Cybereason raises $200 million for its enterprise security platform

Cybereason, which uses machine learning to increase the number of endpoints a single analyst can manage across a network of distributed resources, has raised $200 million in new financing from SoftBank Group and its affiliates. 

It’s a sign of the belief that SoftBank has in the technology, since the Japanese investment firm is basically doubling down on commitments it made to the Boston-based company four years ago.

The company first came to our attention five years ago when it raised a $25 million financing from investors, including CRV, Spark Capital and Lockheed Martin.

Cybereason’s technology processes and analyzes data in real time across an organization’s daily operations and relationships. It looks for anomalies in behavior across nodes on networks and uses those anomalies to flag suspicious activity.

The company also provides reporting tools to inform customers of the root cause, the timeline, the person involved in the breach or breaches, which tools they use and what information was being disseminated within and outside of the organization.

For co-founder Lior Div, Cybereason’s work is the continuation of the six years of training and service he spent working with the Israeli army’s 8200 Unit, the military incubator for half of the security startups pitching their wares today. After his time in the military, Div worked for the Israeli government as a private contractor reverse-engineering hacking operations.

Over the last two years, Cybereason has expanded the scope of its service to a network that spans 6 million endpoints tracked by 500 employees, with offices in Boston, Tel Aviv, Tokyo and London.

“Cybereason’s big data analytics approach to mitigating cyber risk has fueled explosive expansion at the leading edge of the EDR domain, disrupting the EPP market. We are leading the wave, becoming the world’s most reliable and effective endpoint prevention and detection solution because of our technology, our people and our partners,” said Div, in a statement. “We help all security teams prevent more attacks, sooner, in ways that enable understanding and taking decisive action faster.”

The company said it will use the new funding to accelerate its sales and marketing efforts across all geographies and push further ahead with research and development to make more of its security operations autonomous.

“Today, there is a shortage of more than three million level 1-3 analysts,” said Yonatan Striem-Amit, chief technology officer and co-founder, Cybereason, in a statement. “The new autonomous SOC enables SOC teams of the future to harness technology where manual work is being relied on today and it will elevate L1 analysts to spend time on higher value tasks and accelerate the advanced analysis L3 analysts do.”

Most recently the company was behind the discovery of Operation SoftCell, the largest nation-state cyber espionage attack on telecommunications companies. 

That attack, which was either conducted by Chinese-backed actors or made to look like it was conducted by Chinese-backed actors, according to Cybereason, targeted a select group of users in an effort to acquire cell phone records.

As we wrote at the time:

… hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records — including times and dates of calls, and their cell-based locations — on at least 20 individuals.

Researchers at Boston-based Cybereason, who discovered the operation and shared their findings with TechCrunch, said the hackers could track the physical location of any customer of the hacked telcos — including spies and politicians — using the call records.

Lior Div, Cybereason’s co-founder and chief executive, told TechCrunch it’s “massive-scale” espionage.

Call detail records — or CDRs — are the crown jewels of any intelligence agency’s collection efforts. These call records are highly detailed metadata logs generated by a phone provider to connect calls and messages from one person to another. Although they don’t include the recordings of calls or the contents of messages, they can offer detailed insight into a person’s life. The National Security Agency has for years controversially collected the call records of Americans from cell providers like AT&T and Verizon (which owns TechCrunch), despite the questionable legality.

It’s not the first time that Cybereason has uncovered major security threats.

Back when it had just raised capital from CRV and Spark, Cybereason’s chief executive was touting its work with a defense contractor who’d been hacked. Again, the suspected culprit was the Chinese government.

As we reported, during one of the early product demos for a private defense contractor, Cybereason identified a full-blown attack by the Chinese — 10,000 thousand usernames and passwords were leaked, and the attackers had access to nearly half of the organization on a daily basis.

The security breach was too sensitive to be shared with the press, but Div says that the FBI was involved and that the company had no indication that they were being hacked until Cybereason detected it.


By Jonathan Shieber

Slack makes some key security enhancements

As Slack makes its way deeper into the enterprise, it needs to layer on more sophisticated security measures like the encryption key management feature it released last year. Today, the company published a blog post outlining its latest security strategy, and while it still doesn’t include end-to-end encryption of Slack messaging, it is a big step forward.

For many companies, there is a minimum level of security they will require before they use a tool like Slack company-wide, and this is particularly true for regulated industries. Slack is trying to answer some of these concerns with today’s post.

As for end-to-end (E2E) encryption, Slack believes it would adversely affect the user experience and says there hasn’t been a lot of customer demand for it so far. “If we were to add E2E encryption, it would result in limited functionality in Slack. With EKM (encryption key management), you gain cryptographic controls, providing visibility and opportunity for key revocation with granularity, control and no sacrifice to user experience,” a Slack spokesperson told TechCrunch.

Today, the company provides the ability for admins to require Touch ID or Face ID or to enter a passcode on a mobile device. In addition, if a user reports a device stolen, admins can wipe Slack conversations remotely, although this is currently only available through an API.

What they have coming soon is a new administrative dashboard, where admins can manage all of this kind of security in a single place. They will even be able to detect if a person is using a jail-broken phone and shut down access to the phone. In addition, they will be able to force upgrades to the latest version of Slack by not allowing access until the person downloads the latest version.

Later this year, admins will be able to block files downloaded from Slack desktop that come from outside of a set of pre-approved IP addresses. And on the mobile side, they will be able to force file links to open in an approved browser.

All of these features are designed to make administrators feel more comfortable using Slack in a secure and reliable way. One of Slack’s big strengths is its ability to integrate with other pieces of the enterprise software ecosystem, but companies still want control over what files are shared and how they open across devices. These new tools go a long way toward easing those types of concerns.


By Ron Miller

Conflura snags $9M Series A to help stop cyber attacks in real time

Just yesterday, we experienced yet another major breach when Capital One announced it had been hacked and years of credit card application information had been stolen. Another day, another hack, but the question is how companies can protect themselves in the face of an onslaught of attacks. Conflura, a Palo Alto startup, wants to help with a new tool that purports to stop these kinds of attacks in real time.

Today the company, which launched last year, announced a $9 million Series A investment led by Lightspeed Venture Partners. It also has the backing of several influential technology execs, including John W. Thompson, who is chairman of Microsoft and former CEO at Symantec; Frank Slootman, CEO at Snowflake and formerly CEO at ServiceNow; and Lane Bess, former CEO of Palo Alto Networks.

What has attracted this interest is the company’s approach to cyber security. “Conflura is a real-time cyber security company. We are delivering the industry’s first platform to deterministically stop cyber attacks in real time,” company co-founder and CEO Abhijit Ghosh told TechCrunch.

To do that, Ghosh says, his company’s solution watches across the customer’s infrastructure, finds issues and recommends ways to mitigate the attack. “We see the problem that there are too many solutions which have been used. What is required is a platform that has visibility across the infrastructure, and uses security information from multiple sources to make that determination of where the attacker currently is and how to mitigate that,” he explained.

Microsoft chairman John Thompson, who is also an investor, says this is more than just real-time detection or real-time remediation. “It’s not just the audit trail and telling them what to do. It’s more importantly blocking the attack in real time. And that’s the unique nature of this platform, that you’re able to use the insight that comes from the science of the data to really block the attacks in real time,” Thompson said.

It’s early days for Conflura as it has 19 employees and 3 customers using the platform so far. For starters, it will be officially launching next week at Black Hat. After that, it has to continue building out the product and prove that it can work as described to stop the types of attacks we see on a regular basis from happening.


By Ron Miller

Duo’s Wendy Nather to talk security at TC Sessions: Enterprise

When it comes to enterprise security, how do you move fast without breaking things?

Enter Duo’s Wendy Nather, who will join us at TC Sessions: Enterprise in San Francisco on September 5, where we will get the inside track on how to keep enterprise networks secure without slowing growth.

Nather is head of advisory CISOs at Duo Security, a Cisco company, and one of the most respected and trusted voices in the cybersecurity community as a regular speaker on a range of topics, from threat intelligence to risk analysis, incident response, data security and privacy issues.

Prior to her role at Duo, she was the research director at the Retail ISAC, and served as the research director of the Information Security Practice at independent analyst firm 451 Research.

She also led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation — now UBS.

Nather also co-authored “The Cloud Security Rules,” and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014.

We’re excited to have Nather discuss some of the challenges startups and enterprises face in security — threats from both inside and outside the firewall. Companies large and small face similar challenges, from keeping data in to keeping hackers out. How do companies navigate the litany of issues and threats without hampering growth?

Who else will we have onstage, you ask? Good question! We’ll be joined by some of the biggest names and the smartest and most prescient people in the industry, including Bill McDermott at SAP, Scott Farquhar at Atlassian, Julie Larson-Green at Qualtrics, Aaron Levie at Box and Andrew Ng at Landing AI and many, many more. See the whole agenda right here.

Early-bird tickets are on sale right now! For just $249 you can see Nather and these other awesome speakers live at TC Sessions: Enterprise. But hurry, early-bird sales end on August 9; after that, prices jump up by $100. Book here.

If you’re a student on a budget, don’t worry, we’ve got a super-reduced ticket for just $75 when you apply for a student ticket right here.

Enterprise-focused startups can bring the whole crew when you book a Startup Demo table for just $2,000. Each table gives you a primo location to be seen by attendees, investors and other sponsors, in addition to four tickets to enjoy the show. We only have a limited amount of demo tables and we will sell out. Book yours here.


By Frederic Lardinois

Serverless, Inc expands free Framework to include monitoring and security

Serverless development has largely been a lonely pursuit until recently, but Serverless, Inc has been offering a free framework for intrepid programmers since 2015. At first, that involved development, deployment and testing, but today the company announced it is expanding into monitoring and security to make it an end-to-end tool — and it’s available for free.

Serverless computing isn’t actually server-free, but it’s a form of computing that provides a way to use only the computing resources you need to carry out a given function and no more. When the process is complete, the resources effectively go away. That has the potential to be more cost-effective than having a server that’s always on, regardless of whether you’re using it or not. That requires a new way of thinking about how developers write code.

While serverless offers a compelling value proposition, up until Serverless, Inc came along with some developer tooling, early adherents were pretty much stuck building their own tooling to develop, deploy and test their programs. Today’s announcement expands the earlier free Serverless, Inc Framework to provide a more complete set of serverless developer tools.

Company founder and CEO Austen Collins says that he has been thinking a lot about what developers need to develop and deploy serverless programs, and talking to customers. He says that they really craved a more integrated approach to serverless development than has been available until now.

“What we’re trying to do is build this perfectly integrated solution for developers and developer teams because we want to enable them to innovate as much as possible and be as autonomous as possible,” Collins told TechCrunch. He says at the same time, he recognizes that operations needs to connect to other tools and the Serverless Framework provides hooks into other systems as well.

The new tooling includes an integrated environment, so that once you deploy, you can simply click an error or security event and drill down to a dashboard for more information about the issue. You can click for further detail to see the exact spot in the code where the issue occurred, which should make it easier to resolve more quickly.

While no tool is 100 percent comprehensive, and most large organizations, and even individual developers, will have a set of tools they prefer to use, this is an attempt to build a one-stop solution for serverless developers for the first time. That in itself is significant as serverless moves beyond early adopters and begins to become more of a mainstream kind of programming and deployment option. People starting now probably won’t want to cobble together their own toolkits, and the Serverless, Inc. Framework gives them a good starting point.

Serverless, Inc. was founded by Collins in 2015 out of a need for serverless computing tooling. He has raised over $13.5 million since inception.


By Ron Miller

InCountry raises $15M for its cloud-based private data storage-as-a-service solution

The rise of data breaches, along with an expanding raft of regulations (now numbering 80 different regional regimes, and growing) have thrust data protection — having legal and compliant ways of handling personal user information — to the top of the list of things that an organization needs to consider when building and operating their businesses. Now a startup called InCountry, which is building both the infrastructure for these companies to securely store that personal data in each jurisdiction, as well as a comprehensive policy framework for them to follow, has raised a Series A of $15 million. The funding is coming in just three months after closing its seed round — underscoring both the attention this area is getting and the opportunity ahead.

The funding is being led by three investors: Arbor Ventures of Singapore, Global Founders Capital of Berlin, and Mubadala of Abu Dhabi. Previous investors Caffeinated Capital, Felicis Ventures, Charles River Ventures, and Team Builder Ventures (along with others that are not being named) also participated. It brings the total raised to date to $21 million.

Peter Yared, the CEO and founder, pointed out in an interview the geographic diversity of the three lead backers: he described this as a strategic investment, which has resulted from InCountry already expanding its work in each region. (As one example, he pointed out a new law in the UAE requiring all health data of its citizens to be stored in the country — regardless of where it originated.)

As a result, the startup will be opening offices in each of the regions and launching a new product, InCountry Border, to focus on encryption and data handling that keep data inside specific jurisdictions. This will sit alongside the company’s compliance consultancy as well as its infrastructure business.

“We’re only 28 people and only six months old,” Yared said. “But the proposition we offer — requiring no code changes, but allowing companies to automatically pull out and store the personally identifiable information in a separate place, without anything needed on their own back end, has been a strong pull. We’re flabbergasted with the meetings we’ve been getting.” (The alternative, of companies storing this information themselves, has become massively unpalatable, given all the data breaches we’ve seen, he pointed out.)

In part because of the nature of data protection, in its short six months of life, InCountry has already come out of the gates with a global viewpoint and global remit.

It’s already active in 65 countries — which means it’s already equipped to store, process, and regulate profile data in the country of origin in these markets — but that is actually just the tip of the iceberg. The company points out that more than 80 countries around the world have data sovereignty regulations, and that in the US, some 25 states already have data privacy laws. Violating these can have disastrous consequences for a company’s reputation, not to mention its bottom line: In Europe, earlier this month the UK data regulator is now fining companies the equivalent of hundreds of millions of dollars when they violate GDPR rules.

This ironically is translating into a big business opportunity for startups that are building technology to help companies cope with this. Just last week, OneTrust raised a $200 million Series A to continue building out its technology and business funnel — the company is a “gateway” specialist, building the welcome screens that you encounter when you visit sites to accept or reject a set of cookies and other data requests.

Yared says that while InCountry is very young and is still working on its channel strategy — it’s mainly working directly with companies at this point — there is a clear opportunity both to partner with others within the ecosystem as well as integrators and others working on cloud services and security to build bigger customer networks.

That speaks to the complexity of the issue, and the different entry points that exist to solve it.

“The rapidly evolving and complex global regulatory landscape in our technology driven world is a growing challenge for companies,” said Melissa Guzy of Arbor Ventures, in a statement. Guzy is joining the board with this round. “InCountry is the first to provide a comprehensive solution in the cloud that enables companies to operate globally and address data sovereignty. We’re thrilled to partner and support the company’s mission to enable global data compliance for international businesses.”


By Ingrid Lunden

Dust Identity secures $10M Series A to identify objects with diamond dust

The idea behind Dust Identity was originally born in an MIT lab where students developed a system of uniquely identifying objects using diamond dust. Since then, the startup has been working to create a commercial application for the advanced technology, and today it announced a $10 million Series A round led by Kleiner Perkins, which also led its $2.3 million seed round last year.

Airbus Ventures and Lockheed Martin Ventures, New Science Ventures, Angular Ventures and Castle Island Ventures also participated in the round. Today’s investment brings the total raised to $12.3 million.

The company has an unusual idea of applying a thin layer of diamond dust to an object with the goal of proving that object has not been tampered with. While using diamond dust may sound expensive, the company told TechCrunch last year at the time of its seed round funding that it uses low-cost industrial diamond waste, rather than the expensive variety you find in jewelry stores.

As CEO and co-founder Ophir Gaathon told TechCrunch last year, “Once the diamonds fall on the surface of a polymer epoxy, and that polymer cures, the diamonds are fixed in their position, fixed in their orientation, and it’s actually the orientation of those diamonds that we developed a technology that allows us to read those angles very quickly.”

Ilya Fushman, who is leading the investment for Kleiner, says the company is offering a unique approach to identity and security for objects. “At a time when there is a growing trust gap between manufacturers and suppliers, Dust Identity’s diamond particle tag provides a better solution for product authentication and supply chain security than existing technologies,” he said in a statement.

The presence of strategic investors Airbus and Lockheed Martin shows that big industrial companies see a need for advanced technology like this in the supply chain. It’s worth noting that the company partnered with enterprise computing giant SAP last year to provide a blockchain interface for physical objects, where they store the Dust Identity identifier on the blockchain. Although the startup has a relationship with SAP, it remains blockchain agnostic, according to a company spokesperson.

While it’s still early days for the company, it has attracted attention from a broad range of investors and intends to use the funding to continue building and expanding the product in the coming year. To this point, it has implemented pilot programs and early deployments across a range of industries including automotive, luxury goods, cosmetics and oil, gas and utilities.


By Ron Miller

OneTrust raises $200M at a $1.3B valuation to help organizations navigate online privacy rules

GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s always good practice for companies with an online presence to take measures to safeguard people’s data, but now failing to do so can land them in some serious hot water.

Now — to underscore the urgency and demand in the market — one of the bigger companies helping organizations navigate those rules is announcing a huge round of funding. OneTrust, which builds tools to help companies navigate data protection and privacy policies both internally and with its customers, has raised $200 million in a Series A led by Insight that values the company at $1.3 billion.

It’s an outsized round for a Series A, being made at an equally outsized valuation — especially considering that the company is only three years old — but that’s because, according to CEO Kabir Barday, of the wide-ranging nature of the issue, and OneTrust’s early moves and subsequent pole position in tackling it.

“We’re talking about an operational overhaul in a company’s practices,” Barday said in an interview. “That requires the right technology and reach to be able to deliver that at a low cost.” Notably, he said that OneTrust wasn’t actually in search of funding — it’s already generating revenue and could have grown off its own balance sheet — although he noted that having the capitalization and backing sends a signal to the market and in particular to larger organizations of its stability and staying power.

Currently, OneTrust has around 3,000 customers across 100 countries (and 1,000 employees), and the plan will be to continue to expand its reach geographically and to more businesses. Funding will also go towards the company’s technology: it already has 50 patents filed and another 50 applications in progress, securing its own IP in the area of privacy protection.

OneTrust offers technology and services covering three different aspects of data protection and privacy management.

Its Privacy Management Software helps an organization manage how it collects data, and it generates compliance reports in line with how a site is working relative to different jurisdictions. Then there is the famous (or infamous) service that lets internet users set their preferences for how they want their data to be handled on different sites. The third is a larger database and risk management platform that assesses how various third-party services (for example advertising providers) work on a site and where they might pose data protection risks.

These are all provided either as a cloud-based software as a service, or an on-premises solution, depending on the customer in question.

The startup also has an interesting backstory that sheds some light on how it was founded and how it identified the gap in the market relatively early.

Alan Dabbiere, who is the co-chairman of OneTrust, had been the chairman of Airwatch — the mobile device management company acquired by VMware in 2014 (Airwatch’s CEO and founder, John Marshall, is OneTrust’s other co-chairman). In an interview, he told me that it was when they were at Airwatch — where Barday had worked across consulting, integration, engineering and product management — that they began to see just how a smartphone “could be a quagmire of information.”

“We could capture apps that an employee was using so that we could show them to IT to mitigate security risks,” he said, “but that actually presented a big privacy issue. If [the employee] has dyslexia [and uses a special app for it] or if the employee used a dating app, you’ve now shown things to IT that you shouldn’t have.”

He admitted that in the first version of the software, “we weren’t even thinking about whether that was inappropriate, but then we quickly realised that we needed to be thinking about privacy.”

Dabbiere said that it was Barday who first brought that sensibility to light, and “that is something that we have evolved from.” After that, and after the VMware sale, it seemed a no-brainer that he and Marshall would come on to help the new startup grow.

Airwatch made a relatively quick exit, I pointed out. His response: the plan is to stay the course at OneTrust, with a lot more room for expansion in this market. He describes the issues of data protection and privacy as “death by 1,000 cuts.” I guess when you think about it from an enterprising point of view, that essentially presents 1,000 business opportunities.

Indeed, there is obvious growth potential to expand not just its funnel of customers, but to add in more services, such as proactive detection of malware that might leak customers’ data (which calls to mind the recently-fined breach at British Airways), as well as tools to help stop that once identified.

While there are a million other companies also looking to fix those problems today, what’s interesting is the point from which OneTrust is starting: by providing tools to organizations simply to help them operate in the current regulatory climate as good citizens of the online world.

This is what caught Insight’s eye with this investment.

“OneTrust has truly established themselves as leaders in this space in a very short timeframe, and are quickly becoming for privacy professionals what Salesforce became for salespeople,” said Richard Wells of Insight. “They offer such a vast range of modules and tools to help customers keep their businesses compliant with varying regulatory laws, and the tailwinds around GDPR and the upcoming CCPA make this an opportune time for growth. Their leadership team is unparalleled in their ambition and has proven their ability to convert those ambitions into reality.”

Wells added that while this is a big round for a Series A it’s because it is something of an outlier — not a mark of how Series A rounds will go soon.

“Investors will always be interested in and keen to partner with companies that are providing real solutions, are already established and are led by a strong group of entrepreneurs,” he said in an interview. “This is a company that has the expertise to help solve for what could be one of the greatest challenges of the next decade. That’s the company investors want to partner with and grow, regardless of fund timing.”


By Ingrid Lunden

Visa funds $40M for no-password crypto vault Anchorage

Visa and Andreessen Horowitz are betting even bigger on cryptocurrency, funding a big round for fellow Facebook Libra Association member Anchorage’s omnimetric blockchain security system. Instead of using passwords that can be stolen, Anchorage requires cryptocurrency withdrawals to be approved by a client’s other employees. Then the company uses both human and AI review of biometrics and more to validate transactions before they’re executed, while offering end-to-end insurance coverage.

This new-age approach to cryptocurrency protection has attracted a $40 million Series B for Anchorage led by Blockchain Capital and joined by Visa and Andreessen Horowitz. The round adds to Anchorage’s $17 million Series A that Andreessen led just six months ago, demonstrating extraordinary momentum for the security startup.

“As a custodian, our work is focused on building financial plumbing that other companies depend on for their operations to run smoothly. In this regard we have always looked at Visa as a model,” Anchorage co-founder and president Diogo Mónica tells me.

“Visa was ‘fintech’ before the term existed, and has always been on the vanguard of financial infrastructure. Visa’s investment in Anchorage is helpful not only to our company but to our industry, as a validation of the entire ecosystem and a recognition that crypto will play a key role in the future of global finance.”

Cold-storage, where assets are held in computers not connected to the Internet, has become a popular method of securing Bitcoin, Ether, and other tokens. But the problem is that this can prevent owners from participating in governance of certain cryptocurrency where votes are based on their holdings, or earning dividends. Anchorage tells me it’s purposefully designed to permit this kind of participation, helping clients to get the most out of their assets like capturing returns from staking and inflation, or joining in on-chain governance.

As 3 of the 28 founding members of the Libra Association that will govern the new Facebook-incubated cryptocurrency, Anchorage, Visa, and Andreessen Horowitz will be responsible for ensuring the stablecoin stays secure. While Facebook is building its own custodial wallet called Calibra for users, other Association members and companies hoping to dive into the ecosystem will need ways to protect their Libra stockpiles.

“Libra is exactly the kind of asset that Anchorage was created to hold” Mónica wrote the day Libra was revealed. “Our custody solution , so that asset-holders don’t face a trade-off between security and usability.” The company believes that custodians shouldn’t dictate what coins their clients hold, so it’s working to support all types of digital assets. Anchorage tells me that will include support for securing Libra in the future.

You’ve probably already used technology secured by Anchorage’s founders, who engineered Docker’s containers that are used by Microsoft, and Square’s first encrypted card reader. Mónica was at Square when he met his future Anchorage co-founder Nathan McCauley, who’d been working on anti-reverse engineering tech for the U.S. military. When a company that had lost the password to a $1 million cryptocurrency account asked for their help with security, they recognized the need for a more idiot-proof take on asset protection.

“Anchorage applies the best of modern security engineering for a more advanced approach: we generate and store private keys in secure hardware so they are never exposed at any point in their life cycle, and we eliminate human operations that expose assets to risk” Mónica says. The startup competes with other crypto custody firms like Bitgo, Ledger, Coinbase, and Gemini.

Last time we spoke, Anchorage was cagey about what I could reveal regarding how its transaction validation system worked. With the new funding, it’s feeling a little more secure about its market position and was willing to share more.

Anchorage ditches usernames, passwords, email addresses, and phone numbers completely. That way a hacker can’t just dump your coins into their account by stealing your private key or SIM-porting your number to their phone. Instead, clients whitelist devices held by their employees, who use the Anchorage app to submit transactions. You’d propose selling $10 million worth of Bitcoin or transferring it to someone else as payment, and a minimum of two-thirds of your designated co-workers would need to concur to form a quorum that approves the transfer.

But first, Anchorage’s artificial intelligence and human staff would check for any suspicious signals that might indicate a hack in progress. It uses behavioral analysis (do you act like a real human and similar to how you have before), biometric signals (do you look like you), and network signals (is your device what and where it should be) to confirm the transaction is legitimate. The same process goes down if you try to add a new whitelisted device or change who has permission to do what.

The challenge will be scaling security to an ever-broadening range of digital assets, each with their own blockchain quirks and complex smart contracts. Even if Anchorage keeps coins safely in custody, those variables could expose assets to risk while in transit. Now with deeper pockets and the Visa vote of confidence, Anchorage could solve those problems as clients line up.

While most blockchain attention has focused on the cryptocurrencies themselves and the exchanges where you can buy and sell them, a second order of critical infrastructure startups is emerging. Companies like Anchorage could make Bitcoin, Ether, Libra, and more not just objects of speculation or the domain of experts, but safely functioning elements of the new world economy.


By Josh Constine

Vulcan Cyber announces $10M Series A to automate security patching efforts

Many software vulnerabilities are already known, and vendors have even issued patches, but the problem is there are so many patches that it’s often difficult for companies to keep up. Vulcan Cyber wants to help by bringing a level of automation to the patching operation, and in the process reduce exposure to known risks.

Today, it announced a $10 million Series A round from Ten Eleven Ventures and YL Ventures.

In a typical scenario, security researchers find vulnerabilities, the vendors disclose them and patch them. From there it’s up to individual companies to take care of downloading and installing the patch, but Vulcan Cyber co-founder and CEO Yaniv Bar-Dayan says the number of patches has been growing at a furious pace with 6000 patches in 2016, 16,000 in 2017 and 18,000 last year. And that growth trajectory is continuing this year, he says.

Vulcan’s ultimate mission is to help companies remediate security vulnerabilities from their infrastructure. They do this by bringing a level of automation to the process, recognizing that humans can’t keep up with these numbers. “We automate the process of prioritization and deployment to remediate more vulnerabilities faster,” Bar-Dayan explained. What’s more, he said that Vulcan does this without risking business operations, while reducing risk and costs.

Vulcan Cyber risk prioritization view. Screenshot: Vulcan Cyber

The company raised a $4 million seed round last year, bringing the total raised to $14 million so far. As TechCrunch’s Frederic Lardinois pointed out while writing about that seed round, it’s able to achieve this level of automation, while working with the tools developers and security teams typically work with anyway.

“Vulcan Cyber plays nicely with all of the major cloud platforms, as well as tools like Puppet, Chef and Ansible, as well as GitHub and Bitbucket. It also integrates with a number of major security testing tools and vulnerability scanners, including Black Duck, Nessus, Fortify, Tripwire, Checkmarx, Rapid7 and Veracode,” Lardinois wrote.

The company was founded last year and has 25 employees. It plans to continue building its engineering team in Israel with the money from this round, as well as opening an office in San Francisco for sales, marketing and customer success.


By Ron Miller

WeWork acquires Waltz, an app that lets users access different spaces with a single credential

WeWork announced today that it will acquire Waltz, a building access and security management startup, for an undisclosed amount. Waltz’s smartphone app and reader allow users to enter different properties with a single credential and will make it easier for WeWork’s enterprise clients, such as GE Healthcare and Microsoft, to manage their employees’ on-demand memberships to WeWork spaces.

WeWork’s announcement said “with deep expertise in mobile access and system integrations, Waltz has the most advanced and sophisticated products to provide that single credential to our members and to help us better connect them with our spaces.” Waltz was founded in 2015 by CEO Matt Kopel and has offices in New York and Montreal. After the acquisition, Waltz will be integrated into WeWork, but maintain its current customer base.

WeWork has been on an acquisition spree over the past year as it evolves from co-working spaces to a software-as-a-service provider. Companies it has bought include office management platforms Teem (for $100 million) and Managed by Q, as well as Euclid, a “spatial analytics platform” that allows companies to analyze the use of workspaces by their employees and participation at meetings and other events.

Likewise, Waltz isn’t just an alternative to keys or access cards. Its cloud-based management portal gives companies data about who enters and exits their buildings and also allows teams to set “Door Groups,” which restrict the use of some spaces to certain people. According to Waltz’s help site, it can also be used to make revenue through ads displayed in its app.


By Catherine Shu

Some sage security advice after Radiohead’s unreleased music hack

Bad news: Radiohead was hacked.

Last week, a hacker stole the band’s lead singer Thom Yorke’s private minidisk archive from the band’s third album and subsequent major worldwide hit, “OK Computer.” The hacker demanded $150,000 or they’d release it to the public.

Stuck between a ransom and a hard place, Radiohead released the tapes themselves.

The recordings were “never intended for public consumption” and “only tangentially interesting,” the band said in a post on Facebook. But “instead of complaining – much – or ignoring it, we’re releasing all 18 hours on Bandcamp” in aid of Extinction Rebellion, a climate change group.

Until the end of the month, the stolen recordings will be available for £18 ($23).

There is, though, a lesson to be learned. Holding files for ransom is more common today than ever thanks to ransomware. The event isn’t too dissimilar from a ransomware event. Pay the ransom or lose your files — or worse, have them spread all over the internet. That’s a business’ worst nightmare. We’ve seen ransomware destroy the computer networks of some of the largest companies around the world, like Arizona Beverages, Norsk Hydro and shipping giant Maersk. Ransomware is now a multibillion-dollar business, and it’s growing.

But in any ransom-type situation, the FBI has long told victims of ransomware to never pay. Security experts agree. Simply put, you run the risk of losing your files even if you pay the demand.

ProPublica recently found that even some of the largest ransomware recovery companies are quietly paying the ransom — and passing on the costs to the victim — with mixed results. In many cases, paying the demand failed to recover the files.

If there’s one takeaway from the Radiohead hack, it’s never pay the ransom. Better yet, plan for the worst and have a backup just in case.


By Zack Whittaker

Liberty’s challenge to UK state surveillance powers reveals shocking failures

A legal challenge to the UK’s controversial mass surveillance regime has revealed shocking failures by the main state intelligence agency, which has broad powers to hack computers and phones and intercept digital communications, in handling people’s information.

The challenge, by rights group Liberty, led last month to an initial finding that MI5 had systematically breached safeguards in the UK’s Investigatory Powers Act (IPA) — breaches the Home Secretary, Sajid Javid, euphemistically couched as “compliance risks” in a carefully worded written statement that was quietly released to parliament.

Today Liberty has put more meat on the bones of the finding of serious legal breaches in how MI5 handles personal data, culled from newly released (but redacted) documents that it says describe the “undoubtedly unlawful” conduct of the UK’s main security service which has been retaining innocent people’s data for years.

The series of 10 documents and letters from MI5 and the Investigatory Powers Commissioner’s Office (IPCO), the body charged with overseeing the intelligence agencies’ use of surveillance powers, show that the spy agency has failed to meet its legal duties for as long as the IPA has been law, according to Liberty.

The controversial surveillance legislation passed into UK law in November 2016 — enshrining a system of mass surveillance of digital communications which includes a provision that logs of all Internet users’ browsing activity be retained for a full year, accessible to a wide range of government agencies (not just law enforcement and/or spy agencies).

The law also allows the intelligence agencies to maintain large databases of personal information on UK citizens, even if they are not under suspicion of any crime. And sanctions state hacking of devices, networks and services, including bulk hacking on foreign soil. It also gives U.K. authorities the power to require a company to remove encryption, or limit the rollout of end-to-end encryption on a future service.

The IPA has faced a series of legal challenges since making it onto the statute books, and the government has been forced to amend certain aspects of it on court order — including beefing up restrictions on access to web activity data. Other challenges to the controversial surveillance regime, including Liberty’s, remain ongoing.

The newly released court documents include damning comments on MI5’s handling of data by the IPCO — which writes that: “Without seeking to be emotive, I consider that MI5’s use of warranted data… is currently, in effect, in ‘special measures’ and the historical lack of compliance… is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’”.

Liberty also says MI5 knew for three years of failures to maintain key safeguards — such as the timely destruction of material, and the protection of legally privileged material — before informing the IPCO.

Yet a key government sales pitch for passing the legislation was the claim of a ‘world class’ double-lock authorization and oversight regime to ensure the claimed safeguards on intelligence agencies powers to intercept and retain data.

So the latest revelations stemming from Liberty’s legal challenge represent a major embarrassment for the government.

“It is of course paramount that UK intelligence agencies demonstrate full compliance with the law,” the home secretary wrote in the statement last month, before adding his own political spin: “In that context, the interchange between the Commissioner and MI5 on this issue demonstrates that the world leading system of oversight established by the Act is working as it should.”

Liberty comes to the opposite conclusion on that point — emphasizing that warrants for bulk surveillance were issued by senior judges “on the understanding that MI5’s data handling obligations under the IPA were being met — when they were not”.

“The Commissioner has pointed out that warrants would not have been issued if breaches were known,” it goes on. “The Commissioner states that “it is impossible to sensibly reconcile the explanation of the handling of arrangements the Judicial Commissioners [senior judges] were given in briefings…with what MI5 knew over a protracted period of time was happening.”

So, basically, it’s saying that MI5 — having at best misled judges, whose sole job it is to oversee its legal access to data, about its systematic failures to lawfully handle data — has rather made a sham of the entire ‘world class’ oversight regime.

Liberty also flags what it calls “a remarkable admission to the Commissioner” — made by MI5’s deputy director general — who it says acknowledges that personal data collected by MI5 is being stored in “ungoverned spaces”. It adds that the MI5 legal team claims there is “a high likelihood [of material] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure”.

“Ungoverned spaces” is not a phrase that made it into Javid’s statement last month on MI5’s “compliance risks”.

But the home secretary did acknowledge: “A report of the Investigatory Powers Commissioner’s Office suggests that MI5 may not have had sufficient assurance of compliance with these safeguards within one of its technology environments.”

Javid also said he had set up “an independent review to consider and report back to me on what lessons can be learned for the future”. Though it’s unclear whether that report will be made public. 

We reached out to the Home Office for comment on the latest revelations from Liberty’s litigation. But a spokesman just pointed us to Javid’s prior statement. 

In a statement, Liberty’s lawyer, Megan Goulding, said: “These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history.

“It is unacceptable that the public is only learning now about these serious breaches after the Government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner, who oversees the Government’s surveillance regime.

“And, despite a light being shone on this deplorable violation of our rights, the Government is still trying to keep us in the dark over further examples of MI5 seriously breaching the law.”


By Natasha Lomas

Vectra lands $100M Series E investment for AI-driven network security

Vectra, a seven-year old company that helps customers detect intrusions at the network level, whether in the cloud or on premises, announced a $100 million Series E funding round today led by TCV. Existing investors including Khosla Ventures and Accel also participated in the round, which brings the total raised to over $200 million, according to the company.

As company CEO Hitesh Sheth explained, there are two primary types of intrusion detection. The first is endpoint detection and the second is his company’s area of coverage, network detection and response, or NDR. He says that adding a layer of artificial intelligence improves the overall results.

“One of the keys to our success has been applying AI to network traffic, the networking side of NDR, to look for the signal in the noise. And we can do this across the entire infrastructure, from the data center to the cloud all the way into end user traffic including IoT,” he explained.

He said that as companies move their data to the cloud, they are looking for ways to ensure the security of their most valuable data assets, and he says his company’s NDR solution can provide that. In fact, securing the cloud side of the equation is one of the primary investment focuses for this round.

Tim McAdam, from lead investor TCV, says that the AI piece is a real differentiator for Vectra and one that attracted his firm to invest in the company. He said that while he realized that AI is an overused term these days, after talking to 30 customers he heard over and over again that Vectra’s AI-driven solution was a differentiator over competing products. “All of them have decided to standardize on the Vectra Cognito because to a person, they spoke of the efficacy and the reduction of their threat vectors as a result of standardizing on Vectra,” McAdam told TechCrunch.

The company was founded in 2012 and currently has 240 employees. That is expected to double in the next year to 18 months with this funding.


By Ron Miller

FireEye snags security effectiveness testing startup Verodin for $250M

When FireEye reported its earnings last month, the outlook was a little light, so the security vendor decided to be proactive and make a big purchase. Today, the company announced it has acquired Verodin for $250 million. The deal closed today.

The startup had raised over $33 million since it opened its doors 5 years ago, according to Crunchbase data, and would appear to have given investors a decent return. With Verodin, FireEye gets a security validation vendor, that is, a company that can run a review against the existing security setup and find gaps in coverage.

That would seem to be a handy kind of tool to have in your security arsenal, and could possibly explain the price tag. Perhaps, it could also help set FireEye apart from the broader market, or fill in a gap in its own platform.

FireEye CEO Kevin Mandia certainly sees the potential of his latest purchase. “Verodin gives us the ability to automate security effectiveness testing using the sophisticated attacks we spend hundreds of thousands of hours responding to, and provides a systematic, quantifiable, and continuous approach to security program validation,” he said in a statement.

Chris Key, Verodin co-founder and chief executive officer, sees the purchase through the standard acquisition lens. “By joining FireEye, Verodin extends its ability to help customers take a proactive approach to understanding and mitigating the unique risks, inefficiencies and vulnerabilities in their environments,” he said in a statement. In other words, as part of a bigger company, we’ll do more faster.

While FireEye plans to incorporate Verodin into its on-prem and managed services, it will continue to sell the solution as a stand-alone product, as well.


By Ron Miller