Security
Auto Added by WPeMatico
Auto Added by WPeMatico
SolarWinds is back in hot water after a shareholder lawsuit accused the company of poor security practices, which they say allowed hackers to break into at least nine U.S. government agencies and hundreds of companies.
The lawsuit said SolarWinds used an easily guessable password “solarwinds123” on an update server, which was subsequently breached by hackers “likely Russian in origin.” SolarWinds chief executive Sudhakar Ramakrishna, speaking at a congressional hearing in March, blamed the weak password on an intern.
There are countless cases of companies bearing the brunt from breaches caused by vendors and contractors across the supply chain.
Experts are still trying to understand just how the hackers broke into SolarWinds servers. But the weak password does reveal wider issues about the company’s security practices — including how the easily guessable password was allowed to be set to begin with.
Even if the intern is held culpable, SolarWinds still faces what’s known as vicarious liability — and that can lead to hefty penalties.
Powered by WPeMatico
Aqua Security, a Boston- and Tel Aviv-based security startup that focuses squarely on securing cloud-native services, today announced that it has raised a $135 million Series E funding round at a $1 billion valuation. The round was led by ION Crossover Partners. Existing investors M12 Ventures, Lightspeed Venture Partners, Insight Partners, TLV Partners, Greenspring Associates and Acrew Capital also participated. In total, Aqua Security has now raised $265 million since it was founded in 2015.
The company was one of the earliest to focus on securing container deployments. And while many of its competitors were acquired over the years, Aqua remains independent and is now likely on a path to an IPO. When it launched, the industry focus was still very much on Docker and Docker containers. To the detriment of Docker, that quickly shifted to Kubernetes, which is now the de facto standard. But enterprises are also now looking at serverless and other new technologies on top of this new stack.
“Enterprises that five years ago were experimenting with different types of technologies are now facing a completely different technology stack, a completely different ecosystem and a completely new set of security requirements,” Aqua CEO Dror Davidoff told me. And with these new security requirements came a plethora of startups, all focusing on specific parts of the stack.
What set Aqua apart, Dror argues, is that it managed to 1) become the best solution for container security and 2) realized that to succeed in the long run, it had to become a platform that would secure the entire cloud-native environment. About two years ago, the company made this switch from a product to a platform, as Davidoff describes it.
“There was a spree of acquisitions by CheckPoint and Palo Alto [Networks] and Trend [Micro],” Davidoff said. “They all started to acquire pieces and tried to build a more complete offering. The big advantage for Aqua was that we had everything natively built on one platform. […] Five years later, everyone is talking about cloud-native security. No one says ‘container security’ or ‘serverless security’ anymore. And Aqua is practically the broadest cloud-native security [platform].”
One interesting aspect of Aqua’s strategy is that it continues to bet on open source, too. Trivy, its open-source vulnerability scanner, is the default scanner for GitLab’s Harbor Registry and the CNCF’s Artifact Hub, for example.
“We are probably the best security open-source player there is because not only do we secure from vulnerable open source, we are also very active in the open-source community,” Davidoff said (with maybe a bit of hyperbole). “We provide tools to the community that are open source. To keep evolving, we have a whole open-source team. It’s part of the philosophy here that we want to be part of the community and it really helps us to understand it better and provide the right tools.”
In 2020, Aqua, which mostly focuses on mid-size and larger companies, doubled the number of paying customers and it now has more than half a dozen customers with an ARR of over $1 million each.
Davidoff tells me the company wasn’t actively looking for new funding. Its last funding round came together only a year ago, after all. But the team decided that it wanted to be able to double down on its current strategy and raise sooner than originally planned. ION had been interested in working with Aqua for a while, Davidoff told me, and while the company received other offers, the team decided to go ahead with ION as the lead investor (with all of Aqua’s existing investors also participating in this round).
“We want to grow from a product perspective, we want to grow from a go-to-market [perspective] and expand our geographical coverage — and we also want to be a little more acquisitive. That’s another direction we’re looking at because now we have the platform that allows us to do that. […] I feel we can take the company to great heights. That’s the plan. The market opportunity allows us to dream big.”
Powered by WPeMatico
Security firm McAfee announced this morning that it will be selling its enterprise business to a consortium led by the private equity firm Symphony Technology Group for $4 billion.
It should pair well with RSA, another enterprise-focused security company the private equity firm purchased last February for $2 billion.
McAfee President and Chief Executive Officer Peter Leav says that his company has decided to direct the firm’s resources to the consumer side of the business. “This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers,” he said in a statement.
The company has been making some moves in the last year, returning to the public markets after a decade as a private company. In January, the company reportedly laid off a couple of hundred employees and shut down its software development center in Tel Aviv.
Although Symphony did not point directly to the RSA acquisition, the two investments create a large combined legacy security business for the firm, both of which have strong brand recognition, but might have lost some of their edge to more modern competitors in the marketplace.
Looking at McAfee’s latest earning’s report, Q42020, which the company reported on February 24, 2021, the consumer business grew at a much brisker rate than the enterprise side of the house. The former was up 23% YoY, while the latter grew at a far slower 5% rate.
As for the entire year, the company reported $2.9 billion in total FY2020 revenue, up 10% YoY. That broke down to $1.6 billion in consumer net revenue up 20% YoY, and $1.3 billion in enterprise net revenue, an increase of just 1% for the full year.
The company has a complex history, starting life in the 1980s selling firewall software. It eventually went public before being purchased by Intel for $7.7 billion in 2010 and going private again. In 2014, the company changed names to Intel Security before Intel sold a majority stake to TPG in 2017 for $4.2 billion and changed the name back to McAfee.
The transaction is expected to close by the end of this year, subject to regulatory oversight.
Early Stage is the premier “how-to” event for startup entrepreneurs and investors. You’ll hear firsthand how some of the most successful founders and VCs build their businesses, raise money and manage their portfolios. We’ll cover every aspect of company building: Fundraising, recruiting, sales, product-market fit, PR, marketing and brand building. Each session also has audience participation built-in — there’s ample time included for audience questions and discussion.
Powered by WPeMatico
Robotic process automation (RPA) is making a major impact across every industry. But many don’t know how common the technology is and may not realize that they are interacting with it regularly. RPA is a growing megatrend — by 2022, Gartner predicts that 90% of organizations globally will have adopted RPA and its received over $1.8 billion in investments in the past two years alone.
Due to the shift to remote work, companies across every industry have implemented some form of RPA to simplify their operations to deal with an influx of requests. For example, when major airlines were bombarded with cancellation requests at the onset of the pandemic, RPA became essential to their customer service strategy.
Throughout 2021, security teams will begin to realize the unconsidered security challenges of robotic process automation.
According to Forrester, one major airline had over 120,000 cancellations during the first few weeks of the pandemic. By utilizing RPA to handle the influx of cancellations, the airline was able to simplify its refund process and assist customers in a timely matter.
Delivering this type of streamlined cancellation process with such high demand would have been extremely challenging, if not impossible, without RPA technology.
The multitude of other RPA use cases that have popped up since COVID-19 have made it evident that RPA isn’t going away anytime soon. In fact, interest in the usage of RPA is at an unprecedented high. Gartner inquiries related to RPA increased over 1,000% during 2020 as companies continue to invest.
However, there’s one big issue that’s commonly overlooked when it comes to RPA — security. Like we’ve seen with other innovations, the security aspect of RPA isn’t implemented in the early stages of development — leaving organizations vulnerable to cybercriminals.
If the security vulnerabilities of RPA aren’t addressed quickly, there will be a string of significant RPA breaches in 2021. However, by realizing that these new “digital coworkers” have identities of their own, companies can secure RPA before they make the headlines as the latest major breach.
With RPA, digital workers are created to take over repetitive manual tasks that have been traditionally performed by humans. Their interaction directly with business applications mimics the way humans use credentials and privilege — ultimately giving the robot an identity of its own. An identity that is created and operates much faster than any human identity but doesn’t eat, sleep, take holidays, go on strike or even get paid.
Powered by WPeMatico
When Okta announced that it was acquiring Auth0 yesterday for $6.5 billion, the deal raised eyebrows. After all, it’s a substantial amount of money for one identity and access management (IAM) company to pay to buy another, similar entity. But the deal ultimately brings together two companies that come at identity from different sides of the market — and as such could be the beginning of a beautiful identity friendship.
The deal ultimately brings together two companies that come at identity from different sides of the market — and as such could be the beginning of a beautiful identity friendship.
On a simple level, Okta delivers identity and access management (IAM) to companies who use the service to provide single-sign-on access for employees to a variety of cloud services — think Gmail, Salesforce, Slack and Workday.
Meanwhile, Auth0 is a developer tool providing coders with easy API access to single-sign-on functionality. With just a couple of lines of code, the developer can deliver IAM tooling without having to build it themselves. It’s a similar value proposition to what Twilio offers for communications or Stripe for payments.
The thing about IAM is that it’s not exciting, but it is essential. That could explain why such a large number of dollars are exchanging hands. As Auth0 co-founder and CEO Eugenio Pace told TechCrunch’s Zack Whittacker in 2019, “Nobody cares about authentication, but everybody needs it.”
Putting the two companies together generates a fairly comprehensive approach to IAM covering back end to front end. We’re going to look at why this deal matters from an identity market perspective, and if it was worth the substantial price Okta paid to get Auth0.
When you think about identity and access management, it’s about making sure you are who you say you are, and that you have the right to enter and access a set of applications. That’s why it’s a key part of any company’s security strategy.
Gartner found that IAM was a $12 billion business last year with projected growth to over $13.5 billion in 2021. To give you a sense of where Okta and Auth0 fit, Okta just closed FY2021 with over $800 million in revenue. Meanwhile Auth0 is projected to close this year with $200 million in annual recurring revenue.
Image Credits: Gartner
Among the top players in this market according to Gartner’s November 2020 Magic Quadrant market analysis are Ping Identity, Microsoft and Okta in that order. Meanwhile Gartner listed Auth0 as a key challenger in their market grid.
Michael Kelly, a Gartner analyst, told TechCrunch that Okta and Auth0 are both gaining something from the deal.
“For Okta, while they have a very good product, they have marketing muscle and adoption rates that are not available to smaller vendors like Auth0. When having [IAM] conversations with clients, Okta is almost always on the short list. Auth0 will immediately benefit from being associated with the larger Okta brand, and Okta will likewise now have credibility in the deals that involve a heavy developer focused buyer,” Kelly told me.
Okta co-founder and CEO Todd McKinnon said he was enthusiastic about the deal precisely because of the complementary nature of the two companies’ approaches to identity. “How a developer interacts with the service, and the flexibility they need is different from how the CIO wants to work with [identity]. So by giving customers this choice and support, it’s really compelling,” McKinnon explained.
Powered by WPeMatico
As Okta announced earnings today after the bell, it revealed that it’s buying cloud identity startup Auth0 for a hefty $6.5 billion. The company had a valuation of $1.92 billion when it raised $120 million led by Salesforce Ventures last July.
With Auth0, Okta gets a cloud identity company that helps developers embed identity management into applications, adding an entirely new dimension to its identity platform. Okta co-founder and CEO Todd McKinnon says the acquisition gives his company broad coverage in the identity space and the acquisition has the power to lift identity to a first-class cloud category along with infrastructure, enterprise software like collaboration and CRM and others.
“There are a few other [primary cloud categories], but one of those has to be identity. And for identity to rise to that status, it has to cover all the use cases. It’s got to be both workforce and customer. So workforce [has been] our [primary] business traditionally, and customer is newer,” McKinnon told me.
The customer piece involves having your customers use Okta/Auth0 on the back end to sign onto your platform, rather using it as just your corporate credentials. Having coverage across both areas is what has McKinnon so excited.
Eugenio Pace, co-founder and CEO Auth0 sees his company together with Okta as powerful combination in the identity management space, and he’s not just hyping the deal when he says that. “Together, we can offer our customers workforce and customer identity solutions with exceptional speed, simplicity, security, reliability and scalability. By joining forces, we will accelerate our customers’ innovation and ability to meet the needs and demands of consumers, businesses and employees everywhere,” Pace said in a statement.
Pace and co-founder Matias Woloski came from Microsoft where they worked until launching their startup in 2013. As McKinnon points out this is a substantial company with 800 employees. It is expected to reach $200 million in revenue this year.
“So they have this mindset of building a service that is flexible and API-driven and great tools for developers and all the extensibility or customizability, that developers would need. And you can’t, you can’t do that later, you have to start from the beginning
McKinnon says while they share some common customers, there will be net new ones as well and the nature of the two companies coverage areas means that they can sell Auth0 into traditional Okta customers and vice versa. The combined entities could fill in a soup-to-nuts kind of identity offering.
As Pace told TechCrunch’s Zack Whittaker in 2019, it has always been focused on developers:
“We’re not profitable because we’ve chosen to reinvest and continue to sustain the high scale of growth,” he said. “But we are more efficient every day — in the way we acquire customers, the way we service customers, in the way we ship new design capabilities.”
The question is how much this will change under the Okta, but Auth0 users can breathe a sigh of relief in that McKinnon says that the company will operate as an independent unit inside of Okta as they look for paths to integration in the coming months. What’s more, McKinnon says he has a relationship with the two founders going back years and it sounds like there is an element of trust there.
Okta had a pretty good quarter too while it was at it, announcing $234.7 million in revenue up 40% year over year, but Wall Street appears to be unhappy with the deal with the stock price down 6.9% in after hours trading.
Auth0 was founded in 2013 and raised over $300 million along the way. In addition to Salesforce Ventures, other investors included Sapphire Ventures, Bessemer Venture Partners and Meritech Capital Partners.
Powered by WPeMatico
When a hacker broke into the computer systems of the Oldsmar, Florida water supply last month, it sent up red flags across the operational tech world, whether that’s utilities or oil and gas pipelines. Xage, a security startup that has been building a solution to help protect these hard-to-secure operations, announced a Zero Trust remote access cloud solution today that could help prevent these kinds of attacks.
Duncan Greatwood, CEO at Xage, says flat out that if his company’s software was in place in Oldsmar, that hack wouldn’t have happened. Smaller operations like the one in Oldsmar tend to be one-person IT shops running older remote access software that’s vulnerable to hacking on a number of levels.
“It’s not difficult to compromise a virtual network computing (VNC) connection. It’s not difficult to compromise a stale account that’s been left on a jump box. What we started to do last year was deliver what we call a Zero Trust remote access solution to these kinds of customers,” Greatwood told me.
This involves controlling access device by device and person by person by determining who can do what based on them authenticating themselves and proving who they are. “It doesn’t rely on knowledge of a device password or a VPN zone password,” he explained.
The solution goes further with a secure traversal tunnel, which relies on a tamper-proof certificate to prevent hackers from getting from the operations side of the house — whether that’s a utility grid, water supply or oil and gas pipeline — to the IT side where they could then begin to muck about with the operational technology.
Xage also uses a distributed ledger as a core part of its solution to help protect identity policies, logs and other key information across the platform. “Having a distributed ledger means that rather than an attacker having to compromise just a single node, it would have to compromise a majority of the nodes simultaneously, and that’s very difficult [if not impossible] to do,” he said.
What’s more, the ledgers operate independently across locations in a hierarchy with a global ledger that acts as the ultimate rules enforcer. That means even if a location goes offline, the rules will be enforced by the main system whenever it reconnects.
They introduced an on-premise version of the Zero Trust remote access system last October, but with this kind of technology difficult to configure and maintain, some customers were looking for a managed solution like the one being introduced today. With the cloud solution, customers get a hosted solution accessible via a web browser with much faster deployment.
“What we’ve done with the cloud solution is made it really simple for people to adopt us by hosting the management software and the core Xage fabric nodes in this Xage cloud, and we’re really dramatically reducing that time to value for a remote access solution for OT,” Greatwood said.
You might be thinking that CISOs might not trust a cloud solution for these sensitive kinds of environments, and he admits that there is some caution in this market, even though they understand the benefits of moving to the cloud. To help ease these concerns, they can do a PoC in the cloud and there is a transfer tool to move back on prem easily if they are not comfortable with the cloud approach. So far he says that no early customers have chosen to do that, but the option is there.
Xage was founded in 2017 and has raised $16 million so far, according to Crunchbase data.
Early Stage is the premier “how-to” event for startup entrepreneurs and investors. You’ll hear firsthand how some of the most successful founders and VCs build their businesses, raise money and manage their portfolios. We’ll cover every aspect of company building: Fundraising, recruiting, sales, legal, PR, marketing and brand building. Each session also has audience participation built-in — there’s ample time included in each for audience questions and discussion.
Powered by WPeMatico
An iPhone hacking team has released a new jailbreak tool for almost every iPhone, including the most recent models, by using the same vulnerability that Apple last month said was under active attack by hackers.
The Unc0ver team released its latest jailbreak this weekend, and says it works on iOS 11 (iPhone 5s and later) to iOS 14.3, which Apple released in December.
Jailbreaking is a cat-and-mouse game between security researchers who want greater control and customizations over their phones, and Apple, which says it locks down iPhones for security. Hackers build jailbreak tools by finding and exploiting vulnerabilities that can lift some of the restrictions that Apple puts in place, like installing apps outside of its app store, which most Android users are already used to.
In a tweet, the jailbreak group said it used its “own exploit” for CVE-2021-1782, a kernel vulnerability that Apple said was one of three flaws that “may have been actively exploited” by hackers. By targeting the kernel, the hackers are able to get deep hooks into the underlying operating system.
Apple fixed the vulnerability in iOS 14.4, released last month, which also prevents the jailbreak from working on later versions. It was a rare admission that the iPhone was under active attack by hackers, but the company declined to say who the hackers were and who they were targeting. Apple also granted anonymity to the researcher who submitted the bug.
The group’s last jailbreak, which supported iPhones running iOS 11 to iOS 13.5, was fixed in a matter of days last year. Apple works quickly to understand and fix the vulnerabilities found by jailbreak groups, since these same vulnerabilities can be exploited maliciously.
Security experts generally advise iPhone users against jailbreaking because it makes the device more vulnerable to attacks. And while keeping your phone up to date may introduce security fixes that remove the jailbreak, it’s one of the best ways of keeping your device secure.
Early Stage is the premiere “how-to” event for startup entrepreneurs and investors. You’ll hear firsthand how some of the most successful founders and VCs build their businesses, raise money and manage their portfolios. We’ll cover every aspect of company-building: Fundraising, recruiting, sales, legal, PR, marketing and brand building. Each session also has audience participation built-in — there’s ample time included in each for audience questions and discussion.
Powered by WPeMatico
SailPoint, an identity management company that went public in 2017, announced it was going to be acquiring Intello, an early-stage SaaS management startup. The two companies did not share the purchase price.
SailPoint believes that by helping its customers locate all of the SaaS tools being used inside a company, it can help IT make the company safer. Part of the problem is that it’s so easy for employees to deploy SaaS tools without IT’s knowledge, and Intello gives them more visibility and control.
In fact, the term “shadow IT” developed over the last decade to describe this ability to deploy software outside of the purview of IT pros. With a tool like Intello, they can now find all of the SaaS tools and point the employees to sanctioned ones, while shutting down services the security pros might not want folks using.
Grady Summers, EVP of product at SailPoint, says that this problem has become even more pronounced during the pandemic as many companies have gone remote, making it even more challenging for IT to understand what SaaS tools employees might be using.
“This has led to a sharp rise in ungoverned SaaS sprawl and unprotected data that is being stored and shared within these apps. With little to no visibility into what shadow access exists within their organization, IT teams are further challenged to protect from the cyber risks that have increased over the past year,” Summers explained in a statement. He believes that with Intello in the fold, it will help root out that unsanctioned usage and make companies safer, while also helping them understand their SaaS spend better.
Intello has always seen itself as a way to increase security and compliance and has partnered in the past with other identity management tools like Okta and OneLogin. The company was founded in 2017 and raised $5.8 million according to Crunchbase data. That included a $2.5 million extended seed in May 2019.
Yesterday, another SaaS management tool, Torii, announced a $10 million Series A. Other players in the SaaS management space include BetterCloud and Blissfully, among others.
Powered by WPeMatico
A couple of weeks ago SentinelOne announced it was acquiring high-speed logging platform Scalyr for $155 million. Just this morning CrowdStrike struck next, announcing it was buying unlimited logging tool Humio for $400 million.
In Humio, CrowdStrike gets a company that will provide it with the ability to collect unlimited logging information. Most companies have to pick and choose what to log and how long to keep it, but with Humio, they don’t have to make these choices, with customers processing multiple terabytes of data every single day.
Humio CEO Geeta Schmidt writing in a company blog post announcing the deal described her company in similar terms to Scalyr, a data lake for log information:
“Humio had become the data lake for these enterprises enabling searches for longer periods of time and from more data sources allowing them to understand their entire environment, prepare for the unknown, proactively prevent issues, recover quickly from incidents, and get to the root cause,” she wrote.
That means with Humio in the fold, CrowdStrike can use this massive amount of data to help deal with threats and attacks in real time as they are happening, rather than reacting to them and trying to figure out what happened later, a point by the way that SentinelOne also made when it purchased Scalyr.
“The combination of real-time analytics and smart filtering built into CrowdStrike’s proprietary Threat Graph and Humio’s blazing-fast log management and index-free data ingestion dramatically accelerates our [eXtended Detection and Response (XDR)] capabilities beyond anything the market has seen to date,” CrowdStrike CEO and co-founder George Kurtz said in a statement.
While two acquisitions don’t necessarily make a trend, it’s clear that security platform players are suddenly seeing the value of being able to process the large amounts of information found in logs, and they are willing to put up some cash to get that capability. It will be interesting to see if any other security companies react with a similar move in the coming months.
Humio was founded in 2016 and raised just over $31 million, according to Pitchbook Data. Its most recent funding round came in March 2020, a $20 million Series B led by Dell Technologies Capital. It would appear to be a decent exit for the startup.
CrowdStrike was founded in 2011 and raised over $480 million before going public in 2019. The deal is expected to close in the first quarter, and is subject to typical regulatory oversight.
Powered by WPeMatico