Deal: McAfee acquires Preventsys
The folks at McAfee weren't lying when they said they had the checkbook out and they were ready to use it. Today they announced a deal to acquire Preventsys (read the release here), which claims to do "security risk management" and compliance reporting. Basically Preventsys generated some reports by gathering information from vulnerability scanners.
First, let me get something off my chest. I hate the term "Security Risk Management." Hate it. Like Brussels sprouts and liver pâté. It doesn't mean anything to me. IDC's definition doesn't really help either: "IT Security Risk Management (SRM) is defined as the complete process of understanding threats, prioritizing vulnerabilities, limiting damage from potential attacks, and understanding the impact of proposed changes or patches on the target systems." Isn't that what a security professional is supposed to do?
And clearly it doesn't mean anything to customers, since it's not like Preventsys was blowing the doors off of anything. Nor is anyone else in the SRM business. All of these SRM things seem like glorified reporting engines. As I've ranted probably a hundred times, REPORTING IS NOT INTERESTING. Fixing stuff and then generating a report is much more interesting. Telling folks proactively what needs to be fixed helps, but this SRM functionality really needs to be a feature of the infrastructure boxes.
Though financial terms weren't disclosed, McAfee didn't pay a lot for this company. Basically Preventsys brought in a new guy (Patrick Harr from McData) last September to see what was there. I guess he didn't like what he saw because McAfee did give some direction that they paid in the low "millions" for the acquisition. This was a fire sale, pure and simple.
So why is this interesting to McAfee? Basically the IPS market is moving towards more than just detecting and blocking attacks. As evidenced by the increasing traction of Sourcefire's RNA, customers want to leverage that data to prioritize what they should be doing. In an attack situation, you need to be able to intervene, but that's pretty rare. More likely you need to figure out what on your list needs to get done. That's what Preventsys says they can do.
Compliance reporting is also something that security professionals need to do. It's not a stand-alone product or opportunity, but McAfee gets the ability to more effectively gather data from existing product lines and pull in data from some competitors (like ISS and Qualys) and package it up. Basically, McAfee had to do this anyway - so they get some R&D for a song and a dance.
You give the Preventsys technology to the Foundstone guys (they were already technology partners) and you have a clean reporting upsell for ePolicy Orchestrator or some of the new NAC technology. And you can check the box that says compliance reporting.
Finally, it will be interesting to see what else McAfee buys in the near term. The rumor mill is pumping about them making a big acquisition and there are lots of things that could be interesting. McAfee has largely stayed out of the perimeter (with the exception of their IPS technology), so in order to keep in step with the Big Yellow and Cisco, they may need to buy some UTM stuff or maybe bolster their content security offerings to something more enterprise class.

