Security

Auto Added by WPeMatico

Axis Security raises $32M to help companies stay secure while working from home

Axis Security launched last year with the idea of helping customers enable contractors and third parties to remotely access a company’s systems in a safe way, but when the pandemic hit, they saw another use case, one which had been on their road map: helping keep systems secure when employees were working from home.

Today, the company announced a $32 million Series B investment led by Canaan Partners, with participation from existing investors Ten Eleven Ventures and Cyberstarts. Today’s round brings the total raised to $49 million, according to Axis.

Gil Azrielant, co-founder and CTO, says that the company was able to make the shift to a work from home security scenario so quickly because it had built the product from the ground up to support this vision eventually. The pandemic just accelerated that approach.

“We decided to focus on third parties and contractors at first, but we saw where the puck was going and definitely [designed] the infrastructure to become a full-blown, secure access product. So the infrastructure was there, and we just had to add a few things that were planned for later,” Azrielant told TechCrunch.

He says that the company’s product uses the notion of Zero Trust, which, as the name suggests, assumes you can’t trust anyone on your system, and work from there. Using a rules-based engine, customers can create a secure environment based on your role.

“What you can see, or what you can do, or what you can download or get to is fully controlled by our Application Access Cloud. This is based on what device you’re using, where you are, who you are, what role you’re in, and what you usually do and don’t do to determine the level of access you are going to get,” he said.

As the startup emerged from stealth last March just three days after the pandemic shutdown began in California, it had two main customers — a hotel chain and a pharmaceutical company — and CEO Dor Knafo says that as COVID took hold, “necessity became the mother of adoption.”

He added, “Both accounts came to us and asked us to start pursuing all these employee access use cases, and to us that was incredible because that gave them the push they needed to see the [remote access] vision just as vividly as we do,” he said. Today it has added to that initial pair, and, while it wouldn’t share an exact number, it reports it has tens of customers.

Today, the startup has 38 employees almost evenly split between San Mateo, California and Tel Aviv, Israel, with plans to accelerate hiring to reach 100 people next year. As the company scales, Knafo says that he is trying to build a more diverse group as it moves to hire more people in the coming year.

“Today, we have incentive internally to help us hire in a more diverse way. We invest heavily in that, and we continue to [keep that at top of mind] for everyone in the company,” Knafo said.

Azrielant added that the pandemic has shown employees don’t have to be located near the offices, which have been closed for much of this year, and that opens up more possibilities to build a more diverse workforce because they can hire from anywhere.

With a product that has much utility right now, the company will be using the new influx of cash to help build out its sales and marketing operations and expand sales outside of North America.

“With COVID accelerating and with a shift to work from anywhere, we’ll definitely focus on bringing our products to more enterprises, which are facing this urgent challenge of working from home,” Knafo said.

Powered by WPeMatico

Privacy data management innovations reduce risk, create new revenue channels

Mark Settle
Contributor

Mark Settle is a seven-time CIO, three-time CIO 100 award winner and two-time book author. His most recent book is “Truth from the Valley: A Practical Primer on IT Management for the Next Decade.”

Tomer Y. Avni
Contributor

Tomer Y. Avni is an MBA/MS student at the Harvard Business School and the Harvard School of Engineering and Applied Sciences.

Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.

Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.

Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.

The first wave of innovation

A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:

Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.

Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.

Powered by WPeMatico

Selling a startup can come with an emotional cost

Every founder dreams of building a substantial company. For those who make it through the myriad challenges, it typically results in an exit. If it’s through an acquisition, that can mean cashing in your equity, paying back investors and rewarding long-time employees, but it also usually results in a loss of power and a substantially reduced role.

Some founders hang around for a while before leaving after an agreed-upon time period, while others depart right away because there is simply no role left for them. However it plays out, being acquired can be an emotional shock: The company you spent years building is no longer under your control,

We spoke to a couple of startup founders who went through this experience to learn what the acquisition process was like, and how it feels to give up something after pouring your heart and soul into building it.

Knowing when it’s time to sell

There has to be some impetus to think about selling: Perhaps you’ve reached a point where growth stalls, or where you need to raise a substantial amount of cash to take you to the next level.

For Tracy Young, co-founder and former CEO at PlanGrid, the forcing event was reaching a point where she needed to raise funds to continue.

After growing a company that helped digitize building plans into a $100 million business, Young ended up selling it to Autodesk for $875 million in 2018. It was a substantial exit, but Young said it was more of a practical matter because the path to further growth was going to be an arduous one.

“When we got the offer from Autodesk, literally we would have had to execute flawlessly and the world had to stay good for the next three years for us to have the same outcome,” she said at a panel on exiting at TechCrunch Disrupt last week.

“As CEO, [my] job is to choose the best path forward for all stakeholders of the company — for our investors, for our team members, for our customers — and that was the path we chose.”

For Rami Essaid, who founded bot mitigation platform Distil Networks in 2011, slowing growth encouraged him to consider an exit. The company had reached around $25 million run rate, but a lack of momentum meant that shifting to a broader product portfolio would have been too heavy a lift.

Powered by WPeMatico

Perigee infrastructure security solution from former NSA employee moves into public beta

Perigee founder Mollie Breen used to work for NSA where she built a security solution to help protect the agency’s critical infrastructure. She spent the last two years at Harvard Business School talking to Chief Information Security Officers (CISOs) and fine-tuning that idea she started at NSA into a commercial product.

Today, the solution that she built moves into public beta and will compete at TechCrunch Disrupt Battlefield with other startups for $100,000 and the Disrupt Cup.

Perigree helps protect things like heating and cooling systems or elevators that may lack patches or true security, yet are connected to the network in a very real way. It learns what normal behavior looks like from an operations system when it interacts with the network, such as what systems it interacts with and which individual employees tend to access it. It can then determine when something seems awry and stop an anomalous activity before it reaches the network. Without a solution like the one Breen has built, these systems would be vulnerable to attack.

Perigee is a cloud-based platform that creates a custom firewall for every device on your network,” Breen told TechCrunch. “It learns each device’s unique behavior, the quirks of its operational environment and how it interacts with other devices to prevent malicious and abnormal usage while providing analytics to boost performance.”

Perigee HVAC fan dashboard view

Image Credits: Perigee

One of the key aspects of her solution is that it doesn’t require an agent, a small piece of software on the device, to make it work. Breen says this is especially important since that approach doesn’t scale across thousands of devices and can also introduce bugs from the agent itself. What’s more, it can use up precious resources on these devices if they can even support a software agent.

“Our sweet spot is that we can protect those thousands of devices by learning those nuances and we can do that really quickly, scaling up to thousands of devices with our generalized model because we take this agentless-based approach,” she said.

By creating these custom firewalls, her company is able to place security in front of the device preventing a hacker from using it as a vehicle to get on the network.

“One thing that makes us fundamentally different from other companies out there is that we sit in front of all of these devices as a shield,” she said. That essentially stops an attack before it reaches the device.

While Breen acknowledges that her approach can add a small bit of latency, it’s a tradeoff that CISOs have told her they are willing to make to protect these kinds of operational systems from possible attacks. Her system is also providing real-time status updates on how these devices are operating, giving them centralized device visibility. If there are issues found, the software recommends corrective action.

It’s still very early for her company, which Breen founded last year. She has raised an undisclosed amount of pre-seed capital. While Perigee is pre-revenue with just one employee, she is looking to add paying customers and begin growing the company as she moves into a wider public beta.

Powered by WPeMatico

JupiterOne raises $19M Series A to automate cyber asset management

Asset management might not be the most exciting talking topic, but it’s often an overlooked area of cyber-defenses. By knowing exactly what assets your company has makes it easier to know where the security weak spots are.

That’s the problem JupiterOne is trying to fix.

“We built JupiterOne because we saw a gap in how organizations manage the security and compliance of their cyber assets day to day,” said Erkang Zheng, the company’s founder and chief executive.

The Morrisville, North Carolina-based startup, which spun out from healthcare cloud firm LifeOmic in 2018, helps companies see all of their digital and cloud assets by integrating with dozens of services and tools, including Amazon Web Services, Cloudflare and GitLab, and centralizing the results into a single monitoring tool.

JupiterOne says it makes it easier for companies to spot security issues and maintain compliance, with an aim of helping companies prevent security lapses and data breaches by catching issues early on.

The company already has Reddit, Databricks and Auth0 as customers, and just secured $19 million in its Series A, led by Bain Capital Ventures and with participation from Rain Capital and its parent company LifeOmic.

As part of the deal, Bain partner Enrique Salem will join JupiterOne’s board. “We see a large multi-billion-dollar market opportunity for this technology across mid-market and enterprise customers,” he said. Asset management is slated to be a $8.5 billion market by 2024.

Zheng told TechCrunch the company plans to use the funds to accelerate its engineering efforts and its go-to-market strategy, with new product features to come.

Powered by WPeMatico

Verkada adds environmental sensors to cloud-based building operations toolkit

As we go deeper into the pandemic, many buildings sit empty or have limited capacity. During times like these, having visibility into the state of the building can give building operations peace of mind. Today, Verkada, a startup that helps operations manage buildings via the cloud, announced a new set of environmental sensors to give customers even greater insight into building conditions.

The company had previously developed cloud-based video cameras and access control systems. Verkada CEO and co-founder of Filip Kaliszan says today’s announcement is about building on these two earlier products.

“What we do today is cameras and access control — cameras, of course provide the eyes and the view into building in spaces, while access control controls how you get in and out of these spaces,” Kaliszan told TechCrunch. Operations teams can manage these devices from the cloud on any device.

The sensor pack that the company is announcing today layers on a multi-function view into the state of the environment inside a building. “The first product that we’re launching along this environmental sensor line is the SV11, which is a very powerful unit with multiple sensors on board, all of which can be managed in the cloud through our Verkada command platform. The sensors will give customers insight into things like air quality, temperature, humidity, motion and occupancy of the space, as well as the noise level,” he said.

There is a clear strategy behind the company’s product road map. The idea is to give building operations staff a growing picture of what’s going on inside the space. “You can think of all the data being combined with the other aspects of our platform, and then begin delivering a truly integrated building and setting the standard for enterprise building security,” Kaliszan said.

These tools, and the ability to access all the data about a building remotely in the cloud, obviously have even more utility during the pandemic. “I think we’re fortunate that our products can help customers mitigate some of the effects of the pandemic. So we’ve seen a lot of customers use our tools to help them manage through the pandemic, which is great. But when we were originally designing this environmental sensor, the rationale behind it were these core use cases like monitoring server rooms for environmental changes.”

The company, which was founded in 2016, has been doing well. It has 4,200 customers and roughly 400 employees. It is still growing and actively hiring and expects to reach 500 by the end of the year. It has raised $138.9 million, the most recent coming January this year, when it raised an $80 million Series C investment led Felicis Ventures on a $1.6 billion valuation.

Powered by WPeMatico

Extra Crunch Friday roundup: Edtech funding surges, Poland VC survey, inside Shift’s SPAC plan, more

I live in San Francisco, but I work an East Coast schedule to get a jump on the news day. So I’d already been at my desk for a couple of hours on Wednesday morning when I looked up and saw this:

What color is the sky this morning pic.twitter.com/nt5dZp5wWc

— Walter Thompson (@YourProtagonist) September 9, 2020

As unsettling as it was to see the natural environment so transformed, I still got my work done. This is not to boast: I have a desk job and a working air filter. (People who make deliveries in the toxic air or are homeschooling their children while working from home during a global pandemic, however, impress the hell out of me.)

Not coincidentally, two of the Extra Crunch stories that ran since our Tuesday newsletter tie directly into what’s going on outside my window:

As this guest post predicted, a suboptimal attempt I made to track a delayed package using interactive voice response (IVR) indeed poisoned my customer experience, and;

Sheltering in place to avoid the novel coronavirus — and wildfire smoke — is fueling growth in the video-game industry, perhaps one factor in Unity Software Inc.’s plan to go public ahead of competitor Epic Games. In a two-part series, we looked at how the company has expanded beyond games and shared a detailed financial breakdown.

We covered a lot of ground this week, so scroll down or visit the recently redesigned Extra Crunch home page. If you’d like to receive this roundup via email each Tuesday and Friday, please click here.

Thanks very much for reading Extra Crunch; I hope you have a relaxing and safe weekend.

Walter Thompson
Senior Editor
@yourprotagonist


Bear and bull cases for Unity’s IPO

In a two-part series that ran on TechCrunch and Extra Crunch, former media columnist Eric Peckham returned to share his analysis of Unity Software Inc.’s S-1 filing.

Part one is a deep dive that explains how the company has grown beyond gaming to develop multiple revenue streams and where it’s headed.

For part two on Extra Crunch, he studied the company’s numbers to offer some context for its approximately $11 billion valuation.


10 Poland-based investors discuss trends, opportunities and the road ahead

The Palace of Culture and Science is standing reminder of communism in Warsaw, Masovian Voivodeship, Poland.

Image Credits: Edwin Remsberg (opens in a new window) / Getty Images

As we’ve covered previously, the COVID-19 pandemic is making the world a lot smaller.

Investors who focus on their own backyards still have an advantage, but the ability to set up a quick coffee meeting with a promising investor is no longer one of them.

Even though some VCs are cutting first checks after Zoom calls, regional investors’ personal networks are still a trump card. Tourists will always rely on guide books, however, which is why we continue to survey investors around the world.

A Dealroom report issued this summer determined that 97 VC funds backed more than 1,600 funding rounds in Poland last year. With over 2,400 early- and late-stage startups and 400,000 engineers in the country, it’s easy to see why foreign investors are taking notice.

Editor-at-large Mike Butcher reached out to several investors who focus on Warsaw and Poland in general to learn more about the startups fueling their interest across fintech, gaming, security and other sectors:

  • Bryony Cooper, managing partner, Arkley Brinc VC
  • Anna Wnuk-Błażejczyk, investor relations manager, Experior.vc
  • Rafał Roszak, investment director, YouNick Mint
  • Michal Mroczkowski, partner, Market One Capital
  • Marcus Erken, partner, Sunfish Partners
  • Borys Musielak, partner, SMOK Ventures
  • Mathias Åsberg, partner, Nextgrid
  • Kuba Dudek, SpeedUp Venture Capital Group
  • Marcin Laczynski, partner, Next Road Ventures
  • Michał Rokosz, partner, Inovo Venture Partners

We’ll run the conclusion of his survey next Tuesday.


Brands that hyper-personalize will win the next decade

Customer Relationship Management and Leader Concepts on Whiteboard

Image Credits: cnythzl (opens in a new window) / Getty Images

Even for fledgling startups, creating a robust customer service channel — or at least one that doesn’t annoy people — is a reliable way to keep users in the sales funnel.

Using AI and automation is fine, but now that consumers have grown used to asking phones and smart speakers to predict the weather and read recipe instructions, their expectations are higher than ever.

If you’re trying to figure out what people want from hyper-personalized customer experiences and how you can operationalize AI to give them what they’re after, start here.


VCs pour funding into edtech startups as COVID-19 shakes up the market

For today’s edition of The Exchange, Natasha Mascarenhas joined Alex Wilhelm to examine how the pandemic-fueled surge of interest in edtech is manifesting on the funding front.

The numbers suggest that funding will far surpass the sector’s high-water mark set in 2018, so the duo studied the numbers through August 31, which included a number of mega-rounds that exceeded $100 million.

“Now the challenge for the sector will be keeping its growth alive in 2021, showing investors that their 2020 bets were not merely wagers made during a single, overheated year,” they conclude.


How to respond to a data breach

Digital Binary Code on Red Background. Cybercrime Concept

Image Credits: WhataWin (opens in a new window) / Getty Images

The odds are low that someone’s going to enter my home and steal my belongings. I still lock my door when I leave the house, however, and my valuables are insured. I’m an optimist, not a fool.

Similarly: Is your startup’s cybersecurity strategy based on optimism, or do you have an actual response plan in case of a data breach?

Security reporter Zack Whittaker has seen some shambolic reactions to security lapses, which is why he turned in a post-mortem about a corporation that got it right.

“Once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies,” says Zack.


Shift’s George Arison shares 6 tips for taking your company public via a SPAC

Number 6 By Railroad Tracks During Sunset

Image Credits: Eric Burger/EyeEm (opens in a new window) / Getty Images

There’s a lot of buzz about special purpose acquisition companies these days.

Used-car marketplace Shift announced its SPAC in June 2020, and is on track to complete the process in the next few months, so co-founder/co-CEO George Arison wrote an Extra Crunch guest post to share what he has learned.

Step one: “If you go the SPAC route, you’ll need to become an expert at financial engineering.”


Dear Sophie: What is a J-1 visa and how can we use it?

Image Credits: Sophie Alcorn

Dear Sophie:

I am a software engineer and have been looking at job postings in the U.S. I’ve heard from my friends about J-1 Visa Training or J-1 Research.

What is a J-1 status? What are the requirements to qualify? Do I need to find a U.S. employer willing to sponsor me before I apply for one? Can I get a visa? How long could I stay?

— Determined in Delhi


As direct listing looms, Palantir insiders are accelerating stock sales

While we count down to the September 23 premiere of NYSE: PLTR, Danny Crichton looked at the “robust secondary market” that has allowed some investors to acquire shares early.

“Given the number of people involved and the number of shares bought and sold over the past 18 months, we can get some insight regarding how insiders perceive Palantir’s value,” he writes.


Use ‘productive paranoia’ to build cybersecurity culture at your startup

Vector illustration of padlocks and keys in a repeating pattern against a blue background.

Image Credits: JakeOlimb / Getty Images

Zack Whittaker interviewed Bugcrowd CTO, founder and chairman Casey Ellis about the best practices he recommends for creating a startup culture that takes security seriously.

“It’s an everyone problem,” said Ellis, who encouraged founders to promote the notion of “productive paranoia.”

Now that the threat envelope includes everyone from marketing to engineering, employees need to “internalize the fact that bad stuff can and does happen if you do it wrong,” Ellis said.

Powered by WPeMatico

Use ‘productive paranoia’ to build cybersecurity culture at your startup

As any startup grows, getting new products out the door and securing that next round of funding are always top priorities.

But security, all too often, falls by the wayside. After all, why would you invest money in something that you hope never happens when you could be funneling cash back into the business?

Fostering a corporate culture that embraces cybersecurity best practices keeps customer data safe and your company’s reputation intact. But security isn’t something you can easily tack on later. It must be ingrained in your company’s culture, and it’s so much easier to start in the early days of your company than scrambling in the aftermath of a data breach.

But how do you get there?

At TechCrunch Early Stage, we asked Casey Ellis, founder, chairman and chief technology officer at Bugcrowd, to share his ideas for how startups can improve their security posture.

Bugcrowd helps companies dip into a huge pool of cybersecurity talent — including hackers and security researchers — to find vulnerabilities. By helping companies identify flaws, they can shore up their defenses before malicious hackers break in. Few know better than Ellis — who’s run Bugcrowd for close to a decade — which policies, procedures and protections companies have put in place to get there.

Extra Crunch subscribers can log in and watch the video below.

Powered by WPeMatico

It’s time to better identify the cost of cybersecurity risks in M&A deals

Rob Gurzeev
Contributor

Rob Gurzeev is CEO and co-founder of CyCognito, a company focused on giving CISOs the advantage over attackers.

Over the past decade, a number of high-profile cybersecurity issues have arisen during mega-M&A deals, heightening concerns among corporate executives.

In 2017, Yahoo disclosed three data breaches during its negotiation to sell its internet business to Verizon [Disclosure: Verizon Media is TechCrunch’s parent company]. As a result of the disclosures, Verizon subsequently reduced its purchase price by $350 million, approximately 7% of the purchase price, with the sellers assuming 50% of any future liability arising from the data breaches.

While the consequences of cyber threats were soundly felt by Yahoo’s shareholders and widely covered in the news, it was an extraordinary event that raised eyebrows among M&A practitioners but did not fundamentally transform standard M&A practices. However, given the high potential cost from cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and expedient methods to address these risks.

Today, as conversations accelerate around cybersecurity matters during an M&A process, corporate executives and M&A professionals will point to improved processes and outsourced services for identifying and preventing security issues. Despite the heightened awareness among financial executives and a greater range of outsourced solutions for addressing cybersecurity threats, acquirers continue to report increasing numbers of cybersecurity incidents at acquired targets, often after the target has already been acquired. Despite this, acquirers continue to focus due diligence activities on finance, legal, sales and operations and typically see cybersecurity as an ancillary area.

While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats.

The current lack of focus on cybersecurity issues can be partially attributed to the dynamics of the M&A market. Most middle-market companies (which constitute the nominal majority of M&A transactions) will typically be sold in an auction process where an investment bank is engaged by the seller to maximize value by fostering competitive dynamics between interested bidders. In order to increase competitiveness, bankers will typically drive a deal process forward as quickly as possible. Under tight time constraints, buyers are forced to prioritize their due diligence activities or risk falling behind in a deal process.

A typical deal process for a private company will move as follows:

  • Selling company’s investment bankers contact potential buyers, providing a confidential information memorandum (CIM), which contains summary information on a company’s history, operations and historical and projected financial performance. Potential buyers are typically given three to six weeks to review materials before deciding to move forward. Unless there is a previously known cybersecurity issue, a CIM will typically not address potential or current cybersecurity issues.
  • After the initial review period, indications of interest (IOI) are due from all interested bidders, who will be asked to indicate valuation and deal structure (cash, stock, etc.).
  • After IOIs have been submitted, the investment banker will work with the sellers to select top bidders. Key criteria that are evaluated include valuation, as well as other considerations such as timing, certainty of closing and credibility of buyer to complete the transaction.
  • Bidders selected to move forward are typically given four to six weeks after the IOI date to drill deeper into key diligence issues, review information in the seller’s data room, conduct a management presentation or Q&A with the target’s management and perform site visits. This is the first stage when cybersecurity issues could be most efficiently addressed.
  • Letter of Intent is due, when bidders reaffirm valuation and propose exclusivity periods wherein one bidder is selected on an exclusive basis to complete their due diligence and close the deal.
  • Once an LOI is signed, bidders typically have 30-60 days to complete the negotiation of definitive agreements that will outline in detail all terms of an acquisition. At this stage, acquirers have another opportunity to address cybersecurity issues, often using third-party resources, with the benefit of investing significant expenses with the greater certainty provided by the exclusivity period. The degree to which third party resources are directed toward cybersecurity relative to other priorities varies greatly, but generally speaking, cybersecurity is not a high-priority item.
  • Closing occurs concurrent with signing definitive agreements, or in other cases, closing occurs after signing often due to regulatory approvals. In either case, once a deal is signed and all key terms are determined buyers can no longer unilaterally back out of a deal.

In such a process, acquirers must balance internal resources to thoroughly evaluate a target with moving quickly enough to remain competitive. At the same time, the primary decision makers in an M&A transaction will tend to come from finance, legal, strategy or operating backgrounds and rarely will have meaningful IT or cybersecurity experience. With limited time and little background in cybersecurity, M&A teams tend to focus on more urgent transactional areas of the deal process, including negotiating key business terms, business and market trend analysis, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing, cybersecurity typically only receives a limited amount of focus.

When cybersecurity issues are evaluated, they are heavily reliant on disclosures from the seller regarding past issues and internal controls that are in place. Of course, sellers cannot disclose what they do not know, and most organizations are ignorant of attackers who may already be in their networks or significant vulnerabilities that are unknown to them. Unfortunately, this assessment is a one-way conversation that is reliant on truthful and comprehensive disclosures from sellers, lending new meaning to the phrase caveat emptor. For this reason, it’s no coincidence that a recent poll of IT professionals by Forescout showed that 65% of respondents expressed buyer’s remorse due to cybersecurity issues. Only 36% of those polled felt that they had adequate time to evaluate cybersecurity threats.

While most M&A processes do not typically prioritize cybersecurity, M&A processes will often focus squarely on cybersecurity issues when known issues occur during or prior to an M&A process. In the case of Verizon’s acquisition of Yahoo, the disclosure of three major data breaches led to a significant reduction of purchase price, as well as changes in key terms, including stipulations that the seller would bear half the costs of any future liabilities arising from these data breaches. In April 2019, Verizon and the portion of Yahoo that was not acquired would end up splitting a $117 million settlement for the data breach. In a more recent example, Spirit AeroSystems’ acquisition of Asco has been pending since 2018 with a delayed closing largely due to a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced temporary factory closures, ultimately causing a 25% purchase price reduction of $150 million from the original $604 million.

In both the case of Spirit and Verizon’s acquisitions, cybersecurity issues were largely addressed through valuation and deal structure, which limits financial losses, but does little to prevent future issues for a buyer, including loss of confidence among customers and investors. Similar to Spirit and Verizon’s acquisitions, acquirers will typically utilize structural elements of a deal to limit the economic losses. Various mechanisms and structures — including representations, warranties, indemnifications and asset purchases — can be utilized to effectively transfer the direct economic liabilities of an identifiable cybersecurity issue. However, they cannot compensate for the greater loss that would occur from reputational risk or loss of important trade secrets.

What the Spirit and Verizon examples demonstrate is that there is quantifiable value associated with cybersecurity risk. Acquirers who do not actively assess their M&A targets are potentially introducing a risk into their transaction without a mitigation. Given a limited timeline and the inherently opaque nature of a target’s cybersecurity issues, acquirers would benefit greatly from outsourced solutions that would require no reliance upon, or input from a target.

The scope of such an assessment ideally uncovers previously unknown deficiencies in the target’s security and exposure of business systems and key assets, including data and company secrets or intellectual property. Without such knowledge, acquirers go into deals partially blinded. Of course, industry best practice is to reduce risk. Adding this measure of cybersecurity assessment is an excellent practice today and likely a mandatory requirement in the future.

Powered by WPeMatico

StackRox nabs $26.5M for a platform that secures containers in Kubernetes

Containers have become a ubiquitous cornerstone in how companies manage their data, a trend that has only accelerated in the last eight months with the larger shift to cloud services and more frequent remote working due to the coronavirus pandemic. Alongside that, startups building services to enable containers to be used better are also getting a boost.

StackRox, which develops Kubernetes-native security solutions, says that its business grew by 240% in the first half of this year, and on the back of that, it is announcing today that it has raised $26.5 million to expand its business into international markets and continue investing in its R&D.

The funding, which appears to be a Series C, has an impressive list of backers. It is being led by Menlo Ventures, with Highland Capital Partners, Hewlett-Packard Enterprise, Sequoia Capital and Redpoint Ventures also participating. Sequoia and Redpoint are previous investors, and the company has raised around $60 million to date.

HPE is a strategic backer in this round:

“At HPE, we are working with our customers to help them accelerate their digital transformations,” said Paul Glaser, VP, Hewlett Packard Enterprise, and head of Pathfinder. “Security is a critical priority as they look to modernize their applications with containers. We’re excited to invest in StackRox and see it as a great fit with our new software HPE Ezmeral to help HPE customers secure their Kubernetes environments across their full application life cycle. By directly integrating with Kubernetes, StackRox enables a level of simplicity and unification for DevOps and Security teams to apply the needed controls effectively.”

Kamal Shah, the CEO, said that StackRox is not disclosing its valuation, but he confirmed it has definitely gone up. For some context, according to PitchBook data, the company was valued at $145 million in its last funding round, a Series B in 2018. Its customers today include the likes of Priceline, Brex, Reddit, Zendesk and Splunk, as well as government and other enterprise customers, in a container security market that analysts project will be worth some $2.2 billion by 2024, up from $568 million last year.

StackRox got its start in 2014, when containers were starting to pick up momentum in the market. At the time, its focus was a little more fragmented, not unlike the container market itself — it provided solutions that could be used with Docker containers as well as others. Over time, Shah said that the company chose to hone its focus just on Kubernetes, originally developed by Google and open-sourced, and now essentially the de facto standard in containerisation.

“We made a bet on Kubernetes at a time when there were multiple orchestrators, including Mesosphere, Docker and others,” he said. “Over the last two years Kubernetes has won the war and become the default choice, the Linux of the cloud and the biggest open-source cloud application. We are all Kubernetes all the time because what we see in the market are that a majority of our customers are moving to it. It has over 35,000 contributors to the open-source project alone, it’s not just Red Hat (IBM) and Google.” Research from CNCF estimates that nearly 80% of organizations that it surveyed are running Kubernetes in production.

That is not all good news, however, with the interest underscoring a bigger need for Kubernetes-focused security solutions for enterprises that opt to use it.

Shah says that some of the typical pitfalls in container architecture arise when they are misconfigured, leading to breaches; as well as around how applications are monitored; how developers use open-source libraries; and how companies implement regulatory compliance. Other security vulnerabilities that have been highlighted by others include the use of insecure container images; how containers interact with each other; the use of containers that have been infected with rogue processes; and having containers not isolated properly from their hosts.

But, Shah noted, “Containers in Kubernetes are inherently more secure if you can deploy correctly.” And to that end that is where StackRox’s solutions attempt to help: The company has built a multi-purposes toolkit that provides developers and security engineers with risk visibility, threat detection, compliance tools, segmentation tools and more. “Kubernetes was built for scale and flexibility, but it has lots of controls, so if you misconfigure it, it can lead to breaches. So you need a security solution to make sure you configure it all correctly,” said Shah.

He added that there has been a definite shift over the years from companies considering security solutions as an optional element into one that forms part of the consideration at the very core of the IT budget — another reason why StackRox and competitors like TwistLock (acquired by Palo Alto Networks) and Aqua Security have all seen their businesses really grow.

“We’ve seen the innovation companies are enabling by building applications in containers and Kubernetes. The need to protect those applications, at the scale and pace of DevOps, is crucial to realizing the business benefits of that innovation,” said Venky Ganesan, partner, Menlo Ventures, in a statement. “While lots of companies have focused on securing the container, only StackRox saw the need to focus on Kubernetes as the control plane for security as well as infrastructure. We’re thrilled to help fuel the company’s growth as it dominates this dynamic market.”

“Kubernetes represents one of the most important paradigm shifts in the world of enterprise software in years,” said Corey Mulloy, general partner, Highland Capital Partners, in a statement. “StackRox sits at the forefront of Kubernetes security, and as enterprises continue their shift to the cloud, Kubernetes is the ubiquitous platform that Linux was for the Internet era. In enabling Kubernetes-native security, StackRox has become the security platform of choice for these cloud-native app dev environments.”

Powered by WPeMatico