AWS, Salesforce join forces with Linux Foundation on Cloud Information Model

Last year, Adobe, SAP and Microsoft came together and formed the Open Data Initiative. Not to be outdone, this week, AWS, Salesforce and Genesys, in partnership with The Linux Foundation, announced the Cloud Information Model.

The two competing data models have a lot in common. They are both about bringing together data and applying a common open model to it. The idea is to allow for data interoperability across products in the partnership without a lot of heavy lifting, a common problem for users of these big companies’ software.

Jim Zemlin, executive director at The Linux Foundation, says the project provides a neutral home for the Cloud Information Model, where a community can work on the problem. “This allows for anyone across the community to collaborate and provide contributions under a central governance model. It paves the way for full community-wide engagement in data interoperability efforts and standards development, while rapidly increasing adoption rate of the community,” Zemlin explained in a statement.

Each of the companies in the initial partnership is using the model in different ways. AWS will use it in conjunction with its AWS Lake Formation tool to help customers move, catalog, store and clean data from a variety of data sources, while Genesys customers can use its cloud and AI products to communicate across a variety of channels.

Patrick Stokes from Salesforce says his company is using the Cloud Information Model as the underlying data model for his company’s Customer 360 platform of products. “We’re super excited to announce that we’ve joined together with a few partners — AWS, Genesys and The Linux Foundation — to actually open-source that data model,” Stokes told TechCrunch.

Of course, now we have two competing “open” data models, and that is going to create friction until the two projects find a way to come together. Many companies use tools from each of these vendors, and if the competing approaches persist, they will defeat the purpose of creating these initiatives in the first place.

As Satya Nadella said in 2015, “It is incumbent upon us, especially those of us who are platform vendors to partner broadly to solve real pain points our customers have.” If that’s the case, having competing models is not really achieving that.

Freshworks raises $150M Series H on $3.5B valuation

Freshworks, a company that makes a variety of business software tools, from CRM to help-desk software, announced a $150 million Series H investment today from Sequoia Capital, CapitalG (formerly Google Capital) and Accel on a hefty $3.5 billion valuation. The late-stage startup has raised almost $400 million, according to Crunchbase data.

The company has been building an enterprise SaaS platform to give customers a set of integrated business tools, but CEO and co-founder Girish Mathrubootham says they will be investing part of this money in R&D to keep building out the platform.

To that end, the company also announced today a new unified data platform called the “Customer-for-Life Cloud” that runs across all of its tools. “We are actually investing in really bringing all of this together to create the ‘Customer-for-Life Cloud,’ which is how you take marketing, sales, support and customer success — all of the aspects of a customer across the entire life cycle journey and bring them to a common data model where a business that is using Freshworks can see the entire life cycle of the customer,” Mathrubootham explained.

While Mathrubootham was not ready to commit to an IPO, he said they are in the process of hiring a CFO and are looking ahead to one day becoming a public company. “We don’t have a definite timeline. We want to go public at the right time. We are making sure that as a company that we are ready with the right processes and teams and predictability in the business,” he said.

In addition, he says he will continue to look for good acquisition targets, and having this money in the bank will help the company fill in gaps in the product set should the right opportunity arise. “We don’t generally acquire revenue, but we are looking for good technology teams both in terms of talent, as well as technology that would help give us a jumpstart in terms of go-to-market.” It hasn’t been afraid to target small companies in the past, having acquired 12 already.

Freshworks, which launched in 2010, has almost 2,500 employees, a number that’s sure to go up with this new investment. It has 250,000 customers worldwide, including almost 40,000 paying customers. These include Bridgestone Tires, Honda, Hugo Boss, Toshiba and Cisco.

Messaging app Wire confirms $8.2M raise, responds to privacy concerns after moving holding company to the US

Big changes are afoot for Wire, an enterprise-focused end-to-end encrypted messaging app and service that advertises itself as “the most secure collaboration platform”. In February, Wire quietly raised $8.2 million from Morpheus Ventures and others, we’ve confirmed — the first funding amount it has ever disclosed — and alongside that external financing, it moved its holding company in the same month to the US from Luxembourg, a switch that Wire’s CEO Morten Brogger described in an interview as “simple and pragmatic.”

He also said that Wire is planning to introduce a freemium tier to its existing consumer service — which itself has half a million users — while working on a larger round of funding to fuel more growth of its enterprise business — a key reason for moving to the US, he added: There is more money to be raised there.

“We knew we needed this funding and additional to support continued growth. We made the decision that at some point in time it will be easier to get funding in North America, where there’s six times the amount of venture capital,” he said.

While Wire has moved its holding company to the US, it is keeping the rest of its operations as is. Customers are licensed and serviced from Wire Switzerland; the software development team is in Berlin, Germany; and hosting remains in Europe.

The news of Wire’s US move and the basics of its February funding — sans value, date or backers — came out this week via a blog post that raises questions about whether a company that trades on the idea of data privacy should itself be more transparent about its activities.

Specifically, the changes to Wire’s financing and legal structure were only communicated to users when news started to leak out, which brings up questions not just about transparency, but about the state of Wire’s privacy policy, given the company’s holding company now being on US soil.

It was an issue picked up and amplified by NSA whistleblower Edward Snowden. Via Twitter, he described the move to the US as “not appropriate for a company claiming to provide a secure messenger — claims a large number of human rights defenders relied on.”

The key question is whether Wire’s shift to the US puts users’ data at risk — a question that Brogger claims is straightforward to answer: “We are in Switzerland, which has the best privacy laws in the world” — it’s subject to Europe’s General Data Protection Regulation framework (GDPR) on top of its own local laws — “and Wire now belongs to a new group holding, but there is no change in control.”

In its blog post published in the wake of blowback from privacy advocates, Wire also claims it “stands by its mission to best protect communication data with state-of-the-art technology and practice” — listing several items in its defence:

  • All source code has been and will be available for inspection on GitHub (github.com/wireapp).
  • All communication through Wire is secured with end-to-end encryption — messages, conference calls, files. The decryption keys are only stored on user devices, not on our servers. It also gives companies the option to deploy their own instances of Wire in their own data centers.
  • Wire has started working on a federated protocol to connect on-premise installations and make messaging and collaboration more ubiquitous.
  • Wire believes that data protection is best achieved through state-of-the-art encryption and continues to innovate in that space with Messaging Layer Security (MLS).

But where data privacy and US law are concerned, it’s complicated. Snowden famously leaked scores of classified documents disclosing the extent of US government mass surveillance programs in 2013, including how data-harvesting was embedded in US-based messaging and technology platforms.

Six years on, the political and legal ramifications of that disclosure are still playing out — with a key judgement pending from Europe’s top court which could yet unseat the current data transfer arrangement between the EU and the US.

Privacy versus security

Wire launched at a time when interest in messaging apps was at a high watermark. The company made its debut in the middle of February 2014, and it was only one week later that Facebook acquired WhatsApp for the princely sum of $19 billion.

We described Wire’s primary selling point at the time as a “reimagining of how a communications tool like Skype should operate had it been built today” rather than in 2003. That meant encryption and privacy protection, but also better audio tools and file compression and more.

It was a pitch that seemed especially compelling considering the background of the company. Skype co-founder Janus Friis and funds connected to him were the startup’s first backers (and they remain the largest shareholders); Wire was co-founded by Skype alums Jonathan Christensen and Alan Duric (no longer with the company); and even new investor Morpheus has Skype roots.

Yet even with that Skype pedigree, the strategy faced a big challenge.

“The consumer messaging market is lost to the Facebooks of the world, which dominate it,” Brogger said today. “However, we made a clear insight, which is the core strength of Wire: security and privacy.”

That, combined with the trend around the consumerization of IT that has brought new tools to business users, is what led Wire to the enterprise market in 2017 — a shift that has seen it pick up a number of big names among its 700 enterprise customers, including Fortum, Aon, EY and SoftBank Robotics.

But fast forward to today, and it seems that even if security and privacy are two sides of the same coin, choosing which of the two to optimise for in features and future development is not so simple. That choice is part of the question now, and it is what critics are concerned with.

“Wire was always for profit and planned to follow the typical venture backed route of raising rounds to accelerate growth,” one source familiar with the company told us. “However, it took time to find its niche (B2B, enterprise secure comms).

“It needed money to keep the operations going and growing. [But] the new CEO, who joined late 2017, didn’t really care about the free users, and the way I read it now, the transformation is complete: ‘If Wire works for you, fine, but we don’t really care about what you think about our ownership or funding structure as our corporate clients care about security, not about privacy.’”

And that is the message you get from Brogger, too, who describes individual consumers as “not part of our strategy”, but also not entirely removed from it, either, as the focus shifts to enterprises and their security needs.

Brogger said there are still half a million individuals on the platform, and they will come up with ways to continue to serve them under the same privacy policies and with the same kind of service as the enterprise users. “We want to give them all the same features with no limits,” he added. “We are looking to switch it into a freemium model.”

On the other side, “We are having a lot of inbound requests on how Wire can replace Skype for Business,” he said. “We are the only one who can do that with our level of security. It’s become a very interesting journey and we are super excited.”

Part of the company’s push into enterprise has also seen it make a number of hires. This has included bringing in two former Huddle C-suite execs, Brogger as CEO and Rasmus Holst as chief revenue officer — a bench that Wire expanded this week with three new hires from three other B2B businesses: a VP of EMEA sales from New Relic, a VP of finance from Contentful, and a VP of Americas sales from Xeebi.

Such growth comes with a price-tag attached to it, clearly. Which is why Wire is opening itself to more funding and more exposure in the US, but also more scrutiny and questions from those who counted on its services before the change.

Brogger said inbound interest has been strong and he expects the startup’s next round to close in the next two to three months.

Orcus RAT Author Charged in Malware Scheme

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. This week, Canadian authorities criminally charged him with orchestrating an international malware scheme.

An advertisement for Orcus RAT.

The accused, 36-year-old John “Armada” Revesz, has maintained that Orcus is a legitimate “Remote Administration Tool” aimed at helping system administrators remotely manage their computers, and that he’s not responsible for how licensed customers use his product.

In my 2016 piece, however, several sources noted that Armada and his team were marketing it more like a Remote Access Trojan, providing ongoing technical support and help to customers who’d purchased Orcus but were having trouble figuring out how to infect new machines or hide their activities online.

Follow-up reporting revealed that the list of features and plugins advertised for Orcus includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

Canadian investigators don’t appear to be buying Revesz’ claims. On Monday the Royal Canadian Mounted Police (RCMP) announced it had charged Revesz with operating an international malware distribution scheme under the company name “Orcus Technologies.”

“An RCMP criminal investigation began in July 2016 after reports of a significant amount of computers were being infected with a ‘Remote Access Trojan’ type of virus,” the agency said in a statement.

The RCMP filed the charges eight months after executing a search warrant at Revesz’ home, where they seized several hard drives containing Orcus RAT customer names, financial transactions, and other information.

“The evidence obtained shows that this virus has infected computers from around the world, making thousands of victims in multiple countries,” the RCMP said.

Revesz did not respond to requests for comment.

If Revesz’s customers are feeling the heat right now, they probably should be. Several former customers of his took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware.

“I got raided [and] within the first 5 minutes they mention Orcus to me,” complained one customer on Hackforums[.]net, the forum where Revesz principally advertised his software. That user pointed to a March 2019 media advisory released by the Australian Federal Police, who said they’d executed search warrants there as part of an investigation into RAT technology conducted in tandem with the RCMP.

According to Revesz himself, the arrests and searches related to Orcus have since expanded to individuals in the United States and Germany.

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

It’s remarkable how many denizens of various hacking forums persist in believing that an end-user licensing agreement (EULA) or “terms of service” (TOS) disavowing any responsibility for what customers do with the product somehow absolves sellers of RAT programs of any liability when they then turn around and actively assist customers in using the tools to infect systems with malware.

Stop the Churn, Avoid Burnout | How To Keep Your Cybersecurity Personnel

According to recent research, the global cybersecurity workforce, currently estimated to be close to 3 million people, needs to grow by around 4 million, or 62%, in order to meet current demand. The shortage of cyber manpower has a significant impact not only on organizations, which struggle to fill the ranks, but also on security professionals, who have to cope with the pressures brought by understaffing. There are many indications that these professionals, who are in such high demand, suffer from stress and an intensive workload and are likely to leave their current employer for a better-paying job tomorrow.

Eight out of ten analysts say their SOC had experienced between 10% and 50% analyst churn in the past year. What are the reasons for these high churn rates, and what could a security manager do in order to combat this phenomenon? Let’s take a look.


Security is a Stressful Profession

In a survey covering the first six months of 2019, some 1,500 of 6,000 (25%) cybersecurity professionals said their organization had been the victim of a data breach, and 2,160 (36%) of those who had not been breached believed their organization could currently be facing a breach without their knowledge.

In the light of such pressures, it’s perhaps not a great surprise that almost half (49%) of those surveyed reported that they are kept awake at night worrying about their organization’s cybersecurity.

On top of worries about imminent threats, staff also report that a lack of security awareness among their organization’s staff in general, and a lack of buy-in regarding security best practices at the executive level, contribute to increasing stress. Of major concern to cybersecurity professionals is that C-suite executives are more often than not the people most likely to disregard security safeguards, and they are also the people most likely to be targeted in spearphishing and advanced threat actor attacks.

Increased Workload Due to Lack of Manpower

66% of respondents claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since organizations don’t have enough people, they simply pile more work onto those that they have. This leads to human error, misalignment of tasks to skills, and employee burnout.

69% of organisations say their cybersecurity teams are understaffed, and 17% of professionals said that they had considered leaving their current position due to a lack of resources.

The average enterprise SOC encounters anything between 10,000 and a million alerts per day. Many of these alerts are false positives. One survey found that more than half of respondents reported a rate of 50% or higher. Most now say they spend the majority of their time trying to manage the high volume of alerts.

Alert fatigue (a term coined by medical professionals) is now widely associated with passive detection and response security technologies. It causes stress, reduces productivity and, over time, leads to the psychological effects of depression and apathy. Obviously, these can greatly affect an employee’s will to remain in their position.

What Can You Do To Retain Your Cybersecurity Staff?

The cybersecurity profession is fairly new, and it lacks a common, industry-wide, professional framework for career progression. However, there are still a wide-variety of respected certification programs, training courses and skills development platforms, not to mention an increasing number of hacker/security cons where training courses are often run alongside the presentation of papers and products. Despite the wealth of available resources, nearly half of surveyed SOC analysts say they get 20 or fewer hours of training per year. 


Invest In Skills To Keep Your People, & Improve Enterprise Security

Organizations would be wise to invest in building their teams’ professional knowledge. This could be achieved by periodic training at cyber ranges, tabletop exercises or on-prem simulations. Allowing staff to attend professional lectures and encouraging the consumption of professional materials like reverse engineering training and threat intelligence is also a great way to invest in skills.

In some quarters, managers fear that investing in employee training only equips the employee to move on to a more lucrative job elsewhere. Viewed in that light, training can be seen as a cost rather than an investment. The facts, however, suggest otherwise. The main reasons employees give for being happy with their current employer are that they are valued by management, that they are constantly challenged to improve their skills, and that they prefer to advance in position rather than start out somewhere new.

Investing in skills doesn’t just have the pay-off of stemming churn in your SOC either. It means you’re actively improving the knowledgebase and in-house talent you already possess, which naturally makes a huge contribution to improved organizational security.

Educate Your Business – “Security Aren’t The Bad Guys”

Security analysts are people, and they work with, and provide services to other employees. For a long time, IT security people were perceived as the “bad guys” - technocrats whose interest in securing the organization outweighs their affection for their peers. How else can you explain their demand that you change your password every two weeks, and that they make you come to them to release a file your client has sent you? 

Educating the broader workforce on the importance of cybersecurity, and the fact that these cyber-practitioners are actually securing the entire organization, will go a long way to boost their morale and sense of value to the organization.   

Smarter Tech Works For Everybody

Security managers should invest in implementing the necessary procedures and tools to increase automation, reduce menial work and lower the frequency of alerts. Also, replacing older tech with modern security tools will give analysts professional satisfaction – they now work with the best tools in the business, and a modern UI is so much easier to work with, improving productivity and reducing frustration.   
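One concrete way to “lower the frequency of alerts” without hiding real signal is to collapse duplicates and suppress already-reviewed benign sources before anything reaches an analyst queue. The Python below is an added example written for this page, not code from the article or from any vendor: it groups alerts by (rule, host) inside a time window, drops alerts that match a reviewed allowlist, and ranks what remains. The alerts, rule names, hosts, addresses and allowlist entries are constructed for the illustration and are not real telemetry.

```python
"""
Alert-volume reduction: dedup by (rule, host) within a time window, apply a
reviewed allowlist of known-benign sources, and rank what is left. Added
example for this page; all data below is constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Lower rank sorts first in the queue.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample alerts (hypothetical rule names, hosts and addresses).
# Deliberately not in time order: the first alert in the list is not the earliest.
RAW_ALERTS = [
    {"ts": "2019-11-12T09:00:01", "rule": "brute_force_ssh", "host": "web-01", "severity": "high", "detail": "50 failed logins from 198.51.100.7"},
    {"ts": "2019-11-12T09:00:05", "rule": "brute_force_ssh", "host": "web-01", "severity": "high", "detail": "50 failed logins from 198.51.100.7"},
    {"ts": "2019-11-12T09:00:09", "rule": "brute_force_ssh", "host": "web-01", "severity": "high", "detail": "50 failed logins from 198.51.100.7"},
    {"ts": "2019-11-12T09:01:00", "rule": "vuln_scanner_user_agent", "host": "web-02", "severity": "low", "detail": "scanner UA from 10.0.0.5"},
    {"ts": "2019-11-12T09:02:00", "rule": "vuln_scanner_user_agent", "host": "web-02", "severity": "low", "detail": "scanner UA from 203.0.113.9"},
    {"ts": "2019-11-12T09:30:00", "rule": "new_scheduled_task", "host": "ws-17", "severity": "medium", "detail": "task 'Updater' created by user jdoe"},
    {"ts": "2019-11-12T09:45:00", "rule": "brute_force_ssh", "host": "web-01", "severity": "high", "detail": "50 failed logins from 198.51.100.7"},
    {"ts": "2019-11-12T09:03:00", "rule": "powershell_encoded_cmd", "host": "ws-17", "severity": "high", "detail": "powershell.exe -enc ..."},
    {"ts": "2019-11-12T09:03:30", "rule": "powershell_encoded_cmd", "host": "ws-17", "severity": "high", "detail": "powershell.exe -enc ..."},
    {"ts": "2019-11-12T08:59:00", "rule": "backup_agent_login", "host": "backup-01", "severity": "low", "detail": "svc_backup interactive logon"},
]

# Constructed allowlist: sources the SOC has already reviewed and accepted.
# Each entry must name the rule; host_prefix and detail_contains are optional
# extra conditions, so an entry never suppresses a whole rule by accident.
ALLOWLIST = [
    {"rule": "vuln_scanner_user_agent", "detail_contains": "10.0.0.5"},  # authorized internal scanner
    {"rule": "backup_agent_login", "host_prefix": "backup-"},           # service account on backup hosts only
]


def is_allowlisted(alert, allowlist):
    """True if some allowlist entry matches the rule and every extra condition it sets."""
    for entry in allowlist:
        if entry["rule"] != alert["rule"]:
            continue
        if "host_prefix" in entry and not alert["host"].startswith(entry["host_prefix"]):
            continue
        if "detail_contains" in entry and entry["detail_contains"] not in alert["detail"]:
            continue
        return True
    return False


def aggregate(alerts, window):
    """Collapse alerts sharing (rule, host) that fall within `window` of the
    first alert in their bucket into one queue item carrying a count.
    An alert outside the window opens a fresh bucket, so a recurrence later
    in the day is still surfaced separately."""
    buckets = []
    open_bucket = {}  # (rule, host) -> index of the most recent bucket
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["host"])
        idx = open_bucket.get(key)
        if idx is not None and a["ts"] - buckets[idx]["first_seen"] <= window:
            buckets[idx]["count"] += 1
            buckets[idx]["last_seen"] = a["ts"]
        else:
            buckets.append({
                "rule": a["rule"], "host": a["host"], "severity": a["severity"],
                "first_seen": a["ts"], "last_seen": a["ts"], "count": 1,
                "sample_detail": a["detail"],
            })
            open_bucket[key] = len(buckets) - 1
    return buckets


def triage_queue(raw_alerts, allowlist=ALLOWLIST, window=timedelta(minutes=15)):
    """Return (ranked queue, stats). Ranking: severity, then count descending,
    then earliest first_seen, so the loudest high-severity cluster is on top."""
    alerts = [dict(a, ts=datetime.fromisoformat(a["ts"])) for a in raw_alerts]
    kept = [a for a in alerts if not is_allowlisted(a, allowlist)]
    queue = aggregate(kept, window)
    queue.sort(key=lambda b: (SEVERITY_RANK[b["severity"]], -b["count"], b["first_seen"]))
    stats = {
        "raw": len(alerts),
        "suppressed": len(alerts) - len(kept),
        "queue": len(queue),
        "reduction_pct": round(100 * (1 - len(queue) / len(alerts))) if alerts else 0,
    }
    return queue, stats


if __name__ == "__main__":
    queue, stats = triage_queue(RAW_ALERTS)
    print(stats)
    for item in queue:
        print(f"{item['severity']:<6} x{item['count']:<3} {item['rule']:<24} {item['host']:<10} {item['sample_detail']}")
```

On the constructed input this turns 10 raw alerts into 5 queue items: the three SSH brute-force alerts in the same minute collapse into one entry with a count of 3, the later recurrence at 09:45 stays separate because it falls outside the 15-minute window, and the two allowlisted alerts are dropped but still counted in the stats so the suppression rate can be audited. Keeping the allowlist narrow (rule plus host or detail condition) matters: an entry that suppresses an entire rule is exactly the kind of shortcut that later hides a real intrusion.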


Conclusion

Reducing attrition should be an organizational task. It is tempting to think that technology alone will solve the issue, but it won’t. People are the backbone of the security organization, and will remain such for many years. But given the scarcity of human resources, organizations must ensure that their people are utilized in the best way possible – meaning they are not wasting time chasing false positives or implementing difficult to use products. The people who are already employed must be well trained and equipped with the best tools to allow them to focus on the severe threats the organization is facing. They should also be appreciated throughout the organization. These actions will go a long way to reducing cybersecurity staff churn and improving efficiency and well-being within the business.



Lawyers hate timekeeping — Ping raises $13M to fix it with AI

Counting billable time in six-minute increments is the most annoying part of being a lawyer. It’s a distracting waste. It leads law firms to conservatively under-bill. And it leaves lawyers stuck manually filling out timesheets after a long day when they want to go home to their families.

Life is already short, as Ping CEO and co-founder Ryan Alshak knows too well. The former lawyer spent years caring for his mother as she battled a brain tumor before her passing. “One minute laughing with her was worth a million doing anything else,” he tells me. “I became obsessed with the idea that we spend too much of our lives on things we have no need to do — especially at work.”

That’s motivated him as he’s built his startup Ping, which uses artificial intelligence to automatically track lawyers’ work and fill out timesheets for them. There’s a massive opportunity to eliminate a core cause of burnout, lift law firm revenue by around 10% and give them fresh insights into labor allocation.

Ping co-founder and CEO Ryan Alshak (Image Credit: Margot Duane)

That’s why today Ping is announcing a $13.2 million Series A led by Upfront Ventures, along with BoxGroup, First Round, Initialized and Ulu Ventures. Adding to Ping’s quiet $3.7 million seed led by First Round last year, the startup will spend the cash to scale up enterprise distribution and become the new timekeeping standard.

“I was a corporate litigator at Manatt Phelps down in LA and joke that I was voted the world’s worst timekeeper,” Alshak tells me. “I could either get better at doing something I dreaded or I could try and build technology that did it for me.”

The promise of eliminating the hassle could make any lawyer who hears about Ping an advocate for the firm buying the startup’s software, like how Dropbox grew as workers demanded easier file sharing. “I’ve experienced first-hand the grind of filling out timesheets,” writes Initialized partner and former attorney Alda Leu Dennis. “Ping takes away the drudgery of manual timekeeping and gives lawyers back all those precious hours.”

Traditionally, lawyers have to keep track of their time by themselves down to the tenth of an hour — reviewing documents for the Johnson case, preparing a motion to dismiss for the Lee case, a client phone call for the Sriram case. There are timesheets built into legal software suites like MyCase, legal billing software like TimeSolv and one-off tools like Time Miner and iTimeKeep. They typically offer timers that lawyers can manually start and stop on different devices, with some providing tracking of scheduled appointments, call and text logging, and integration with billing systems.

Ping goes a big step further. It uses AI and machine learning to figure out whether an activity is billable, for which client, a description of the activity and its codification beyond just how long it lasted. Instead of merely filling in the minutes, it completes all the logs automatically, with entries like “Writing up a deposition – Jenkins Case – 18 minutes.” Then it presents the timesheet to the user for review before they send it to billing.

The big challenge now for Alshak and the team he’s assembled is to grow up. They need to go from cat-in-sunglasses logo Ping to mature wordmark Ping. “We have to graduate from being a startup to being an enterprise software company,” the CEO tells me. That means learning to sell to C-suites and IT teams, rather than just build a solid product. In the relationship-driven world of law, that’s a very different skill set. Ping will have to convince clients it’s worth switching to not just for the time savings and revenue boost, but for deep data on how they could run a more efficient firm.

Along the way, Ping has to avoid any embarrassing data breaches or concerns about how its scanning technology could violate attorney-client privilege. If it can win this lucrative first business in legal, it could barge into the consulting and accounting verticals next to grow truly huge.

With eager customers, a massive market, a weak status quo and a driven founder, Ping just needs to avoid getting in over its head with all its new cash. Spent well, the startup could leap ahead of the less tech-savvy competition.

Alshak seems determined to get it right. “We have an opportunity to build a company that gives people back their most valuable resource — time — to spend more time with their loved ones because they spent less time working,” he tells me. “My mom will live forever because she taught me the value of time. I am deeply motivated to build something that lasts . . . and do so in her name.”

Loop Returns picks up $10 million in Series A led by FirstMark Capital

Loop Returns, the startup that helps brands handle returns from online purchases, has today announced the close of a $10 million Series A funding round led by FirstMark Capital. Lerer Hippeau and Ridge Ventures also participated in the round.

Loop started when Jonathan Poma, co-founder, COO and president, was working at an agency and consulting with a big Shopify brand on how to improve its system for returns and exchanges. After partnering with longtime friend Corbett Morgan, Loop Returns was born.

Loop sits on top of Shopify to handle all of a brand’s returns. It first asks the customer if they’d like a different size in the item they bought, quickly managing an exchange. It then asks if the customer would prefer to exchange for a new item altogether, depositing the credit in that person’s account in real time so they can shop for something new immediately.

If an exchange isn’t in the cards, Loop will ask the customer if they’d prefer credit with this brand over a straight-up refund.

The goal, according to Poma and Morgan, is to turn the point of return into a moment where brands can create a life-loyal customer when handled quickly and properly.

The more we shop online, the more brands extend themselves financially, and returns are a big part of that. Returns account for 20 to 30% of e-commerce sales, which can become a terrible financial burden on a growing direct-to-consumer brand. And what’s more, the cost of acquiring those users in the first place also goes down the drain.

Loop Returns hopes to keep that customer in the fold by giving them post-purchase options that are more sticky and more lucrative for the brand than a refund.

The company thinks of it as Connection Infrastructure. Most brands already have a customer acquisition architecture, and Shopify and Amazon are ahead when it comes to the infrastructure around customer convenience. But the ties that bind customers to brands haven’t been optimized for the many D2C brands out there looking to make an impact.

“The big problem we’re trying to solve long term is connection infrastructure,” said Morgan. “Why does this brand matter? Why does it mean something to me? Why does the product matter? We want to enforce more mindfulness and meaning into buying.”

Of course, a more mindful shopper doesn’t yield as many returns. Poma and Morgan admit that the goal of their software is to minimize returns, the very reason for the software’s existence. After all, return volume is one of a handful of variables that help Loop Returns determine what it will charge its brand clients.

But the team is thinking about other layers of the connection infrastructure, with plans to launch a product in 2020 that also focuses on the connection point after purchase. Poma and Morgan believe, with an almost religious reverence, that the brands themselves will help lead shoppers and infrastructure providers to a better, more connected shopping experience.

“Brands are the torch bearers,” said Poma. “They will lead us to a more enlightened era of how we think about buying. Empowerment of the brand will lead us to a better consumerism.”

The co-founders stayed mum on any specific plans for the 2020 product, but did say they will use the funding to expand operations and further build out the company’s current and future products.

Of course, Loop is playing in a crowded space. Not only are there other players thinking about post-purchase connection, but Shopify has itself built out tools to help with exchanges and returns, and even acquired Return Magic, a similar service, in the summer of 2018.

That said, Loop Returns believes there is a long way to go as it builds the “connection infrastructure,” and that one clear path forward is actual personalization. With data from returns and exchanges, Loop Returns is relatively well-positioned to take on personalization in a meaningful way.

For now, Loop Returns has more than 200 customers and has handled more than 2 million returns, working with brands like Brooklinen, Allbirds, PuraVida and more.

Work collaboration startup Notion cozies up to Silicon Valley’s top accelerators

Startups building work software for other startups have been a huge focus of investment in Silicon Valley as eager VCs hope to grab a piece of the next Slack. Notion Labs, a profitable work tools startup that recently hit a reported $800 million valuation, isn’t making it easy for VC firms to give them money, but they are partnering with some of them alongside top accelerators like Y Combinator in an effort to become another household name in work software.

Notion has north of 1 million users and has attracted thousands of young startups to its platform, which combines notes, wikis and databases into a versatile tool that can help small teams cut down on the number of enterprise software subscriptions they’re paying for. Notion charges startups $8 per employee (when billed annually) to use the service.

Over half of the startups from Y Combinator’s most recent batch are Notion customers, the company tells TechCrunch, and the startup seems intent on accelerating adoption among small teams. It has approached and partnered with dozens of accelerators around the globe, including Y Combinator, 500 Startups and TechStars, to bring their portfolio startups onto Notion’s platform, offering admitted startups $1,000 in free services each.

The new program is part of the company’s efforts to embed its platform as an “operating system” for startups early on and then scale as its customers do.

“I think we find ourselves in a really interesting spot where I think YC startups know about us and start with it,” COO Akshay Kothari says. “Our goal with the new program is getting to the point where if you’re a new company, you don’t even think about it, you just start with Notion.”

Notion COO Akshay Kothari

Kothari says their platform seems to work best for startups in the sub-50 and sub-100 employee range, but they do have larger customers like UK banking startup Monzo which has organized their 1,300+ employees around the platform. Notion itself is unsurprisingly a power user of its product, running everything but internal and external communications on its own software.

The company offers a couple of pricing tiers depending on size, but individuals can also use the software for $5 per month, something that Kothari believes gives it advantages over other tools in driving adoption inside companies. “There are a lot of similarities between us and the early stages of Slack in terms of engineering and product design people loving it, tech and media loving it, but one unique thing about us is that you can use Notion alone. Slack alone would be a bit lonely.”

The company is pitching customers a vision of consolidated workplace services that are built so end users can customize them to their needs. Notion’s pitch contrasts pretty heavily with the overarching enterprise SaaS trend, which has seen a wealth of specialized software tools hitting the market.

Notion is working on tools to help it court larger enterprise customers as well, including offline access, better permission systems and an API that can help developers connect their services to the platform. Notion has been iterating its product rather quickly for a company that has 9 engineers and no PMs, but Kothari says that they don’t believe piling more money or doubling employees is going to be the key to scaling more quickly.

“We definitely want to create a large company, a company that could eventually go public or whatever is the right — you know it’s too early for a lot of that stuff. Our preference is to stay small,” he says. “[Notion] doesn’t have a board, it doesn’t have a whole lot of external voices, pretty much everyone in this office decides what we’re doing next.”

Notion has raised millions in funding from investors like First Round Capital, Ron and Ronny Conway, Elad Gill and most recently Daniel Gross. The Information’s Amir Efrati reported earlier this year that Notion had raised a $10 million “angel round” at an $800 million valuation. The round was less about raising more cash than it was about closing convertible notes, Kothari tells TechCrunch, noting that Notion has been profitable for the last 12-18 months.

“I guess we were profitable before profitability became cool. I think profitability helps you to control destiny a lot better because you’re not out fundraising every year or 18 months,” Kothari says. “Interestingly now, I think it’s cool to be profitable again. When I joined Notion I would tell VCs or investors ‘Oh, we’re profitable,’ and they would be like ‘Oh, so you’re building a lifestyle company.’”

Kothari himself was an investor who put money into Notion founders Ivan Zhao and Simon Last’s idea to create a platform that would help non-engineers build software. That was 6 years ago, after Kothari sold his previous startup to LinkedIn; he joined about a year ago as COO.

Some VCs may have been skeptical early on, but the story of Notion over the past year has been VCs fighting to score a spot on its cap table. In January, The New York Times’s Erin Griffith reported that VCs had “dug up Notion’s office address and sent its founders cookie dough, dog treats and physical letters” to court their interest. The unrequited VC yearning has earned Notion a reputation for being venture averse, something Kothari pushed back on a few times.

“So, again, for the record, we don’t hate venture capitalists.”

Patch Tuesday, November 2019 Edition

Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today’s patches.

More than a dozen of the flaws tackled in this month’s release are rated “critical,” meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.

Perhaps the most concerning of those critical holes is a zero-day flaw in Internet Explorer (CVE-2019-1429) that has already seen active exploitation. Today’s updates also address two other critical vulnerabilities in the same Windows component that handles various scripting languages.

Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program and let malicious macros through.

Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to “enable macros” once they’ve opened a booby-trapped Office document delivered via email. Thus, Office has a feature called “disable all macros without notification.”

But Microsoft says all versions of Office still support an older type of macro that does not respect this setting and can be used as a vector for pushing malware. Will Dormann of CERT/CC reports that while Office 2016 and 2019 for Mac will still prompt the user before executing these older macro types, Office for Mac 2011 fails to warn users before opening them.
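The practical lesson of the two paragraphs above is that a client-side setting such as “disable all macros without notification” only governs the macro types the application chooses to check, so a mail gateway or incident responder still needs to look at the file itself. The following triage helper is an added example and not code from the post or from Microsoft: it distinguishes OOXML documents that carry a VBA project (a `vbaProject.bin` part inside the zip container) from ones that do not, and flags legacy OLE2 binary documents (`.doc`, `.xls`, `.ppt`) as needing a dedicated OLE parser rather than silently calling them clean. The sample documents are constructed in memory by `build_sample_docx`; the category names are this example’s own.

```python
"""Triage Office attachments for embedded macro projects (added example)."""
import io
import zipfile

# Compound File Binary (OLE2) signature used by legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def classify_office_file(data: bytes) -> str:
    """Classify a file by its container, not its extension.

    Returns one of (names chosen for this example):
      "ooxml-macro"    OOXML zip that contains a VBA project part
      "ooxml-clean"    OOXML zip without a VBA project part
      "legacy-binary"  OLE2 container; macros may be present but cannot be
                       ruled out without a dedicated OLE parser
      "unknown"        anything else (not an Office container we recognise)
    """
    if data.startswith(OLE2_MAGIC):
        # Do not treat the legacy format as safe: it needs deeper inspection.
        return "legacy-binary"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # Word stores it as word/vbaProject.bin, Excel as xl/vbaProject.bin, etc.
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
    return "unknown"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE streams; 16 zero bytes stand in here.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("docm sample", build_sample_docx(True)),
        ("docx sample", build_sample_docx(False)),
        ("legacy sample", OLE2_MAGIC + b"\x00" * 8),
    ]:
        print(f"{label}: {classify_office_file(blob)}")
```

The “legacy-binary” verdict is deliberate: a gateway that only looks for `vbaProject.bin` would let every OLE2 document through unexamined, which is exactly the kind of gap the older macro formats in the post exploit.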

Other Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities — five of them critical — in Windows Hyper-V, an add-on to the Windows Server OS (and Windows 10 Pro) that allows users to create and run virtual machines (other “guest” operating systems) from within Windows.

Although Adobe typically issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to note last month that Adobe released a critical update for Acrobat/Reader that addressed at least 67 bugs, so if you’ve got either of these products installed, please be sure they’re patched and up to date.

Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.

Now seems like a good time to remind all you Windows 7 end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Standard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up to date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

As ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

The Quest for Visibility & Hunting Comes with an Unseen Opportunity Cost

There is so much emphasis in the cybersecurity market space on after-the-fact visibility into what bad things just happened. So much energy, time, money, strategy, and dialogue about it. The trouble is, it comes at a cost. For every moment we spend reacting, tracking down root cause analysis, examining forensics, peering at visibility, offsetting risks, running playbooks, and all the rest, we lose a moment to get ahead.

Some argue that prevention has failed us, and hence, we should retreat into reactive after-the-fact strategy and tooling. How many times must the bells of resilience and acceptable risk ring in our ears? Those concepts serve the business, and they are needed for us to message internally to other C-suite, directors, investors and customers alike. But these are not the concepts that should form the premise of our security strategy as CISOs and SECOPs.

Do we not realize the starkest of outcomes? Even if we were able to have perfect visibility, perfect forensics, perfect root cause, perfect cyber insurance, perfect human expertise and perfect cloud-based intelligence and visibility, we still would not have solved the one thing that will always overwhelm and outpace those controls.

Visibility After The Fact Means We Lost

Here we all are…on our heels, drowning in alert data, analysis paralysis, and burnout of even the greatest minds we have in our industry.

Here we are as an industry that continues to pour money and investments, time and strategy, into a massive security stack that strains SECOPs to the brink. We are digging ourselves into a hole that we may not be able to dig ourselves back out of if we don’t rapidly shift strategic focus.

Here we are thinking that hunting for threats already running in the environment is somehow proactive, empowering or worse, sexy.

If you are hunting around in an after-the-fact universe of events, you are not the Hunter… You are, by definition, the Prey.

Here we are still chatting about breaches… because those are easy to tally the per-unit impact for, and subsequently offset via insurance. A 2013 story that we are still wrapping our heads around… as if tomorrow’s breaches will be the same low and slow TTPs we fancy we might hunt for and get ahead of… by days? Weeks? Hours even?

Why would tomorrow’s breach need to take any longer than today’s destructive worms?

Why would the same threat actors not employ both data theft and destruction into the same campaign? Oh wait, they already have been for the better part of 2019…

The Cloud Is No Place for Threat Hunting

Here we are, caught up in the Herculean move to the cloud. Yet, are we stopping to assess some of the most fundamentally basic weaknesses it will always have? For all of its virtues, the cloud will always be latent when it comes to addressing run-time threats on traditional IT endpoints. Even all the workloads we are moving to the cloud still have run-time security challenges that can outpace a cloud-to-cloud connection.

The cloud will always be a tethered affair. The cloud will always be on someone else’s steel, upon which there are up to a hundred sub operating systems, half of them Linux, and a large percentage of which have full access to the bus the OS is forced to entrust. The cloud will never be where your users are… the humans you are striving to protect. The cloud is homogeneously strong, and yet homogeneously weak. (See the latest OnApp discovery made by SkyLight!) Most importantly, the cloud is a temptation… a temptation to build out intelligence platforms. And while it will always excel in this capacity, it can never guarantee that the intelligence needed to make decisions and take actions faster than an adversary will be computed and delivered in time to actually make a difference in stopping today’s automated threats.

The key challenge for all security going forward can be reduced to this: can you make a high-enough confidence decision, or allow a high-enough confidence automated action, fast enough to matter, and without reliance upon a tether to the cloud?

By the year 2021, over 95% of all new vehicles will have autonomous automatic braking. Ask why this is so. Of course, the answer is because machines react faster than humans, never lose attention, never get tired. Now consider whether you would buy a car where this life-saving technology was being farmed out to a cloud server rather than being done locally on the machine. The point is we use the cloud where it makes sense to do so, and not where it doesn’t.

Why would anyone think it makes sense to try and beat malware anywhere else but on the machine right where the malware is located? The cloud has an underbelly exposed to many swords, chief among them is the time-penalty itself.

We Win On the Device

As this industry heads into 2021, let’s make sure we are lucid in this one critical regard.

We know that attacks have entropy… that they devolve into a fog of war, that they expand, that they cause exponential impact to an organization as every minute, every moment, goes by.

And yet here we still are, heading into the year 2020, and we still haven’t solved the single most important challenge of our era; the process-level microsecond runtime universe the adversary has always had the upper hand in. They’ve been ahead of us there, and they’ve enjoyed it for far too long. The moment an unauthorized process completes tasks in memory… that very moment, is when we lose security control and are on our heels. Never mind zero days, call this moment zero, after which the pain begins.

What exacerbates this even further is that this type of fast-moving threat is now found in both nation-state APT campaigns and commodity criminal/underground campaigns, making the sheer volume and diversity of the ‘speed’ problem more profound than ever.

An Emotet-weaponized Word document is clicked, and in under three minutes, over 230 file events happen, 12 network connections to 9 malicious hosts are made, 46 new malicious processes spin up and 12 files are manipulated. And that is just on the patient zero host… before the same thing begins to play out host after host in the network, and before any secondary payloads or actions by a human attacker are commenced. This is a code on code battle being fought in the time domain of seconds and microseconds. And yet we see breach reports like the 2019 IBM Cost of a Data Breach Report exclaim that the average time to identify a breach is 279 DAYS… a far cry from the 171 seconds (22s for Emotet and 149s for its payload) it takes Emotet to cause a severe impact. The same report offers hope, reminding us that hey, you can save $1.2M on average, if you simply contain the breach in under 200 days. Great… it will only cost you $2.7M at that point!
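The Emotet timeline above is, from a detection engineer’s side, a rate problem: no single file write or process start is suspicious, but hundreds of them on one host inside a three-minute window are. The sliding-window detector below is an added example, not code from the article or from any vendor it mentions. It reads simple space-separated telemetry lines (timestamp, host, event kind, detail), keeps a 180-second window per host, and raises an alert when the file-event count, the process-creation count, or the number of distinct remote hosts contacted crosses a threshold. The thresholds are assumptions tuned loosely to the article’s numbers, the log format is invented for the example, and the sample log in `build_sample_log` is constructed (remote addresses come from the 198.51.100.0/24 documentation range).

```python
"""Per-host burst detection over a sliding 180-second window (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

WINDOW = timedelta(seconds=180)          # "under three minutes" in the article
# Assumed thresholds, set a little below the figures quoted for Emotet so a
# partial burst still fires; tune to your own baseline.
THRESHOLDS = {"file": 200, "process": 40, "net_hosts": 9}

Event = Tuple[datetime, str, str]        # (timestamp, kind, detail)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse '<ISO-8601 UTC> <host> <kind> <detail>' (example log format)."""
    ts, host, kind, detail = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, detail


def _apply(event: Event, counts: Dict[str, int], net_hosts: Dict[str, int], sign: int) -> None:
    """Add (sign=+1) or remove (sign=-1) one event from the window statistics."""
    _, kind, detail = event
    if kind in ("file", "process"):
        counts[kind] += sign
    elif kind == "net":
        net_hosts[detail] += sign
        if net_hosts[detail] == 0:
            del net_hosts[detail]      # keep len(net_hosts) == distinct peers


def detect_bursts(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {host: sorted list of metrics that exceeded THRESHOLDS}.

    Each host is evaluated independently; an event leaves the window once it
    is more than WINDOW older than the newest event on that host.
    """
    per_host: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse_line(line)
        per_host[host].append((ts, kind, detail))

    alerts: Dict[str, List[str]] = {}
    for host, events in per_host.items():
        events.sort()                     # telemetry rarely arrives in order
        window: Deque[Event] = deque()
        counts = {"file": 0, "process": 0}
        net_hosts: Dict[str, int] = defaultdict(int)
        fired = set()
        for ev in events:
            window.append(ev)
            _apply(ev, counts, net_hosts, +1)
            while ev[0] - window[0][0] > WINDOW:
                _apply(window.popleft(), counts, net_hosts, -1)
            if counts["file"] >= THRESHOLDS["file"]:
                fired.add("file")
            if counts["process"] >= THRESHOLDS["process"]:
                fired.add("process")
            if len(net_hosts) >= THRESHOLDS["net_hosts"]:
                fired.add("net_hosts")
        if fired:
            alerts[host] = sorted(fired)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed telemetry: one quiet host and one host showing an Emotet-like burst."""
    base = datetime(2019, 11, 12, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines: List[str] = []
    # Quiet host: 20 file events spread over ten minutes.
    for i in range(20):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.strftime(fmt)} ws-quiet file C:\\Users\\a\\report{i}.txt")
    # Patient zero: 240 file events, 46 process starts and 12 connections to 9
    # distinct remote hosts, all inside 170 seconds of the document being opened.
    for i in range(240):
        t = base + timedelta(seconds=(i * 170) // 240)
        lines.append(f"{t.strftime(fmt)} ws-patient0 file C:\\Users\\b\\AppData\\Local\\Temp\\x{i}.dat")
    for i in range(46):
        t = base + timedelta(seconds=20 + 3 * i)
        lines.append(f"{t.strftime(fmt)} ws-patient0 process C:\\Windows\\Temp\\stage{i}.exe")
    for i in range(12):
        t = base + timedelta(seconds=25 + 10 * i)
        lines.append(f"{t.strftime(fmt)} ws-patient0 net 198.51.100.{i % 9 + 1}:443")
    return lines


if __name__ == "__main__":
    for host, metrics in detect_bursts(build_sample_log()).items():
        print(f"ALERT {host}: {', '.join(metrics)} exceeded within {WINDOW.seconds}s")
```

Because the window is evaluated per host, the same 240 file events spread across an hour never trip the detector, which is the property that separates a burst rule from a plain volume rule; the sort step matters in practice because endpoint telemetry is rarely delivered in timestamp order.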

All of this is orthogonal to the core challenge at hand: we need to get ahead of threats, whether we are talking about ransomware or worm incidents that cost us $75B/year, or after-the-fact breaches that cost us another $16B/year, or both.

Let’s Remember This

The age of the slow-moving breach story has come and gone. Now, we must shift our strategies towards the current and future threat landscape, and realize that every minute we spend tooling for the after-the-fact past, is a minute lost in getting ahead of the adversary in ways that actually move the needle. In our quest to become merely “resilient”, we’ve exhausted the traditional means of risk offset, hindsight due-diligence and after-the-fact busy-ness. We are all collectively at the ultimate precipice, and it is time to leap off, and do so out of sheer necessity…because we cannot look forward and prepare, if we are constantly steeped in the past.
