The CISO’s Quick Guide to Verizon’s 2020 Data Breach Investigations Report

For the 13th consecutive year, Verizon has released its Data Breach Investigations Report, a comprehensive source of data breach-related information that offers invaluable insights to CISOs and CIOs. This year’s report was composed from data received from 81 organizations, including cybersecurity companies, law enforcement agencies, ISACs, CERTs, consulting firms and government agencies. It encompasses 157,525 reported incidents and 108,069 breaches. At 119 pages, there’s a lot to absorb. Here, we’ll detail the most important findings and provide our key recommendations to help inform your security operations.

Who Is Behind Most Cyber Attacks?

Insider threats are real (internal actors were involved in about 30% of breaches) and may even be on the increase, but by far the largest share of threats to your organization originates with external actors. The data for last year shows that 70% of breaches involved external actors. Only 1% involved multiple parties, and a mere 1% were found to involve partners. The report states that:

“It is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous.”

However, we would caution the reader not to make the mistake of believing that the number of threats from a particular origin equates to the size of the risk presented by those threats: one insider attack could potentially cause ten times the harm of an external attack, depending on the nature of incident. Nevertheless, while security teams need to keep focus on attacks from any origin, the data make it pretty clear that external threat actors are queuing up not just to knock on your door, but to batter down your defenses.

But who are all these “external actors”, besides not being people you employ? Around 55% of breaches were attributed to “organized crime”, by which the researchers mean “criminals with a process, not the mafia”. Perhaps a better way to understand that is: an attack by criminals with a clearly observable objective and methodology. We’ll get to “objectives” in the next section, but for now note that the use of “criminal” here excludes nation-state actors, and the use of “a process” excludes opportunistic attacks, hacktivists, and attacks where the motive could not be discerned.

What Do Threat Actors Want?

If you guessed the answer to the $64 million question was “money”, you would be right. At least in the overwhelming majority of cases. Some 86% of breaches were financially motivated, according to the report. This should not surprise anyone within the security industry, but for others in your organization, who keep hearing about high profile nation-state hackers and APTs, it may come as a surprise.

The focus on financial reward also makes sense of another interesting data point: attackers mostly engage in attacks that include no more than two or three steps. Anything more complicated than that is either abandoned or likely to originate from more persistent attackers. The explanation for this is that if you are a cyber criminal and your goal is financial reward, you tend to automate attacks as much as possible; picking off the low-hanging fruit is always preferable to investing time and effort in a hardened target. Operating at velocity and scale and employing automated targeting and exploitation tools is a simple ROI calculation. The lesson for defenders is straightforward: if you cover your bases and make the bad guys work hard, the vast majority of them will go elsewhere.

But while money may ultimately be what attackers really (really) want, they often come away with a whole lot more. In particular, 58% of breaches resulted in compromised personal data, and 37% of breaches either used or stole user credentials. Indeed, as we’ll see below, user credentials are a prime commodity for threat actors. Note also that your organization may be breached as a gateway to another, more valuable target. Perhaps you have a weakly-secured server that an attacker is only interested in enslaving as part of a botnet for a DDoS attack against someone else; on the other hand, perhaps you’re part of the supply chain of a juicier victim, or you’re a compromised MSP whose real value to the threat actor lies in your clients rather than your organization itself.

How Do Hackers Penetrate Your Defenses?

The data on this one is overwhelming: stolen, phished or brute-forced credentials are attackers’ primary way into your network, and once they’re inside, obtaining further credentials for persistence or for sale is one of their primary objectives. Over 80% of breaches that involved hacking used some form of brute force or lost or stolen user credentials. That doesn’t surprise us. Credential stuffing, which involves replaying a list of username/password combinations (often leaked in other breaches) against multiple accounts, is said to occur tens of millions of times a day.

This is closely related to the fact that many organizations have shifted a substantial amount of their services and data to the cloud, where it is more difficult to drop malware. Instead, attackers opt for a much simpler, scalable solution: they bombard the service with login requests using the credentials they have stolen or obtained from data dumps. And, as the more aggressive ransomware attacks now exfiltrate data prior to encrypting it, it is highly likely that this data will be sold, or even re-used by the same attackers to “stuff” their way back into the same organizations’ accounts at a later time. As the report authors put it:

“It appears to be a ubiquitous process that moves at a more or less consistent pace: Get a leak, append to your dictionary, continue brute forcing the internet. Rinse, repeat.”

Given the intense focus on stealing credentials both for compromise and persistence, it is imperative that organizations increase their focus on securing these.
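The “get a leak, append to your dictionary, continue brute forcing” pattern above has a recognisable shape in your own authentication logs: a credential-stuffing run touches many distinct accounts from one source, often accounts that do not even exist at your service, while a classic brute force hammers one account. The following is an added example (not code from the DBIR or from SentinelOne) that classifies failed-login bursts per source address; the log line format, the result codes and the thresholds are assumptions, and the sample log lines are constructed.

```python
"""Spot credential stuffing vs. single-account brute force in web auth logs.

Added example, not code from the DBIR or SentinelOne. The log line format,
the result codes (OK / BADPASS / NOUSER) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one stuffing burst, one brute-force burst, and one
# ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2020-05-20T10:00:01Z src=203.0.113.7 user=alice result=BADPASS
2020-05-20T10:00:02Z src=203.0.113.7 user=bob result=NOUSER
2020-05-20T10:00:02Z src=203.0.113.7 user=carol result=BADPASS
2020-05-20T10:00:03Z src=203.0.113.7 user=dave result=NOUSER
2020-05-20T10:00:04Z src=203.0.113.7 user=erin result=NOUSER
2020-05-20T10:00:05Z src=203.0.113.7 user=frank result=BADPASS
2020-05-20T10:01:00Z src=198.51.100.9 user=admin result=BADPASS
2020-05-20T10:01:01Z src=198.51.100.9 user=admin result=BADPASS
2020-05-20T10:01:02Z src=198.51.100.9 user=admin result=BADPASS
2020-05-20T10:01:03Z src=198.51.100.9 user=admin result=BADPASS
2020-05-20T10:01:04Z src=198.51.100.9 user=admin result=BADPASS
2020-05-20T10:01:05Z src=198.51.100.9 user=admin result=BADPASS
2020-05-20T10:05:00Z src=192.0.2.44 user=alice result=BADPASS
2020-05-20T10:05:30Z src=192.0.2.44 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def busiest_window(events, window):
    """Return the longest run of `events` (sorted by ts) that fits inside `window`."""
    best, j = [], 0
    for i, ev in enumerate(events):
        while ev["ts"] - events[j]["ts"] > window:
            j += 1
        if i - j + 1 > len(best):
            best = events[j:i + 1]
    return best


def classify_sources(log_text, window=timedelta(minutes=5), min_failures=5):
    """Return {src_ip: verdict} for every source with >= min_failures in one window."""
    by_src = defaultdict(list)
    for ev in parse_log(log_text):
        if ev["result"] != "OK":
            by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        burst = busiest_window(fails, window)
        if len(burst) < min_failures:
            continue
        users = {e["user"] for e in burst}
        unknown = sum(1 for e in burst if e["result"] == "NOUSER")
        if len(users) / len(burst) >= 0.8:
            # Many accounts, one or two tries each: a leaked list being replayed.
            # A password spray has the same shape; it differs only in the password
            # being tried, which the log (rightly) does not record.
            verdict = "credential_stuffing"
        elif len(users) == 1:
            verdict = "brute_force"
        else:
            verdict = "mixed"
        verdicts[src] = {
            "verdict": verdict,
            "failures": len(burst),
            "distinct_users": len(users),
            "unknown_accounts": unknown,  # high for stuffing: the list is not yours
        }
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

The unknown-account count is the cheapest stuffing tell: a replayed breach list is full of usernames that were never registered with you, whereas a brute force only makes sense against an account the attacker knows exists. Rate limiting per source is the first response, but because stuffing tools rotate through proxies, the per-account response (MFA challenge, breached-password screening at login) matters more.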

Social engineering remains the primary way to steal new credentials, gain a foothold and/or defraud companies out of money. Some 96% of social attacks arrived via email, whether targeted phishing or bulk malspam. The file types attackers favored were Office documents and Windows applications. Other file types seen to a lesser extent included shell scripts, archives, Java, Flash, PDFs, DLLs and Linux, Android and macOS applications.

Which Assets Are Attackers Leveraging the Most?

While attacks against on-premises assets still dominated the threat landscape at around 70% of breaches, cloud assets were involved in about 24% of breaches in the past year. Of these, email or web application servers were involved 73% of the time, and in those cases, credentials were stolen 77% of the time. It is evident that attackers understand that organizations now store sensitive information in cloud infrastructure and applications, and are shifting their efforts in line with this trend in order to obtain and monetize that information.

Web application servers are targeted more than any other asset (including social engineering of people). Typically, this involves either using stolen credentials (as previously mentioned) or exploiting unpatched vulnerabilities.

Security teams should pay heed to this particular data point: only around half of all reported vulnerabilities are actually patched in the first quarter after disclosure. This presents two points of weakness. First, attackers often move fast to beat the patch cycle, using search engines like Shodan to find exposed vulnerable devices without having to scan the internet themselves. Second, and perhaps more likely to be overlooked, is that the IT teams that don’t patch in the first quarter after disclosure are unlikely to ever patch at all. Vulnerabilities that receive special attention from attackers include SQL injection, PHP injection and local file inclusion, particularly against targets in the Retail industry.

Are Poor Security Practices Contributing to Your Own Downfall?

To err is human, it is said, but organizations are people guided by processes, and human error is something that businesses, if not the individuals within them, can control with better process implementation and oversight. In particular, human error leading to misconfigured storage is on the increase in reported breaches. According to the data, errors were causally significant in 22% of confirmed breaches. To put that in context, that’s the same percentage as attributed to social engineering as a tactic across the same dataset.

While the good news is that some portion, perhaps a significant one, of breaches due to misconfigured storage are reported by security researchers rather than discovered by threat actors, the bad news is such reports tend to make headlines, and reputational damage, though hard to quantify, could be as costly as a data theft by a malicious actor.

What Kinds of Malware Are Favored by Attackers?

Around 17% of confirmed breaches involved some form of malware, and ransomware accounted for 27% of malware incidents, something that should come as no surprise given the volume of high-profile incidents reported in the media over the previous year.

As SentinelLabs has been noting for some time, ransomware tactics have evolved in recent months to include an element of extortion: by exfiltrating data before encryption, ransomware gangs are then able to threaten leaking sensitive customer data or IP if victims don’t pay. This trend began in earnest after the cut-off point for Verizon’s data collection, so we will see this trend more evident in next year’s report. However, even prior to October 2019 (the latest date for entry into the 2020 report), it’s clear that ransomware was on the increase during the earlier part of the year. Ransomware was noted as:

“…the third most common Malware breach variety and second most common Malware incident variety.”

Of the various sectors covered by the report, the Education and Public sectors were heavily targeted by ransomware operators throughout the year.

The most common kind of malware, in keeping with the data showing that credential theft was most threat actors’ top priority, was the password dumper. Downloaders (think Emotet and TrickBot, for example) came next, along with Trojans, which are largely a tool of more advanced attackers looking for long-term persistence through backdoors and C2 functionality. Interestingly, there has been a sharp decline in cryptojacking malware after its surge in popularity during 2017 and, in particular, 2018.

SentinelOne Recommendations

At 119 pages, there is much more detail in the report than we could cover here, but we do hope to have painted a clear picture of the report’s main findings. In this section, we outline some recommendations based on our understanding of the entire report and SentinelOne’s own telemetry.

Unlike APTs, the majority of attackers do not go in for hugely complicated attacks with multiple stages. This means that catching an attack at any – rather than every – stage of the threat lifecycle (aka ‘the kill chain’) will significantly increase your chances of avoiding a breach. Moreover, the earlier you can do that, the better your chance of forcing the attacker out empty-handed and off to try their luck elsewhere. As the recent MITRE ATT&CK evaluation results showed, SentinelOne excels at stopping attacks at all stages, but specifically at preventing attacks before they have taken a foothold. Hence, our first and obvious recommendation: ensure you have a trusted, proven next-gen AI platform protecting your endpoints.

As we have seen above, attackers use automated attacks to make their own lives easy. Make it harder for them by closing unnecessary ports and reducing the number of exposed services. Expose only essential services to the internet, and limit who can reach them. SSH and Telnet (on default ports 22 and 23, respectively) are a major target for malicious connection attempts; Telnet in particular sends credentials in the clear and has no place on an internet-facing host. Who in your organization really needs them? Identify your needs and restrict everyone else.

Credentials are the pot of gold at the end of the rainbow for attackers. Ensure your Windows systems have all moved away from legacy LM and NTLMv1 and implement our recommendations here for protecting Windows credentials.


Data is your lifeblood. Control access to data, maintain an up-to-date inventory of confidential and sensitive files and, above all, use encryption.

Aside from weakly protected servers, people are one of the main “assets” attackers seek to exploit, through social engineering and phishing attacks. By all means, keep up your user awareness programs to help educate your staff about phishing attacks. Support them with automated endpoint security software that will catch malware even if they fall for a malicious link or drive-by download scam. Raise the bar for attackers by enforcing multi-factor authentication (MFA) on all user accounts, and especially on anything reachable from the internet; a stolen password on its own should not be enough to log in.

Errors and misconfigurations are your unintentional backdoors to being compromised. Conduct a thorough review of your storage permissions and, just as importantly, implement proper review processes that can prevent and identify misconfigurations. How many people are allowed to spin up storage buckets or repositories without some kind of security oversight or review? The answer should be none.
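The storage-permission review above and the misconfigured-storage breaches discussed earlier come down to one question: does any Allow statement grant access to “everyone”? As an added example (not AWS or SentinelOne code), here is a checker for S3 bucket policies. Its notion of “public” is a simplified version of the one IAM Access Analyzer applies: a wildcard principal counts as public unless the statement is narrowed by one of the listed condition keys. The key list, the severity rule and the sample policies are assumptions constructed for illustration.

```python
"""Flag bucket-policy statements that grant access to anyone.

Added example, not AWS or SentinelOne code. "Public" here is a simplified
version of the IAM Access Analyzer rule: Allow + wildcard principal, not
narrowed by an account, org, VPC or source-IP condition. Samples are constructed.
"""
import json

# Condition keys that pin a wildcard principal to an account, org, VPC or IP range
# (assumption: treated as sufficient here; a very wide aws:SourceIp would not be).
NARROWING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:userid",
}
# Action prefixes that let the world write or do anything, not just read.
WRITE_ACTIONS = ("*", "s3:*", "s3:put", "s3:delete")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(stmt):
    if "NotPrincipal" in stmt:
        # Allow + NotPrincipal grants to everyone except the listed principals.
        return True
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_keys(stmt):
    """Collect condition keys across all operators, lower-cased (keys are case-insensitive)."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def find_public_statements(policy_json):
    """Return one finding per statement that is open to the world."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt):
            continue
        if _condition_keys(stmt) & NARROWING_KEYS:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        writable = any(a.startswith(WRITE_ACTIONS) for a in actions)
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "severity": "critical" if writable else "high",
        })
    return findings


# Constructed sample policies.
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PUBLIC_WRITE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
IP_RESTRICTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
ACCOUNT_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})


if __name__ == "__main__":
    for name, doc in [("PUBLIC_READ", PUBLIC_READ), ("PUBLIC_WRITE", PUBLIC_WRITE),
                      ("IP_RESTRICTED", IP_RESTRICTED), ("ACCOUNT_SCOPED", ACCOUNT_SCOPED)]:
        print(name, find_public_statements(doc))
```

Feed it the output of `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` for each bucket in the inventory. Note that a bucket policy is only one of three controls: bucket and object ACLs and the account-level Block Public Access settings can open or close a bucket independently of the policy, so a clean result here is necessary but not sufficient.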

Finally, you’ve heard it before and you’ll no doubt hear it again: patch early, patch often. The failure to patch within the first quarter after a vulnerability’s disclosure is a telling statistic that you don’t want your organization to add to, and it’s a failure you don’t want adversaries to discover, either.

Conclusion

It’s not exactly news, but it’s also worth emphasizing: most threat actors follow the money. And just as surely as organizations have begun the move from on-prem to the cloud, attackers are following. As the perimeter-less, zero trust network paradigm ripples out across global enterprises, attackers care most about obtaining those priceless sign-on credentials. And as long as organizations continue to rely on email and expect people to click links to do their work, attackers will keep on sending phishing links to do their work, too.

The latest data on breach investigations is a reflection of current practices in organizational behavior. Where we go, they follow. Preventing breaches is a matter of recognizing this symbiotic relationship, anticipating the dangers and putting into place the security solutions, people practices and organizational processes that raise the cost of attack beyond that which the threat actor is willing to pay.

If you would like to see how SentinelOne can help protect your business from security breaches, contact us today or request a free demo.



Docker expands relationship with Microsoft to ease developer experience across platforms

When Docker sold off its enterprise division to Mirantis last fall, that didn’t mark the end of the company. In fact, Docker still exists and has refocused as a cloud-native developer tools vendor. Today it announced an expanded partnership with Microsoft around simplifying running Docker containers in Azure.

As its new mission suggests, it involves tighter integration between Docker and a couple of Azure developer tools including Visual Studio Code and Azure Container Instances (ACI). According to Docker, it can take developers hours or even days to set up their containerized environment across the two sets of tools.

The idea of the integration is to make it easier, faster and more efficient to include Docker containers when developing applications with the Microsoft tool set. Docker CEO Scott Johnston says it’s a matter of giving developers a better experience.

“Extending our strategic relationship with Microsoft will further reduce the complexity of building, sharing and running cloud-native, microservices-based applications for developers. Docker and VS Code are two of the most beloved developer tools and we are proud to bring them together to deliver a better experience for developers building container-based apps for Azure Container Instances,” Johnston said in a statement.

Among the features they are announcing is the ability to log into Azure directly from the Docker command line interface, a big simplification that reduces going back and forth between the two sets of tools. What’s more, developers can set up a Microsoft ACI environment complete with a set of configuration defaults. Developers will also be able to switch easily between their local desktop instance and the cloud to run applications.

These and other integrations are designed to make it easier for common users of Azure and Docker to work in the Microsoft cloud service without having to jump through a lot of extra hoops to do it.

It’s worth noting that these integrations are starting in Beta, but the company promises they should be released some time in the second half of this year.

RudderStack raises $5M seed round for its open-source Segment competitor

RudderStack, a startup that offers an open-source alternative to customer data management platforms like Segment, today announced that it has raised a $5 million seed round led by S28 Capital. Salil Deshpande of Uncorrelated Ventures and Mesosphere/D2iQ co-founder Florian Leibert (through 468 Capital) also participated in this round.

In addition, the company also today announced that it has acquired Blendo, an integration platform that helps businesses transform and move data from their data sources to databases.

Like its larger competitors, RudderStack helps businesses consolidate all of their customer data, which is now typically generated and managed in multiple places — and then extract value from this more holistic view. The company was founded by Soumyadeb Mitra, who has a Ph.D. in database systems and worked on similar problems previously when he was at 8×8 after his previous startup, MairinaIQ, was acquired by that company.

Mitra argues that RudderStack is different from its competitors thanks to its focus on developers, its privacy and security options and its focus on being a data warehouse first, without creating yet another data silo.

“Our competitors provide tools for analytics, audience segmentation, etc. on top of the data they keep,” he said. “That works well if you are a small startup, but larger enterprises have a ton of other data sources — at 8×8 we had our own internal billing system, for example — and you want to combine this internal data with the event stream data — that you collect via RudderStack or competitors — to create a 360-degree view of the customer and act on that. This becomes very difficult with the SaaS-hosted data model of our competitors — you won’t be sending all your internal data to these cloud vendors.”

Part of its appeal, of course, is the open-source nature of RudderStack, whose GitHub repository now has more than 1,700 stars for the main RudderStack server. Mitra credits getting on the front page of HackerNews for its first sale. On that day, it received over 500 GitHub stars, a few thousand clones and a lot of signups for its hosted app. “One of those signups turned out to be our first paid customer. They were already a competitor’s customer, but it wasn’t scaling up so were looking to build something in-house. That’s when they found us and started working with us,” he said.

Because it is open source, companies can run RudderStack any way they want, but like most similar open-source companies, RudderStack offers multiple hosting options itself, too, including cloud hosting, starting at $2,000 per month, with unlimited sources and destinations.

Current users include IFTTT, Mattermost, MarineTraffic, Torpedo and Wynn Las Vegas.

As for the Blendo acquisition, it’s worth noting that the company only raised a small amount of money in its seed round. The two companies did not disclose the price of the acquisition.

“With Blendo, I had the opportunity to be part of a great team that executed on the vision of turning any company into a data-driven organization,” said Blendo founder Kostas Pardalis, who has joined RudderStack as head of Growth. “We’ve combined the talented Blendo and RudderStack teams together with the technology that both companies have created, at a time when the customer data market is ripe for the next wave of innovation. I’m excited to help drive RudderStack forward.”

Mitra tells me that RudderStack acquired Blendo instead of building its own version of this technology because “it is not a trivial technology to build — cloud sources are really complicated and have weird schemas and API challenges and it would have taken us a lot of time to figure it out. There are independent large companies doing the ETL piece.”

Verizon CEO Hans Vestberg shares his COVID-19 strategy and tactics

This week, Verizon Communications CEO Hans Vestberg joined us for an episode of Extra Crunch Live.

Vestberg is leading the company through the midst of one of its biggest rollouts to date with the push into 5G connectivity. In our discussion, he spoke about how he’s managing the organization during this global crisis, his thoughts on work from home and acquisition strategy, and the ways in which 5G will change the way we work and live.

(Disclosure: Verizon Communications is TechCrunch’s parent company.)



His initial reaction to news of the lockdown

We’re a large company with 135,000 employees in 70 different countries around the globe. So, of course, we had an early warning when it started actually in Asia. We have employees in Asia, so we got the feeling that this could be really serious. It was early in the first week of February, we moved to the highest emergency or crisis level in the company. That means that we go to a certain crisis mode on how we organized and how we galvanized the company.

That’s usually put into place every time there is a big national disaster because you need to split between people taking care of the crisis and people taking care of running the business. So we were very early on with that. In the beginning of February, we started the emergency crisis operations center that was taking care of employee questions and prioritization of important things. At the same time, we continued to run the business. That was the first thing we did very early on.


The other thing we did very early on is that we understood that this was something unprecedented. I mean, you have been in crises before. I mean, I’ve been in the telecom crisis, and we’ve been in the banking crisis when everything just went boom. This is something totally different. You cannot use any of your historical experience when it comes to this pandemic, which actually impacts each and every one of us when it comes to health. So I was honest, and thought that there were going to be a lot of questions. We decided very early on to run our noon live webcast to our employees. We are on our… I think it’s the 11th week, where at noon every day, we run the webcast for all our employees. That was two of the first things we did.

We didn’t think we were going to run for 11 weeks on the new live webcast, but we have done it because we see there’s a very good tool to communicate with all our employees.

Wasabi announces $30M Series B as cloud storage business continues to grow

We may be in the thick of a pandemic with all of the economic fallout that comes from that, but certain aspects of technology don’t change no matter the external factors. Storage is one of them. In fact, we are generating more digital stuff than ever, and Wasabi, a Boston-based startup that has figured out a way to drive down the cost of cloud storage is benefiting from that.

Today it announced a $30 million Series B led by Forestay Capital, the technology innovation arm of Waypoint Capital, with help from previous investors. As with the previous round, Wasabi is going with family office investors rather than traditional venture capital firms. Today’s round brings the total raised to $110 million, according to the company.

While founder and CEO David Friend wouldn’t discuss the specific valuation, he did say it was in the hundreds of millions of dollars.

Friend says the company needs the funds to keep up with the rapid growth. “We’ve got about 15,000 customers today, hundreds of petabytes of storage, 2500 channel partners, 250 technology partners — so we’ve been busy,” he said.

He says that revenue continues to grow in spite of the impact of COVID-19 on other parts of the economy. “Revenue grew 5x last year. It’ll probably grow 3.5x this year. We haven’t seen any real slowdown from the Coronavirus. Quarter over quarter growth will be in excess of 40% — this quarter over Q1 — so it’s just continuing on a torrid pace,” he said.

The challenge for a company like Wasabi, which is looking to capture a large chunk of the growing cloud storage market is the infrastructure piece. It needs to keep building more to meet increasing demand, while keeping costs down, which remains its primary value proposition with customers.

The money will be used mostly to continue to expand its growing infrastructure requirements. The more they store, the more data centers they need and that takes money. It will also help the company expand into new markets where countries have data sovereignty laws that require data to be stored in-country.

The company launched in 2015. It previously raised $68 million in 2018.

Note: This article originally stated this was a debt financing round. The company has clarified that it is an equity round.

7 Common Ways Ransomware Can Infect Your Organization

Understanding how ransomware infects a device and spreads across a network is crucial to ensuring that your organization does not become the next victim of an attack. As recent trends have shown, the danger of losing access to your data, devices and services is compounded by threat actors that are now exfiltrating data and threatening to leak it on public sites if victims don’t pay up. Ransomware operators have become wise to the threat to their business model from their own success: increased public attention to the ransomware threat has pushed (at least some) businesses to invest in backup and recovery. But those measures are no help when the perpetrators are holding your most sensitive customer and corporate data over your head.

Post infection, ransomware can spread to other machines or encrypt shared file servers on the organization’s network. In some cases, it can spread across organizational boundaries to infect supply chains, customers and other organizations, and indeed, some malware campaigns have specifically targeted MSPs. The real answer to ransomware lies in prevention rather than cure. So just how does this devastating malware commonly infect devices?

1. Breaches Through Phishing & Social Engineering

Still the most common method for hackers to initially infect an endpoint with ransomware is through phishing emails. Increasingly targeted, personalised and specific information is used to craft emails to gain trust and trick potential victims into opening attachments or clicking on links to download malicious PDF and other document files. These can look indistinguishable from normal files, and attackers may take advantage of the default Windows setting that hides the extension of known file types. For example, an attachment may appear to be called ‘filename.pdf’, but revealing the full name shows it to be an executable, ‘filename.pdf.exe’.

Files can take the form of standard formats like MS Office attachments, PDF files or JavaScript. Clicking on these files or enabling macros allows the file to execute, starting the process of encrypting data on the victim’s machine.
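The ‘filename.pdf.exe’ trick above is one of several ways a name can lie about what a file is; a right-to-left override character in the name is another, and a macro-enabled Office document is dangerous even when its extension is honest. As an added example (not SentinelOne code), here is a gateway-side check that reports an attachment’s real extension and what the user will see. The extension sets are assumptions chosen for illustration, and the RLO rendering is a simplification of how Explorer displays such names.

```python
"""Reveal an attachment's real extension despite Windows display tricks.

Added example, not SentinelOne code. The extension sets below are
assumptions for illustration; displayed_name() is a simplification of how a
right-to-left override (RLO) renders, accurate for the ASCII tails seen here.
"""
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "wsh", "hta", "msi", "ps1", "lnk", "cpl"}
# Extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
              "jpg", "jpeg", "png", "zip"}
# Macro-enabled formats; legacy .doc/.xls/.ppt can carry macros too.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm", "doc", "xls", "ppt"}


def displayed_name(name):
    """Approximate what Explorer shows with extensions visible:
    everything after an RLO character is rendered reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def assess_attachment(name):
    """Return the real extension, the displayed name and a list of findings."""
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    findings = []

    if any(unicodedata.bidirectional(ch) in ("RLO", "LRO") for ch in name):
        findings.append("bidi override character in name")

    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{real_ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append(
                f"double extension masquerading as .{parts[-2]} "
                f"(shown as {name[:-(len(real_ext) + 1)]!r} when known extensions are hidden)"
            )
    elif real_ext in MACRO_EXTS:
        findings.append(f"macro-capable document .{real_ext}")

    shown = displayed_name(name)
    if shown != name:
        findings.append(f"displayed as {shown!r}")

    return {"real_extension": real_ext, "displayed_name": shown, "findings": findings}


if __name__ == "__main__":
    for sample in ("invoice.pdf.exe", "photo\u202egnp.scr", "quote.xlsm", "report.docx"):
        print(repr(sample), assess_attachment(sample))
```

The name check is cheap, but it is only a first filter: the file’s actual content type (magic bytes, Office container structure) should be inspected as well, because a file called ‘report.docx’ can still be a renamed executable or a macro-laden document.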

2. Infection via Compromised Websites

Not all ransomware attacks have to be packaged in a maliciously-crafted email. Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps one they frequent often. The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, plugin, or media player.

Web redirections like this are particularly difficult for users to spot without digging into the code underneath every site they visit.

If the site has been primed to deliver ransomware, the malware could be either activated directly or more commonly run an installer that downloads and drops the ransomware.

3. Malvertising & Breaching The Browser

If a user has an unpatched vulnerability in their browser, a malvertising attack can occur. Using ordinary advertisements on legitimate websites, cybercriminals can insert malicious code that downloads the ransomware as soon as the advertisement is displayed. While this is a less common ransomware vector, it still poses a danger since it doesn’t require the victim to take any overt action such as downloading a file and enabling macros.

4. Exploit Kits That Deliver Custom Malware

Angler, Neutrino, and Nuclear are exploit kits that have been widely used in ransomware attacks. These frameworks are a type of malicious toolkit with pre-written exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Microsoft Internet Explorer and Microsoft Silverlight are also common targets. Ransomware like Locky and CryptoWall have been delivered through exploit kits on booby-trapped sites and through malvertising campaigns.


5. Infected Files and Application Downloads

Any file or application that can be downloaded can also be used to deliver ransomware. Cracked software on illegal file-sharing sites is ripe for compromise, and such software is as often as not laden with malware; recent MBRLocker cases, for example, took this route. Hackers can also compromise legitimate websites to deliver an infected executable. All it takes is for the victim to download and run the file or application, and the ransomware executes.

6. Messaging Applications As Infection Vectors

Through messaging apps like WhatsApp and Facebook Messenger, ransomware can be disguised as a scalable vector graphics (SVG) image, a file type that slips past filters keyed to the usual executable extensions. Since SVG is XML, it can carry scripts and links as well as drawing instructions. Once opened, the booby-trapped image directs the victim to a seemingly legitimate site, where they are prompted to accept an install; if they do, the payload runs and the lure is sent on to the victim’s contacts to spread further.
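Because the SVG lure described above gets past extension-based filters, the defence has to look inside the file. As an added example (not SentinelOne code), here is a content inspector that flags script elements, event-handler attributes and outbound links in an SVG, which is what the lure needs in order to redirect the victim. The SVG samples are constructed, and the list of dangerous constructs is an illustrative assumption rather than an exhaustive one.

```python
"""Inspect an SVG for active content before a chat or mail gateway lets it through.

Added example, not SentinelOne code. The samples are constructed and the
list of dangerous constructs is an assumption, not an exhaustive one.
"""
import xml.etree.ElementTree as ET

# Elements that execute or can rewrite attributes (set/animate can change href).
ACTIVE_ELEMENTS = {"script", "foreignObject", "set", "animate"}
# href values that leave the image: remote fetches, script URLs, inline payloads.
EXTERNAL_SCHEMES = ("http:", "https:", "javascript:", "data:", "file:", "ftp:")


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def inspect_svg(data):
    """Return a list of findings; an empty list means nothing active was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles both href and xlink:href
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(EXTERNAL_SCHEMES):
                findings.append(f"external reference on <{tag}>: {value.strip()}")
    return findings


# Constructed samples: a harmless icon and a lure of the kind described above.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://example.invalid/update"><text x="10" y="20">Play video</text></a>
  <script>window.location = "https://example.invalid/update";</script>
  <rect width="1" height="1" onload="location.href='https://example.invalid/update'"/>
</svg>"""


if __name__ == "__main__":
    print("benign:", inspect_svg(BENIGN_SVG))
    print("lure:", inspect_svg(LURE_SVG))
```

In production, parse with the defusedxml package rather than the standard library parser, so that a hostile file cannot also use entity expansion against the gateway itself. A gateway that rewrites rather than blocks can strip the flagged elements and attributes and pass the remaining drawing through.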

7. Brute Force Through RDP

The operators behind ransomware such as SamSam compromise endpoints directly by brute-forcing Internet-facing Remote Desktop Protocol (RDP) servers. RDP enables IT admins to access and control a user’s device remotely, but the same access is just as useful to an attacker who can guess the password.

Attackers find exposed machines with search engines like Shodan and port scanners like Nmap (or its Zenmap GUI), looking for hosts listening on TCP port 3389. Once targets are identified, they guess the password of an administrative account with open source password-guessing tools such as Hydra or Crowbar; default or weak credentials and the absence of an account-lockout policy make this quick. Offline crackers such as John the Ripper come into play later, against password hashes dumped from a machine that has already been compromised. Once logged on as a trusted admin, attackers have full command of the machine and can drop ransomware and encrypt data. They may also disable endpoint protection, delete backups and volume shadow copies to increase the likelihood of payment, or pivot to other hosts. The defenses are equally well known: keep RDP off the Internet (behind a VPN or an RDP gateway), require Network Level Authentication and multi-factor authentication, enforce account lockout, and alert on bursts of failed logons (Windows Event ID 4625) from a single source, especially when a successful logon (4624) from that same source follows.
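The detection described above, as an added example rather than code from the original article or from any product it mentions: a sliding-window detector run over constructed, simplified Security-log records. It flags any source address with a burst of failed RDP-type logons, records which accounts were tried (one account hammered versus a spray across many), and marks the case where a successful logon from the same source follows the burst, which is the event an incident responder most needs to see. The log line format is an assumption made for the example; real 4624/4625 events would be read from the Security channel and carry the same fields.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not real captures). The fields mirror the
# event data of 4624 (success) and 4625 (failure): logon type, target account, source address.
SAMPLE_EVENTS = """\
2020-05-20T02:14:01Z EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.45
2020-05-20T02:14:03Z EventID=4625 LogonType=3 Account=admin SourceIP=203.0.113.45
2020-05-20T02:14:05Z EventID=4625 LogonType=3 Account=backup SourceIP=203.0.113.45
2020-05-20T02:14:08Z EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.45
2020-05-20T02:14:10Z EventID=4625 LogonType=3 Account=scanner SourceIP=203.0.113.45
2020-05-20T02:14:13Z EventID=4625 LogonType=3 Account=administrator SourceIP=203.0.113.45
2020-05-20T02:15:40Z EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.45
2020-05-20T02:20:11Z EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.7
2020-05-20T02:20:30Z EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.7
2020-05-20T02:20:45Z EventID=4624 LogonType=10 Account=jsmith SourceIP=198.51.100.7
2020-05-20T03:02:19Z EventID=4624 LogonType=2 Account=svc_backup SourceIP=-
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

# Logon type 10 is RemoteInteractive, i.e. an actual RDP session. With Network Level
# Authentication enabled a failed RDP logon is rejected during CredSSP and is logged as
# type 3 (Network) instead, so a rule keyed on type 10 alone misses the brute-force phase.
RDP_LOGON_TYPES = {"10", "3"}


def parse_events(lines):
    """Yield parsed records in file order, skipping lines that do not match the format."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "eid": m["eid"],
                "lt": m["lt"],
                "acct": m["acct"].lower(),
                "ip": m["ip"],
            }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` failed RDP-type logons inside a sliding window.

    Returns {source_ip: {"failures": total failures from that source,
                         "accounts": distinct accounts it tried,
                         "succeeded_as": account of a later 4624 from it, or None}}.
    """
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    failures = Counter()           # ip -> total failures seen from that source
    accounts = defaultdict(set)    # ip -> accounts tried (single target vs. password spray)
    alerts = {}
    for ev in parse_events(lines):
        if ev["lt"] not in RDP_LOGON_TYPES:
            continue                      # console/service logons are out of scope here
        ip = ev["ip"]
        if ev["eid"] == "4625":
            failures[ip] += 1
            accounts[ip].add(ev["acct"])
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()               # drop failures that have aged out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "accounts": set(), "succeeded_as": None})
                alert["failures"] = failures[ip]
                alert["accounts"] = set(accounts[ip])
        elif ev["eid"] == "4624" and ip in alerts:
            # Success after a burst of failures: the guess landed. Escalate this one.
            alerts[ip]["succeeded_as"] = ev["acct"]
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()).items():
        print(ip, info)
```

On the constructed data, 203.0.113.45 is flagged after its fifth failure in twelve seconds, and the later type-10 success as "administrator" from the same address is attached to the alert; 198.51.100.7, a user who mistyped a password twice, stays below the threshold. The threshold and window are tuning knobs: a slow, low-rate guess spread over hours evades a five-minute window, which is one more reason the real fix is to not expose RDP at all.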

Conclusion

Ransomware continues to evolve, with ransomware-as-a-service now growing in popularity. Malware authors sell or lease custom-built ransomware to other criminals in exchange for a percentage of the profit; the affiliate who buys the service decides on the targets and the delivery methods. This division of labor and risk is leading to increasingly targeted malware, innovation in delivery methods and ultimately a higher frequency of ransomware attacks.

Along with the threat of extortion through data leakage, these recent trends make it vital for organizations to invest in securing endpoints and networks and in preventing breaches in the first place, through AI-powered behavioral detection engines that rely neither on file reputation nor on cloud connectivity. If you would like to see how SentinelOne can help protect your business from ransomware and other threats, contact us today or request a free demo.



Extra Crunch Live: Join Verizon CEO Hans Vestberg for a live Q&A right now

As the leader of a publicly traded corporation with 135,000 employees, Verizon Communications CEO Hans Vestberg has a unique perspective on the state of the world.

When he appears today on Extra Crunch Live, our virtual speaker series for Extra Crunch members, we’ll ask him about this extraordinary moment in history and his plans for seeing the company through a black swan event that’s reshaping the global economy.

The discussion starts at 2 p.m. EDT/11 a.m. PDT/9 p.m. GMT. You can find the full details below.

Vestberg served as president and CEO at Ericsson for six years and joined Verizon as its CTO and president of Global Networks in 2017 before stepping into the CEO role a little more than a year later. (Disclosure: TechCrunch is owned by Verizon).

We’ll talk to Vestberg about his tactics for managing a company at scale through a crisis and will check in on the company’s 5G rollout, a platform inflection point that should change the landscape for founders and entrepreneurs. Verizon recently acquired BlueJeans, which competes directly with Zoom and WebEx, so we’ll also ask Vestberg about the company’s forward-looking investment strategy.

Extra Crunch members are encouraged to ask their own questions during the Zoom call, so please come prepared. If you’re not already a member, sign up on the cheap right here.

You can also check out the full Extra Crunch Live schedule here.

See you soon!

Baton raises $10M Series A to organize post-sale implementation

Baton, an early-stage startup that wants to help customers organize the post-sales implementation process, emerged from stealth today with a $10 million Series A investment.

Activant Capital led the round, with help from Global Founders Capital and Hybris founder Carsten Thoma.

Like so many startups, the idea for Baton stemmed from a pain point that founder and CEO Alex Krug experienced first hand. He was an executive at Behance, which was later sold to Adobe, and he saw that there were tools to organize your customers and get you through the sale, but there was something distinctly lacking when it came to implementation post-sale.

Krug said that most companies hacked together a solution consisting of general project management tools, spreadsheets and email, but what was missing was a dedicated platform to help with this part of the process. He put his team to work to build it.

“We reconfigured a lot of the team that I worked with at Behance and Adobe and really started to build a platform around optimizing the implementation, what happens in between your presale and post-sale and how customers get on boarded through a platform,” Krug told TechCrunch.

He says where project management tends to be internally focused, Baton is designed to bring all the parties — from vendor to client to systems integrator — together in one tool, so everyone knows their responsibilities and targets.

While Krug understands that this may not be an optimal time to launch a startup out of stealth, in the middle of a pandemic and corresponding economic crisis, he still sees a real need for a tool like Baton.

“This era of top line growth is gone. Efficient growth is here to stay and Baton really optimizes processes and standardizes a toolset that allows you to grow efficiently from your fifth customer to your thousandth customer, whereas previous iterations of implementation have been these static spreadsheets and chasing people for manual updates.”

He believes his company is offering a reasonable alternative to that, as does his lead investor Peter McCoy at Activant Capital. “The best SaaS companies are built off of product-led growth, that can be network effects, novel go-to-market strategies or some other distribution advantage. The problem I kept seeing was even companies that had one or a couple of these attributes created operational debt, when they bloated up their services teams to keep up with top line growth. The need for a platform like Baton was super clear to me,” McCoy said in a statement.

Beginning today, the company will set forth on its startup journey as it attempts to carve out a market in difficult times, and help customers with this crucial part of the selling cycle.

Kentik raises $23.5M for its network intelligence platform

Kentik, the company once known as CloudHelix, today announced that it has raised a $23.5 million growth funding round led by Vistara Capital Partners, with existing investors August Capital, Third Point Ventures, DCVC, and Tahoma Ventures also participating. With this round, Kentik has now raised a total of $61.7 million.

The company’s platform allows enterprises to monitor their networks, no matter whether that’s over the Internet, inside their own data centers or in public clouds.

“The world has become even more internet-centric, and we are seeing growth in traffic levels, product engagement, and revenue across both our enterprise and service provider customers,” said Avi Freedman, the co-founder and CEO of Kentik when I asked him why he was raising a round now. “We’ve seen an increased pace of adoption of the kind of hybrid and internet-centric architectures that Kentik is built for and thought it was a great time to increase investment, especially in product, as well as go-to-market and partner expansion to support market demand.”

Freedman says the company has been growing 100% compounded year-over-year since it launched in 2015 and now has customers in 25 countries. These include leading enterprises, SaaS companies, content providers, gaming companies, and cloud and communication service providers, he tells me. Current customers include the likes of IBM, Zoom, Dropbox, eBay, Cisco and GoDaddy.

The company says it will use the new funding to invest in its product and for go-to-market investments.

One notable fact about this new round is that it is a combination of equity and growth debt. Why growth debt? “Growth debt is an attractive option for startups with the right scale and strong unit economics, especially with the changes to capital markets in response to current economic conditions,” said Freedman. “Another element that makes long-term debt attractive is that unlike equity financing, long-term debt limits dilution for everyone, but especially benefits our employees who hold common stock.” That, it’s worth noting, is also something that lead investor Vistara Capital has made one of the core tenets of its investment philosophy. “Since Kentik is now at a scale where we have enough data on the business fundamentals to be able to make growth investments using debt while still being able to repay it over time, it made sense to us and our investors,” noted Freedman.

Toro snags $4M seed investment to monitor data quality

Toro’s founders started at Uber helping monitor the data quality in the company’s vast data catalogs, and they wanted to put that experience to work for a more general audience. Today, the company announced a $4 million seed round.

The round was co-led by Costanoa Ventures and Point72 Ventures with help from a number of individual investors.

Company co-founder and CEO Kyle Kirwin says the startup wanted to bring the kind of automated monitoring we have in applications performance monitoring products to data. Instead of getting an alert when the application is performing poorly, you would get an alert that there is an issue with the data.

“We’re building a monitoring platform that helps data teams find problems in their data content before that gets into dashboards and machine learning models and other places where problems in the data could cause a lot of damage,” Kirwin told TechCrunch.

When it comes to data, there are specific kinds of issues a product like Toro would be looking at. It might be a figure that falls outside of a specific dollar range that could be indicative of fraud, or it could be simply a mistake in how the data was labeled that is different from previous ways that could break a model.

The founders learned the lessons they use to build Toro while working on the data team at Uber. They had helped build tools there to find these kinds of problems, but in a way that was highly specific to Uber. When they started Toro, they needed to build a more general purpose tool.

The product works by understanding what it’s looking at in terms of data, and what the normal thresholds are for a particular type of data. Anything that falls outside of the threshold for a particular data point would trigger an alert, and the data team would need to go to work to fix the problem.

Casey Aylward, vice president at Costanoa Ventures, likes the pedigree of this team and the problem it’s trying to solve. “Despite its importance, data quality has remained a challenge for many enterprise companies,” he said in a statement. He added, “[The co-founders’] deep experience building several of Uber’s internal data tools makes them uniquely qualified to build the best solution.”

The company has been at this for just over a year and has been keeping it lean with 4 employees including the two co-founders, but it does have plans to add a couple of data scientists in the coming year as it continues to build out the product.