Blue Coat

January Security Deal Monitor

Submitted by Mike Rothman on Wed, 2006-02-08 10:06.

Given the state of frenetic M&A in the security space, it makes sense to look back on a monthly basis and see what deals were announced, and the eventual impact to the space. There will also be more specific deal postings as they happen, but this summary will keep things in context.

In January, there were two deals of note, both happening during the first week. Seems many companies were busy over the holidays rounding out their product portfolio. Interestingly enough, both deals were under $100 million and fall more into the category of technology acquisition.

  1. Symantec buys IMLogic - IMLogic was one of the 3 instant messaging security horsemen (along with FaceTime and Akonix), which were seemingly undifferentiated. The rumor mill pegs the deal somewhere in the $75-80 million range. This was a good outcome for IMLogic, since the IM Security business hasn't really gotten beyond early adopters (like financial institutions) and Barracuda has recently entered the market, which ultimately would speed the commodity curve for stand-alone boxes. This also gives Symantec a foothold in the business and another capability to integrate into the gateway UTM platform. If you've been reading for a while, the clear direction is to centralize all of these perimeter defense capabilities into one box and now the Big Yellow has another piece of the puzzle. SYMC may be a bit early in this space, but it's not really a question of if IM security is important, it's when.

  2. Blue Coat buys Permeo - This $60 million buy of an SSL VPN vendor could leave some initially perplexed, but there is more to the story. Permeo was built on a client side capability to provide access control and endpoint protection. As they tried to find the market, they focused on the SSL VPN gateway. Blue Coat did this acquisition to get a more focused presence on the desktop, as it's clear blocking malware on the perimeter is critical and necessary, but it's not sufficient. Some type of desktop presence is needed and Permeo gives Blue Coat the beginning of that story. The only complicating factor is Blue Coat's recent earnings miss and the pounding that its stock took. The deal value is considerably lower now, so Permeo's investors need to figure out whether it still makes sense. I suspect Blue Coat will close this deal, since this is a much better outcome for Permeo, rather than trying to continue slugging it out with Juniper and Aventail.

So a relatively quiet month, but expect some more deals to be announced leading up to the RSA Conference.

Blue Coat Misses - "Barracuda Effect" the Cause?

Submitted by Mike Rothman on Mon, 2006-02-06 11:17.

Blue Coat pre-announced a pretty substantial miss this morning. Analysts were expecting $39 million in revenue for the quarter and BCSI will come in somewhere between $34.5 - $35.1 million. That's an over 10% miss on the revenue side, which is definitely not just a couple of big deals that slip into the next quarter.

Blue Coat's stock is off 35% this morning, so clearly Wall Street was surprised. There are a couple of things at work here:

  1. The pain of being public - I think most companies would be pretty much crazy to go public. Between trying to hit Wall Street's "expectations" and Sarbanes-Oxley, it just doesn't seem worth it. Now Blue Coat went public as Cacheflow back in the bubble days, so this doesn't necessarily apply to them, but still, they could have been taken private during the dark days and not have to deal with this crap.

  2. Opaque channels - Blue Coat sells most of their products through the security reseller channel. That is a very effective method (just look at how Blue Coat ramped over the past year), but it does introduce a bit of a blind spot. I suspect Blue Coat was surprised by this miss, and my guess is that deals committed to by the resellers didn't close.

Now what about the fundamentals of Blue Coat's business? Actually they remain strong. Spyware continues to be a high profile issue and with the Permeo acquisition, Blue Coat is working on an end to end protection story. I've only heard good things about the product, so that leads me to believe that it's not a product issue. So, what's the answer then?

This could be indicative of a pretty major change in spyware appliance market dynamics. Blue Coat could be suffering from what I'll now term as the "Barracuda Effect." I've seen this up close and personal in the anti-spam business and it is not pretty. Basically companies that have enterprise class appliances build their business on $30-50k deals. Lots of them. But Barracuda enters the market with a product that sells for about $3,000. Right. 10% of the previous price.

Did Barracuda win every deal? No, the product didn't really stand up under heavy load. But for many many companies, their product was "good enough." And what used to be a good $30k deal became $10k if you could even get it. That absolutely KILLS both revenue predictability and puts a much bigger reliance on the large enterprise deals. You don't leave yourself much margin for error. Blue Coat may have discovered this.

Barracuda introduced an anti-spyware device in mid-2005. I don't have a lot of data points, but again it seems to be "good enough" for the mid-sized market. That would definitely cannibalize the sweet spot for Blue Coat. If this is the case, this will cause Blue Coat significant economic pain. It will be interesting to hear BCSI's explanation for the miss in a couple of weeks.

Of course, end users need to figure out if a low cost solution like Barracuda will meet their needs. It usually makes sense to test Barracuda with the "enterprise" product to compare in a bake-off. If Barracuda is good enough, you can't beat the price.

Hallelujah! A Standard for Anti-Spyware Testing

As discussed in Friday's post about StopBadware.org, I believe that building and maintaining a database of known "badware" is important. The missing piece of StopBadware.org is a way to caution users before they do something stupid like download a known bad application.

Another way to prevent the spread of spyware is to make sure that anti-spyware products use common terminology and meet a lowest common denominator level of effectiveness. I'm reasonably excited about an initiative announced this morning by McAfee, Symantec, Trend Micro, ICSA Labs, and Thompson Cyber Security Labs (who?).

A clip from the press release really underscores the need for this type of activity:

When publishing results and product recommendations, few product testers currently document their test samples or methodology, and many use very small sample sets in their testing environments. As a result, there is no distinguishable benchmark for comparison of anti-spyware product vendors, leaving customers unclear as to the most effective products and solutions for their environments.

This is exactly right. The industry needs a benchmark to define this moving target called anti-spyware. ICSA Labs' involvement means it may actually get done. Having worked at TruSecure, I am very familiar with the capabilities of ICSA Labs (since TruSecure, now CyberTrust, owns them). This is a significant opportunity for ICSA Labs, which has not really had another "hit" in terms of a program that users deemed a requirement for their vendors to be tested since the AV and firewall programs launched years ago. Of course, my friend George Japak (who runs the Labs) may disagree, but it is what it is.

Given the confusion around what anti-spyware is and what it isn't and whether it makes more sense to stop it at the perimeter (via a gateway appliance) or on the client or both, having a common, agreed upon testing methodology will help. ICSA Labs has built certification programs for every significant security market, so they get how to standardize the terminology and put in place a structured, repeatable process to ensure the anti-spyware products remain effective in the face of rapidly evolving threats. It won't be long before ICSA Labs rolls out a formal certification program, so that vendors can prove they meet an acceptable level of effectiveness. This will be a big positive for everyone.

Since Microsoft is giving away their anti-spyware solution, it will be interesting to see how they fare relative to the testing methodology. Microsoft is also conspicuous by their absence in this initiative. That also begs the question about Webroot, Blue Coat and Sunbelt Software. These folks (among others) should have a hand in this as well. Hopefully this is not a transparent attempt by ICSA and their anti-virus buddies to try to protect their turf. Like any of them can really stop Microsoft. Alternatively, this could be another example of Microsoft's arrogance in not thinking they have to play in the sandbox with the rest of the industry. Ultimately, this initiative must get broader industry support to have a chance of sticking. 

As with everything, there are lots of things that can go wrong, but in the meantime users should enjoy the good news today. Help is on the way to ease some of the confusion around anti-spyware defenses.