The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good

These last few years have been, at the very least, challenging as well as eye-opening. The rate of high-profile, high-impact ransomware and extortion attacks has been and continues to be on a steep rise. The stakes are higher than ever before, with entire countries’ infrastructure at risk. This week, in the wake of attacks against the likes of Kaseya, SolarWinds, the Colonial Pipeline and more, the Biden administration unveiled the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

This updated memorandum aims to bring together multiple federal agencies, including CISA and NIST, to develop updated cybersecurity goals and metrics, as well as new guidelines for the support of critical infrastructure. The memorandum also includes the Industrial Control Systems Cybersecurity Initiative, a voluntary collaborative effort between the private and public sectors to improve critical infrastructure security. Building on that initiative, the memorandum also aims to greatly accelerate improvements in visibility and monitoring of these systems. As stated in Section 3:

“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response…is central to ensuring the safe operations of these critical systems.”

All this comes on the heels of recent remarks from President Joe Biden, essentially stating that an escalation of cyber threats can potentially lead to a ‘real shooting war’.

While that is an extreme we hopefully will never see, proactive measures such as these are a welcome effort. Updating and modernizing security of these critical systems is crucial to the ongoing security of all countries.

The Bad

Iran has been in the cyber wars again, with two stories breaking this week in which the country has been on both the giving and receiving end of APT campaigns. According to one research paper, the Iranian nation-state APT group TA456 targeted a U.S. defense contractor over a period of years by masquerading as an attractive female aerobics instructor by the name of “Marcella Flores”.

The ruse was designed to infect the device of an employee at the aerospace defense contractor with malware that could exfiltrate sensitive information over SMTPS. The employee was “groomed” from at least 2019 through email and social media chat before being sent a malicious link in June 2021 to a cloud-hosted document purporting to be a diet survey. The document contained macros to infect the user’s device. The fake persona included a Facebook profile first created in 2018 that linked ‘Marcy’ with multiple social media ‘friends’ working at defense contractors. While it appears that the plot was unsuccessful, it demonstrates just how much time and resources APTs are prepared to dedicate when it comes to high-value targets.

Source: Proofpoint

Meanwhile, SentinelLabs reported this week that Iran was itself on the receiving end of a sophisticated attack that disrupted its national train service earlier this year with a previously unknown wiper malware dubbed ‘MeteorExpress’. The threat actor behind the attack also seems to be a new player, displaying TTPs that do not track to any other known group. A full analysis of the malware is given here, but much remains to be discovered about the motives and identity of the attacker.

The Ugly

This week a cybersecurity advisory was released covering the top routinely exploited vulnerabilities. The new report was released as a joint effort between the FBI, NCSC (UK National Cyber Security Centre), ACSC (Australian Cyber Security Centre), and CISA (U.S. Cybersecurity and Infrastructure Security Agency). The report encompasses data from 2020 to the present and goes into detail on related indicators of compromise and associated mitigations. The 2021 list should be of little surprise to those of us who made it through the Hafnium (aka ProxyLogon/Exchange) attacks just a few months ago.

Source: CISA

The top targeted applications (so far) for 2020 include:

For 2020, the bulletin provides the top 10 specific CVEs regularly targeted, which are as follows:

Citrix CVE-2019-19781
Pulse CVE-2019-11510
Fortinet CVE-2018-13379
F5 BIG-IP CVE-2020-5902
MobileIron CVE-2020-15505
Microsoft CVE-2017-11882
Atlassian CVE-2019-11580
Drupal CVE-2018-7600
Telerik CVE-2019-18935
Microsoft CVE-2019-0604
Microsoft CVE-2020-0787
Netlogon CVE-2020-1472

Many of these flaws have been actively exploited by numerous threat actors since their public disclosure. CVE-2017-11882, for instance, has been leveraged by the Ramsay Trojan and Agent Tesla, and it is incorporated into numerous exploit kits and Malware-as-a-Service (MaaS) products distributed among threat actors. Pulse is another standout, having been heavily leveraged by REvil across multiple campaigns. Also worthy of special mention is CVE-2019-1150, which allows attackers to read sensitive files or data off a remote host. This includes the ability for remote, unauthenticated attackers to siphon usernames and passwords in cleartext from exposed devices.

Those tasked with enterprise security can learn an important lesson from this list. These CVEs are not all from 2021 or even 2020. Some were disclosed as far back as 2017. In other words, despite constant outcries to patch and update exposed and vulnerable systems, attackers know this does not always translate into timely action. Targeting old flaws remains a successful attack vector and is less work than discovering and developing new zero-days.

Unfortunately, the list in this new joint alert is only a subset of what is being leveraged by threat actors and it is vital to keep our sense of awareness grounded in the reality of our threat landscape. There is always room for improvement when it comes to patch deployment and threat mitigation.



ConverseNow is targeting restaurant drive-thrus with new $15M round

One year after voice-based AI technology company ConverseNow raised a $3.3 million seed round, the company is back with a cash infusion of $15 million in Series A funding in a round led by Craft Ventures.

The Austin-based company’s AI voice ordering assistants George and Becky work inside quick-serve restaurants to take orders via phone, chat, drive-thru and self-service kiosks, freeing up staff to concentrate on food preparation and customer service.

Joining Craft in the Series A round were LiveOak Venture Partners, Tensility Venture Partners, Knoll Ventures, Bala Investments, 2048 Ventures, Bridge Investments, Moneta Ventures and angel investors Federico Castellucci and Ashish Gupta. This new investment brings ConverseNow’s total funding to $18.3 million, Vinay Shukla, co-founder and CEO of ConverseNow, told TechCrunch.

As part of the investment, Bryan Rosenblatt, partner at Craft Ventures, is joining the company’s board of directors, and said in a written statement that “post-pandemic, quick-service restaurants are primed for digital transformation, and we see a unique opportunity for ConverseNow to become a driving force in the space.”

At the time when ConverseNow raised its seed funding in 2020, it was piloting its technology in just a handful of stores. Today, it is live in over 750 stores and grew seven times in revenue and five times in headcount.

Restaurants were some of the hardest-hit industries during the pandemic, and as they reopen, Shukla said their two main problems will be labor and supply chain, and “that is where our technology intersects.”

The AI assistants are able to step in during peak times when workers are busy to help take orders so that customers are not waiting to place their orders, or calls get dropped or abandoned, something Shukla said happens often.

It can also drive more business. ConverseNow said it is shown to increase average orders by 23% and revenue by 20%, while adding up to 12 hours of extra deployable labor time per store per week.

Company co-founder Rahul Aggarwal said more people prefer to order remotely, which has led to an increase in volume. However, the more workers have to multitask, the less focus they have on any one job.

“If you step into restaurants with ConverseNow, you see them reimagined,” Aggarwal said. “You find workers focusing on the job they like to do, which is preparing food. It is also driving better work balance, while on the customer side, you don’t have to wait in the queue. Operators have more time to churn orders, and service time comes down.”

ConverseNow is one of the startups within the global restaurant management software market that is forecasted to reach $6.94 billion by 2025, according to Grand View Research. Over the past year, startups in the space attracted both investors and acquirers. For example, point-of-sale software company Lightspeed acquired Upserve in December for $430 million. Earlier this year, Sunday raised $24 million for its checkout technology.

The new funding will enable ConverseNow to continue developing its line-busting technology and invest in marketing, sales and product innovation. It will also be working on building a database from every conversation and onboarding new customers quicker, which involves inputting the initial menu.

By leveraging artificial intelligence, the company will be able to course-correct any inconsistencies, like background noise on a call, and better predict what a customer might be saying. It will also correct missing words and translate the order better. In the future, Shukla and Aggarwal also want the platform to be able to tell what is going on around the restaurant — what traffic is like, the weather and any menu promotions to drive upsell.


4 key areas SaaS startups must address to scale infrastructure for the enterprise

Startups and SMBs are usually the first to adopt many SaaS products. But as these customers grow in size and complexity — and as you rope in larger organizations — scaling your infrastructure for the enterprise becomes critical for success.

Below are four tips on how to advance your company’s infrastructure to support and grow with your largest customers.

Address your customers’ security and reliability needs

If you’re building SaaS, odds are you’re holding very important customer data. Regardless of what you build, that makes you a threat vector for attacks on your customers. While security is important for all customers, the stakes certainly get higher the larger they grow.

Given the stakes, it’s paramount to build infrastructure, products and processes that address your customers’ growing security and reliability needs. That includes the ethical and moral obligation you have to make sure your systems and practices meet and exceed any claim you make about security and reliability to your customers.

Here are security and reliability requirements large customers typically ask for:

Formal SLAs around uptime: If you’re building SaaS, customers expect it to be available all the time. Large customers using your software for mission-critical applications will expect to see formal SLAs in contracts committing to 99.9% uptime or higher. As you build infrastructure and product layers, you need to be confident in your uptime and be able to measure uptime on a per customer basis so you know if you’re meeting your contractual obligations.

While it’s hard to prioritize asks from your largest customers, you’ll find that their collective feedback will pull your product roadmap in a specific direction.

Real-time status of your platform: Most larger customers will expect to see your platform’s historical uptime and have real-time visibility into events and incidents as they happen. As you mature and specialize, creating this visibility for customers also drives more collaboration between your customer operations and infrastructure teams. This collaboration is valuable to invest in, as it provides insights into how customers are experiencing a particular degradation in your service and allows for you to communicate back what you found so far and what your ETA is.

Backups: As your customers grow, be prepared for expectations around backups — not just in terms of how long it takes to recover the whole application, but also around backup periodicity, location of your backups and data retention (e.g., are you holding on to the data too long?). If you’re building your backup strategy, thinking about future flexibility around backup management will help you stay ahead of these asks.

The Life Cycle of a Breached Database

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.

When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.

How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).

“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.

From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).

This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.

But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.

Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.

TARGETED PHISHING

So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.

Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.

The targeted phishing message that went out to classicfootballshirts.co.uk customers this month.

“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.

Allison Nixon, chief research officer with New York City-based cyber intelligence firm Unit221B, recalled what happened in the weeks leading up to Dec. 22, 2020, when cryptocurrency wallet company Ledger acknowledged that someone had released the names, mailing addresses and phone numbers for 272,000 customers.

Nixon said she and her colleagues noticed in the preceding months a huge uptick in SIM-swapping attacks, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

“A week or two prior to that we were seeing a whole lot of SIM swapping activity,” Nixon said. “We knew the information was coming from some database but we couldn’t figure out what service they all had in common. After the Ledger database got leaked publicly, we started looking at the [SIM swapping] victims and found 100 percent of them were present in the Ledger database.”

In a statement about the breach, Ledger said the data was likely stolen in June 2020, meaning hackers had roughly six months to launch targeted attacks using extremely detailed information about customers.

“If you were to look [on cybercrime forums] at the past history of people posting about that Ledger database, you’d see people were selling it privately for months prior to that,” Nixon said. “It seems like this database was slowly percolating out wider and wider, until someone decided to remove a lot of its value by posting the whole thing publicly.”

Here are some tips to help avoid falling prey to incessant data breaches and increasingly sophisticated phishing schemes:

Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you have heard from previously. And as the phishing examples above demonstrate, many of today’s phishing scams use elements from hacked databases to make their lures more convincing.

Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).

Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites. Some of the more popular password managers include Dashlane, Keepass, LastPass and Roboform.

Phone-based phishing uses hacked databases, too: A great many scams are perpetrated over the phone, leveraging personal and financial information gleaned from past data breaches to make them sound more believable. If you think you’d never fall for someone trying to scam you over the phone, check out this story about how a tech-savvy professional got taken for thousands of dollars by a fraudster masquerading as his credit union. Remember, When in Doubt: Hang Up, Look Up, & Call Back.

How To Build A Great Data Team | A Q&A With Denise Schlesinger

Denise Schlesinger is senior director of R&D at SentinelOne. In this interview, Denise gives us an inside look at her work and how big data presents new challenges for enterprises in general and cybersecurity in particular. Denise discusses how she meets and defeats these challenges in her work and shares what it takes to build a great data team that can respond to the problems and opportunities created by collecting data at scale.

Tell Us About Your Journey So Far.

I grew up in Argentina and came to Israel at the age of 18 to study Computer Science. I started working in software companies at the age of 24 as a software engineer, mostly developing web applications. I was promoted to team leader and then R&D director by the age of 30 and was managing teams of software engineers.

Over the years, I worked as an architect and a VP of R&D at several startups in different industries: Agrotech, Adtech and Cybersecurity. My roles involved supporting big infrastructure and re-architecting products to support large-scale building and scaling tech teams. I was part of teams where I oversaw designing the complete architecture, from the ground up, of many cloud-based SaaS products and defining technical strategy and roadmap for Distributed applications, ensuring high availability and scalability.

To keep myself up to date, I read many blogs on subjects such as big data, high scale and productionizing of Machine Learning Models such as engineering blogs from Uber, Netflix, Lyft and Wix.

What Does Your Typical Day Look Like at SentinelOne?

Before SentinelOne, I was VP R&D at Novarize, where we developed AI-based tools to provide insights for marketers. I joined SentinelOne remotely during the pandemic, which was certainly a big challenge. It was incredible to see how generous people are with their time and knowledge. Thanks to their support and understanding, my transition has been a fun and positive experience.

Currently, I am a Senior Director of Engineering at SentinelOne. I lead AI and Big Data teams. My group is in charge of the data pipelines, the services that do pre-processing, aggregation and detection for all the data collected. We ingest hundreds of millions of events per minute, and we run on the cloud. Our production infrastructure is huge.

On my day to day, I am involved in all aspects of architecture, software and product development, delivery schedules for high scale applications. I review my group’s development projects to ensure reliability, effectiveness and ROI.

Give Us a Glimpse Into Your Toolkit.

We run Presto, Spark, Kafka, ElasticSearch and all of our services on top of Kubernetes. We leverage Databricks, AWS Sagemaker and Spark for machine learning. We use AI to solve the hardest problems that are part of leading with such huge amounts of data. I am hands-on and love trying new technologies and frameworks.

What Does It Take to Build a Great Data Team?

I manage and mentor my teams and the managers I lead. I lead by example, and I love understanding the small details that make the big picture. I like the challenge of simplifying complex systems. Enabling my teams to grow by granting autonomy, I create a safe environment with permission to fail. I truly care for them; I understand the strengths of each person and do my best to enable him/her to thrive.

I work closely with different business stakeholders in the organization to create awesome products: building relationships, motivating, coaching and enabling each team member to be at their top game. On top of the really interesting technical challenges that come with working with big data and AI, one great thing about working here is the impact you can create. Also, big data means big scale, and this means big problems, which are usually fun and challenging to solve. We invest a lot in building our Data Infrastructure to provide Scalability, Reliability, and Efficiency. I strongly believe in the saying “culture eats strategy for breakfast”. This is highly important when creating a data-driven culture that breathes data and requires every decision to be data-driven.

What Do You Look for in Your Team Members When Hiring?

When hiring people I look for critical thinking, accountability, and innovation. I appreciate the ability to look at things from a bird’s eye view and at the same time dive into the details to get the whole picture. I value curiosity and find that great engineers want to work on difficult problems alongside peers. I hire good team players that believe in the mission and who value a culture of collaboration and exploration.


What Are Your Views on the Current AI and Cybersecurity Landscape?

Nowadays, hackers launch hundreds of millions of attacks worldwide. Unknown threats can cause massive damage affecting a company’s business if they go undetected. Human beings cannot possibly identify all the threats.

Organisations face the challenge of analysing and tracking cloud, network and workstation activities. There’s a lot of data that has to be scanned to allow protection from malicious people and software. AI is able to analyse billions of events and identify different types of threats: from malware exploiting zero-day vulnerabilities to identifying risky behavior that might lead to a phishing attack or download of malicious code.

AI allows the automated detection needed to skim through massive amounts of data and traffic; it can be trained to generate alerts for threats, identify new types of malware and protect sensitive data for organisations. Leveraging machine learning and deep learning to learn the network’s behavior over time can help recognize patterns, detect anomalies and respond to them.

We’d like to thank Denise for taking the time to talk with us about her role and the fascinating work of AI and Big Data. If you’re interested in working with Denise or any of our other teams at SentinelOne, check out our open positions here.



Coralogix logs $55M for its new take on production analytics, now valued at $300-$400M

Data may be the new oil, but it’s only valuable if you make good use of it. Today, a startup that has built a new kind of production analytics platform for developers, security engineers and data scientists to track and better understand how data is moving around their networks is announcing a round of funding that underscores the demand for their technology. Coralogix, which provides stateful streaming services to engineering teams, has picked up $55 million in a Series C round of funding.

The round was led by Greenfield Partners, with Red Dot Capital Partners, StageOne Ventures, Eyal Ofer’s O.G. Tech, Janvest Capital Partners, Maor Ventures, and 2B Angels also participating.

This Series C is coming about 10 months after the company’s Series B of $25 million, and from what we understand Coralogix’s valuation is now in the range of $300 million – $400 million, a big jump for the startup, coming on the back of it growing 250% since this time last year, racking up some 2,000 paying customers, some small teams paying as little as $100/year through to large enterprises paying $1.5 million/year.

Previously, Coralogix — founded in Tel Aviv and with a HQ also in San Francisco — had also raised a round of $10 million.

Coralogix got its start initially as a platform aimed at quality assurance support for R&D and engineering teams. The focus here is on log analytics and metrics for platform engineers, and this still forms a big part of its business today. Added to that, in recent years, Coralogix’s tools are also being applied to cloud security services, contributing to a company’s threat intelligence by providing a way to observe data for any inconsistencies that typically might point to a breach or another incident. (It integrates with Alien Vault and others for this purpose.)

The third area that is just picking up now and will be developed further — one of the uses of this investment, in fact — will be to develop how Coralogix is used for business intelligence. This is a particularly interesting area because it plays into how Coralogix is built, to provide analytics on data before it is indexed.

“It’s about high volume, but low value data,” Ariel Assaraf, Coralogix’s CEO, said in an interview. “Customers don’t want to store the data [or index it] but want to view it live and visualize it. We are starting to see a use case where business information and our analytics come together for sentiment analysis and other areas.”

There are dozens of strong companies providing tools these days to cover log analytics and data observability, underscoring the general growth and importance of DevOps these days. They include companies like DataDog, Sumo Logic, Splunk and more.

However, Assaraf believes that what sets his company apart from them is its approach: essentially it has devised a way of observing and analyzing data streams before they get indexed, giving engineers more flexibility to query the data in different ways, and essentially glean more insights, faster. The other issue with indexing, he said, is that it impacts latency, which also has a big impact on overall costs for an organization.

For many of Coralogix’s competitors, turning around the nature of the business to focus not first on indexing would be akin to completely rebuilding the business, hard to do at their scale (although in fact this is what Coralogix did, when it pivoted as a small company several years ago, which is when Assaraf took on the role of CEO). One company he believes might be more of a direct rival is Confluent.

“I think we will see Confluent getting into observability very soon because they have the streaming capabilities,” he said, “but not the tools we have.” Another potential competitor looming on the horizon: Salesforce, and its potential move into that area, underscores the shifting sands of what is powering enterprise IT investment decisions today.

Salesforce already has Heroku, Slack and Tableau, three major tools developers use for tracking and working with data, Assaraf pointed out, and there were strong rumors of it trying to buy DataDog, “so we definitely see where they are going. For sure, they understand the way things are changing. All the budgets when Salesforce first started were in marketing and sales. Now you sell to IT. Salesforce understands that shift to developers, and so that is where they are going.”

It makes for a very interesting landscape and future for companies like Coralogix, one that investors believe the startup will continue to shape as it has up to now.

“The dramatic shift in digital transformation is generating an explosion of data, which until now has forced enterprises to decide between cost and coverage,” said Shay Grinfeld, managing partner at Greenfield Partners. “Coralogix’s real-time streaming analytics pipeline employs proprietary algorithms to break this tradeoff and generate significant cost savings. Coralogix has built a customer roster that comprises some of the largest and most innovative companies in the world. We’re thrilled to partner with Ariel and the Coralogix team on their journey to reinvent the future of data observability.”

Homebase raises $71M for a team management platform aimed at SMBs and their hourly workers

Small and medium enterprises have become a big opportunity in the world of B2B technology in the last several years, and today a startup that’s building tools aimed at helping them manage their teams of workers is announcing some funding that underscores the state of that market. Homebase, which provides a platform that helps SMBs manage various services related to their hourly workforces, has closed $71 million in funding, a Series C that values the company at between $500 million and $600 million, according to sources close to the startup.

The round has a number of big names in it that are as much a sign of how large VCs are valuing the SMB market right now, as it is of the strategic interest of the individuals who are also participating. GGV Capital is leading the round, with past backers Bain Capital Ventures, Baseline Ventures, Bedrock, Cowboy Ventures, and Khosla Ventures also participating. Individuals meanwhile include president of Focus Brands Kat Cole, Jocelyn Mangan (a board member at PapaJohns and Chownow and former COO of Snag), former CFO of payroll and benefits company Gusto Mike Dinsdale, Guild Education founder Rachel Carlson, star athletes Jrue and Lauren Holiday and alright alright alright actor and famous everyman and future political candidate Matthew McConaughey.

Homebase has raised $108 million to date.

The funding is coming on the heels of strong growth for Homebase (which is not to be confused with the UK/Irish home improvement chain of the same name, nor the YC-backed Vietnamese proptech startup).

The company now has some 100,000 small businesses, with 1 million employees in total, on its platform, which use Homebase to manage all manner of activities related to workers that are paid hourly, including (most recently) payroll, as well as shift scheduling, timeclocks and timesheets, hiring and onboarding, communication, and HR compliance.

John Waldmann, Homebase’s founder and CEO, said the funding will go towards both continuing to bring on more customers and expanding the list of services offered to them, which could include more features geared to front-line and service workers, as well as features for small businesses that also have some “desk” workers who are nonetheless paid hourly.

The common thread, Waldmann said, is not the exact nature of those jobs, but the fact that all of them, partly because of that hourly aspect, have been largely underserved by tech up to now.

“From the beginning, our mission was to help local businesses and their teams,” he said. Part of his inspiration he said came from people he knew: a childhood friend who owned an independent, expanding restaurant chain, and was going through the challenges of managing his teams there, carrying out most of his work on paper; and his sister who worked in hospitality, which didn’t look all that different from his restaurant friend’s challenges. She had to call in to see when she was working, writing her hours in a notebook to make sure she got paid accurately. 

“There are a lot of tech companies focused on making work easier for folks that sit at computers or desks, but are building tools for these others,” Waldmann said. “In the world of work, the experience just looks different with technology.”

Homebase currently is focused on the North American market — there are some 5 million small businesses in the U.S. alone, and so there is a lot of opportunity there. The huge pressure that many of them have experienced in the last 18 months of Covid-19 living, leading some to shut down altogether, has also focused the mind on how to manage and carry out work much more efficiently and in a more organized way, so that you know where your staff is and your staff knows what it should be doing at all times.

What will be interesting is to see what kinds of services Homebase adds to its platform over time: in a way it’s a sign of how the hourly wage workers are becoming a more sophisticated and salient aspect of the workforce, with their own unique demands. Payroll, which is now live in 27 states, also comes with pay advances, opening the door to other kinds of financial services for Homebase, for example.

“Small businesses are the lifeblood of the American economy, with more than 60% of Americans employed by one of our 30 million small businesses. In a post-pandemic world, technology has never been more important to businesses of all sizes, including SMBs,” said Jeff Richards, managing partner at GGV Capital and new Homebase board member, in a statement. “The team at Homebase has worked tirelessly for years to bring technology to SMBs in a way that helps drive increased profitability, better hiring and growth. We’re thrilled to see Homebase playing such an important role in America’s small business recovery and thrilled to be part of the mission going forward.”

It’s interesting to see McConaughey involved in this round, given that he’s most recently made a turn towards politics, with plans to run for governor of Texas in 2022. “Hard working people who work in and run restaurants and local businesses are important to all of us,” he said in a statement. “They play an important role in giving our cities a sense of livelihood, identity, and community. This is why I’ve invested in Homebase. Homebase brings small business operations into the modern age and helps folks across the country not only continue to work harder, but work smarter.”

Blameless raises $30M to guide companies through their software lifecycle

Site reliability engineering platform Blameless announced Tuesday it raised $30 million in a Series B funding round, led by Third Point Ventures with participation from Accel, Decibel and Lightspeed Venture Partners, to bring total funding to over $50 million.

Site reliability engineering (SRE) is an extension of DevOps designed for more complex environments.

Blameless, based in San Mateo, California, emerged from stealth in 2019 after raising both a seed and Series A round, totaling $20 million. Since then, it has turned its business into a blossoming software platform.

Blameless’ platform provides the context, guardrails and automated workflows so engineering teams are unified in the way they communicate and interact, especially to resolve issues quicker as they build their software systems.

It originally worked with tech-forward teams at large companies, like Home Depot, that were “dipping [their toes] into the space and now [want] to double down,” co-founder and CEO Lyon Wong told TechCrunch.

The company still works with those tech-forward teams, but in the past two years, more companies sought out resident SRE architect Kurt Anderson to advise them, causing Blameless to change up its business approach, Wong said.

Other companies are also seeing a trend of customers asking for support — for example, in March, Google Cloud unveiled its Mission Critical Services support option for SRE to serve in a similar role as a consultant as companies move toward readiness with their systems. And in February, Nobl9 raised a $21 million Series B to provide enterprises with the tools they need to build service-level-objective-centric operations, which is part of a company’s SRE efforts.

Blameless now has interest from more mainstream companies in the areas of enterprise, logistics and healthcare. These companies aren’t necessarily focused on technology, but see a need for SRE.

“Companies recognize the shortfall in reliability, and then the question they come to us with is how do they get from where they are to where they want to be,” Anderson said. “Often companies that don’t have a process respond with ‘all hands on deck’ all the time, but instead need to shift to the right people responding.”

Lyon plans to use the new funding to fill key leadership roles and to invest in the company’s go-to-market strategy and product development, enabling the company to go after larger enterprises.

Blameless doubled its revenue in the last year and will expand to service all customer segments, adding small and emerging businesses to its roster of midmarket and large companies. The company also expects to double headcount in the next three quarters.

As part of the funding announcement, Third Point Ventures partner Dan Moskowitz will join Blameless’ board of directors with Wong, Accel partner Vas Natarajan and Lightspeed partner Ravi Mhatre.

“Freeing up engineering to focus on shipping code is exactly what Blameless achieves,” said Moskowitz in a written statement. “The Blameless market opportunity is big as we see teams struggle and resort to creating homegrown playbooks and point solutions that are incomplete and costly.”


No-code Bubble raises $100M to make technical co-founders obsolete

Among Silicon Valley circles, a fun parlor game is to ask to what extent world GDP levels are held back by a lack of computer science and technical training. How many startups could be built if hundreds of thousands or even millions more people could code and bring their entrepreneurial ideas to fruition? How many bureaucratic processes could be eliminated if developers were more latent in every business?

The answer, of course, is on the order of “a lot,” but the barriers to reaching this world remain formidable. Computer science is a challenging field, and despite proactive attempts by legislatures to add more coding skills into school curriculums, the reality is that the demand for software engineering vastly outstrips the supply available in the market.

Coding is not a bubble, and Bubble wants to empower the democratization of software development and the creation of new startups. Through its platform, Bubble enables anyone — coder or not — to begin building modern web applications using a click-and-drag interface that can connect data sources and other software together in one fluid interface.

It’s a bold bet — and it’s just received a bold bet as well. Bubble announced today that Ryan Hinkle of Insight Partners has led a $100 million Series A round into the company. Hinkle, a longtime managing director at the firm, specializes in growth buyout deals as well as growth SaaS companies.

If that round size seems huge, it’s because Bubble has had a long history as a bootstrapped company before reaching its current scale. Co-founders Emmanuel Straschnov and Josh Haas spent seven years bootstrapping and tinkering with the product before securing a $6.5 million seed round in June 2019 led by SignalFire. Interestingly, according to Straschnov, Insight was the first venture firm to reach out to Bubble all the way back in 2014. Seven years on, the two have now signed and closed a deal.

Since the seed round, Bubble has been expanding its functionality. As a no-code tool, any missing feature could potentially block an application from being built. “In our business, it’s a features game,” Straschnov said. “[Our users] are not technical, but they have high standards.” He noted that the company introduced a plugins system that allows the Bubble community to build their own additions to the platform.

Image Credits: Bubble. Its editor offers a clickable interface for designing dynamic web applications. 

As the platform matured, it happened to nail the timing of the COVID-19 pandemic last year, which saw people scrambling for new skills and improving their prospects amid a gloomy job market. Straschnov says that Bubble saw an immediate bump in usage in March and April 2020, and the company has tripled revenue over the past 12 months.

Bubble’s focus for the past eight years has been on helping people turn their ideas into startups. The company’s proposition is that a large number of even venture-backed companies could be built using Bubble without the expense of a large engineering team writing code from scratch.

Unlike other no-code tools, which focus on building internal corporate apps, Straschnov says that the company remains as focused today on these new companies as it has always been. “[We’re] not trying to move upmarket just yet — we are trying to do the same thing that AWS and Stripe did five years ago,” he said. Instead of trying to dominate the enterprise, Bubble wants to grow with its nascent customers as they expand in scale.

The company today charges a range of prices depending on the performance and scale requirements of an application. There’s a free tier, and then professional pricing starts at $25/month all the way to $475/month for its top-listed offering. Enterprise pricing is also available, as is special pricing for students.

On the latter point, Bubble is looking to invest heavily in education using its newly raised capital. While the platform is easy to use, the reality is that any design of a web application can be intimidating for a new user, particularly one who isn’t technical. So the company wants to create more videos and documentation while also heavily investing in partnerships with universities to get more students using the platform.

While the no-code space has seen prodigious investment, Straschnov said that “I don’t look at all the no-code players as competition … the true competition we have is code.” He noted that while the no-code label has been assumed by more and more startups, very few companies are focused on his company’s specific niche, and he believes he offers a compelling value proposition in that category.

The company has doubled headcount since the beginning of the pandemic, growing from around 21 employees to about 45 today. They are lightly concentrated in New York City, but the company operates remotely and has folks in 15 states as well as in France. Straschnov says that the company is looking to aggressively hire technical talent to build out the product using its new funds.

RapidSOS learned that the best product design is sometimes no product design

Sometimes, the best missions are the hardest to fund.

For the founders of RapidSOS, improving the quality of emergency response by adding useful data, like location, to 911 calls was an inspiring objective, and one that garnered widespread support. There was just one problem: How would they create a viable business?

The roughly 5,700 public safety answering points (PSAPs) in America weren’t great contenders. Cash-strapped and highly decentralized, 911 centers already spent their meager budgets on staffing and maintaining decades-old equipment, and they had few resources to improve their systems. Plus, appropriations bills in Congress to modernize centers have languished for more than a decade, a topic we’ll explore more in part four of this EC-1.

People obviously desire better emergency services — after all, they are the ones who will dial 911 and demand help someday. Yet, they never think about emergencies until they actually happen, as RapidSOS learned from the poor adoption of its Haven app we discussed in part one. People weren’t ready to pay a monthly subscription for these services in advance.

So, who would pay? Who was annoyed enough with America’s antiquated 911 system to be willing to shell out dollars to fix it?

Ultimately, the company iterated itself into essentially an API layer between the thousands of PSAPs on one side and developers of apps and consumer devices on the other. These developers wanted to include safety features in their products, but didn’t want to engineer hundreds of software integrations across thousands of disparate agencies. RapidSOS’ business model thus became offering free software to 911 call centers while charging tech companies to connect through its platform.

It was a tough road and a classic chicken-and-egg problem. Without call center integrations, tech companies wouldn’t use the API — it was essentially useless in that case. Call centers, for their part, didn’t want to use software that didn’t offer any immediate value, even if it was being given away for free.

This is the story of how RapidSOS just plowed ahead against those headwinds from 2017 onward, ultimately netting itself hundreds of millions in venture funding, thousands of call agency clients, dozens of revenue deals with the likes of Apple, Google and Uber, and partnerships with more software integrators than any startup has any right to secure. Smart product decisions, a carefully calibrated business model and tenacity would eventually lend the company the escape velocity to not just expand across America, but increasingly across the world as well.

In this second part of the EC-1, I’ll analyze RapidSOS’ current product offerings and business strategy, explore the company’s pivot from consumer app to embedded technology and take a look at its nascent but growing international expansion efforts. It offers key lessons on the importance of iterating, how to secure the right customer feedback and determining the best product strategy.

The 411 on a 911 API

It became clear from the earliest stages of RapidSOS’ journey that getting data into the 911 center would be its first key challenge. The entire 911 system — even today in most states — is built for voice and not data.

Karin Marquez, senior director of public safety at RapidSOS, whom we met in the introduction, worked for decades at a PSAP near Denver, working her way up from call taker to senior supervisor. “When I started, it was a one-man dispatch center. So, I was working alone, I was answering 911 calls, non-emergency calls, dispatching police, fire and EMS,” she said.

RapidSOS senior director of public safety Karin Marquez. Image Credits: RapidSOS

As a 911 call taker, her very first requirement for every call was figuring out where an emergency is taking place — even before characterizing what is happening. “Everything starts with location,” she said. “If I don’t know where you are, I can’t send you help. Everything else we can kind of start to build our house on. Every additional data [point] will help to give us a better understanding of what that emergency is, who may be involved, what kind of vehicle they’re involved in — but if I don’t have an address, I can’t send you help.”