6 CISOs share their game plans for a post-pandemic world

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”


By Walter Thompson

Google Cloud earns defense contract win for Anthos multi-cloud management tool

Google dropped out of the Pentagon’s JEDI cloud contract battle fairly early in the game, citing it was in conflict with its “AI principles.” However, today the company announced a new 7-figure contract with DoD’s Defense Innovation Unit (DIU), a big win for the cloud unit and CEO Thomas Kurian.

While the company would not get specific about the number, the new contract involves using Anthos, the tool the company announced last year to secure DIU’s multi-cloud environment. In spite of the JEDI contract involving a single vendor, the DoD has always used solutions from all three major cloud vendors — Amazon, Microsoft and Google — and this solution will provide a way to monitor security across all three environments, according to the company.

“Multi-cloud is the future. The majority of commercial businesses run multi-cloud environments securely and seamlessly, and this is now coming to the federal government as well,” Mike Daniels, VP of Global Public Sector at Google Cloud told TechCrunch.

The idea is to manage security across three environments with help from cloud security vendor Netskope, which is also part of the deal. “The multi-cloud solution will be built on Anthos, allowing DIU to run web services and applications across Google Cloud, Amazon Web Services, and Microsoft Azure — while being centrally managed from the Google Cloud Console,” the company wrote in a statement.

Daniels says that while this is a deal with DIU, he could see it expanding to other parts of DoD. “This is a contract with the DIU, but our expectation is that the DoD will look at the project as a model for how to implement their own security posture.”

Google Cloud Platform remains way back in the cloud infrastructure pack in third place with around 8% market share. For context, AWS has around 33% market share and Microsoft has around 18%.

While JEDI, a $10 billion, winner-take-all prize remains mired in controversy and an on-going battle between The Pentagon, Amazon and Microsoft, this deal shows that the defense department is looking at advanced technology like Anthos to help it manage a multi-cloud world regardless of what happens with JEDI.


By Ron Miller

Expel lands $50M Series D as security operations increases in importance

Even in these trying economic times, there are some services that companies can’t do without. Having good security tools is one of them. Expel, a 4-year old startup that offers security operations as a service, announced a $50 million Series D financing today.

CapitalG led the round with participation from existing investors Battery Ventures, Greycroft, Index Ventures, Paladin Capital Group and Scale Venture Partners. The company has now raised almost $117 million, according to Pitchbook data.

It’s never easy finding quality security talent to help protect a large organization. The idea behind Expel is to give customers a set of tools to help use automation to reduce the number of people required to keep an organization safe.

Most companies struggle to find experienced security employees, so it’s using automation to solve a real pain point for them. While co-founder and CEO Dave Merkel says you still need to staff the security operations center, you can do it with fewer people with his platform.

“You may have a 24×7 Security Operations Center, but you don’t need the number of people everybody else does to protect your customers because Workbench does all of the heavy lifting for you. So instead of a SOC with 100 people, maybe you’ve got one with 15 people, and that gives tremendous leverage through this platform, and the platform ensures that you can provide high quality security without having to continually grow headcount,” Merkel explained.

Merkel sees the same economy everyone else does, but he believes that companies will continue to invest in security because they have to.

“Security tends to be a need as opposed to a want in many organizations, and so we still do see business happening. We will be using some of the money to continue to invest smartly in sales and marketing, but we’ll just need to be deliberate to make sure that we’re picking the right things that are still effective right now,” he said.

One thing that’s remarkable about this round is that Expel didn’t go looking for this new money. In fact, CapitalG came knocking, according to CapitalG general partner Gene Frantz.

“We sought out Expel, first and foremost. It wasn’t that Expel sought out to raise money and they called a bunch of people. We called them, and that was in response to a bunch of thematic work that we continually do in the security space,” Frantz told TechCrunch.

That work involved three main areas, where Expel happened to check all the boxes. The first was the threat landscape becoming ever more treacherous. The second was information overload from a variety of security products, and finally the dearth of experienced security personnel to deal with the first two problems.

“And so our bet is that this is the company in the space that actually will take on and address these challenges,” Frantz said.

Merkel describes having a company like CapitalG come to him as a humbling experience for him and his co-founders, especially under the current circumstances.

“It’s tremendous validation, but it is also humbling. We’re pretty thankful to be in that position, and we want to make sure that we do the right things to continue to honor the opportunity that we see in front of us.”


By Ron Miller

Zoom consultant Alex Stamos weighs in on Keybase acquisition

When Zoom started having security issues in March, they turned to former Facebook and Yahoo! security executive Alex Stamos, who signed on as a consultant to work directly with CEO Eric Yuan.

The goal was to build a more cohesive security strategy for the fast-growing company. One of the recommendations that came out of those meetings was building end-to-end encryption into the paid tier of the product. Those discussions led to the company buying Keybase this morning.

Stamos says in the big build versus buy debate that companies tend to go through when they are evaluating options, this fell somewhere in the middle. While they bought a company with a lot of expertise, it will still require Keybase engineers working with counterparts from Zoom and consultants like Stamos to build a final encrypted product.

“The truth is that what Zoom wants to do with end-to-end encryption, nobody’s really done, so there’s no product that you could just slap onto Zoom to turn it into key encryption. That’s going to have to be thought out from the beginning for the specific needs of an enterprise,” Stamos told TechCrunch.

But what they liked about Keybase in particular is that they have already thought through similar problems with file encryption and encrypted chat, and they want to turn the Keybase engineers loose on this problem.

“The design is going to be something that’s totally new. The great thing about Keybase is that they have already been through this process of thinking through and then crafting a design that is usable by normal people and that provides functionality while being somewhat invisible,” he said.

Because it’s a work in progress, it’s not possible to say when that final integration will happen, but Stamos did say that the company intends to publish a paper on May 22nd outlining its cryptographic plan moving forward, and then will have a period of public discussion before finalizing the design and moving into the integration phase.

He says that the first goal is to come up with a more highly secure version of Zoom meetings with end-to-end encryption enabled. At least initially, this will only be available for people using the Zoom client or Zoom-enabled hardware. You won’t be able to encrypt someone calling in, for instance.

As for folks who may be worried about Keybase being owned by Zoom, Stamos says, “The whole point of the Keybase design is that you don’t have to trust who owns their servers.”


By Ron Miller

Zoom acquires Keybase to get end-to-end encryption expertise

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. It did not reveal the purchase price.

Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains.

The company has faced a number of security issues in the last couple of months as demand has soared and exposed some security weaknesses in the platform. As the company has moved to address these issues, having a team of encryption experts on staff should help the company build a more secure product.

In a blog post announcing the deal, CEO Eric Yuan said they acquired Keybase to give customers a higher level of security, something that’s increasingly important to enterprise customers as more operations are relying on the platform, working from home during the pandemic.

“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses,” Yuan wrote.

He added that the tools will be available for all paying customers as soon as they are incorporated into the product. “Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees,” he wrote.

Under the terms of the deal, Keybase will become a subsidiary of Zoom and co-founder Max Krohn will lead the Zoom security engineering team, reporting directly to Yuan to help build the security product. The other almost two dozen employees will become Zoom employees. The vast majority are security engineers.

It’s not clear what will happen to Keybase’s products, but the company did say Zoom is working with Keybase to figure that out.

Keybase was founded in 2014 and has raised almost $11 million according to Crunchbase data.


By Ron Miller

Dtex, a specialist in insider threat cybersecurity, raises $17.5M

A lot of enterprise cybersecurity efforts focus on malicious hackers that work on behalf of larger organizations, be they criminal groups or state actors — and for good reason, since the majority of incidents these days come from phishing and other malicious techniques that originate outside the enterprise itself.

But there has also been a persistent, and now growing, focus on “insider threats” — that is, breaches that start from within organizations themselves. And today a startup that specialises in this area is announcing a round of growth funding to expand its reach.

Dtex, which uses machine learning to monitor network activity within the perimeter and around all endpoints to detect unusual patterns or behaviour around passwords or data movement, is today announcing that it has raised $17.5 million in funding.

The round is being led by new investor Northgate Capital with Norwest Venture Partners and Four Rivers Group, both previous investors, also participating. Prior to this, the San Jose-based startup had raised $57.5 million, according to data from PitchBook, while CrunchBase puts the total raised at $40 million.

CEO Bahman Mahbod said the startup is not disclosing valuation except to say that it’s “very excited” about it.

For some context, the company works with hundreds of large enterprises, primarily in the financial, critical infrastructure, government and defence sectors. The plan is to now extend further into newer verticals where it’s started to see more activity more recently: pharmaceuticals, life sciences and manufacturing. Dtex says that over the past 12 months, 80% of its top customers have been increasing their level of engagement with the startup.

Dtex’s focus on “insider” threats sounds slightly sinister at first: is the implication here that people are more dishonest and nefarious these days and thus need to be policed and monitored much more closely for wrongdoing? The answer is no. There are no more dishonest people today than there ever have been, but there are a lot more opportunities to make mistakes that result in security breaches:

The working world has been on a long-term trend of becoming increasingly digitised in all of its interactions, and bringing on a lot more devices onto those networks. Across both “knowledge” and front-line workers, we now have a vastly larger number of devices being used to help workers do their jobs or just keep in touch with the company as they work, with many of them being brought by the workers themselves rather than being provisioned by the companies. There has also been a huge increase in cloud services,

And in the realm of “knowledge” workers, we’re seeing a lot more remote or peripatetic working, where people don’t have fixed desks and often work outside the office altogether — something that has skyrocketed in recent times with stay-at-home orders put in place to mitigate the spread of COVID-19 cases.

All of this translates into a much wider threat “horizon” within organizations themselves, before even considering the sophistication of external malicious hackers.

And the current state of business has exacerbated that. Mahbod tells us that Dtex is currently seeing spikes in unusual activity from the rise in home workers, who sometimes circumvent VPNs and other security controls, thus committing policy violations; as well as more problems arising from the fact that home networks have been compromised and that is leaving work networks, accessed from home, more vulnerable. These started, he said, with COVID-19 phishing attacks but have progressed to undetected malware from drive-by downloads.

And, inevitably, he added that there has been a rise in intentional data theft and accidental loss arising in cases where organizations have had to lay people off or run a round of furloughs, but might still result from negligence rather than intentional actions.

There are a number of other cybersecurity companies that provide ways to detect insider threats — they include CloudKnox and Obsidian Security, along with a number of larger and established vendors. But Mahbod says that Dtex “is the only company with ‘next-generation’ capabilities that are cloud-first, AI/ML baked-in, and enterprise scalable to millions of users and devices,” which it sells as DMAP+.

“Effectively, Next-Gen Insider Threat solutions must replace legacy Insider Threat point solutions which were borne out of the UAM, DLP and UEBA spaces,” he said.

Those providing legacy approaches of that kind include Forcepoint with its SureView product and Proofpoint with its ObserveIT product. Interestingly, CyberX, which is currently in the process of getting acquired by Microsoft (according to reports and also our sources), also includes insider threats in its services.

This is one reason why investors have been interested.

“Dtex has built a highly scalable platform that utilizes a cloud-first, lightweight endpoint architecture, offering clients a number of use cases including insider threat prevention and business operations intelligence,” said Thorsten Claus, partner, Northgate Capital, in a statement. Northgate has a long list of enterprise startups in its portfolio that represent potential customers but also a track record of experience in assessing the problem at hand and building products to address it. “With Dtex, we have found a fast-growing, long-term, investible operation that is not just a band-aid collection of tools, which would be short-lived and replaced.”


By Ingrid Lunden

Enterprise companies find MLOps critical for reliability and performance

Enterprise startups UIPath and Scale have drawn huge attention in recent years from companies looking to automate workflows, from RPA (robotic process automation) to data labeling.

What’s been overlooked in the wake of such workflow-specific tools has been the base class of products that enterprises are using to build the core of their machine learning (ML) workflows, and the shift in focus toward automating the deployment and governance aspects of the ML workflow.

That’s where MLOps comes in, and its popularity has been fueled by the rise of core ML workflow platforms such as Boston-based DataRobot. The company has raised more than $430 million and reached a $1 billion valuation this past fall serving this very need for enterprise customers. DataRobot’s vision has been simple: enabling a range of users within enterprises, from business and IT users to data scientists, to gather data and build, test and deploy ML models quickly.

Founded in 2012, the company has quietly amassed a customer base that boasts more than a third of the Fortune 50, with triple-digit yearly growth since 2015. DataRobot’s top four industries include finance, retail, healthcare and insurance; its customers have deployed over 1.7 billion models through DataRobot’s platform. The company is not alone, with competitors like H2O.ai, which raised a $72.5 million Series D led by Goldman Sachs last August, offering a similar platform.

Why the excitement? As artificial intelligence pushed into the enterprise, the first step was to go from data to a working ML model, which started with data scientists doing this manually, but today is increasingly automated and has become known as “auto ML.” An auto-ML platform like DataRobot’s can let an enterprise user quickly auto-select features based on their data and auto-generate a number of models to see which ones work best.

As auto ML became more popular, improving the deployment phase of the ML workflow has become critical for reliability and performance — and so enters MLOps. It’s quite similar to the way that DevOps has improved the deployment of source code for applications. Companies such as DataRobot and H2O.ai, along with other startups and the major cloud providers, are intensifying their efforts on providing MLOps solutions for customers.

We sat down with DataRobot’s team to understand how their platform has been helping enterprises build auto-ML workflows, what MLOps is all about and what’s been driving customers to adopt MLOps practices now.

The rise of MLOps


By Walter Thompson

Decrypted: Chegg’s third time unlucky, Okta’s new CSO, Rapid7 beefs up cloud security

Ransomware is getting sneakier and smarter.

The latest example comes from ExecuPharm, a little-known but major outsourced pharmaceutical company that confirmed it was hit by a new type of ransomware last month. The incursion not only encrypted the company’s network and files, hackers also exfiltrated vast amounts of data from the network. The company was handed a two-for-one threat: pay the ransom and get your files back or don’t pay and the hackers will post the files to the internet.

This new tactic is shifting how organizations think of ransomware attacks: it’s no longer just a data-recovery mission; it’s also now a data breach. Now companies are torn between taking the FBI’s advice of not paying the ransom or the fear their intellectual property (or other sensitive internal files) are published online.

Because millions are now working from home, the surface area for attackers to get in is far greater than it was, making the threat of ransomware higher than ever before.

That’s just one of the stories from the week. Here’s what else you need to know.

THE BIG PICTURE


Chegg hacked for the third time in three years

Education giant Chegg confirmed its third data breach in as many years. The latest break-in affected past and present staff after a hacker made off with 700 names and Social Security numbers. It’s a drop in the ocean when compared to the 40 million records stolen in 2018 and an undisclosed number of passwords taken in a breach at Thinkful, which Chegg had just acquired in 2019.

Those 700 names account for about half of its 1,400 full-time employees, per a filing with the Securities and Exchange Commission. But Chegg’s refusal to disclose further details about the breach — beyond a state-mandated notice to the California attorney general’s office — makes it tough to know exactly what went wrong this time.


By Zack Whittaker

Okta COVID-19 app usage report finds it’s not just collaboration seeing a huge uptick

Okta released a special COVID-19 edition of its app usage report today, and you don’t need a Ph.D. in statistics to guess what they found. Indeed, Zoom surged 110% on the Okta network, leading the way in usage growth just as you would expect, but another whole class of tools besides collaboration also saw huge increases in usage.

As Okta wrote in the report, “We see growth in two major areas: collaboration tools, especially video conferencing apps, and network security tools such as VPNs that extend secure access to remote workers.”

These plumbing tools might not be as sexy as the collaboration tools or boast triple digit growth like Zoom did, but they are seeing a substantial increase in usage as company IT departments try to bring some order to a widely distributed workforce.

As Okta pointed out in the report, bad actors have been looking to take advantage of the situation, as they tend to do, and these folks do love to sow some chaos.

The biggest winners here beyond collaboration tools were VPN businesses with Palo Alto Networks GlobalProtect and Cisco AnyConnect coming in at 94% and 86% usage increases respectively. But they weren’t the only tools growing, as Okta reported the Citrix ADC load balancing tool and ProofPoint’s security training apps also showed strong gains.

It’s probably not surprising that these kinds of tools are seeing an increase in usage with so many employees working from home, but it is interesting to see which vendors are benefiting from the move.

It’s also worth noting that Okta can point to a clear demarcation date when usage began to tick up. It’s easy to forget now, but March 6th was the last day of “normal” app usage before we started to see usage of these tools start to surge.

While reports of this kind are somewhat limited because of the focus on a particular set of customers and the tools they use, it does give you a sense of general trends in technology involving 8,000 Okta customers and 6,500 app integrations.


By Ron Miller

Rapid7 is acquiring DivvyCloud for $145M to beef up cloud security

Rapid7 announced today after the closing bell that it will be acquiring DivvyCloud, a cloud security and governance startup for $145 million in cash and stock.

With Divvy, the company moves more deeply into the cloud, something that Lee Weiner, chief innovation officer says the company has been working towards, even before the pandemic pushed that agenda.

Like any company looking at expanding its offering, it balanced building versus buying and decided that buying was the better way to go. “DivvyCloud has a fantastic platform that really allows companies the freedom to innovate as they move to the cloud in a way that manages their compliance and security,” Weiner told TechCrunch.

CEO Corey Thomas says it’s not possible to make a deal right now without looking at the economic conditions due to the pandemic, but he says this was a move they felt comfortable making.

“You have to actually think about everything that’s going on in the world. I think we’re in a fortunate position in that we have had the benefit of both growing in the past couple years but also getting the business more efficient,” Thomas said.

He said that this acquisition fits in perfectly with what he’s been hearing from customers about what they need right now. “One area of new projects that is actually going forward is how people are trying to figure out how to digitize their operations in a world where they aren’t sure how soon employees will be able to congregate and work together. And so from that context, focusing on the cloud and supporting our customers’ journey to the cloud has become an even more important priority for the organization,” he said.

Brian Johnson, CEO and co-founder at DivvyCloud says that is precisely what his company offers, and why it should fit in well with the Rapid7 family. “We help customers achieve rapid innovation in the cloud while ensuring they remain secure, well governed and compliant,” he said. That takes a different playbook than when customers were on prem, particularly requiring automation and real-time remediation.

With DivvyCloud, Rapid7 is getting a 7-year old company with 70 employees and 54 customers. It raised $27.5 million on an $80 million post-money valuation, according to PitchBook data. All of the employees will become part of the Rapid7 organization when the deal closes, which is expected to happen some time this quarter.

The companies say that as they come together, they will continue to support existing Divvy customers, while working to integrate it more deeply into the Rapid7 platform.


By Ron Miller

ForgeRock nabs $93.5M for its ID management platform, gears up next for an IPO

For better or worse, digital identity management services — the process of identifying and authenticating users on networks to access services — have become a ubiquitous part of interacting on the internet, all the more so in the recent weeks as we have been asked to carry out increasingly more of our lives online.

Used correctly, they help ensure that it’s really you logging into your online banking service; used badly, you feel like you can’t innocently watch something silly on YouTube without being watched yourself. Altogether, they are a huge business: worth $16 billion today according to Gartner but growing at upwards of 30% and potentially as big as $30.5 billion by 2024, according to the latest forecasts.

Now, a company called ForgeRock, which has built a platform that is used to help make sure that those accessing services really are who they say they are, and help organizations account for how their services are getting used, is announcing a big round of funding to continue expanding its business amid a huge boost in demand.

The company is today announcing that it has raised $93.5 million in funding, a Series E it will use to continue expanding its product and take it to its next step as a business, specifically investing in R&D, cloud services and its ForgeRock Identity Cloud, and general global business development.

The round is being led by Riverwood Capital, and Accenture Ventures, as well as previous investors Accel, Meritech Capital, Foundation Capital and KKR Growth, also participated.

Fran Rosch, the startup’s CEO, said in an interview that this will likely be its final round of funding ahead of an IPO, although given the current state of affairs with a lot of M&A, there is no timing set for when that might happen. (Notably, the company had said its last round of funding — $88 million in 2017 — would be its final ahead of an IPO, although that was under a different CEO.)

This Series E brings the total raised by the company to $230 million. Rosch confirmed it was raised as a material upround, although he declined to give a valuation. For some context, the company’s last post-money valuation was $646.50 million per PitchBook, and so this round values the company at more than $730 million.

ForgeRock has annual recurring revenues of more than $100 million, with annual revenues also at over $100 million, Rosch said. It operates in an industry heavy with competition, with some of the others vying for pole position in the various aspects of identity management including Okta, LastPass, Duo Security and Ping Identity.

But within that list it has amassed some impressive traction. In total it has 1,100 enterprise customers, who in turn collectively manage 2 billion identities through ForgeRock’s platform, with considerably more devices also authenticated and managed on top of that.

Customers include the likes of the BBC — which uses ForgeRock to authenticate and log not just 45 million users but also the devices they use to access its iPlayer on-demand video streaming service — Comcast, a number of major banks, the European Union and several other government organizations. ForgeRock was originally founded in Norway about a decade ago, and while it now has its headquarters in San Francisco, it still has about half its employees and half its customers on the other side of the Atlantic.

Currently ForgeRock provides services to businesses related to identity management including password and username creation, identity governance, directory services, privacy and consent gates, which they in turn provide both to their human customers as well as to devices accessing their services, but we’re in a period of change right now when it comes to identity management. It stays away from direct-to-consumer password management services and Rosch said there are no plans to move into that area.

These days, we’ve become more aware of privacy and data protection. Sometimes, it’s been because of the wrong reasons, such as giant security breaches that have leaked some aspect of our personal information into a giant database, or because of a news story that has uncovered how our information has unwittingly been used in ‘legit’ commercial schemes, or other ways we never imagined it would.

Those developments, combined with advances in technology, are very likely to lead us to a place over time where identity management will become significantly more shielded from misuse. These could include more ubiquitous use of federated identities, “lockers” that store our authentication credentials that can be used to log into services but remain separate from their control, and potentially even applications of blockchain technology.

All of this means that while a company like ForgeRock will continue to provide its current services, it’s also investing big in what it believes will be the next steps that we’ll take as an industry, and society, when it comes to digital identity management — something that has had a boost of late.

“There are a lot of interesting things going on, and we are working closely behind the scenes to flesh them out,” Rosch said. “For example, we’re looking at how best to break up data links where we control identities to get access for a temporary period of time but then pull back. It’s a powerful trend that is still about four to five years out. But we are preparing for this, a time when our platform can consume decentralised identity, on par with logins from Google or Facebook today. That is an interesting area.”

He notes that the current market, where there has been an overall surge for all online services as people are staying home to slow the speed of the coronavirus pandemic, has seen big boosts in specific verticals.

Its largest financial services and banking customers have seen traffic up by 50%, and digital streaming has been up by 300%, and government services have also been spiking, in part because many services that hadn’t been online are now developing online presences or seeing much more traffic from digital channels than before. Unsurprisingly, its customers in hotel and travel, as well as retail, have seen drops, he added.

“ForgeRock’s comprehensive platform is very well-positioned to capitalize on the enormous opportunity in the Identity & Access Management market,” said Jeff Parks, co-founder and managing partner of Riverwood Capital, in a statement. “ForgeRock is the leader in solving a wide range of workforce and consumer identity use cases for the Global 2000 and is trusted by some of the largest companies to manage millions of user identities. We have seen the growth acceleration and are thrilled to partner with this leadership team.” Parks is joining the board with this round.


By Ingrid Lunden

Bridgecrew announces $14M Series A to automate cloud security

In today’s grim economic climate, companies are looking for ways to automate wherever they can. Bridgecrew, an early-stage startup that makes automated cloud security tooling aimed at engineers, announced a $14 million Series A today.

Battery Ventures led the round with participation from NFX, the company’s $4 million seed investor. Sorensen Ventures, DNX Ventures, Tectonic Ventures, and Homeward Ventures also participated. A number of individual investors also helped out. The company has raised a total of $18 million.

Bridgecrew CEO and co-founder Idan Tendle says that it is becoming easier to provision cloud resources, but that security tends to be more challenging. “We founded Bridgecrew because we saw that there was a huge bottleneck in security engineering, in DevSecOps, and how engineers were running cloud infrastructure security,” Tendle told TechCrunch.

They found that a lot of issues involved misconfigurations, and while there were security solutions out there to help, they were expensive, and they weren’t geared towards the engineers who were typically being charged with fixing the security issues, he said.

The company decided to solve that problem by coming up with a solution geared specifically for the way engineers think and operate. “We do that by codifying the problem, by codifying what the engineers are doing. We took all the tasks that they needed to do to protect around remediation of their cloud environment and we built a playbook,” he explained.

The playbooks are bits of infrastructure as code that can resolve many common problems quickly. When they encounter a new problem, they build a playbook and then that becomes part of the product. He says that 90% of the issues are fairly generic like following AWS best practices or ensuring SOC-2 compliance, but the engineers are free to tweak the code if they need to.

Tendle says he is hiring and sees his product helping companies looking to reduce costs through automation. “We are planning to grow fast. The need is huge and the COVID-19 implications mean that more and more companies will be moving to cloud and trying to reduce costs, and we help them do that by reducing the barriers and bottlenecks for cloud security.”

The company was founded 14 months ago and has 100 playbooks available. It’s keeping the crew lean for now with 16 employees, but it has plans to double that by the end of the year.


By Ron Miller

German security firm Avira has been acquired by Investcorp at a $180M valuation

Mergers and acquisitions largely ground to a halt at the end of March, in the wake of the coronavirus pandemic spreading around the world, but today comes news of a deal out of Europe that underscores where pockets of activity are still happening. Avira, a cybersecurity company based out of Germany that provides antivirus, identity management and other tools both to consumers and as a white-label offering from a number of big tech brands, has been snapped up by Investcorp Technology Partners, the PE division of Investcorp Bank. Investcorp’s plan is to help Avira make acquisitions in a wider security consolidation play.

The financial terms of the acquisition are not being disclosed in the companies’ joint announcement, but the CEO of Avira, Travis Witteveen, and ITP’s MD, Gilbert Kamieniecky, both said it gives Avira a total valuation of $180 million. The deal will involve ITP taking a majority ownership in the company, with Avira founder Tjark Auerbach retaining a “significant” stake of the company in the deal, Kamieniecky added.

Avira is not a tech startup, or not in the typical sense. It was founded in 1986, and has been bootstrapped, in that it seems never to have taken any outside investment as it has grown. Witteveen said that it has “tens of millions” of users today of its own-branded products — its anti-virus software has been resold by the likes of Facebook (as part of its now-dormant antivirus marketplace) — and many more via the white-label deals it makes with big names. Strategic partners today include NTT, Deutsche Telekom, IBM, Canonical, and more.

He said that the company has had many strategic approaches for acquisition from the ranks of tech companies, and also from more typical investors, but these were not routes that it has wanted to follow, since it wanted to grow as its own business, and needed more of a financial injection to do that than what it could get from more standard VC deals.

“We wanted a partnership where someone could step in and support our organic growth, and the inorganic [acquisition] opportunity,” he said.

The plan will be to make more acquisitions to expand Avira’s footprint, both in terms of products and especially to grow its geographic footprint: today the company is active in Asia, Europe and to a lesser extent in the US, while Investcorp has a business that also extends deep into the Middle East.

Cybersecurity, meanwhile, may never go out of style as an investment and growth opportunity in tech. Not only have cyber threats become more sophisticated and ubiquitous and targeted at individual consumers and businesses over the last several years, but our increasing reliance on technology and internet-connected systems will increase the demand and need to keep these safe from malicious attacks.

That has become no more apparent than in recent weeks, when much of the world’s population has been confined to shelter in place. People have in turn spent unprecedented amounts of time online using their phones, computers and other devices to read news, communicate with their families and friends, entertain themselves, and do critical work that they may have in part done in the past offline.

“In the current market you can imagine a lot are concerned about the uncertainties of the technology landscape, but this is one that continues to thrive,” said Kamieniecky. “In security we have seen companies develop quite rapidly and quickly, and here we have an opportunity to do that.”

Avira has been somewhat of a consolidator up to now, buying companies like SocialShield (which provided online security specifically for younger and social media users), while ITP, with Investcorp having some $34 billion under management, has made many acquisitions (and divestments) over the years, with some of the tech deals including Ubisense, Zeta Interactive and Dialogic.


By Ingrid Lunden

Box adds automated malware detection to Box Shield security product

With more folks working at home than ever, and many on machines outside the purview of IT and security teams, it’s becoming increasingly imperative to find creative ways to protect them from harm. Today, Box announced it was adding automated malware detection tools to Box Shield, the security product it announced last year.

Aaron Levie, CEO at Box, says that it’s important to find new ways of thinking about security, especially with millions of people suddenly working at home using cloud solutions.

“As people have begun working from home in greater numbers, you’re seeing an increase in malware and phishing attacks. [Bad actors] are starting to spread these security vulnerabilities in a much more aggressive manner, and so we’re launching Box Shield with malware protection built-in with advanced tools and policies around that malware detection,” he said.

The company is taking a three-pronged approach with this solution. For starters, it will let users view a file without actually having to download it first, while indicating if there is a risk associated with it. Next, it will actually prevent users from downloading a file with malware attached, and finally it will alert the security team when a file with malware has been uploaded to Box.

The idea is to keep the file from infecting whatever device employees are working on and to alert end users when there is a problem, while letting them see the content of the file so they have all the information they need to judge whether the file is actually legitimate in the first place.

It’s so much easier right now to be spreading this kind of malicious package with people working from home, and sharing files at a far greater rate than ever before. This new feature is designed to give everyone in the loop from the end user to the IT security team some confidence that they can know when files are infected or not and keep them from proliferating inside of Box.


By Ron Miller

Zoom will enable waiting rooms by default to stop Zoombombing

Zoom is making some drastic changes to prevent rampant abuse as trolls attack publicly-shared video calls. Starting April 5th, it will require passwords to enter calls via Meeting ID, since these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.

The changes could prevent “Zoombombing”, a term I coined two weeks ago to describe malicious actors entering Zoom calls and disrupting them by screensharing offensive imagery. New Zoombombing tactics have since emerged, like spamming the chat thread with terrible GIFs, using virtual backgrounds to spread hateful messages, or just screaming profanities and slurs. Anonymous forums have now become breeding grounds for organized trolling efforts to raid calls.

Just imagine the most frightened look on all these people’s faces. That’s what happened when Zoombombers attacked the call.

The FBI has issued a warning about the Zoombombing problem after children’s online classes, alcoholics anonymous meetings, and private business calls were invaded by trolls. Security researchers have revealed many ways that attackers can infiltrate a call.

The problems stem from Zoom being designed for trusted enterprise use cases rather than cocktail hours, yoga classes, roundtable discussions, and classes. But with Zoom struggling to scale its infrastructure as its daily user count has shot up from 10 million to 200 million over the past month due to coronavirus shelter-in-place orders, it’s found itself caught off guard.

Zoom CEO Eric Yuan apologized for the security failures this week and vowed changes. But at the time, the company merely said it would default to making screensharing host-only and keeping waiting rooms on for its K-12 education users. Clearly it determined that wasn’t sufficient, so now waiting rooms are on by default for everyone.

Zoom communicated the changes to users via an email sent this afternoon that explains “we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.”

The company also explained that “For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.” Some other precautions users can take include disabling file transfer, screensharing, or rejoining by removed attendees.

The shift could cause some hassle for users. Hosts will be distracted by having to approve attendees out of the waiting room while they’re trying to lead calls. Zoom recommends users resend invites with passwords attached for Meeting ID-based calls scheduled for after April 5th. Scrambling to find passwords could make people late to calls.

But that’s a reasonable price to pay to keep people from being scarred by Zoombombing attacks. The rash of trolling threatened to sour many people’s early experiences with the video chat platform just as it’s been having its breakout moment. A single call marred by disturbing pornography can leave a stronger impression than 100 peaceful ones with friends and colleagues. The old settings made sense when it was merely an enterprise product, but it needed to embrace its own change of identity as it becomes a fundamental utility for everyone.

Technologists will need to grow better at anticipating worst-case scenarios as their products go mainstream and are adapted to new use cases. Assuming everyone will have the best intentions ignores the reality of human nature. There’s always someone looking to generate a profit, score power, or cause chaos from even the smallest opportunity. Building development teams that include skeptics and realists, rather than just visionary idealists, could ensure products get safeguarded from abuse before rather than after a scandal occurs.


By Josh Constine