Apr 10, 2019

Google launches new security tools for G Suite users

Google today launched a number of security updates to G Suite, its online productivity and collaboration platform. The focus of these updates is on protecting a company’s data inside G Suite, both through controlling who can access it and through providing new tools for preventing phishing and malware attacks.

For example, Google is announcing the beta launch of its advanced phishing and malware protection. This is meant to help admins protect users from malicious attachments and inbound email spoofing, among other things.

The most interesting feature here, though, is the new security sandbox, another beta feature for G Suite enterprise users. The sandbox allows admins to add an extra layer of protection on top of the standard attachment scans for known viruses and malware. Those existing tools can’t fully protect you against zero-day ransomware or sophisticated malware, though. So instead of just letting you open the attachment, this tool executes the attachment in a sandbox environment to check if there are any security issues.

With today’s launch, Google is announcing the beta launch of its new security and alert center for admins. These tools are meant to create a single service that features best practice recommendations, but also a unified notifications center and tools to triage and take actions against threats, all with a focus on collaboration among admins. Also new is a security investigation tool that mostly focuses on allowing admins to create automated workflows for sending notifications or assigning ownership to security investigations.

Apr 10, 2019

Google extends its BeyondCorp security model to G Suite

BeyondCorp is Google’s model for securing networks not just through VPNs and other endpoint security techniques, but through context-aware access policies that focus on the user’s identity, hardware and the context of the request. That has been Google’s internal security policy for a while now and over the last few months, it started bringing it to its own customers, too, starting with its Cloud Identity-Aware Proxy, which is now generally available, and its VPC Service Controls.

Today, the company is extending these context-aware access capabilities to its Cloud Identity user and device management service, as well as G Suite, its productivity suite. So while earlier implementations centered around protecting a company’s technical cloud infrastructure, this release focuses on devices and cloud-based apps like Gmail, Drive, Docs, Sheets and Calendar.

In this context, some devices, for example, may be more highly trusted because they have been enrolled in the Cloud Identity service and because a number of security policies are in place for them. That’s a different kind of security posture than a system that simply trusts users because they come through a specific VPN.

Context-aware access for G Suite apps is now in beta, but only for customers who subscribe to Cloud Identity Premium, G Suite Enterprise and G Suite Enterprise for Education.

With today’s release, Google also announced the BeyondCorp Alliance, which brings together a number of security and management partners. These include Check Point, Lookout, Palo Alto Networks, Symantec and VMware. According to Google, these companies are all working to bring device posture data to Google’s context-aware access engine.

Apr 3, 2019

Okta unveils $50M in-house venture capital fund

Identity management software provider Okta, which went public two years ago in what was one of the first pure-cloud subscription-based company IPOs, wants to fund the next generation of identity, security and privacy startups.

At its big customer conference Oktane, where the company has also announced a new level of identity protection at the server level, chief operating officer Frederic Kerrest (pictured above, right, with chief executive officer Todd McKinnon) will unveil a $50 million investment fund meant to back early-stage startups leveraging artificial intelligence, machine learning and blockchain technology.

“We view this as a natural extension of what we are doing today,” Okta senior vice president Monty Gray told TechCrunch. Gray was hired last year to oversee corporate development, i.e. beef up Okta’s M&A strategy.

Gray and Kerrest tell TechCrunch that Okta Ventures will invest capital in existing Okta partners, as well as other companies in the burgeoning identity management ecosystem. The team managing the fund will look to Okta’s former backers, Sequoia, Andreessen Horowitz and Greylock, for support in the deal sourcing process.

Okta Ventures will write checks sized between $250,000 and $2 million to eight to 10 early-stage businesses per year.

“It’s just a way of making sure we are aligning all our work and support with the right companies who have the right vision and values because there’s a lot of noise around identity, ML and AI,” Kerrest said. “It’s about formalizing the support strategy we’ve had for years and making sure people are clear of the fact we are helping these organizations build because it’s helpful to our customers.”

Okta Ventures’ first bet is Trusted Key, a blockchain-based digital identity platform that previously raised $3 million from Founders Co-Op. Okta’s investment in the startup, founded by former Microsoft, Oracle and Symantec executives, represents its expanding interest in the blockchain.

“Blockchain as a backdrop for identity is cutting edge if not bleeding edge,” Gray said.

Okta, founded in 2009, had raised precisely $231 million from Sequoia, Andreessen Horowitz, Greylock, Khosla Ventures, Floodgate and others prior to its exit. The company’s stock has fared well since its IPO, debuting at $17 per share in 2017 and climbing to more than $85 apiece with a market cap of $9.6 billion as of Tuesday closing.

Apr 3, 2019

Onfido, which verifies IDs using AI, nabs $50M from SoftBank, Salesforce, Microsoft and more

Security breaches, where malicious hackers obtain snippets of information that then get used to impersonate individuals in order to gain access to individuals’ and businesses’ sensitive financial and other private information, have become par for the course in the world of digital services. More than 2.7 billion records were breached in a single incident this year in the US, and overall the damage from incidents like these potentially runs into the trillions of dollars globally.

Today, a startup called Onfido, which uses AI techniques combined with human verifiers to efficiently verify that people are who they say they are when using digital services, is announcing $50 million in funding to help address that ongoing — and growing — problem.

The funding comes on the heels of some very strong growth for the startup, which was founded in London but now operates most of its business out of San Francisco. In an interview, co-founder and CEO Husayn Kassai said that more than half of its customers, and most of its new growth, is coming out of the US.

Onfido uses computer vision and a number of other AI-based technologies to verify against some 4,500 different types of identity documents, using techniques like “facial liveness testing” to see patterns invisible to the human eye. It now has 1,500 businesses as customers, primarily in categories like marketplaces and communities, gaming and financial services, including companies like Remitly, Zipcar and Europcar; and in the last year, it had sales growth of 342 percent. Kassai said that it has to date verified “tens of millions” of IDs.

The money — a Series C2, technically — is coming from a group that includes top strategic tech investors. The round is being co-led by SoftBank Investment (SBI) and Salesforce Ventures, with M12 (the new name for Microsoft Ventures), FinVC and other unnamed new and previous investors also participating. That’s a signal not just of how the biggest companies in that sector today are grappling with this problem, but also what approach they are using to solve it.

For SoftBank, the investment is separate from the Vision fund, founder and CEO Husayn Kassai noted, but it’s notable that a lot of the businesses that have been backed out of that fund — companies like Didi, Uber, Oyo, Lemonade, and others — fundamentally rely on people trusting that they are handling personal details securely while also carefully vetting suppliers on the platform (meaning, they need and use services like Onfido’s).

Meanwhile, both Microsoft and Salesforce have extensive enterprise businesses that could see multiple benefits from working with an identity verification provider, not just for their own purposes, but as a service that is sold on to their customers as part of a larger identity management and security offering.

The company is not revealing its valuation but has raised around $100 million to date and Kassai confirmed that it was an upround, with “a lot of happy investors.”

“We have strong metrics, and we have a long way to go in our growth,” he added.

There are a lot of companies today offering secure services to authenticate users, for example, to help them log on to their work accounts or to access their online banking services. Onfido’s business focuses on the first step in all of this — customer onboarding — specifically around services geared towards consumers.

The opportunity that has opened up for it has been the result of more than just a rise in breaches. There’s also been a growing realization that a lot of the existing services that had been used for verification are simply not fit for purpose: either they too have been breached — as in the case of some of the bigger credit agencies like Equifax — or are not realistically efficient enough for how many online services run today, such as in the case of in-person verifications. (Onfido claims that its system can make a verification in as little as 15 seconds.)

Or, they are part of the new guard that has shifted its approach to the business of ID verification, either by choice or force. One would-be competitor from the past, Checkr, is now a partner of Onfido’s, Kassai noted. Others like Jumio — which is still grappling with the fallout from major illegal missteps from previous management — seem to still be trying to find their feet as standalone businesses.

“Fraud is rising and not going anywhere,” Kassai — who co-founded the company with Ruhul Amin and Eamon Jubbawy — said. “And the problem is that there are a dozen other companies that have not done a good enough job to detect it so far.” While no service is perfect — Onfido says that its “risk exposure” is 0.0195 percent — he says that the advantage of building its service on top of AI means that the algorithms use every experience to continue honing its accuracy. “What we learn from one client gets applied everywhere,” he notes.

“There has never been a more important time for companies to build trust with their customers by showing they are one step ahead of fraudsters,” said Frank van Veenendaal, the ex-vice chairman of Salesforce, who is joining the board with this round. “I believe Onfido has the unique opportunity to transform the digital identity market and deliver robust and scalable authentication-as-a-service, similar to how Salesforce transformed customer relationship management.”

Apr 3, 2019

Container security startup Aqua lands $62M Series C

Aqua Security, a startup that helps customers launch containers securely, announced a $62 million Series C investment today led by Insight Partners.

Existing investors Lightspeed Venture Partners, M12 (Microsoft’s venture fund), TLV Partners and Shlomo Kramer also participated. With today’s investment, the startup’s investments since inception now total over $100 million, according to the company.

Early investors took a chance on the company when it was founded in 2015. Containers were barely a thing back then, but the founders had a vision of what was coming down the pike and their bet has paid off in a big way as the company now has first-mover advantage. As more companies turn to Kubernetes and containers, the need for a security product built from the ground up to secure this kind of environment is essential.

While co-founder and CEO Dror Davidoff says the company has 60 Fortune 500 customers, he’s unable to share names, but he can provide some clues like five of the world’s top banks. As companies like that turn to new technology like containers, they aren’t going to go whole hog without a solid security option. Aqua gives them that.

“Our customers are all taking very dramatic steps towards adoption of those new technologies, and they know that existing security tools that they have in place will not solve the problems,” Davidoff told TechCrunch. He said that most customers have started small, but then have expanded as container adoption increases.

You may think that an ephemeral concept like a container would be less of a security threat, but Davidoff says that the open nature of containerization actually leaves them vulnerable to tampering. “Container lives long enough to be dangerous,” he said. He added, “They are structured in an open way, making it simple to hack, and once in, to do lateral movement. If the container holds sensitive info, it’s easy to have access to that information.”

Aqua scans container images for malware and makes sure only certified images can run, making it difficult for a bad actor to insert an insecure image, but the ephemeral nature of containers also helps if something slips through. DevOps can simply take down the faulty container and put up a newly certified clean one quickly.

The company has 150 employees with offices in the Boston area and R&D in Tel Aviv in Israel. With the new influx of cash, the company plans to expand quickly, growing sales and marketing, customer support and expanding the platform to cover emerging areas like serverless computing. Davidoff says the company could double in size in the next 12-18 months and he’s expecting 3x to 4x customer growth.

All of that money should provide fuel to grow the company as containerization spreads and companies look for a security solution to keep containers in production safe.

Apr 2, 2019

How to handle dark data compliance risk at your company

Slack and other consumer-grade productivity tools have been taking off in workplaces large and small — and data governance hasn’t caught up.

Whether it’s litigation, compliance with regulations like GDPR or concerns about data breaches, legal teams need to account for new types of employee communication. And that’s hard when work is happening across the latest messaging apps and SaaS products, which make data searchability and accessibility more complex.

Here’s a quick look at the problem, followed by our suggestions for best practices at your company.

Problems

The increasing frequency of reported data breaches and expanding jurisdiction of new privacy laws are prompting conversations about dark data and risks at companies of all sizes, even small startups. Data risk discussions necessarily include the risk of a data breach, as well as preservation of data. Just two weeks ago it was reported that Jared Kushner used WhatsApp for official communications and screenshots of those messages for preservation, which commentators say complies with record keeping laws but raises questions about potential admissibility as evidence.

Apr 2, 2019

Okta brings identity management to server level

Since it was founded in 2009, Okta has been focused on protecting identity — first for individuals in the cloud, and later at the device level. Today at its Oktane customer conference, the company announced a new level of identity protection at the server level.

The new tool, called Advanced Server Access, provides identity management for Windows and Linux Servers, whether they are in a data center or the cloud. The product supports major cloud infrastructure vendors like Amazon Web Services, Microsoft Azure and Google Cloud Platform, and gives IT the ability to protect access to servers, reduce the likelihood of identity theft and bring a level of automation to the server credential process.

As company founder and CEO Todd McKinnon points out, as every organization becomes a technology company building out their own applications, protecting servers becomes increasingly critical. “Identity is getting more and more important because there is more technology and zero trust in the network. You need to manage identity not just for users or devices. We are now applying our identity [experience] to the most critical resources for these emerging tech companies, their servers,” he said.

McKinnon explained that developers typically communicate with Linux servers via the SSH protocol. It required logging in of course, even before today’s announcement, but what Okta is doing is simplifying that in the same way it simplified logging into cloud applications for individuals.

People’s roles change over time, but instead of changing those roles at the identity layer to allow access to the server, in a typical shop the development or operations team creates an admin account with a superset of permissions and simply shares that. “That means the admin account has all the permissions, and also means they are sharing these credentials,” he said. If those credentials get stolen, the thief potentially has access to the entire universe of servers inside a company.

Okta’s idea is to bring a level of automation to the server identity management process, so that users maintain their own individual credentials and permissions in a more automated fashion, even as roles change across the entire server infrastructure a company manages. “It’s continuous, automatic, real-time checking of the state of the machine, and the state of the user and the permissions that makes it far more secure,” he said.

The tool is continuously monitoring this information to make sure nothing has changed, such as another machine having taken over, which helps avoid man-in-the-middle attacks. It’s also making sure that there is no virus or malware, and that the person who is using the machine is who they say they are and has access at the level they are using it.

Okta went public almost exactly two years ago, and it needs to keep finding ways to expand its core identity services. Bringing it to the server level with this new product moves the idea of identity management deeper into a technology stack, and McKinnon hinted the company isn’t done yet.

“You might not think of server access as an identity opportunity, but the way we do it will make it clear that it really is an opportunity, and the same can be said for the next several innovations we will have after this,” he said.

Mar 20, 2019

Microsoft Defender comes to the Mac

Microsoft today announced that it is bringing its Microsoft Defender Advanced Threat Protection (ATP) to the Mac. Previously, this was a Windows solution for protecting the machines of Microsoft 365 subscribers and assets of the IT admins that try to keep them safe. It was also previously called Windows Defender ATP, but given that it is now on the Mac, too, Microsoft decided to drop the “Windows Defender” moniker in favor of “Microsoft Defender.”

“For us, it’s all about experiences that follow the person and help the individual be more productive,” Jared Spataro, Microsoft’s corporate VP for Office and Windows, told me. “Just like we did with Office back in the day — that was a big move for us to move it off of Windows-only — but it was absolutely the right thing. So that’s where we’re headed.”

He stressed that this means that Microsoft is moving off its “Windows-centric approach to life.” He likened it to bringing the Office apps to the iPad and Android. “We’re just headed in that same direction of saying that it’s our intent that we can secure every endpoint so that this Microsoft 365 experience is not just Windows-centric,” Spataro said. Indeed, he argued that the news here isn’t even so much the launch of this service for the Mac but that Microsoft is reorienting the way it thinks about how it can deliver value for Microsoft 365 clients.

Given that Microsoft Defender is part of the Microsoft 365 package, you may wonder why those users would even care about the Mac, but there are plenty of enterprises that use a mix of Windows machines and Mac, and which provide all of their employees with Office already. Having a security solution that spans both systems can greatly reduce complexity for IT departments — and keeping up with security vulnerabilities on one system is hard enough to begin with.

In addition to the launch of the Mac version of Microsoft Defender ATP, the company also today announced the launch of new threat and vulnerability management capabilities for the service. Over the last few months, Microsoft had already launched a number of new features that help businesses proactively monitor and identify security threats.

“What we’re hearing from customers now is that the landscape is getting increasingly sophisticated, the volume of alerts that we’re starting to get is pretty overwhelming,” Spataro said. “We really don’t have the budget to hire the thousands of people required to sort through all this and figure out what to do.”

So with this new tool, Microsoft uses its machine learning smarts to prioritize threats and present them to its customers for remediation.

To Spataro, these announcements come down to the fact that Microsoft is slowly morphing into more of a security company than ever before. “I think we’ve made a lot more progress than people realize,” he said. “And it’s been driven by the market.” He noted that its customers have long asked Microsoft to help them protect their endpoints. Now, he argues, customers have realized that Microsoft is moving to this person-centric approach (instead of a Windows-centric one) and that the company may now be able to help them protect large parts of their systems. At the same time, Microsoft realized that it could use all of the billions of signals it gets from its users to better help its customers proactively.

Mar 18, 2019

Slack hands over control of encryption keys to regulated customers

Slack announced today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool.

Geoff Belknap, chief security officer (CSO) at Slack, says the new tool should appeal to customers in regulated industries who might need tighter control over security. “Markets like financial services, healthcare and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs,” Belknap told TechCrunch.

Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.

He said that regulated industries in particular have been requesting the ability to control their own encryption keys, including the ability to revoke them if it was required for security reasons. “EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them,” he said.

Belknap says this is especially important when customers involve people outside the organization, such as contractors, partners or vendors in Slack communications. “A big benefit of EKM is that in the event of a security threat or if you ever experience suspicious activity, your security team can cut off access to the content at any time if necessary,” Belknap explained.

In addition to controlling the encryption keys, customers can gain greater visibility into activity inside of Slack via the Audit Logs API. “Detailed activity logs tell customers exactly when and where their data is being accessed, so they can be alerted of risks and anomalies immediately,” he said. If a customer finds suspicious activity, it can cut off access.

EKM for Slack is generally available today for Enterprise Grid customers for an additional fee. Slack, which announced plans to go public last month, has raised more than $1 billion on a $7 billion valuation.

Mar 12, 2019

Upcoming Webinar Thurs 3/14: Web Application Security – Why You Should Review Yours

Please join Percona’s Information Security Architect, David Bubsy, as he presents his talk Web Application Security – Why You Should Review Yours on March 14th, 2019 at 6:00 AM PDT (UTC-7) / 9:00 AM EDT (UTC-4).

In this talk, we take a look at the whole stack and I don’t just mean LAMP.

We’ll cover what an attack surface is and some areas you may look to in order to ensure that you can reduce it.

For instance, what’s an attack surface?

Acronym Hell, what do they mean?

Vulnerability Naming, is this media naming stupidity or driving the message home?

Detection, Prevention and avoiding the boy who cried wolf are some further examples.

Additionally, we’ll cover emerging technologies to keep an eye on or even implement yourself to help improve your security posture.

There will also be a live compromise demo (or backup video if something fails) that covers compromising a PCI compliant network structure to reach the database system. Through this compromise you can ultimately exploit multiple failures to gain bash shell access over the MySQL protocol.
