Tanium + FireEye
After FireEye’s meteoric rise and recent IPO, most people are familiar with the company. They’re most well known for their appliance-based approach to detecting emerging malware. However, they’ve branched out into other aspects of security recently — mostly by way of acquisition. FireEye picked up iSight Partners, which is a threat intelligence provider that also happens to be Tanium’s partner for Indicators of Compromise (IOCs) and other threat intelligence data. FireEye also purchased Invotas in February of 2016, which provides a mechanism to automate common actions that a security team currently performs manually. FireEye now offers that technology under the moniker “Security Orchestrator”.
Tanium goes after a boring, yet profoundly important aspect of information security: configuration management. It is a persistent problem in organizations of 10 or 10,000 systems. Tanium has grown rapidly and has a very impressive client base. They would make an excellent addition to the portfolios of numerous larger players.
FireEye and Tanium would make a strong combination, provided you can glue them together so that FireEye alerts trigger actions in Tanium. I know this from experience as I spent a good amount of time helping a client with this during 2015. It’s common to do things like the following:
- Aggregate log data (FireEye alerts, etc.) in a SIEM
- Generate an alert based on certain conditions
- Perform an action based on the alert, e.g.:
  - Have Tanium query every endpoint for the existence of a known-bad domain name in the DNS cache
  - Have Tanium take some action on the end user’s system if the domain name was found
  - Take any number of other actions
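The alert-to-action workflow above, reduced to the defender-side logic that glues the pieces together. This is an added illustration, not code from the post or from FireEye or Tanium: the SIEM alert and each endpoint's DNS cache are constructed samples standing in for the real API calls, and the cache text follows the `ipconfig /displaydns` layout.

```python
import re

# Constructed sample: a FireEye-style alert after the SIEM normalized it.
ALERT = {"id": "constructed-0001", "indicators": {"domains": ["bad-example.test"]}}

# Constructed sample of per-host `ipconfig /displaydns` output, as an endpoint
# query would return it (hypothetical hosts and names).
DNS_CACHE_BY_HOST = {
    "ws-01": """
    Record Name . . . . . : cdn.bad-example.test
    Record Type . . . . . : 1
    Record Name . . . . . : intranet.corp.test
    """,
    "ws-02": """
    Record Name . . . . . : update.vendor.test
    Record Name . . . . . : notbad-example.test
    """,
}

RECORD_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)", re.IGNORECASE)


def cached_names(displaydns_output):
    """Extract the set of record names from displaydns-style text."""
    return {m.group(1).rstrip(".").lower() for m in RECORD_NAME.finditer(displaydns_output)}


def matches_indicator(name, bad_domains):
    """Return the indicator a cached name matches (exact or as a subdomain), else None."""
    for bad in bad_domains:
        bad = bad.lower().rstrip(".")
        if name == bad or name.endswith("." + bad):
            return bad
    return None


def triage_alert(alert, caches):
    """Map each host to the (cached name, indicator) pairs that hit the alert's domains."""
    bad = alert["indicators"]["domains"]
    hits = {}
    for host, output in caches.items():
        for name in cached_names(output):
            indicator = matches_indicator(name, bad)
            if indicator:
                hits.setdefault(host, []).append((name, indicator))
    return hits


def planned_actions(hits):
    """Step three of the workflow: one action per affected host, ready for the endpoint tool."""
    return [(host, "isolate_and_collect") for host in sorted(hits)]
```

The suffix check in `matches_indicator` is what keeps `notbad-example.test` from being flagged while `cdn.bad-example.test` is.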
However, integrating the two systems requires the Security team to learn the APIs for both, then spend time defining workflows and translating those workflows into code. Most security teams don’t have the time to do these things, even if they do have the skills. What’s missing is a mechanism to make the systems work more smoothly together. And FireEye just obtained that piece with the acquisition of Invotas in February of 2016.
If FireEye could manage to put it all together cleanly (FireEye + Invotas + Tanium + iSight), they could have a resurgence. It’s a bit of a long shot, but that’s the direction they appear to be trying to go in. Furthermore, Tanium provides many capabilities to deal with end-user systems at scale that nothing else provides. Whoever owns Tanium owns that part of the market, and the more useful they can make it, the further ahead they get.
This makes a lot of sense on paper, but given how rough the Mandiant acquisition went for FireEye, this pairing is not without its risks. Given Tanium’s recent $3.5B+ valuation, this may be a situation that warrants a take-private of FireEye, followed by a merger of the two companies and possibly a re-IPO of the resulting juggernaut.
Cyphort + Phantom + CrowdStrike
Cyphort is a direct FireEye competitor; they provide a passive network monitoring appliance that does a better job than FireEye at detecting cutting edge malware.
Phantom Cyber, the winner of the 2016 RSA Innovation Sandbox, has a bright future. Coordinating security response across disparate platforms has been a Holy Grail of cybersecurity for decades. Phantom actually makes it look easy. Their product is surprisingly mature for a young company.
CrowdStrike has threat intelligence capabilities that are among the best in the industry, and their endpoint protection products have a robust set of capabilities. CrowdStrike enjoys “Palo Alto Networks” style zealotry among its customers. They would make an easy tuck-in for any security vendor who needs a strong endpoint solution.
If FireEye + Invotas + iSight makes sense, then Cyphort + Phantom + CrowdStrike makes at least as much sense, and provides an attractive alternative to FireEye for the folks who want something different. While CrowdStrike’s success has netted it a $1 billion valuation, Phantom can be obtained for a fraction of that cost. This consolidation would blend best-in-class threat intelligence, excellent endpoint protection, top tier network-based anti-malware protection and a very capable automation & orchestration platform.
Singtel + Veracode
Singapore Telecommunications Limited (Singtel) announced in April of 2015 that it was acquiring Trustwave Holdings, Inc. Singtel is, in a sense, playing catch-up with other telecommunications providers that had already acquired their way into the security space. TrustWave’s established brand and customer base, positive cashflow, and broad product portfolio with recurring revenue were attractive characteristics for Singtel. TrustWave is also strongly positioned in the PCI DSS compliance arena. The Payment Card Industry Data Security Standard (PCI DSS) is a payment industry security mandate that applies to many merchants that process credit card transactions. TrustWave is both a Qualified Security Assessor and a provider of PCI DSS compliance tracking and management services. We haven’t heard much about Singtel in the security space since the acquisition was announced, but TrustWave is unlikely to be Singtel’s last security move.
Enter Veracode, a company that pioneered a unique approach to application security testing. Rather than scan source code for vulnerabilities, Veracode set out to scan compiled programs and offered this capability as a service (clients upload their binaries via the Veracode web portal). This approach allows developers to upload binaries and go on to work on something else while the binaries are being analyzed, rather than fiddling with a source code static analyzer that they don’t want to use.
Veracode’s business has traits that Singtel would be attracted to: it’s an established business with a respected brand, predictable revenue and fills a demand that is not likely to dry up soon. The last few versions of the PCI DSS have mandated that applications be developed in accordance with industry-accepted secure coding practices, which generally means some type of application security testing during the Software Development Lifecycle. PCI DSS further requires that applications be tested for specific types of application security vulnerabilities, all of which Veracode can identify. Indeed, Veracode has PCI DSS-specific reports. Application security analysis as a service is a logical product offering for a company that offers the PCI DSS compliance services that TrustWave can provide. Singtel paid less than $1B for TrustWave, and could pay as little as $500M for Veracode, so the deal cost is not beyond Singtel’s demonstrated appetite.
Optiv + ReliaQuest (this could also be Symantec, McAfee, IBM, etc.)
ReliaQuest is a managed security vendor that has tapped into the eternal hatred of SIEM technologies. Their co-managed and managed SIEM solutions are filling a huge need in the industry. Services companies are traditionally difficult to scale and therefore difficult to sell. However, the demand for security services is off the charts. Demand for co-managed SIEM and co-managed SOC (where the service provider has full access to an organization’s SIEM and other security technologies) is growing, and there aren’t many mature offerings in this space.
Optiv is the result of combining two existing security services providers: Accuvant and FishNet. The result is a company that positions itself as “a single-source provider of cyber security services and related products.” FishNet had a fledgling managed security services offering, but the offering needed strengthening to properly compete with more mature MSSP offerings and to meet the evolving needs of customers, especially those looking for a co-managed solution. While Optiv’s MSSP offering continues to improve, adding ReliaQuest to its portfolio and rolling existing MSSP capabilities under that operation would make Optiv a top tier offering in the MSSP space and better fulfill its intention to be a single-source security services provider.
Symantec + LogRhythm
For the past few years, the SIEM market has been dead. Nobody wanted anything to do with SIEM. Then, just this month, Fortinet bought Accelops. SIEM is a miserable market, but it’s also an extremely important, foundational technology for any IT department. LogRhythm has done exceptionally well in the mid-market, with a supremely compelling technology. They would be an excellent add-on to any larger vendor seeking to build out a comprehensive security analytics platform.
Symantec tried to build their way into the SIEM market and did a terrible job of it. Early versions of their SSIM product claimed a number of features that didn’t exist or didn’t work correctly. Symantec could never catch up to the rest of the industry. In 2013, Symantec declared that they were discontinuing SSIM in 2017 because its market share was declining and “would require significant investment to gain par and surpass the current market leaders.”
Symantec’s strategy is to become a leading security services provider, and it has a Managed Security Services (MSS) division. However, SIEM is still a core tool for a full-fledged MSSP. With LogRhythm, Symantec could have a mature, capable, solid SIEM with existing market share. Symantec could pair this offering with its MSS capabilities to make it a primary competitor in the MSSP space.
Symantec + Dome9
Anyone who makes serious use of AWS knows that it has become its own unique ecosystem that warrants specialization by IT professionals. Likewise, companies that specialize in enhancing the manageability of the AWS platform have taken hold. Dome9 is one such company; they provide visualization, Identity and Access Management (IAM), and compliance tools. I often see small startups make such a mess out of their AWS Security Groups that no one can perform a reliable audit of the rules, and that kind of mess gets exponentially worse as an organization scales. Dome9’s visualization tools can be critical in determining what’s happening with Security Groups and VPCs. Dome9 also provides multi-platform file integrity monitoring and other security tools that integrate tightly with AWS instances — something that companies undergoing SOC 2 and other audits usually need. Dome9 also provides enhanced IAM controls, such as the ability to automatically revert an unauthorized AWS change made by an administrator.
Symantec now offers a number of interesting security capabilities for virtualized environments (e.g.: hypervisor-based agentless endpoint protection, VMware NSX integration, etc.), but many of those are for companies that are doing virtualization in-house. Symantec has relatively little to offer to the scads of businesses that are born, and grow up on, AWS. While that won’t kill Symantec’s market share overnight, it will eat into it in the long run. With a valuation of $60-70 million, Dome9 represents a relatively cheap way for Symantec to get its foot in the AWS doorway with a solid, mature suite of useful products.
HP Enterprise + Zscaler
One of the challenges with web proxy and next-generation firewall protections is that they’re only really effective for users in a specific physical location (read: at the office). As soon as an employee gets on the local coffee shop’s Wi-Fi network, they lose the protections afforded to them by the devices deployed at the office. Or, in some cases, they get stuck with an “always-on” VPN setup that makes for a slow, painful Internet experience. Zscaler offers a solution to this problem by providing an Internet-based equivalent. Users’ computers are configured to send their traffic through Zscaler’s infrastructure while roaming, and Zscaler provides firewall, anti-malware, acceptable use policy enforcement, and other capabilities on the fly — with SSL decryption and no major performance impact. Founded in 2008, Zscaler is ahead of competitors like BlueCoat, whose cloud-based offerings pale in comparison — real-time malware detection & prevention is seriously lacking in BlueCoat’s nascent offering.
The closest thing that HP Enterprise (HPE) has to this is their Cloud Access Security Broker (CASB) offering by way of a partnership with Adallom. CASB technologies usually work similarly to Zscaler, but try to solve a different problem (enforcing controls on and gaining insight into the use of Software as a Service technologies). To that point, Zscaler has already added CASB functionality to its product offerings and will naturally evolve that functionality over time. In late 2015, Adallom was purchased by Microsoft. The effort that HPE puts into selling the Adallom service fills Microsoft’s coffers.
With Zscaler, HPE could have the top cloud-based firewall solution with its very own CASB capabilities all to itself. The deal would be pricey, however, as Zscaler is currently valued at over $1B. Zscaler is an established business with a class-leading set of capabilities, and would fill a void in HPE’s catalog, sitting nicely next to other top tier technologies (ArcSight, Voltage, Fortify).
Anybody + Cylance
Last is the company that is so acquirable it is amazing it has made it this long without being acquired. Stuart McClure’s Cylance makes an impressive endpoint security tool that is both light and powerful. They have been growing like crazy the past year, and everybody seems to want a piece of their action. Cylance would be an easy add-on to almost any security company. They would make a strong addition to ForcePoint, Fortinet, Cisco … anybody. Maybe even Microsoft.