There's a lot going on in the data protection and cyber security markets - it can be hard to keep up with all the news. That's where The Competitive Corner's Newsletter comes in, to help curate and distill the most pertinent movers and shakers each month to make your job easier.
I realize I've fallen behind a little bit, so with the next 4 blogs coming all at once I should be back on track! September was full of M&A activity with key newsmakers including #Own, #Rubrik, #Veeam, and #Commvault. Below you'll find a breakdown of why these news items matter to you, links to the original articles, and related blogs for further research and insights.
September 2024 Competitive Headlines:
Salesforce Signs Definitive Agreement to Acquire Own Company
[Link to Original Article]
Why it Matters?
Seriously, all this “Who owns OWN” is sounding like a comedy sketch, but I digress…
It seems Salesforce wanted to kick off their upcoming Dreamforce event (Sept 17-19) with a BANG, but this certainly will shake things up in the market! Salesforce has agreed to acquire Own Company for $1.9B in cash. Own was the first 3rd party SFDC backup solution in the market and for the longest time the only one approved on the AppExchange for backup and recovery of the CRM software.
Apparently, Own had been shopping themselves around for a buyer, but their limited support outside of Salesforce was always going to be a key factor for investors. Outside of SFDC, Own can protect Microsoft Dynamics CRM, Microsoft Power Apps, and ServiceNow. The solutions cover backup/recovery, DR, archive, analytics, data lifecycle management, compliance, and secure access to these apps.
Right now it’s really a “wait and see” situation. Own has been the de facto leader in the Salesforce data protection/management space for years, so it will be very interesting to see what impact this will have, as many other vendors provide backup and recovery for Salesforce. Will Salesforce restrict backups to their new Own solution only? Will SFDC cut back on the support for non-SFDC platforms? Or will Salesforce use this to leapfrog into other markets?
Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
[Link to Original Article ]
Why it Matters?
I guess Veeam will be rushing to push all their v12 customers to install the latest 12.2 release to fix all of the CVEs they just disclosed (especially the 5 Critical ones, rated between 9/10 and 9.9/10 in severity). The flaws cover all versions of the software except for the latest one, released just last week. Let's look at this latest batch of 18 vulnerabilities that Veeam customers and ALL MSP partners need to address, and don't forget this is on top of the other 6+ already disclosed this year so far...
Veeam Backup & Replication (VBR) - their core flagship solution
CVE-2024-40711 (Critical 9.8/10) -- Allows for unauthorized remote execution of code!!! (very bad)
CVE-2024-40713 (High 8.8/10) -- Allows a low privilege user to bypass MFA
CVE-2024-40710 (High 8.8/10) -- A number of related exploits that stem from a low privilege user being able to execute code remotely and extract sensitive information (credentials and passwords)
CVE-2024-39718 (High 8.1/10) -- Enables a low privilege user to remotely remove files as if they had the privileges of a service account on that system
CVE-2024-40714 (High 8.3/10) -- TLS vulnerability whereby an attacker on the network can intercept credentials during restore operations
CVE-2024-40712 (High 7.8/10) -- Allows a low privilege local user to elevate their permissions/privilege on the system.
Veeam Agent for Linux
CVE-2024-40709 (High 7.8/10) -- Enables a local low privilege user to elevate themselves to ROOT
Veeam ONE - (used for reporting and visibility across multiple Veeam instances, used by most enterprises and MSPs)
CVE-2024-42024 (Critical 9.1/10) -- A user with access to a service account on one system can execute remote code on any other system with a Veeam ONE agent installed on it
CVE-2024-42019 (Critical 9/10) -- Allows a user to access the NTLM hash of the Veeam Service Account.
CVE-2024-42023 (High 8.8/10) -- A low privilege user can remotely execute code as if they were an Administrator
CVE-2024-42021 (High 7.5/10) -- An attacker can gain access to valid access tokens and saved credentials
CVE-2024-42022 (High 7.5/10) -- Attackers can modify configuration files in the Veeam ONE product itself.
CVE-2024-42020 (High 7.3/10) -- This vulnerability in the Reporter Widget allows for HTML injection attacks
Veeam Service Provider Console - (something ALL Veeam MSPs are running!)
CVE-2024-38650 (Critical 9.9/10) -- Allows a low privilege user to get access to the NTLM hash of the service account on the main VSPC server
CVE-2024-39714 (Critical 9.9/10) -- A low privilege user can remotely upload files to the Veeam server and thus execute code remotely from that server
CVE-2024-39715 (High 8.5/10) -- Low privileged users with REST API access can remotely upload files via the REST APIs, and remotely execute code
CVE-2024-38651 (High 8.5/10) -- Files on the VSPC server can be overwritten/changed by low privileged users which can lead to remote code execution
Veeam Backup for Nutanix AHV, Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
CVE-2024-40718 (High 8.8/10) -- Low privilege user can escalate their local privileges
In all of these cases, the fixes are included in the latest builds for the respective products. Customers are advised to update their software immediately to resolve these vulnerabilities.
That is now over 20 CVEs, most of which are rated High or Critical, that Veeam has disclosed over the past 9 months and the year ain't over yet! Customers that already were impacted earlier this year find themselves having to update their Veeam software yet again. Patching/Upgrading the backup software is not something many customers can just do whenever they want, which means most Veeam customers will be exposed/vulnerable for quite some time until they can get these fixes applied.
Link to the Veeam KB article covering all of the CVEs in detail is available here.
Rubrik Reports Second Quarter Fiscal Year 2025 Financial Results
[Link to Original Article ]
Why it Matters?
Despite a relatively good Q2 result, Rubrik stock was trading down 6% (~$30) following their announcements around financials this week. Revenue was up 35% YoY at $205M, but so were operating costs - jumping to $27M in negative cash flow from operations, a huge jump compared to the $6.7M negative cash flow a year ago. Sure, they are increasing overall subscription ARR, but they are burning a lot of money to bring that revenue in.
Another factor putting pressure on the stock price is that on Wednesday, September 11th the lock-up period for Rubrik expired -- meaning pre-IPO investors and shareholders could finally cash in on all their options. The stock finished the week at $30.50, almost 20% lower than their IPO launch.
Rubrik’s overall success in growing revenues and winning more customers over $100k is a good thing for the market as a whole. It shows that customers are investing not just in backup, but in data security. A healthy market is always good.
Commvault Accelerates Cyber Resilience Capabilities for AWS with Acquisition of Clumio
[Link to Original Article]
Why it Matters?
Very interesting news for sure! It appears the transaction is valued at ~$47M USD, and this was identified as an “asset acquisition” - meaning that it wasn't an outright purchase of the entire company. It's likely that Commvault has only bought the technology stack / IP, but there is not yet any confirmation around what is or is not included in the sale. I’d hazard that a safe bet is to assume that the people were not a part of the purchase - just the tech.
Now, in terms of the technology, Commvault's core software already had very good workload coverage within the AWS ecosystem. However, that functionality and workload support didn't translate to the Metallic SaaS offering and there were other AWS specific restrictions with the Metallic solution in AWS. So, while Commvault did have AWS backup support, the Clumio solution provides them with a stronger AWS-native option. It’s most likely that Clumio will get swapped in to deliver a more complete AWS backup offering and Metallic remains as the go-to option for OCI and Azure data protection. Clumio also gives Commvault the potential option to host M365 backup in AWS (Clumio) or Azure (Metallic) depending on which offering is more ideal for the customer.
Clumio did just raise $75M in funding back in February and got a new CEO just last month, along with a new VP of marketing and chief people person in July, so it was a little bit of a surprise to see them sell, but there is a good fit. Clumio claimed to have a 4x growth in ARR and 100+PB of data under protection (100s of customers) in 2023. Last ARR figures stated "double digit" numbers with estimates around $15M.
Veeam, the #1 Data Resilience Company, Appoints Niraj Tolia as Chief Technology Officer to Accelerate Innovation of Data Resilience as a Service
[Link to Original Article]
Why it Matters?
Interesting news here...
Veeam had invested in Alcion back in September 2023 when they emerged from stealth with $21M of investment. The acquisition is a little confusing as Alcion's solution is a BaaS platform for M365 backup... which is what Veeam acquired Cirrus for back in October 2023 and relaunched as the Veeam Data Cloud in January 2024.
Tolia was involved in that initial investment, so this doesn't surprise me to see him backfilling the role left vacant when Danny Allen departed for Snyk. Tolia also was part of the Kasten team (also acquired by Veeam) so he has a long relationship there with the Veeam executive folks and company as a whole.
The Alcion solution 100% overlaps with the existing Veeam Backup for M365 (which they just released v8.0 for) which is also the backbone of the current Veeam Data Cloud M365 backup offering as well. I'm really not sure what Veeam's plans are for reconciling the 2 solutions at this point.
Alcion is built in AWS and available in only 3 regions (N. Virginia, Ireland, Sydney). They do provide some M365 security features above and beyond Veeam's current capabilities, such as:
Malware/Ransomware detection in M365 data
Ability to skip backing up detected malware to create clean backup copies
Identification of known clean/safe backups for faster recovery
This certainly creates a little ambiguity around what solution(s) Veeam will be selling for M365 data protection. Will existing users have to transition to Alcion? Will existing Alcion users have to migrate to Veeam? Or will this acquisition turn out to be just Veeam buying the security IP currently missing from their own software and integrating it into their platform? Time will tell, but right now there have been no answers or roadmap provided by either organization.
Written by Matt Tyrer. These posts reflect my own opinion and are not necessarily the opinion of my employer.