Barracuda

Barracuda buying Sourcefire? When Hell(FIRE) freezes over!

Submitted by Mike Rothman on Fri, 2008-05-30 11:08.

Yesterday the folks from Barracuda announced an unsolicited takeover attempt of Sourcefire. They are proposing a 13% premium and think they can "fix" some of the execution problems that have plagued FIRE since they went public.

I'm sure the fish aren't laughing, but everyone else in the industry is. This deal isn't going to happen, not in its current form anyway. Here are a couple of points that create serious headwind for the deal:

  1. Crappy premium - Barracuda is bottom fishing here. Yes, FIRE has had issues and there is a ton of uncertainty about their strategy and the CEO transition. But only a 13% premium. For that type of premium, large shareholders are better off just dumping their shares, rather than risk deal closure issues. Of course, I'm not an investor, but 13% seems a bit weak.
  2. Deal financing - Barracuda is offering a cash deal and says it "doesn't expect any financing contingencies." Really? I guess they could raise some money, but for a private company to raise what would need to be over $200 million isn't something you see every day and in this kind of debt environment wouldn't seem to be that easy.
  3. Distribution mismatch - Sourcefire makes their money from selling network security infrastructure to large enterprise and government institutions. Barracuda sells anti-spam boxes to everyone else. There really isn't a lot of leverage between the two models and if Barracuda wanted to get into the UTM business, there are a lot cheaper ways to go.
  4. Trend = Red Herring - Another big reason specified by Barracuda is that they can more effectively fight off litigation from Trend Micro over the AV gateway patent. Has Barracuda won their case yet? Oh yeah, not so much. So this is a Red Herring and just meant to sow more seeds of doubt about FIRE's existing management team.
  5. What about the main line of business? - Barracuda also says they can "fix" Sourcefire's issues. Really? How do they plan to do that, especially for only a 13% premium? This is not a credible statement. It would help to understand more about Barracuda's business for them to be able to justify that kind of statement. It's a cash deal - so they don't have to - but they should.

    I'm no fan of Sourcefire's strategy (or lack thereof), but unless I see something more compelling than buying a bunch of cheap boxes and putting Snort on them - I don't believe Drako and Co. would be any more successful at "fixing" Sourcefire than anyone else.

So Sourcefire was correct in rejecting the deal and not even sitting down. If Barracuda was serious, they would have proposed a much higher premium and had a more effectively communicated strategy for the combined entity. They could have taken a page from Microsoft (62% premium for Yahoo) and IBM (huge premium for Lotus back in the day) and proposed a number that would be hard to walk away from. They didn't.

But let's be clear - that's not what this deal was about.

This is another example of why Barracuda may be the most effectively marketed security company out there. For the cost of a press release and some legal fees, they are going to be the talk of the town, even if Howie Mandel is just saying "No Deal!" You have to figure that Barracuda is angling for a public offering in the near term (once the markets right themselves) and this is a great way to get some visibility with the investors that are likely to invest in their IPO.

A 13% premium is a joke. But as a PR and investor relations strategy, it's brilliant.

 

Is reputation an anti-spam differentiator?

Submitted by Mike Rothman on Wed, 2006-05-10 14:39.

Since I left the anti-spam business about 9 months ago, it's nice to see that it's still a brutally competitive market where everyone sounds the same. It does seem that innovation on email hygiene (meaning inbound mail) has slowed. I can't recall anyone really introducing a new, important capability over the past 6 months. It's been a lot of point releases aimed at either adding better enterprise management capabilities, scalability or broadening the product scope beyond just inbound email. So now things like IM and compliance/encryption are becoming the battleground - the differentiation so to speak.

At the tail end of my anti-spam tenure, reputation services were all the rage. The concept is that if you know a lot about the sending IP address, you can tell whether they are very likely to be sending spam or good mail. IronPort was the reputation innovator with SenderBase and CipherTrust came later with TrustedSource. Standard disclaimer: I used to work for CipherTrust and am a shareholder (because I can't sell the stock).

Folks like Symantec and Postini always said they had reputation services under the covers, but never really made them visible enough to prove it. Recently (like within the last two weeks), BorderWare and Habeas have introduced their own reputation services. Each is either broader (BorderWare's tracks IP and VoIP data) or larger (Habeas claims 60 million IP addresses in their database, which may or may not be true). I'm sure they have 60 million things in a database. What those things are is subject to interpretation. You have to love marketing.

But if you are a customer looking at these solutions, does it matter? The vendors will try to paint their reputation stuff as broader, more accurate, bigger and will let you drop more bad messages at the gateway. Who do you believe? I say believe none of them. Reputation is now a standard part of the game and it's certainly under the covers. You don't buy an anti-spam product because of a reputation service. You buy it because it stops your bad mail.

Content security is a different animal. That is hard to believe for many who have grown up in the network security space, where an attack is an attack is an attack. Maybe 50% of spam is ridiculous. Dealing with nasty inappropriate stuff or prescription drugs, all the products catch that stuff - or they don't get to play.

It's the borderline stuff that is very difficult to categorize. One man's spam is another man's gold. A lot of spam is subjective, so it's very hard to say in absolute terms whether a message is really spam. That's why end user quarantine is so important: the users at least get to see if there are false positives in the mix. Then you've got the language issue. Non-English spam provides a lot of variability in results. You can't just drop a US anti-spam product into the Far East. It's not a firewall.

But getting back to reputation, your definition of spam may be different and your traffic is going to be different. So you'll need to figure things out for yourself. In the content security space, the eval is everything. You need to test these products out. Maybe the specific vendor's reputation database works great for you. But it may not. And the only way you'll find out is by running the products against actual mail. That's right, run the email gateways against a subset of your live mail flow.

Theoretically, reputation should still be a differentiator. But folks like Proofpoint and MailFrontier/SonicWall continue to stop spam without it. So maybe it doesn't matter. Unfortunately I can't answer the question for you. You'll need to be the judge.

Spyware Spyware - Everywhere

Submitted by Mike Rothman on Wed, 2006-02-08 10:40.

Spyware is on everyone's brain. With good reason, of course, given that Webroot published some compelling statistics this week regarding the growth of spyware attacks in 2005. This is joined by Barracuda's recent announcement of a desktop cleaning agent to work in tandem with their spyware appliance. Other recent news pegs include a new web security box from IronPort that is "fast," whatever that means. There are also managed services offerings emerging, most notably from ScanSafe, though it's just a matter of time until the email hygiene services jump on this bandwagon.

I'm sure we'll see more stuff next week at the RSA conference.

Some highlights from the Webroot study:

  • "For enterprises, between Q3 and Q4 2005, the number of Trojan horse infections increased 9 percent and from Q2 to Q4 2005, the number of system monitors like keystroke loggers increased 50 percent consecutively each quarter."
  • "Throughout 2005 Webroot researchers observed a steady increase in the complexity and severity of spyware technology."

Sure, this is pretty obvious stuff, but the numbers don't lie. Spyware attacks are increasing, becoming more malicious, and harder to catch. If you haven't already, the time is now to start thinking about proactive defense against these attacks.

Malware/Spyware will be the subject of an upcoming "Battle Plan," which is a detailed Security Incite analysis into a space, planned for April/May. But in the meantime, here are some things to think about from an architectural perspective as you focus on the right way to defend your enterprise from this scourge.

  1. Client, Servers, and/or Perimeter - One of the major decision factors in the battle against malware is where to deploy protection. In a perfect world, you'd have protection everywhere. Of course, the world is seldom perfect and tough decisions need to be made because multi-layer protection is not free. Your decision here will be made based upon the type and level of mobility and the types of external devices and people that connect to your network and resources. To be clear, there is no simple answer, but you can profile a use case to get a feel for what could make sense for your organization (yes, the battle plan will detail use cases in this manner).

  2. AV vendors own the client? - AV is already at the desktop, and the AV vendors are frantically adding anti-spyware capabilities to their security suites. So why would anyone need something else on the desktop? It's not clear that you would, but integration becomes an important aspect of this. Do you need policies defined and enforced that span from perimeter to endpoint? Again, it depends on your usage characteristics, but obviously it's an uphill battle for anyone besides an AV vendor to gain presence on the desktop for any length of time.

  3. Is this a feature of UTM boxes? - From a perimeter defense standpoint, why would you need an extra box to detect spyware? Over time, you probably don't, but right now the technology is still maturing to do all of these functions effectively on one platform. But if you do have segmented equipment depending on the traffic type (email vs. web vs. web services), you are looking at implementing malware/spyware defense on all of the devices, since attacks can vector from anywhere.

  4. Managed Service impact - The further away from your enterprise you get rid of bad stuff, the better. That's just common sense. So, the next step is to filter in the network. Managed services will have a very strong play in this sector, since it's trivial to point your pipes to a service provider for this hygiene service. Of course, scalability on the part of the service provider is critical, but the email security providers proved this model can work (functionally at least, not necessarily economically). The Web filtering and spyware folks will get there too, sooner rather than later.

  5. Complementary pieces of layered defense (anomaly detection, NAC policies, application control) - Malware defense is also just a piece of the security architecture, and thus needs to interoperate with other aspects of a layered defense. Depending on your requirements, you may want to make sure you are looking at traffic flows on your networks (for anomalous behavior) and also lock down both your networks (with NAC) and endpoints (with application control), to ensure full protection, and that these defenses are complementary. Sure, economics dictate you can't do everything, but you need to make sure you are doing something.

So there is some food for thought. Much more later, as the battle plan develops and new types of attacks cause us to adapt our defenses. That's just the way of the world.