The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good

It seems as though we have been on a roll the last few months with notable cybercrime arrests. This week, South Korean police announced the arrest of a 20-year-old individual suspected of distributing and operating GandCrab ransomware.

Authorities did not reveal the name of the individual but say he was an ‘affiliate’ (aka customer) of GandCrab RaaS rather than the developer or primary seller. The unnamed male has been charged with distributing GandCrab, via phishing emails, to targets primarily across South Korea. Between February and June of 2019, the suspect allegedly targeted approximately 6,000 addresses with phishing emails pretending to come from official entities such as local police stations, the Constitutional Court and the Bank of Korea. Victims were instructed to pay around $1300 in Bitcoin.

The attacker, who took 7% of the haul from each paying victim with the rest going to the GandCrab operators, is said to have only made about $10,500 (12M Won) from approximately 120 victims. Law enforcement were able to track the activities of the accused via cryptocurrency transactions. Despite common misconceptions, Bitcoin transactions are not anonymous. It would appear as though the suspect did not account for that, allowing authorities to easily determine the source and destination of key transactions. GandCrab is now retired, having been replaced with numerous, more intimidating, threats. However, this is a nice reminder that law enforcement is always on the trail, and they will catch up.

The Bad

The bad news this week is of course the current, ongoing, attacks against Microsoft Exchange servers across the world. The issue is now even more complex. While we have the original actor(s) continuing their campaign of locating and compromising servers, we now also have unrelated attackers attempting to scan for and take advantage of the in-place webshells. In addition to all this, we have started to observe multiple variations of PoC (Proof-of-Concept) code appear for some of the relevant vulnerabilities.

One example might have been particularly dangerous had it not been pulled from GitHub by Microsoft. That PoC was a combination attack leveraging CVE-2021-26855 and CVE-2021-27065. It also appears to have been the first functional (with a few tweaks) PoC to accurately exploit the pertinent flaws. Just hours after it was posted, it was pulled from GitHub. However, it is known that while the code was available it was accessed and pulled more than enough times for variants and reposts to begin appearing.

The bottom line is that priority should be placed on patching these exposed servers ASAP (if it has not been done already). Reducing or eliminating exposure is key. We wish all the infosec warriors out there all the best as they continue to work to ensure coverage from this threat. For those seeking additional guidance on the Hafnium/Exchange issues, we have posted a full blog covering the threat and recommendations for mitigation.

The Ugly

This week a rather disturbing disclosure emerged concerning Silicon Valley surveillance company Verkada, Inc. It is reported that a group of hackers was able to gain access to camera data and live feeds for nearly 150,000 Verkada cameras, some of which were installed in very sensitive locations. These included premises belonging to companies such as Cloudflare, Tesla, Intel, and Nissan. The hackers were also able to gain access to cameras in multiple prisons and healthcare entities, allowing unfettered visibility into some of the most sensitive areas.

The methodology behind the hack appears to be rather unsophisticated and highlights one of the oldest issues in information security: the use (and leaking) of default credentials or hardcoded “Super User / Super Admin” accounts.

The individuals involved in the breach, a ‘hacking’ collective calling themselves “APT 69420 Arson Cats”, were able to find a working “Super Admin” credential set exposed in the clear on the internet. With that account, they were able to gain access to the myriad data available to Verkada. However, it is also reported that the hackers could have potentially taken things a step further if desired.

In a statement to Bloomberg.com, the group stated that they were “able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code…in some instances, allow(ing) them to pivot and obtain access to the broader corporate network of Verkada’s customers or hijack the cameras and use them as a platform to launch future hacks”.

At the end of the day, this is a fairly scary reminder that our need for protection extends to all devices…not just traditional endpoints. The scope and definition of IoT is widening every day, as is the requirement to secure these devices. If you are not already taking steps to ensure full visibility of all your “Smart” devices and their security, this may be a good time to review policies and stay safe!



Assembled, an operating system for support teams, raises $16.6M

From the point of view of a consumer, customer service sometimes feels like a monolith, but behind the scenes it can be a very fragmented business, with dozens of companies providing various different tools to help agents do their jobs.

Today, a startup founded by three Stripe alums that has set out to build a platform that helps organizations manage that spaghetti of customer service IT, and use it more efficiently, is announcing a round of funding to continue growing its business.

Assembled, which has built a platform that it describes as the “operating system” for support teams, has raised $16.6 million, a Series A that it plans to use to continue expanding its team and platform, and to bring on more customers.

The round is being led by Emergence Capital, the VC that specializes in enterprise startups, backing other communications-centric companies in its time like Salesforce, Zoom, Yammer, ServiceMax, SalesLoft and Lithium. Stripe, Basis Set Ventures and Felicis Ventures also participated. Stripe has a strong connection to Assembled. It is a customer. It led Assembled’s $3.1 million seed round a year ago.

And, it was the company where the three co-founders met and built the earliest version of the product it offers today. CEO Brian Sze was one of the first employees, overseeing business operations, where he built the customer support platform that inspired him to eventually leave to found Assembled. His two co-founders, brothers Ryan and John Wang, were engineers at the payments and financial services behemoth.

Assembled’s current platform is priced in tiers starting at $15 per agent per month. Integrating with Salesforce, Zendesk, Intercom, Kustomer, Gladly and other services by way of API integrations, it provides not just a way to manage and view customer support data from different sources in one place, but alongside that it provides tools focused on the support teams themselves. This includes tools to manage and roster teams, analyze team performance, and forecast demand depending on different factors in order to be better prepared.

As with all other aspects of how organizations work, customer service and people management are being digitally transformed. Typically, Sze said that many companies still use spreadsheets to manage and plan customer support rosters. That is now gradually shifting into what he describes as “support ops” where a strategic person is tasked not just with handling what is happening with incoming customer support right now, but also needs to figure out what will happen in the next year, and the tools that might help cope with that. “That is our emergent buyer,” Sze said.

“The sheer number of channels being supported is much bigger, when you consider email, messaging, phone lines, social media and more,” said Sze, adding that the pandemic had a particularly strong effect on Assembled’s business. It saw a big bump, especially in Q3 of last year, when its customer base doubled. “I think it came down to support being one of the most critical teams at the organization.”

Assembled today has a number of tech companies, and tech-first consumer companies as customers, including Stripe, GoFundMe, challenger bank Monzo, Google-owned Looker, D2C clothing brand Everlane and Harrys. It has grown customers five-fold in the last year, said Sze, while revenues have grown 300% (absolute numbers for both were not disclosed).

The concept of an “operating system” for customer support makes a lot of sense when you think about how the role has evolved over the years.

In the decades before the internet and digital interactions became the norm, support either focused on in-person visits, or phone-based interactions where you might find yourself calling toll-free numbers, sitting on hold for a long time, maybe being shuffled from one person to another depending on the nature of your issue.

Over time, those systems picked up some automated responses and companies started getting better systems in place to triage those calls. Then, as marketing became “marketing tech” and sales took on a software life of its own, those customer support people started to pick up more responsibilities, not just listening to customers but turning around and offering to sell them things, too, or take stock of customer satisfaction and overall sentiment. Then more channels for connecting came with the internet. Then came more efficient tools, cloud-based services, mobile services, and more to handle all of the above, and so on.

All of these iterations often came with different pieces of software, and while some companies have set out to build one-stop shops to take everything on, Assembled takes a Slack-like approach, making it easy to bring in data and manage different tools from one place, providing a place to bring them all together to help them work more harmoniously. At the same time, it provides a way to manage the teams of people who are there to work with those pieces of software. This is because, when it comes to customer support, it’s always as much about the teams running it as it is the software they are using (hence: “assembled”).

The company’s approach has been especially relevant in the last year. Not only have teams — including customer service teams — been forced to work remotely, but they have generally seen a surge of traffic from customers who are going online for all of their services, and using digital tools when they need to get in touch with organizations. Still, the opportunity for Assembled is that, by and large, there is still a large proportion of businesses playing catch-up here.

“Today’s customer support teams operate in a dynamic, increasingly remote environment vastly different from that of a decade ago,” said Jake Saper, Emergence General Partner, in a statement. “But it’s shocking to learn how many support teams are still operating out of spreadsheets. At Emergence, we believe that Support Ops will become a critical complement to support teams, much like DevOps has become for developers. Having initially built their product to manage Stripe’s support function, we believe the Assembled team is the world’s best to build the core operating platform for Support Ops.”

Valuation is not being disclosed.



Google Cloud launches a new support option for mission critical workloads

Google Cloud today announced the launch of a new support option for its Premium Support customers that run mission-critical services on its platform. The new service, imaginatively dubbed Mission Critical Services (MCS), brings Google’s own experience with Site Reliability Engineering to its customers. This is not Google completely taking over the management of these services, though. Instead, the company describes it as a “consultative offering in which we partner with you on a journey toward readiness.”

Initially, Google will work with its customers to improve — or develop — the architecture of their apps and help them instrument the right monitoring systems and controls, as well as help them set and raise their service-level objectives (a key feature in the Site Reliability Engineering philosophy).

Later, Google will also provide ongoing check-ins with its engineers and walk customers through tune-ups and architecture reviews. “Our highest tier of engineers will have deep familiarity with your workloads, allowing us to monitor, prevent, and mitigate impacts quickly, delivering the fastest response in the industry. For example, if you have any issues–24-hours-a-day, seven-days-a-week–we’ll spin up a live war room with our experts within five minutes,” Google Cloud’s VP for Customer Experience, John Jester, explains in today’s announcement.

This new offering is another example of how Google Cloud is trying to differentiate itself from the rest of the large cloud providers. Its emphasis today is on providing the high-touch service experiences that were long missing from its platform, with a clear emphasis on the needs of large enterprise customers. That’s what Thomas Kurian promised to do when he became the organization’s CEO and he’s clearly following through.

 



ServiceNow adds new no-code capabilities

As we’ve made our way through this pandemic, it has forced businesses to rethink and accelerate trends. One such trend is the movement to no-code tools to allow line-of-business users to create apps and workflows without engineering help. To help answer that demand, ServiceNow released a couple of new tools today as part of their latest release.

Dave Wright, the chief innovation officer at ServiceNow, says that COVID has forced more teams to work in a distributed fashion, and that has in turn advanced the idea of putting software building into the hands of every employee.

“So because people haven’t had the same support networks and are distributed, you need to be able to produce software that has a consumer grade feel to it. And if you could get that in place, then you can get people to use the system. If you get people to use the system, then you start to get better employee productivity and employee engagement,” Wright explained.

This has typically revolved around the three main areas of focus on the ServiceNow platform — customer service, IT and HR — but in order to step outside those three categories, the company has decided to develop a new area called Creator Workflows, which are designed to help workers build new workflows suited to their needs.

Low code/no code is hot

The company has come up with a couple of new tools to help these Creators: AppEngine Studio and AppEngine Templates, which work together to help these folks build these no-code workflows wherever they work across an organization.

AppEngine Studio provides the main development environment where users can drag and drop the components they need to build workflows that make sense for them. The templates take that ease of use a step further by providing a framework for some common tasks.

The new release also incorporates a couple of recent acquisitions: Loom Systems and Attivio. The company has taken the latter and repurposed it to be a platform-wide search tool called AI Search.

“It allows you to deliver contextualized consumer grade results. So it means that we can personalize the results that you get from a search back to you so that it’s more relevant to you and more focused on giving you that context that you really need to make sure you get actionable information,” he said.

Another company that they purchased was Loom Systems, which gave the company an AIOps component and the ability to inject that AI across the platform. Gab Menachem, who was CEO and co-founder at Loom prior to the acquisition, says the process of becoming part of ServiceNow has been smooth.

“Vendors in this space find themselves kind of giving customers a science project. In ServiceNow the whole focus of this year has been to incorporate [Loom] into the workflow and make work flow naturally, so that employee productivity would be boosted, and the engagement will be high. And that’s what we focus on, and I think it was a really easy transition into a big company because it just made all of our customers a lot happier,” Menachem said.

This new tooling is available starting today.

Indy-based High Alpha Capital launches new $110M fund

We know that a lot of elements go into the formation of a startup ecosystem. When your city is outside of the major coastal tech centers, it takes a deliberate effort to get such a system off the ground. For Indianapolis, Indiana, it started with the creation of ExactTarget in 2000. When that company was sold to Salesforce for $2.5 billion in 2013, it helped bring a bushel of cash into the startup system.

Today, the venture capital firm that connects back to that ExactTarget acquisition, High Alpha Capital, announced a new $110 million fund. The company concentrates on B2B SaaS startups. Kristian Andersen, partner and co-founder at High Alpha, sees the fund in the context of the pandemic and the changes it has brought to how businesses are run.

“We are living in a [time] of almost unrivaled disruption, which has created a host of challenges for individuals, businesses, and society as a whole. In spite (or possibly because) of those challenges, we’re more confident and motivated than ever to help support the next generation of founders as they seek to transform the world through the marriage of entrepreneurship and technology,” Andersen said.

Of course, cash is a key ingredient in any startup system recipe. ExactTarget’s founders were flush with it after the acquisition, and Scott Dorsey, one of the firm’s founders, says they wanted to build a system from the ground up that included education, a system to encourage entrepreneurship, math skills, a pool of engineering talent and, of course, a venture capital firm to drive investment.

“I think of the recipe as talent, capital, support and mentorship. So talent has to be a sharp focus, which it certainly is for us at High Alpha and across the Indianapolis market. The second piece is capital, and markets like Indy often don’t have access to capital and that’s been important that we’re raising our own funds,” he said.

He added, “Thirdly, I think it’s just support and mentorship and that’s really what High Alpha is built to do. We have 40 of us on the team with SaaS experts across design, marketing, product engineering, finance and HR — all Centers of Excellence you need to start and scale a SaaS company.”

The firm is divided into two parts. The first is High Alpha Studio, which is a kind of incubator for really early stage founders and the second is High Alpha Capital, which is the focus of today’s announcement.

This is the third fund for the company. The first was High Alpha One, worth $21 million. The second one, High Alpha Two, was worth $85 million. Combined with today’s announcement, the total raised across the three funds is $216 million. While the first two funds’ investments were mostly in the Indy area, the plan with the newest one is to expand beyond the region with at least some of the investments.

The firm concentrates on enterprise B2B SaaS companies from pre-seed through Series A investments, focusing on early stage companies that it can help nurture and that can learn from its founders’ experience building ExactTarget into a successful company.

The companies they have invested in include Attentive, SalesLoft, Zylo, Terminus, The Mom Project, Lessonly, LogicGate, MetaCX and Socio.

Hiding Among Friends | How To Beat The New Breed of Supply Chain Attacks

If there’s any good to come out of the recent FireEye/SolarWinds breach, it may just be a long-overdue focus of attention on the risk to enterprises from the supply chain. Just as in the past WannaCry and NotPetya forced enterprises to review policies regarding offline backup and recovery as a means of combatting the devastating effects of the ransomware threat (and forced ransomware operators to change their tactics), so we might hope for a similar positive reaction in light of this recent cybersecurity crisis.

The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to sit up and take the supply chain attack vector seriously.

In this post, we discuss what supply chain attacks are, what types of threat actors conduct them, and how enterprises can more effectively mitigate against them.

What Are Supply Chain Attacks?

The MITRE ATT&CK framework defines supply chain attacks as a method in which “Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise”. MITRE provides a structured analysis of causes, effects, mechanisms and defensive strategies for supply chain compromise.

Supply chain attacks can take place at any stage in the supply chain including:

  • Manipulation of development tools
  • Manipulation of a development environment
  • Manipulation of source code repositories (public or private)
  • Manipulation of source code in open-source dependencies
  • Manipulation of software update/distribution mechanisms
  • Compromised/infected system images (multiple cases of removable media infected at the factory)
  • Replacement of legitimate software with modified versions
  • Sales of modified/counterfeit products to legitimate distributors
  • Shipment interdiction

An APT’s Preferred MO

Supply chain attacks have become a preferred method of operation for nation state campaigns. China has long been abusing U.S. supply chains to infiltrate and steal sensitive information, and Chinese-based APT Hafnium is thought to be responsible for the recent exploitation of Microsoft Exchange server zero days, a flaw in a third-party product that countless organizations rely on.

Recent news of Russian involvement in campaigns in Lithuania and Ukraine illustrates that state-backed actors there have also mastered the art of supply chain abuse.

DPRK hackers have also utilized such techniques in a campaign against French targets between 2017 and 2020, hacking French company Centreon and using its IT monitoring software to infiltrate a host of targets.

Financial Motivation for Supply Chain Attacks

Given the complexity of pulling off a successful supply chain attack, it is tempting to assume that they are solely the province of nation-state APT campaigns. However, such attacks are sometimes committed by sophisticated cybercriminals for purely financial gain.

Cybercriminals looking to breach lucrative targets will seek the path of least resistance, and sometimes this means gaining entrance into heavily defended organizations by working their way up the supply chain. There, they could identify less well-defended entities with weaker security mechanisms and utilize these to gain entry to their chosen target.

Arguably, one of the most infamous third-party data thefts through a supply chain attack — and one which raised the profile of this kind of vector — was the 2013 breach of retailer Target Stores. Credit card information of some 41 million customers and personal information of some 70 million customers was stolen. The attackers breached Target’s systems by stealing the login credentials of a heating and ventilation contractor that had access to the retailer’s network.

And Target is far from alone, of course. Numerous other companies have been breached through their supply chain or breached in order to serve as an entry point to one or more of their clients. In 2019, IT outsourcing and consulting giant Wipro was breached and used as a jumping-off point to target at least a dozen of its customers’ systems.

A survey conducted in June 2020 by Opinion Matters for BlueVoyant states that 80% of organizations have had a breach that was caused by one of their vendors. The supply chain risk is not limited to the technology or digital provider sectors either: a recent survey conducted by PWC in the UK manufacturing sector shows that supply chain risk is of great concern to the majority (63%) of participants.

SolarWinds, Microsoft Hacks – Far Reaching Effects For Us All

Comparing “traditional” supply chain attacks and commercially motivated ones with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.

“Traditional” supply chain attacks crept into the enterprise via a weaker link, but that was mostly done in a rather direct manner: typically, by obtaining credentials and using them to connect to the enterprise, or even by physically inserting infected devices from the vendor to the end-target (as in the case of the Stuxnet cyber attack, which utilized infected USB thumb drives).


These newer attacks go much deeper. They identify a vendor with a huge footprint, invest heavily (Microsoft estimates that 1000 software engineers worked on creating the malware used in the SolarWinds breach) and gain access to thousands of victims in one fell swoop. That may or may not be mere collateral damage, depending on the threat actor’s objectives. Compromising such highly trusted vendors, if done well and with sufficient stealth, can allow a threat actor to operate freely for months or even years.

How to Mitigate Supply Chain Attacks?

There are several frameworks for handling supply chain risk, such as the recently published NIST initiative “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry”, but when even trusted vendors like Microsoft, FireEye and SolarWinds can’t get this right, what chances are there for organizations with far fewer resources?

As recent incidents have shown, the complexity of the supply chain and the lack of visibility into all an organization’s dependencies are key risk factors. Take, for example, the case of software vendor Accellion, whose FTA application – a legacy product once popular for storing and sharing large files – had been replaced by the vendor but not by many of its clients. FTA was used to hack entities such as Singtel, the Australian medical research institute QIMR Berghofer, the Washington state auditor, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, the University of Colorado, and Qualys.

Likewise, Chinese hackers were able to exploit vulnerabilities in Microsoft Exchange server products that first shipped – and perhaps have been quietly forgotten in some organizations – as long ago as 2013. Windows Defender – itself tasked with protecting Windows devices – was recently found to contain a privilege escalation vulnerability that lay undiscovered for twelve years. And there are likely many other such vulnerabilities and perhaps ITW exploitations occurring even now that will only be exposed at some point in the future.

So what can be done? We can’t expect organizations to review vendor source code and identify such vulnerabilities themselves. However, we can adopt another NIST guidance related to Cyber Supply Chain Best Practices, and that is “Develop your defenses based on the principle that your systems will be breached”.

The basic principle to help avoid becoming a victim of a software supply chain attack is to have security software that doesn’t rely on reputation for detection, as it is that very trust in reputation that is being abused by the attackers.

For that reason, be sure to avoid or replace security solutions that rely heavily on whitelisting with a modern, behavioural AI solution that can recognize novel threats at machine-speed, no matter whether the source is ‘trusted’ or not. SentinelOne Singularity does not rely on traditional anti-virus signatures to spot malicious attacks, but rather uses a combination of static machine learning analysis and dynamic behavioral analysis to protect systems from attacks – even ones emanating from “trusted” sources that may actually have been compromised somewhere in their own supply chain.

Conclusion

Recent supply chain attacks have hit an exposed nerve in the security community – the sheer scope and potential damage they can cause is simply too big to ignore. President Biden’s executive order on the security of the supply chain is perhaps the most telling evidence of the deep impact the SolarWinds attack has had on public and private organizations, but whether this order and the ensuing actions will trickle down and improve the state of supply chain security is a ‘wait-and-see’ game few organizations can afford to play.

Each enterprise needs to get its own house in order, and there is no better place to start than by reviewing cybersecurity requirements, gaining visibility into supply chain dependencies, and deploying a modern XDR platform that can identify the next breach and contain it even if it originates deep down from within the company’s own supply chain.


DataGrail snares $30M Series B to help deal with privacy regulations

DataGrail, a startup that helps customers understand where their data lives in order to help comply with a growing body of privacy regulations, announced a $30 million Series B today.

Felicis Ventures led the round with help from Basis Set Ventures, Operator Collective and previous investors. One of the interesting aspects of this round was the participation from several strategic investors including HubSpot, Okta and Next47, the venture firm backed by Siemens. The company has now raised over $39 million, according to Crunchbase data.

That investor interest could stem from the fact that DataGrail helps organizations find data by building connectors to popular applications and then helps ensure that they are in compliance with customer privacy regulations such as GDPR, CCPA and similar laws.

“DataGrail [is really] the first integrated solution with over 900 integrations (up from 180 in 2019) to different apps and infrastructure platforms that allow the product to detect when new apps or new infrastructure platforms are added, and then also perform automated data discovery across those applications,” company CEO and co-founder Daniel Barber explained to me. This helps users find customer data wherever it lives and enables them to comply with legal requirements to manage and protect that data.

Victoria Treyger, general partner at lead investor Felicis Ventures, says that one of the things that attracted her to DataGrail was that she had to help implement GDPR regulations at a previous venture and felt the pain first hand. She said that her firm tends to look for startups in large markets where the product or service being offered is a critical need, rather than an option, and she believes that DataGrail is an example of that.

“I really liked the fact that privacy management is such a hard problem, and it is not optional. As a business, you have to manage privacy requests, which you may do manually or you may do it with a solution like DataGrail,” Treyger told me.

HubSpot’s Andrew Lindsay, who is SVP of corporate and business development, says his company is both a customer and an investor because DataGrail is helping HubSpot customers navigate the complexity of privacy regulation. “DataGrail’s unique ecosystem approach, where they are integrating with key SaaS and business applications, is an easy way for many of our joint customers to protect their customers’ privacy,” Lindsay said.

The company has 40 employees today with plans to grow to 90 or 100 by the end of this year. It’s worth noting that Treyger is joining the Board, which already has 3 other women. That shows a commitment to gender diversity at the board level that is not typical for startups.

Could Marc Benioff be the next CEO to move to executive chairman?

Last month Jeff Bezos announced he would step down as CEO of Amazon later this year, moving into the executive chairman role, while passing the baton to AWS CEO Andy Jassy. Could Marc Benioff, co-founder, chairman and CEO at Salesforce be the next big-name executive to make a similar move?

A Reuters story published on Monday suggested that could be the case. Citing unnamed sources, the story indicated that Benioff’s CEO exit could happen this year. Further, those same sources suggested that current Salesforce president and COO Bret Taylor is the likely heir apparent.

We wrote a story at the end of last year speculating on possible successors to Benioff, were he to step away from the CEO role. There were a number of worthy candidates, several of whom, like Taylor, came to the company via an acquisition. All the same, we thought that Taylor seemed to be the most likely candidate to replace Benioff.

We asked Salesforce for a comment on the Reuters story. A company spokesperson told us that the company doesn’t comment on rumors or speculation.

While the entire scenario fits firmly in the rumor and speculation column, it is not entirely unlikely either. What would it mean if Benioff stepped away and what if Taylor was truly the next in line? And how would that swap compare with the Bezos decision were it to happen?

Similar yet different

Salesforce and Amazon are both companies founded in the 1990s, each looking to shake up its industry.

For Amazon, it was changing the way goods (starting with books) were bought and sold. And for Benioff the goal was changing the way software was sold. Bezos famously founded his company in his garage. Benioff built his in a rented apartment. From these humble beginnings both have built iconic companies and accumulated enormous wealth. You could understand why either could be ready to step away from the daily grind of running a company after all these years.

Bezos announced that veteran executive Andy Jassy, who runs the company’s cloud arm, would be his replacement when the handoff comes. Jassy knows the organization’s priority mix as he’s been working at the company for more than two decades. He’s locked into the culture and helped take AWS from idea to $50 billion juggernaut.

While Benioff hasn’t made any actual firm pronouncement, we have seen Bret Taylor — who joined the company in 2016 when Salesforce purchased his startup Quip for $750 million — move quickly up the ladder.

Laurie McCabe, co-founder and analyst at SMB Group, who has been following Salesforce since its earliest days, says that if Benioff were to leave, he would obviously leave big shoes to fill. But she agreed that everything seems to point to Taylor as his successor should that happen.

“Salesforce has been grooming Taylor for awhile. He has some stellar credentials both at Salesforce, his own start-up, Quip, that Salesforce acquired, and at Facebook. There’s no doubt in my mind he can lead Salesforce forward, but he’ll bring a different more low-key style to the role. And I’m sure Benioff will stay very involved […],” McCabe said.

Two different situations

Brent Leary, founder and principal analyst at CRM Essentials says that while he believes Taylor could be chosen as Benioff’s successor, and would be qualified to lead the company, he’s taken a very different path from Jassy.

“I think Benioff moving on could be different from Bezos in the sense that Jassy has been at Amazon for over 20 years and was there to basically see and be part of most of the story. […] But if Taylor were to succeed Benioff there’s not as much [history] at Salesforce with him not being on board until the Quip acquisition in 2016,” Leary said.

Leary wonders if this relatively short history with the company could create some political friction in the organization if he were chosen to succeed Benioff. “I’m not saying that this would happen, but choosing one of the many possible heirs that have come via a number of high profile acquisitions could possibly lead to high level turnover from those not picked to succeed Benioff,” he said.

But Holger Mueller, an analyst at Constellation Research says that if you look at the range of candidates available, he believes that Taylor would be the best choice. “I don’t expect any issue because there is no one with a similar or even better background, which is when there are problems — that or when people are in an open competition as it used to be at GE,” he said.

We don’t know for sure what the final outcome will be, but if Benioff does decide to join Bezos and takes the executive chairman mantle at the company, it makes sense that the person to replace him will be Taylor. But for now, it remains in the realm of speculation, and we’ll just have to wait and see if that’s what comes to pass.



YL Ventures sells its stake in cybersecurity unicorn Axonius for $270M

YL Ventures, the Israel-focused cybersecurity seed fund, today announced that it has sold its stake in cybersecurity asset management startup Axonius, which only a week ago announced a $100 million Series D funding round that now values it at around $1.2 billion.

ICONIQ Growth, Alkeon Capital Management, DTCP and Harmony Partners acquired YL Ventures’ stake for $270 million. This marks YL’s first return from its third $75 million fund, which it raised in 2017, and the largest return in the firm’s history.

With this sale, the company’s third fund still has six portfolio companies remaining. It closed its fourth fund with $120 million in committed capital in the middle of 2019.

Unlike YL, which focuses on early-stage companies — though it also tends to participate in some later-stage rounds — the investors that are buying its stake specialize in later-stage companies that are often on an IPO path. ICONIQ Growth has invested in the likes of Adyen, CrowdStrike, Datadog and Zoom, for example, and has also regularly partnered with YL Ventures on its later-stage investments.

“The transition from early-stage to late-stage investors just makes sense as we drive toward IPO, and it allows each investor to focus on what they do best,” said Dean Sysman, co-founder and CEO of Axonius. “We appreciate the guidance and support the YL Ventures team has provided during the early stages of our company and we congratulate them on this successful journey.”

To put this sale into perspective for the Silicon Valley and Tel Aviv-based YL Ventures, it’s worth noting that it currently manages about $300 million. Its current portfolio includes the likes of Orca Security, Hunters and Cycode. This sale is a huge win for the firm.

Its most headline-grabbing exit so far was Twistlock, which was acquired by Palo Alto Networks for $410 million in 2019, but it has also seen exits of its portfolio companies to Microsoft, Proofpoint, CA Technologies and Walmart, among others. The fund participated in Axonius’ $4 million seed round in 2017 up to its $58 million Series C round a year ago.

It seems like YL Ventures is taking a very pragmatic approach here. It doesn’t specialize in late-stage firms — and until recently, Israeli startups always tended to sell long before they got to a late-stage round anyway. And it can generate a nice — and guaranteed — return for its own investors, too.

“This exit netted $270 million in cash directly to our third fund, which had $75 million total in capital commitments, and this fund still has six outstanding portfolio companies remaining,” Yoav Leitersdorf, YL Ventures’ founder and managing partner, told me. “Returning multiple times that fund now with a single exit, with the rest of the portfolio companies still there for the upside is the most responsible — yet highly profitable path — we could have taken for our fund at this time. And all this while diverting our energies and means more towards our seed-stage companies (where our help is more impactful), and at the same time supporting Axonius by enabling it to bring aboard such excellent late-stage investors as ICONIQ and Alkeon — a true win-win-win situation for everyone involved!”

He also noted that this sale achieved a top-decile return for the firm’s limited partners and allows it to focus its resources and attention toward the younger companies in its portfolio.

Tackle nabs $35M Series B to help companies navigate cloud marketplaces

Each of the big three cloud vendors — Amazon, Microsoft and Google — has a marketplace where software vendors can sell their wares. It seems like an easy enough proposition to throw your software up there and be done with it, but it turns out that it’s not quite that simple, requiring a complex set of business and technical tasks.

Tackle, a startup that wants to help ease the process of getting a product onto one of these marketplaces, announced a $35 million Series B today. Andreessen Horowitz led the investment with help from existing investor Bessemer Venture Partners. The company reports it has now raised $48.5 million.

Company founder Dillon Woods says that at previous jobs, he found that it took several months with a couple of engineers dedicated to the task to get a product onto the AWS marketplace, and he noticed that it was a similar set of tasks each time.

“What I saw [in my previous jobs] was that we were kind of redoing the same work. And I thought everybody out there was probably reinventing the same wheel. And so when I started Tackle, my goal was to create a software platform that would take that time down to one or two days. So it’s really a no-code solution, and it makes it much more of a business decision, rather than this big technical integration project,” Woods told me.

While you may think it’s a pretty simple task to put an app on one of these marketplaces, Woods points out that the AWS user guide explaining the ins and outs is a 700-page pdf. He says that it’s not just the technical complexity of setting up the various API calls to get it connected, there is also the business side of selling in the marketplace, and that requires additional APIs.

“There’s not just the initial sale. There could be things later like upgrades, refunds, cancellations — maybe you need to do overage charges against that same contract. And so there are all of these downstream things that happen that all require API integration, and Tackle takes care of all of that for you,” Woods explained.

CEO John Jahnke says that the company usually starts with one product in one marketplace, which acts as a kind of proof of concept for the customer, then builds up from there. Once customers see what Tackle can do, they can expand usage.

It seems to be working, with the startup reporting that it tripled annual recurring revenue (ARR), although it didn’t want to share a specific number. It also doubled headcount and the number of customers and was responsible for over $200 million in transactions across the three cloud marketplaces.

Jahnke didn’t share the exact number of customers, but he said there were currently hundreds on the platform, including companies like Snowflake, GitHub, New Relic and PagerDuty.

The company currently has 67 employees spread across 25 states, with plans to almost double that by the end of 2021. He says that it’s essential to put systems in place to build a diverse company now.

“How we scale through this next 100% increase in headcount is going to define the mix of the company into the future. If we can get this right right now and continue to extend on the foundation for diversity and inclusion that we started and make it a real part of our conversation at some scale, we think we’ll be set up as we go from 100 employees to 1,000 employees over the long period of time to continue to grow and create opportunities for people wherever they are,” Jahnke said.

Martin Casado, general partner at lead investor a16z, says this type of selling has become essential for businesses and that’s why he wanted to invest in the company. “Cloud marketplaces have become a primary channel for selling software quickly and conveniently. Tackle is the leading player for enabling companies to sell software through the cloud,” he said.