Moveworks expands IT chatbot platform to encompass entire organization

When investors gave Moveworks a hefty $75 million Series B at the end of 2019, they were investing in a chatbot startup that to that point had been tuned to answer IT help questions in an automated way. Today, the company announced it had used that money to expand the platform to encompass employee questions across all lines of business.

At the time of that funding, nobody could have anticipated a pandemic either, but throughout last year as companies moved to work from home, having an automated system like Moveworks in place became even more crucial, says CEO and company co-founder Bhavin Shah.

“It was a tragic year on a variety of fronts, but what it did was it coalesced a lot of energy around people’s need for support, people’s need for speed and help,” Shah said. It helps that employees typically access the Moveworks chatbot inside collaboration tools like Slack or Microsoft Teams, and people have been spending more time in these tools while working at home.

“We definitely saw a lot more interest in the market, and part of that was fueled by the large scale adoption of collaboration tools like Slack and Microsoft Teams by enterprises around the world,” he said.

The company is working with 100 large enterprise customers today, and those customers were looking for a more automated way for employees to ask questions about a variety of tooling from HR to finance and facilities management. While Shah says expanding the platform to move beyond IT into other parts of an organization had been on the roadmap, the pandemic definitely underscored the need to expand even more.

While the company spent its first several years tuning the underlying artificial intelligence technology for IT language, they had built it with expansion in mind. “We learned how to build a conversational system so that it can be dynamic and not be predicated on some person’s forethought around [what the question and answer will be] — that approach doesn’t scale. So there were a lot of things around dealing with all these enterprise resources and so forth that really prepared us to be an enterprise-wide partner,” Shah said.

The company also announced a new communications tool that enables companies to use the Moveworks bot to communicate directly with employees to get them to take some action. Shah says companies usually send out an email telling employees, for example, that they have to update their password. The bot tells you it’s time to do that and provides a link to walk you through the process. He says that beta testers have seen a 70% increase in responses using the bot to communicate about an action instead of email.

Shah recognizes that a technology that understands language is going to have a lot of cultural variances and nuances and that requires a diverse team to build a tool like this. He says that his HR team has a set of mandates to make sure they are interviewing people in under-represented roles to build a team that reflects the needs of the customer base and the world at large.

The company has been working with about a dozen customers over the last 9 months on the platform expansion, iterating with these customers to improve the quality of the responses, regardless of the type of question or which department it involves. Today, these tools are generally available.

Hex lands $5.5M seed to help data scientists share data across the company

As companies embrace the use of data, hiring more data scientists, a roadblock persists around sharing that data. It requires too much copying and pasting and manual work. Hex, a new startup, wants to change that by providing a way to dispense data across the company in a streamlined and elegant way.

Today, the company announced a $5.5 million seed investment, and also announced that it’s opening up the product from a limited beta to be more widely available. The round was led by Amplify Partners with help from Box Group, XYZ, Data Community Fund, Operator Collective and a variety of individual investors. The company closed the round last July, but is announcing it for the first time today.

Co-founder and CEO Barry McCardel says that it’s clear that companies are becoming more data-driven and hiring data scientists and analysts at a rapid pace, but there is an issue around data sharing, one that he and his co-founders experienced first-hand when they were working at Palantir.

They decided to develop a purpose-built tool for sharing data with other parts of the organization that are less analytically technical than the data science team working with these data sets. “What we do is we make it very easy for data scientists to connect to their data, analyze and explore it in notebooks. […] And then they can share their work as interactive data apps that anyone else can use,” McCardel explained.

Most data scientists work with their data in online notebooks like Jupyter where they can build SQL queries and enter Python code to organize it, chart it, and so forth. What Hex is doing is creating this super-charged notebook that lets you pull a data set from Snowflake or Amazon Redshift, work with and format the data in an easy way, then drag and drop components from the notebook page — maybe a chart or a data set — and very quickly build a kind of app that you can share with others.

Hex app example with data elements at the top and live graph below it.

Image Credits: Hex

The startup has 9 employees including co-founders McCardel, CTO Caitlin Colgrove and VP of architecture Glen Takahashi. “We’ve really focused on the team front from an early stage, making sure that we’re building a diverse team. And actually today our engineering team is majority female, which is definitely the first time that that’s ever happened to me,” Colgrove said.

She is also part of a small percentage of female founders. A report last year from Silicon Valley Bank found that while the number was heading in the right direction, only 28% of US startups have at least one female founder. That was up from 22% in 2017.

The company was founded in late 2019 and the founders spent a good part of last year building the product and working with design partners. They have a small set of paying customers, and are looking to expand that starting today. While customers still need to work with the Hex team for now to get going, the plan is to make the product self-serve some time later this year.

Hex’s early customers include Glossier, imgur and Pave.

Whistleblower: Ubiquiti Breach “Catastrophic”

On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.

A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party.

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Adam says Ubiquiti’s security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren’t accounted for.

Then they found a backdoor that an intruder had left behind in the system.

When security engineers removed the backdoor account in the first week of January, the intruders responded by sending a message saying they wanted 50 bitcoin (~$2.8 million USD) in exchange for a promise to remain quiet about the breach. The attackers also provided proof they’d stolen Ubiquiti’s source code, and pledged to disclose the location of another backdoor if their ransom demand was met.

Ubiquiti did not engage with the hackers, Adam said, and ultimately the incident response team found the second backdoor the extortionists had left in the system. The company would spend the next few days furiously rotating credentials for all employees, before Ubiquiti started alerting customers about the need to reset their passwords.

But he maintains that instead of asking customers to change their passwords when they next log on — as the company did on Jan. 11 — Ubiquiti should have immediately invalidated all of its customers’ credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

If you have Ubiquiti devices installed and haven’t yet changed the passwords on the devices since Jan. 11 this year, now would be a good time to take care of that.

It might also be a good idea to just delete any profiles you had on these devices, make sure they’re up to date on the latest firmware, and then re-create those profiles with new [and preferably unique] credentials. And seriously consider disabling any remote access on the devices.

Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349.

SOC Fundamentals | Tuning the Signal To Noise Ratio

Ask any security operations analyst about their biggest frustrations, and alert fatigue will be among them. They constantly struggle to identify the serious threat indicators while ignoring the false positives. Scientists and engineers have a name for this balance between useful and irrelevant data. It’s called the signal-to-noise ratio.

The signal is the important data, while the noise is everything else; the white noise that gets in the way. When the signal-to-noise ratio is too low, the noise drowns out what’s important. Experts from radio operators to genome scientists grapple with these issues in some form.

Improving the signal-to-noise ratio is also a problem for modern IR teams who face information overload. They are swamped with rising levels of network event data. They have trouble sifting through it all to find the real threats. Sometimes they fail, with potentially disastrous consequences.

Too Much Data, Too Few Resources

The problem facing SOCs is twofold. The first issue is data volume. There’s a lot of it. Modern networks are information firehoses, churning out rivers of data. Every year, better network telemetry increases that volume. The result is a surplus of alerts, which we can call ‘candidate signals’. These are interesting data points that might warrant further investigation.

This is compounded by the second problem: resource scarcity. SOCs continually struggle to find enough talent to cope with the flood of data from increasingly complex infrastructures. Without those manual skills, many find themselves overburdened and unable to get the intelligence they need from the data that’s coming in.

The natural reaction to not having enough of a signal is to add more data. For many SOCs, this means buying more tools and telemetry, typically in the form of endpoint detection and response (EDR) or endpoint protection platform (EPP) products.

This is the wrong approach. Many SOCs’ incident response platforms are already disjointed, comprising tools from different vendors, acquired over time, that don’t play well together. This makes it difficult to get an end-to-end view of the incident response process, and in most cases also stops operators handing off interesting telemetry investigations to each other.

Adding to these platforms might create more relevant signals, but it won’t help SOCs to spot them. It will do the opposite, creating more noise that drowns those signals out. Any attempt to fix the SOC by generating more data amplifies the underlying problem.

If the signal-to-noise ratio remains low, then the growth in network telemetry becomes a greater source of risk. Poor candidate signal filtering leaves operators unsure where to begin and blinds them to real, time-critical attacks. The results can be catastrophic.

The Answer to Alert Fatigue

SOCs can’t dig themselves out of this hole by generating more data. Instead, they must address the underlying problem. They must find better ways to spot the right signals in the data they already have. To do that, they must alter the signal-to-noise ratio.

In practice, this means reducing the number of candidate signals. SOCs must present SOC analysts with fewer alerts so that they can focus their attention on what really matters.

The key to increasing the signal-to-noise ratio is a tightly integrated end-to-end tool chain. This is a set of tools that work together seamlessly with little overlap, and that can all exchange data with each other smoothly throughout the entire cycle of detection, containment, mitigation, cleanup, and post-incident analysis.


This approach helps in several ways. First, it reduces the noise from different tools that would otherwise overlap with each other. This eliminates the shadow signals that can distract busy operators.

It also combines events and alerts into incidents, which are larger, more visible data elements that are easier to track. This gives analysts a top-down view of candidate signals without having to trawl through low-level events and correlate them manually.

Finally, it enables SOCs to better automate the detection, analysis, and reporting of incidents. This automation is a key part of the event correlation process.

A well-formed tool chain detects candidate signals early, developing them through several stages of analysis. This allows the SOC to either confirm and escalate candidate signals or dismiss them quickly if they are found to be benign. This helps to automatically mitigate many incidents without having to alert human operators, leaving them to focus on those alerts that need their attention.
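The three effects described above (removing overlapping alerts, grouping alerts into incidents, and dismissing or escalating automatically) can be sketched as a small pipeline. This is an added example, not code from the article or from any vendor; the alert fields, tool names, behaviour labels, the 10-minute window and the benign allowlist are all assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
# Assumed allowlist of known-good (process, behaviour) pairs.
BENIGN = {("backup-agent.exe", "mass_file_read")}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    tool: str        # which product raised it (hypothetical names)
    host: str
    process: str
    behaviour: str   # hypothetical normalised behaviour label


@dataclass
class Incident:
    host: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)


def dedupe(alerts):
    """Stage 1: drop overlapping alerts. A repeat of the same
    host/process/behaviour within WINDOW of the previous sighting,
    from any tool, is suppressed."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.host, a.process, a.behaviour)
        prev = last_seen.get(key)
        if prev is None or a.ts - prev > WINDOW:
            kept.append(a)
        last_seen[key] = a.ts  # sliding window: repeats extend suppression
    return kept


def correlate(alerts):
    """Stage 2: group alerts per host into incidents. A gap longer
    than WINDOW on the same host opens a new incident."""
    incidents, open_by_host = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_host.get(a.host)
        if inc is None or a.ts - inc.last_seen > WINDOW:
            inc = Incident(a.host, a.ts, a.ts)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.alerts.append(a)
        inc.last_seen = a.ts
    return incidents


def verdict(inc):
    """Stage 3: dismiss if everything is allowlisted, escalate when
    two or more distinct suspicious behaviours chain on one host,
    otherwise queue for low-priority review."""
    suspicious = {a.behaviour for a in inc.alerts
                  if (a.process, a.behaviour) not in BENIGN}
    if not suspicious:
        return "dismiss"
    return "escalate" if len(suspicious) >= 2 else "review"


def triage(alerts):
    """Run all stages; returns (host, alert_count, verdict) per incident."""
    return [(i.host, len(i.alerts), verdict(i))
            for i in correlate(dedupe(alerts))]


# Constructed sample: eight raw alerts from four hypothetical tools.
T0 = datetime(2021, 3, 30, 9, 0)
m = lambda n: T0 + timedelta(minutes=n)
SAMPLE = [
    Alert(m(0), "edr", "ws-01", "powershell.exe", "encoded_command"),
    Alert(m(1), "av", "ws-01", "powershell.exe", "encoded_command"),
    Alert(m(3), "edr", "ws-01", "powershell.exe", "credential_access"),
    Alert(m(4), "ndr", "ws-01", "powershell.exe", "outbound_beacon"),
    Alert(m(2), "edr", "fs-02", "backup-agent.exe", "mass_file_read"),
    Alert(m(5), "siem", "fs-02", "backup-agent.exe", "mass_file_read"),
    Alert(m(6), "edr", "ws-07", "winword.exe", "macro_spawned_child"),
    Alert(m(40), "edr", "ws-01", "chrome.exe", "unsigned_extension"),
]

if __name__ == "__main__":
    for host, count, decision in triage(SAMPLE):
        print(f"{host}: {count} alert(s) -> {decision}")
```

On the sample, eight raw alerts become four incidents, of which only three reach an analyst and one is flagged for escalation.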

Easing the SOC’s Burden With Contextualized Data

SOCs that invest in tool chain integration will enjoy a smaller, refined set of alerts that come with the appropriate, contextualized data, ready for human operators to deal with efficiently.

This higher signal-to-noise ratio will show up on analyst screens, reducing their cognitive load. It will mean fewer investigations and shorter investigation times. This will lead to better outcomes for SOCs in the form of shorter containment times and an overall reduction in response times. Ideally, this will prevent attackers from getting close to your infrastructure, but in the event of a successful compromise, it can also reduce attacker dwell time, mitigating the effect of the attack.

When it comes to handling fast-moving cybersecurity incidents, the sharper focus that comes from a less cluttered data environment can be the difference between containing an incident before it does any damage, and making the next week’s headlines for all the wrong reasons.


The Time For Change Is Now

This optimisation process should begin as early as possible in the incident response process. The longer that the SOC allows less relevant candidate signals to linger, the more they will proliferate and the more difficult it will be to discern what’s important. Triaging candidate signals as soon as possible frees up analysts to apply their skills to the signals that matter. In an industry where talent is hard to come by, it’s imperative to keep those analysts as productive as possible.

With that in mind, now is the time to support these goals by revising your process chain to look for improvement opportunities. Take a beat and step back to examine your overall tool set and your team structure. At some point, you might find that generating more telemetry yields results, but only if you have the capabilities to weed out the noise quickly. In the meantime, less is more.

If you’d like to learn more about how the SentinelOne Singularity platform can help your organization achieve these goals, contact us for more information or request a free demo.



EQT Ventures promotes Laura Yao to partner; hires Anne Raimondi as operating partner

EQT Ventures, an investment firm based in Europe that has raised more than €1.2 billion ($1.4 billion USD), announced that it has promoted Laura Yao to partner. At the same time, the firm announced it recently hired Anne Raimondi, former SVP of Operations at Zendesk, as operating partner.

The company is based in Stockholm, with offices in London, Berlin, Paris, Amsterdam and Luxembourg. Yao is based in the U.S. office in San Francisco, where she has been working for three years prior to her recent promotion to partner. She says that the company tends to hire people with operator experience because they relate well to the founders of startups in which they invest.

“Our goal is to partner with the most ambitious and boldest founders in Europe and the U.S. and kind of be the investors that we all wish we’d had when we were on the other side of the table,” Yao told me.

Yao’s background includes co-founding a startup called The PhenomList in 2011.

While she is responsible for looking for new investments, Raimondi works with the existing portfolio of companies, particularly B2B SaaS companies, helping them with practical aspects of building a startup like go-to-market strategy, organizational design, hiring executives and other components of company building.

“I joined earlier this year as an operating partner, so I’m not on the investing side but actually focused on working with existing portfolio company founders as they grow and scale,” Raimondi said.

Unfortunately, female partners like Yao and Raimondi remain a rarity in most venture firms, with a Crunchbase report from last April finding that just 3% of investors are women, and that over two-thirds of firms don’t have a single woman as a partner.

EQT has a 50/50 male to female employee ratio. Yao joins Ashley Lundstrom as a full partner, alongside Raimondi in her role as operating partner. There are currently six full partners as the company attempts to make the investment team reflect the rest of the company and the population at large.

Part of Raimondi’s job is talking to startups about building diverse and equitable organizations and she and Yao know the company needs to model that. She says that thriving startups understand on the product side that to build a successful product, they start with a hypothesis, then develop targets and metrics to test, learn and then iterate.

She says that they need to do the same thing to build a diverse and inclusive company. That starts with defining what diversity and inclusion looks like and setting up metrics to measure their progress.

“You evaluate [your diversity goals] and hold [the company] accountable to what you’ve signed up for. If you don’t meet them, [you look at] what can you do to improve them. Then you look at how you keep iterating, and then constantly measuring the employee experience across many dimensions, including not only diversity, but the important part of belonging,” Raimondi said.

Both women say their company does a good job at this, and their hiring/promotion proves that. Yao says that the organization as a whole has created a comfortable and inclusive culture. “It’s very collaborative and egalitarian. Anyone can say whatever’s on their mind. It’s very non-hierarchical and a comfortable place for a woman to work. I felt immediately welcomed and that my ideas were welcome immediately,” she said.

The company portfolio includes startups in the U.S. and Europe and the firm sees itself as a bridge between the two locations. The companies EQT has invested in include bug bounty startup HackerOne, website building technology Netlify and quantum computing startup Seeqc.


Testing platform Tricentis acquires performance testing service Neotys

If you develop software for a large enterprise company, chances are you’ve heard of Tricentis. If you don’t develop software for a large enterprise company, chances are you haven’t. The software testing company with a focus on modern cloud and enterprise applications was founded in Austria in 2007 and grew from a small consulting firm to a major player in this field, with customers like Allianz, BMW, Starbucks, Deutsche Bank, Toyota and UBS. In 2017, the company raised a $165 million Series B round led by Insight Venture Partners.

Today, Tricentis announced that it has acquired Neotys, a popular performance testing service with a focus on modern enterprise applications and a tests-as-code philosophy. The two companies did not disclose the price of the acquisition. France-based Neotys launched in 2005 and raised about €3 million before the acquisition. Today, it has about 600 customers for its NeoLoad platform. These include BNP Paribas, Dell, Lufthansa, McKesson and TechCrunch’s own corporate parent, Verizon.

As Tricentis CEO Sandeep Johri noted, testing tools were traditionally script-based, which also meant they were very fragile whenever an application changed. Early on, Tricentis introduced a low-code tool that made the automation process both easier and resilient. Now, as even traditional enterprises move to DevOps and release code at a faster speed than ever before, testing is becoming both more important and harder for these companies to implement.

“You have to have automation and you cannot have it be fragile, where it breaks, because then you spend as much time fixing the automation as you do testing the software,” Johri said. “Our core differentiator was the fact that we were a low-code, model-based automation engine. That’s what allowed us to go from $6 million in recurring revenue eight years ago to $200 million this year.”

Tricentis, he added, wants to be the testing platform of choice for large enterprises. “We want to make sure we do everything that a customer would need, from a testing perspective, end to end. Automation, test management, test data, test case design,” he said.

The acquisition of Neotys allows the company to expand this portfolio by adding load and performance testing as well. It’s one thing to do the standard kind of functional testing that Tricentis already did before launching an update, but once an application goes into production, load and performance testing becomes critical as well.

“Before you put it into production — or before you deploy it — you need to make sure that your application not only works as you expect it, you need to make sure that it can handle the workload and that it has acceptable performance,” Johri noted. “That’s where load and performance testing comes in and that’s why we acquired Neotys. We have some capability there, but that was primarily focused on the developers. But we needed something that would allow us to do end-to-end performance testing and load testing.”

The two companies already had an existing partnership and had integrated their tools before the acquisition — and many of its customers were already using both tools, too.

“We are looking forward to joining Tricentis, the industry leader in continuous testing,” said Thibaud Bussière, president and co-founder at Neotys. “Today’s Agile and DevOps teams are looking for ways to be more strategic and eliminate manual tasks and implement automated solutions to work more efficiently and effectively. As part of Tricentis, we’ll be able to eliminate laborious testing tasks to allow teams to focus on high-value analysis and performance engineering.”

NeoLoad will continue to exist as a stand-alone product, but users will likely see deeper integrations with Tricentis’ existing tools over time, including Tricentis Analytics, for example.

Johri tells me that he considers Tricentis one of the “best kept secrets in Silicon Valley” because the company not only started out in Europe (even though its headquarters is now in Silicon Valley) but also because it hasn’t raised a lot of venture rounds over the years. But that’s very much in line with Johri’s philosophy of building a company.

“A lot of Silicon Valley tends to pay attention only when you raise money,” he told me. “I actually think every time you raise money, you’re diluting yourself and everybody else. So if you can succeed without raising too much money, that’s the best thing. We feel pretty good that we have been very capital efficient and now we’re recognized as a leader in the category — which is a huge category with $30 billion spend in the category. So we’re feeling pretty good about it.”

MessageBird acquires 24sessions to bring video to its ‘omnichannel’ platform

MessageBird, the omnichannel cloud communications platform recently valued at $3 billion, is continuing to ramp up its M&A activity. Following last year’s acquisition of Pusher, a company that provides real-time web technologies, it is announcing that it has acquired “video-first” customer engagement platform 24sessions, and customer data platform Hull.

Terms of the two new deals aren’t being disclosed, although MessageBird founder and CEO Robert Vis tells me the three acquisitions add up to about $100 million in total, and we already know that Pusher’s acquisition price was $35 million. I also understand that the 24sessions and Hull acquisitions saw both companies’ investors exit entirely.

Originally seen as a European or “rest of the world” competitor to U.S.-based Twilio — offering a cloud communications platform that supports voice, video and text capabilities all wrapped up in an API — MessageBird has since repositioned itself as an “Omnichannel Platform-as-a-Service” (OPaaS). The idea is to easily enable enterprises and medium and smaller-sized companies to communicate with customers on any channel of their choosing.

Out of the box, this includes support for WhatsApp, Messenger, WeChat, Twitter, Line, Telegram, SMS, email and voice. Customers can start online and then move their support request or query over to a more convenient channel, such as their favourite mobile messaging app, which, of course, can go with them. It’s all part of Vis’ big bet that the future of customer interactions is omni-channel.

To that end, the acquisition of 24sessions adds another channel: video. This, Vis tells me, is a particularly important channel where in-person interactions are being replicated digitally. However, he says it’s not just enough to have a video option — you need one that is compliant and secure. This is especially true for regulated industries such as financial services and healthcare. In addition, 24sessions is web-based, meaning that end-users aren’t required to install an app.

“Bringing a safe, secure and customizable video platform into the MessageBird family is the next step in our strategic journey,” said Vis in a statement. “Our portfolio of owned services already includes SMS, voice, email, OTT, social, live chat and push. The addition of 24sessions’ video platform gives us one of the world’s most comprehensive and powerful omnichannel offerings, and is consistent with our having end-to-end control of the stack in order to create magical experiences for our customers”.

“By joining forces with MessageBird, we’re making a leap forward in our mission to improve personal customer contact and turn it into a smooth digital experience, without losing the human touch,” adds Rutger Teunissen, CEO of 24sessions. “Video has become a more embedded, instant, intelligent, and integrated part of the omnichannel customer experience”.

However, communicating with customers more efficiently doesn’t just mean interacting with them on the channels of their choosing and building backend workflows to support this, it also requires a better understanding of the customer and the context of their query. That’s where the acquisition of Hull, based in France and the U.S., comes into play.

Described as a customer data platform (CDP), Hull’s team and technology will be deployed to create an “in-depth analytics layer” between MessageBird’s omnichannel offering and the workflow solutions it provides to customers.

“We want to empower clients to have easy, frictionless conversations with customers, so it’s crucial that we understand where those customers are and how they like to communicate,” said Vis. “To do that, it’s crucial that our platform is able to collect, unify and enrich product, marketing, and sales data and synchronize it across the workflow.”

In total, 45 staff will join from 24sessions, and 14 will join from Hull. The combined M&A brings MessageBird’s total headcount to almost 500 people across its nine hubs globally.

HYCU raises $87.5M to take on Rubrik and the rest in multi-cloud data backup and recovery

As more companies become ever more reliant on digital infrastructure for everyday work, the more they become major targets for malicious hackers — both trends accelerated by the pandemic — and that is leading to an ever-greater need for IT and security departments to find ways of protecting data should it become compromised. Today, one of the companies that has emerged as a strong player in data backup and recovery is announcing its first major round of funding.

HYCU, which provides multi-cloud backup and recovery services for mid-market and enterprise customers, has raised $87.5 million, a Series A that the Boston-based startup will be using to invest in building out its platform further, to bring its services into more markets, and to hire 100 more people.

HYCU’s premise and ambition, CEO and founder Simon Taylor said in an interview, is to provide backup and storage services that are as simple to use “as backing up in iCloud for consumers.”

“If you look at primary storage, it’s become very SaaS-ifed, with no professional services required,” he continued. “But backup has stayed very legacy. It’s still mostly focused on one specific environment and can’t perform well when multi-cloud is being used.”

And HYCU’s name fits with that ethos. It is pronounced “haiku”, which Taylor told me refers not just to that Japanese poetic form that looks simple but hides a lot of meaning, but also “hybrid cloud uptime.”

The company is probably known best for its integration with Nutanix, but has over time expanded to serve enterprises building and operating IT and apps over VMware, Google Cloud, Azure and AWS. The company also has built a tool to help migrate data for enterprises, HYCU Protégé, which will also be expanded.

The funding is being led by Bain Capital Ventures, with participation also from Acrew Capital (which was also in the news last week as an investor in the $118 million round for Pie Insurance). The valuation is not being disclosed.

This is the first major outside funding that the company has announced since being founded in 2018, but in that time it has grown into a sizeable competitor against others like Rubrik, Veeam, Veritas and CommVault. The Rubrik comparison is interesting, given that it is also backed by Bain (which led a $261 million round in Rubrik in 2019). HYCU now has more than 2,000 customers in 75 countries. Taylor says that not taking funding while growing into what it has become meant that it was “listening and closer to the needs of our customers,” rather than spending more time paying attention to what investors say.

Now that it’s reached a certain scale, though, things appear to be shifting and there will probably be more money down the line. “This is just round one for us,” Taylor said.

He added that this funding came in the wake of a lot of inbound interest that included not just the usual range of VCs and private equity firms that are getting more involved in VC, but also, it turns out, SPACs, which as they grow in number, seem to be exploring what kinds and stages of companies they tap with their quick finance-and-go-public model.

And although HYCU hadn’t been proactively pitching investors for funding, it would have been on their radars. In fact, Bain is a major backer of Nutanix, putting some $750 million into the company last August. There is some strategic sense in supporting businesses that figure strongly in the infrastructure of your other portfolio companies.

There is another important reason for HYCU raising capital to expand beyond what its balance sheet could provide to fuel growth: HYCU’s would-be competition is itself going through a moment of investment and expansion. For example, Veeam, which was acquired by Insight last January for $5 billion, then proceeded to acquire Kasten to move into serving enterprises that used Kubernetes-native workloads across on-premises and cloud environments. And Rubrik last year acquired Igneous to bring management of unstructured data into its purview. And it’s not a given that just because this is a sector seeing a lot of demand, that it’s all smooth sailing. Igneous was on the rocks at the time of its deal, and Rubrik itself had a data leak in 2019, highlighting that even those who are expert in protecting data can run up against problems.

Taylor notes that ransomware indeed remains a very persistent problem for its customers — reflecting what others in the security world have observed — and its approach for now is to remain focused on how it delivers services in an agent-less environment. “We integrate into the platform,” he said. “That is incredibly important. It means that you can be up and running immediately, with no need for professional services to do the integrating, and we also make it a lot harder for criminals because of this.”

Longer term, though, it will keep its focus on backup and recovery, with no immediate plans to move into adjacent areas such as more security services or other tools. “We’re not trying to be a Veritas and own the entire business end-to-end,” Taylor said. “The goal is to make sure the IT department has visibility and the cloud journey is protected.”

Enrique Salem, a partner at Bain Capital Ventures and the former CEO of Symantec, is joining HYCU’s board with this round and sees the opportunity in the market for a product like HYCU’s.

“We are in the early days of a multi-decade shift to the public cloud, but existing on-premises backup vendors are poorly equipped to enable this transition, creating tremendous opportunity for a new category of cloud-native backup providers,” he said in a statement. “As one of the early players in multi-cloud backup as a service bringing true SaaS to both on-premises and cloud-native environments, HYCU is a clear leader in a space that will continue to create large multi-billion dollar companies.”

Stefan Cohen, a principal at Bain Capital Ventures, will also be joining the board.

6sense raises $125M at a $2.1B valuation for its ‘ID graph’, an AI-based predictive sales and marketing platform

AI has become a fundamental cornerstone of how tech companies are building tools for salespeople: they are useful for supercharging (and complementing) the abilities of talented humans, or helping them keep themselves significantly more organised; even if in some cases — as with chatbots — they are replacing them altogether. In the latest development, 6sense, one of the pioneers in using AI to boost the sales and marketing experience, is announcing a major round of funding that underscores the traction AI tools are seeing in the sales realm.

The startup has raised $125 million at a valuation of $2.1 billion, a Series D being led by D1 Capital Partners, with Sapphire Ventures, Tiger Global and previous backer Insight Partners also participating.

The company plans to use the funding to expand its platform and its predictive capabilities across a wider range of sources.

For some context, this is a huge jump for the company compared to its last fundraise: at the end of 2019, when it raised $40 million, it was valued at a mere $300 million, according to data from PitchBook.

But it’s not a big surprise: at a time when a lot of companies are going through “digital transformation” and investing in better tools for their employees to work more efficiently remotely (especially important for sales people who might have previously worked together in physical teams), 6sense is on track for its fourth year of more than 100% growth, adding 100 new customers in the fourth quarter alone. It caters to small, medium, and large businesses, and some of its customers include Dell, Mediafly, Sage and SocialChorus.

The company’s approach speaks to a classic problem that AI tools are often tasked with solving: the data that sales people need to use and keep up to date on customer accounts, and critically targets, lives in a number of different silos — they can include CRM systems, or large databases outside of the company, or signals on social media.

While some tools are being built to handle all of that from the ground up, 6sense takes a different approach, providing a way of ingesting and utilizing all of it to get a complete picture of a company and the individuals a salesperson might want to target within it. It takes into account some of the harder nuts to crack in the market, such as how to track “anonymous buying behavior” to a more concrete customer name; how to prioritize accounts according to those most likely to buy; and planning for multi-channel campaigns.

6sense has patented the technology it uses to achieve this and calls its approach building an “ID graph.” (Which you can think of as the sales equivalent of the social graph of Facebook, or the knowledge graph that LinkedIn has aimed to build mapping skills and jobs globally.) The key with 6sense is that it is building a set of tools that not just sales people can use, but marketers too — useful since the two sit much closer together at companies these days.

Jason Zintak, the company’s CEO (who worked for many years as a salesperson himself, so gets the pain points very well), referred to the approach and concept behind 6sense as “revtech”: aimed at organizations in the business whose work generates revenue for the company.

“Our AI is focused on signal, identifying companies that are in the market to buy something,” said Zintak in an interview. “Once you have that you can sell to them.”

That focus and traction with customers is one reason investors are interested.

“Customer conversations are a critical part of our due diligence process, and the feedback from 6sense customers is among the best we’ve heard,” said Dan Sundheim, founder and chief investment officer at D1 Capital Partners, in a statement. “Improving revenue results is a goal for every business, but it’s easier said than done. The way 6sense consistently creates value for customers made it clear that they deliver a unique, must-have solution for B2B revenue teams.”

Teddie Wardi at Insight highlights that AI and the predictive elements of 6sense’s technology — which have been a consistent part of the product since it was founded — are what help it stand out.

“AI generally is a buzzword, but here it is a key part of the solution, the brand behind the platform,” he said in an interview. “Instead of having massive funnels, 6sense switches the whole thing around. Catching the right person at the right time and in the right context makes sales and marketing more effective. And the AI piece is what really powers it. It uses signals to construct the buyer journey and tell the sales person when it is the right time to engage.”

No, I Did Not Hack Your MS Exchange Server

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name.

Let’s just get this out of the way right now: It wasn’t me.

The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling).

Shadowserver has been tracking wave after wave of attacks targeting flaws in Exchange that Microsoft addressed earlier this month in an emergency patch release. The group looks for attacks on Exchange systems using a combination of active Internet scans and “honeypots” — systems left vulnerable to attack so that defenders can study what attackers are doing to the devices and how.

David Watson, a longtime member and director of the Shadowserver Foundation Europe, says his group has been keeping a close eye on hundreds of unique variants of backdoors (a.k.a. “web shells”) that various cybercrime groups worldwide have been using to commandeer any unpatched Exchange servers. These backdoors give an attacker complete, remote control over the Exchange server (including any of the server’s emails).

On Mar. 26, Shadowserver saw an attempt to install a new type of backdoor in compromised Exchange Servers, and with each hacked host it installed the backdoor in the same place: “/owa/auth/babydraco.aspx.”

“The web shell path that was dropped was new to us,” Watson said. “We have been testing 367 known web shell paths via scanning of Exchange servers.”

OWA refers to Outlook Web Access, the Web-facing portion of on-premises Exchange servers. Shadowserver’s honeypots saw multiple hosts with the Babydraco backdoor doing the same thing: Running a Microsoft PowerShell script that fetches the file “krebsonsecurity.exe” from the Internet address 159.65.136[.]128. Oddly, none of the several dozen antivirus tools available to scan the file at Virustotal.com currently detect it as malicious.

The Krebsonsecurity file also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. Watson said the Krebsonsecurity file will attempt to open up an encrypted connection between the Exchange server and the above-mentioned IP address, and send a small amount of traffic to it each minute.
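A defender can check logs for the two indicators described above: requests to the reported web shell path in IIS logs, and once-a-minute connections to the reported address. The Python below is an added example, not code from Shadowserver or the original article; the log lines are constructed, and the four-column egress log layout and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Indicators from the article; the IP stays defanged in source and is refanged at runtime.
SHELL_PATH = "/owa/auth/babydraco.aspx"
C2_IP = "159.65.136[.]128".replace("[.]", ".")

# Constructed IIS W3C log (not real data).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-26 10:00:00 10.0.0.5 GET /owa/auth/babydraco.aspx - 443 - 192.0.2.44 scanner 404
2021-03-26 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=x 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-26 10:04:41 10.0.0.5 POST /owa/auth/BabyDraco.aspx - 443 - 203.0.113.9 python-requests 200
"""

# Constructed egress log; assumed layout: epoch_seconds src_ip dst_ip dst_port.
CONN_LOG = "\n".join(
    [f"{t} 10.0.0.5 {C2_IP} 443" for t in (1000, 1060, 1121, 1180, 1241)]
    + [f"{t} 10.0.0.8 {C2_IP} 443" for t in (1000, 1500)]
    + ["1010 10.0.0.9 192.0.2.10 443"]
)


def find_shell_hits(log_text, path=SHELL_PATH):
    """Return (timestamp, client_ip, status) for requests to the web shell path.
    A 200 suggests the file exists on the server; a 404 is only a probe."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            # Skip malformed rows; IIS paths are case-insensitive, so compare lowercased.
            if len(row) == len(fields) and row["cs-uri-stem"].lower() == path:
                hits.append((f"{row['date']} {row['time']}", row["c-ip"],
                             int(row["sc-status"])))
    return hits


def beaconing_hosts(conn_text, dst=C2_IP, period=60, tol=5, min_events=4):
    """Return internal hosts whose connections to dst recur about every `period` seconds."""
    times = defaultdict(list)
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == dst:
            times[parts[1]].append(int(parts[0]))
    hits = []
    for src, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_events, 2) and abs(median(gaps) - period) <= tol:
            hits.append(src)
    return sorted(hits)
```

A hit from `find_shell_hits` with status 200 warrants checking the server's `/owa/auth/` directory for the file itself; `beaconing_hosts` only shows that the secondary download may have run on that host.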

Shadowserver found more than 21,000 Exchange Server systems that had the Babydraco backdoor installed. But Watson said they don’t know how many of those systems also ran the secondary download from the rogue Krebsonsecurity domain.

“Despite the abuse, this is potentially a good opportunity to highlight how vulnerable/compromised MS Exchange servers are being exploited in the wild right now, and hopefully help get the message out to victims that they need to sign up for our free daily network reports,” Watson said.

There are hundreds of thousands of Exchange Server systems worldwide that were vulnerable to attack (Microsoft suggests the number is about 400,000), and most of those have been patched over the last few weeks. However, there are still tens of thousands of vulnerable Exchange servers exposed online. On Mar. 25, Shadowserver tweeted that it was tracking 73,927 unique active webshell paths across 13,803 IP addresses.


Exchange Server users that haven’t yet patched against the four flaws Microsoft fixed earlier this month can get immediate protection by deploying Microsoft’s “One-Click On-Premises Mitigation Tool.”

The motivations of the cybercriminals behind the Krebsonsecurity dot top domain are unclear, but the domain itself has a recent association with other cybercrime activity — and with harassing this author. I first heard about the domain in December 2020, when a reader told me how his entire network had been hijacked by a cryptocurrency mining botnet that called home to it.

“This morning, I noticed a fan making excessive noise on a server in my homelab,” the reader said. “I didn’t think much of it at the time, but after a thorough cleaning and test, it still was noisy. After I was done with some work-related things, I checked up on it – and found that a cryptominer had been dropped on my box, pointing to ‘XXX-XX-XXX.krebsonsecurity.top’. In all, this has infected all three Linux boxes on my network.”

What was the subdomain I X’d out of his message? Just my Social Security number. I’d been doxed via DNS.

This is hardly the first time malware or malcontents have abused my name, likeness and website trademarks as a cybercrime meme, for harassment, or just to besmirch my reputation. Here are a few of the more notable examples, although all of those events are almost a decade old. That same list today would be pages long.

Further reading:

A Basic Timeline of the Exchange Mass-Hack

Warning the World of a Ticking Timebomb

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails