Ping Identity files for $100M IPO on Nasdaq under the ticker ‘Ping’

Source: Tech News – Enterprise

Some eight months after it was reported that Ping Identity’s owners Vista Equity had hired bankers to explore a public listing, today Ping Identity took the plunge: the Colorado-based online ID management company has filed an S-1 form indicating that it plans to raise up to $100 million in an IPO on the Nasdaq exchange under the ticker “Ping.”

While the initial S-1 filing doesn’t have an indication of price range, Ping is said to be looking at a valuation of between $2 billion and $3 billion in this listing.

The company has been around since 2001, founded by Andre Durand (who is still the CEO), and it was acquired by Vista in 2016 for about $600 million — at a time when a clutch of enterprise companies that looked like strong IPO candidates were going the private equity route and staying private instead.

But more recently, there has been a surge in demand for better IT security linked to identity and authentication management, so it seems that Vista Equity is selling up. The PE firm is taking advantage of the fact that the market’s currently very strong for tech IPOs, but there is so much M&A in enterprise right now (just yesterday VMware acquired not one but two companies, Carbon Black for $2.1 billion and Pivotal for $2.7 billion) that I can’t help but wonder if something might move here too.

The S-1 reveals a number of details on the company’s financials, indicating that it’s currently unprofitable but on a steady growth curve. Ping had revenues of $112.9 million in the first six months of 2019, versus $99.5 million in the same period a year before. Its loss has been shrinking in recent years, with a net loss of $3.1 million in the first six months of this year versus $5.8 million a year before. (Notably, in 2017 overall it was profitable, with a net income of $19 million; it seems that the change is due to acquisitions and investing for growth.)

Its annual run rate, meanwhile, was $198 million for the first six months of the year, compared to $159.6 million in the same period a year ago.

The area of identity and access management has become a cornerstone of enterprise IT, with companies looking for efficient and secure ways to centralise how not just their employees, but their customers, their partners and various connected devices on their networks can be authenticated across their cloud and on-premise applications.

The demand for secure solutions covering all the different aspects of a company’s IT stack has grown rapidly over recent years, spurred not just by an increased move to centralised applications served through the cloud, but also by the drastic rise in breaches where malicious hackers have exploited vulnerabilities and loopholes in companies’ sign-on screens.

Ping has been one of the bigger companies building services in this area and tackling all of those use cases, competing with the likes of Okta, OneLogin, Auth0, Cisco, and dozens more off-the-shelf and custom-built solutions.

The company offers its services on an SaaS basis, covering services like secure sign-on, multi-factor authentication, API access security, personalised and unified profile directories, data governance and AI-based security policies. It claims to be the pioneer of “Intelligent Identity”, using AI to help its system analyse user, device and network behavior to better identify potentially malicious activity.

More to come.

 

 



Box introduces Box Shield with increased security controls and threat protection

Source: Tech News – Enterprise

Box has always had to balance the idea of sharing content broadly while protecting it as it moved through the world, but the more you share, the more likely something can go wrong, such as misconfigured shared links that surfaced earlier this year. In an effort to make the system more secure, the company announced Box Shield today in Beta, a set of tools to help employees sharing Box content better understand who they are sharing with, while helping the security team see when content is being misused.

Link sharing is a natural part of what companies do with Box, and as chief product and chief strategy officer Jeetu Patel says, you don’t want to change the way people use Box. Instead, he says it’s his job to make it easier to keep that sharing secure, and that is the goal of today’s announcement.

“We’ve introduced Box Shield, which embeds these content controls and protects the content in a way that doesn’t compromise user experience, while ensuring safety for the administrator and the company, so their intellectual property is protected,” Patel explained.

He says this involves two components. The first is about raising user awareness and helping them understand what they’re sharing. In fact, sometimes companies use Box as a content management backend to distribute files like documentation on the internet on purpose. They want them to be indexed in Google. Other times, however, it’s through misuse of the file sharing component, and Box wants to fix that with this release by making it clear who they are sharing with and what that means.

They’ve updated the experience on the web and mobile products to make it much clearer through messaging and interface design what the sharing level they have chosen means. Of course, some users will ignore all these messages, so there is a second component to give administrators more control.


Box Shield access controls. Photo: Box

This involves helping customers build guardrails into the product to prevent leakage of an entire category of documents that you would never want leaked like internal business plans, salary lists or financial documents, or even to granularly protect particular files or folders. “The second thing we’re trying to do is make sure that Box itself has some built-in security guardrails and boundary conditions that can help people reduce the risk around employee negligence or inadvertent disclosures, and then make sure that you have some very precision-based, granular security controls that can be applied to classifications that you’ve set on content,” he explained.

In addition, the company wants to help customers detect when employees are abusing content, perhaps sharing sensitive data like customer lists with a personal account, and flag these for the security team. This involves flagging anomalous downloads, suspicious sessions or unusual locations inside Box.

The tool can also work with existing security products already in place, so that whatever classification has been applied in Box travels with a file, and anomalies or misuse can be captured by the company’s security apparatus before the file leaves the company’s boundaries.

While Patel acknowledges there is no way to prevent user misuse or abuse in all cases, with Box Shield the company is attempting to provide customers with a set of tools to help them reduce the possibility of it going undetected. Box Shield is in private Beta today and will be released in the Fall.



Facebook’s human-AI blend for audio transcription is now facing privacy scrutiny in Europe

Source: Microsoft more

Facebook’s lead privacy regulator in Europe is now asking the company for detailed information about the operation of a voice-to-text feature in Facebook’s Messenger app and how it complies with EU law.

Yesterday Bloomberg reported that Facebook uses human contractors to transcribe app users’ audio messages — yet its privacy policy makes no clear mention of the fact that actual people might listen to your recordings.

A page on Facebook’s help center also includes a “note” saying “Voice to Text uses machine learning” — but does not say the feature is also powered by people working for Facebook listening in.

A spokesperson for Irish Data Protection Commission told us: “Further to our ongoing engagement with Google, Apple and Microsoft in relation to the processing of personal data in the context of the manual transcription of audio recordings, we are now seeking detailed information from Facebook on the processing in question and how Facebook believes that such processing of data is compliant with their GDPR obligations.”

Bloomberg’s report follows similar revelations about AI assistant technologies offered by other tech giants, including Apple, Amazon, Google and Microsoft — which have also attracted attention from European privacy regulators in recent weeks.

What this tells us is that the hype around AI voice assistants is still glossing over a far less high tech backend. Even as lashings of machine learning marketing guff have been used to cloak the ‘mechanical turk’ components (i.e. humans) required for the tech to live up to the claims.

This is a very old story indeed. To wit: A full decade ago, a UK startup called Spinvox, which had claimed to have advanced voice recognition technology for converting voicemails to text messages, was reported to be leaning very heavily on call centers in South Africa and the Philippines… staffed by, yep, actual humans.

Returning to present day ‘cutting-edge’ tech, following Bloomberg’s report Facebook said it suspended human transcriptions earlier this month — joining Apple and Google in halting manual reviews of audio snippets for their respective voice AIs. (Amazon has since added an opt out to the Alexa app’s settings.)

We asked Facebook where in the Messenger app it had been informing users that human contractors might be used to transcribe their voice chats/audio messages; and how it collected Messenger users’ consent to this form of data processing — prior to suspending human reviews.

The company did not respond to our questions. Instead a spokesperson provided us with the following statement: “Much like Apple and Google, we paused human review of audio more than a week ago.”

Facebook also described the audio snippets that it sent to contractors as masked and de-identified; said they were only collected when users had opted in to transcription on Messenger; and were only used for improving the transcription performance of the AI.

It also reiterated a long-standing rebuttal by the company to user concerns about general eavesdropping by Facebook, saying it never listens to people’s microphones without device permission nor without explicit activation by users.

How Facebook gathers permission to process data is a key question, though.

The company has recently, for example, used a manipulative consent flow in order to nudge users in Europe to switch on facial recognition technology — rolling back its previous stance, adopted in response to earlier regulatory intervention, of switching the tech off across the bloc.

So a lot rests on how exactly Facebook has described the data processing at any point it is asking users to consent to their voice messages being reviewed by humans (assuming it’s relying on consent as its legal basis for processing this data).

Bundling consent into general T&Cs for using the product is also unlikely to be compliant under EU privacy law, given that the bloc’s General Data Protection Regulation requires consent to be purpose limited, as well as fully informed and freely given.

If Facebook is relying on legitimate interests to process Messenger users’ audio snippets in order to enhance its AI’s performance it would need to balance its own interests against any risk to people’s privacy.

Voice AIs are especially problematic in this respect because audio recordings may capture the personal data of non-users too — given that people in the vicinity of a device (or indeed a person on the other end of the phone line who’s leaving you a message) could have their personal data captured without ever having had the chance to consent to Facebook contractors getting to hear it.

Leaks of Google Assistant snippets to the Belgian press recently highlighted both the sensitive nature of recordings and the risk of reidentification posed by such recordings — with journalists able to identify some of the people in the recordings.

Multiple press reports have also suggested contractors employed by tech giants are routinely overhearing intimate details captured via a range of products that include the ability to record audio and stream this personal data to the cloud for processing.



Slack makes some key security enhancements

Source: Tech News – Enterprise

As Slack makes its way deeper into the enterprise, it needs to layer on more sophisticated security measures like the encryption key management feature it released last year. Today, the company published a blog post outlining its latest security strategy, and while it still doesn’t include end-to-end encryption of Slack messaging, it is a big step forward.

For many companies, there is a minimum level of security they will require before they use a tool like Slack company-wide, and this is particularly true for regulated industries. Slack is trying to answer some of these concerns with today’s post.

As for end-to-end (E2E) encryption, Slack believes it would adversely affect the user experience and says there hasn’t been a lot of customer demand for it so far. “If we were to add E2E encryption, it would result in limited functionality in Slack. With EKM (encryption key management), you gain cryptographic controls, providing visibility and opportunity for key revocation with granularity, control and no sacrifice to user experience,” a Slack spokesperson told TechCrunch.

Today, the company provides the ability for admins to require Touch ID or Face ID or to enter a passcode on a mobile device. In addition, if a user reports a device stolen, admins can wipe Slack conversations remotely, although this is currently only available through an API.

What they have coming soon is a new administrative dashboard, where admins can manage all of this kind of security in a single place. They will even be able to detect if a person is using a jail-broken phone and shut down access to the phone. In addition, they will be able to force upgrades to the latest version of Slack by not allowing access until the person downloads the latest version.

Later this year, admins will be able to block files downloaded from Slack desktop that come from outside of a set of pre-approved IP addresses. And on the mobile side, they will be able to force file links to open in an approved browser.

All of these features are designed to make administrators feel more comfortable using Slack in a secure and reliable way. One of Slack’s big strengths is its ability to integrate with other pieces of the enterprise software ecosystem, but companies still want control over what files are shared and how they open across devices. These new tools go a long way toward easing those types of concerns.



Cybereason raises $200 million for its enterprise security platform

Source: Tech News – Enterprise

Cybereason, which uses machine learning to increase the number of endpoints a single analyst can manage across a network of distributed resources, has raised $200 million in new financing from SoftBank Group and its affiliates. 

It’s a sign of the belief that SoftBank has in the technology, since the Japanese investment firm is basically doubling down on commitments it made to the Boston-based company four years ago.

The company first came to our attention five years ago when it raised a $25 million financing from investors, including CRV, Spark Capital and Lockheed Martin.

Cybereason’s technology processes and analyzes data in real time across an organization’s daily operations and relationships. It looks for anomalies in behavior across nodes on networks and uses those anomalies to flag suspicious activity.

The company also provides reporting tools to inform customers of the root cause, the timeline, the person involved in the breach or breaches, which tools they use and what information was being disseminated within and outside of the organization.

For co-founder Lior Div, Cybereason’s work is the continuation of the six years of training and service he spent working with the Israeli army’s 8200 Unit, the military incubator for half of the security startups pitching their wares today. After his time in the military, Div worked for the Israeli government as a private contractor reverse-engineering hacking operations.

Over the last two years, Cybereason has expanded the scope of its service to a network that spans 6 million endpoints tracked by 500 employees, with offices in Boston, Tel Aviv, Tokyo and London.

“Cybereason’s big data analytics approach to mitigating cyber risk has fueled explosive expansion at the leading edge of the EDR domain, disrupting the EPP market. We are leading the wave, becoming the world’s most reliable and effective endpoint prevention and detection solution because of our technology, our people and our partners,” said Div, in a statement. “We help all security teams prevent more attacks, sooner, in ways that enable understanding and taking decisive action faster.”

The company said it will use the new funding to accelerate its sales and marketing efforts across all geographies and push further ahead with research and development to make more of its security operations autonomous.

“Today, there is a shortage of more than three million level 1-3 analysts,” said Yonatan Striem-Amit, chief technology officer and co-founder, Cybereason, in a statement. “The new autonomous SOC enables SOC teams of the future to harness technology where manual work is being relied on today and it will elevate  L1 analysts to spend time on higher value tasks and accelerate the advanced analysis L3 analysts do.”

Most recently the company was behind the discovery of Operation SoftCell, the largest nation-state cyber espionage attack on telecommunications companies. 

That attack, which was either conducted by Chinese-backed actors or made to look like it was conducted by Chinese-backed actors, according to Cybereason, targeted a select group of users in an effort to acquire cell phone records.

As we wrote at the time:

… hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records — including times and dates of calls, and their cell-based locations — on at least 20 individuals.

Researchers at Boston-based Cybereason, who discovered the operation and shared their findings with TechCrunch, said the hackers could track the physical location of any customer of the hacked telcos — including spies and politicians — using the call records.

Lior Div, Cybereason’s co-founder and chief executive, told TechCrunch it’s “massive-scale” espionage.

Call detail records — or CDRs — are the crown jewels of any intelligence agency’s collection efforts. These call records are highly detailed metadata logs generated by a phone provider to connect calls and messages from one person to another. Although they don’t include the recordings of calls or the contents of messages, they can offer detailed insight into a person’s life. The National Security Agency  has for years controversially collected the call records of Americans from cell providers like AT&T and Verizon (which owns TechCrunch), despite the questionable legality.

It’s not the first time that Cybereason has uncovered major security threats.

Back when it had just raised capital from CRV and Spark, Cybereason’s chief executive was touting its work with a defense contractor who’d been hacked. Again, the suspected culprit was the Chinese government.

As we reported, during one of the early product demos for a private defense contractor, Cybereason identified a full-blown attack by the Chinese — 10,000 thousand usernames and passwords were leaked, and the attackers had access to nearly half of the organization on a daily basis.

The security breach was too sensitive to be shared with the press, but Div says that the FBI was involved and that the company had no indication that they were being hacked until Cybereason detected it.



Conflura snags $9M Series A to help stop cyber attacks in real time

Source: Tech News – Enterprise

Just yesterday, we experienced yet another major breach when Capital One announced it had been hacked and years of credit card application information had been stolen. Another day, another hack, but the question is how companies can protect themselves in the face of an onslaught of attacks. Conflura, a Palo Alto startup, wants to help with a new tool that purports to stop these kinds of attacks in real time.

Today the company, which launched last year, announced a $9 million Series A investment led by Lightspeed Venture Partners. It also has the backing of several influential technology execs, including John W. Thompson, who is chairman of Microsoft and former CEO at Symantec; Frank Slootman, CEO at Snowflake and formerly CEO at ServiceNow; and Lane Bess, former CEO of Palo Alto Networks.

What has attracted this interest is the company’s approach to cyber security. “Conflura is a real-time cyber security company. We are delivering the industry’s first platform to deterministically stop cyber attacks in real time,” company co-founder and CEO Abhijit Ghosh told TechCrunch.

To do that, Ghosh says, his company’s solution watches across the customer’s infrastructure, finds issues and recommends ways to mitigate the attack. “We see the problem that there are too many solutions which have been used. What is required is a platform that has visibility across the infrastructure, and uses security information from multiple sources to make that determination of where the attacker currently is and how to mitigate that,” he explained.

Microsoft chairman John Thompson, who is also an investor, says this is more than just real-time detection or real-time remediation. “It’s not just the audit trail and telling them what to do. It’s more importantly blocking the attack in real time. And that’s the unique nature of this platform, that you’re able to use the insight that comes from the science of the data to really block the attacks in real time,” Thompson said.

It’s early days for Conflura as it has 19 employees and 3 customers using the platform so far. For starters, it will be officially launching next week at Black Hat. After that, it has to continue building out the product and prove that it can work as described to stop the types of attacks we see on a regular basis from happening.



Duo’s Wendy Nather to talk security at TC Sessions: Enterprise

Source: Tech News – Enterprise

When it comes to enterprise security, how do you move fast without breaking things?

Enter Duo’s Wendy Nather, who will join us at TC Sessions: Enterprise in San Francisco on September 5, where we will get the inside track on how to keep enterprise networks secure without slowing growth.

Nather is head of advisory CISOs at Duo Security, a Cisco company, and one of the most respected and trusted voices in the cybersecurity community as a regular speaker on a range of topics, from threat intelligence to risk analysis, incident response, data security and privacy issues.

Prior to her role at Duo, she was the research director at the Retail ISAC, and served as the research director of the Information Security Practice at independent analyst firm 451 Research.

She also led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation — now UBS.

Nather also co-authored “The Cloud Security Rules,” and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014.

We’re excited to have Nather discuss some of the challenges startups and enterprises face in security — threats from both inside and outside the firewall. Companies large and small face similar challenges, from keeping data in to keeping hackers out. How do companies navigate the litany of issues and threats without hampering growth?

Who else will we have onstage, you ask? Good question! We’ll be joined by some of the biggest names and the smartest and most prescient people in the industry, including Bill McDermott at SAP, Scott Farquhar at Atlassian, Julie Larson-Green at Qualtrics, Aaron Levie at Box and Andrew Ng at Landing AI and many, many more. See the whole agenda right here.

Early-bird tickets are on sale right now! For just $249 you can see Nather and these other awesome speakers live at TC Sessions: Enterprise. But hurry, early-bird sales end on August 9; after that, prices jump up by $100. Book here.

If you’re a student on a budget, don’t worry, we’ve got a super-reduced ticket for just $75 when you apply for a student ticket right here.

Enterprise-focused startups can bring the whole crew when you book a Startup Demo table for just $2,000. Each table gives you a primo location to be seen by attendees, investors and other sponsors, in addition to four tickets to enjoy the show. We only have a limited amount of demo tables and we will sell out. Book yours here.



Serverless, Inc expands free Framework to include monitoring and security

Source: Tech News – Enterprise

Serverless development has largely been a lonely pursuit until recently, but Serverless, Inc has been offering a free framework for intrepid programmers since 2015. At first, that involved development, deployment and testing, but today the company announced it is expanding into monitoring and security to make it an end-to-end tool — and it’s available for free.

Serverless computing isn’t actually server-free, but it’s a form of computing that provides a way to use only the computing resources you need to carry out a given function and no more. When the process is complete, the resources effectively go away. That has the potential to be more cost-effective than having a server that’s always on, regardless of whether you’re using it or not. That requires a new way of thinking about how developers write code.

While serverless offers a compelling value proposition, up until Serverless, Inc came along with some developer tooling, early adherents were pretty much stuck building their own tooling to develop, deploy and test their programs. Today’s announcement expands the earlier free Serverless, Inc Framework to provide a more complete set of serverless developer tools.

Company founder and CEO Austen Collins says that he has been thinking a lot about what developers need to develop and deploy serverless programs, and talking to customers. He says that they really craved a more integrated approach to serverless development than has been available until now.

“What we’re trying to do is build this perfectly integrated solution for developers and developer teams because we want to enable them to innovate as much as possible and be as autonomous as possible,” Collins told TechCrunch. He says at the same time, he recognizes that operations needs to connect to other tools and the Serverless Framework provides hooks into other systems as well.


The new tooling includes an integrated environment, so that once you deploy, you can simply click an error or security event and drill down to a dashboard for more information about the issue. You can click for further detail to see the exact spot in the code where the issue occurred, which should make it easier to resolve more quickly.

While no tool is 100 percent comprehensive, and most large organizations, and even individual developers, will have a set of tools they prefer to use, this is an attempt to build a one-stop solution for serverless developers for the first time. That in itself is significant as serverless moves beyond early adopters and begins to become more of a mainstream kind of programming and deployment option. People starting now probably won’t want to cobble together their own toolkits, and the Serverless, Inc. Framework gives them a good starting point.

Serverless, Inc. was founded by Collins in 2015 out of a need for serverless computing tooling. He has raised over $13.5 million since inception.



How US national security agencies hold the internet hostage

Source: Microsoft more

Team Telecom, a shadowy US national security unit tasked with protecting America’s telecommunications systems, is delaying plans by Google, Facebook and other tech companies for the next generation of international fiber optic cables.

Team Telecom is comprised of representatives from the departments of Defense, Homeland Security, and Justice (including the FBI), who assess foreign investments in American telecom infrastructure, with a focus on cybersecurity and surveillance vulnerabilities.

Team Telecom works at a notoriously sluggish pace, taking over seven years to decide that letting China Mobile operate in the US would “raise substantial and serious national security and law enforcement risks,” for instance. And while Team Telecom is working, applications are stalled at the FCC.

The on-going delays to submarine cable projects, which can cost nearly half a billion dollars each, come with significant financial impacts. They also cede advantage to connectivity projects that have not attracted Team Telecom’s attention – such as the nascent internet satellite mega-constellations from SpaceX, OneWeb and Amazon.

Team Telecom’s investigations have long been a source of tension within Silicon Valley. Google’s subsidiary GU Holdings Inc has been building a network of international submarine fiber-optic cables for over a decade. Every cable that lands on US soil is subject to Team Telecom review, and each one has faced delays and restrictions.