McAfee

McAfee is proving itself to be the most astute buyer out there in security land. For less than $500 million, they acquired Secure Computing this morning and are now back in the network security business. Pete Lindstrom goes through the weird chronology and I'm thankful that there are other guys in this space as long as I've been - so I don't have to remember everything.

Secure Computing has been struggling. You only need to look at the stock chart over the past year to see that. They were caught in no-man's land. Not big enough to do real deals (Securify is not a real deal), but too big to be nimble or easily acquired. Not at close to a billion dollar valuation (which is where they were only a few months ago) anyway. But at half a billion, a deal become just a matter of time.

Alan points out that things started to turn to the negative for Secure once they bungled the CyberGuard acquisition. And before that deal was even through the alimentary canal, they totally over-leveraged themselves with the CipherTrust deal. McNulty got tossed and Dan Ryan (the new CEO) was faced with rebuilding. The stock got hammered and basically it was going to be a long steep climb back up.

Then McAfee came a knocking, and getting out is probably exactly what the board and the executive team saw as the only feasible option. It seems Dan Ryan is going to stick around and "run" the network security business, and we'll see how much (and who) else decides to stick around.

What's in it for McAfee? Well besides buying more revenue at a good value, they are also filling out the product line. Beside IntruVert (the enterprise IPS product), McAfee had very little exposure to the network security market, so there is very little overlap. Secure brings a bunch of firewalls/UTM devices and the email security gateway (CipherTrust's IronMail).

But the real gem here is Webwasher. McAfee's product in the web gateway space was poor and Secure's is a market leader, and this market continues to grow at a decent clip. McAfee will also try to make a big deal about TrustedSource (Secure's content reputation service), but it's not that novel anymore. Everyone has a reputation service nowadays.

For a long time, UTM and other network security words were counter to McAfee's positioning. But ultimately how can you say you are a legitimate enterprise security provider without having competitive offerings for securing the network? I could make the same case for Symantec (after they moved their gateway business over to Juniper a few years back). Basically you can't, so the pendulum will keep swinging back and forth, as technologies get spun out and subsumed again.

The channel synergy will be pretty good as well. Secure was having a hard time keeping enterprise-class sales folks, so having a lot more to sell and being more competitive will certainly help both retain and recruit better folks in the field. McAfee may also be able to revive the CyberGuard business, given it's mid-market distribution engine. Existing McAfee reps and channels get access to new product lines that can only broaden the value they offer for customers.

And let's not forget the US Feds. They are spending money like it's going out of style, or had been anyway before the Treasury wrote a trillion dollar check over the weekend. Secure had a good position in the Government market and McAfee is pretty strong there too. Definitely synergies in one of security's growth markets.

Of course, synergy on paper doesn't mean a lot until integration and execution happens. Secure Computing proved that many times, so the jury is really out on this deal, but given the price and lack of product overlap - it looks pretty good at first blush.

Photo: "Fish eat fish" originally uploaded by clara

 

As predicted, the DLP market continues to consolidate on it's way to eventually disappearing. McAfee announced as part of their earnings release that they are acquiring Reconnex for $46 million in cash. This is a good deal for McAfee for lots of reasons. I don't think they are going be "redefining the data protection market" as stated in their press release - but there are positives.

1. All the cool kids have one - McAfee needed to bolster their DLP position because their benchmarks, Symantec, Trend, EMC/RSA, and Websense, already acquired assets in this space. They also realized the endpoint centric product they've brought to market (based on the Onigma acquisition) wasn't going to get them there. Reconnex is one of the last independents standing, so it's not a surprise they got taken out.
   
   
2. DLP is a feature - As I've mentioned, DLP is not a market category that is going to stand alone. These capabilities need to be built into bigger security, and eventually general IT infrastructure. McAfee now has some more technology to foster that kind of integration and value add.

Of course, all that glitters is never gold, so there are some things to watch for, especially around channel mismatch. McAfee doesn't really have a high end services/implementation business to drive big DLP implementations. And their channel tends to focus more on mid-sized companies. Sure they do some big deals (around endpoint security and some IPS), but there could be a bit of an impedance mismatch when the reality of DLP deployment cycles sets in.

How about that price?

But any potential issues with the deal are offset by the price. $46 million in cash. Wow! That is really a fire sale price for a company with seemingly a lot of momentum. I guess seemingly is with a capital SEEMINGLY.

Reconnex had raised $37 million in VC funding. So the VCs get their money out, the management team (mostly executives) maybe gets a little carve out, and the rank and file get screwed. Of course, that is speculation on my part, but having seen enough of these deals - I'm probably not too far off.

This is just yet another example of the reality that you cannot believe all your read. Check out the momentum release from TWO WEEKS ago. If you take the words on the surface, things are going great. Lots of growth, named a leader in that quadrant thingy, yada yada. The print isn't even dry on that release and they sell for not much more than DeWalt's expense account.

I'm sure there is some kind of back story here, and I'm sure it's not real pretty. But at the end of the day, they got a deal done. Bully for them. And once again, McAfee shows it's one of the shrewdest buyers in the space. They won't have to turn many Reconnex lemons into lemonade to make the deal pay big time.

Photo credit: "Cheap Store" originally uploaded by ZannaLyon

In the last post, I went into Symantec's big Security 2.0 strategy and am pretty favorable to where they are going. Not to be outdone, McAfee makes a big strategic statement this week. Glad they didn't have a big shindig scheduled in NYC, as they would have had to make it into a funeral for their senior management. But I digress.

McAfee is calling their initiative "security risk management" and as I mentioned on Tuesday AM - I'm not a huge fan of taking two nebulous categories (security and risk) and mashing them together to get something meaningful. So I'm not a big fan of this tag line either, but these are pretty minor nits compared to the strategy.

The world according to McAfee breaks up into two domains: threat prevention and compliance. NAC is in there two, but it's not clear how it relates to the other domains quite yet. This is wrong because they don't factor in identity or information/data security - but they don't have those pieces yet - so I'll forgive them. But if you are going to make a strategic statement about how security needs to be done - you can't really leave anything out.

Threat prevention is the traditional McAfee business - AV, IPS and anti-spyware. Throw a little SiteAdvisor magic dust in and the business is pretty competitive. They'll need to add application control to make a complete story for threat prevention from end to end, but those pieces are pretty much there.

Compliance is a conglomeration of what McAfee's shopping spree has yielded of late. By aligning the original Foundstone stuff, with the newly acquired Preventsys and Citadel technologies, McAfee can now set a policy, find broken stuff, and fix it. That's pretty slick.

Of course, it'll take some integration - but not a brain transplant. Why? Because McAfee has always built management of their disparate products into the ePO management console. This is a huge advantage tactically over Symantec, who has never delivered on any kind of console to speak of. ePO is McAfee's secret weapon, and they are acknowledging it - which is a good thing.

As I mentioned above, the weakness is really more about not having all the pieces, rather than anything relative to the strategic direction. McAfee must do more on the content/data/information side and they need something in the identity space as well.

So how do they get there? I suspect they don't. Now with the options overhang gone, the old management cleaned out, and a lot of the pieces assembled - McAfee is clearly a target for a HP, Juniper or even Cisco. The synergies with HP are pretty obvious. Plug ePO right into OpenView and combining that with the newly acquired Mercury on the application side and you've got a very complete story.

Given these new strategic initiatives from both Symantec and McAfee, big is the new small strikes with a vengeance. The second tier AV vendors find themselves that much further behind as the desktop suites become increasingly part of a larger security story. These folks (Trend, Sophos, Panda, Kaspersky, et al) need to either get out the check books and start buying their way to a broader offering, or put on their Sunday best, paint some lipstick on the pig and try to get a deal done.

It's about time the Big AV players acknowledged that their business is fundamentally changed. Over the past two weeks, both Symantec and McAfee announced new strategies, extending beyond milking the AV cash cow - into trying to solve broader security and risk problems for customers. I'll do two pieces examining both Symantec and McAfee's new strategies.

Both Symantec and McAfee have done a lot of acquisitions over the past couple of years, but neither did a very convincing job of how and why these deals made sense. I put them largely in the bucket of "put more crap in the bag" strategies of giving reps more to sell and pray they can figure out what to sell and when.

But, I like the strategies that both have put in place for moving forward. Symantec finally has a story that starts to integrate the VERITAS storage management products into the Big Yellow. McAfee also does a nice job of reconciling their recent acquisitions as well.

Let's dig into the Big Yellow's plans a bit more. Symantec is calling their initiative "Security 2.0." I hate it. Well, the name anyway. It makes their approach seem more like a fad, rather than a sea change of how security should be done. I get that part of their offerings are protecting the identity of users online and Web 2.0 is all about user-generated content, but it feels icky to me. Kind of like a used car salesman.

Which is too bad because Symantec has filled a couple of big holes in their offerings - in the identity space, leak prevention and database/data center security. By partnering with VeriSign and hooking the new Norton Confidential consumer anti-fraud and anti-phishing product to VeriSign's VIP network - we see the potential of the first broad Identity Service Provider.

Will it happen? I've got no clue. Having hooks to the VIP Network on the hundreds of millions running Symantec's AV will give it broad distribution. But we also thought that having Cisco's Trust Agent distributed with the AV products would help spur adoption of the C-NAC Framework - which didn't happen. So we'll see, but it's a good partnership on both sides.

Secondly, Symantec has upgraded their mail security offerings to do outbound content filtering. It's about time on that one. Folks like CipherTrust (now Secure Computing) and ProofPoint have been doing this for years and it's becoming increasingly important. Outbound email is also a logical first place to start with leak prevention because that's where many users feel the most pain. Of course, Symantec needs to make a broader statement about supporting multiple protocols, which will likely involve buying something that's a bit broader.

Next, they announced a database security product and initiative that finally gives all of those VERITAS folks something else to sell to their data center customers. It's a new product and will take some time to mature, but that's fine - database security is still an early market. Any success that Symantec has in this space will likely kick off yet another feeding frenzy to acquire the myriad of database security players out there.

Finally, Symantec announced a strategic relationship with Accenture. I had initially overlooked this deal when I did my quicky analysis last week, but this is actually the most important part of the strategy. Why? Because Symantec is not credible with the CIO. They think they are because they are big, but they aren't. CIO's don't care about AV. They don't care about optimizing storage. They have folks to do that for them.

CIO's care about how to leverage technology for competitive advantage. That's what Accenture does. They've got the relationships to get Symantec an audience with the right people, and if the partnership gets any traction - they'll be built into Accenture's huge projects as the security component. Of course, this is easier said than done - given the loose partner-driven fiefdom model of all of the big integrators - but it's a start.

But most of all, I like that Symantec finally has pieces along all parts of the Pragmatic Security Architecture. Adding the identity piece (even if it's a start) and a presence in information/data security gives Symantec a much broader, more coherent and more strategic story. They still spout the compliance word and that's fine.

So two years (and countless senior managers) later, the pieces are starting to come together for Symantec. It's about execution now, The big hole is still integration of all these disparate pieces, something that McAfee's ePO does well. It's not enough to have everything in a yellow box, all of these products need to work together and provide the CSO with a more compelling "dashboard" to manage policy and remediate broken stuff.

But those are just details, eh? McAfee's up next.

The folks at McAfee weren't lying when they said they had the checkbook out and they were ready to use it. Today they announced a deal to acquire Preventsys (read the release here), which claims to do "security risk management" and compliance reporting. Basically Preventsys generated some reports by gathering information from vulnerability scanners.

First, let me get something off my chest. I hate the term "Security Risk Management." Hate it. Like brussel sprouts and liver pate. It doesn't mean anything to me. IDC's definition is doesn't really help either: "IT Security Risk Management (SRM) is defined as the complete process of understanding threats, prioritizing vulnerabilities, limiting damage from potential attacks, and understanding the impact of proposed changes or patches on the target systems." Isn't that what a security professional is supposed to do?

And clearly it doesn't mean anything to customers, since it's not like Preventsys was blowing the doors off of anything. Nor is anyone else in the SRM business. All of these SRM things seem like glorified reporting engines. As I've ranted probably a hundred times, REPORTING IS NOT INTERESTING. Fixing stuff and then generating a report is much more interesting. Telling folks proactively what needs to be fixed helps, but this SRM functionality really needs to be a feature of the infrastructure boxes.

Though financial terms weren't disclosed, McAfee didn't pay a lot for this company. Basically Preventsys brought in a new guy (Patrick Harr from McData) last September to see what was there. I guess he didn't like what he saw because McAfee did give some direction that they paid in the low "millions" for the acquisition. This was a fire sale, pure and simple.

So why is this interesting to McAfee? Basically the IPS market is moving towards more than just detecting and blocking attacks. As evidenced by the increasing traction of Sourcefire's RNA, customers want to leverage that data to prioritize what they should be doing. In an attack situation, you need to be able to intervene, but that's pretty rare. More likely you need to figure out what on your list needs to get done. That's what Preventsys says they can do.

Compliance reporting is also something that security professionals need to do. It's not a stand-alone product or opportunity, but McAfee gets the ability to more effectively gather data from existing product lines and pull in data from some competitors (like ISS and Qualys) and package it up. Basically, McAfee had to do this anyway - so they get some R&D for a song and a dance.

You give the Preventsys technology to the Foundstone guys (they were already technology partners) and you have a clean reporting upsell for ePolicy Orchestrator or some of the new NAC technology. And you can check the box that says compliance reporting.

Finally it will be interesting what else McAfee buys in the near term. The rumor mill is pumping about them making a big acquisition and there are lots of things that could be interesting. McAfee has largely stayed out of the perimeter (with the exception of their IPS technology), so in order to keep in step with the Big Yellow and Cisco, they may need to buy some UTM stuff or maybe bolster their content security offerings to something more enterprise class.

As we resume the NAC series, let's take a look at how the BigCo's (Cisco, Juniper, Microsoft, Trusted Computing Group) are collaborating in the NAC market to magnify their impact. For this post and the architectural discussions as well, I'll be referring heavily to a series of posts that John Gallant of NetworkWorld has done on the topic.

In his first post (http://www.networkworld.com/weblogs/vortex/2006/011732.html), John sizes up the NAC opportunity and scopes out the players. John's observation about the amount of collaboration in this early market is spot on. NAC is different than most other markets that we've seen and he sums it up very nicely in this quote:

"...in this fight there is not only the customary clawing for high ground and accumulation of weapons (technology, marketing hype, etc), there is also an extraordinary alliance-building effort underway - one that involves virtually every major player in the IT eco-system as well as dozens of smaller companies."

NAC really touches all aspects of the network, so many of the big vendors realized pretty early on that homogeneity is not reality (despite Cisco's best efforts) - so some level of cooperation is required. Even if these are clearly collaborations of convenience (alliteration alert :-), they are important. Any vendor that comes to market with an architecture that requires wholesale upgrade and cannot provide a customer-controlled migration will have a limited chance for success.

Also interesting about this intro is that John jumps to Phase 2 as I described in NAC Attack, Part 1 almost immediately. He pays very little attention to the endpoint admission part of NAC that is really driving the market. I think this is a little misdirected only because Phase 2 (flow control) is hard, much harder than endpoint admission. So I think we'll see folks opt for the path of least resistance initially and build towards the holy grail of real-time automated policy (my Phase 3).

Finally, if I'm looking for areas to build on what John has written, he doesn't include Symantec or McAfee in his series, only assessing the big networkers and Microsoft. Last time I checked, both of the big security players had strategies here. Symantec bought Sygate mostly for the NAC technology and McAfee has been building on its EPO (enterprise policy orchestrator) functionality to add NAC-like capabilities. I won't dive deep into these two until later, but they do exist and they do plan to play in the NAC space.

John wraps up his piece assessing the level of Barney partnerships that each group (or vendor) has announced. Again, these are clearly partnerships of convenience and if you read between the lines you should get a feel for how the battle is shaping up. But, don't be confused about Microsoft and Cisco collaborating closely on paper. Let's be very clear about the fact that both are fighting for control of the enterprise infrastructure and this collaboration is not long lived. Microsoft is not going to have a product widely deployed enough to matter until 2008, so they need Cisco to legitimize their plans. Cisco has a product now and knows that Microsoft doesn't - so there is no benefit to them of telling Microsoft to pound sand yet. But they will, it's just a matter of time.

Next up, I'll assess how John sizes up Cisco's strategy.

After the bell, McAfee announced a good quarter. Top line of $272 million (that's over a billion run rate folks) and earnings beat expectations by 7 cents. That's good performance, with consumer providing 20% growth. Wall Street likes it because the stock is up almost 8% this morning.

So what is McAfee doing that the Big Yellow is not? One man's opinion is that It's all about the channel. McAfee has been very aggressive in courting and investing in the enterprise security channel and it's paying off. If you pick up a CRN magazine, you see them everywhere. Security is a huge problem for the mid-market, and the mid-market buys through the channel. McAfee is there.

Second, they are looking at alternative distribution on the consumer side. Sure they are in the retail channel, but you are not going to beat Symantec on their own turf. But increasingly consumers and SOHO businesses are buying the security suite from their broadband provider. McAfee has most of the big ones locked up. They don't make a lot of money in year 1, but then they become the incumbent. Most folks are lazy, so unless it doesn't work - people just renew. The recent deal to buy SiteAdvisor will only strengthen their position in the consumer's mind. That is going to be a very visible service for them and a great brand enhancer.

So where are the holes? Come on, there are always holes and guys like me have to pick at them. That's the fun part of this gig. Basically, McAfee has to figure out where they are going to focus their efforts, either on the infrastructure (network, servers, etc.) or content (email, applications, databases). Of course they'll have products in all security categories, but what are they going to lead with? All of the above is not really an option either.

On the infrastructure side, they have a good position in the DMZ with the IntruVert product, so they can extend from that. But they'll need to move into the core of the network. We are going to see a lot of the capabilities subsumed into the network and data center fabric. Network access control (NAC) is going to be embedded into the switch infrastructure. The endpoints will just feed information to the network and become much less strategic in that scenario. They need some way to bring forward as complete a story as Cisco has in the campus.

Content security is another story. Understanding how applications work and how to secure them without breaking stuff is hard. It's not something you can do half-ass. For most of the last two years, McAfee's content story was weak. Their new content gateways (for email and Web) seem to be better, though not as robust as some other players in the market. So if they want to keep pace in this space, they need to get smarter in the data center and supplement their Entercept stuff (which seems to be going nowhere fast) with some database security mojo.

Or maybe they make a bigger play into the managed services space. That's certainly an area where McAfee has lagged.

But these are good problems to have. Unlike a number of big companies that can't find their way (3Com, Novell), McAfee is building momentum and figuring out how to goose growth - as opposed to figuring out which private equity firm is going to take them private to milk their installed base.

McAfee announced this AM that they are acquiring SiteAdvisor, which just last month unveiled their service to test and evaluate the relative "security" of most of the websites out there. I actually tried the software and it broke my Yahoo! mail, so I couldn't really check it out.

This is a very aggressive move for McAfee, since SiteAdvisor had not entered the revenue generation phase. But SiteAdvisor was positioned well in the marketplace and by selling out now, they remove the risk of having to raise more money and actually meet revenue expectations. This is a textbook start-up folks.

I suspect the key asset here is the database of web sites. That will be very hard to replicate in any reasonable timeframe for anyone else. Since this is a consumer offering, expect SiteAdvisor to be bundled into McAfee's security suite sooner rather than later. It's stuff like this that will help McAfee to stand out in the commodity desktop security suite business, especially in the face of the coming price war driven by the entrance of Microsoft.

I'm blogging during a break in my day-long meeting, so I don't have time to do a lot of digging on this one, but it's a strong and good move by McAfee.

Here is the release: http://biz.yahoo.com/prnews/060405/sfw108.html?.v=37 

 

 

Ellen Messmer of NetworkWorld posts on Friday (here) about Microsoft's eventual impact and potential domination of the anti-spyware business. Why? They are bundling Windows Defender (the new name for their anti-spyware) with IE 6 and 7 and Vista. So within a year or two, it will just be there on a majority of PCs. Since it will likely be good enough, why would someone pay for anything else?

The answer - they won't. But not necessarily because everyone will use Microsoft's stuff. I don't think that is the case. Customers will not pay for anti-spyware because it is a feature of their anti-virus and/or desktop security suite. So it may not be Microsoft that gets all the business (though they will get there share), but Symantec, McAfee and Trend will also benefit. Anti-spyware capabilities will be integrated into the unified threat management (UTM) equipment on the perimeter, so the gateway opportunity is not long lived either.

Mark Shavlik posts on his blog as well about the topic (here), even working in a cool Brady Bunch analogy. He maintains that Microsoft will dominate the consumer end of things, but that Microsoft is not going to provide what's needed for enterprises. I do agree with the fact that Microsoft is not going offer anti-spyware for Linux or Mac, and as usual their first couple of releases leave a lot to be desired. But that doesn't mean there is a large opportunity for stand alone anti-spyware vendors.

He goes on to mention some of the functionality that will be in Shavlik's anti-spyware offering:

Our corporate customer focus groups are driving what our Spyware product does, we are being asked for deep clean up, admin level control, enterprise features such as machine grouping and reporting, fast database back-end support, large network support, remote site management all things Microsoft is not providing.

Our corporate customers (we do not sell consumer products) are not comparing us to Microsoft, they are comparing us to the Anti-virus products because those products have the management tools needed.  We tie patching and spyware together, the AV vendors tie AV and Spyware together.  We will add AV management to our line soon to make the choice easier for customers.

So, there you have it. Enterprise customers want enterprise management. Shocker! And Microsoft's product is not really enterprise capable right now. Duh!

More interesting to me is the 2nd paragraph. Shavlik sees themselves as an AV vendor with the differentiation being patching and compliance (whatever that means). Man, that will be a tough road to hoe. Sure, you've got to do something since stand alone patching is not a long term answer either, and Shavlik's reputation on the patch side is sterling. BUT, that does not translate into being able to compete effectively with the folks milking the cash cows. But Shavlik is a privately held, self-funded company, so they very well may be able to build a nice business scraping the barnacles off of Symantec's and McAfee's oceanliners (Sophos and Kaspersky certainly do). 

To be clear, there are some organizations that will want to use stand alone anti-spyware offerings. Just as with every security market, some buyers opt for best of breed, even when the stand alone product isn't very differentiated. That's basic religion and these customers will never move towards a suite approach. They believe their value is in integrating lots of different solutions, thus providing job security because they've built an environment that is too complex for anyone else to manage.

Yes it's cynical. But it's also true. These folks should realize their value is in pushing forward a security agenda, and focusing on high value projects. Not on integrating disparate point products.

OK, back to the topic. I don't believe best of breed anti-spyware is the mass market. Per my ranting in "More Stupid Marketing Sizing Numbers" it's clear to me that anti-spyware is not a stand-alone market. No one seems to be disagreeing with that.

So that means some ferocious consolidation and erosion in that space will happen in the coming 12 months. End users need to choose carefully because there is a great likelihood whichever independent you choose today will be gone (or merged) tomorrow.