Seed investors take long view on promising enterprise startups

The job of an early-stage startup founder is challenging in good times, never mind a crash like the one we are experiencing today.

While most expect private investing to slow down, it’s clear that some investments are still happening in spite of the pandemic, if the stories we are writing on TechCrunch are any indication.

But the downturn is bound to have an impact on the types of deals that receive funding; any startup that offers a good or service requiring human interaction or installation will face an uphill battle, at least in the short term. That said, enterprise SaaS vendors, especially ones that solve hard problems, help with work-from-home or collaboration, or better yet, help increase efficiency and save money, are still very much in demand.

Nobody can do anything about the CIO who is hunkering down until things improve — but that’s not everyone. Companies might be thinking twice about where they spend money, but some are still helping drive the net-new, post-COVID-19 investments happening from seed to late stage across many sectors.

We looked at data and spoke to a couple of enterprise-focused, NYC-based seed investors to better understand their investing cadence. Nobody painted a rosy picture of today’s climate, but seed investors were never about immediate gratification, especially where enterprise startups are concerned. That means, if a seed-stage investor believes in the founders and their vision and the company can ride out today’s economic upset, there’s still money in the till — at least for now.

Seed investment generally in decline

Factorial raises $16M to take on the HR world with a platform for SMBs

A startup that’s hoping to be a contender in the very large and fragmented market of human resources software has captured the eye of a big investor out of the US and become its first investment in Spain.

Barcelona-based Factorial, which is building an all-in-one HR automation platform aimed at small and medium businesses that manages payroll, employee onboarding, time off and other human resource functions, has raised €15 million ($16 million) in a Series A round of funding led by CRV, with participation also from existing investors Creandum, Point Nine and K Fund.

The money comes on the heels of Factorial — which has customers in 40 countries — seeing eightfold growth in revenues in 2019, with more than 60,000 customers now using its tools.

Jordi Romero, the CEO who co-founded the company with Pau Ramon (CTO) and Bernat Farrero (head of corporate), said in an interview that the investment will be used both to expand to new markets and add more customers, as well as to double down on tech development to bring on more features. These will include RPA integrations to further automate services, and to move into more back-office product areas such as handling expenses,

Factorial has now raised $18 million and is not disclosing its valuation, he added.

The funding is notable on a couple of levels that speak not just to the wider investing climate but also to the specific area of human resources.

In addition to being CRV’s first deal in Spain, the investment is being made at a time when the whole VC model is under a lot of pressure because of the global coronavirus pandemic — not least in Spain, which has a decent, fledgling technology scene but has been one of the hardest-hit countries in the world when it comes to COVID-19.

“It made the closing of the funding very, very stressful,” Romero said from Barcelona last week (via video conference). “We had a gentleman’s agreement [so to speak] before the virus broke out, but the money was still to be wired. Seeing the world collapse around you, with some accounts closing, and with the bigger business world in a very fragile state, was very nerve wracking.”

Ironically, it’s that fragile state that proved to be a saviour of sorts for Factorial.

“We target HR leaders and they are currently very distracted with furloughs and layoffs right now, so we turned around and focused on how we could provide the best value to them,” Romero said.

The company made its product free to use until lockdowns are eased up, and Factorial has found a new interest from businesses that had never used cloud-based services before but needed to get something quickly up and running to use while working from home. He noted that among new companies signing up to Factorial, most either previously kept all their records in local files or at best a “Dropbox folder, but nothing else.”

The company also put in place more materials and other tools specifically to address the most pressing needs those HR people might have right now, such as guidance on how to implement furloughs and layoffs, best practices for communication policies and more. “We had to get creative,” Romero said.

At $16 million, this is at the larger end of Series A rounds as of January 2020, and while it’s definitely not as big as some of the outsized deals we’ve seen out of the US, it happens to be the biggest funding round so far this year in Spain.

Its rise feels unlikely for another reason, too: it comes at a time when we already have dozens (maybe even hundreds) of human resources software businesses, with many an established name — they include PeopleHR, Workday, Infor, ADP, Zenefits, Gusto, IBM, Oracle, SAP, Rippling, and many others — in a market that analysts project will be worth $38.17 billion by 2027 growing at a CAGR of over 11%.

But as is often the case in tech, status quo breeds disruption, and that’s the case here. Factorial’s approach has been to build HR tools specifically for people who are not HR professionals per se: companies that are small enough not to have specialists, or if they do, they share a lot of the tasks and work with other managers who are not in HR first and foremost.

It’s a formula that Romero said could potentially see the company taking on bigger customers, but for now, investors like it for having built a platform approach for the huge but often under-served SME market.

“Factorial was built for the users, designed for the modern web and workplace,” said Reid Christian, General Partner at CRV, in a statement. “Historically the HR software market has been one of the most lucrative categories for enterprise tech companies, and today, the HR stack looks much different. As we enter the third generation of cloud HR products, with countless point solutions, there’s a strong need for an underlying platform to integrate work across these.”

The Good, the Bad and the Ugly in Cybersecurity – Week 17

The Good

User education is possibly one of the most powerful tools in the world of breach prevention or attack evasion, particularly when it comes to phishing attempts and the like. The more confident and aware users are in regard to their cyber hygiene, the better off they are, generally speaking. This week GCHQ and The National Cyber Security Centre (NCSC) joined forces and established a new user-awareness campaign dubbed ‘SERS’, the Suspicious Email Reporting Service. This is part of a broader ‘Cyber Aware’ campaign to arm the public with better email security guidance in the light of a rapid increase in scams since the Coronavirus outbreak. The new service, a joint effort with the City of London Police, enables the public to directly submit suspicious and potentially malicious emails to report@phishing.gov.uk. When users submit messages to SERS, various aspects of the message are interrogated and validated. Domains and hosts of the sender, for example, are tested for validity, and any sites found to be phishing scams will be removed immediately. In one day of operation, over 5000 reports were sent in and 83 online phishing campaigns were shut down as a result. Nice work!

On another positive note this week, the results for the latest round of MITRE ATT&CK evaluation were released. MITRE’s focus for Round 2 was “APT29” and the tactics, techniques and procedures relevant to this notorious Russian-backed threat actor. This year we are proud to highlight SentinelOne’s leading results for the round. SentinelOne achieved the lowest number of overall missed detections, as well as reaching the highest number of combined high-quality detections with the highest levels of correlation. That being said, we applaud and congratulate all of the participants that tested alongside SentinelOne. We are all working together toward the greater good of a more secure world.

The Bad

Researchers claim to have found critical vulnerabilities within Apple’s Mail app on iOS this week. The remote code-execution vulnerability appears to have been present in the OS since 2012, iOS 6 being current at the time. It is reported that the flaw specifically affects iOS 6 through iOS 13.4.1. This flaw is especially critical due to the complete lack of user input required. Typical email-borne threats at least require the target to open the message, click a link, or open an attachment. In this case, Mail.app need only receive a maliciously crafted message to invoke the exploitable conditions. The flaw is due to a pair of heap-overflow and out-of-bounds write conditions that an attacker can trigger through the contents of the weaponized message.

The discovering party (ZecOps) also reports that they are aware of attackers attempting to exploit this vulnerability in the wild. However, Apple have contradicted that claim, stating that they “have found no evidence they were used against customers”. The issues have apparently already been addressed in a beta build of a forthcoming iOS update. Other email clients on the platform such as Chrome or Outlook are not affected and offer a potential workaround for concerned users in the meantime.

The Ugly

This week the Maze Crew (actors behind the Maze ransomware) set their sights on global MSP and consulting firm Cognizant. APT groups and highly-sophisticated cybercrime operators alike have been targeting MSPs as they are considered high-value targets. MSPs (Managed Service Providers) typically manage and host massive amounts of network environments and users. Attackers focused on MSPs potentially have the ability to disrupt the operations of all entities under the MSP’s scope or control.

That aspect of the attack alone is cause for alarm. However, this being a Maze attack adds yet another possible consequence to the compromise. Maze, like many other malware families of late, also steals data from targeted environments. They increase impact by threatening to publicly release the data pilfered from their victims. Having to consider any modern ransomware attack as essentially a full-scale breach is a scenario that more and more enterprises are facing these days. Maze alone has publicly posted data belonging to approximately 100 of their victims. Other ransomware families like DoppelPaymer and Sodin / REvil are not far behind. More recently, families like Ragnar and Netphilim have been actively posting victim data and threats as well.

These attacks are currently on the rise, and the threat of leaking sensitive information is far from empty. Taking the time to understand your exposure, adjusting your security posture, and adopting necessary measures to mitigate risk is critical. Knowledge and powerful technological controls together go a long way to reduce our exposure to data-robbing cybercriminals.

Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Musk — began suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

A Mar. 31 message to affiliates working with the Union Pharm program, noting that supplies of Aralen had dried up due to the shipping closures in India.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, has conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

In an advisory released today, the U.S. Food and Drug Administration (FDA) cautioned against use of hydroxychloroquine or chloroquine for COVID-19 outside of the hospital setting or a clinical trial due to risk of heart rhythm problems.

Miro lands $50M Series B for digital whiteboard as demand surges

Miro is a company in the right place at the right time. The makers of a digital whiteboard are seeing usage surge right now as businesses move from the workplace and physical whiteboards. Today, the company announced a hefty $50 million Series B.

Iconiq Capital led the round with help from Accel and a slew of individual investors. Today’s investment brings the total raised to around $75 million, according to the company. Among the company’s angel investors was basketball star Steph Curry.

What’s attracting this level of investment is that this is a product made for a moment when workers are forced to stay home. One of the primary complaints about working at home is the inability to sit in the same room with colleagues and brainstorm around a whiteboard. This reproduces that to an extent.

What’s more, Miro isn’t simply a lightweight add-in like you might find built into a collaboration tool like Zoom or Microsoft Teams; it’s more of a platform play designed to integrate with many different enterprise tools, much like Slack does for communications.

Miro co-founder and CEO Andrey Khusid said the company planned the platform idea from its earliest days. “The concept from day one was building something for real-time collaboration and the platform thing is very important because we expect that people will build on top of our product,” Khusid told TechCrunch.


That means that people can build integrations to other common tools and customize the base tool to meet the needs of an individual team or organization. It’s an approach that seems to be working as the company reports it’s profitable with more than 21,000 customers including 80% of the Fortune 100. Customers include Netflix, Salesforce, PwC, Spotify, Expedia and Deloitte.

Khusid says usage has been skyrocketing among both business and educational customers as the pandemic has forced millions of people to work at home. He says that has been a challenge for his engineering team to keep up with the demand, but one that the company has been able to meet to this point.

The startup just passed the 300 employee mark this week, and it will continue to hire with this new influx of money. Khusid expects to have another 150 employees before the end of the year to keep up with increasing demand for the product.

“We understand that we need to come out strong from this situation. The company is growing much faster than we expected, so we need to have a very strong team to maintain the growth at the same pace after the crisis ends.”

Stripe adds card issuing, localized card networks and expanded approvals tool

At a time when more transactions than ever are happening online, payments behemoth Stripe is announcing three new features to continue expanding its reach.

The company today announced that it will now offer card issuing services directly to businesses to let them in turn make credit cards for customers tailored to specific purposes. Alongside that, it’s going to expand the number of accepted local, large card networks to cut down some of the steps it takes to make transactions in international markets. And finally, it’s launching a “revenue optimization” feature that essentially will use Stripe’s AI algorithms to reassess and approve more flagged transactions that might have otherwise been rejected in the past.

Together the three features underscore how Stripe is continuing to scale up with more services around its core payment processing APIs, a significant step in the wake of last week announcing its biggest fundraise to date: $600 million at a $36 billion valuation.

The rollouts of the new products are specifically coming at a time when Stripe has seen a big boost in usage among some (but not all) of its customers, said John Collison, Stripe’s co-founder and president, in an interview. Instacart, which is providing grocery delivery at a time when many are living under stay-at-home orders, has seen transactions up by 300% in recent weeks. Another newer customer, Zoom, is also seeing business boom. Amazon, Stripe’s behemoth customer that Collison would not discuss in any specific terms except to confirm it’s a close partner, is also seeing extremely heavy usage.

But other Stripe users — for example, many of its sea of small business users — are seeing huge pressures, while still others, faced with no physical business, are just starting to approach e-commerce in earnest for the first time. Stripe’s idea is that the launches today can help it address all of these scenarios.

“What we’re seeing in the COVID-19 world is that the impact is not minor,” said Collison. “Online has always been steadily taking a share from offline, but now many [projected] years of that migration are happening in the space of a few weeks.”

Stripe is among those companies that have been very mum about when they might go public — a state of affairs that has only become more set in recent times, given how the IPO market has all but dried up in the midst of a health pandemic and economic slump. That has meant very little transparency about how Stripe is run, whether it’s profitable and how much revenue it makes.

But Stripe did note last week that it had some $2 billion in cash and cash reserves, which at least speaks to a level of financial stability. And another hint of efficiency might be gleaned from today’s product news.

While these three new services don’t necessarily sound like they are connected to each other, what they have underpinning them is that they are all building on top of tech and services that Stripe has previously rolled out. This speaks to how, even as the company now handles some 250 million API requests daily, it’s keeping some lean practices in place in terms of how it invests and maximises engineering and business development resources.

The card issuing service, for example, is built on a card service that Stripe launched last year. Originally aimed at businesses to provide their employees with credit cards — for example to better manage their own work-related expenses, or to make transactions on behalf of the business — the card issuing platform can now be used by businesses to build out aspects of their customer-facing services.

For example, Stripe noted that the first customer, Zipcar, will now be placing credit cards in each of its vehicles, which drivers can use to fuel up the vehicles (that is, the cards can only be used to buy gas). Another example Collison gave for how these could be implemented would be in a food delivery service, for example for a Postmates delivery person to use the card to pay for the meal that a customer has already paid Postmates to pick up and deliver to them.

Collison noted that while other startups like Marqeta have built big businesses around innovative card issuing services, “this is the first time it’s being issued on a self-serving basis,” meaning companies that want to use these cards can now set this up more quickly as a “programmatic card” experience, akin to self-serve, programmatic ads online.

It seems also to be good news for investors. “Stripe Issuing is a big step forward,” said Alex Rampell, general partner at Andreessen Horowitz, in a statement. “Not just for the millions of businesses running on Stripe, but for credit cards as a fundamental technology. Businesses can now use an API to create and issue cards exactly when and where they need them, and they can do it in a few clicks, not a few months. As investors, we’re excited by all the potential new companies and business models that will emerge as a result.”

Meanwhile, the revenue “optimization” engine that Stripe is rolling out is built on the same machine learning algorithms that it originally built for Radar, its fraud prevention tool that originally launched in 2016 and was extended to larger enterprises in 2018. This makes a lot of sense, since oftentimes the reason transactions get rejected is because of the suspicion of fraud. Why it’s taken four years to extend that to improve how transactions are approved or rejected is not entirely clear, but Stripe estimates that it could enable a further $2.5 billion in transactions annually.

One reason why the revenue optimization may have taken some time to roll out was because while Stripe offers a very seamless, simple API for users, it’s doing a lot of complex work behind the scenes knitting together a lot of very fragmented payment flows between card issuers, banks, businesses, customers and more in order to make transactions possible.

The third product announcement speaks to how Stripe is simplifying a bit more of that. Now, it’s able to provide direct links into six big card networks — Visa, Mastercard, American Express, Discover, JCB and China Union Pay — which effectively covers the major card networks in North and Latin America, Southeast Asia and Europe. Previously, Stripe would have had to work with third parties to integrate acceptance of all of these networks in different regions, which would have cut into Stripe’s own margins and also given it less flexibility in terms of how it could handle the transaction data.

Launching the revenue optimization by being able to apply machine learning to the transaction data is one example of where and how it might be able to apply more innovative processes from now on.

While Stripe is mainly focused today on how to serve its wider customer base and to just help business continue to keep running, Collison noted that the COVID-19 pandemic has had a measurable impact on Stripe beyond just boosts in business for some of its customers.

The whole company has been working remotely for weeks, including its development team, making for challenging times in building and rolling out services.

And Stripe, along with others, is also in the early stages of piloting how it will play a role in issuing small business loans as part of the CARES Act, he said.

In addition to that, he noted that there has been an emergence of more medical and telehealth services using Stripe for payments.

Before now, many of those use cases had been blocked by the banks, he said, for reasons of the industries themselves being strictly regulated in terms of what kind of data could get passed across networks and the sensitive nature of the businesses themselves. He said that a lot of that has started to get unblocked in the current climate, and “the growth of telemedicine has been off the charts.”

When in Doubt: Hang Up, Look Up, & Call Back

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.

It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.’”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”
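The weakness the investigator describes above is that a code texted to Mitch for one purpose (an identity check on an inbound call) was accepted by the bank for a different one (approving a $9,800 wire). The Python below is an added illustration, not the bank's system, whose internals the article does not describe: a one-time-code service that binds each code to an account, a purpose and a transaction context, expires it, burns it on first use, logs purpose mismatches for the fraud desk, and writes the purpose into the message text so the customer can see what the code actually authorises. The account name, amounts and event names are constructed to mirror the story.

```python
import secrets
import time


class OneTimeCodeService:
    """Issue short-lived codes bound to (account, purpose, context); single use."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for testing expiry
        self._pending = {}          # (account, code) -> record
        self.audit = []             # (event, account, purpose) for the fraud desk

    def issue(self, account, purpose, context=""):
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[(account, code)] = {
            "purpose": purpose,
            "context": context,
            "expires": self.clock() + self.ttl,
        }
        # The message names the purpose, so a caller cannot pass a wire-approval
        # code off as an "identity verification" code (or vice versa).
        message = (
            f"Your code is {code}. It is ONLY for: {purpose}"
            + (f" ({context})" if context else "")
            + ". Bank staff will never ask you to read this code aloud."
        )
        self.audit.append(("issued", account, purpose))
        return code, message

    def redeem(self, account, code, purpose, context=""):
        # Pop first: a code is consumed on its first presentation whatever the outcome.
        record = self._pending.pop((account, code), None)
        if record is None:
            self.audit.append(("unknown_code", account, purpose))
            return False
        if self.clock() > record["expires"]:
            self.audit.append(("expired", account, purpose))
            return False
        if (record["purpose"], record["context"]) != (purpose, context):
            # A code issued for one purpose presented for another is the relay
            # pattern from the article; burn it and flag the account.
            self.audit.append(("purpose_mismatch", account, purpose))
            return False
        self.audit.append(("redeemed", account, purpose))
        return True


def replay_scenario(clock=time.time):
    """Constructed re-run of the relay: identity-check code presented to approve a wire."""
    svc = OneTimeCodeService(clock=clock)
    wire = "9800.00 USD to external account"          # constructed context string
    code, _ = svc.issue("mitch", "verify_identity")   # what the real call would send
    relay_accepted = svc.redeem("mitch", code, "authorize_wire", wire)
    # The legitimate path: the wire gets its own code whose text states the amount.
    wire_code, wire_message = svc.issue("mitch", "authorize_wire", wire)
    wire_accepted = svc.redeem("mitch", wire_code, "authorize_wire", wire)
    reuse_accepted = svc.redeem("mitch", wire_code, "authorize_wire", wire)
    return {
        "relay_accepted": relay_accepted,
        "wire_accepted": wire_accepted,
        "reuse_accepted": reuse_accepted,
        "wire_message": wire_message,
        "events": [e[0] for e in svc.audit],
    }


if __name__ == "__main__":
    print(replay_scenario())
```

Purpose-binding addresses the read-back relay, not the delivery channel: a code sent by SMS is still only as strong as control of the phone number, which is why the "Why Phone Numbers Stink as Identity Proof" piece in the further reading below belongs next to this one.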

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit

Coverage and Context: The Key Measures of MITRE ATT&CK 2020

The Quick Read

MITRE has become the common language of EDR and is the de facto way to evaluate a product’s ability to provide actionable information to the SOC. MITRE ATT&CK’s use of APT29, the notorious threat actor behind the DNC breach, shows us that many of today’s EDR tools fail to cope with advanced techniques. CISOs should carefully evaluate which technologies capture the most information and provide context at each stage in MITRE’s simulation. In this post, we discuss SentinelOne’s performance in MITRE’s ATT&CK Round 2 with the following takeaways.

  • SentinelOne had the lowest number of missed detections. SentinelOne has proved it provides the widest coverage of the MITRE ATT&CK framework – an EDR is primarily measured by its ability to see, analyze, and react – SentinelOne saw more, and provided more insight and context than any other vendor.
  • SentinelOne achieved the highest number of combined high-quality detections and the highest number of correlated detections. SentinelOne delivered the highest number of actionable detections – MITRE has identified the successful attribution of activity to their tactics (good) and their techniques (best) as a significant measure of an EDR’s value and ROI. SentinelOne delivered better MITRE attribution than any other vendor.
  • SentinelOne automatically grouped hundreds of data points over the 3-day test into 11 correlated console alerts. SentinelOne automatically correlates related activity into unified alerts that provide Campaign Level Insight. This reduces the amount of manual effort needed, helps with alert fatigue and significantly lowers the skillset barrier of responding to alerts. SentinelOne aggregates the same amount of visibility into a fraction of the alerts.
  • Human-powered MSSP scores must not be a crutch for failures in a software’s ability to detect. SentinelOne had the highest number of product-only detections and – in parallel – the highest number of human-only “MSSP” detections. Having the top scores in both is a good thing and means that the technology itself is robust and can stand alone without a Managed Detection & Response (MDR) service; for SentinelOne, the world-class Vigilance MDR service is optional – providing verification and actioning should customers desire or require such a service.

Great products will catch the eye of CISOs and SecOps professionals if they provide the ability to do more with less, if they make work easier and more interesting for analysts, and if they can be operationalized without adversely affecting the production environment.

Now Read The Full Story…

The latest MITRE ATT&CK results were released Tuesday, April 21, 2020 and, as expected, interpreting them is an exercise in itself. Consulting MITRE testing is one component an organization can employ to help evaluate cyberthreat preparedness – specifically, how well cybersecurity solutions perform in the face of adversaries.

SentinelOne’s April 20, 2020 blog delves into the rationale and methodology behind MITRE testing and is a helpful compendium for understanding MITRE ATT&CK. It is important to understand that this MITRE test does not test everything in the MITRE framework, but instead focuses on two specific attack flows over three days in a lab. All told there were 135 substeps. 

High-level Remarks

We caution you out of the gate to not believe all of the claims you will read in relation to this test – question everything and check the data. What you can expect from SentinelOne is that we will present the data and be as helpful as we can to enable you to help yourself to interpret what it all means. We will also articulate our value claims and design principles. Thus by intersecting these two realms, we will provide fertile ground upon which you may draw your own conclusions.

1. Seeing Is Believing: Coverage is Table Stakes

The foundation of a superior EDR solution lies in its ability to consume and correlate data at scale in an economic way harnessing the power of the cloud. Every piece of pertinent data should be captured to provide breadth of visibility for the operator. Data, specifically capturing all events, is the building block of EDR.

As the graphs below show, SentinelOne had the fewest misses of all the participants in Round 2. 

2. Context is the Key to Operationalizing Data

We believe that our MITRE results clearly support the SentinelOne platform’s effectiveness in not only identifying and stopping malicious code early and often but also illustrating the extent to which SentinelOne goes in solving the data overload problem. In the MITRE evaluation, “Techniques” and “Tactics” are the key measures of data precision. 

1. Technique: this is the epitome of relevant and actionable data – fully contextualized data points that tell a story, indicating what happened, why it happened, and crucially, how it happened. 

2. Tactic: this is the next level down in the hierarchy, representing categories of techniques that tell us the actor’s steps in achieving their ultimate goals (persistence, data egress, evasions, etc). In short, the ‘what’ and the ‘why’.

These two detection classifications are the core of the MITRE framework and are of the highest value in creating context. According to MITRE’s published results, out of all participants in the Round 2 evaluation, SentinelOne recorded the highest number of “Techniques” and “Tactics” awards. 

To paraphrase Paul Webber, Gartner Endpoint Protection analyst, today’s security products must turn weak signals into strong detections. This is exactly what SentinelOne does as proven by MITRE’s ATT&CK evaluation. SentinelOne as a standalone product is effective in identifying and placing actionable context in the attack. 

As we explained in our MITRE primer post on Monday, correlation is one of the detection modifiers applied to Technique and Tactic detections. Correlation represents the act of building relationships between data, completed at machine speed, so an analyst doesn’t have to manually stitch data together and waste precious time. SentinelOne had the most correlation modifiers in the MITRE ATT&CK Round 2:

Defenders are past the stage where more data is good. Instead, they need context from related data. We believe that the ideal state for a SOC is articulated stories that have all data pre-indexed and assigned to actionable storyline alerts. The entire MITRE ATT&CK Round 2 testing battery is captured in the SentinelOne console with just 11 alerts. 

Our customers don’t want 3,000 pieces of a Do-It-Yourself telemetry jigsaw puzzle, and they don’t want 135 uncontextualized alerts for every attack. What they want is the jigsaw puzzle ready-assembled into a tidy package that makes it easy for analysts to discern what is happening at first glance. 

Our data ingestion capabilities capture data that, coupled with our patented AI engines, assembles storylines with vivid pictures and rich context to apply autonomous actions at machine speed.
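To make the two measures discussed in this section concrete (how much context a detection carries, and whether related detections are stitched into one alert), here is an added Python sketch; it is not SentinelOne's or MITRE's code, and the substep list, process table and detections are constructed. The technique IDs are real ATT&CK identifiers, but the substep numbering and the four-level scoring scale are a hypothetical simplification of the evaluation's own categories. It scores each substep at the best level any detection reached (or as a miss) and then groups detections into one alert per process-tree root, which is the "storyline" idea in its simplest form.

```python
from collections import defaultdict

# Detection levels in ascending order of context (hypothetical simplification
# of the evaluation's categories, not MITRE's official scoring).
LEVELS = ("telemetry", "general", "tactic", "technique")

# Constructed stand-in for the evaluation's substep list: substep -> (tactic, technique).
# Technique IDs are real ATT&CK identifiers; the substep numbering is invented.
SUBSTEPS = {
    "1.A.1": ("initial-access", "T1566.001"),
    "1.A.2": ("execution", "T1059.001"),
    "1.B.1": ("discovery", "T1082"),
    "1.C.1": ("defense-evasion", "T1027"),
    "2.A.1": ("persistence", "T1547.001"),
    "2.B.1": ("credential-access", "T1003.001"),
    "2.C.1": ("collection", "T1005"),
    "2.D.1": ("exfiltration", "T1041"),
}

# Constructed process table from the sensor: pid -> (image name, parent pid).
PROCESSES = {
    100: ("outlook.exe", 1),
    110: ("winword.exe", 100),
    120: ("powershell.exe", 110),
    200: ("svchost.exe", 4),
    210: ("cmd.exe", 200),
    220: ("reg.exe", 210),
    230: ("rundll32.exe", 210),
    240: ("powershell.exe", 210),
}

# Constructed detections: the substep each covers, the context level it
# reached, and the pid it fired on. Substep 1.C.1 has no detection (a miss).
DETECTIONS = [
    {"substep": "1.A.1", "pid": 110, "level": "tactic"},
    {"substep": "1.A.2", "pid": 120, "level": "technique"},
    {"substep": "1.B.1", "pid": 120, "level": "technique"},
    {"substep": "2.A.1", "pid": 220, "level": "technique"},
    {"substep": "2.B.1", "pid": 230, "level": "telemetry"},
    {"substep": "2.C.1", "pid": 240, "level": "general"},
    {"substep": "2.D.1", "pid": 240, "level": "technique"},
]


def score_detections(substeps, detections):
    """Count each substep once, at the best level any detection gave it, or as a miss."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    best = {}
    for d in detections:
        s = d["substep"]
        if s not in best or rank[d["level"]] > rank[best[s]]:
            best[s] = d["level"]
    counts = {"miss": 0, **{lvl: 0 for lvl in LEVELS}}
    for s in substeps:
        counts[best.get(s, "miss")] += 1
    return counts


def root_of(pid, processes):
    """Walk the parent chain to the first ancestor whose parent the sensor never saw."""
    while pid in processes and processes[pid][1] in processes:
        pid = processes[pid][1]
    return pid


def correlate(substeps, detections, processes):
    """Group detections into one alert per process-tree root (a 'storyline')."""
    stories = defaultdict(list)
    for d in detections:
        stories[root_of(d["pid"], processes)].append(d)
    alerts = []
    for root in sorted(stories):
        steps, tactics, techniques = [], set(), set()
        for d in stories[root]:
            steps.append(d["substep"])
            tactic, technique = substeps[d["substep"]]
            if d["level"] in ("tactic", "technique"):   # tactic attribution present
                tactics.add(tactic)
            if d["level"] == "technique":                # full technique attribution
                techniques.add(technique)
        alerts.append({
            "root": root,
            "root_name": processes[root][0],
            "substeps": sorted(steps),
            "tactics": sorted(tactics),
            "techniques": sorted(techniques),
            # every detection after the first in a storyline is "correlated" to it
            "correlated": len(stories[root]) - 1,
        })
    return alerts


if __name__ == "__main__":
    print(score_detections(SUBSTEPS, DETECTIONS))
    for alert in correlate(SUBSTEPS, DETECTIONS, PROCESSES):
        print(alert)
```

With this sample the seven detections collapse into two alerts, one per process tree, and the scoring shows where context is thin: the credential-access and collection substeps were seen but never attributed to a tactic, so they add nothing to the alert's story even though they are not misses. Grouping by process root is the simplest possible correlation key; a real product also links across hosts, users and network flows.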

3. Great Products Solve Complex Problems – Services Should Always Be Optional

For an extra layer of completeness, or for those who seek to outsource SOC operations, SentinelOne offers optional Vigilance Managed Detection and Response (MDR) services. The MITRE data as related to SentinelOne proves unequivocally that our technology paired with our global expert MDR analysts provides absolute coverage across the board.

Join our MITRE webinar to see SentinelOne’s victorious performance against APT29.
Wednesday, April 29th @ 9 am PST

To summarize conversations with Josh Zelonis, Forrester’s EDR Wave analyst, buyers should ask and ascertain if MDR is a crutch for the product or if it’s value additive. 

MITRE’s ATT&CK data shows that SentinelOne had the highest level of detections delivered exclusively by the product (without any MDR services); in addition, Vigilance MDR services, operating the SentinelOne product, had the most MSSP detections. This is possible because our agent captures a richer set of events/signals that can be analyzed by our Level 4 Vigilance Ninjas to identify targeted attacks.

The experience for a SentinelOne Vigilance MDR customer would have been a single proactive email or phone call (depending on customer preference) with updates across the 11 alerts.  Even in a detection-only policy with the product taking no actions – which is the MITRE ATT&CK simulation – Vigilance would have stopped and remediated the attack in under 20 minutes. 

It is important to note that SentinelOne’s platform operated independently of its MSSP scoring proving that the tool stands alone but that if extra depth is desired, the tool + MDR provides a deep solution.

MITRE 2020 Results Takeaway

Great products, and in this case great security products, will catch the eye of CISOs and SecOps professionals if they do these things:

  • Shift work from mundane brain-killing activities to more interesting initiatives
  • Integrate with other parts of the security stack
  • Automate more of the work
  • Defeat adversaries in real time
  • Include granular remediation capabilities for automated cleanup and recovery
  • Encompass preventative measures that handle garden-variety up to advanced attacks 

SentinelOne’s performance in MITRE ATT&CK Round 2 is a strong statement that visibility and AI when coupled together create a powerful EDR solution. As evidenced in the data output of the simulation, SentinelOne excels at detection, and even more importantly, the autonomous mapping and correlating of data into fully indexed and correlated stories. SentinelOne’s storyline technology, powered by our patented Behavior AI, sets us apart from every other vendor on the market. 

Every CISO we speak with tells us the value they fundamentally seek is a solution that not only sees more but also does more – without adding friction, complexity, or cost. Cyber attackers move quickly, especially advanced adversaries. With SentinelOne, CISOs and their team can trust a performant, cloud-native EDR platform that is proven to stay one step ahead with a product-driven approach to understanding, organizing, and actioning data at machine speed.

To learn more about SentinelOne’s performance in MITRE ATT&CK APT29, join us in the webinar on Wednesday, April 29 at 9AM PST.



Fishtown Analytics raises $12.9M Series A for its open-source analytics engineering tool

Philadelphia-based Fishtown Analytics, the company behind the popular open-source data engineering tool dbt, today announced that it has raised a $12.9 million Series A round led by Andreessen Horowitz, with the firm’s general partner Martin Casado joining the company’s board.

“I wrote this blog post in early 2016, essentially saying that analysts needed to work in a fundamentally different way,” Fishtown founder and CEO Tristan Handy told me, when I asked him about how the product came to be. “They needed to work in a way that much more closely mirrored the way the software engineers work and software engineers have been figuring this shit out for years and data analysts are still like sending each other Microsoft Excel docs over email.”

The dbt open-source project forms the basis of this. It allows anyone who can write SQL queries to transform data and then load it into their preferred analytics tools. As such, it sits in-between data warehouses and the tools that load data into them on one end, and specialized analytics tools on the other.

As Casado noted when I talked to him about the investment, data warehouses have now made it affordable for businesses to store all of their data before it is transformed. So what was traditionally “extract, transform, load” (ETL) has now become “extract, load, transform” (ELT). Andreessen Horowitz is already invested in Fivetran, which helps businesses move their data into their warehouses, so it makes sense for the firm to also tackle the other side of this business.

“Dbt is, as far as we can tell, the leading community for transformation and it’s a company we’ve been tracking for at least a year,” Casado said. He also argued that data analysts — unlike data scientists — are not really catered to as a group.

Before this round, Fishtown hadn’t raised a lot of money, even though it has been around for a few years now, except for a small SAFE round from Amplify.

But Handy argued that the company needed this time to prove that it was on to something and build a community. That community now consists of more than 1,700 companies that use the dbt project in some form and over 5,000 people in the dbt Slack community. Fishtown also now has over 250 dbt Cloud customers and the company signed up a number of big enterprise clients earlier this year. With that, the company needed to raise money to expand and also better service its current list of customers.

“We live in Philadelphia. The cost of living is low here and none of us really care to make a quadro-billion dollars, but we do want to answer the question of how do we best serve the community,” Handy said. “And for the first time, in the early part of the year, we were like, holy shit, we can’t keep up with all of the stuff that people need from us.”

The company plans to expand the team from 25 to 50 employees in 2020 and with those, the team plans to improve and expand the product, especially its IDE for data analysts, which Handy admitted could use a bit more polish.

Medallia acquires voice-to-text specialist Voci Technologies for $59M

M&A has largely slowed down in the current market, but there remain pockets of activity when the timing and price are right. Today, Medallia — a customer experience platform that scans online reviews, social media, and other sources to provide better insights into what a company is doing right and wrong and what needs to get addressed — announced that it would acquire Voci Technologies, a speech-to-text startup, for $59 million in cash.

Medallia plans to integrate the startup’s AI technology so that voice-based interactions — for example from calls into call centers — can be part of the data crunched by its analytics platform. Despite the rise of social media, messaging channels, and (currently) a shift for people to do a lot more online, voice still accounts for the majority of customer interactions for a business, so this is an important area for Medallia to tackle.

“Voci transcribes 100% of live and recorded calls into text that can be analyzed quickly to determine customer satisfaction, adding a powerful set of signals to the Medallia Experience Cloud,” said Leslie Stretch, president and CEO of Medallia, in a statement. “At the same time, Voci enables call analysis moments after each interaction has completed, optimizing every aspect of call center operations securely. Especially important as virtual and remote contact center operations take shape.”

While there are a lot of speech-to-text offerings in the market today, the key with Voci is that it is able to discern a number of other details in the call, including emotion, gender, sentiment, and voice biometric identity. It’s also able to filter out personal identifiable information to ensure more privacy around using the data for further analytics.

Voci started life as a spinout from Carnegie Mellon University (its three founders were all PhDs from the school), and it had raised a total of about $18 million from investors that included Grotech Ventures, Harbert Growth Partners, and the university itself. It was last valued at $28 million in March 2018 (during a Series B raise), meaning that today’s acquisition was slightly more than double that value.

The company seems to have been on an upswing with its business. Voci has to date processed some 2 billion minutes of speech, and in January, the company published some momentum numbers that said bookings had grown some 63% in the last quarter, boosted by contact center customers.

In addition to contact centers, the company catered to companies in finance, healthcare, insurance and other areas of business process outsourcing, although it does not disclose names. As with all companies and organizations that have products that cater to offering services remotely, Voci has seen stronger demand for its business in recent weeks, at a time when many have curtailed physical contact due to COVID-19-related movement restrictions.

“Our whole company is delighted to be joining forces with experience management leader Medallia. We are thrilled that Voci’s powerful speech to text capabilities will become part of Medallia Experience Cloud,” said Mike Coney, CEO of Voci, in a statement. “The consolidation of all contact center signals with video, survey and other critical feedback is a game changer for the industry.”

It’s not clear whether Voci had been trying to raise money in the last few months, or if this was a proactive approach from Medallia. But more generally, M&A has found itself in a particularly key position in the world of tech: startups are finding it more challenging right now to raise money, and one big question has been whether that will lead to more hail-mary-style M&A plays, as one route for promising businesses and technologies to avoid shutting down altogether.

For its part, Medallia, which went public in July 2019 after raising money from the likes of Sequoia, has seen its stock hit like the rest of the market in recent weeks. Its current market cap is at around $2.8 billion, just $400 million more than its last private valuation.

The deal is expected to close in May 2020, Medallia said.