Sarah Guo, Kobie Fuller & Casey Aylward headline investor panel at TC Sessions: SaaS

While SaaS has become the default way to deliver software in 2021, it still takes a keen eye to find the companies that will grow into successful businesses, maybe even more so with so much competition. That’s why we’re bringing together three investors to discuss what they look for when they invest in SaaS startups.

For starters, we’ll have Sarah Guo, who has been a partner at Greylock since 2013 where she concentrates on AI, cybersecurity, infrastructure and the future of work — all in a SaaS context of course. Among her investments are Obsidian, Clubhouse and Awake. Her exits include Demisto, which Palo Alto acquired for $560 million in 2019 and Skyhigh Networks, which McAfee bought for $400 million in 2018.

Prior to joining Greylock, she worked for Goldman Sachs investing in growth-stage companies and advising SaaS companies like Dropbox and Workday.

Next we’ll have Kobie Fuller, a partner at Upfront Ventures, who looks at SaaS as well as AR and VR. Fuller has been at Upfront since 2016, when he joined after a three-year stint at Accel. He oversaw a pair of billion-dollar exits while at Accel, including ExactTarget to Salesforce for $2.5 billion and Oculus to Facebook for $2 billion. Upfront investments include Bevy, a community-building software company, which recently got a $40 million investment with 20% of that coming from 25 Black investors.

Finally, we’ll have Casey Aylward, a principal at Costanoa Ventures where she concentrates on early-stage enterprise startups. Among her investments have been Aserto, Bigeye and Cyral. She tends to concentrate on developer tools. “My entire career so far has been focused on developers: whether it was building tools for developers, building software myself or now investing in enabling technologies for the next generation of technical users,” she wrote on her bio page.

This prestigious group will share their thoughts at TC Sessions: SaaS, a one-day virtual event that will examine the state of SaaS to help startup founders, developers and investors understand the state of play and what’s next. We hope you’ll join us.

The single-day event will take place 100% virtually on October 27 and will feature actionable advice, Q&A with some of SaaS’s biggest names and plenty of networking opportunities. Importantly, $75 Early Bird passes are now on sale. Book your passes today to save $100 before prices go up.


Pleo raises $150M at a $1.7B valuation for its new approach to managing expenses for SMBs

Whether you are part of the accounting department, or just any employee at an organization, managing expenses can be a time-consuming and error-filled, yet also quite mundane, part of your job. Today, a startup called Pleo — which has built a platform that can help some of that work more smoothly, by way of a vertically integrated system that includes payment cards, expense management software, and integrated reimbursement and pay-out services — is announcing a big round of growth funding to expand its business after seeing strong traction.

The Copenhagen-based startup has raised $150 million — money that it will be using to continue building out more features for its users, and for business development. The round, which sets a record for being the largest Series C for a Danish startup, values Pleo at $1.7 billion, the startup has confirmed.

There are around 17,000 small and medium businesses now using Pleo, with companies at the medium end of that range numbering around 1,000 employees. Now that Pleo is moving into slightly larger customers (up to 5,000 employees, CEO Jeppe Rindom said), the startup has set an ambitious target of reaching 1 million users by 2025, a very lucrative goal considering that expense management is estimated to be an $80 billion market in Europe (with the global opportunity, of course, even bigger).

It will also be using the funds simply to expand its business. Pleo has around 330 employees today spread across London, Stockholm, Berlin and Madrid, as well as in Copenhagen, and it will be using some of the investment to grow that team and its reach.

Bain Capital Ventures and Thrive Capital co-led this round, a Series C. Previous backers, including Creandum, Kinnevik, Founders, Stripes and Seedcamp, also participated. Stripes led the startup’s Series B in 2019. It looks like this round was oversubscribed: the original intention had been to raise just $100 million.

Like other business processes, managing expenses and handling company spending has come a long way in recent years.

Gone are the days where expenses inevitably involved collecting paper receipts and inputting them manually into a system in order to be reimbursed; now, expense management software links up with company-issued cards and taps into a range of automation tools to cut out some of the steps in the process, integrating with a company’s internal accounting policies to shuffle the process along a little less painfully. And there are a number of companies in this space, from older players like SAP’s Concur through to startups on the cusp of going public like Expensify as well as younger entrants bringing new technology into the process.

But, there is still lots more room for improvement. Rindom, Pleo’s CEO who co-founded the company with CTO Niccolo Perra, said the pair came up with the idea for Pleo on the back of years of working in fintech — both were early employees at the B2B supply chain startup Tradeshift — and seeing first-hand how short-changed, so to speak, small and medium businesses in particular were when it came to tools to handle their expenses.

Pleo’s approach has been to build, from the ground up, a system for those smaller businesses that integrates all the different stages of how an employee might spend money on behalf of the company.

Pleo starts with physical and virtual payment cards (which can be used in, for example, Apple Wallet) that are issued by Pleo (in partnership with MasterCard) to buy goods and services. Those purchases are in turn automatically itemized according to a company’s internal accounting systems, with the ability to work with e-receipts; the platform also lets people use their phones to snap pictures of receipts when they exist only on paper, if required. This is pretty much table stakes for expense software these days, but Pleo’s platform is going a couple of steps beyond that.

Users (or employers) can integrate a user’s own banking details to make it easier to get reimbursed when they have had to pay for something out of their own pocket, or conversely to pay back something that shouldn’t have been charged on the card. And if there are invoices to be paid at a later date than the time of purchase, these too can be actioned and set up within Pleo rather than having to liaise separately with an accounts payable department to get them settled. Higher-priced tiers (beyond the basic service for up to five users) also let a company set spending limits for individual users. Pricing is per user, per month.

Pleo also has built fraud protection services into the platform to detect, for example, cases when a card number might have been compromised and is being used for non-work purposes.

What’s notable is that the startup has built all of the tech that it uses, including the payments feature, from the ground up, to have full control over the features and specifically to be able to add more of them more flexibly over time.

“In the beginning we ran with a partner in services like payments, but it didn’t allow us to move fast enough,” Rindom said in an interview. “So we decided to take all of that in-house.”

It seems like this opens the door to a lot of possibilities for how Pleo might evolve in the years ahead now that it’s focused on hyper-growth. However, Rindom added that whatever the next steps might be, they will remain focused on continuing to solve the expenses problem.

“When it comes to our infrastructure we use it only for ourselves,” he said. “We have no plans of selling [for example, payments] as a service, even if we do have a lot of other ideas for broadening our offerings.” Indeed, the ability to pay invoices was launched only in April of this year. “We come up with things all the time, but will launch only those relevant to customers.” For now, at least.

That focus, and perhaps even more so the execution and customer traction, are what have brought investors around to backing a fintech out of Copenhagen.

“The future of work empowers employees with the tools they need to be effective, productive, and successful,” said Keri Gohman, a partner at Bain Capital Ventures, in a statement. “Pleo understands this critical shift for modern companies toward employee centricity—providing workers with a fun-to-use spend management app that automatically tracks their corporate spending and generates expense reports, paired with the powerful tools businesses need to create full visibility and management of every penny spent.”

Bain has been a pretty active investor in European fintech, also backing GoCardless in its recent round. “BCV invests in founders who aren’t afraid to tackle big problems, and Jeppe and Nicco saw a big challenge that employers faced—tracking all corporate spending and reconciling expenses back to the general ledger—and solved it with elegant technology that both employers and employees love,” added Merritt Hummer, a partner at Bain Capital Ventures.

Thrive is also a notable backer here, and it will be interesting to see how and if Pleo links up with others in the VC’s portfolio, which include companies like Plaid, Gong and Trade Republic.

“Pleo has already transformed the way that over 17,000 companies think about managing their expenses, saving them time and lowering costs while increasing transparency,” noted Kareem Zaki, a general partner at Thrive Capital, in a statement. “We are excited to partner closely with the Pleo team to help drive their next phase of growth.”

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

Remember Gozi? Well, you’d be forgiven if you’d forgotten, but this particular piece of banking malware was rife around the turn of the decade, causing trouble in at least eight countries, including the US, the UK and several European nations. While the world of cyber security may have moved on, law enforcement didn’t forget. Back in 2016, the cops caught up with two of the malware as a service (MaaS) authors and this week, they nabbed a third.

On Tuesday, it was reported that Mihai Ionut Paunescu was arrested in Bogota, Colombia on charges relating to designing hosting systems that were used to share Gozi files with affiliates without being detected. Paunescu and pals allegedly charged criminals $500/week for use of their malware, which was used to steal bank account passwords and subsequently millions of dollars from victims. It’s not the first time Paunescu has been caught. In 2012, the Romanian national was arrested in his own country but escaped extradition. He’s unlikely to be so lucky this time around.

Meanwhile, more bad news for crims this week as Europol cyber cops took down DoubleVPN. The so-called ‘super secure’ service was a favorite on Russian and English-speaking cybercrime forums, where it was heavily recommended for those seeking to hide their identity and location while undertaking ransomware, phishing and other malicious activities.

Before it was taken down, the DoubleVPN website claimed that it kept no customer logs. However, according to the notice posted by authorities on the now seized site, the cops grabbed personal information and logs relating to all DoubleVPN customers. “DoubleVPN’s owners failed to provide the services they promised”, the notice ominously stated.

The Bad

APT28, aka the 85th GTsSS of the GRU, is rarely out of the news for long, and it’s an adversary we’re well used to dealing with. This week, the NSA, FBI and other U.S. cybersecurity agencies revealed that the Russian military intelligence unit has been making a beeline for enterprise cloud environments since at least mid-2019.

According to the advisory, the threat actor used a Kubernetes cluster as a springboard for attacking hundreds of private and public sector targets worldwide. Much of their activity took the form of anonymized brute force and password spraying attacks against organizations using Microsoft Office 365 cloud services, combined with exploiting known CVEs such as CVE-2020-0688 and CVE-2020-17144.


The attacks originating from the Kubernetes cluster were primarily routed through Tor and commercial VPN services, although the advisory notes that some were delivered directly from nodes in the cluster. Targets included government and military organizations, political organizations, energy companies and logistics companies, as well as law firms, media and higher education institutions.

Authorities warn that the campaign is almost certainly ongoing. Organizations are urged to adopt and expand the use of MFA, ensure that access controls have time-out and lock-out features, use strong passwords and adopt a Zero Trust security model. More information on specific TTPs and IoCs is available here.

The Ugly

Question: what do you get when you add a zero-day to a freshly minted exploit and the accidental release of both by security researchers? Answer: a very ugly day in cybersecurity. What is now being dubbed PrintNightmare is a remote code execution vulnerability in the Windows Print Spooler service. The service is enabled by default on Windows Server editions, with the exception of Windows Server Core, and is likely to affect the majority of enterprises.

Most importantly, the bug is not fixed in the latest Microsoft patch, and CISA advises all enterprises to disable the Windows Print Spooler service on domain controllers, Active Directory admin systems, and all other systems that do not print. This can be done in PowerShell via

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Or more succinctly (this stops the service but leaves its startup type unchanged) via Windows cmd with:

net stop spooler

On Thursday, Microsoft assigned the bug to CVE-2021-34527 and further advised admins to disable inbound remote printing through Group Policy. The OS vendor also said they were aware of in-the-wild attacks but gave no further details.
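As an added example (not code from the article, CISA or Microsoft), the following PowerShell wraps the two commands above in a check a practitioner would want before running them fleet-wide: it reports whether the host is a domain controller and whether the spooler is installed and running, and only then stops and disables the service. The function names Get-SpoolerExposure and Disable-SpoolerIfUnneeded and the -AllowPrinting switch are this example’s own; the DomainRole values come from the documented Win32_ComputerSystem class.

```powershell
# Added example, not part of the original article.
# Inspect the Print Spooler on this host and disable it unless the host
# genuinely needs to print (domain controllers never should).

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = ($cs.DomainRole -ge 4)
    $status    = if ($null -ne $svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($null -ne $svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerPresent     = ($null -ne $svc)
        SpoolerStatus      = $status
        SpoolerStartType   = $startType
    }
}

function Disable-SpoolerIfUnneeded {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Set this only on hosts that are meant to print (never on a DC).
        [switch]$AllowPrinting
    )
    $state = Get-SpoolerExposure
    if (-not $state.SpoolerPresent) {
        Write-Verbose "No Print Spooler service on $($state.ComputerName); nothing to do"
        return $state
    }
    if ($AllowPrinting -and -not $state.IsDomainController) {
        Write-Verbose "Print Spooler left enabled on $($state.ComputerName) (printing required)"
        return $state
    }
    if ($AllowPrinting -and $state.IsDomainController) {
        Write-Warning "$($state.ComputerName) is a domain controller; disabling the spooler regardless"
    }
    # Same two commands the article gives, guarded by -WhatIf / -Confirm support.
    if ($PSCmdlet.ShouldProcess($state.ComputerName, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    return Get-SpoolerExposure
}

# Usage (run from an elevated session):
#   Get-SpoolerExposure                 # inspect only
#   Disable-SpoolerIfUnneeded -WhatIf   # dry run
#   Disable-SpoolerIfUnneeded           # stop and disable on non-printing hosts
```

Running Get-SpoolerExposure across a set of hosts (for example via Invoke-Command) gives an inventory of where the spooler is still enabled, which is the list CISA’s advice asks admins to work through; the disabling path is deliberately behind ShouldProcess so a dry run can be reviewed first.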

The bug came to light when Chinese cybersecurity outfit Sangfor released PoC code on GitHub for what they thought was a different vuln that had been included in Microsoft’s most recent Patch Tuesday. Researchers from the company intend to present at this year’s Black Hat about multiple Spooler vulns, but mistakenly released code related to a different vuln from the one included in the patch. The PoC was subsequently removed from GitHub, but not before others had cloned and forked the repo.


Jim Whitehurst steps down as president at IBM just 14 months after taking role

In a surprise announcement today, IBM announced that Jim Whitehurst, who came over in the Red Hat deal, would be stepping down as company president just 14 months after taking over in that role.

IBM didn’t give a lot of details as to why he was stepping away, but acknowledged his key role in helping bring the 2018 $34 billion Red Hat deal to fruition and helping bring the two companies together after the deal closed. “Jim has been instrumental in articulating IBM’s strategy, but also, in ensuring that IBM and Red Hat work well together and that our technology platforms and innovations provide more value to our clients,” the company stated.

He will stay on as a senior adviser to IBM CEO Arvind Krishna, but it raises the question of why he is leaving after such a short time in the role, and what he plans to do next. Oftentimes after a deal of this magnitude closes, there is an agreement as to how long key executives will stay. It could simply be that the period has expired and Whitehurst wants to move on, but some saw him as the heir apparent to Krishna, and the move comes as a surprise when looked at in that context.

“I am surprised because I always thought Jim would be next in line as IBM CEO. I also liked the pairing between a lifer IBMer and an outsider,” Patrick Moorhead, founder and principal analyst at Moor Insight & Strategies told TechCrunch.

Regardless, it leaves a big hole in Krishna’s leadership team as he works to transform the company into one that is primarily focused on hybrid cloud. Whitehurst was undoubtedly in a position to help drive that change through his depth of industry knowledge and his credibility with the open source community from his time at Red Hat. He is not someone who would be easily replaced and the announcement didn’t mention anyone filling his role.

When IBM bought Red Hat in 2018 for $34 billion, it led to a cascading set of changes at both companies. First, Ginni Rometty stepped down as CEO at IBM and Arvind Krishna took over. At the same time, Jim Whitehurst, who had been Red Hat CEO, moved to IBM as president, and long-time employee Paul Cormier moved into his role.

Today the company also announced other changes, including that long-time IBM executive Bridget van Kralingen is stepping away too, leaving her role as senior vice president of global markets. Rob Thomas, who had been senior vice president of IBM cloud and data platform, will step in to replace van Kralingen.

Another 0-Day Looms for Many Western Digital Users

Some of Western Digital’s MyCloud-based data storage devices. Image: WD.

Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.

At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.

Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.

Nevertheless, in February 2021, the duo published this detailed YouTube video, which documents how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor — using a low-privileged user account that has a blank password.

The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3. A statement published on its support site March 12, 2021 says the company will no longer provide further security updates to the MyCloud OS 3 firmware.

“We strongly encourage moving to the My Cloud OS5 firmware,” the statement reads. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” A list of MyCloud devices that can support OS 5 is here.

But according to Domanski, OS 5 is a complete rewrite of Western Digital’s core operating system, and as a result some of the more popular features and functionality built into OS3 are missing.

“It broke a lot of functionality,” Domanski said of OS 5. “So some users might not decide to migrate to OS 5.”

In recognition of this, the researchers have developed and released their own patch that fixes the vulnerabilities they found in OS 3 (the patch needs to be reapplied each time the device is rebooted). Western Digital said it is aware of third parties offering security patches for My Cloud OS 3.

“We have not evaluated any such patches and we are unable to provide any support for such patches,” the company stated.

A snippet from the video showing the researchers uploading their malicious firmware via a remote zero-day flaw in MyCloud OS 3.

Domanski said MyCloud users on OS 3 can virtually eliminate the threat from this attack by simply ensuring that the devices are not set up to be reachable remotely over the Internet. MyCloud devices make it super easy for customers to access their data remotely, but doing so also exposes them to attacks like last month’s that led to the mass-wipe of MyBook Live devices.

“Luckily for many users they don’t expose the interface to the Internet,” he said. “But looking at the number of posts on Western Digital’s support page related to OS3, I can assume the userbase is still considerable. It almost feels like Western Digital without any notice jumped to OS5, leaving all the users without support.”

Dan Goodin at Ars Technica has a fascinating deep dive on the other zero-day flaw that led to the mass attack last month on MyBook Live devices that Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital acknowledged that the flaw was enabled by a Western Digital developer who removed code that required a valid user password before allowing factory resets to proceed.

Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”

If attackers get around to exploiting this OS 3 bug, Western Digital might soon be paying for data recovery services and trade-ins for a whole lot more customers.

After bootstrapping since 2002, Articulate raises $1.5B on $3.75B valuation

Most companies don’t announce their first venture investment after almost 20 years in the business, nor do they announce that round is the equivalent of a good startup’s entire private fundraising history. But Articulate, a SaaS training and development platform, is not your typical company and today it announced a whopping $1.5 billion investment on a $3.75 billion valuation.

You can call it Series A if you must label it, but whatever it is, it’s a hefty investment by any measure. General Atlantic led the round with participation from Blackstone Growth and Iconiq Growth. GA claims it’s one of the largest A rounds ever, and I’m willing to bet it’s right.

CEO Adam Schwartz founded the company with his life savings in 2002 and hasn’t taken a dime of outside investment since. “Our software enables organizations to develop, deliver, and analyze online training that is engaging and effective for enterprises and SMBs,” Schwartz explained.

He says that the company started back in 2002 as a plug-in for PowerPoint. Today it is a software service with the goal of helping enable everyone to deliver training, even if they aren’t a training professional. Articulate actually has two main products, one is a set of tools for companies building training that connects to an enterprise learning management system or LMS. The other is aimed at SMBs or departments in an enterprise.

Its approach seems to be working with the company reporting it has 106,000 customers across 161 countries including every single one of the Fortune 100. Schwartz was loath to share any additional metrics, but did say they hope to use this money to grow 10x over the next several years.

Company president Lucy Suros, who has been with the organization for a decade, says even with this success, they see plenty of opportunity for growth and they felt taking this capital now would really enable them to accelerate.

“We are the most dominant player by far in course authoring apps, but when you look at that whole ecosystem and you think about where companies are in transforming from instructor-led training to online training, they’re still really in the early innings so there’s a lot of opportunity,” she said.

Anton Levy, co-president and managing director at General Atlantic, who is leading the investment for the firm, says that this is a “big, bold, incredible business” and that’s why they’re making an investment of this size and scope. “The reason we’re stepping up in such a large way, and what’s such a large check for us, is because of the business they’ve built, the team they’ve built, and frankly the market opportunity that they’re playing in and their ambition,” he said.

Today the company has 300 employees, and it had been working as a remote company long before COVID. With the new capital, that number could triple over the next several years. Suros says that when she started at the company, there were 50 employees, mostly male engineers, and she went to work to make it a more diverse work environment.

“We’ve put emphasis and a lot of just structural things in place to ensure that we are bringing more [diverse] people to the table, and then supporting folks once they’re here,” she said. With the new capital, the company announced a lot of new benefits and she said those were developed with the idea of helping break down barriers for under-represented groups in their ranks including covering gender transition-related costs.

She says that one of the benefits of becoming more visible as a company is being able to talk about their human-centered organization framework, the set of principles the company put in place to define its values. “[We think about] how that can impact the employees and drive human flourishing for its own sake, and that also happens to lead to better business outcomes. But we’re really also interested in it from [the standpoint that] we want to be good and do good in the world and promote human flourishing at work,” she said.

The company seems to have been doing just fine up until now, but with this kind of capital, it aims to take the business to another level, while trying to be good corporate citizens as they do that.

To guard against data loss and misuse, the cybersecurity conversation must evolve

Data breaches have become a part of life. They impact hospitals, universities, government agencies, charitable organizations and commercial enterprises. In healthcare alone, 2020 saw 640 breaches, exposing 30 million personal records, a 25% increase over 2019 that equates to roughly two breaches per day, according to the U.S. Department of Health and Human Services. On a global basis, 2.3 billion records were breached in February 2021.

It’s painfully clear that existing data loss prevention (DLP) tools are struggling to deal with the data sprawl, ubiquitous cloud services, device diversity and human behaviors that constitute our virtual world.

Conventional DLP solutions are built on a castle-and-moat framework in which data centers and cloud platforms are the castles holding sensitive data. They’re surrounded by networks, endpoint devices and human beings that serve as moats, defining the defensive security perimeters of every organization. Conventional solutions assign sensitivity ratings to individual data assets and monitor these perimeters to detect the unauthorized movement of sensitive data.


Unfortunately, these historical security boundaries are becoming increasingly ambiguous and somewhat irrelevant as bots, APIs and collaboration tools become the primary conduits for sharing and exchanging data.

In reality, data loss is only half the problem confronting a modern enterprise. Corporations are routinely exposed to financial, legal and ethical risks associated with the mishandling or misuse of sensitive information within the corporation itself. The risks associated with the misuse of personally identifiable information have been widely publicized.

However, risks of similar or greater severity can result from the mishandling of intellectual property, material nonpublic information, or any type of data that was obtained through a formal agreement that placed explicit restrictions on its use.

Conventional DLP frameworks are incapable of addressing these challenges. We believe they need to be replaced by a new data misuse protection (DMP) framework that safeguards data from unauthorized or inappropriate use within a corporate environment in addition to its outright theft or inadvertent loss. DMP solutions will provide data assets with more sophisticated self-defense mechanisms instead of relying on the surveillance of traditional security perimeters.

Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax

Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.

Intuit says the change is tied to an “exciting” and “free” new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit.

“In early fall 2021, your QuickBooks Online Payroll subscription will include an automated income and employment verification service powered by The Work Number from Equifax,” reads the Intuit email, which includes a link to the new Terms of Service. “Your employees may need to verify their income and employment info when applying for things like loans, credit, or public aid. Before, you likely had to manually provide this info to lenders, creditors or government agencies. These verifications will be automated by The Work Number, which helps employees get faster approvals and saves you time.”

An Intuit spokesperson clarified that the new service is not available through QuickBooks Online or to QuickBooks Online users as a whole. Intuit’s FAQ on the changes is here.

Equifax’s 2017 megabreach that exposed the personal and financial details of 145.5 million Americans may have shocked the public, but it did little to stop more than a million employers from continuing to sell Equifax their employee payroll data, Bloomberg found in late 2017.

“The workforce-solutions unit is now among Equifax’s fastest-growing businesses, contributing more than a fifth of the firm’s $3.1 billion of revenue last year,” wrote Jennifer Surane. “Using payroll data from government agencies and thousands of employers — including a vast majority of Fortune 500 companies — Equifax has cultivated a database of 300 million current and historic employment records, according to regulatory filings.”

QuickBooks Online user Anthony Citrano posted on Twitter about receiving the notice, noting that the upcoming changes had yet to receive any attention in the financial or larger media space.

“The way I read the terms, Equifax gets to proactively collect all payroll data just in case they need to share it later — similar to how they already handle credit reporting,” said Citrano, who is founder and CEO of Acquicent, a company that issues non-fungible tokens (NFTs). “And that feels like a disaster waiting to happen, especially given Equifax’s history.”

In selling payroll data to Equifax, Intuit will be joining some of the world’s largest payroll providers. For example, ADP — the largest payroll software provider in the United States — has long shared payroll data with Equifax.

But Citrano said this move by Intuit will incorporate a large number of fairly small businesses.

“ADP participates in some way already, but QuickBooks Online jumping on the bandwagon means a lot of employees of small to mid-sized businesses are going to be affected,” he said.

Why might small businesses want to think twice before entrusting Equifax with their payroll data? The answer is the company doesn’t have a great track record of protecting that information.

In the days following the 2017 breach at Equifax, KrebsOnSecurity pointed out that The Work Number made it a little too easy for anyone to learn your salary history. At the time, all you needed to view someone’s entire work and salary history was their Social Security number and date of birth. It didn’t help that for roughly half the U.S. population, both pieces of information were known to be in the possession of criminals behind the breach.

Equifax responded by taking down its Work Number website until it was able to include additional authentication requirements, saying anyone could opt out of Equifax revealing their salary history.

Equifax’s security improvements included the addition of four multiple-guess questions whose answers were based on publicly available data. But these requirements were easily bypassed, as evidenced by a previous breach at Equifax’s employment division.

The Work Number is a user-paid verification of employment database created by TALX Corp., a data broker acquired by Equifax in 2007. Four months before the epic 2017 breach became public, KrebsOnSecurity broke the news that fraudsters who specialize in tax refund fraud had been successfully guessing the answers to those secret questions to reset TALX account PINs, which then let them view past W-2 tax forms for employees at many Fortune 500 companies.

Intuit says affected customers that do not want this new service included must update their preferences and opt out by July 31, 2021. Otherwise, they will automatically be opted in. According to Intuit, customers can opt out by following these steps:

1. Sign in to QuickBooks Online Payroll.

2. Go to Payroll Settings.

3. In the Shared data section, select the pencil and uncheck the box.

4. Select Save.

A Moment of Appreciation. Today SentinelOne Becomes a Publicly Traded Company!

It’s with great pride that we announce that as of today, SentinelOne officially becomes a publicly traded company on the New York Stock Exchange under the ticker symbol “S”. Today marks an exciting new chapter in our company journey and positions us for continued growth and long-term success. Thank you to the many amazing customers, investors, employees, and partners from around the world who have helped us establish SentinelOne as an XDR market leader.

Today’s IPO is validation of the innovation and investment we’ve made to pioneer the use of behavioral AI and harness the power of data to help our customers autonomously prevent and remediate attacks, lessening the load for humans and providing capabilities not possible from other cybersecurity products on the market.

Today starts the next chapter in SentinelOne’s story of fighting today’s adversaries and protecting our customers.

Protecting Society Against Ransomware and Malicious Attacks

Eight years ago, my co-founder Almog Cohen and I started SentinelOne to address what has become one of the greatest threats of the digital age: cyberattacks. As attacks proliferate and impact every level of society, cybersecurity is indispensable in protecting our future and current way of life.

We saw the changing nature of digital infrastructure, the accelerating rise of breaches, and the devastating impacts of cyber attacks on society – which have been amplified over time. The digitization of the modern world has made securing even the most basic services our daily lives rely upon an exponential challenge. This is why we set out to create a new and better approach to solve this critical problem.

The sheer amount of data, devices, and workloads in today’s enterprise environments makes cybersecurity simply too big, too vast, and too fast for humans alone to shoulder. The only solution to this challenge is found in the power of AI and the ability to harness data to devise a new, proactive, and autonomous approach that would be highly scalable.

As we embark on this new journey, I want to make a commitment to our customers, employees and partners that our core values will not change. We will stay true to the core tenets that guide us in serving our customers and protecting the world’s most important data and infrastructure.

Our Pledge: SentinelOne – A Force for Good

We exist to be a force for good. People’s most sensitive data lives on computing devices and in the cloud, making cyberattacks one of the biggest threats to society. We pledge to place integrity first and to foster a culture of equality, diversity, and inclusion. We protect all data, we serve all people. We strive for truth, honesty, and transparency in all dealings with our customers, employees, shareholders, partners, and society at large.

Our Mission: Keep the World Running

The world is full of criminals, state actors, and other hostile agents who seek to exfiltrate and exploit data to disrupt our way of life. Our mission is to keep the world running by protecting and securing the core pillars of modern infrastructure: data and the systems that store, process, and share information. This is an endless mission as attackers evolve rapidly in their quest to disrupt operations, breach data, turn profit, and inflict damage.

We believe that the world is and will be a safer place because of SentinelOne. Today is the beginning of the rest of the story to win the cybersecurity battle and keep our customers safe.

I am truly humbled by everyone who has made SentinelOne the company that it is and will be.

Thank you,

Tomer Weingarten



DevOps platform JFrog acquires AI-based IoT and connected device security specialist Vdoo for $300M

JFrog, the company best known for a platform that helps developers continuously manage software delivery and updates, is making a deal to help it expand its presence and expertise in an area that has become increasingly connected to DevOps: security. The company is acquiring Vdoo, which has built an AI-based platform that can be used to detect and fix vulnerabilities in the software systems that work with and sit on IoT and connected devices. The deal — in a mix of cash and stock — is valued at approximately $300 million, JFrog confirmed to me.

Sunnyvale-based, Israeli-founded JFrog is publicly traded on Nasdaq, where it went public last September, and currently it has a market cap of $4.65 billion. Vdoo, meanwhile, had raised about $70 million from investors that include NTT, Dell, GGV and Verizon (disclaimer: Verizon owns TechCrunch), and when we covered its most recent funding round, we estimated that the valuation was somewhere between $100 million and $200 million, making this a decent return.

Shlomi Ben Haim, JFrog’s co-founder and CEO, said that his company’s turn to focusing deeper on security, and making this acquisition in particular to fill out that strategy, are a natural progression in its aim to build out an end-to-end platform for the DevOps team.

“When we started JFrog, the main challenge was to educate the market on what we saw as most important priorities when it comes to building, testing and deploying software,” he said. Then, sometime around 2015-2016, he said they started to realize there was a “crack” in the system, “a crack called security.” InfoSec engineers and developers sometimes work at cross purposes: as developers “became too fast,” the work they were doing inadvertently led to a lot of security vulnerabilities.

JFrog has been building a number of tools since then to address that and to bring the collective priorities together, such as its X-ray product. And indeed, Vdoo is not JFrog’s first foray into security, but it represents a significant step deeper into the hardware and systems that are being run on software. “It’s a very important leap forward,” Ben Haim said.

For its part, Vdoo was born out of a realization as well as a challenging mission: IoT and other connected devices — a universe of some 50 billion pieces of hardware as of last year — represent a massive security headache, and not just because of the volume of devices. Each object uses and interacts with software in the cloud, and so each instance represents a potential vulnerability, with zero-day vulnerabilities, CVEs, configuration and hardening issues, and non-compliance with standards among the most common.

While connected-device security up to now has typically focused on monitoring activity on the hardware and how data moves in and out of it, Vdoo’s approach has been to build a platform that, on top of that, monitors the behavior of the devices themselves, using AI to analyze that behavior and identify when something is not working as it should. Interestingly, this mirrors the kind of binary analysis that JFrog provides in its DevOps platform, making the two complementary to each other.

But what’s notable is that this will give JFrog a bigger play at the edge, since part of Vdoo’s platform works on devices themselves, “micro agents” as the company has described them to me previously, to detect and repair vulnerabilities on endpoints.

While JFrog has built a lot of its own business from the ground up, it has made a number of acquisitions to bolt on technology (one example: Shippable, which it used to bring continuous integration and delivery into its DevOps platform). In this case, Netanel Davidi, the co-founder and CEO of Vdoo (who previously co-founded and sold another security startup, Cyvera, to Palo Alto Networks) said that this was a good fit because the two companies are fundamentally taking the same approaches in their work (another synergy and justification for DevOps and InfoSec being more closely knitted together too I might add).

“In terms of the fit between the companies, it’s about our approach to binaries,” Davidi said in an interview, noting that the two being on the same page with this approach was fundamental to the deal. “That’s the only way to cover the entire pipeline from the very beginning, when you develop something, all the way to the device or to the server or to the application or to the mobile phone. That’s the only way to truly understand the context and contextual risk.”

He also made a note not just of the tech but of the talent that is coming on with the acquisition: 100 people joining JFrog’s 800.

“If JFrog chose to build something like this themselves, they could have done it,” he said. “But the uniqueness here is that we have built the best security team, the best security researchers, the best vulnerability researchers, the best reverse engineers, which focus not only on embedded systems, and IoT, which is considered to be the hardest thing to learn and to analyze, but also in software artifacts. We are bringing this knowledge along with us.”

JFrog said that Vdoo will continue to operate as a standalone SaaS product for the time being. Updates that are made will be in aid of supporting the JFrog platform and the two aim to have a fully integrated, “holistic” product by 2022.

Along with the deal, JFrog reiterated financial guidance for the next quarter that will end June 30, 2021. It expects revenues of $47.6 million to $48.6 million, with non-GAAP operating income of $0.5 million to $1.5 million and non-GAAP EPS of $0.00 to $0.01, assuming approximately 104 million weighted average diluted shares outstanding. For Full Year 2021, revenues are expected to be $198 million to $204 million, with non-GAAP operating income between $5 million and $7 million and an approximately 3% increase in weighted average diluted shares. JFrog anticipates consolidated operating expenses to increase by approximately $9-10 million for the remainder of 2021, subject to the acquisition closing.