How to Defeat Adversaries With Real-Time Cyber Threat Intelligence

/0 Comments/in /by

To respond effectively to an incident, it is essential to understand the big picture: how, when, and why an incident occurred. This is critical because the moment you begin containing a threat, it may set off alarm bells for adversaries, triggering them to accelerate an attack or stealthily change techniques. Responding to a threat without understanding the big picture can lead to an infinite loop where we contain a threat only to wait for the adversary to leverage the same attack methodology again. This is the reason why at least in theory, SOC analysts spend time analyzing how, when, and why an incident occurs.

Unfortunately, in reality, SOC analysts don’t often have the time required to perform these types of in-depth analyses because their incident queues are full, and metrics like average time for mean time to detect (MTTD) or mean time to respond (MTTR), continues to increase. So the question becomes how can an organization acquire the intelligence they need without adding even more work to an already overloaded team?

Enriched Intelligence Through Singularity Signal

Earlier this month, we announced Singularity Signal, our cyber threat intelligence (CTI) platform, and shortly after we announced the general availability of threat intelligence reports for all Singularity Complete customers. Today, we are excited to announce enhancements in how we provide real-time enriched intelligence through Singularity Signal.

Singularity Signal combines artificial- and human-based intelligence to provide context, enrichment, and actionability to cyber data, empowering organizations to stay a step ahead with unparalleled insight into the attacker mindset. The platform performs tactic, technique, and procedure (TTP) analysis and correlation of all incoming threats at scale and in real time through the Singularity Signal AI Engine.

By leveraging the Singularity Signal AI Engine, security professionals can offload much of the previously labor-intensive work that they didn’t have time to get to before. That translates to instant, enriched intelligence for your organization to help you navigate through even the most sophisticated attacks. Singularity Signal is your dedicated AI-based threat researcher who knows your environment and aids your SOC analysts to respond to threats more effectively.

See Enriched Intelligence in Action

From the SentinelOne Singularity Platform console, navigate to the incident that you want to investigate. At a glance, you will gain information on when the threat was first seen, when it was last seen, and the scope of the breach. Additionally, in the Threat Indicators section, you can access real-time TTP analysis and correlation performed by the Singularity Signal AI Engine. At your fingertips, you immediately gain vital insights on each TTP mapped towards the MITRE ATT&CK framework.

In the example above, you are looking at an incident within the SentinelOne management console. Here you can quickly identify that this is a detection of a ransomware campaign, and by leveraging the Singularity Signal AI Engine you are able to get enriched intelligence on what, how, and when the incident occurred as well as insights on how each step of the adversary maps to the tactics, techniques, and procedures (TTP)’s of the MITRE ATT&CK framework.

Sometimes, you may be in a situation where you need additional information—that’s when proactive or reactive threat hunting is critical. Historically, in order to succeed, SOC analysts needed to first familiarize themselves with an often very complex threat hunting platform, the respective data schema of their telemetry sources, then how to build threat hunting queries for Indicator of Compromise (IOC), Indicator of Attack (IOA), or specific adversary lookup. SentinelOne’s Deep Visibility capability pairs direct access to all the structured data of an organization with an easy-to-learn query language, making it a powerful tool for threat hunters.

In the example above, we are in the Deep Visibility feature within the SentinelOne management console. With just one line, we can look up all the endpoints on who might have a particular file based on an hash value.

Next, save time building threat hunting queries by simply leveraging SentinelOne Hunter to instantly look up threat hunting queries for specific adversaries, TTPs, and other types of IOC and IOAs.

By simply using the search function in Hunter, you are quickly able to find relevant threat hunting queries. In this example, I looked for all the threat hunting queries related to the adversary group named Hafnium. I can again take this query and run it instantly in Deep Visibility within the SentinelOne management console with one click.

Summary

The cyber threat landscape continues to evolve rapidly. As a result, in many organizations, the time to detect and contain a threat continues to increase. Most security teams today are too overloaded with long incident queues to perform in-depth, meaningful analysis as part of their incident investigation. Singularity Signal leverages the Signal AI Engine to perform real-time threat modeling, incident correlation, and TTP analysis at scale, delivering enriched intelligence that you can use to respond more effectively to threats.

To explore more ways Singularity Signal is helping enterprises around the world take a new approach to threat intelligence, read more here.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Quantexa raises $153M to build out AI-based big data tools to track risk and run investigations

/0 Comments/in /by

As financial crime has become significantly more sophisticated, so too have the tools that are used to combat it. Now, Quantexa — one of the more interesting startups that has been building AI-based solutions to help detect and stop money laundering, fraud, and other illicit activity — has raised a growth round of $153 million, both to continue expanding that business in financial services and to bring its tools into a wider context, so to speak: linking up the dots around all customer and other data.

“We’ve diversified outside of financial services and working with government, healthcare, telcos and insurance,” Vishal Marria, its founder and CEO, said in an interview. “That has been substantial. Given the whole journey that the market’s gone through in contextual decision intelligence as part of bigger digital transformation, was inevitable.”

The Series D values the London-based startup between $800 million and $900 million on the heels of Quantexa growing its subscriptions revenues 108% in the last year.

Warburg Pincus led the round, with existing backers Dawn Capital, AlbionVC, Evolution Equity Partners (a specialist cybersecurity VC), HSBC, ABN AMRO Ventures and British Patient Capital also participating. The valuation is a significant hike up for Quantexa, which was valued between $200 million and $300 million in its Series C last July. It has now raised over $240 million to date.

Quantexa got its start out of a gap in the market that Marria identified when he was working as a director at Ernst & Young tasked with helping its clients with money laundering and other fraudulent activity. As he saw it, there were no truly useful systems in the market that efficiently tapped the world of data available to companies — matching up and parsing both their internal information as well as external, publicly available data — to get more meaningful insights into potential fraud, money laundering and other illegal activities quickly and accurately.

Quantexa’s machine learning system approaches that challenge as a classic big data problem — too much data for a humans to parse on their own, but small work for AI algorithms processing huge amounts of that data for specific ends.

Its so-called “Contextual Decision Intelligence” models (the name Quantexa is meant to evoke “quantum” and “context”) were built initially specifically to address this for financial services, with AI tools for assessing risk and compliance and identifying financial criminal activity, leveraging relationships that Quantexa has with partners like Accenture, Deloitte, Microsoft and Google to help fill in more data gaps.

The company says its software — and this, not the data, is what is sold to companies to use over their own datasets — has handled up to 60 billion records in a single engagement. It then presents insights in the form of easily digestible graphs and other formats so that users can better understand the relationships between different entities and so on.

Today, financial services companies still make up about 60% of the company’s business, Marria said, with 7 of the top 10 UK and Australian banks and 6 of the top 14 financial institutions in North America among its customers. (The list includes its strategic backer HSBC, as well as Standard Chartered Bank and Danske Bank.)

But alongside those — spurred by a huge shift in the market to relying significantly more on wider data sets, to businesses updating their systems in recent years, and the fact that, in the last year, online activity has in many cases become the “only” activity — Quantexa has expanded more significantly into other sectors.

“The Financial crisis [of 2007] was a tipping point in terms of how financial services companies became more proactive, and I’d say that the pandemic has been a turning point around other sectors like healthcare in how to become more proactive,” Marria said. “To do that you need more data and insights.”

So in the last year in particular, Quantexa has expanded to include other verticals facing financial crime, such as healthcare, insurance, government (for example in tax compliance), and telecoms/communications, but in addition to that, it has continued to diversify what it does to cover more use cases, such as building more complete customer profiles that can be used for KYC (know your customer) compliance or to serve them with more tailored products. Working with government, it’s also seeing its software getting applied to other areas of illicit activity, such as tracking and identifying human trafficking.

In all, Quantexa has “thousands” of customers in 70 markets. Quantexa cites figures from IDC that estimate the market for such services — both financial crime and more general KYC services — is worth about $114 billion annually, so there is still a lot more to play for.

“Quantexa’s proprietary technology enables clients to create single views of individuals and entities, visualized through graph network analytics and scaled with the most advanced AI technology,” said Adarsh Sarma, MD and co-head of Europe at Warburg Pincus, in a statement. “This capability has already revolutionized the way KYC, AML and fraud processes are run by some of the world’s largest financial institutions and governments, addressing a significant gap in an increasingly important part of the industry. The company’s impressive growth to date is a reflection of its invaluable value proposition in a massive total available market, as well as its continued expansion across new sectors and geographies.”

Interestingly, Marria admitted to me that the company has been approached by big tech companies and others that work with them as an acquisition target — no real surprises there — but longer term, he would like Quantexa to consider how it continues to grow on its own, with an independent future very much in his distant sights.

“Sure, an acquisition to the likes of a big tech company absolutely could happen, but I am gearing this up for an IPO,” he said.

The Good, the Bad and the Ugly in Cybersecurity – Week 28

/0 Comments/in /by

The Good

This week sees another victory for law enforcement in the fight against cybercrime. An approximately two-year long investigation dubbed ‘Operation Lyrebird’ has culminated in the capture of an individual with a long trail of fraud and cybercrime offenses. The suspect was taken into custody by the Moroccan police according to INTERPOL. The individual, who goes by the hacker alias “Dr HeX”, is tied to a number of activities including credit card fraud, website intrusions, phishing attacks and more. He is also known as the creator of a multi-script tool called ‘ZombiBot’, which exists in various versions.

“Dr HeX” has been active, in current capacity, since at least 2009, but more recently was known for phishing kits. These ‘kits’ are sold to low-level actors for very little money. They serve to simplify and automate as much of the phishing attack process as possible. Typical phishing kits include templates for masquerading as various well-known websites such as bank login pages, shopping login pages, and company portals) along with the requisite scripts and config files to properly trick and redirect victims. These items are often sold in open forums, Telegram channels and the like.

During the course of their investigation, investigators were able to follow a rather direct trail of OSINT clues to identify “Dr HeX”. Once they tied the ‘Dr HeX’ moniker to a valid email address, they were quickly able to identify the individual and confirm his ties to multiple additional phishing and fraud campaigns. Hats off to the Morroccan Police, INTERPOL, and Group-IB on the successful operation.

The Bad

It did not take cybercriminals long to begin using the Kaseya attack as a social engineering lure. Within two days of the incident, spam campaigns were observed which lure victims into installing Cobalt Strike payloads masquerading as security updates from Kaseya. From that point, anything is possible with regards to data theft or additional code execution.

The scope of this attack is quite large, as is the accompanying flurry of information for, about, and around it. The attackers are very much preying on the ‘state of confusion’ (or shock for some). At the end of the day, we can always expect the adversary to capitalize on anything at all times.

Also this week, our researchers discovered a potential new RaaS-in-the-making in the form of something calling itself “EP918” Ransomware service. The actor(s) behind this early-stage setup claim to be offering a “powerful FUD ransomware” for between $300 and $500. At the lower tier, the ransomware is available as a “script to be embedded in a website”. The upper tier offers buyers a unique ransomware payload embedded in a malicious PDF file. It is then up to the buyer to distribute the malware as they see fit. Both Bitcoin (BTC) and Monero (XMR) payments are supported. While many of these underground Ransomware-as-a-Service offerings ironically turn out to be scams aimed at (would-be) criminals, others are genuine ransomware services that are later seen in real-world attacks. SentinelLabs will be keeping its eye on this one.

The Ugly

If there is one event that dominated our landscape this week, it would have to be the wide-reaching attack against Kaseya VSA. Attackers leveraged a sly combination of LOLBins, Microsoft Defender and a zero-day exploit to distribute the REvil ransomware to thousands of endpoints. This was a well-staged attack, with very deliberate timing as well (holiday weekend in the United States). This attack became quite complex rather quickly, affecting both Kaseya and the connected customers they provide services to. There is a level of trust there that these attackers are taking direct advantage of.

It is believed that this is one of the largest mass-scale ransomware-deployments to date. REvil has yet to fully ‘comment’ apart from a very short update on their public “blog” in which they claim “more than a million systems were infected”. For a mere $70 million (later revised to $50 million) in Bitcoin, the gang offer “everyone will be able to recover from attack in less than an hour”.

Following the initial incident, Kaseya has been releasing frequent updates via both video and their blogs. At this stage most of the services for On-Premise customers are back online and SaaS services should not be far behind. That said, the issue is still unfolding and there will be much to learn in the coming weeks.

Incidents like this illustrate the need to have full visibility and understanding into your infrastructure, shared and otherwise. A good deal of security is built on a certain level of assumed “trust”. It is wise to not take that trust for granted and continually review your ties and connections to third party dependencies. Understand and analyse your ingress points from both the outside and from the perspective of connected vendors and partners. The action being taken on this issue has been ‘good’. But the ‘ugliness’ here lies in the knowledge that this will not be the last attack of this nature.

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

3 analysts weigh in: What are Andy Jassy’s top priorities as Amazon’s new CEO?

/0 Comments/in /by

It’s not easy following a larger-than-life founder and CEO of an iconic company, but that’s what former AWS CEO Andy Jassy faces this week as he takes over for Jeff Bezos, who moves into the executive chairman role. Jassy must deal with myriad challenges as he becomes the head honcho at the No. 2 company on the Fortune 500.

How he handles these challenges will define his tenure at the helm of the online retail giant. We asked several analysts to identify the top problems he will have to address in his new role.

Ensure a smooth transition

Handling that transition smoothly and showing investors and the rest of the world that it’s business as usual at Amazon is going to be a big priority for Jassy, said Robin Ody, an analyst at Canalys. He said it’s not unlike what Satya Nadella faced when he took over as CEO at Microsoft in 2014.

Handling the transition smoothly and showing investors and the rest of the world that it’s business as usual at Amazon is going to be a big priority for Jassy.

“The biggest task is that you’re following Jeff Bezos, so his overarching issue is going to be stability and continuity. … The eyes of the world are on that succession. So managing that I think is the overall issue and would be for anyone in the same position,” Ody said.

Forrester analyst Sucharita Kodali said Jassy’s biggest job is just to keep the revenue train rolling. “I think the biggest to-do is to just continue that momentum that the company has had for the last several years. He has to make sure that they don’t lose that. If he does that, I mean, he will win,” she said.

Maintain company growth

As an online retailer, the company has thrived during COVID, generating $386 billion in revenue in 2020, up more than $100 billion over the prior year. As Jassy takes over and things return to something closer to normal, will he be able to keep the revenue pedal to the metal?

Cloud security platform Netskope boosts valuation to $7.5B following $300M raise

/0 Comments/in /by

Netskope, focused on Secure Access Service Edge architecture, announced Friday a $300 million investment round on a post-money valuation of $7.5 billion.

The oversubscribed insider investment was led by ICONIQ Growth, which was joined by other existing investors, including Lightspeed Venture Partners, Accel, Sequoia Capital Global Equities, Base Partners, Sapphire Ventures and Geodesic Capital.

Netskope co-founder and CEO Sanjay Beri told TechCrunch that since its founding in 2012, the company’s mission has been to guide companies through their digital transformation by finding what is most valuable to them — sensitive data — and protecting it.

“What we had before in the market didn’t work for that world,” he said. “The theory is that digital transformation is inevitable, so our vision is to transform that market so people could do that, and that is what we are building nearly a decade later.”

With this new round, Netskope continues to rack up large rounds: it raised $340 million last February, which gave it a valuation of nearly $3 billion. Prior to that, it was a $168.7 million round at the end of 2018.

Similar to other rounds, the company was not actively seeking new capital, but that it was “an inside round with people who know everything about us,” Beri said.

“The reality is we could have raised $1 billion, but we don’t need more capital,” he added. “However, having a continued strong balance sheet isn’t a bad thing. We are fortunate to be in that situation, and our destination is to be the most impactful cybersecurity company in the world.

Beri said the company just completed a “three-year journey building the largest cloud network that is 15 milliseconds from anyone in the world,” and intends to invest the new funds into continued R&D, expanding its platform and Netskope’s go-to-market strategy to meet demand for a market it estimated would be valued at $30 billion by 2024, he said.

Even pre-pandemic the company had strong hypergrowth over the past year, surpassing the market average annual growth of 50%, he added.

Today’s investment brings the total raised by Santa Clara-based Netskope to just over $1 billion, according to Crunchbase data.

With the company racking up that kind of capital, the next natural step would be to become a public company. Beri admits that Netskope could be public now, though it doesn’t have to do it for the traditional reasons of raising capital or marketing.

“Going public is one day on our path, but you probably won’t see us raise another private round,” Beri said.

To guard against data loss and misuse, the cybersecurity conversation must evolve

Netskope hauls in another $340M investment on nearly $3B valuation

 

Spike in “Chain Gang” Destructive Attacks on ATMs

/0 Comments/in /by

Last summer, financial institutions throughout Texas started reporting a sudden increase in attacks involving well-orchestrated teams that would show up at night, use stolen trucks and heavy chains to rip Automated Teller Machines (ATMs) out of their foundations, and make off with the cash boxes inside. Now it appears the crime — known variously as “ATM smash-and-grab” or “chain gang” attacks — is rapidly increasing in other states.

Four different ATM “chain gang” attacks in Texas recently. Image: Texas Bankers Association.

The Texas Bankers Association documented at least 139 chain gang attacks against Texas financial institutions in the year ending November 2020. The association says organized crime is the main source of the destructive activity, and that Houston-based FBI officials have made more than 50 arrests and are actively tracking about 250 individuals suspected of being part of these criminal rings.

From surveillance camera footage examined by fraud investigators, the perpetrators have followed the same playbook in each incident. The bad guys show up in the early morning hours with a truck or tractor that’s been stolen from a local construction site.

Then two or three masked men will pry the front covering from the ATM using crowbars, and attach heavy chains to the cash machine. The canisters of cash inside are exposed once the crooks pull the ATM’s safe door off using the stolen vehicle.

In nearly all cases, the perpetrators are done in less than five minutes.

Tracey Santor is the bond product manager for Travelers, which insures a large number of financial institutions against this type of crime. Santor said investigators questioning some of the suspects learned that the smash-and-grabs are used as a kind of initiation for would-be gang members.

“One of the things they found out during the arrest was the people wanting to be in the gang were told they had to bring them $250,000 within a week,” Santor said. “And they were given instructions on how to do it. I’ve also heard of cases where the perpetrators put construction cones around the ATM so it looks to anyone passing by that they’re legitimately doing construction at the site.”

Santor said the chain gang attacks have spread to other states, and that in the year ending June 2021 Travelers saw a 257 percent increase in the number of insurance claims related to ATM smash-and-grabs.

That 257 percent increase also includes claims involving incidents where attackers will crash a stolen car into a convenience store, and then in the ensuing commotion load the store’s ATM into the back of the vehicle and drive away.

In addition to any cash losses — which can often exceed $200,000 — replacing destroyed ATMs and any associated housing can take weeks, and newer model ATMs can cost $80,000 or more.

“It’s not stopping,” Santor said of the chain gang attacks. “In the last year we counted 32 separate states we’ve seen this type of attack in. Normally we are seeing single digits across the country. 2021 is going to be the same or worse for us than last year.”

Increased law enforcement scrutiny of the crime in Texas might explain why a number of neighboring states are seeing a recent uptick in the number of chain gang attacks, said Elaine Dodd, executive vice president of the fraud division for the Oklahoma Bankers Association.

“We have a lot of it going on here now and they’re getting good at it,” Dodd said. “The numbers are surging. I think since Texas has focused law enforcement attention on this it’s spreading like fingers out from there.”

Chain gang members at work on a Texas bank ATM. Image: Texas Bankers Association.

It’s not hard to see why physical attacks against ATMs are on the rise. In 2019, the average amount stolen in a traditional bank robbery was just $1,797, according to the FBI.

In contrast, robbing ATMs is way less risky and potentially far more rewarding for the perpetrators. That’s because bank ATMs can typically hold hundreds of thousands of dollars in cash.

Dodd said she hopes to see more involvement from federal investigators in fighting chain gang attacks, and that it would help if more of these attacks were prosecuted as bank robberies, which can carry stiff federal penalties. As it is, she said, most incidents are treated as property crimes and left to local investigators.

“We had a rash of three attacks recently and contacted the FBI, and were told, ‘We don’t work these,’” Dodd said. “The FBI looks at these attacks not as bank robbery, but just the theft of cash.”

In January, Texas lawmakers are introduced legislation that would make destroying an ATM a third degree felony offense. Such a change would mean chain gang members could be prosecuted with the same zeal Texas applies to people who steal someone’s livestock, a crime which is punishable by 2-10 years in prison and a fine of up to $10,000 (or both).

“The bottom line is, right now bank robbery is a felony and robbing an unattended ATM is not,” Santor said.

KrebsOnSecurity checked in with the European ATM Security Team (EAST), which maintains statistics about fraud of all kinds targeting ATM operators in Europe. EAST Executive Director Lachlan Gunn said overall physical attacks on ATMs in Europe have been a lot quieter since the pandemic started.

“Attacks fell right away during the lockdowns and have started to pick up a little as the restrictions are eased,” Gunn said. “So no major spike here, although [the United States is] further ahead when it comes to the easing of restrictions.”

Gunn said the most common physical attacks on European ATMs continue to involve explosives —  such as gas tanks and solid explosives that are typically stolen from mining and construction sites.

“The biggest physical attack issue in Europe remains solid explosive attacks, due to the extensive collateral damage and the risk to life,” Gunn said.

The Texas Bankers Association report, available here (PDF), includes a number of recommended steps financial institutions can take to reduce the likelihood of being targeted by chain gangs.

Dropbox is reimagining the workplace with Dropbox Studios

/0 Comments/in /by

The pandemic has been a time for a lot of reflection on both a personal and business level. Tech companies in particular are assessing whether they will ever again return to a full-time, in-office approach. Some are considering a hybrid approach and some may not go back to a building at all. Amidst all this, Dropbox has decided to reimagine the office with a new concept they are introducing this week called Dropbox Studios.

Dropbox CEO and co-founder Drew Houston sees the pandemic as a forcing event, one that pushes companies to rethink work through a distributed lens. He doesn’t think that many businesses will simply go back to the old way of working. As a result, he wanted his company to rethink the office design with one that did away with cube farms with workers spread across a landscape of cubicles. Instead, he wants to create a new approach that takes into account that people don’t necessarily need a permanent space in the building.

“We’re soft launching or opening our Dropbox Studios [this] week in the U.S., including the one in San Francisco. And we took the opportunity as part of our focus to reimagine the office into a collaborative space that we call a studio,” Houston told me.

Houston says that the company really wanted to think about how to incorporate the best of working at home with the best of working at the office collaborating with colleagues. “We focused on having really great curated in-person experiences, some of which we coordinate at the company level and then some of which you can go into our studios, which have been refitted to support more collaboration,” he said.

Dropbox Studio coffee shop

Dropbox Studio coffee shop. Image Credits: Dropbox

To that end, they have created a lot of soft spaces with a coffee shop to create a casual feel, conference rooms for teams to have what Houston called “on-site off-sites” and classrooms for organized group learning. The idea is to create purpose-built spaces for what would work best in an office environment and what people have been missing from in-person interactions since they were forced to work at home by the pandemic, while letting people accomplish more individual work at home.

As tech offices begin to reopen, the workplace could look very different

The company is planning on dedicated studios in major cities like San Francisco, Seattle, Tokyo and Tel Aviv with smaller on-demand spaces operated by partners like WeWork in other locations.

Dropbox Studio Classroom

Dropbox Studio classroom space. Image Credits: Dropbox

As Houston said when he appeared at TechCrunch Disrupt last year, his company sees this as an opportunity to be on the forefront of distributed work and act as an example and a guide to help other companies as they undertake similar journeys.

“When you think more broadly about the effects of the shift to distributed work, it will be felt well beyond when we go back to the office. So we’ve gone through a one-way door. This is maybe one of the biggest changes to knowledge work since that term was invented in 1959,” Houston said last year.

He recognizes that they have to evaluate how this is going to work and iterate on the design as needed, just as the company iterates on its products and they will be evaluating the new spaces and the impact on collaborative work and making adjustments when needed. To help others, Dropbox is releasing an open-source project plan called the Virtual First Toolkit.

The company is going all-in with this approach and will be subletting much of its existing office space as it moves to this new way of working and its space requirements change dramatically. It’s a bold step, but one that Houston believes his company is uniquely positioned to undertake, and he wants Dropbox to be an example to others on how to reinvent the way we work.

Dropbox CEO Drew Houston says the pandemic forced the company to reevaluate what work means

Rootly nabs $3.2M seed to build SRE incident management solution inside Slack

/0 Comments/in /by

As companies look for ways to respond to incidents in their complex microservices-driven software stacks, SREs — site reliability engineers — are left to deal with the issues involved in making everything work and keeping the application up and running. Rootly, a new early-stage startup wants to help by building an incident-response solution inside of Slack.

Today the company emerged from stealth with a $3.2 million seed investment. XYZ Venture Capital led the round with participation from 8VC, Y Combinator and several individual tech executives.

Rootly co-founder and CEO Quentin Rousseau says that he cut his SRE teeth working at Instacart. When he joined in 2015, the company was processing hundreds of orders a day, and when he left in 2018 it was processing thousands. It was his job to make sure the app was up and running for shoppers, consumers and stores even as it scaled.

He said that while he was at Instacart, he learned to see patterns in the way people responded to an issue and he had begun working on a side project after he left looking to bring the incident response process under control inside of Slack. He connected with co-founder JJ Tang, who had started at Instacart after Rousseau left in 2018, and the two of them decided to start Rootly to help solve these unique problems that SREs face around incident response.

“Basically we want people to manage and resolve incidents directly in Slack. We don’t want to add another layer of complexity on top of that. We feel like there are already so many tools out there and when things are chaotic and things are on fire, you really want to focus quickly on the resolution part of it. So we’re really trying to be focused on the Slack experience,” Rousseau explained.

The Rootly solution helps SREs connect quickly to their various tools inside Slack, whether that’s Jira or Zendesk or DataDog or PagerDuty, and it compiles an incident report in the background based on the conversation that’s happening inside of Slack around resolving the incident. That will help when the team meets for an incident post-mortem after the issue is resolved.

4 women in engineering discuss harassment, isolation and perseverence

The company is small at the moment with fewer than 10 employees, but it plans to hire some engineers and sales people over the next year as they put this capital to work.

Tang says that they have built diversity as a core component of the company culture, and it helps that they are working with investor Ross Fubini, managing partner at lead investor XYZ Venture Capital. “That’s also one of the reasons why we picked Ross as our lead investor. [His firm] has probably one of the deepest focuses around [diversity], not only as a fund, but also how they influence their portfolio companies,” he said.

Fubini says there are two main focuses in building diverse companies including building a system to look for diverse pools of talent, and then building an environment to help people from underrepresented groups feel welcome once they are hired.
“One of our early conversations we had with Rootly was how do we both bring a diverse group in and benefit from a diverse set of people, and what’s going to both attract them, and when they come in make them feel like this is a place that they belong,” Fubini explained.

The company is fully remote right now with Rousseau in San Francisco and Tang in Toronto, and the plan is to remain remote whenever offices can fully reopen. It’s worth noting that Rousseau and Tang are members of the current Y Combinator batch.

How you react when your systems fail may define your business

 

Achieving digital transformation through RPA and process mining

/0 Comments/in /by
Alp Uguray
Contributor

Alp Uguray is an award-winning technologist, adviser and investor with 2x UiPath (MVP) Most Valuable Professional Award and is a globally recognized expert on intelligent automation, AI (artificial intelligence), RPA, process mining and enterprise digital transformation.

Understanding what you will change is most important to achieve a long-lasting and successful robotic process automation transformation. There are three pillars that will be most impacted by the change: people, process and digital workers (also referred to as robots). The interaction of these three pillars executes workflows and tasks, and if integrated cohesively, determines the success of an enterprisewide digital transformation.

Robots are not coming to replace us, they are coming to take over the repetitive, mundane and monotonous tasks that we’ve never been fond of. They are here to transform the work we do by allowing us to focus on innovation and impactful work. RPA ties decisions and actions together. It is the skeletal structure of a digital process that carries information from point A to point B. However, the decision-making capability to understand and decide what comes next will be fueled by RPA’s integration with AI.

From a strategic standpoint, success measures for automating, optimizing and redesigning work should not be solely centered around metrics like decreasing fully loaded costs or FTE reduction, but should put the people at the center.

We are seeing software vendors adopt vertical technology capabilities and offer a wide range of capabilities to address the three pillars mentioned above. These include powerhouses like UiPath, which recently went public, Microsoft’s Softomotive acquisition, and Celonis, which recently became a unicorn with a $1 billion Series D round. RPA firms call it “intelligent automation,” whereas Celonis targets the execution management system. Both are aiming to be a one-stop shop for all things related to process.

We have seen investments in various product categories for each stage in the intelligent automation journey. Process and task mining for process discovery, centralized business process repositories for CoEs, executives to manage the pipeline and measure cost versus benefit, and artificial intelligence solutions for intelligent document processing.

For your transformation journey to be successful, you need to develop a deep understanding of your goals, people and the process.

Define goals and measurements of success

From a strategic standpoint, success measures for automating, optimizing and redesigning work should not be solely centered around metrics like decreasing fully loaded costs or FTE reduction, but should put the people at the center. To measure improved customer and employee experiences, give special attention to metrics like decreases in throughput time or rework rate, identify vendors that deliver late, and find missed invoice payments or determine loan requests from individuals that are more likely to be paid back late. These provide more targeted success measures for specific business units.

The returns realized with an automation program are not limited to metrics like time or cost savings. The overall performance of an automation program can be more thoroughly measured with the sum of successes of the improved CX/EX metrics in different business units. For each business process you will be redesigning, optimizing or automating, set a definitive problem statement and try to find the right solution to solve it. Do not try to fit predetermined solutions into the problems. Start with the problem and goal first.

Understand the people first

To accomplish enterprise digital transformation via RPA, executives should put people at the heart of their program. Understanding the skill sets and talents of the workforce within the company can yield better knowledge of how well each employee can contribute to the automation economy within the organization. A workforce that is continuously retrained and upskilled learns how to automate and flexibly complete tasks together with robots and is better equipped to achieve transformation at scale.

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software

/0 Comments/in /by

Last week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).

According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site —portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.

The Kaseya customer support and billing portal. Image: Archive.org.

Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”

The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.

“This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”

Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.

“It was deprecated but left up,” Sanders said.

In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.

“We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”

“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”

The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.

But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.

“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”

In a video posted to Youtube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”

“While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.

The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).

In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”

“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “through the night” to push out an update.

Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools.

“We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.