that is building a business around that, both with technology it creates itself and will bring in from third parties and partners.

Indeed, the ecosystem of companies building tools to deliver educational content, provide training and work collaboratively has really boomed in the pandemic, giving companies like Multiverse a large library of options for how to bring people into new work situations. (Google, which is now an investor in Multiverse, is very much one of the makers of such education tools.)

Apprenticeships are an interesting area for a startup to tackle. Traditionally, it’s a term that would have been associated mainly with skilled labor positions, rather than “knowledge workers.”

But with the bigger swing that the globe has seen away from industrial and towards knowledge economies, there is an argument to be made for building more enterprises and opportunities for an ever wider pool of users, rather than expecting everyone to be shoehorned into the models of the last 50 years. (The latter would essentially imply that college is possibly the only way up.)

It might also be fair to claim that Blair’s connections helped him secure funding and open doors with would-be customers, and that might well be the case, but ultimately the startup will live or die by how well it executes on its premise: whether it finds a good way to connect more people, engage them in opportunities and keep them on board.

This is what really attracted the investors, said Joel Cutler, managing director and co-founder of General Catalyst.

“Euan has a genuine belief that this is important, and when you talk to him, you get a feeling of manifest destiny,” Cutler said in an interview. In response to the question of family connections, he said that this was precisely the kind of issue that the technology industry should be tackling to fight.

“Of all the industries to break the mold of where you went to school, it should be the tech world that will do that, since it is far more of a meritocracy than others. This is the perfect place to start to break that mold,” he said. “Education will be super valuable but apprenticeships will also be important.” He noted that another company that General Catalyst invests in, Guild Education, is addressing similar opportunities, or rather the gaps in current opportunities, for older people.

StackPulse announces $28M investment to help developers manage outages

When a system outage happens, chaos can ensue as the team tries to figure out what’s happening and how to fix it. StackPulse, a new startup that wants to help developers manage these crisis situations more efficiently, emerged from stealth today with a $28 million investment.

The round actually breaks down to a previously unannounced $8 million seed investment and a new $20 million Series A. GGV led the A round, while Bessemer Venture Partners led the seed and also participated in the A. Glenn Solomon at GGV and Amit Karp at Bessemer will join the StackPulse board.

Nobody is immune to these outages. We’ve seen incidents from companies as varied as Amazon and Slack in recent months. The biggest companies like Google, Facebook and Amazon employ site reliability engineers and build customized platforms to help remediate these kinds of situations. StackPulse hopes to put this kind of capability within reach of companies whose only defense is their on-call developers.

Company co-founder and CEO Ofer Smadari says that in the midst of a crisis with signals coming at you from Slack and PagerDuty and other sources, it’s hard to figure out what’s happening. StackPulse is designed to help sort out the details to get you back to equilibrium as quickly as possible.

First off, it helps identify the severity of the incident. Is it a false alarm or something that requires your team’s immediate attention or something that can be put off for a later maintenance cycle? If there is something going wrong that needs to be fixed right now, StackPulse can not only identify the source of the problem, but also help fix it automatically, Smadari explained.

After the incident has been resolved, it can also help with a post-mortem to figure out what exactly went wrong by pulling in all of the alert communications and incident data into the platform.

As the company emerges from stealth, it has some early customers, and 35 employees based in Portland, Oregon and Tel Aviv. Smadari says that he hopes to have 100 employees by the end of this year. As he builds the organization, he is thinking about how to build a diverse team for a diverse customer base. He believes that people with diverse backgrounds build a better product. He adds that diversity is a top level goal for the company, which already has an HR leader in place to help.

Glenn Solomon from GGV, who will be joining the company board, saw a strong founding team solving a big problem for companies and wanted to invest. “When they described the vision for the product they wanted to build, it made sense to us,” he said.

Customers are impatient with down time and Solomon sees developers on the front line trying to solve these issues. “Performance is more important than ever. When there is downtime, it’s damaging to companies,” he said. He believes StackPulse can help.

Citrix is acquiring Wrike from Vista for $2.25B

Citrix announced today that it plans to acquire Wrike, a SaaS project management platform, from Vista Equity Partners for $2.25 billion. Vista bought the company just two years ago.

Citrix, which is best known for its digital workspaces, sees this as a good match, especially at a time when employees have been forced to work from home because of the pandemic. Combining the two companies produces a powerful approach, one that didn’t escape Citrix CEO and president David Henshall.

“Together, Citrix and Wrike will deliver the solutions needed to power a cloud-delivered digital workspace experience that enables teams to securely access the resources and tools they need to collaborate and get work done in the most efficient and effective way possible across any channel, device or location,” Henshall said in a statement.

Andrew Filev, founder and CEO at Wrike, who has managed the company through these multiple changes and remains at the helm, believes his company has landed in a good spot with the Citrix purchase.

“First, as part of the Citrix family we will be able to scale our product and accelerate our roadmap to deliver capabilities that will help our customers get more from their Wrike investment. We have always listened to our customers and have built our product based on their feedback — now we will be able to do more of that, faster,” Filev wrote in a company blog post announcing the deal, stating a typical argument from CEOs of acquired companies.

The startup reports $140 million ARR, growing at 30% annually, so that comes out to approximately 16x its present-day revenue, which is the price companies are generally paying for acquisitions these days. However, as Wrike expects to reach $180 million to $190 million in ARR this year, the company’s sale price could look like a bargain in a few years’ time if the projections come to pass.

The price was not revealed in the 2018 sale, but it surely feels like a big win for Vista. Consider that Wrike has previously raised just $26 million.

A first look at Qualtrics’ IPO pricing

Earlier today, Qualtrics dropped a new S-1 filing, this time detailing its proposed IPO pricing. That means we can now get a good look at how much the company may be worth when it goes public later this month.

The debut has been one TechCrunch has been looking forward to since the company announced that it would be spun out from its erstwhile corporate parent, SAP. In 2019, the Germany-based enterprise giant SAP snatched up Qualtrics for $8 billion just before it was to go public.

Qualtrics is either worth less than we would have guessed, or its first IPO range feels light.

That figure provides a good marker for how well SAP has done with the deal and how much value Qualtrics has generated in the intervening years. Keep in mind, however, that the value of software companies has risen greatly in the last few years, so the numbers we’ll see below benefit from a market-wide repricing of recurring revenue.

Qualtrics estimates that it may be worth $22 to $26 per share when it goes public. Is that a lot? Let’s find out.

Qualtrics’ first IPO range

First, scale. Qualtrics is selling just under 50 million shares in its public offering. As you can math out, at more than $20 per share, the company is looking to raise north of $1 billion.

After going public, Qualtrics anticipates having 510,170,610 shares outstanding, inclusive of its 7.4 million underwriter option. Using that simple share count, Qualtrics would be worth $11.2 billion to $13.3 billion.