Judge dismisses Oracle lawsuit over $10B Pentagon JEDI cloud contract

Oracle has been complaining about the procurement process around the Pentagon’s $10 billion, decade-long JEDI cloud contract, even before the DoD opened requests for proposals last year. It went so far as to file a lawsuit in December, claiming a potential conflict of interest on the part of a procurement team member. Today, that case was dismissed in federal court.

In dismissing the case, Federal Claims Court Senior Judge Eric Bruggink ruled that the company had failed to prove a conflict in the procurement process, the same conclusion the DoD’s own internal reviews had reached in two separate investigations. Judge Bruggink ultimately agreed with the DoD’s findings:

We conclude as well that the contracting officer’s findings that an organizational conflict of interest does not exist and that individual conflicts of interest did not impact the procurement, were not arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law. Plaintiff’s motion for judgment on the administrative record is therefore denied.

The company previously had filed a failed protest with the Government Accountability Office (GAO), which also ruled that the procurement process was fair and didn’t favor any particular vendor. Oracle had claimed that the process was designed to favor cloud market leader AWS.

It’s worth noting that the employee in question was a former AWS employee. AWS joined the lawsuit as part of the legal process, stating at the time in the legal motion, “Oracle’s Complaint specifically alleges conflicts of interest involving AWS. Thus, AWS has direct and substantial economic interests at stake in this case, and its disposition clearly could impair those interests.”

Today’s ruling opens the door for the announcement of a winner of the $10 billion contract, as early as next month. The DoD previously announced that it had chosen Microsoft and Amazon as the two finalists for the winner-take-all bid.

11 Bad Habits That Destroy Your Cybersecurity Efforts

In one of my discussions with Lester Godsey, CISO for the City of Mesa, about the role of the CISO, he said, “Start by eating your vegetables.” As in many other fields, there is nothing better than the words of the wise and experienced. Enterprise security, like a healthy body, needs to rest on solid foundations. Although we were discussing the use of Artificial Intelligence and other advanced technologies that can help us face the risks cyber threats pose to our way of life, the reality is that too many organizations are far behind on the basic security tasks that would improve their resilience. In this post, I will cover 11 of the most common security gaps that can affect your enterprise.

1. Reused Passwords

When your users register for other services on the web, too many of them reuse their corporate password. When attackers harvest credentials from a poorly secured site outside your network, they can replay the same username and password pairs against your own login portals (credential stuffing) and walk in as a legitimate user. A LogMeIn survey found that 59% of people use the same password everywhere.

Recommended Action: Require multi-factor authentication (MFA) on every externally reachable login, educate users about security hygiene, and encourage unique passwords generated and stored by a password manager.

2. Weak Passwords

One of the most common corporate password policies requires a mix of character classes (a digit, an upper-case letter and a symbol typed with Shift) plus a forced change every 90 days. This pushes users, who have no wish to learn a whole new passphrase every quarter, to change only the last character: 2q2w3e4r% becomes 2q2w3e4r^, which then becomes 2q2w3e4r& and so on every three months. Note that the base string is itself a keyboard walk (the digit row interleaved with the top letter row). Attackers know to look for these patterns, and password-cracking rule sets generate such variants automatically, so a leaked old password gives away the current one. According to the Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

Recommended Action: Invest in employee education and safe password practices. Mandate long passwords or passphrases, check new passwords against known-breached lists and against trivial variants of the previous one, and reconsider whether forced periodic rotation is really helping or harming your security: current NIST guidance (SP 800-63B) recommends against expiring passwords on a schedule unless there is evidence of compromise.
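As an added example, not code from the original post, the Python script below shows what a password-change gate for points 1 and 2 can check: it rejects a new password that is a trivial rotation of the old one (last character bumped, or the same stem with a fresh suffix), flags keyboard walks such as the 2q2w3e4r% pattern above, and checks the new password against a breach corpus the way a k-anonymity range lookup does, using only the first five characters of the SHA-1 hash as the query and comparing the rest locally. The minimum length, the edit-distance threshold, the keyboard rows and the breach corpus are all assumptions; the corpus here is constructed from a few known-bad strings so the script runs offline.

```python
"""Password-change gate for the reuse and rotation habits above.
Added example; thresholds, keyboard rows and breach corpus are assumptions."""
import hashlib
import re

# Keyboard rows used to spot "walks" such as qwer, asdf or 1234 (assumed set).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12  # assumed policy minimum


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols: 'Summer2019!' -> 'summer'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with up to two characters
    changed (2q2w3e4r% -> 2q2w3e4r^) or the same stem with a fresh suffix."""
    if levenshtein(old.lower(), new.lower()) <= 2:
        return True
    s_old, s_new = stem(old), stem(new)
    return len(s_old) >= 4 and s_old == s_new


def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True when any min_run letters (or digits) in order lie along a keyboard
    row forwards or backwards. Digits and symbols are dropped first, so the
    interleaved 2q2w3e4r% reduces to 'qwer', which sits on the top row."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    digits = re.sub(r"[^0-9]", "", pw)
    for candidate in (letters, digits):
        for i in range(len(candidate) - min_run + 1):
            window = candidate[i:i + min_run]
            if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
                return True
    return False


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password range lookup: maps the first
# five hex characters of a SHA-1 hash to the set of hash suffixes known to be
# breached. A real deployment fetches the suffix list for a prefix from a
# breach corpus; these passwords are embedded only to build the sample offline.
CONSTRUCTED_BREACHED = {}
for _pw in ("password", "123456", "Summer2019!", "2q2w3e4r%"):
    _h = sha1_hex(_pw)
    CONSTRUCTED_BREACHED.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(pw: str, corpus=CONSTRUCTED_BREACHED) -> bool:
    """k-anonymity style check: only the five-character prefix would leave the
    host; the remaining 35 characters are compared locally."""
    h = sha1_hex(pw)
    return h[5:] in corpus.get(h[:5], set())


def evaluate_change(old: str, new: str, corpus=CONSTRUCTED_BREACHED) -> list:
    """Return the policy violations for a proposed change; [] means accept."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too short")
    if is_trivial_rotation(old, new):
        reasons.append("trivial rotation of previous password")
    if is_keyboard_walk(new):
        reasons.append("keyboard walk")
    if is_breached(new, corpus):
        reasons.append("appears in breach corpus")
    return reasons


if __name__ == "__main__":
    for old, new in [("2q2w3e4r%", "2q2w3e4r^"),
                     ("Summer2019!", "Summer2020#"),
                     ("2q2w3e4r%", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new) or 'accepted'}")
```

The stem comparison is what catches the seasonal pattern (Summer2019! to Summer2020#) that a pure edit-distance check misses once more than two characters change; the keyboard-walk check operates on the letters alone so that interleaved digits do not hide the qwer run.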

3. Social Networking

The amount of data your users are sharing with the world on social media allows attackers to learn a lot about your business and to profile your users for targeted phishing. Whether it’s Facebook allowing others to harvest user data, or just your staff posting detailed resumes on LinkedIn, it’s all data that attackers can use to craft targeted emails that can lead to a network compromise.

Recommended Action: Use simulated phishing campaigns on your workforce and make sure your security solution can recognize malicious code execution even from trusted processes.

4. Delayed Patching

Every month brings more vulnerabilities that are discovered and then patched, both at the OS level and in the application layer. Once a patch becomes available, attackers quickly diff the patched binary against the unpatched one to locate the fix and build exploits that work on any device still missing it. Threat actors work fast, while users are typically slow to update and upgrade. The effort of patching often and patching early is not going away, and requires constant attention from IT and SecOps.

Recommended Action: Use software that automates patch deployment and reports which endpoints are still missing a fix, so the window between patch release and full coverage is measured in days rather than months. Patching is one of many protection layers, not a silver bullet that can completely protect your devices; an EDR solution adds a last line of defense against vulnerabilities that are not yet known or not yet patched.

5. Internet of Things (IoT)

Connecting more and more devices to your enterprise network without considering security is a major risk. Many of these devices run old firmware with known, easily exploited vulnerabilities; they become the weakest link in your armour and open a route to your assets. Some IoT devices even ship with operational backdoors, such as hardcoded admin credentials intended for maintenance that threat actors can reuse just as easily. If you don’t know what devices are connected to your network, how can you defend against them when they turn malicious?

Recommended Action: Visibility across your entire network is vital. Maintain an inventory of every connected device, segment IoT devices away from workstations and servers, and deploy a security solution that can at least meet that visibility requirement.

6. Linux

Many organisations run large numbers of Linux-based servers and services chosen for productivity, but if they are not managed properly those benefits come at the expense of security. With unpatched kernels vulnerable to maliciously crafted TCP packets, and long-standing but little-known local privilege escalations, attackers will quickly find their way into unmanaged Linux devices.

Recommended Action: Bring Linux hosts into the same patching and monitoring regime as your Windows estate, and deploy security software that is multi-platform and can mitigate exploitation of operating system vulnerabilities.

7. Legacy AV

It is no secret that traditional antivirus does not protect you from today’s threats. It was built to match signatures of file-based viruses, while the problem has evolved into an endless stream of nation-state level tradecraft, including in-memory (fileless) payloads and lateral movement, that leaves no file to scan. Legacy vendors like Trend Micro, Symantec and McAfee have evolved over time to provide affordable IT solutions, but we see day in and day out how much enterprises (and city halls) are paying for relying on weak security.

Recommended Action: Active EDR solutions are the best way to protect your endpoints against ransomware and other attacks.

8. Unnecessary Rights

When attackers penetrate your network, they immediately look for admin accounts, because those give them an easy way to move laterally to their targets. Too many organizations fail to follow the maxim of least privilege: all users, right up to the CEO, should only have the rights to do what they need to do. A bank doesn’t give the Marketing Director the keys to the vault, and you shouldn’t be giving her, or anyone else, the keys to critical parts of your network if that’s not in their job description.

Recommended Action: Remove unnecessary privileges wherever possible; separate day-to-day accounts from administrative ones and review group membership regularly. This reduces your attack surface dramatically.

9. Supply Chain Attacks

We select cloud vendors, run our business intelligence through external services, manage HR with external vendors and generally outsource more than ever before. In a supply chain attack, a legitimate software vendor (itself compromised) pushes out what looks like a trustworthy, correctly signed update, but it carries the attacker’s code to every customer at once.

Recommended Action: Application whitelisting and digital certificates trust whatever a vendor signs, so a tampered update passes both checks. Plug that hole with a security solution that autonomously detects malicious code execution, whatever its source.

10. Temp Employees, Contractors & Others

The reality for the enterprise today is that it is always understaffed. While we outsource more than ever before, we sometimes lack the means to enforce the right security controls and keep access to the absolute minimum. The result is that temporary staff and contractors end up with access they were never meant to have, opening the door to insider threats and making us an easy target for attackers who compromise those accounts.

Recommended Action: Take the burden off your over-worked teams by deploying software to manage access control, with time-limited accounts for temporary staff that expire automatically when the engagement ends.

11. Plugins

Browser extensions and add-ons for Chrome, Firefox, Google Drive and other platforms. We allow users to install plugins without knowing who is behind them, granting access to mailboxes, shared documents and other personal data in the business. These offer an easy way for threat actors to compromise your business at scale, harvest your data and steal your intellectual property.

Recommended Action: Plugins are no different from any other executable software: inventory them, restrict installation to an approved list where the platform allows it, and monitor their behaviour with a good EDR security solution.
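As an added example (not part of the original post), the Python below audits browser-extension manifest.json files for the kind of access described above: broad host patterns such as <all_urls>, host or content-script matches for mail and document sites, and API permissions like cookies or webRequest that let an extension read data from every page the user visits. The three manifests are constructed for the example, and the sensitive-host list and severity ratings are assumptions; Drive add-ons are granted OAuth scopes rather than a manifest, so they are outside what this script checks.

```python
"""Audit browser-extension manifests for risky access. Added example with
constructed manifests; host list and severity ratings are assumptions."""
import json

# Match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts that serve mail or shared documents (assumed list for the example).
SENSITIVE_HOSTS = ("mail.google.com", "outlook.office.com", "outlook.live.com",
                   "docs.google.com", "drive.google.com", "sharepoint.com")
# API permissions that reach beyond the extension's own pages (assumed ratings).
RISKY_API_PERMISSIONS = {
    "webRequest": "high", "webRequestBlocking": "high", "cookies": "high",
    "clipboardRead": "high", "nativeMessaging": "high", "debugger": "high",
    "proxy": "high", "history": "medium", "tabs": "medium", "scripting": "medium",
    "management": "medium", "downloads": "medium",
}
SEVERITY_RANK = {"high": 2, "medium": 1}


def host_patterns(manifest: dict) -> list:
    """Every match pattern the extension can run on: MV3 host_permissions,
    MV2 hosts listed under permissions, and content-script matches."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest: dict) -> list:
    """Return (severity, finding) pairs for one manifest."""
    findings = []
    for pattern in host_patterns(manifest):
        if pattern in BROAD_HOST_PATTERNS:
            findings.append(("high", f"runs on all sites: {pattern}"))
        elif any(host in pattern for host in SENSITIVE_HOSTS):
            findings.append(("high", f"can read mail/documents: {pattern}"))
    for perm in manifest.get("permissions", []):
        severity = RISKY_API_PERMISSIONS.get(perm)
        if severity:
            findings.append((severity, f"API permission: {perm}"))
    return findings


def rank_extensions(manifests: dict) -> list:
    """Order extensions for triage: highest severity first, then finding count.
    Returns (name, top_rank, findings) tuples."""
    scored = []
    for name, manifest in manifests.items():
        findings = audit_manifest(manifest)
        top = max((SEVERITY_RANK.get(s, 0) for s, _ in findings), default=0)
        scored.append((name, top, findings))
    scored.sort(key=lambda t: (t[1], len(t[2])), reverse=True)
    return scored


# Constructed manifest.json contents for three hypothetical extensions.
CONSTRUCTED_MANIFESTS = {
    "coupon-finder": json.loads("""{
        "manifest_version": 3, "name": "coupon-finder", "version": "1.2",
        "permissions": ["cookies", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["https://mail.google.com/*"],
                             "js": ["inject.js"]}]}"""),
    "dark-theme": json.loads("""{
        "manifest_version": 3, "name": "dark-theme", "version": "0.9",
        "permissions": ["storage"], "host_permissions": []}"""),
    "legacy-notes": json.loads("""{
        "manifest_version": 2, "name": "legacy-notes", "version": "2.0",
        "permissions": ["tabs", "https://docs.google.com/*"]}"""),
}


if __name__ == "__main__":
    for name, top, findings in rank_extensions(CONSTRUCTED_MANIFESTS):
        print(f"{name}: {len(findings)} finding(s)")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

In practice the manifests are read from the Extensions directory of each user's browser profile (or exported by the browser's enterprise management reporting); the audit logic is the same, and the ranked output is what goes to the reviewer who decides which extensions stay on the approved list.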

Conclusion

The headlines always focus on advanced attacks that exploit zero-day vulnerabilities in the enterprise, but it is far too easy to compromise many of our networks when the basics aren’t even in place. Who needs advanced attacks when an enterprise hasn’t secured its devices against routine vectors that have been known for years? The list above represents easy-to-implement ways to raise your security baseline. Manage your endpoints, manage your users and protect your business from the ground up. As Lester Godsey wisely said, “Start by eating your vegetables!”



OneTrust raises $200M at a $1.3B valuation to help organizations navigate online privacy rules

GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s always good practice for companies with an online presence to take measures to safeguard people’s data, but now failing to do so can land them in some serious hot water.

Now — to underscore the urgency and demand in the market — one of the bigger companies helping organizations navigate those rules is announcing a huge round of funding. OneTrust, which builds tools to help companies navigate data protection and privacy policies both internally and with its customers, has raised $200 million in a Series A led by Insight that values the company at $1.3 billion.

It’s an outsized round for a Series A, being made at an equally outsized valuation — especially considering that the company is only three years old — but that’s because of the wide-ranging nature of the issue, according to CEO Kabir Barday, and OneTrust’s early moves and subsequent pole position in tackling it.

“We’re talking about an operational overhaul in a company’s practices,” Barday said in an interview. “That requires the right technology and reach to be able to deliver that at a low cost.” Notably, he said that OneTrust wasn’t actually in search of funding — it’s already generating revenue and could have grown off its own balance sheet — although he noted that having the capitalization and backing sends a signal to the market and in particular to larger organizations of its stability and staying power.

Currently, OneTrust has around 3,000 customers across 100 countries (and 1,000 employees), and the plan will be to continue to expand its reach geographically and to more businesses. Funding will also go toward the company’s technology: it already has 50 patents filed and another 50 applications in progress, securing its own IP in the area of privacy protection.

OneTrust offers technology and services covering three different aspects of data protection and privacy management.

Its Privacy Management Software helps an organization manage how it collects data, and it generates compliance reports on how a site is operating relative to different jurisdictions. Then there is the famous (or infamous) cookie-consent banner that lets internet users set their preferences for how they want their data to be handled on different sites. The third is a larger database and risk management platform that assesses how various third-party services (for example advertising providers) work on a site and where they might pose data protection risks.

These are all provided either as a cloud-based software as a service, or an on-premises solution, depending on the customer in question.

The startup also has an interesting backstory that sheds some light on how it was founded and how it identified the gap in the market relatively early.

Alan Dabbiere, who is the co-chairman of OneTrust, had been the chairman of Airwatch — the mobile device management company acquired by VMware in 2014 (Airwatch’s CEO and founder, John Marshall, is OneTrust’s other co-chairman). In an interview, he told me that it was when they were at Airwatch — where Barday had worked across consulting, integration, engineering and product management — that they began to see just how a smartphone “could be a quagmire of privacy issues.”

“We could capture apps that an employee was using so that we could show them to IT to mitigate security risks,” he said, “but that actually presented a big privacy issue. If [the employee] has dyslexia [and uses a special app for it] or if the employee used a dating app, you’ve now shown things to IT that you shouldn’t have.”

He admitted that in the first version of the software, “we weren’t even thinking about whether that was inappropriate, but then we quickly realised that we needed to be thinking about privacy.”

Dabbiere said that it was Barday who first brought that sensibility to light, and “that is something that we have evolved from.” After that, and after the VMware sale, it seemed a no-brainer that he and Marshall would come on to help the new startup grow.

Airwatch made a relatively quick exit, I pointed out. His response: the plan is to stay the course at OneTrust, with a lot more room for expansion in this market. He describes the issues of data protection and privacy as “death by 1,000 cuts.” I guess when you think about it from an enterprising point of view, that essentially presents 1,000 business opportunities.

Indeed, there is obvious growth potential to expand not just its funnel of customers, but to add more services, such as proactive detection of malware that might leak customers’ data (which calls to mind the recently fined breach at British Airways), as well as tools to help stop that once identified.

While there are a million other companies also looking to fix those problems today, what’s interesting is the point from which OneTrust is starting: by providing tools to organizations simply to help them operate in the current regulatory climate as good citizens of the online world.

This is what caught Insight’s eye with this investment.

“OneTrust has truly established themselves as leaders in this space in a very short time frame, and are quickly becoming for privacy professionals what Salesforce became for salespeople,” said Richard Wells of Insight. “They offer such a vast range of modules and tools to help customers keep their businesses compliant with varying regulatory laws, and the tailwinds around GDPR and the upcoming CCPA make this an opportune time for growth. Their leadership team is unparalleled in their ambition and has proven their ability to convert those ambitions into reality.”

Wells added that while this is a big round for a Series A it’s because it is something of an outlier — not a mark of how Series A rounds will go soon.

“Investors will always be interested in and keen to partner with companies that are providing real solutions, are already established and are led by a strong group of entrepreneurs,” he said in an interview. “This is a company that has the expertise to help solve for what could be one of the greatest challenges of the next decade. That’s the company investors want to partner with and grow, regardless of fund timing.”

Signavio raises $177M at a $400M valuation for its business process automation solutions

Robotic Process Automation has been the name of the game in enterprise software lately — with organizations using advances in machine learning algorithms and other kinds of AI alongside big-data analytics to speed up everything from performing mundane tasks to more complex business decisions.

To underscore the opportunity and growth in the market, today a startup in the wider segment of process automation is announcing a significant fundraise. Signavio, a company founded out of Berlin that provides tools for business process management — “providing the ‘P’ in RPA,” as the company describes it — has picked up an investment of $177 million at what we understand is a valuation of $400 million.

This round is large on its own, but even more so considering that before this the company, founded in 2009, had only raised around $50 million, according to data from PitchBook. This latest capital injection is being led by Apax Digital (the growth equity team of Apax Partners), with DTCP. The company notes that existing investor Summit Partners is also keeping a stake in the business with this deal.

The company was founded by a team of alums from the Hasso Plattner Institute in Potsdam, Germany, who used research they did there for creating the world’s first web modeler for business process management and analytics as the template for Signavio’s own Process Manager. (The name “Signavio” seems to be a portmanteau of “navigating through signals,” which essentially explains the basics of what BPM aims to do to help a business with its decision making.)

Partly because it’s raised so little money, Signavio has been somewhat under the radar, but it has seen a huge amount of growth. It says that revenues in the last 12 months have grown by more than 70%, and its software is used by more than one million users across 1,300 customers — with clients including SAP, DHL, Liberty Mutual, Deloitte, Comcast and Puma. It counts Silicon Valley as its second HQ these days; that trajectory will be followed further with this latest funding: Signavio says the funding in part will be going to international expansion of the business.

“10 years ago, we set out on a journey to tackle the time-consuming practices that limit business productivity,” said Dr. Gero Decker, CEO and co-founder of Signavio, in a statement. “This significant new investment further validates our approach to solve business problems faster and more efficiently, unleashing the power of process through our unique Business Transformation Suite. We are thrilled to welcome Apax Digital as our new lead partner, and look forward to building upon our success to date by leveraging our partners’ operating capabilities and global platforms for our international expansion.”

The other area of investment will be the company’s technology suite. While BPM has been around for years as a concept — and indeed there are a number of other companies that provide tools that are compared sometimes to Signavio’s, such as from biggies like IBM and Microsoft through to Kissflow and others — what’s interesting is how it’s had a surge of interest more recently as organizations increasingly start to add more automation into their IT infrastructure, in part to reduce the human labor needed for more mundane back-office tasks, and in part to reduce costs and speed up processes.

Robotic process automation companies like UiPath and Blue Prism bring some of the same processing tools to the table as Signavio, although the argument is that the latter — which says it helps to “mine, model, monitor, manage and maintain” customers’ data — provides a more sophisticated level of data crunching that can be used for RPA, or for other ends. (It also works with several of the big RPA players, mainly Blue Prism but also UiPath and Automation Anywhere.)

“As businesses have become more global, and workforces more distributed, business processes have proliferated, and become more complex,” noted Daniel O’Keefe, managing partner, and Mark Beith, managing director, of Apax Digital, in a joint statement. “Signavio’s cloud-native suite allows employees across an enterprise to collaborate and transform their businesses by digitizing, optimizing and ultimately automating their processes. We are tremendously excited to partner with the Signavio team and to support their vision.” The two will also be joining Signavio’s board with this round.

Swit, a collaboration suite that offers ‘freedom from integrations,’ raises $6 million in seed funding

A marketplace dominated by Slack and Microsoft Teams, along with a host of other smaller workplace communication apps, might seem to leave little room for a new entrant, but Swit wants to prove that wrong. The app combines messaging with a roster of productivity tools, like task management, calendars and Gantt charts, to give teams “freedom from integrations.” Originally founded in Seoul and now based in the San Francisco Bay Area, Swit announced today that it has raised a $6 million seed round led by Korea Investment Partners, with participation from Hyundai Venture Investment Corporation and Mirae Asset Venture Investment.

Along with an investment from Kakao Ventures last year, this brings Swit’s total seed funding to about $7 million. Swit’s desktop and mobile apps were released in March and since then more than 450 companies have adopted it, with 40,000 individual registered users. The startup was launched last year by CEO Josh Lee and Max Lim, who previously co-founded auction.co.kr, a Korean e-commerce site acquired by eBay in 2001.

While Slack, which recently went public, has become so synonymous with the space that “Slack me” is now part of workplace parlance at many companies, Lee says Swit isn’t playing catch-up. Instead, he believes Swit benefits from “last mover advantage,” solving the shortfalls of other workplace messaging, collaboration and productivity apps by integrating many of their functions into one hub.

“We know the market is heavily saturated with great unicorns, but many companies need multiple collaboration apps and there is nothing that seamlessly combines them, so users don’t have to go back and forth between two platforms,” Lee tells TechCrunch. Many employees rely on Slack or Microsoft Teams to chat with one another, on top of several project management apps, like Asana, Jira, Monday and Confluence, and email to communicate with people at other companies (Lee points to a M.io report that found most businesses use at least two messaging apps and four to seven collaboration tools).

Lee says he used Slack for more than five years and during that time, his teammates added integrations from Asana, Monday, GSuite and Office365, but were unsatisfied with how they worked.

“All we could do with the integrations was receive mostly text-based notifications and there were also too many overlapping features,” he says. “We realized that working with multiple environments reduced team productivity and increased communication overhead.” In very large organizations, teams or departments sometimes use different messaging and collaboration apps, creating yet more friction.

Swit’s goal is to cover all those needs in one app. It comes with integrated Kanban task management, calendars and Gantt charts, and at the end of this year about 20 to 30 bots and apps will be available in its marketplace. Swit’s pricing tier currently has free and standard tiers, with a premium tier for enterprise customers planned for fall. The premium version will have full integration with Office365 and GSuite, allowing users to drag-and-drop emails into panels or convert them into trackable tasks.

While being a late-mover gives Swit certain advantages, it also means it must convince users to switch from their current apps, which is always a challenge when it comes to attracting enterprise clients. But Lee is optimistic. After seeing a demo, he says 91% of potential users registered on Swit, with more than 75% continuing to use it every day. Many of them used Asana or Monday before, but switched to Swit because they wanted to more easily communicate with teammates while planning tasks. Some are also gradually transitioning over from Slack to Swit for all their messaging (Swit recently released a Slack migration tool that enables teams to move over channels, workspaces and attachments. Migration tools for Asana, Trello and Jira are also planned).

In addition to “freedom from integrations,” Lee says Swit’s competitive advantages include being developed from the start for small businesses as well as large enterprises that still frequently rely on email to communicate across different departments or locations. Another differentiator is that all of Swit’s functions work on both desktop and mobile, which not all integrations in other collaboration apps can.

“That means if people integrate multiple apps into a desktop app or web browser, they might not be able to use them on mobile. So if they are looking for data, they have to search app by app, channel by channel, product by product, so data and information is scattered everywhere, hair on fire,” Lee says. “We provide one centralized command center for team collaboration without losing context and that is one of our biggest sources of customer satisfaction.”