Snaplogic raises $72M more for its enterprise data integration platform

Cloud services and the adoption of apps that rely on them continue to grow in popularity, but a persistent theme in enterprise technology has been that a lot of organizations still continue to use legacy software and architectures, for reasons of cost, migration headaches and simply because sometimes, if it ain’t broke, don’t fix it. That doesn’t mean they couldn’t benefit from a better way of integrating some of those workflows, and better leveraging the data coming out of those different apps, and today a startup that’s built a service to help them do that has raised a growth round of funding.

Snaplogic, which has built an integration platform that lets enterprises bring in and integrate both legacy and cloud apps to better monitor them and let them work together, has closed $72 million in growth financing, money that it will be using to expand its business globally. According to analysis from PitchBook, this latest funding comes at a $260 million pre-money valuation, which would work out to about $332 million post-money. We are checking with Snaplogic to see if it can confirm those numbers directly.

This latest round, which brings the total raised by Snaplogic to $208 million, is being led by growth equity VC Arrowroot Capital, with participation also from Golub Capital and existing investors. Past investors are an illustrious group that has included a mix of financial and strategic backers such as Andreessen Horowitz, Vitruvian (which led its previous round), Capital One, Ignition Partners, Microsoft and a number of others.

The company is not disclosing how big its customer base is currently. In its last round in 2016, it had grown to 700 enterprises, adding 300 in just one year, which was an especially big amount of growth. Current customers feature a number of big names like Adobe, Verizon (which owns TechCrunch), AstraZeneca, Bristol-Myers Squibb, Emirates, Schneider Electric, Siemens, Sony and Wendy’s. It describes the bigger integration market as a $30 billion opportunity.

The defining characteristic in that list is that these are businesses that pre-date the big cloud revolution, and so they are more likely than not grappling with a mix of new and legacy apps that need to be balanced against one another, brought together in some instances to work together and harnessed in terms of their data to help in a company’s wider efforts around big data for projects in areas like application integration, data integration, API management, B2B integration and data engineering.

“This is an exciting time for SnapLogic,” said Gaurav Dhillon, CEO at Snaplogic, in a statement. “We’re extremely proud to have built a modern and innovative solution that is solving really hard problems for our enterprise customers. This latest investment is a testament to the hard work and ongoing support of our customers, partners, and employees around the world. Together, we’ll continue to chart the way forward, making integration even faster and easier so enterprises can realize their data-driven ambitions.”

There has been an interesting wave of startups that have emerged specifically to tackle the opportunity of providing tools to businesses that are still using old kit and older software to give them the ability to take advantage of new innovations in computing and how to use their bigger pool of data. Others include Workato (which itself has raised money in the last year), MuleSoft (now a part of Salesforce) and Microsoft itself, and in that context, Snaplogic has been taking a very measured approach in how it raises capital and expands.

“Our approach is to do successive up rounds with straightforward terms rather than chase a big slug with onerous terms,” Dhillon told TechCrunch once. He’s a repeat entrepreneur and has a track record of conservative but sound growth. “We built Informatica with just $13.5 million, so my approach is to raise funds as needed.”

It’s an approach that is resonating with investors. “SnapLogic is attacking a huge and surging market opportunity with a uniquely modern and powerful platform,” said Matthew Safaii, founder and managing partner at Arrowroot Capital, in a statement. “They’ve built an amazing product, work with an impressive roster of customers, and are led by an experienced executive team. As SnapLogic sets its sights on continued product leadership and global expansion, we look forward to partnering with them to help get their pioneering integration platform into the hands of even more enterprises around the globe.”

“SnapLogic is reinventing application and data integration for the modern era,” added Robert Sverbilov, director at Golub Capital. “We are excited to support SnapLogic’s next generation SaaS application integration platform and to help secure its footing as a leader in the iPaaS (Integration Platform as a Service) vertical.”

India’s Fyle bags $4.5M to expand its expense management platform in the US, other international markets

Fyle, a Bangalore-headquartered startup that operates an expense management platform, has extended its previous financing round to add $4.5 million of new investment as it looks to court more clients in overseas markets.

The additional $4.5 million tranche of investment was led by U.S.-based hedge fund Steadview Capital, the startup said. Tiger Global, Freshworks and Pravega Ventures also participated in the round. The new tranche of investment, dubbed Series A1, means that the three-and-a-half-year-old startup has raised $8.7 million as part of its Series A financing round, and $10.5 million to date.

The SaaS startup offers an expense management platform that makes it easier for employees of a firm to report their business expenses. The eponymous service supports a range of popular email providers, including G Suite and Office 365, and uses a proprietary technology to scan and fetch details from emails, Yash Madhusudhan, co-founder and CEO of Fyle, demonstrated to TechCrunch last week.

A user, for instance, could open a flight ticket email and click on Fyle’s Chrome extension to fetch all details and report the expense in a single click in real time. As part of today’s announcement, Madhusudhan unveiled an integration with WhatsApp. Users will now be able to take pictures of their tickets and other receipts and forward them to Fyle, which will quickly scan and report expense filings for them.

These integrations come in handy to users. “Eighty percent to ninety percent of a user’s spending patterns land on their email and messaging clients. And traditionally it has been a pain point for them to get done with their expense filings. So we built a platform that looks at the challenges faced by them. At the same time, our platform understands frauds and works with a company’s compliances and policies to ensure that the filings are legitimate,” he said.

“Every company today could make use of an intelligent expense platform like Fyle. Major giants already subscribe to ERP services that offer similar capabilities as part of their offerings. But as a company or startup grows beyond 50 to 100 people, it becomes tedious to manage expense filings,” he added.

Fyle maintains a web application and a mobile app, and users are free to use them. But the rationale behind introducing integrations with popular services is to make it easier than ever for them to report filings. The startup retrains its algorithms each month to improve their scanning abilities. “The idea is to extend expense filing to a service that people already use,” he said.

International expansion

Until late last year, Fyle was serving customers in India. Earlier this year, it began searching for clients outside the nation. “Our philosophy was if we are able to sell in India remotely and get people to use the product without any training, we should be able to replicate this in any part of the world,” he said.

And that bet has worked. Fyle has amassed more than 300 clients, more than 250 of which are from outside of India. Today, the startup says it has customers in 17 nations, including the U.S. and the U.K. Furthermore, Fyle’s revenue has grown by five times in the last five months, said Madhusudhan, without disclosing the exact figures.

To accelerate its momentum, the startup is today also launching an enterprise version of Fyle that will serve the needs of major companies. The enterprise version supports a range of additional security features, such as IP restriction and a single sign-in option.

Fyle will use the new capital to develop more product solutions and integrations and expand its footprint in international markets, Madhusudhan said. The startup, which just recently set up its sales and marketing team, will also expand the headcount, he said.

Moving forward, Madhusudhan said the startup would also explore tie-ups with ERP providers and other ways to extend the reach of Fyle.

In a statement, Ravi Mehta, MD at Steadview Capital, said, “intelligent and automated systems will empower businesses to be more efficient in the coming decade. We are excited to partner with Fyle to transform one of the core business processes of expense management through intelligence and automation.”

Kong acquires Insomnia, launches Kong Studio for API development

API and microservices platform Kong today announced that it has acquired Insomnia, a popular open-source tool for debugging APIs. The company, which also recently announced that it had raised a $43 million Series C round, has already put this acquisition to work by using it to build Kong Studio, a tool for designing, building and maintaining APIs for both REST and GraphQL endpoints.

As Kong CEO and co-founder Augusto Marietti told me, the company wants to expand its platform to cover the full service life cycle. So far, it has mostly focused on the runtime, but now it wants to enable developers to also design and test their services. “We looked at the space and Insomnia is the number one open source API testing platform,” he told me. “And we thought that by having Insomnia in our portfolio, we will get the pre-production part of things and on top of that, we’ll be able to build Kong Studio, which is kind of the other side of Insomnia that allows you to design APIs.”


Insomnia launched in 2015, as a side project of its sole developer, Greg Schier. Schier quit his job in 2016 to focus on Insomnia full-time and then open-sourced it in 2017. Today, the project has 100 contributors and the tool is used by “hundreds of thousands of developers,” according to Schier.

Marietti says both the open-source project and the paid Insomnia Plus service will continue to operate as before.

In addition to Kong Studio and the Insomnia acquisition, the company also today launched the latest version of its Enterprise service, the aptly named Kong Enterprise 2020. New features here include support for REST, Kafka Streams and GraphQL. Kong also launched Kong Gateway 2.0 with additional GraphQL support and the ability to write plugins in Go.

Osano makes business risk and compliance (somewhat) sexy again

A new startup is clearing the way for other companies to better monitor and manage their risk and compliance with privacy laws.

Osano, an Austin, Texas-based startup, bills itself as a privacy platform startup, which uses a software-as-a-service solution to give businesses real-time visibility into their current privacy and compliance posture. That gives startups and enterprises large and small insight into whether or not they are complying with global or state privacy laws, and helps them manage risk factors associated with their business, such as when a partner’s or vendor’s privacy policy changes.

The company launched its privacy platform at Disrupt SF on the Startup Battlefield stage.

Risk and compliance is typically a fusty, boring and frankly unsexy topic. But with ever-changing legal landscapes and constantly moving requirements, it’s hard to keep up. Although Europe’s GDPR has been around for a year, it’s still causing headaches. And stateside, the California Consumer Privacy Act is about to kick in and it is terrifying large companies for fear they can’t comply with it.

Osano mixes tech with its legal chops to give companies, particularly smaller startups without their own legal support, a one-stop shop for insight, advice and guidance.

“We believe that any time a company does a better job with transparency and data protection, we think that’s a really good thing for the internet,” the company’s founder Arlo Gilbert told TechCrunch.

Gilbert, along with his co-founder and chief technology officer Scott Hertel, has built the company’s software-as-a-service solution with several components in mind, including maintaining its scorecard of 6,000 vendors and their privacy practices to objectively grade how a company fares, as well as monitoring vendor privacy policies to spot changes as soon as they are made.

One of its standout features is allowing its corporate customers to comply with dozens of privacy laws across the world with a single line of code.

You’ve seen them before: The “consent” popups that ask (or demand) you to allow cookies or you can’t come in. Osano’s consent management lets companies install a dynamic consent management in just five minutes, which delivers the right consent message to the right people in the best language. Using the blockchain, the company says it can record and provide searchable and cryptographically verifiable proof-of-consent in the event of a person’s data access request.


“There are 40 countries with cookie and data privacy laws that require consent,” said Gilbert. “Each of them has nuances about what they consider to be consent: what you have to tell them; what you have to offer them; when you have to do it.”

Osano also has an office in Dublin, Ireland, allowing its corporate customers to say it has a physical representative in the European Union — a requirement for companies that have to comply with GDPR.

And, for corporate customers with questions, they can dial-an-expert from Osano’s outsourced and freelance team of attorneys and privacy experts to help break down complex questions into bitesize answers.

Or as Gilbert calls it, “Uber, but for lawyers.”

The concept seems novel but it’s not restricted to GDPR or California’s upcoming law. The company says it monitors international, federal and state legislatures for new laws and changes to existing privacy legislation to alert customers of upcoming changes and requirements that might affect their business.

In other words, plug in a new law or two and Osano’s customers are as good as covered.

Osano is still in its pre-seed stage. But while the company is focusing on its product, it’s not thinking too much about money.

“We’re planning to kind of go the binary outcome — go big or go home,” said Gilbert, with his eye on the small- to medium-sized enterprise. “It’s greenfield right now. There’s really nobody doing what we’re doing.”

The plan is to take on enough funding to own the market, and then focus on turning a profit. So much so, Gilbert said, that the company is registered as a B Corporation, a more socially conscious and less profit-driven form of corporate structure, allowing it to generate profits while maintaining its social vision.

The company’s idea is strong; its corporate structure seems mindful. But is it enough of an enticement for fellow startups and small businesses? It’s either dominate the market or bust, and only time will tell.

Harness launches Continuous Insights to measure software team performance

Jyoti Bansal, CEO and co-founder at Harness, has always been frustrated by the lack of tools to measure software development team performance. Harness is a tool that provides Continuous Delivery as a Service, and its latest offering, Continuous Insights, lets managers know exactly how their teams are performing.

Bansal says a traditional management maxim says that if you can’t measure a process, you can’t fix it, and Continuous Insights is designed to provide a way to measure engineering effectiveness. “People want to understand how good their software delivery processes are, and where they are tracking right now, and that’s what this product, Continuous Insights, is about,” Bansal explained.

He says that it is the first product in the market to provide this view of performance without pulling weeks or months of data. “How do you get data around what your current performance is like, and how fast you deliver software, or where the bottlenecks are, and that’s where there are currently a lot of visibility gaps,” he said. He adds, “Continuous Insights makes it extremely easy for engineering teams to clearly measure and track software delivery performance with customizable dashboards.”

Harness measures four key metrics as defined by DevOps Research and Assessment (DORA) in their book Accelerate. These include deployment frequency, lead time, mean time to recovery and change failure rate. “Any organization that can do a better job with these would really out-innovate their peers and competitors,” he said. Conversely, companies doing badly on these four metrics are more likely to fall behind in the market.

[Image: Continuous Insights dashboard (Image: Harness)]

By measuring these four areas, the product not only provides a way to track performance; he also sees it as a way to gamify these metrics, where each team tries to outdo the others on efficiency. While you would think that engineering would be the most data-driven organization, he says that up until now it has lacked the tooling. He hopes that Harness users will be able to bring that kind of rigor to engineering.

Annual Extra Crunch members can receive $1,000 in AWS credits

We’re excited to announce a new partnership with Amazon Web Services for annual members of Extra Crunch. Starting today, qualified annual members can receive $1,000 in AWS credits. You also must be a startup founder to claim this Extra Crunch community perk.

AWS is the premier service for your application hosting needs, and we want to make sure our community is well-resourced to build. We understand that hosting and infrastructure costs can be a major hurdle for tech startups, and we’re hoping that this offer will help better support your team.

What’s included in the perk:

  • $1,000 in AWS Promotional Credit valid for 1 year
  • 2 months of AWS Business Support
  • 80 credits for self-paced labs

Applications are processed in 7-10 days, once an application is received. Companies may not be eligible for AWS Promotional Credits if they previously received a similar or greater amount of credit. Companies may be eligible to be “topped up” to a higher credit amount if they previously received a lower credit.

In addition to the AWS community perk, Extra Crunch members also get access to how-tos and guides on company building, intelligence on what’s happening in the startup ecosystem, stories about founders and exits, transcripts from panels at TechCrunch events, discounts on TechCrunch events, no banner ads on TechCrunch.com and more. To see a full list of the types of articles you get with Extra Crunch, head here.

You can sign up for annual Extra Crunch membership here.

Once you are signed up, you’ll receive a welcome email with a link to the AWS offer. If you are already an annual Extra Crunch member, you will receive an email with the offer at some point today. If you are currently a monthly Extra Crunch subscriber and want to upgrade to annual in order to claim this deal, head over to the “my account” section on TechCrunch.com and click the “upgrade” button.

This is one of several new community perks we’ve been working on for Extra Crunch members. Extra Crunch members also get 20% off all TechCrunch event tickets (email extracrunch@techcrunch.com with the event name to receive a discount code for event tickets). You can learn more about our events lineup here. You also can read about our Brex community perk here.

Deep Insight into “FIN7” Malware Chain: From Office Macro Malware to Lightweight JS Loader

The Zero2Hero malware course continues with Vitali Kremez dissecting the ‘Fin7’ malware chain, which leverages malicious Office Macros and lightweight JS Loader scripts.


“FIN7” is a financially motivated advanced persistent threat group operating out of Eastern Europe. Since 2015, the group has been extremely successful and formidable, targeting various businesses in pursuit of large-scale point-of-sale (PoS) compromises and network intrusions affecting global enterprises. The group is also notorious for its stealthy techniques and its sophisticated, persistent approach.

Global corporations impacted by the group are primarily part of the restaurant, gaming, and hospitality industries. Some of the victims of this group include such restaurant chains as Chipotle Mexican Grill, Chili’s, and Arby’s.

Source: DOJ

Most interestingly, this group used a front company “Combi Security” (reportedly based in Russia and Israel) to recruit various hackers to join their activities. This front company allowed the group to sustain their hacking activities and truly professionalized their hacking approach. 

Despite the previous arrests of three members of the FIN7 group in January 2018, the group and/or its remnants still remained active on the financial crime landscape.

Source: DOJ

It is notable that the group still deploys a lightweight JavaScript backdoor that communicates over HTTPS with domains mimicking Content Delivery Network (CDN) names.

Additionally, they still run the JavaScript backdoor via a renamed wscript.exe, with the actual JavaScript code stored in a file called “errors.txt,” for example.

FIN7: From First-Stage Microsoft Office VBA Macro Loader to JS Loader

The FIN7 Microsoft document loaders do not rely on any exploits but simply require a social engineering trick, getting the victim to “Enable Content,” to activate the macros. Notably, to avoid process whitelisting of wscript, the macro logic copies the original JavaScript execution engine wscript.exe into %LOCALAPPDATA%. It also includes a possible anti-analysis routine that checks the system drive size via GetDrive.TotalSize, requiring more than 2456 bytes, presumably to thwart sandboxes with small virtual disks.

The actual obfuscated JavaScript backdoor is stored in a UserForm object, which is also written to disk as “errors.txt” in %TEMP%. The final execution of the backdoor is performed via the following command:

%LOCALAPPDATA%\mses.exe //b /e:jscript %temp%\errors.txt

Once it is done, the document macro runs a message box displaying “Decryption error” via MsgBox("Decryption error").

Reversing Steps:

1. Extract the VBA macro via olevba;

2. Debug in Office VBA to retrieve decoded script;

3. Extract and prettify obfuscated JavaScript backdoor from userform object;

4. Modify JS code close to eval() and run script via Internet Explorer debugger, for example; 

5. Debug, extract and beautify the full FIN7 JS backdoor.

FIN7 JS Loader/Backdoor XOR Encryption & Custom Encoding

The crypt_controller function accepts two parameters of type and request.

a. If the type parameter equals “decrypt”, the request is first passed through decodeURIComponent and then split on the separator ")*("; encryption_key is taken from the second element (index [1]) of the split request. If the split yields no encryption_key, the script falls back to a random four-digit value via (Math.floor(Math.random() * 9000) + 1000).toString().split("");.

The decoding routine is a simple XOR loop, shown below, whose output characters are joined into result_string via the .join command.

    var output = [];
    for (var i = 0; i < request.length; i++) {
        // XOR each character of the request with the key character at position i modulo the key length
        var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);
        output.push(String.fromCharCode(charCode));
    }
    var result_string = output.join("");

b. If the type parameter equals “encrypt”, the result_string is joined with ")*(" and passed to encodeURIComponent.
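The following is an added example, not FIN7’s code nor code from the course: a defender-side re-implementation of the crypt_controller scheme described in (a) and (b), so that a captured C2 request body can be decoded offline and the embedded key recovered. It assumes (the page does not state it) that the ")*(" separator joins [encoded payload, key] in that order, which matches the decrypt path reading the key from element [1]; keyOverride, decodeCapturedBody and the sample body are additions for illustration.

```javascript
// Added example (not FIN7's code): re-implementation of the crypt_controller
// XOR scheme for decoding captured C2 request bodies offline.
// Assumption (not on the page): ")*(" joins [encoded payload, key] in that order.

var SEPARATOR = ")*(";

// Mirrors the malware's fallback key: four random digits as an array of chars.
function randomKeyChars() {
  return (Math.floor(Math.random() * 9000) + 1000).toString().split("");
}

// The XOR loop from the page: each character of `text` is XORed with the key
// character at position i modulo the key length. XOR is its own inverse, so the
// same function both encodes and decodes.
function xorWithKey(text, keyChars) {
  var output = [];
  for (var i = 0; i < text.length; i++) {
    var charCode = text.charCodeAt(i) ^ keyChars[i % keyChars.length].charCodeAt(0);
    output.push(String.fromCharCode(charCode));
  }
  return output.join("");
}

// Re-creation of crypt_controller(type, request). `keyOverride` is an addition
// (not in the original) so that results are deterministic for testing.
function cryptController(type, request, keyOverride) {
  if (type === "decrypt") {
    var parts = decodeURIComponent(request).split(SEPARATOR);
    // Page: with no key split out, the sample falls back to a random key, which
    // makes the output meaningless; reproduced here for fidelity only.
    var keyChars = parts.length > 1 ? parts[1].split("") : randomKeyChars();
    return xorWithKey(parts[0], keyChars);
  }
  if (type === "encrypt") {
    var key = keyOverride ? keyOverride.split("") : randomKeyChars();
    return encodeURIComponent([xorWithKey(request, key), key.join("")].join(SEPARATOR));
  }
  throw new Error("unknown type: " + type);
}

// Defender helper (addition): decode a captured request body and return both the
// key and the plaintext, or null when the body carries no ")*("-delimited key,
// in which case no offline decode is possible. Because the key is shipped inside
// the message, the scheme is encoding rather than encryption.
function decodeCapturedBody(body) {
  var parts = decodeURIComponent(body).split(SEPARATOR);
  if (parts.length < 2 || parts[1].length === 0) return null;
  return { key: parts[1], plaintext: xorWithKey(parts[0], parts[1].split("")) };
}

// Constructed sample (not real FIN7 traffic): a profiling-style request body
// of the kind the second-stage script sends with action=add_info.
var SAMPLE_PLAINTEXT = "action=add_info&os=Windows 10 Pro&vm=false&uac=2";
var SAMPLE_BODY = cryptController("encrypt", SAMPLE_PLAINTEXT, "4271");

function demo() {
  var decoded = decodeCapturedBody(SAMPLE_BODY);
  console.log("captured body:", SAMPLE_BODY);
  console.log("key:", decoded.key, "plaintext:", decoded.plaintext);
  return decoded;
}

demo();
```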

FIN7 Second-Stage Machine & Network Profiling Script

In the aftermath of the initial call, the group deploys a custom “profiling” script meant to fingerprint the machine and the network environment more closely.

The malware checks for the presence of virtual machine, queries active directory, operating system, screen resolution, user account control (UAC) level, and retrieves a process list.

Finally, it formats the data and appends to “action=add_info” request, which is sent to the server.

 

Indicators of Compromise (IOCs):




T4 wants to transform market research data with a combination of AI and humans

When T4 co-founder and CEO Maks Khurgin was working at Bain and Company, he ran into a common problem for analysts looking for market data. He spent way too much time searching for it and felt there had to be a better way. He decided to build a centralized market data platform himself, and T4 was born. This week the company competes in the TechCrunch Disrupt SF Startup Battlefield.

What he created with the help of his long-time friend and CTO, Yev Spektor, was built on a couple of key components. The first is an industry classification system, a taxonomy, that organizes markets by industries and sub-industries. Using search and aggregation tools powered by artificial intelligence, it scours the web looking for information sources that match their taxonomy labels.

As they researched the tool, the founders realized that the AI could only get them so far. There were always pieces that it missed. So they built a second part to provide a way for human indexers to fill in those missing parts to offer as comprehensive a list of sources as possible.

“AI alone cannot solve this problem. If we bring people into this and avoid the last mile delivery problem, then you can actually start organizing this information in a much better way than anyone else had ever done,” Khurgin explained.

It seems simple enough, but it’s a problem that well-heeled companies like Bain have been trying to solve for years, and there was a lot of skepticism when Khurgin told his superiors he was leaving to build a product to solve this problem. “I had a partner at Bain and Company actually tell me, ‘You know, every consulting firm has tried to do something like this — and they failed. Why do you think you can do this?’”

He knew that figuring out the nature of the problem and why the other attempts had failed was the key to solving the puzzle. He decided to take the challenge, and on his 30th birthday, he quit his job at Bain and started T4 the next day — without a product yet, mind you.

This was not the first time he had left a high-paying job to try something unconventional. “Last time I left a high paying job, actually after undergrad, I was a commodities derivatives trader for a financial [services company]. I left that to pursue a lifelong dream of being in the Marine Corps,” Khurgin said.


T4 was probably a less risky proposition, but it still took a leap of faith that only a startup founder who believes in his idea can understand. “I felt the problem first-hand, and the big kind of realization that I had was that there is actually a finite amount of information out there. Market research is created by humans, and you don’t necessarily have to take a pure AI approach,” he said.

The product searches for all of the related information on a topic, finds all of the data related to a category and places it in an index. Users can search by topic and find all of the free and paid reports related to that search. The product shows which reports are free and which will cost you money, and like Google, you get a title and a brief summary.

The company is just getting started with five main market categories so far, including cloud computing, cybersecurity, networking, data centers and eSports. The founders plan to add additional categories over time, and have a bold goal for the future.

“Our long-term vision is that we become your one-stop shop to find market research in the same way that if you need to buy something, you go to Amazon, or you need financial data, you go on Bloomberg or Thomson. If you need market research, our vision is that T4 is the place that you go,” Khurgin said.


It’s Not a WAR It’s Our Own Fault!

Rewind the clock: back in the 90s and early to mid-2000s the world was a different place. There wasn’t a cyber security industry, there weren’t highly specialized roles with cool colours. There was just the IT crowd. In large organizations you may have had an IT security role, but based on my experience in the UK this was a rarity, not the norm.

Learning how to defend came from hard lessons and gruelling configuration management exercises, and even then most organisations I visited still didn’t have the basics covered. The idea of a host-based firewall probably seemed insane until Nachi/MSBlaster came along and devastated organisations. I remember commenting at the time that someone could just have watched the world burn by wiping data with it… not realising how close to real life that could have been.


Fast forward 10 years to the post-STUXNET era of 2017 and we saw again how the lack of security awareness and consideration reared its ugly head. WannaCry felt like a repeat of MS Blaster, but this time we had a sinkhole. Even as the payload was spreading, the encryption routine would check whether the sinkhole domain existed and responded, and if so it would NOT run. This worked for many organizations; however, some (including one very large bogy) pulled their network connections in a panic, trapping a highly dangerous worm inside their network and re-activating the payload.

Slowly the world is waking up to the fact that businesses and organizations are fundamentally missing something when it comes to protecting all the things! Our old ways of deploying technology and security have failed us miserably. The naysayer gatekeeper of old, obsessed with firewall change controls and declining anything and everything without considering business and human impact (whilst not completely eradicated) are well on their way out.

However, the land of milk and honey isn’t, for most organizations, exactly implemented here today! Almost daily there is a major breach exposed, alongside countless scams and ransomware attacks. Why is this? We’ve got the knowledge, tools and expertise… I know I speak to people on the frontlines every day on the internet! As a friend of mine said, you Cyber, Eat, Sleep, Repeat!

We hear too often in the news and industry about APT that and nation-state this. 0-days sound uber-cool, and if you believe the marketing hype your business is being targeted by multi-million-pound gangs of Nazgul-looking ‘hackers’ (it’s cybercriminals, hacking isn’t a bad thing!!) and you need the latest blinky boxen to protect yourselves.

Wake up people, the legacy approach and a FUD led marketing exercise isn’t fucking working!

A New Way

Your masses of paperwork (I’m not saying paperwork isn’t important, it is!), your shitty approach to flow, gatekeeper mindsets and lack of understanding of what the actual risks are to your business, by scrimping on the essentials or focusing on niche edge cases, not only increase your chances of failure, they also put your employees, customers and members of the public at risk.

I’m not asking you to burn millions, or to disable your use of the technology you and your business rely upon in the modern world; in fact it’s the opposite.

Security improvement starts with communication and realising that you need to take an iterative, risk-based approach. Security isn’t ever ‘done’, and if you try to fix everything at once you’re likely going to have some major issues. New models of working include taking a principles-based approach and moving the security work throughout the development lifecycle (sometimes referred to as shifting left) to design and build security into your products and services from the start and in an iterative fashion, because waiting till the end to ‘do a pentest’ is likely going to harm your security posture. Security as a people-first and business-first enabler is going to have far more success than yesteryear’s fear, uncertainty and doubt machine, which says ‘no’ to everything whilst watching the eventual bypass of the ‘controls’ that have been forced upon people.

Putting Those $$$ to Work

Anyone want to know how long it takes to block the mainstream attacks? The answer is: not very long! I’m not going to detail everything; however, let’s take a look (anyone who is familiar with Cyber Essentials should recognise a lot of these):

  • Identify your assets and crown jewels
  • Stop blaming ‘The users’
    • Train people, but also put in controls so there is a reduced likelihood and impact in the event they lose a credential or have a vulnerability exploited on their endpoint!
    • Consider not only adopting standard cyber security awareness training (it has its place, but just throwing out a CBT video and a phishing simulation isn’t exactly the whole point! That’s not exactly a great communication tool; consider using gamification and maybe running a capture-the-flag experience or another educational vehicle)
  • Backup your data
    • Ensure there is no way for this to be affected by ransomware
  • Patch (I know it’s not easy, but if you do regular (automated) deployments it’s a lot simpler overall!)
  • Deploy a hardened configuration
    • It’s getting easier with Windows 10 (thanks Ned and others in the MS team!)
    • Use admin jump boxes and stop everything being able to connect to everything
    • Deploy LAPS
  • Use a password manager and where you can use MFA
  • Check your domain/users haven’t had their creds leaked all over the web and run regular password audits
  • Don’t run with admin rights
  • Encrypt your disks on PC and Mobile endpoints
  • Implement human enabling password policies
  • Monitor the really important stuff (like crown jewel access and authentication logs etc.)
  • Use the right tools: just deploying an AV solution with no central visibility and control is a sure-fire way to increase the cost of an incident and extend time-to-resolution
    • Endpoints are the perimeter, you need to be able to protect, detect, respond and recover on each device.
  • Segment your networks (even if you are flat, segment using host based firewalls)
  • Control your internet exposure and implement protective controls (if you have WordPress, combine it with MFA; DUO, for example, is really simple and easy to use and deploy)
  • A pentest once a year is a really insane way to try and ‘manage’ your cyber security
    • Do vulnerability assessments
    • Defend based on real vectors, stop removing everything from scope and also test the test systems first
    • White box is a thing, it’s cheaper and finds more vulns!
  • Make everyone part of the security team
    • Run workshops, awareness sessions, live demos and build a culture of security responsibility and awareness. Leverage your IT team peers and the wider business, develop security champions to extend your reach!
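The “monitor the really important stuff”, “use admin jump boxes” and “don’t run with admin rights” items above are where most of the detection value sits, so here is an added example (my own, not code from the original post) of the kind of triage a small team can run over authentication logs. The log format, host names, account names and thresholds are constructed for the example; the 4624/4625 event IDs are the standard Windows successful/failed logon events.

```python
"""Added example: triage of constructed Windows-style authentication events.

Not code from the original post. It shows three checks the checklist asks
for: flag admin accounts reaching crown-jewel hosts from anywhere but a
jump box, flag a success on a crown jewel from a source that was just
failing repeatedly, and count brute-force / password-spray attempts.
Host names, account names and the key=value log format are constructed.
"""
from collections import defaultdict

# Constructed policy: the crown jewels, the only hosts allowed to open
# admin sessions to them (the jump boxes), and the privileged accounts.
CROWN_JEWELS = {"FIN-DB01", "HR-FILES01"}
JUMP_BOXES = {"JUMP01", "JUMP02"}
ADMIN_ACCOUNTS = {"svc-backup", "da-alice"}
FAIL_THRESHOLD = 5  # failed logons from one source before we alert

# Constructed log lines in a simple key=value form:
# event 4624 = successful logon, 4625 = failed logon (Windows event IDs);
# src = workstation the logon came from, dst = the host being logged on to.
SAMPLE_LOG = """\
time=09:00:01 event=4624 user=bob src=WS-042 dst=HR-FILES01
time=09:00:05 event=4624 user=da-alice src=JUMP01 dst=FIN-DB01
time=09:01:10 event=4624 user=da-alice src=WS-017 dst=FIN-DB01
time=09:02:00 event=4625 user=carol src=WS-099 dst=FIN-DB01
time=09:02:01 event=4625 user=dave src=WS-099 dst=FIN-DB01
time=09:02:02 event=4625 user=erin src=WS-099 dst=FIN-DB01
time=09:02:03 event=4625 user=frank src=WS-099 dst=FIN-DB01
time=09:02:04 event=4625 user=grace src=WS-099 dst=FIN-DB01
time=09:02:05 event=4624 user=grace src=WS-099 dst=FIN-DB01
time=09:03:00 event=4624 user=bob src=WS-042 dst=PRINT01
"""


def parse_line(line):
    """Turn one key=value line into a dict; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    return dict(field.split("=", 1) for field in line.split())


def analyse(log_text):
    """Return a list of (rule, detail) findings for the whole log, in log order."""
    findings = []
    failures = defaultdict(int)       # src -> failed logon count so far
    failed_users = defaultdict(set)   # src -> distinct accounts that failed
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        user, src, dst, event = rec["user"], rec["src"], rec["dst"], rec["event"]
        if event == "4625":
            failures[src] += 1
            failed_users[src].add(user)
            continue
        # Rule 1: an admin account reaching a crown jewel from anything but a jump box.
        if user in ADMIN_ACCOUNTS and dst in CROWN_JEWELS and src not in JUMP_BOXES:
            findings.append(("admin-bypassed-jumpbox",
                             f"{user} {src}->{dst} at {rec['time']}"))
        # Rule 2: a success on a crown jewel from a source that had already
        # failed FAIL_THRESHOLD times (the "spray until one works" pattern).
        if dst in CROWN_JEWELS and failures[src] >= FAIL_THRESHOLD:
            findings.append(("success-after-failures",
                             f"{user} from {src} after {failures[src]} failures"))
    # Rule 3: repeated failures regardless of outcome; many accounts from one
    # source is spraying, one account hammered is brute force.
    for src, count in failures.items():
        if count >= FAIL_THRESHOLD:
            kind = "password-spray" if len(failed_users[src]) > 1 else "brute-force"
            findings.append((kind,
                             f"{src}: {count} failures across {len(failed_users[src])} accounts"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The point of the jump-box rule is that it needs no signature at all: once you have decided which hosts are the crown jewels and which hosts admins are allowed to come from, any other path is a finding, whether it is an attacker with stolen credentials or an admin taking a shortcut. Either way you want to know.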

Keep going; cyber security isn’t a destination, it’s a never-ending process. The more you work on it, the simpler it becomes! Go for small incremental improvements with fast and regular releases over monolithic hardening projects.
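The checklist’s “run regular password audits” and “human-enabling password policies” items can be turned into a small, regular check rather than an annual project. The following is an added example of mine, not code from the original post: it checks a candidate password for minimum length and against breach data using a prefix (k-anonymity style) lookup, so only the first five hex characters of the SHA-1 hash would ever leave the auditing host. The breached-password store, the `lookup_range` stand-in for the network call, the 14-character minimum and the user list are all constructed for the example.

```python
"""Added example: an offline password audit using a prefix (k-anonymity style)
range lookup. Not code from the original post; the breach store and the
lookup function are constructed stand-ins so the script runs offline.

Idea: hash the candidate with SHA-1, look up only the first 5 hex characters
of the digest, and compare the returned suffixes locally. The full hash and
the password never leave the auditing host.
"""
import hashlib

MIN_LENGTH = 14  # constructed policy: favour long passphrases over complexity rules


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def build_range_store(breached):
    """Constructed breach corpus laid out the way a range service answers:
    prefix -> {suffix: times_seen}. Built from plaintext here purely so the
    example is self-contained; a real corpus holds only hashes."""
    store = {}
    for password, count in breached.items():
        prefix, suffix = split_hash(password)
        store.setdefault(prefix, {})[suffix] = count
    return store


BREACHED_STORE = build_range_store({
    "Password1": 1234,      # constructed counts
    "Summer2019!": 88,
    "letmein": 9000,
})


def lookup_range(prefix, store=BREACHED_STORE):
    """Stand-in for the network call: all suffixes known for one prefix."""
    return store.get(prefix, {})


def audit_password(password, store=BREACHED_STORE):
    """Return the list of policy failures for one password; empty means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    prefix, suffix = split_hash(password)
    seen = lookup_range(prefix, store).get(suffix)
    if seen:
        problems.append(f"seen in breach data {seen} times")
    return problems


def audit_users(users, store=BREACHED_STORE):
    """users: {account: candidate_password}. Returns only the failing accounts
    mapped to their problems, which is what you would feed to the helpdesk."""
    results = {}
    for account, password in users.items():
        problems = audit_password(password, store)
        if problems:
            results[account] = problems
    return results


if __name__ == "__main__":
    # Constructed accounts; in practice this runs at password-change time.
    sample = {"alice": "Summer2019!", "bob": "a long and unbreached passphrase"}
    for account, problems in audit_users(sample).items():
        print(f"{account}: {', '.join(problems)}")
```

Running this at password-change time (as a filter on new passwords) rather than once a year is what turns the audit into the “small incremental improvement” the post argues for: a bad password is refused the moment it is chosen, and the check costs nothing in user friction compared with forced rotation.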

Conclusion

The list above is long and I’m not even scratching the surface. Security isn’t easy, but it doesn’t have to be the monster of the past. I could draw out a load of TCO analysis and risk assessments, but that’s for another day. My message to you, if you are setting strategy or working in a position where you have budgetary control, is: help us consider and implement security practices at the inception stages of programmes and projects. Get priorities and funding sorted, and let’s not just focus on developers; let’s have security governed, managed and implemented by the business decision makers. Let’s go out there from the start in a way which not only adds business value but protects our families, friends, employees and customers, delivering them the technology of tomorrow without compromising people’s security and privacy today!


Render challenges the cloud’s biggest vendors with cheaper, managed infrastructure

Render, a participant in the TechCrunch Disrupt SF Startup Battlefield, has a big idea. It wants to take on the world’s biggest cloud vendors by offering developers a cheaper alternative that also removes a lot of the complexity around managing cloud infrastructure.

Render’s goal is to help developers, especially those in smaller companies, who don’t have large DevOps teams, to still take advantage of modern development approaches in the cloud. “We are focused on being the easiest and most flexible provider for teams to run any application in the cloud,” CEO and founder Anurag Goel explained.

He says that one of the biggest pain points for developers and startups, even fairly large startups, is that they have to build up a lot of DevOps expertise when they run applications in the cloud. “That means they are going to hire extremely expensive DevOps engineers or consultants to build out the infrastructure on AWS,” he said. Even after they set up the cloud infrastructure, and move applications there, he points out that there is ongoing maintenance around patching, security and identity access management. “Render abstracts all of that away, and automates all of it,” Goel said.

It’s not easy competing with the big players on scale, but he says so far they have been doing pretty well, and plan to move much of their operations to bare metal servers, which he believes will help stabilize costs further.


“Longer term, we have a lot of ideas [about how to reduce our costs], and the simplest thing we can do is to switch to bare metal to reduce our costs pretty much instantly.” He says the way they have built Render will make that easier to do. The plan now is to start moving their services to bare metal in the fourth quarter this year.

Even though the company only launched in April, it is already seeing great traction. “The response has been great. We’re now doing over 100 million HTTP requests every week. And we have thousands of developers and startups and everyone from people doing small hobby projects to even a major presidential campaign,” he said.

Although he couldn’t share the candidate’s name, he said they were using Render for everything including their infrastructure for hosting their web site and their back-end administration. “Basically all of their cloud infrastructure is on Render,” he said.

Render has raised a $2.2 million seed round and is continuing to add services to the product, including several new services it will announce this week around storage, infrastructure as code and one-click deployment.