Personal blog of Yzmir Ramirez

Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by Homeland Security’s cybersecurity division.

An alert was published Friday by the government’s Cybersecurity and Infrastructure Security Agency following a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.

The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer. These aren’t your traditional consumer VPN apps used to protect your privacy, but enterprise VPN apps that are typically rolled out by a company’s IT staff to allow remote workers to access resources on a company’s network.

The apps generate tokens from a user’s password and are stored on their computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.

But with access to a user’s computer — such as through malware — an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.

So far, only Palo Alto Networks has confirmed its GlobalProtect app was vulnerable. The company issued a patch for both its Windows and Mac clients.

Neither Cisco nor Pulse Secure have patched their apps. F5 Networks is said to have known about storing since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch.

CERT warned that hundreds of other apps could be affected — but more testing was required.

Armis is helping companies protect IoT devices on the network without using an agent, and it’s apparently a problem that is resonating with the market, as the startup reports 700 percent growth in the last year. That caught the attention of investors, who awarded them a $65 million Series C investment to help keep accelerating that growth.

Sequoia Capital led the round with help from new investors Insight Venture Partners and Intermountain Ventures. Returning investors Bain Capital Ventures, Red Dot Capital Partners and Tenaya Capital also participated. Today’s investment brings the total raised to $112 million, according to the company.

The company is solving a hard problem around device management on a network. If you have devices where you cannot apply an agent to track them, how do you manage them? Nadir Izrael, company co-founder and CTO, says you have to do it very carefully because even scanning for ports could be too much for older devices and they could shut down. Instead, he says that Armis takes a passive approach to security, watching and learning and understanding what normal device behavior looks like — a kind of behavioral fingerprinting.

“We observe what devices do on the network. We look at their behavior, and we figure out from that everything we need to know,” Izrael told TechCrunch. He adds, “Armis in a nutshell is a giant device behavior crowdsourcing engine. Basically, every client of Armis is constantly learning how devices behave. And those statistical models, those machine learning models, they get merged into master models.”

Whatever they are doing, they seem to have hit upon a security pain point. They announced a $30 million Series B almost exactly a year ago, and they went back for more because they were growing quickly and needed the capital to hire people to keep up.

That kind of growth is a challenge for any startup. The company expects to double its 125-person work force before the end of the year, but the company is working to put systems in place to incorporate those new people and service all of those new customers.

The company plans to hire more people in sales and marketing, of course, but they will concentrate on customer support and building out partnership programs to get some help from systems integrators, ISVs and MSPs, who can do some of the customer hand-holding for them.

Artificial intelligence applied to information security can engender images of a benevolent Skynet, sagely analyzing more data than imaginable and making decisions at lightspeed, saving organizations from devastating attacks. In such a world, humans are barely needed to run security programs, their jobs largely automated out of existence, relegating them to a role as the button-pusher on particularly critical changes proposed by the otherwise omnipotent AI.

Such a vision is still in the realm of science fiction. AI in information security is more like an eager, callow puppy attempting to learn new tricks – minus the disappointment written on their faces when they consistently fail. No one’s job is in danger of being replaced by security AI; if anything, a larger staff is required to ensure security AI stays firmly leashed.

Arguably, AI’s highest use case currently is to add futuristic sheen to traditional security tools, rebranding timeworn approaches as trailblazing sorcery that will revolutionize enterprise cybersecurity as we know it. The current hype cycle for AI appears to be the roaring, ferocious crest at the end of a decade that began with bubbly excitement around the promise of “big data” in information security.

But what lies beneath the marketing gloss and quixotic lust for an AI revolution in security? How did AL ascend to supplant the lustrous zest around machine learning (“ML”) that dominated headlines in recent years? Where is there true potential to enrich information security strategy for the better – and where is it simply an entrancing distraction from more useful goals? And, naturally, how will attackers plot to circumvent security AI to continue their nefarious schemes?

How did AI grow out of this stony rubbish?

The year AI debuted as the “It Girl” in information security was 2017. The year prior, MIT completed their study showing “human-in-the-loop” AI out-performed AI and humans individually in attack detection. Likewise, DARPA conducted the Cyber Grand Challenge, a battle testing AI systems’ offensive and defensive capabilities. Until this point, security AI was imprisoned in the contrived halls of academia and government. Yet, the history of two vendors exhibits how enthusiasm surrounding security AI was driven more by growth marketing than user needs.

Google today launched a number of security updates to G Suite, its online productivity and collaboration platform. The focus of these updates is on protecting a company’s data inside G Suite, both through controlling who can access it and through providing new tools for prevening phishing and malware attacks.

To do this, Google is announcing the beta launch of its advanced phishing and malware protection, for example. This is meant to help admins protect users from malicious attachment and inbound email spoofing, among other things.

The most interesting feature here, though, is the new security sandbox, another beta feature for G Suite enterprise users. The sandbox allows admins to add an extra layer of protection on top of the standard attachment scans for known viruses and malware. Those existing tools can’t fully protect you against zero-day ransomware or sophisticated malware, though. So instead of just letting you open the attachment, this tool executes the attachment in a sandbox environment to check if there are any security issues.

With today’s launch, Google is announcing the beta launch of its new security and alert center for admins. These tools are meant to create a single services that features best practice recommendations, but also a unified notifications center and tools to triage and take actions against threats, all with focus on collaboration among admins. Also new is a security investigation tool that mostly focuses on allowing admins to create automated workflows for sending notifications or assigning ownership to security investigations.

BeyondCorp is Google’s model for securing networks not just through VPNs and other endpoint security techniques, but through a model that focuses on context-aware access policies that focus on the user’s identity, hardware and the context of the request. That has been Google’s internal security policy for a while now and over the last few months, it started bringing it to its own customers, too, starting with its Cloud Identity-Aware Proxy, which is now generally available, and its VPC Service Controls.

Today, the company is extending these context-aware access capabilities to its Cloud Identity user and device management service, as well as G Suite, its productivity suite. So while earlier implementation centered around protecting a company’s technical cloud infrastructure, this release focuses on devices and cloud-based apps like Gmail, Drive, Docs, Sheets and Calendar.

In this context, some devices, for example, may be more highly trusted because they have been enrolled in the Cloud Identity service and because a number of security policies are in place for it. That’s a different kind of security posture than a system that simply trusts users because they come through a specific VPN.

Context-aware access for G Suite apps is now in beta, but only for customers who subscribe to Cloud Identity Premium, G Suite Enterprise and G Suite Enterprise for Education.

With today’s release, Google also announced the BeyondCorp Alliance, which brings together a number of security and management partners. These include Check Point, Lookout, Palo Alto Networks, Symantec and VMware. According to Google, these companies are all working to bring device posture data to Google’s context-aware access engine.

Identity management software provider Okta, which went public two years ago in what was one of the first pure-cloud subscription-based company IPOs, wants to fund the next generation of identity, security and privacy startups.

At its big customer conference Oktane, where the company has also announced a new level of identity protection at the server level, chief operating officer Frederic Kerrest (pictured above, right, with chief executive officer Todd McKinnon) will unveil a $50 million investment fund meant to back early-stage startups leveraging artificial intelligence, machine learning and blockchain technology.

“We view this as a natural extension of what we are doing today,” Okta senior vice president Monty Gray told TechCrunch. Gray was hired last year to oversee corporate development, i.e. beef up Okta’s M&A strategy.

Gray and Kerrest tell TechCrunch that Okta Ventures will invest capital in existing Okta partners, as well as other companies in the burgeoning identity management ecosystem. The team managing the fund will look to Okta’s former backers, Sequoia, Andreessen Horowitz and Greylock, for support in the deal sourcing process.

Okta Ventures will write checks sized between $250,000 and $2 million to eight to 10 early-stage businesses per year.

“It’s just a way of making sure we are aligning all our work and support with the right companies who have the right vision and values because there’s a lot of noise around identity, ML and AI,” Kerrest said. “It’s about formalizing the support strategy we’ve had for years and making sure people are clear of the fact we are helping these organizations build because it’s helpful to our customers.”

Okta Ventures’ first bet is Trusted Key, a blockchain-based digital identity platform that previously raised $3 million from Founders Co-Op. Okta’s investment in the startup, founded by former Microsoft, Oracle and Symantec executives, represents its expanding interest in the blockchain.

“Blockchain as a backdrop for identity is cutting edge if not bleeding edge,” Gray said.

Okta, founded in 2009, had raised precisely $231 million from Sequoia, Andreessen Horowitz, Greylock, Khosla Ventures, Floodgate and others prior to its exit. The company’s stock has fared well since its IPO, debuting at $17 per share in 2017 and climbing to more than $85 apiece with a market cap of $9.6 billion as of Tuesday closing.

Security breaches, where malicious hackers obtain snippets of information that then get used to impersonate individuals in order to gain access to individuals’ and businesses’ sensitive financial and other private information, have become par for the course in the world of digital services. More than 2.7 billion records were  breached in a single incident this year in the US, and overall the damage from incidents like these potentially runs into the trillions of dollars globally.

Today, a startup called Onfido, which uses AI techniques combined with human verifiers to efficiently verify people are who they say they are when using digital services — is today announcing $50 million in funding to help address that ongoing — and growing — problem.

The funding comes on the heels of some very strong growth for the startup, which was founded in London but now operates most of its business out of San Francisco. In an interview, co-founder and CEO Husayn Kassai said that more than half of its customers, and most of its new growth, is coming out of the US.

Onfido uses computer vision and a number of other AI-based technologies to verify against some 4,500 different types of identity documents, using techniques like “facial liveness testing,” to see patterns invisible to the human eye, now has 1,500 businesses as customers, primarily in categories like marketplaces and communities, gaming and financial services, including companies like Remitly, Zipcar and Europcar; and in the last year, it had sales growth of 342 percent. Kassai said that it has to date verified “tens of millions” of IDs.

The money — a Series C2, technically — is coming from a group that includes top strategic tech investors. The round is being co-led by SoftBank Investment (SBI) and Salesforce Ventures, with M12 (the new name for Microsoft Ventures), FinVC and other unnamed new and previous investors are also participating. That’s a signal not just of how the biggest companies in that sector today are grappling with this problem, but also what approach they are using to solve it.

For SoftBank, the investment is separate from the Vision fund, founder and CEO Husayn Kassai noted, but it’s notable that a lot of the businesses that have been backed out of that fund — companies like Didi, Uber, Oyo, Lemonade, and others — fundamentally rely on people trusting that they are handling personal details securely while also carefully vetting suppliers on the platform (meaning, they need and use services like Onfido’s).

Meanwhile, both Microsoft and Salesforce have extensive enterprise businesses that could see multiple benefits from working with an identity verification provider, not just for their own purposes, but as a service that is sold on to its customers as part of a larger identity management and security offering.

The company is not revealing its valuation but has raised around $100 million to date and Kassai confirmed that it was an upround, with “a lot of happy investors.”

“We have strong metrics, and we have a long way to go in our growth,” he added.

There are a lot of companies today offering services to help offer secure services to authenticate users, for example, to help them log on to their work accounts or to access their online banking services. Onfido’s business focuses on the first step in all of this — customer onboarding — specifically around services geared towards consumers.

The opportunity that has opened up for it has been the result of more than just a rise in breaches. There’s also been a growing realization that a lot of the existing services that had been used for verification are simply not fit for purpose: either they too have been breached — as in the case of some of the bigger credit agencies like Equifax — or are not realistically efficient enough for how many online services run today, such as in the case of in-person verifications. (Onfido claims that its system can make a verification in as little as 15 seconds.)

Or, they are part of the new guard that has shifted its approach to the business of ID verificiation, either by choice or force. One would-be competitor from the past, Checkr, is now a partner of Onfido’s, Kassai noted. Others like Jumio — which is still grappling with the fallout from major illegal missteps from previous management — seem to still be trying to find their feet as standalone businesses.

“Fraud is rising and not going anywhere,” Kassai — who co-founded the company with Ruhul Amin and Eamon Jubbawy — said. “And the problem is that there are a dozen other companies that have not done a good enough job to detect it so far.” While no service is perfect — Onfido says that its “risk exposure” is 0.0195 percent — he says that the advantage of building its service on top of AI means that the algorithms use every experience to continue honing its accuracy. “What we learn from one client gets applied everywhere,” he notes.

“There has never been a more important time for companies to build trust with their customers by showing they are one step ahead of fraudsters,” said Frank van Veenendaal, the ex-vice chairman of Salesforce, who is joining the board with this round. “I believe Onfido has the unique opportunity to transform the digital identity market and deliver robust and scalable authentication-as-a-service, similar to how Salesforce transformed customer relationship management.”

Aqua Security, a startup that helps customers launch containers securely, announced a $62 million Series C investment today led by Insight Partners.

Existing investors Lightspeed Venture Partners, M12 (Microsoft’s venture fund), TLV Partners and Shlomo Kramer also participated. With today’s investment, the startup’s investments since inception now total over $100 million, according to the company.

Early investors took a chance on the company when it was founded in 2015. Containers were barely a thing back then, but the founders had a vision of what was coming down the pike and their bet has paid off in a big way as the company now has first-mover advantage. As more companies turn to Kubernetes and containers, the need for a security product built from the ground up to secure this kind of environment is essential.

While co-founder and CEO Dror Davidoff says the company has 60 Fortune 500 customers, he’s unable to share names, but he can provide some clues like five of the world’s top banks. As companies like that turn to new technology like containers, they aren’t going to go whole hog without a solid security option. Aqua gives them that.

“Our customers are all taking very dramatic steps towards adoption of those new technologies, and they know that existing security tools that they have in place will not solve the problems,” Davidoff told TechCrunch. He said that most customers have started small, but then have expanded as container adoption increases.

You may thank that an ephemeral concept like a container would be less of a security threat, but Davidoff says that the open nature of containerization actually leaves them vulnerable to tampering. “Container lives long enough to be dangerous,” he said. He added, “They are structured in an open way, making it simple to hack, and once in, to do lateral movement. If the container holds sensitive info, it’s easy to have access to that information.”

Aqua scans container images for malware and makes sure only certified images can run, making it difficult for a bad actor to insert an insecure image, but the ephemeral nature of containers also helps if something slips through. DevOp can simply take down the faulty container and put a newly certified clean one quickly.

The company has 150 employees with offices in the Boston area and R&D in Tel Aviv in Israel. With the new influx of cash, the company plans to expand quickly, growing sales and marketing, customer support and expanding the platform into areas to cover emerging areas like serverless computing. Davidoff says the company could double in size in the next 12-18 months and he’s expecting 3x to 4x customer growth.

All of that money should provide fuel to grow the company as containerization spreads and companies look for a security solution to keep containers in production safe.

Slack and other consumer-grade productivity tools have been taking off in workplaces large and small — and data governance hasn’t caught up.

Whether it’s litigation, compliance with regulations like GDPR or concerns about data breaches, legal teams need to account for new types of employee communication. And that’s hard when work is happening across the latest messaging apps and SaaS products, which make data searchability and accessibility more complex.

Here’s a quick look at the problem, followed by our suggestions for best practices at your company.

Problems

The increasing frequency of reported data breaches and expanding jurisdiction of new privacy laws are prompting conversations about dark data and risks at companies of all sizes, even small startups. Data risk discussions necessarily include the risk of a data breach, as well as preservation of data. Just two weeks ago it was reported that Jared Kushner used WhatsApp for official communications and screenshots of those messages for preservation, which commentators say complies with record keeping laws but raises questions about potential admissibility as evidence.

Since it was founded in 2009, Okta has been focused on protecting identity — first for individuals in the cloud, and later at the device level. Today at its Oktane customer conference, the company announced a new level of identity protection at the server level.

The new tool, called Advanced Server Access, provides identity management for Windows and Linux Servers, whether they are in a data center or the cloud. The product supports major cloud infrastructure vendors like Amazon Web Services, Microsoft Azure and Google Cloud Platform, and gives IT the ability to protect access to servers, reduce the likelihood of identity theft and bring a level of automation to the server credential process.

As company founder and CEO Todd McKinnon points out, as every organization becomes a technology company building out their own applications, protecting servers becomes increasingly critical. “Identity is getting more and more important because there is more technology and zero trust in the network. You need to manage identity not just for users or devices. We are now applying our identity [experience] to the most critical resources for these emerging tech companies, their servers,” he said.

McKinnon explained that developers typically communicate with Linux servers via the SSH protocol. It required logging in of course, even before today’s announcement, but what Okta is doing is simplifying that in the same way it simplified logging into cloud applications for individuals.

People’s roles change over time, but instead of changing those roles at the identity layer to allow access to the server, in a typical shop the development or operations team creates an admin account with a superset of permissions and simply shares that. “That means the admin account has all the permissions, and also means they are sharing these credentials,” he said. If those credentials get stolen, the thief potentially has access to the entire universe of servers inside a company.

Okta’s idea is to bring a level of automation to the server identity management process, so that users maintain their own individual credentials and permissions in a more automated fashion, even as roles change across the entire server infrastructure a company manages. “It’s continuous, automatic, real-time checking of the state of the machine, and the state of the user and the permissions that makes it far more secure,” he said.

The tool is continuously monitoring this information to make sure nothing has changed such as another machine has taken over, avoiding man-in-the-middle attacks. It’s also making sure that there is no virus or malware, and that the person who is using the machine is who they say they are and has access at the level they are using it.

Okta went public almost exactly two years ago, and it needs to keep finding ways to expand its core identity services. Bringing it to the server level as this new product moves the idea of identity management deeper into a technology stack, and McKinnon hinted the company isn’t done yet.

“You might not think of server access as an identity opportunity, but the way we do it will make it clear that it really is an opportunity, and the same can be said for the next several innovations we will have after this,” he said.