IBM transformation struggles continue with cloud and AI revenue down 4.5%

A couple of months ago at CNBC’s Transform conference, IBM CEO Arvind Krishna painted a picture of a company in the midst of a transformation. He said that he wanted to take advantage of IBM’s $34 billion 2018 Red Hat acquisition to help customers manage a growing hybrid cloud world, while using artificial intelligence to drive efficiency.

It seems like a sound enough approach. But instead of the new strategy acting as a big growth engine, IBM’s earnings today showed that its cloud and cognitive software revenues were down 4.5% to $6.8 billion. Meanwhile cognitive applications — where you find AI incomes — were flat.

If Krishna was looking for a silver lining, perhaps he could take solace in the fact that Red Hat itself performed well, with revenue up 18% compared to the year-ago period, according to the company. But overall the company’s revenue declined for the fourth straight quarter, leaving the executive in much the same position as his predecessor Ginni Rometty, who led IBM during 22 straight quarters of revenue losses.

Krishna laid out his strategy in November, telling CNBC, “The Red Hat acquisition gave us the technology base on which to build a hybrid cloud technology platform based on open-source, and based on giving choice to our clients as they embark on this journey.” So far the approach is simply not generating the growth Krishna expected.

The company is also in the midst of spinning out its legacy managed infrastructure services division, which, as Krishna said in the same November interview, should allow Big Blue to concentrate more on its new strategy. “With the success of that acquisition now giving us the fuel, we can then take the next step, and the larger step, of taking the managed infrastructure services out. So the rest of the company can be absolutely focused on hybrid cloud and artificial intelligence,” he said.

While it’s certainly too soon to say his transformation strategy has failed, the results aren’t there yet, and IBM’s falling top line has to be as frustrating to Krishna as it was to Rometty. If you guide the company toward more modern technologies and away from the legacy ones, at some point you should start seeing results, but so far that has not been the case for either leader.

Krishna continued to build on this vision at the end of last year by buying some additional pieces like cloud applications performance monitoring company Instana and hybrid cloud consulting firm Nordcloud. He did so to build a broader portfolio of hybrid cloud services to make IBM more of a one-stop shop for these services.

As retired NFL football coach Bill Parcells used to say, referring to his poorly performing teams, “you are what your record says you are.” Right now IBM’s record continues to trend in the wrong direction. While it’s making some gains with Red Hat leading the way, it’s simply not enough to offset the losses, and something needs to change.

DDoS-Guard To Forfeit Internet Space Occupied by Parler

Parler, the beleaguered social network advertised as a “free speech” alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from their stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients — including the Internet addresses currently occupied by Parler.

The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

In October, a phone call from Guilmette to an Internet provider in Oregon was all it took to briefly sideline a vast network of sites tied to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. As a result, those QAnon and 8chan sites also ultimately ended up in the arms of DDoS-Guard.

Much like Internet infrastructure firm CloudFlare, DDoS-Guard typically doesn’t host sites directly but instead acts as a go-between to simultaneously keep the real Internet addresses of its clients confidential and to protect them from crippling Distributed Denial-of-Service (DDoS) attacks.

The majority of DDoS-Guard’s employees are based in Russia, but the company is actually incorporated in two other places: as “Cognitive Cloud LLP” in Scotland, and as DDoS-Guard Corp. based in Belize. However, none of the company’s employees are listed as based in Belize, and DDoS-Guard makes no mention of the Latin American region in its map of global operations.

In studying the more than 11,000 Internet addresses assigned to those two companies, Guilmette found that approximately 66 percent of them were doled out to the Belize entity by LACNIC, the regional Internet registry for the Latin American and Caribbean regions.

Suspecting that DDoS-Guard incorporated in Belize on paper just to get huge swaths of IP addresses that are supposed to be given only to entities with a physical presence in the region, Guilmette filed a complaint with the Internet registry about his suspicions back in November.

Guilmette said LACNIC told him it would investigate, and that any adjudication on the matter could take up to three months. But earlier this week, LACNIC published a notice on its website that it intends to revoke 8,192 IPv4 addresses from DDoS-Guard — including the Internet address currently assigned to Parler[.]com.

A notice of revocation posted by LACNIC.

LACNIC has not yet responded to requests for comment. The notice on its site says the Internet addresses are set to be revoked on Feb. 24.

DDoS-Guard CEO Evgeniy Marchenko maintains the company has done nothing wrong, and that DDoS-Guard does indeed have a presence in Belize.

“They were used strongly according [to] all LACNIC policies by [a] company legally substituted in LACNIC region,” Marchenko said in an email to KrebsOnSecurity. “There is nothing illegal or extremist. We have employers and representatives in different countries around the world because we are global service. And Latin America region is not an exception.”

Guilmette said DDoS-Guard could respond by simply moving Parler and other sites sitting in those address ranges to another part of its network. But he considers it a victory nonetheless that a regional Internet registry took his concerns seriously.

“It appeared to me that it was more probable than not that they got these 8,000+ IPv4 addresses by simply creating an arguably fraudulent shell company in Belize and then going cap in hand to LACNIC, claiming that they had a real presence in the Latin & South American region, and then asking for 8,000+ IPv4 addresses,” he said. “So I reported my suspicions to the LACNIC authorities in early November, and as I have only just recently learned, the LACNIC authorities followed up diligently on my report and, it seems, verified my suspicions.”

In October, KrebsOnSecurity covered another revelation by Guilmette about the same group of QAnon and 8chan-related sites that moved to DDoS-Guard: The companies that provided the Internet address space used by the sites were defunct businesses in the eyes of their respective U.S. state regulators. In other words, the American Registry for Internet Numbers (ARIN) — the non-profit which administers IP addresses for entities based in North America — was well within its contract rights to revoke the IP space.

Guilmette brought his findings to ARIN, which declined to act on the complaint and instead referred the matter to state investigatory agencies.

Still, Guilmette’s gadfly efforts to stir things up in the RIR community sometimes do pay off. For example, he spent nearly three years documenting how $50 million worth of the increasingly scarce IPv4 addresses were misappropriated from African companies to dodgy Internet marketing firms.

His complaints about those findings to the African Network Information Centre (AFRINIC) resulted in an investigation that led to the termination of a top AFRINIC executive, who was found to have quietly sold many of the address blocks for personal gain to marketers based in Europe, Asia and elsewhere.

And this week, AFRINIC took the unusual step of officially documenting the extent of the damage wrought by its former employee, and revoking discrete chunks of address space currently being used by marketing firms.

In a detailed report released today (PDF), AFRINIC said its investigation revealed more than 2.3 million IPv4 addresses were “without any lawful authority, misappropriated from AFRINIC’s pool of resources and attributed to organizations without any justification.”

AFRINIC said it began its inquiry in earnest back in March 2019, when it received an application by the U.S. Federal Bureau of Investigation (FBI) about “certain suspicious activities regarding several IPv4 address blocks which it held.” So far, AFRINIC said it has reclaimed roughly half of the wayward IP address blocks, with the remainder “yet to be reclaimed due to ongoing due diligence.”

Six Steps to Successful And Efficient Threat Hunting

Cybersecurity often feels like a game of cat and mouse. As our solutions get better at stopping an attack, adversaries have often already developed and started utilizing new tactics and techniques. According to the Verizon DBIR, advanced threats lurk in our environment undetected, often for months, while they stealthily look to gather valuable information to steal or data to compromise. If you wait until these threats become visible or an alert is generated by traditional SOC monitoring tools, it can be too late. Threat hunting can help combat these challenges. Rather than waiting for an alert, threat hunters proactively assume that an advanced adversary is already operating inside the network and work to find evidence of that presence.

In this post, we discuss threat hunting, why it’s essential, and how you can enable your team to adopt efficient hunting strategies with the SentinelOne Platform.

What is Threat Hunting?

Threat hunting has been defined by some as “computer security incident response before there is an incident declared”. Others define it as “threat detection using the tools from incident response” or even “security hypothesis testing on a live IT environment.”

We define threat hunting as the process of searching across networks and endpoints to identify threats that evade security controls before they can execute an attack or fulfill their goals.

Rather than simply relying on security solutions to detect threats, threat hunting is a proactive approach to finding threats hidden in your network.

Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to threats; they actively search for them. This process involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data and analysis.

Threat hunting is also quite a different activity from either incident response or digital forensics. The purpose of DF/IR methodologies is to determine what happened after a breach was discovered. In contrast, when a team engages in threat hunting, the aim is to search for attacks that may have already slipped through your defensive layers.

Threat hunting differs from penetration testing and vulnerability assessment, too. Those attempt to simulate an attack and ask questions such as what ‘could’ happen if someone compromised my security. Threat hunters, by contrast, work from the premise that an attacker is already in the network and then look for indicators of compromise, lateral movement, and other tell-tale artifacts that may provide evidence of the attacker.

Why Do You Need To Incorporate Threat Hunting?

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage.

Simply stated, if you aren’t looking for threat actors inside your network, you may never know they are there. What if the attackers lock you out of the systems before you notice that you are under attack? With an efficient threat hunting program, you don’t have to stress over such possibilities.

Threat hunting is human-driven, iterative, adaptive, and systematic. Hence, it effectively reduces damage and overall risk to an organization, as its proactive nature enables security professionals to respond to incidents more rapidly than would otherwise be possible. It reduces the probability of an attacker being able to cause damage to an organization, its systems, and its data.

Threat hunting also reduces your reliance on external vendors that may not know your network or normal employee behavior as well as your threat hunting team might.

Finally, threat hunting will force you to learn your networks, systems, applications, and users.

Understanding all of these components is a critical element of a robust security framework.

Six Steps To Creating An Efficient Hunting Program

So how do you create a perfect and efficient hunting program? Well! In reality, the perfect hunting program rarely exists! You need your hunting program to be an iterative combination of processes, tools, and techniques continually evolving and adaptive to suit your organization. Here are six steps that will help you create an efficient threat hunting program in your organization.

1. Ensure You Have The Right Data.

No data, no hunt! Period!

All successful threat hunting begins with having the right data to answer the right questions. Without the right data, you will not be able to conduct a successful and meaningful hunt. You need to ensure you have telemetry that captures a wide range of activity and behaviors across multiple operating systems and which can serve as a base for all your threat hunting efforts. Device telemetry should include data like network traffic patterns, file hashes, processes, user activity, network activity, file operations, persistence activity, system and event logs, denied connections, and peripheral device activity.

Just having the raw data is not enough; you also need to ensure that you have context surrounding the data. Knowing which data to combine, correlate, or extend is critical. Ideally, you want tools that allow a clear overview of all the above data with powerful capabilities to automatically contextualize and correlate different events into unified detections that minimize the amount of manual sifting through raw logs.

SentinelOne’s patented Storyline™ technology provides analysts with real-time actionable correlation and context and lets security analysts understand the full story of what happened in your environment.

Each autonomous SentinelOne Agent builds a model of its endpoint infrastructure and real-time running behavior. Every element of a story has the same Storyline. This gives you the full picture of what happened on a device and what caused it to happen. SentinelOne automatically correlates related activity into unified alerts that provide Campaign Level Insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of responding to alerts.

2. Baseline To Understand What’s Normal In Your Environment

Threat hunters need a solid understanding of the organization’s profile and of business activities that could attract threat actors, such as hiring new staff or acquiring new assets or companies.

A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers (outlier analysis). Attackers will often want to blend in with ordinary users to acquire user credentials from phishing campaigns, so understanding a user’s typical behavior is a useful baseline for investigating anomalous file access or login events.

Combining that with understanding what company data is of value to attackers and where it is located can lead to creating hypotheses such as “Is an attacker trying to steal data located at a specific location?” This, in turn, could prompt data collection that answers questions like: “Which users have accessed that location for the first time in the last n days?”

SentinelOne’s behavioral AI engine leverages advanced data science methods to teach systems the difference between regular day-to-day operations and actual threat behavior.

This provides the analyst with the complete picture and any additional context needed to help them understand what normal looks like and enable them to spot any outliers. An alert is triggered if a pattern emerges, such as repeated login attempts from a country that is not the usual norm in your environment, which may indicate a potential brute force attack. This helps make threat detection and hunting faster and more accurate. SentinelOne also retains historical data from 14 days to 365+ days, available to query in near real-time, so that the hunting team can understand and analyze data over large periods of time.
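The two hunting questions raised above (first-time access to a sensitive location in the last n days, and repeated logins from a country that is not normal for a user) as an added, stand-alone example that is not SentinelOne code: it learns a baseline from older events and reports outliers in the recent window. The log format and all user, share and country values are constructed for the example.

```python
"""Baseline-and-outlier hunt over constructed access logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "<ISO timestamp> <event> <user> <detail> <country>"
# event is "login" (detail = ok|fail) or "access" (detail = share path).
SAMPLE_LOG = """\
2021-01-04T08:01:00 login  alice ok            US
2021-01-04T08:05:00 access alice fs01/finance  US
2021-01-05T08:02:00 login  alice ok            US
2021-01-05T08:07:00 access alice fs01/finance  US
2021-01-04T09:00:00 login  bob   ok            US
2021-01-04T09:10:00 access bob   fs02/eng      US
2021-01-05T07:30:00 login  carol ok            DE
2021-01-05T07:35:00 access carol fs02/eng      DE
2021-01-14T08:03:00 login  alice ok            US
2021-01-14T08:09:00 access alice fs01/finance  US
2021-01-14T22:15:00 access bob   fs01/finance  US
2021-01-15T03:01:00 login  bob   fail          RU
2021-01-15T03:01:30 login  bob   fail          RU
2021-01-15T03:02:00 login  bob   ok            RU
2021-01-15T07:31:00 login  carol ok            DE
2021-01-16T07:32:00 login  carol ok            DE
2021-01-16T10:00:00 access dave  fs01/finance  US
"""


def parse_log(text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, detail, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "detail": detail, "country": country})
    return events


def build_baseline(events, cutoff):
    """Learn 'normal' from everything before the cutoff: which users use
    which share, and which countries each user successfully logs in from."""
    share_users = defaultdict(set)
    user_countries = defaultdict(set)
    for e in events:
        if e["ts"] >= cutoff:
            continue
        if e["event"] == "access":
            share_users[e["detail"]].add(e["user"])
        elif e["event"] == "login" and e["detail"] == "ok":
            user_countries[e["user"]].add(e["country"])
    return share_users, user_countries


def first_time_access(events, share_users, cutoff, sensitive):
    """Users who touched a sensitive share in the window but never before.
    A user with no history at all (a brand-new account, say) is reported
    too, because an empty baseline cannot vouch for them."""
    seen, hits = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "access" or e["ts"] < cutoff or e["detail"] not in sensitive:
            continue
        key = (e["user"], e["detail"])
        if e["user"] not in share_users.get(e["detail"], set()) and key not in seen:
            seen.add(key)
            hits.append((e["user"], e["detail"], e["ts"].isoformat()))
    return hits


def unusual_country_logins(events, user_countries, cutoff, min_attempts):
    """Login attempts (success or failure) in the window from a country the
    user never logged in from during the baseline; reported once the count
    reaches min_attempts, since repeated attempts are the stronger signal."""
    counts = Counter()
    for e in events:
        if e["event"] != "login" or e["ts"] < cutoff:
            continue
        if e["country"] not in user_countries.get(e["user"], set()):
            counts[(e["user"], e["country"])] += 1
    return sorted((u, c, n) for (u, c), n in counts.items() if n >= min_attempts)


def hunt(text, now_iso, lookback_days, sensitive=("fs01/finance",), min_attempts=3):
    """Run both hypotheses over the log and return the findings."""
    events = parse_log(text)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    share_users, user_countries = build_baseline(events, cutoff)
    return {
        "first_time_access": first_time_access(events, share_users, cutoff, sensitive),
        "unusual_country_logins": unusual_country_logins(
            events, user_countries, cutoff, min_attempts),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_LOG, "2021-01-18T00:00:00", 7).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

With the constructed data, bob’s first access to the finance share and his three login attempts from an unfamiliar country surface as findings, while carol’s routine logins from her usual country do not.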

3. Develop A Hypothesis

Many hunts start from an intel source that supplies Indicators of Compromise (IoCs) such as hash values, IP addresses, domain names, and network or host artifacts provided by third-party data sources such as an Information Sharing and Analysis Center (ISAC) or the FBI. Hunts can also be incident driven; given any incident, you need to answer how and when it happened. However, not all threats are known. In fact, a large number of threats are unknown, so hunting cannot solely rely on utilizing known methodologies.

In a hypothesis-driven workflow, a hunt starts with creating a hypothesis, or an educated guess, about some type of activity that might be going on in your environment. Using Open-source intelligence (OSINT) tools and frameworks like MITRE ATT&CK works effectively if you know what you are looking for.

That brings us to one of the essential components of threat hunting: hypothesis formation and testing. Hypotheses are typically formulated by hunters based on tools and frameworks, social intelligence, threat intelligence, and past experiences. Generalized questions could include, “If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?” Other examples could include questions like “Why do I see encrypted HTTPS or FTP traffic to countries in the East in my environment?” or “Why do I see an abnormal volume of DNS queries from a single machine?”

Ideas can be derived from the following sources:

  • MITRE ATT&CK framework: a vast knowledge base of attack tactics, techniques, and procedures. Studying the MITRE techniques and their simulation in test environments can serve as a foundation for developing hypotheses.
  • Threat Intelligence reports: contain useful information about attack techniques and procedures based on real incidents. Systematic analysis of such reports should spark some thought and give rise to many threat hunting ideas.
  • Blogs, Twitter, and conference talks: information about new attack techniques often appears first in research blogs and conference talks, even before attackers start actively using them. Timely study of such information allows threat hunters to be proactive and prepare before the new attack technique becomes widespread.
  • Penetration testing: attackers tend to use tools similar to those applied by experienced pen testers. Therefore, studying pen-testing practices creates a treasure trove of knowledge for generating threat hunting hypotheses.

SentinelOne’s patented Deep Visibility lets you quickly and iteratively query and pivot across endpoint telemetry captured from endpoint devices to validate hypotheses.

SentinelOne automatically correlates all related objects (processes, files, threads, events, and more) of a threat. For example, suppose a process modifies a different process by injecting code. When you run a query, all interaction between the source process, target process, and parent process shows clearly in the cross-process details. This lets you quickly understand the data relationships: the root cause behind a threat with all of its context, relationships, and activities. Analysts can also leverage historical data to map advanced threat campaigns across time to enable efficient hypothesis generation.

You can create powerful hunting queries with easy-to-use shortcuts. As a threat hunter, the MITRE ATT&CK framework has likely become one of your go-to tools. SentinelOne makes hunting for MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) fast and painless. It’s as easy as entering the MITRE technique ID and using this to perform a hunt.

SentinelOne provides a query library of hunts using data from various open, commercial, and bespoke sources curated by SentinelOne research.

These hunts are the output of hypotheses that are proven across research data and are generic. For example, the use of unmanaged, unsigned PowerShell is likely abnormal in most environments and would commonly require additional investigation. Both of the above examples are not malicious in and of themselves but fit in a hunting workflow as they are descriptive of anomalies.

4. Investigate & Analyze Potential Threats

After generating the hypothesis, the next step is to follow up on it by investigating various tools and techniques to discover new malicious patterns in the data and uncover the attacker’s TTPs. If the hypothesis is correct and evidence of malicious activity is found, then the threat hunter should immediately validate the nature, extent, impact, and scope of the finding.

Although threat hunting starts with a human-generated hypothesis, threat protection tools, like SentinelOne, make the investigation more efficient. SentinelOne’s Deep Visibility empowers rapid threat hunting capabilities thanks to Storyline. Each autonomous SentinelOne Agent monitors endpoint activity and real-time running behavior. A Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events, and other data with a single query.

With Storyline, Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat with all of its context, relationships, and activities revealed from one search.

Storyline allows threat hunters to understand the full story of what happened on an endpoint and enable them to see the complete chain of events, saving time for your security teams.

5. Rapidly Respond To Remediate Threats

Once you uncover a new TTP, you need to make sure you can effectively respond and remediate the threat.

The response should distinctly define both short-term and long-term measures that will be used to neutralize the attack. The main goal of the response is to immediately put an end to the ongoing attack and protect the system from damage by the perceived threat. But it is also essential to understand the cause of the threat in order to improve security and prevent similar attacks in the future. All necessary steps must be taken to ensure that similar attacks are not likely to happen again.

SentinelOne enables analysts to take all the required actions needed to respond and remediate the threat with a single click.

With one click, the analyst can roll back the threat or perform any other available mitigation actions. Rollback functionality automatically restores files deleted or corrupted by ransomware activity to their pre-infection state without needing to reimage the machine.

The threat can be added to Exclusions, marked as resolved, and notes can be added to explain the rationale behind the decisions taken. SentinelOne also offers full Remote Shell capabilities to give your security team a quick way to investigate attacks, collect forensic data, and remediate breaches no matter where the compromised endpoints are located, eliminating uncertainty and significantly reducing any downtime that results from an attack.

SentinelOne also can detect threats in advance through the aid of its machine learning and intelligent automation. It can anticipate threats and attacks by deeply inspecting files, documents, emails, credentials, browsers, payloads, and memory storage. It can automatically disconnect a device from a network when it identifies a possible security threat or attack.

6. Enrich And Automate For Future Events

Finally, successful hunts form the basis for informing and enriching automated analytics. The final step in the threat hunting practice is to use the knowledge generated during the threat hunting process to enrich and improve EDR systems. This way, the organization’s global security is enhanced thanks to the discoveries made during the investigation.

Advanced threat hunting techniques will try to automate as many tasks as possible. Monitoring user behavior and comparing that behavior against itself to search for anomalies, for example, is far more effective than running individual queries. However, both techniques are likely to be required in practice. Both are made easier if you have tools like SentinelOne with a rich set of native APIs enabling full integration across your security software stack.

SentinelOne is designed to lighten the load on your team in every way, and that includes giving you the tools to set up and run custom threat hunting searches.

With Storyline Auto-Response (STAR) custom detection rules, you can turn Deep Visibility queries into automated hunting rules that trigger alerts and responses when the rules detect matches. STAR gives you the flexibility to create custom alerts specific to your environment that can enhance alerting and triaging of events.

SentinelOne can also automatically mitigate detections based on the policy for suspicious threats or the policy for malicious threats or can put endpoints in Network Quarantine. Alerts are triggered in near-real-time and show in the Activity log in the Management Console. You can enable alerts in Syslog that can be used for triage and SIEM integration.

After running the query in Deep Visibility and investigating, you can select an Auto-Response for the rule to automatically mitigate the rule detections. With that, you have set your SentinelOne solution to automatically protect your environment, according to your needs, from every threat, every second of every day. Modern adversaries are automating their techniques, tactics, and procedures to evade preventative defenses, so it makes sense that enterprise security teams can better keep up with attacks by automating their manual workloads.

Closing Thoughts

Implementing a threat hunting program can reap many benefits to the organization, including proactively uncovering security incidents, faster Incident Response times, and a more robust security posture. Effective threat hunting needs to result in less work for your busy analysts while at the same time future-proofing your SOC from a variety of known and unknown adversaries. SentinelOne gives you visibility, ease of use, speed, and context to make threat hunting more effective than ever before. Please contact us or request a demo to see how SentinelOne can help you develop an efficient hunting program.

Additional Resources

Deep Dive – Hunting with MITRE ATT&CK
Use the S1QL Cheatsheet For Security Analysis
Learn more about Rapid Threat Hunting with Storyline
Visit SentinelOne Platform page
Visit Sans Threat Hunting Report – Automating Hunt
Read Gartner Report about Using Threat Hunting for Proactive Threat Detection


StackPulse announces $28M investment to help developers manage outages

When a system outage happens, chaos can ensue as the team tries to figure out what’s happening and how to fix it. StackPulse, a new startup that wants to help developers manage these crisis situations more efficiently, emerged from stealth today with a $28 million investment.

The round actually breaks down to a previously unannounced $8 million seed investment and a new $20 million Series A. GGV led the A round, while Bessemer Venture Partners led the seed and also participated in the A. Glenn Solomon at GGV and Amit Karp at Bessemer will join the StackPulse board.

Nobody is immune to these outages. We’ve seen incidents from companies as varied as Amazon and Slack in recent months. The biggest companies like Google, Facebook and Amazon employ site reliability engineers and build customized platforms to help remediate these kinds of situations. StackPulse hopes to put this kind of capability within reach of companies, whose only defense is the on-call developers.

Company co-founder and CEO Ofer Smadari says that in the midst of a crisis with signals coming at you from Slack and PagerDuty and other sources, it’s hard to figure out what’s happening. StackPulse is designed to help sort out the details to get you back to equilibrium as quickly as possible.

First off, it helps identify the severity of the incident. Is it a false alarm or something that requires your team’s immediate attention or something that can be put off for a later maintenance cycle? If there is something going wrong that needs to be fixed right now, StackPulse can not only identify the source of the problem, but also help fix it automatically, Smadari explained.

After the incident has been resolved, it can also help with a post-mortem to figure out what exactly went wrong by pulling in all of the alert communications and incident data into the platform.

As the company emerges from stealth, it has some early customers, and 35 employees based in Portland, Oregon and Tel Aviv. Smadari says that he hopes to have 100 employees by the end of this year. As he builds the organization, he is thinking about how to build a diverse team for a diverse customer base. He believes that people with diverse backgrounds build a better product. He adds that diversity is a top level goal for the company, which already has an HR leader in place to help.

Glenn Solomon from GGV, who will be joining the company board, saw a strong founding team solving a big problem for companies and wanted to invest. “When they described the vision for the product they wanted to build, it made sense to us,” he said.

Customers are impatient with down time and Solomon sees developers on the front line trying to solve these issues. “Performance is more important than ever. When there is downtime, it’s damaging to companies,” he said. He believes StackPulse can help.

UK’s WhiteHat rebrands as Multiverse, raises $44M to build tech apprenticeships in the US

University education is getting more expensive, and at the moment it feels a bit like a Petri dish for infections, but the long-term trends continue to show a dramatic growth in the number of people worldwide getting degrees beyond high school, with one big reason for this being that a college degree generally provides better economic security.

But today, a startup that is exploring a different route for those interested in technology and knowledge worker positions — specifically by way of apprenticeships to bring in and train younger people on the job — is announcing a significant round of growth funding to see if it can provide a credible, scalable alternative to that model.

Multiverse, a U.K. startup that works with organizations to develop these apprenticeships, and then helps source promising, diverse candidates to fill those roles, has raised $44 million, funding that it will be using to spearhead a move into the U.S. market after picking up some 300 clients in the U.K. and thousands of apprentices.

The Series B is being led by General Catalyst (which has been especially active this week with U.K. startups: it also led a large round yesterday for Bloom & Wild), with GV (formerly known as Google Ventures), Audacious Ventures, Latitude and SemperVirens also participating. Index Ventures and Lightspeed Venture Partners, which first invested in the company in its $16 million Series A in 2020, also participated.

Valuation is not being disclosed, but for what it’s worth, the round was one that generated a lot of interest. In between getting pitched this story and publishing it, the size of the Series B grew by $8 million (it was originally closed at $36 million). The FT notes that the valuation was around $200 million with this round, but the company says that is “speculation on the FT’s part.”

The company was originally co-founded as WhiteHat and is officially rebranding today. Co-founder Euan Blair (who happens to be the son of the former U.K. Prime Minister Tony Blair and his accomplished barrister wife Cherie Booth Blair) said the name change was because the original name was a reference to how the startup sought to “hack the system for good.”

However, he added, “The scale has become bigger and more evolved.” The new name is to convey that — as in gaming, which is probably the arena where you might have heard this term before — “anything is possible.”

There are “multiple universes” one can inhabit as a post-18 young adult, Blair continued. While it’s been assumed that to get into tech, the obvious route was a two-to-four year (and often more) tour through college or university to pick up a higher education degree, the bet that Multiverse is making here is that apprenticeships, which typically last 1.5 years, can easily, and widely, become another. “We want to build an outstanding alternative to university and college,” he said.

The idea of an “outstanding alternative” is especially important when thinking of how to target more marginalized groups and how this ties up with how tech companies are looking to be more diverse in the future, without cutting down on the quality of what people are getting out of the experience, or the resulting talent that is getting recruited.

There’s long been a stigma attached to less prestigious institutions, and putting money or effort into another channel to perpetuate that doesn’t really make sense or point to progress.

Blair said that currently over half of the people making their way through Multiverse are people of color, and 57% are women, and the plan is to build tools to make that an even firmer part of its mission.

The startup sees itself as part tech company and part education enterprise.

It works with tech companies and others to open up opportunities for people who have not had any higher education or any training, where fresh high school graduates can come in, learn the ropes of a job while getting paid and then continue on working their way up the ladder with that knowledge base in place.

Apprenticeships on the platform right now range from data analysts through to exhibition designers, and the idea is that by opening up and targeting the U.S. market, the breadth, number and location of roles will grow.

This is not just a social enterprise: There is actual money in this area. Blair said that the prices it charges the companies it works with vary by qualification, “but are broadly around the $15,000 mark.” (The individuals applying don’t pay anything, and they will also be paid by the companies providing the apprenticeships.)

On the educational front, Multiverse doesn’t just connect people as a recruiter might: it has a team in place to build out what the “curriculum” might be for a particular apprenticeship, and how to deliver and train people with the requisite skills alongside the practice experience of working, and more.

That latter role, of course, has taken on a more poignant dimension in the last year: Concepts like remote training and virtual mentorship have very much come into their own at a time when offices are largely standing empty to help reduce the spread of COVID-19.

Regardless of what happens in the year ahead — fingers crossed that vaccinations and other efforts will help us collectively move past where we are right now — many believe that the infrastructure that has been put into place to keep working virtually will continue to be used, which bodes well for a company like Multiverse that is building a business around that, both with technology it creates itself and will bring in from third parties and partners.

Indeed, the ecosystem of companies building tools to deliver educational content, provide training and work collaboratively has really boomed in the pandemic, giving companies like Multiverse a large library of options for how to bring people into new work situations. (Google, which is now an investor in Multiverse, is very much one of the makers of such education tools.)

Apprenticeships are an interesting area for a startup to tackle. Traditionally, it’s a term that would have been associated mainly with skilled labor positions, rather than “knowledge workers.”

But with the bigger swing that the globe has seen away from industrial and towards knowledge economies, there is an argument to be made for building more enterprises and opportunities for an ever wider pool of users, rather than expecting everyone to be shoehorned into the models of the last 50 years. (The latter would essentially imply that college is possibly the only way up.)

It might also be fair to claim that Blair’s connections helped him secure funding and open doors with would-be customers, and that might well be the case, but ultimately the startup will live or die by how well it executes on its premise: whether it finds a good way to connect more people, engage them in opportunities and keep them on board.

This is what really attracted the investors, said Joel Cutler, managing director and co-founder of General Catalyst.

“Euan has a genuine belief that this is important, and when you talk to him, you get a feeling of manifest destiny,” Cutler said in an interview. In response to the question of family connections, he said that this was precisely the kind of issue that the technology industry should be tackling.

“Of all the industries to break the mold of where you went to school, it should be the tech world that will do that, since it is far more of a meritocracy than others. This is the perfect place to start to break that mold,” he said. “Education will be super valuable but apprenticeships will also be important.” He noted that another company that General Catalyst invests in, Guild Education, is addressing similar opportunities, or rather the gaps in current opportunities, for older people.

Citrix is acquiring Wrike from Vista for $2.25B

Citrix announced today that it plans to acquire Wrike, a SaaS project management platform, from Vista Equity Partners for $2.25 billion. Vista bought the company just two years ago.

Citrix, which is best known for its digital workspaces, sees this as a good match, especially at a time when employees have been forced to work from home because of the pandemic. Combining the two companies produces a powerful approach, one that didn’t escape Citrix CEO and president David Henshall.

“Together, Citrix and Wrike will deliver the solutions needed to power a cloud-delivered digital workspace experience that enables teams to securely access the resources and tools they need to collaborate and get work done in the most efficient and effective way possible across any channel, device or location,” Henshall said in a statement.

Andrew Filev, founder and CEO at Wrike, who has managed the company through these multiple changes and remains at the helm, believes his company has landed in a good spot with the Citrix purchase.

“First, as part of the Citrix family we will be able to scale our product and accelerate our roadmap to deliver capabilities that will help our customers get more from their Wrike investment. We have always listened to our customers and have built our product based on their feedback — now we will be able to do more of that, faster,” Filev wrote in a company blog post announcing the deal, stating a typical argument from CEOs of acquired companies.

The startup reports $140 million ARR, growing at 30% annually, so that comes out to approximately 16x its present-day revenue, which is the price companies are generally paying for acquisitions these days. However, as Wrike expects to reach $180 million to $190 million in ARR this year, the company’s sale price could look like a bargain in a few years’ time if the projections come to pass.

The price was not revealed in the 2018 sale, but it surely feels like a big win for Vista. Consider that Wrike has previously raised just $26 million.

A first look at Qualtrics’ IPO pricing

Earlier today, Qualtrics dropped a new S-1 filing, this time detailing its proposed IPO pricing. That means we can now get a good look at how much the company may be worth when it goes public later this month.

The debut has been one TechCrunch has been looking forward to since the company announced that it would be spun out from its erstwhile corporate parent, SAP. In 2019, the Germany-based enterprise giant SAP snatched up Qualtrics for $8 billion just before it was to go public.

Qualtrics is either worth less than we would have guessed, or its first IPO range feels light.

That figure provides a good marker for how well SAP has done with the deal and how much value Qualtrics has generated in the intervening years. Keep in mind, however, that the value of software companies has risen greatly in the last few years, so the numbers we’ll see below benefit from a market-wide repricing of recurring revenue.

Qualtrics estimates that it may be worth $22 to $26 per share when it goes public. Is that a lot? Let’s find out.

Qualtrics’ first IPO range

First, scale. Qualtrics is selling just under 50 million shares in its public offering. As you can math out, at more than $20 per share, the company is looking to raise north of $1 billion.

After going public, Qualtrics anticipates having 510,170,610 shares outstanding, inclusive of its 7.4 million underwriter option. Using that simple share count, Qualtrics would be worth $11.2 billion to $13.3 billion.

New Charges Derail COVID Release for Hacker Who Aided ISIS

A hacker serving a 20-year sentence for stealing personal data on 1,300 U.S. military and government employees and giving it to an Islamic State hacker group in 2015 has been charged once again with fraud and identity theft. The new charges have derailed plans to deport him under compassionate release because of the COVID-19 pandemic.

Ardit Ferizi, a 25-year-old citizen of Kosovo, was slated to be sent home earlier this month after a federal judge signed an order commuting his sentence to time served. The release was granted in part due to Ferizi’s 2018 diagnosis of asthma, as well as a COVID outbreak at the facility where he was housed in 2020.

But while Ferizi was in quarantine awaiting deportation the Justice Department unsealed new charges against him, saying he’d conspired from prison with associates on the outside to access stolen data and launder the bitcoin proceeds of his previous crimes.

In the years leading up to his arrest, Ferizi was the administrator of a cybercrime forum called Pentagon Crew. He also served as the leader of an ethnic Albanian group of hackers from Kosovo known as Kosova Hacker’s Security (KHS), which focused on compromising government and private websites in Israel, Serbia, Greece, Ukraine and the United States.

The Pentagon Crew forum founded by Ferizi.

In December 2015, Ferizi was apprehended in Malaysia and extradited to the United States. In January 2016, Ferizi pleaded guilty to providing material support to a terrorist group and to unauthorized access. He admitted to hacking a U.S.-based e-commerce company, stealing personal and financial data on 1,300 government employees, and providing the data to an Islamic State hacking group.

Ferizi gave the purloined data to Junaid “Trick” Hussain, a 21-year-old hacker and recruiter for ISIS who published it in August 2015 as part of a directive that ISIS supporters kill the named U.S. military members and government employees. Later that month, Hussain was reportedly killed by a drone strike in Syria.

The government says Ferizi and his associates made money by hacking PayPal and other financial accounts, and through pornography sites he allegedly set up mainly to steal personal and financial data from visitors.

Junaid Hussain’s Twitter profile photo.

Between 2015 and 2019, Ferizi was imprisoned at a facility in Illinois that housed several other notable convicts. For example, prosecutors allege that Ferizi was an associate of Mahmud “Red” Abouhalima, who was serving a 240-year sentence at the prison for his role in the 1993 World Trade Center bombing.

Another inmate incarcerated at the same facility was Shaun Bridges, a former U.S. Secret Service agent serving almost eight years for stealing $820,000 worth of bitcoin from online drug dealers while investigating the hidden underground website Silk Road. Prosecutors say Ferizi and Bridges discussed ways to hide their bitcoin.

The information about Ferizi’s inmate friends came via a tip from another convict, who told the FBI that Ferizi was allegedly using his access to the prison’s email system to share email and bitcoin account passwords with family members back home.

The Justice Department said subpoenas served on Ferizi’s email accounts and interviews with his associates show Ferizi’s brother in Kosovo used the information to “liquidate the proceeds of Ferizi’s previous criminal hacking activities.”

[Side note: It may be little more than a coincidence, but my PayPal account was hacked in Dec. 2015 by criminals who social engineered PayPal employees over the phone into changing my password and bypassing multi-factor authentication. The hackers attempted to send my balance to an account tied to Hussain, but the transfer never went through.]

Ferizi is being tried in California, but has not yet had an initial appearance in court. He’s charged with one count of aggravated identity theft and one count of wire fraud. If convicted of wire fraud, he faces a maximum penalty of 20 years in prison and a fine of $250,000. If convicted of aggravated identity theft, he faces a mandatory penalty of 2 years in prison in addition to the punishment imposed for a wire fraud conviction.

Personio raises $125M on a $1.7B valuation for an HR platform targeting SMEs

With the last year changing how (and where) many of us work, organizations have started to rethink how well they manage their employees, and what tools they use to do that. Today, one of the startups that is building technology to address this challenge is announcing a major round of funding that underscores its traction to date.

Personio — the German startup that targets small- and medium-sized businesses (10-2,000 employees) with an all-in-one HR platform covering recruiting and onboarding, payroll, absence tracking and other major HR functions — has picked up $125 million in funding at a $1.7 billion post-money valuation.

The Series D is being co-led by Index Ventures and Meritech, with previous backers Accel, Lightspeed Venture Partners, Northzone, Global Founders Capital and Picus all participating.

The $1.7 billion valuation is a big jump on the company’s $500 million valuation a year ago, and it comes after a year where the startup has doubled its revenues and was not on the hunt to raise, with much of its previous fundraising still in the bank.

Personio currently counts some 3,000 SMEs in Europe as customers.

In an interview, Hanno Renner, the co-founder and CEO of Personio, said that the startup would be using the funding to continue building out the product — which operates a little like Workday, but built for much smaller organizations — as well as expanding its presence in Europe.

Although SMEs can be a notoriously challenging customer segment, Renner said that a new opportunity has emerged: A new wave of people in the SME sector have started to realise the value of having a modern and integrated HR platform.

“We started Personio in 2016 wanting to become the leading HR platform for midmarket companies, and we knew it could be a great company, but we realize it can be hard to grasp what HR really means,” he said. “But I think what has driven our business in the past year has been the realization that HR is not just an important part, but maybe the most important part, of any business.”

It may take one magic turn to convert users, he said, by providing (as one example) tools to recruit, sign contracts and onboard new employees remotely. Still, he acknowledges that the midmarket — especially those companies not built around technology — has been “lagging for years,” with many still working off Excel spreadsheets, or even more surprisingly, pen and paper. “Supporting them by helping them to digitize in a more efficient way has been driving our business.”

Personio is not the only startup hopeful that the shift in how we work will bring a new appreciation (and appetite) for purchasing HR tools. Others like Hibob have also seen a big boost in their business and have also been raising money to tap into the opportunity more aggressively.

Hibob is looking to build in more training tools, underscoring the feature race that Personio will also have to run to keep up.

But given the sheer number of SMBs in the European market (more than 25 million, accounting for more than 99% of all enterprises, according to research from the European Union) and the fact that many of them have yet to adopt any kind of HR platform at all, there remains a lot of room for growth for a number of players.

“SMEs are the backbone of the European economy, employing 100 million people across the continent, but it is also a sector that has been neglected by software companies focused predominantly on large enterprises,” Martin Mignot, a partner at Index who sits on Personio’s board, said in a statement. “Personio changes that, having created a set of powerful tools tailored to address the needs of small businesses.”

“We have had the pleasure of working with some of the most successful SaaS companies in the world, and given Personio’s success over the past five years and the immense market potential, we strongly believe in Personio’s ability to build an equally successful and impactful business,” added Alex Clayton, general partner at Meritech Capital, in his own statement. “After many great discussions with Hanno over recent years, we are now excited to be joining the journey.” Clayton is also joining the board with this round.

Salesforce leads $15M investment in Asian HR tech platform Darwinbox

Darwinbox, which operates a cloud-based human resource management platform, has raised $15 million in a new financing round as the Indian startup looks to further expand in the country and Southeast Asian markets.

The new round, a Series C, for the Hyderabad-headquartered startup was led by Salesforce Ventures, the venture arm of the American enterprise giant. This is one of Salesforce Ventures’ rare investments in India. Existing investors including Lightspeed India and Sequoia Capital India also participated in the round, which brings the five-year-old startup’s raise to date to about $35 million.

Over 500 firms, including Tokopedia, Indorama, JG Summit Group, Zilingo, Zalora, Fave, Adani, Mahindra, Kotak, TVS, National Stock Exchange, Ujjivan Small Finance Bank, Dr. Reddy’s, Nivea, Puma, Swiggy and Bigbasket, use Darwinbox’s HR platform to provide more than a million of their employees with a range of features in 60 nations, up from about 200 firms across 50 nations in late 2019, said Chaitanya Peddi, co-founder of Darwinbox, in an interview with TechCrunch.

Peddi said the startup has always looked up to Salesforce for inspiration, and that investment from the enterprise giant is “nothing short of a child receiving validation from their father.”

The fundraise caps the most successful year for the startup, one that started with uncertainty as the coronavirus spread across Asian nations. The startup initially took a hit as its customers scrambled to navigate through the global pandemic, but the last two quarters have been its best to date, said Peddi.

Overall, the startup’s revenue has ballooned by 300% since September 2019, when it last raised money, he said. “In HR tech and SaaS space, we are now only behind SAP and Oracle in India in terms of revenue,” he said.

Dev Khare, a partner at Lightspeed India, an early backer of the startup, said that Darwinbox has become the preferred human capital management solution for Asian conglomerates, governments, and high-growth businesses and multi-national corporations operating in Asia as they witness digital transformation.


Darwinbox’s platform is built to take care of the entire “hiring to retiring” cycle needs of employees. It handles onboarding of new hires, keeps a tab on their performance, monitors attrition rate, and provides an ongoing feedback loop.

It also provides its customers with a social network for their employees to remain connected with one another and an AI assistant to apply for a leave or set up meetings with quick voice commands from their phones.

Peddi said the startup will deploy the fresh capital to expand to several more countries, especially emerging markets in the Middle East, Asia and Africa, and to broaden its offerings. “We will be leveraging the power of our platform to do a lot more. We are a product-led firm and our focus will remain on innovation in that space,” he said. The startup is also open to exploring opportunities to acquire smaller firms for inorganic growth, he said.

“India is home to one of the world’s youngest populations, and by 2050, it is expected to account for over 18% of the global working age population,” said Arundhati Bhattacharya, Chairperson and CEO, Salesforce India, in a statement. “This makes technology platforms like Darwinbox, that focus on workforces, incredibly important. I’m proud that Salesforce is supporting Darwinbox on their journey as they continue to grow and innovate in this space.”

Alex Kayyal, partner and head of international at Salesforce Ventures, told TechCrunch in an interview that the firm helps its partners in a number of ways, including exposing them to the firm’s customers, executives and their networks, and helping startups scale their business.

“We have one of the most innovative and disruptive customer bases that are looking for cloud solutions and digital transformation. So the opportunity to expose companies like Darwinbox to our customer base is something we get really excited about,” said Kayyal. Salesforce Ventures is exploring more investment opportunities in India, he said.