cybersecurity

Arlington Tech Firm Distil Networks Raises $21 Million

By Adrian Cruz

The Ballston office of Distil NetworksAn tech company with offices in Arlington has raised more than $21 million in its latest round of financing.

Distil Networks, a startup that wages war on online bots, announced the sum of its Series C fundraising period earlier today. The company said it has raised $65 million to date.

The firm will use the money to “bolster global marketing and sales efforts, strengthen core offerings, and double the current workforce over the next 12-18 months,” according to a press release.

Currently headquartered in San Francisco, Distil Networks builds tools to thwart malicious online bots that “are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, account takeovers, competitive data mining, online fraud, and downtime,” the release said.

The company’s clients include Thomson Reuters, Yelp, Staples, easyJet and Stubhub.

More from the Distil Networks press release:

Distil Networks, Inc., the global leader in bot detection and mitigation, today announced that it has closed $21 million in Series C financing. The funding included participation from Silicon Valley Bank and existing venture investors Bessemer Venture Partners, Foundry Group, and TechStars. The new round brings Distil’s total funding to $65 million to date. The company plans to use the investment to bolster global marketing and sales efforts, strengthen core offerings, and double the current workforce over the next 12-18 months. 

Bad bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, account takeovers, competitive data mining, online fraud, and downtime. Distil’s 2016 Bad Bot Landscape Report confirms that bots are gaining sophistication, finding that 88 percent of all bad bot traffic has one or more characteristics of an Advanced Persistent Bot (APB).

“As bots learn to better mimic human behavior and become harder to detect, solutions must innovate rapidly to thwart attacks,” said Rami Essaid, CEO and co-founder of Distil Networks. “Our investors understand the enormous challenge that web properties face when it comes to defending proprietary information while maintaining a positive user experience, and they have chosen to support Distil in our pursuit to create a safer web. With this round of funding, we are looking forward to building upon our momentum and continuing to lead the market with our advanced protection against bot activity.”

Since closing Series B financing in June of 2015, Distil has hit several key milestones, including:

Launching Distil API Security to reduce risk and downtime across critical API attack vectors.

Acquiring ScrapeSentry and their expert team of analysts to provide real-time, proactive website traffic analysis, customized reporting, and engineering assistance to enterprise customers.

Securing 100+ enterprise customers, including B&H Photo, Wayfair, and Glassdoor.

Expanding global reach with office opening in London and growing total employee headcount to 140, with built out teams in managed services, support, and data science.

“Since I joined the board of Distil, I’ve been continually impressed by the company’s ability to develop new products, streamline deployment, and exceed sales objectives,” said David Cowan, partner at Bessemer Venture Partners. “Naturally, I was eager to double down.”

Advanced Persistent Bots (APBs) have several advanced capabilities such as mimicking human behavior, loading JavaScript and external resources, cookie support, browser automation, and spoofing IP addresses and user agents. Their persistency aspect comes from their process for evading detection. For example, an APB might use 1000 IP addresses to make one request each, instead of one IP address to make 1000 requests, rendering impotent IP-centric defenses. According to Gartner, “fraudsters are also spreading their attacks over thousands of IP addresses — many of which are purposefully chosen to originate in locations that appear legitimate (for example, in the same geographic area that a target victim lives in). They are also slowing down their scripted attacks to move at the pace of an average human.”

Arlington County Plugs Home Services Security Vulnerability

By ARLnow.com

Arlington Dept. of Environmental Services web formArlington County has plugged a vulnerability in its automated services system for homeowners, after the vulnerability was brought to officials’ attention by ARLnow.com and a local IT services provider.

The vulnerability was in a phone system and website used by the Arlington Dept. of Environmental Services to automate waste pickup scheduling and water service changes.

The phone system would allow a caller to enter either an account number or their address. When one entered an address, however, the system would then provide that homeowner’s name and account number.

With the account number, one could theoretically go online and shut off the home’s water service, or order a big pile of mulch to be delivered to their yard and billed to their account.

ARLnow.com tested the vulnerability and came one click away from sending a big mulch pile to the front yard of a national media personality who lives in Arlington. Through a spokeswoman, that individual declined to comment or be identified in this article.

Within a week of ARLnow.com notifying the county, the automated phone system had been taken offline — callers now only have the option of speaking to a customer service representative — and some account number fields were removed from online forms.

“Our approach is customer-focused and to make it convenient for residents to make service requests, order mulch and report problems through the County website or by telephone,” said Dept. of Environmental Services spokeswoman Jessica Baxter. “It is a philosophy our customers value based on their feedback.”

“To date, we have not had a problem with people misusing the system,” Baxter continued. “As with any system, we are always looking for ways to improve while balancing the needs of our customers. Thanks for bringing this matter to our attention.”

Alexander Chamandy, the founder of Arlington-based IT services firm Envescent, LLC, was the first to spot the vulnerability.

“I discovered this unauthorized information disclosure issue by accident when scheduling a curbside pickup with Arlington,” he said. “It was disconcerting that one’s account information, name, address and other details could be shared with an unauthorized party. Because identity theft and data breaches are on the rise I felt it was important to alert ARLnow.com and Arlington County.”

McAuliffe to Talk Cybersecurity Jobs at Washington-Lee High School

By Heather Mongilio

Terry McAuliffe speaks in front of Arlington DemocratsGov. Terry McAuliffe is going back to high school.

The Virginia governor will be speaking to students at Washington-Lee High School (1301 N. Stafford Street) about career paths in cybersecurity tomorrow, Oct. 28, from 1:15-3 p.m.

McAuliffe will be joined by a panel of cyber security professionals who will talk about the different jobs in cybersecurity as well as the resources students need to pursue a career.

“The nation is in need of a strong cybersecurity workforce. The demand for skilled cyber professionals is at an all-time high, and will only increase as our country and world grow more dependent on cyber and information technology,” Arlington Public Schools said in a statement.

The panelists will talk about the average day of a cybersecurity specialist, what interested them in a cyber career and how they got their start. They will also perform a Wi-Fi Watering Hole attack demonstration.

The event is co-sponsored by the Department of Homeland Security as part of National Cyber Security Awareness Month 2015.

SEC Cybersecurity Guidance for Investment Managers

Alex ChamandyThe following post is written and sponsored by Alexander G. Chamandy of Envescent, LLC, the IT services provider to ARLnow.com.

In April 2015, the SEC issued a Cybersecurity Guidance update for registered investment companies and investment advisers.

The guidelines provided best practices for mitigating information leakage risks and improving data security. Too often many smaller investment houses may not have knowledgeable staff to implement and manage cybersecurity policies.

The cornerstones of cybersecurity 

The best practices are shaped around four key principles: compartmentalization; encryption; restricting remote access; and, controlling the usage of devices that may compromise internal security. The most critical considerations set forth are:

  • Data encryption: Backups, portable computers, data that flows outside of the company;
  • Network and system firewalls: Both hardware and software firewalls for network endpoints and individual systems;
  • Restricting the use of removable storage media (e.g., flash drives);
  • Deploying software that monitors technology systems for unauthorized intrusions;
  • Network segregation to restrict access; and
  • “System hardening” with the purpose of ensuring individual systems are locked down against attack.

Create a plan and follow through with it

To accomplish these essentials, you need to put in place both a policy and budget for active cybersecurity, consistent with the size and technological complexity of the operation. The basic important thought is that every system, network appliance, server, Internet connection, remote office (and its equipment) as well as portable devices, backups and other areas where data is transmitted or stored will need individual attention by a knowledgeable cybersecurity expert.

Investment managers without the needed internal cybersecurity expertise typically seek help of an outside consultant to deal effectively with this critical issue, and minimize potential exposure. An outside opinion most likely will shed light on overlooked but critical areas – such as the firmware version of a vulnerable network appliance, or remote ports that are exposed which don’t need to be open. These types of “invisible” or ignored issues may lead to large-scale breaches and other maladies.

Staying secure pays off in the long run

The primary goal of the SEC’s cybersecurity guidance is to help set forth a common framework for institutional best practices, casting light on commonly overlooked security flaws and spelling-out common sense steps to address them.

More importantly, however, it is a critical change in the landscape of the our regulatory and legal environment. With all of the recent (and ongoing) breaches — and given what is at stake for investment managers if their systems are hacked — it makes sense to shape and adopt a cybersecurity plan. It makes even more sense to put the plan into action before cybersecurity becomes a problem for your operation.

View the SEC Cybersecurity Guideline Update here: http://www.sec.gov/investment/im-guidance-2015-02.pdf

About the author

Alexander G. Chamandy is a seasoned IT professional with 20 years of industry experience and a lifelong Arlington resident. He has deep expertise helping small businesses with a number of IT issues, including cybersecurity, data recovery, networking, deploying and maintaining servers as well as open source software.

If your small business needs IT supportconsulting or website design contact Envescent, LLC. Our company has helped over 15,000 clients in the Washington, DC area and beyond since 1999.

The views and opinions expressed in the column are those of the author and do not necessarily reflect the views of ARLnow.com.

Obama to Visit Ballston Tuesday

By ARLnow.com

President Obama speaks at Washington-Lee High SchoolPresident Obama will tour a federal cybersecurity office in Arlington Tuesday afternoon.

Obama is scheduled to visit the Ballston-based National Cybersecurity and Communications Integration Center, which is part of the Dept. of Homeland Security.

The president “will talk about efforts to increase information-sharing between companies and the government and to improve collaboration against threats,” according to the LA Times.

The visit is expected to result in significant temporary road closures in Arlington. It comes a day after terrorist supporters hacked the Twitter and YouTube accounts of United States Central Command.

Morning Notes

By ARLnow.com

Corgi eyes a graduation cake (Flickr pool photo by Eric)

Rip Sullivan Running for Delegate — Richard “Rip” Sullivan is the first candidate to announce his candidacy to replace the retiring Del. Bob Brink. Sullivan, a Democrat and a Fairfax County resident, said he’s running “to fight the Tea Party Republicans trying to roll back social and economic progress in Virginia.” [Rip Sullivan for Delegate]

Metro Fare Increase Takes Effect — Metrorail fares have been raised an average of 10 cents as of Sunday. Other changes include hikes to Metrobus fares, MetroAccess fares and Metro parking rates. [WMATA]

Arlington-Based Agency Works to Foil Hackers — Reporters were recently given a tour of the National Cybersecurity and Communications Integration Center, a Department of Homeland Security-run hub for the U.S. government’s coordinated response to cyber attacks. The highly secure and classified office is located in a “non-descript” office building in Ballston, above a chain restaurant. [Bloomberg, InformationWeek]

‘Airbnb for Boats’ in D.C. — A service called Boatbound has launched in the D.C. area. It allows boat owners to rent out their boats to non-boat owners. The going rate for most boats on Boatbound is $200-500 per day. [Washington City Paper]

Flickr pool photo by Eric

Former Attorney Trying to Make Email More Secure

By Ethan Rothstein

Startup Monday header

Editor’s Note: Sponsored by Monday Properties and written by ARLnow.com, Startup Monday is a weekly column that profiles Arlington-based startups and their founders. The Ground Floor, Monday’s office space for young companies in Rosslyn, is now open. The Metro-accessible space features a 5,000-square-foot common area that includes a kitchen, lounge area, collaborative meeting spaces, and a stage for formal presentations.

Nveloped's secure email deliveryNikhil Palekar’s angel-funded startup was born with a fax.

A few years ago, Palekar had to send some files to his doctor, and because email wasn’t secure enough for medical records, Palekar had to send a fax. Living in a one-bedroom apartment as a student in law school, he had no fax machine, but he didn’t see why there wasn’t a way to securely send files — or information — from his Gmail account.

“It seemed like there was a need for the service,” Palekar said. “I didn’t know why there couldn’t be an easy way to send stuff like this over email.”

Palekar had a background in computer science before he decided to attend law school, so he set about thinking of how to create a secure email service. After graduating law school and taking a job as a patent lawyer in Washington, D.C., Palekar started develop prototypes for his eventual product. In 2011, he left his job and started working full-time to launch Nveloped.

Nveloped founder and CEO Nikhil Palekar

Palekar has a practiced explanation for how Nveloped works. Normal email, he says, gets sent from one address, copied numerous times and delivered to the recipient. With Nveloped, clients instead send email recipients the equivalent of “an empty container.”

“When you open the message, that’s when we deliver the content,” Palekar said. “We provide access to that content dynamically.”

Before Palekar built anything, he said he had to look holistically at the problem he was trying to solve.

“It was trying to understand the deficiencies of regular email, which is really coming to light these days,” he said. “The first step was fully understanding why it was broken. The next step was how do you solve this in a way that’s easy for the sender and the receiver. Preserving a pleasant user experience was very important.”

In the summer of 2012, Palekar moved from his Arlington apartment for three months to Seattle to grow Nveloped at TechStars, a technology accelerator that provided Palekar with mentorship and connections that have proven vital.

Nveloped email expiration optionHe’s since moved back to the area, and with the help of people he’s met through TechStars, as well as the D.C. area startup community, Nveloped has raised $400,000 in angel funding and he said he has 10-20 clients. Palekar is the only full-time worker for the company, but he does have part-time and contract help for his growing business. He’s in the process of looking for a coworking office space in Arlington or D.C.

Most of Nveloped’s clients are in healthcare and financial services, and there are also clients with proprietary content — think of a news site that charges for its content — who wouldn’t want its subscribers forwarding email anyone could open without paying.

Despite TechStars’ reputation — it has accelerators in a half-dozen cities around the country — Palekar said finding clients who entrusted him with their email security was a challenge, but perhaps not as difficult as some would expect.

“The early stages are difficult, but there are people who know they need a solution to this problem,” he said. “Part of this process was giving people context for your product and showing them its value.”

Even though Palekar was already in the D.C. area, he said this is the best city in the country for his particular tech startup. His clients are from all over the country, he said, but as he takes on new business it’s likely it comes more from this region.

“D.C. is really growing as a startup community,” he said. “As things develop further, there are going to be areas where D.C. is very strong, and cybersecurity is one of them.”

Morning Notes

By ARLnow.com

Cybersecurity Center to Open in Ballston — Virginia Tech and defense contractor L-3 Communications are set to jointly open a cybersecurity research center in Ballston on Friday. The center will be located at the Virginia Tech Research Center building at 900 N. Glebe Road. [Washington Post]

Arlington Gearing Up for Nov. Election — In anticipation of election day on Nov. 6, Arlington County is encouraging residents to register to vote and, if necessary, vote absentee. The deadline for voter registration is Oct. 15, and the deadline for absentee ballots is Oct. 30. This year, the county is also allowing voters to cast their absentee ballot in person, at three absentee polling places: Courthouse Plaza, Barcroft Sports and Fitness Center, and the Madison Community Center. [Arlington County]

Generals, Patriots Win — The Washington-Lee Generals and the Yorktown Patriots both emerged victorious in local high school football action over the weekend. Yorktown defeated the Stuart Raiders 41-3, and Washington-Lee downed the winless Wakefield Warriorts 49-14. Bishop O’Connell, meanwhile, suffered its first loss, at the hands of the visiting DeMatha Stags. The Stags won 41-10. [Sun Gazette]

New Books By Arlington Authors — Two recently-released books by Arlington authors are receiving good reviews. Radical Chapters by Arlington resident and McClatchy Washington Bureau reporter Michael Doyle received an upbeat review by Palo Alto Weekly. The book details the life and times of a Roy Kepler, who was both a prominent peace activist and a groundbreaking bookstore owner.  Darkbeast, by Arlington author Morgan Keyes, has picked up a number of good reviews on Amazon.com. The novel follows twelve-year-old Keara, who runs away from home rather than sacrifice Caw, her magical raven darkbeast.

Flickr pool photo by Maryva2

Rep. Moran Hosts Cybersecurity Summit

By Katie Pyzyk

Leaders in the cybersecurity industry gathered at the Virginia Tech Research Center in Ballston this morning to attend a forum hosted by Rep. Jim Moran (D).

Discussion revolved around cyber threats America faces and how best to address the problems as funding dwindles. Speakers noted it’s important to look ahead and focus on what threats may arise, as opposed to those already known.

“We get used to what the current threat level is, and forget how rapidly that can change, ” said Rear Admiral Samuel Cox, Director of Intelligence for U.S. Cyber Command.

Cox said although it doesn’t appear that groups like Al Qaeda have an immediate ability to wage a large scale cyber attack, that’s quickly changing. He stressed America’s need to be prepared to go on the offensive, instead of simply defending itself against cyber attacks.

“Our job is to plan to do things we hope we never, ever have to do,” Cox said.

During her keynote remarks, Teri Takai, the Department of Defense Chief Information Officer, spoke of the recently announced intention to expand a program to help bridge the information gap between government entities and the private sector. Currently, the DoD has a partnership with 37 companies, in which classified information about potential cyber attacks is shared among all the participants. The goal is to expand that number to 200 companies this year. Takai believes the approval from the White House may come in as little as 60 days.

“This is important because this really looks beyond just the DoD world,” Takai said.

Takai said there’s an active effort to look at how to best assess risk in the government’s supply chain. That includes not only ensuring the security of computer hardware and software in use, but also knowing everyone who has access to the network and what they have access to.

Moran said a significant sticking point in information sharing is that private businesses often keep quiet when their systems are hacked. He said at some point, private firms will realize they can’t protect themselves on their own, and will have to be part of the team. He believes the situation requires more collaboration than what exists right now.

“Private firms don’t want to reveal when they’ve been hit and how much they’ve lost,” Moran said. “The government is going to have to play a bigger role.”

Moran reiterated the need for priorities to shift toward cyber from the traditional “boots on the ground” approach to security. He’s confident that as plans for increasing information sharing about cyber security expand, the money to implement such plans will follow.