5 questions every IT team should be able to answer

/0 Comments/in /by
Christy Wyatt
Contributor

Christy Wyatt is Chief Executive Officer and a member of the board of directors at Absolute, a leader in endpoint resilience solutions and the industry’s only undeletable defense platform embedded in over a half-billion devices.

Now more than ever, IT teams play a vital role in keeping their businesses running smoothly and securely. With all of the assets and data that are now broadly distributed, a CEO depends on their IT team to ensure employees remain connected and productive and that sensitive data remains protected.

CEOs often visualize and measure things in terms of dollars and cents, and in the face of continuing uncertainty, IT — along with most other parts of the business — is facing intense scrutiny and tightening of budgets. So, it is more important than ever to be able to demonstrate that they’ve made sound technology investments and have the agility needed to operate successfully in the face of continued uncertainty.

For a CEO to properly understand risk exposure and make the right investments, IT departments have to be able to confidently communicate what types of data are on any given device at any given time.

Here are five questions that IT teams should be ready to answer when their CEO comes calling:

What have we spent our money on?

Or, more specifically, exactly how many assets do we have? And, do we know where they are? While these seem like basic questions, they can be shockingly difficult to answer … much more difficult than people realize. The last several months in the wake of the COVID-19 outbreak have been the proof point.

With the mass exodus of machines leaving the building and disconnecting from the corporate network, many IT leaders found themselves guessing just how many devices had been released into the wild and gone home with employees.

One CIO we spoke to estimated they had “somewhere between 30,000 and 50,000 devices” that went home with employees, meaning there could have been up to 20,000 that were completely unaccounted for. The complexity was further compounded as old devices were pulled out of desk drawers and storage closets to get something into the hands of employees who were not equipped to work remotely. Companies had endpoints connecting to corporate network and systems that they hadn’t seen for years — meaning they were out-of-date from a security perspective as well.

This level of uncertainty is obviously unsustainable and introduces a tremendous amount of security risk. Every endpoint that goes unaccounted for not only means wasted spend but also increased vulnerability, greater potential for breach or compliance violation, and more. In order to mitigate these risks, there needs to be a permanent connection to every device that can tell you exactly how many assets you have deployed at any given time — whether they are in the building or out in the wild.

Are our devices and data protected?

Device and data security go hand in hand; without the ability to see every device that is deployed across an organization, it becomes next to impossible to know what data is living on those devices. When employees know they are leaving the building and going to be off network, they tend to engage in “data hoarding.”

U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

/0 Comments/in /by

Communications at the U.S. Treasury and Commerce Departments were reportedly compromised by a supply chain attack on SolarWinds, a security vendor that helps the federal government and a range of Fortune 500 companies monitor the health of their IT networks. Given the breadth of the company’s customer base, experts say the incident may be just the first of many such disclosures.

Some of SolarWinds’ customers. Source: solarwinds.com

According to a Reuters story, hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments. Reuters reports the attackers were able to surreptitiously tamper with updates released by SolarWinds for its Orion platform, a suite of network management tools.

In a security advisory, Austin, Texas based SolarWinds acknowledged its systems “experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.”

In response to the intrusions at Treasury and Commerce, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks.

“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” CISA advised.

A blog post by Microsoft says the attackers were able to add malicious code to software updates provided by SolarWinds for Orion users. “This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials,” Microsoft wrote.

From there, the attackers would be able to forge single sign-on tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts on the network.

“Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application,” Microsoft explained.

Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.

The Reuters story quotes several anonymous sources saying the intrusions at the Commerce and Treasury departments could be just the tip of the iceberg. That seems like a fair bet.

SolarWinds says it has over 300,000 customers including:

-more than 425 of the U.S. Fortune 500
-all ten of the top ten US telecommunications companies
-all five branches of the U.S. military
-all five of the top five U.S. accounting firms
-the Pentagon
-the State Department
-the National Security Agency
-the Department of Justice
-The White House.

It’s unclear how many of the customers listed on SolarWinds’ website are users of the affected Orion products. But Reuters reports the supply chain attack on SolarWinds is connected to a broad campaign that also involved the recently disclosed hack at FireEye, wherein hackers gained access to a slew of proprietary tools the company uses to help customers find security weaknesses in their computers and networks.

The compromises at the U.S. federal agencies are thought to date back to earlier this summer, and are being blamed on hackers working for the Russian government. FireEye said its breach was the work of APT 29, a.k.a. “Cozy Bear,” a Russian hacker group believed to be associated with one or more intelligence agencies of Russia.

In its own advisory, FireEye said multiple updates poisoned with a malicious backdoor program were digitally signed with a SolarWinds certificate from March through May 2020, and posted to the SolarWindws update website.

FireEye posits the impact of the hack on SolarWinds is widespread, affecting public and private organizations around the world.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” the company’s analysts wrote. “We anticipate there are additional victims in other countries and verticals.”

The Good, the Bad and the Ugly in Cybersecurity – Week 50

/0 Comments/in /by

The Good

Will the real APT32 please stand up? The OceanLotus APT group have been hitting the headlines a lot recently, but it’s reasonably unprecedented for an APT group’s identity to be outed in the way Facebook doxed the group this week.

The social media giant fingered Vietnamese IT company CyberOne Security as the entity behind APT32 activity that has targeted victims including human rights activists, news agencies, governmental and NGO agencies, as well as a wide range of businesses from agriculture and health to tech and IT. Researchers from Facebook identified Windows malware, a macOS backdoor and TTPs that include malicious Play Store apps, watering hole attacks, and fake FB and other social media personas to lure victims.

Facebook say they have disrupted the group’s behaviour by blocking associated domains from being posted on the platform, removing the group’s accounts and notifying suspected victims. As for the fake “CyberOne Security” company, journalists’ attempts to contact anyone via phone and email went, perhaps unsurprisingly, unanswered.

The Bad

It’s all about the APTs this week. While the security industry has rallied round to help enterprises defend against an APT attack on FireEye that resulted in the theft of offensive red teaming tools, it appears that Russian APT groups have been actively taking advantage of a vulnerability in VMware systems, according to a 3-page US National Security Agency advisory published this week.

Successfully exploiting the bug, CVE-2020-4006, allows threat actors to execute commands of choice on a compromised system running the vulnerable software. The agency reported that attackers have been exploiting the vulnerability via installing a web shell as a gateway into networks and accessing protected data by means of forged SAML assertions.

The VMware products affected by the security flaw are:

  • VMware Access 20.01 and 20.10 on Linux
  • VMware vIDM 3.3.1, 3.3.2, and 3.3.3 on Linux
  • VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x

Malicious activity based on the flaw occurs within the TLS tunnel associated with the devices. Security teams that lack visibility into encrypted connections can hunt for post-compromise indicators in the configurator log (/opt/vmware/horizon/workspace/logs/configurator.log), specifically for an ‘exit’ statement followed by a 3-digit number, the NSA advised.


Source

Patches for the above have been available since December 3rd, and all users are advised to update as soon as possible. In addition, since exploitation of the bug requires password-based access to the web-based management interface of a targeted device, admins are urged to ensure that they follow best practice to avoid weak passwords and, where possible, to ensure the web-based management interface is not accessible from the internet. Other workarounds where patching is not immediately possible are suggested in the NSA advisory.

The Ugly

As we noted last week, there’s been a disturbing trend recently among both crimeware actors and sophisticated adversaries of targeting research data, organizations and infrastructure related to developing, manufacturing and distributing COVID-19 vaccines.

That trend continued this week with a cyberattack on the European Medicines Agency. The organization’s terse statement offered no further details other than to confirm an attack had taken place, but subsequent reports say documents relating to regulatory submission of the Pfizer/BioNTech vaccine, BNT162b2, had been accessed.

EMA is in the midst of the approval process for the vaccine and the documents were stored on an EMA server, according to a press release from BioNTech.

It is not clear whether such documents were the primary target of the attack or what other data may have been compromised, but there is no indication to date that any PPI belonging to staff or persons involved in vaccine trials was exposed. Reportedly, EMA have said the cyberattack will not delay regulatory approval of the vaccine in the EU, which is expected to be within the next few weeks.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Hibob raises $70M for its new take on human resources

/0 Comments/in /by

Productivity software has been getting a major re-examination this year, and human resources platforms — used for hiring, firing, paying and managing employees — have been no exception. Today, one of the startups that’s built what it believes is the next generation of how HR should and will work is announcing a big fundraise, underscoring its own growth and the focus on the category.

Hibob, the startup behind the HR platform that goes by the name of “bob” (the company name is pronounced, “Hi, Bob!”), has picked up $70 million in funding at a valuation that reliable sources close to the company tell us is around $500 million.

“Our mission is to modernize HR technology,” said Ronni Zehavi, Hibob’s CEO, who co-founded the company with Israel David. “We are a people management platform for how people work today. Whether that’s remotely or physically collaborative, our customers face challenges with work. We believe that the HR platforms of the future will not be clunky systems, annoying, giant platforms. We believe it should be different. We are a system of engagement rather than record.”

The Series B is being led by SEEK and Israel Growth Partners, with participation also from Bessemer Venture Partners, Battery Ventures, Eight Roads Ventures, Arbor Ventures, Presidio Ventures, Entree Capital, Cerca Partners and Perpetual Partners, the same group that also backed Hibob in its last round (a Series A extension) in 2019. It has raised $124 million to date.

The company has its roots in Israel but these days describes its headquarters as London and New York, and the funding comes on the back of strong growth in multiple markets. In an interview, Zehavi said that Hibob specialises in the mid-market customers and says that it has more than 1,000 of them currently on its books across the U.S., Europe and Asia, including Monzo, Revolut, Happy Socks, ironSource, Receipt Bank, Fiverr, Gong and VaynerMedia. In the last year Hibob has had “triple-digit” year-on-year growth (it didn’t specify what those digits are).

Human resources has never been at the more glamorous end of how a company works, and it can sometimes even be looked on with some disdain. However, HR has found itself in a new spotlight in 2020, the year when every company — whether one based around people sitting at desks or in more interactive and active environments — had to change how it worked.

That might have involved sending everyone home to sign in from offices possibly made out of corners of bedrooms or kitchens, or that might have involved a vastly different set of practices in terms of when and where workers showed up and how they interacted with people once they did. But regardless of the implementations, they all involved a team of people who needed to be linked together, still feeling connected and managed; and sometimes hired, furloughed, or let go.

That focus has started to reveal the strains of how some legacy systems worked, with older systems built to consider little more than creating an employee identity number that could then be tracked for payroll and other purposes.

Hibob — Zehavi said they chose the name after the person who owned the bob.com domain wanted too much to sell it, but they liked “bob” for the actual product — takes an approach from the ground up that is in line with how many people work today, balancing different software and apps depending on what they are doing, and linking them up by way of integrations: its own includes Slack, Microsoft Teams and Mercer, and other packages that are popular with HR departments. 

While it covers all of the necessary HR bases like payroll and further compensation, onboarding, managing time off and benefits, it further brings in a variety of other features that help build out bigger profiles of users, such as performance and culture, with the ability for peers, managers and workers themselves to provide feedback to enhance their own engagement with the company, and for the company to have a better idea of how they are fitting into the organization, and what might need more attention in the future.

That then links into a bigger organizational chart and conceptual charts that highlight strong performers, those who are possible flight risks, those who are leaders and so on. While there have been a number of others in the HR world that have built standalone apps that cover some of these features (for example, 15five was early to spot the value of a platform that made it much easier to set goals and provide feedback), what’s notable here is how they are all folded into one system together.

The end effect, as you can see here, looks less like word salad and more interactive, graphic interfaces that are presumably a lot more enjoyable and at least easier to use for HR people themselves.

The importance for investors has been that the product and the startup has identified the opportunity, but has delivered not just more engagement, but a strong piece of software that still provides the essentials.

“This is certainly not a Workday,” said Adam Fisher, a partner at Bessemer, in an interview. “Our overall thesis has been that HR is only growing in importance. And while engagement is super important, that opportunity is not enough to create the market.”

The end result is a platform that has a significant shot at building in even more over time. For example, another large area that has been seeing traction in the world of enterprise and B2B software is employee training. Specifically, enterprise learning systems are creating another way to help keep people not only up to speed on important aspects of how they work, but also engaged at a time when connections are under strain.

“Training, a SuccessFactors-style offering, is definitely in our road map,” said Zehavi, who noted they are adding new features all the time. The latest has been compensation, sometimes known as merit increase cycles. “That is a very complex issue and requires deeper integrations finance and the CFO’s office. We streamlined it and made it easy to use. We launched two months ago and it’s on fire. After learning and development there are other modules also down the road.”

New Relic acquires Kubernetes observability platform Pixie Labs

/0 Comments/in /by

Two months ago, Kubernetes observability platform Pixie Labs launched into general availability and announced a $9.15 million Series A funding round led by Benchmark, with participation from GV. Today, the company is announcing its acquisition by New Relic, the publicly traded monitoring and observability platform.

The Pixie Labs brand and product will remain in place and allow New Relic to extend its platform to the edge. From the outset, the Pixie Labs team designed the service to focus on providing observability for cloud-native workloads running on Kubernetes clusters. And while most similar tools focus on operators and IT teams, Pixie set out to build a tool that developers would want to use. Using eBPF, a relatively new way to extend the Linux kernel, the Pixie platform can collect data right at the source and without the need for an agent.

At the core of the Pixie developer experience are what the company calls “Pixie scripts.” These allow developers to write their debugging workflows, though the company also provides its own set of these and anybody in the community can contribute and share them as well. The idea here is to capture a lot of the informal knowledge around how to best debug a given service.

“We’re super excited to bring these companies together because we share a mission to make observability ubiquitous through simplicity,” Bill Staples, New Relic’s chief product officer, told me. “[…] According to IDC, there are 28 million developers in the world. And yet only a fraction of them really practice observability today. We believe it should be easier for every developer to take a data-driven approach to building software and Kubernetes is really the heart of where developers are going to build software.”

It’s worth noting that New Relic already had a solution for monitoring Kubernetes clusters. Pixie, however, will allow it to go significantly deeper into this space. “Pixie goes much, much further in terms of offering on-the-edge, live debugging use cases, the ability to run those Pixie scripts. So it’s an extension on top of the cloud-based monitoring solution we offer today,” Staples said.

The plan is to build integrations into New Relic into Pixie’s platform and to integrate Pixie use cases with New Relic One as well.

Pixie Labs raises $9.15M Series A round for its Kubernetes observability platform

Currently, about 300 teams use the Pixie platform. These range from small startups to large enterprises and, as Staples and Pixie co-founder Zain Asgar noted, there was already a substantial overlap between the two customer bases.

As for why he decided to sell, Asgar — a former Google engineer working on Google AI and adjunct professor at Stanford — told me that it was all about accelerating Pixie’s vision.

“We started Pixie to create this magical developer experience that really allows us to redefine how application developers monitor, secure and manage their applications,” Asgar said. “One of the cool things is when we actually met the team at New Relic and we got together with Bill and [New Relic founder and CEO] Lew [Cirne], we realized that there was almost a complete alignment around this vision […], and by joining forces with New Relic, we can actually accelerate this entire process.”

New Relic has recently done a lot of work on open-sourcing various parts of its platform, including its agents, data exporters and some of its tooling. Pixie, too, will now open-source its core tools. Open-sourcing the service was always on the company’s road map, but the acquisition now allows it to push this timeline forward.

“We’ll be taking Pixie and making it available to the community through open source, as well as continuing to build out the commercial enterprise-grade offering for it that extends the New Relic One platform,” Staples explained. Asgar added that it’ll take the company a little while to release the code, though.

“The same fundamental quality that got us so excited about Lew as an EIR in 2007, got us excited about Zain and Ishan in 2017 — absolutely brilliant engineers, who know how to build products developers love,” Benchmark Ventures General Partner Eric Vishria told me. “New Relic has always captured developer delight. For all its power, Kubernetes completely upends the monitoring paradigm we’ve lived with for decades. Pixie brings the same easy to use, quick time to value, no-nonsense approach to the Kubernetes world as New Relic brought to APM. It is a match made in heaven.”

Boast.ai raises $23M to help businesses get their R&D tax credits

/0 Comments/in /by

Nobody likes dealing with taxes — until the system works in your favor. In many countries, startups can receive tax credits for their R&D work and related employee cost, but as with all things bureaucracy, that’s often a slow and onerous task. Boast.ai aims to make this process far easier, by using a mix of AI and tax experts. The company, which currently has about 1,000 customers, today announced that it has raised a $23 million Series A round led by Radian Capital.

Launched in 2012 by co-founders Alex Popa (CEO) and Lloyed Lobo (president), Boast focuses on helping companies — and especially startups — in the U.S. and Canada claim their R&D tax credits.

“Globally, over $200 billion has been given in R&D incentives to fund businesses, not only in the U.S. and Canada, but the U.K., Australia, France, New Zealand, Ireland give out these incentives,” Lobo explained. “But there’s huge red tape. It’s a cumbersome process. You got to dive in and figure out work that qualifies and what doesn’t. Then you’ve got to file it with your taxes. Then if the government audits you, it’s like a long, laborious process.”

Image Credits: Boast.ai

After working on a few other startup ideas, the co-founders decided to go all-in on Boast. And in the process of working on other ideas, they also realized that AI wasn’t going to be able to do it all, but that it was getting good enough to augment humans to make a complex process like dealing with R&D tax credits scalable.

“The way I think to bootstrap a company is three things,” Lobo explained. “One, customers are looking for an outcome. Get them that outcome in the fastest, cheapest way possible. Two, when you’re doing that, you may have to do a lot of manual work. Figure out what those manual touch points are and then build the workflow to automate that. And once you have those two things, then you’ll have enough data to start working on artificial intelligence and machine learning. Those are the key learnings that we learned the hard way.”

So after doing some of that manual work, Boast can now automatically pull in data using tech tools like JIRA and GitHub and a company’s financial tools like QuickBooks, Gusto and (soon) ADP. It then uses its algorithms to cluster this data, figure out how much time employees spend on projects that would qualify for a tax credit and automate the tax filing process. Throughout the process — and to interact with the government if necessary — the company keeps humans in the loop.

“So all our [customer success] team is engineers,” Lobo noted. “Because if you don’t have engineers they can’t inform the decision-making process. They help figure out if there are any loose ends and then they deal with the audits, communicating with the government and whatnot. That’s how we’re able to effectively get SaaS-like margins or more.”

Ideally, a tool like Boast pays for itself and the company says it has secured more than $150 million in R&D tax credits since launch. Currently, it’s also doubling growth year over year, and that’s what made the founders decide to raise outside money for the first time. That funding will go toward increasing the sales team (which is currently only four people strong) and improving the platform, but Lobo was clear that he doesn’t want to be too aggressive. The goal, he said, is not to have to raise again until Boast can hit the $30 to $50 million revenue mark.

Once fully implemented, Boast also effectively becomes a system of record for all R&D and engineering data. And indeed, that’s the company’s overall vision, with the tax credits being somewhat of a Trojan horse to get to this point. By the middle of next year, the team plans to offer a new product around R&D-based financing, Lobo tells me.

Over the years, the Boast team also focused on not just growing its customer base but also the overall startup ecosystem in the markets in which it operates, with a special focus on Canada. The Boast team, for example, is also the team behind the popular annual Traction conference in Vancouver, Canada (Disclosure: I’ve moderated sessions at the event since its inception). A thriving startup ecosystem creates a larger client base for Boast, too, after all — and coincidently, the team met its investors at the event, too.

UserLeap raises $16 million to bring better qualitative data to PMs

/0 Comments/in /by

Product managers can only be successful if they can make effective use of both quantitative and qualitative data. But mapping the former to the latter, and collecting high-quality data, is a huge challenge to organizations looking to rapidly productize and innovate.

UserLeap, a company founded by serial product manager Ryan Glasgow, thinks it has found a better way, and so do its investors. The company today announced the close of a $16 million Series A financing led by Accel (Dan Levine led the round), with participation from angels like Elad Gil, Dylan Field, Ben Porterfield, Akshay Kothari, Jack Altman and Bobby Lo.

One of the main challenges of rapid product development is that the ratio of quantitative data to qualitative data isn’t equal. It can take weeks or even months to get results from user surveys, and that’s only if users actually respond. According to UserLeap, the average response rate for email surveys is between 3% and 5%. To add to the headache, PMs and data teams usually have to parse that information and organize it manually.

UserLeap offers product teams the ability to put a short line of code into their product that then delivers contextual micro-surveys to users right within the product. The company says that these micro-surveys usually see a 20% to 30% response rate, and sometimes that even pops all the way to 90%.

Plus, the UserLeap dashboard processes the natural language from respondents and organizes the data. For example, if one user references price and another references cost, those responses are grouped together.

Because the surveys are built right into the product and targeted to a specific action or flow, and because the data is parsed and automatically sorted, product teams usually have access to this data within a few hours.

UserLeap charges based on the number of end users tracked, plus the number of surveys sent out per month, offering tiers for those surveys in groupings of five. Glasgow says this is a bit of a differentiator when compared to other survey products like SurveyMonkey or TypeForm.

Q&A with J Crowley, Head of Product at Airbnb Lux, on what makes a great PM

“We have a usage-based pricing model, where our competitors often have a seat-based pricing model,” said Glasgow. “We don’t care how many people have access to us. Really, our goal is to get you to use our product.”

In other words, the insights gleaned from UserLeap can be shared and used across the entire organization without affecting the price.

This latest funding brings UserLeap’s total funding to $20 million — First Round Capital previously led a $4 million seed round.

Customers include Square, Opendoor and Codecademy. Thus far, the company has tracked more than 500 million visitors, and gotten 600,000 survey question responses.

The UserLeap team is currently made up of 15 people, with females representing 50% and people of color making up 33% of the leadership team. Across the company, women represent 32% of the team and people of color represent 42%.

“UserLeap cares deeply about diversity and inclusion,” said Glasgow. “Having a diverse team helps to ensure our employees feel comfortable and valued so that they can bring their whole selves to work. For that reason, UserLeap has a part-time recruiting sourcer dedicated to engaging underrepresented candidates and these efforts have contributed towards our diversity goals.”

Turing nabs $32M more for an AI-based platform to source and manage engineers remotely

/0 Comments/in /by

As remote work continues to solidify its place as a critical aspect of how businesses exist these days, a startup that has built a platform to help companies source and bring on one specific category of remote employees — engineers — is taking on some more funding to meet demand.

Turing — which has built an AI-based platform to help evaluate prospective, but far-flung, engineers, bring them together into remote teams, then manage them for the company — has picked up $32 million in a Series B round of funding led by WestBridge Capital. Its plan is as ambitious as the world it is addressing is wide: an AI platform to help define the future of how companies source IT talent to grow.

“They have a ton of experience in investing in global IT services, companies like Cognizant and GlobalLogic,” said co-founder and CEO Jonathan Siddharth of its lead investor in an interview the other day. “We see Turing as the next iteration of that model. Once software ate the IT services industry, what would Accenture look like?”

It currently has a database of some 180,000 engineers covering around 100 or so engineering skills, including React, Node, Python, Agular, Swift, Android, Java, Rails, Golang, PHP, Vue, DevOps, machine learning, data engineering and more.

In addition to WestBridge, other investors in this round included Foundation Capital, Altair Capital, Mindset Ventures, Frontier Ventures and Gaingels. There is also a very long list of high-profile angels participating, underscoring the network that the founders themselves have amassed. It includes unnamed executives from Google, Facebook, Amazon, Twitter, Microsoft, Snap and other companies, as well as Adam D’Angelo (Facebook’s first CTO and CEO at Quora), Gokul Rajaram, Cyan Banister and Scott Banister, and Beerud Sheth (the founder of Upwork), among many others (I’ll run the full list below).

Turing is not disclosing its valuation. But as a measure of its momentum, it was only in August that the company raised a seed round of $14 million, led by Foundation. Siddharth said that the growth has been strong enough in the interim that the valuations it was getting and the level of interest compelled the company to skip a Series A altogether and go straight for its Series B.

Turing raises $14M to help source, vet, place and manage remote developers in tech jobs

The company now has signed up to its platform 180,000 developers from across 10,000 cities (compared to 150,000 developers back in August). Some 50,000 of them have gone through automated vetting on the Turing platform, and the task will now be to bring on more companies to tap into that trove of talent.

Or, “We are demand-constrained,” which is how Siddharth describes it. At the same time, it’s been growing revenues and growing its customer base, jumping from revenues of $9.5 million in October to $12 million in November, increasing 17x since first becoming generally available 14 months ago. Current customers include VillageMD, Plume, Lambda School, Ohi Tech, Proxy and Carta Healthcare.

Remote work = immediate opportunity

A lot of people talk about remote work today in the context of people no longer able to go into their offices as part of the effort to curtail the spread of COVID-19. But in reality, another form of it has been in existence for decades.

Offshoring and outsourcing by way of help from third parties — such as Accenture and other systems integrators — are two ways that companies have been scaling and operating, paying sums to those third parties to run certain functions or build out specific areas instead of shouldering the operating costs of employing, upsizing and sometimes downsizing that labor force itself.

Turing is essentially tapping into both concepts. On one hand, it has built a new way to source and run teams of people, specifically engineers, on behalf of others. On the other, it’s using the opportunity that has presented itself in the last year to open up the minds of engineering managers and others to consider the idea of bringing on people they might have previously insisted work in their offices, to now work for them remotely, and still be effective.

Siddarth and co-founder Vijay Krishnan (who is the CTO) know the other side of the coin all too well. They are both from India, and both relocated to the Valley first for school (post-graduate degrees at Stanford) and then work at a time when moving to the Valley was effectively the only option for ambitious people like them to get employed by large, global tech companies, or build startups — effectively what could become large, global tech companies.

“Talent is universal, but opportunities are not,” Siddarth said to me earlier this year when describing the state of the situation.

A previous startup co-founded by the pair — content discovery app Rover — highlighted to them a gap in the market. They built the startup around a remote and distributed team of engineers, which helped them keep costs down while still recruiting top talent. Meanwhile, rivals were building teams in the Valley. “All our competitors in Palo Alto and the wider area were burning through tons of cash, and it’s only worse now. Salaries have skyrocketed,” he said.

After Rover was acquired by Revcontent, a recommendation platform that competes against the likes of Taboola and Outbrain, they decided to turn their attention to seeing if they could build a startup based on how they had, basically, built their own previous startup.

There are a number of companies that have been tapping into the different aspects of the remote work opportunity, as it pertains to sourcing talent and how to manage it.

They include the likes of Remote (raised $35 million in November), Deel ($30 million raised in September), Papaya Global ($40 million also in September), Lattice ($45 million in July) and Factorial ($16 million in April), among others.

What’s interesting about Turing is how it’s trying to address and provide services for the different stages you go through when finding new talent. It starts with an AI platform to source and vet candidates. That then moves into matching people with opportunities, and onboarding those engineers. Then, Turing helps manage their work and productivity in a secure fashion, and also provides guidance on the best way to manage that worker in the most compliant way, be it as a contractor or potentially as a full-time remote employee.

The company is not freemium, as such, but gives people two weeks to trial people before committing to a project. So unlike an Accenture, Turing itself tries to build in some elasticity into its own product, not unlike the kind of elasticity that it promises its customers.

It all sounds like a great idea now, but interestingly, it was only after remote work really became the norm around March/April of this year that the idea really started to pick up traction.

“It’s amazing what COVID has done. It’s led to a huge boom for Turing,” said Sumir Chadha, managing director for WestBridge Capital, in an interview. For those who are building out tech teams, he added, there is now “No need for to find engineers and match them with customers. All of that is done in the cloud.”

Lattice, a people management platform, picks up $45M at a $400M valuation

“Turing has a very interesting business model, which today is especially relevant,” said Igor Ryabenkiy, managing partner at Altair Capital, in a statement. “Access to the best talent worldwide and keeping it well-managed and cost-effective make the offering attractive for many corporations. The energy of the founding team provides fast growth for the company, which will be even more accelerated after the B-round.”

PS. I said I’d list the full, longer list of investors in this round. In these COVID times, this is likely the biggest kind of party you’ll see for a while. In addition to those listed above, it included [deep breath] Founders Fund, Chapter One Ventures (Jeff Morris Jr.), Plug and Play Tech Ventures (Saeed Amidi), UpHonest Capital (​Wei Guo, Ellen Ma​), Ideas & Capital (Xavier Ponce de León), 500 Startups Vietnam (Binh Tran and Eddie Thai), Canvas Ventures (Gary Little), B Capital (Karen Appleton P​age, Kabir Narang), Peak State Ventures (​Bryan Ciambella, Seva Zakharov)​, Stanford StartX Fund, Amino C​apital, ​Spike Ventures, Visary Capital (Faizan Khan), Brainstorm Ventures (Ariel Jaduszliwer), Dmitry Chernyak, Lorenzo Thione, Shariq Rizvi, Siqi Chen, Yi Ding, Sunil Rajaraman, Parakram Khandpur, Kintan Brahmbhatt, Cameron Drummond, Kevin Moore, Sundeep Ahuja, Auren Hoffman, Greg Back, Sean Foote, Kelly Graziadei, Bobby Balachandran, Ajith Samuel, Aakash Dhuna, Adam Canady, Steffen Nauman, Sybille Nauman, Eric Cohen, Vlad V, Marat Kichikov, Piyush Prahladka, Manas Joglekar, Vladimir Khristenko, Tim and Melinda Thompson, Alexandr Katalov, Joseph and Lea Anne Ng, Jed Ng, Eric Bunting, Rafael Carmona, Jorge Carmona, Viacheslav Turpanov, James Borow, Ray Carroll, Suzanne Fletcher, Denis Beloglazov, Tigran Nazaretian, Andrew Kamotskiy, Ilya Poz, Natalia Shkirtil, Ludmila Khrapchenko, Ustavshchikov Sergey, Maxim Matcin and Peggy Ferrell.

Remote raises $35M to help orgs with global workforce payroll, benefits and more

Fairmarkit lands $30M Series B to modernize procurement

/0 Comments/in /by

As the pandemic has raged on, it has shone a spotlight on the importance of procurement, especially in certain sectors. Fairmarkit, a Boston startup, is working to bring a modern digital procurement system to the enterprise. Today, the company announced a $30 million Series B.

GGV Capital and Insight Partners led the round with help from existing investors 1984 VC, NewStack and NewFund. Today’s investment brings the total raised to $42 million, according to the company.

Fairmarkit wants to replace large procurement software systems from companies like Oracle and SAP that have been around for decades, says company co-founder and CEO Kevin Frechette. When he looked around a couple of years ago, he saw a space full of these legacy vendors and ripe for disruption.

What’s more, he says that these systems have been designed to track only the biggest purchases over $500,000 or $1 million. Anything under that is what’s known as tail spend. “So procurement really focuses on companies’ biggest purchases, say things over a million, but anything under that size just gets forgotten about and neglected. It’s called tail spend, and it’s still 80% of what they buy, 80% of their vendors and 20% of the budget,” he told me.

This spending accounts for billions of dollars, yet Frechette says, it has lacked a good tracking system. He saw an opportunity, and he and his co-founders built a solution. Its first customer was the MBTA, Boston’s mass transit system (a system that could use all the help it can get in terms of getting more efficient). Today the company has more than 50 customers across a variety of industries.

The system acts as a marketplace for vendors and a central buying system for customers where they can find goods and services at this price point below $1 million. It imports a customer’s vendor data, and then combines this with other data to build a huge database of buying information. From that, they can determine what a customer needs and using AI, find the best prices for a particular order.

Frechette says this not only provides a way to save money — he says customers have been able to cut purchase costs by 10% with his system — it also provides a way to surface diverse vendors, whether that’s businesses owned by women, people of color, veterans, local business or however you define that.

Lightyear scores $3.7M seed to digitize networking infrastructure procurement

He says too often what happens is that these deals aren’t put under typical procurement department scrutiny and they just get passed through, but Fairmarkit helps surface these companies and give them a shot at the business. “So because the core of our technology is a vendor recommendation engine […], we can help to invite those diverse vendors and really just give them a fair shot,” he said.

The company started the year with 40 employees and have added 30 since. The plan is to double that number next year, and as they do, Frechette hopes to reflect the diversity of the company’s product by building a correspondingly diverse employee base.

“It’s really just keeping it at the forefront. We want to make sure that we’re not just doing surveys around how we are doing for diversity and inclusion, but we’re putting programs in place to help out with it. It’s something I’m very very passionate about because it’s been such a sticking point as well on how we’re helping diverse vendors,” he said.

Frechette says that he has managed to grow the company and build a culture in spite of the pandemic not allowing employees to come into an office. He doesn’t see a world where the office will be a requirement in the future.

“We’ve hit an inflection point this year where there’s no world where we need everyone to be in an office […], which once again only helps to accelerate our business because we’re not constricted by everyone in this one small [geographical] sector. We can operate across the board [from anywhere],” he said.

Procurify raises $7M Series A round for its purchasing platform

Payment Processing Giant TSYS: Ransomware Incident “Immaterial” to Company

/0 Comments/in /by

Payment card processing giant TSYS suffered a ransomware attack earlier this month. Since then reams of data stolen from the company have been posted online, with the attackers promising to publish more in the coming days. But the company says the malware did not jeopardize card data, and that the incident was limited to administrative areas of its business.

Headquartered in Columbus, Ga., Total System Services Inc. (TSYS) is the third-largest third-party payment processor for financial institutions in North America, and a major processor in Europe.

TSYS provides payment processing services, merchant services and other payment solutions, including prepaid debit cards and payroll cards. In 2019, TSYS was acquired by financial services firm Global Payments Inc. [NYSE:GPN].

On December 8, the cybercriminal gang responsible for deploying the Conti ransomware strain (also known as “Ryuk“) published more than 10 gigabytes of data that it claimed to have removed from TSYS’s networks.

Conti is one of several cybercriminal groups that maintains a blog which publishes data stolen from victims in a bid to force the negotiation of ransom payments. The gang claims the data published so far represents just 15 percent of the information it offloaded from TSYS before detonating its ransomware inside the company.

In a written response to requests for comment, TSYS said the attack did not affect systems that handle payment card processing.

“We experienced a ransomware attack involving systems that support certain corporate back office functions of a legacy TSYS merchant business,” TSYS said. “We immediately contained the suspicious activity and the business is operating normally.”

According to Conti, the “legacy” TSYS business unit hit was Cayan, an entity acquired by TSYS in 2018 that enables payments in physical stores and mobile locations, as well as e-commerce.

Conti claims prepaid card data was compromised, but TSYS says this is not the case.

“Transaction processing is conducted on separate systems, has continued without interruption and no card data was impacted,” the statement continued. “We regret any inconvenience this issue may have caused. This matter is immaterial to the company.”

TSYS declined to say whether it paid any ransom. But according to Fabian Wosar, chief technology officer at computer security firm Emsisoft, Conti typically only publishes data from victims that refuse to negotiate a ransom payment.

Some ransomware groups have shifted to demanding two separate ransom payments; one to secure a digital key that unlocks access to servers and computers held hostage by the ransomware, and a second in return for a promise not to publish or sell any stolen data. However, Conti so far has not adopted the latter tactic, Wosar said.

“Conti almost always does steal data, but we haven’t seen them negotiating for leaks and keys separately,” he explained. “For the negotiations we have seen it has always been one price for everything (keys, deletion of data, no leaks etc.).”

According to a report released last month by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium aimed at fighting cyber threats, the banking industry remains a primary target of ransomware groups. FS-ISAC said at least eight financial institutions were hit with ransomware attacks in the previous four months. The report notes that by a wide margin, Ryuk continues to be the most prolific ransomware threat targeting financial services firms.