Yesterday the folks from Barracuda announced an unsolicited takeover attempt of Sourcefire. They are proposing a 13% premium and think they can "fix" some of the execution problems that have plauged FIRE since they went public.

I'm sure the fish aren't laughing, but everyone else in the industry is. This deal isn't going to happen, not in it's current form anyway. Here are a couple of points that create serious headwind for the deal:

1. Crappy premium - Barracuda is bottom fishing here. Yes, FIRE has had issues and there is a ton of uncertainty about their strategy and the CEO transition. But only a 13% premium. For that type of premium, large shareholders are better off just dumping their shares, rather than risk deal closure issues. Of course, I'm not investor, but 13% seems a bit weak.
2. Deal financing - Barracuda is offering a cash deal and says it "doesn't expect any financing contingencies." Really? I guess they could raise some money, but for a private company to raise what would need to be over $200 million isn't something you see everyday and in this kind of debt environment wouldn't seem to be that easy.
3. Distribution mismatch - Sourcefire makes their money from selling network security infrastructure to large enterprise and government institutions. Barracuda sells anti-spam boxes to everyone else. There really isn't a lot of leverage between the two models and if Barracuda wanted to get into the UTM business, there are a lot cheaper ways to go.
4. Trend = Red Herring - Another big reason specified by Barracuda is that they can more effectively fight off litigation from Trend Micro over the AV gateway patent. Has Barracuda won their case yet? Oh yeah, not so much. So this is a Red Herring and just meant to sow more seeds of doubt about FIRE's existing management team.
5. What about the main line of business? - Barracuda also says they can "fix" Sourcefire's issues. Really? How do they plan to do that, especially for only a 13% premium? This is not a credible statement. It would help to understand more about Barracuda's business for them to be able to justify that kind of statement. It's a cash deal - so they don't have to - but they should.
   
   I'm no fan of Sourcefire's strategy (or lack thereof), but unless I see something more compelling than buying a bunch of cheap boxes and putting Snort on them - I don't believe Drako and Co. would be any more successful at "fixing" Sourcefire than anyone else.

So Sourcefire was correct in rejecting the deal and not even sitting down. If Barracuda was serious, they would have proposed a much higher premium and had a more effectively communicated strategy for the combined entity. The could have taken a page from Microsoft (62% permium for Yahoo) and IBM (huge premium for Lotus back in the day) and proposed a number that would be hard to walk away from. They didn't.

But let's be clear - that's not what this deal was about.

This is another example of why Barracuda may be the most effectively marketed security company out there. For the cost of a press release and some legal fees, they are going to be the talk of the town, even if Howie Mandel is just saying "No Deal!" You have to figure that Barracuda is angling for a public offering in the near term (once the markets right themselves) and this is a great way to get some visibility with the investors that are likely to invest in their IPO.

A 13% premium is a joke. But as a PR and investor relations strategy, it's brilliant.

 

OHMYGOD! OHMYGOD! OHMYGOD! OHMYGOD!

I feel like a giddy schoolgirl because I'm seeing something that many of us haven't seen since 2001. A security IPO. OHMYGOD!!!!

Sourcefire has filed a S-1, which is the first step to going public. You can read the document for yourself here. They propose to raise up to $75 million and Morgan Stanley and Lehman are the leads. Hmmm.

I'm fired up (no pun intended) because you always get lots of juicy stuff in a S-1. Revenues, earnings, senior management salaries, employment agreements, investor positions. Oh the wonder of the S-1.

I don't have time to go through the filing with a fine tooth comb, but here are the highlights.

• Total revenue in 2005: $32.9 million
• 2005 loss of $8.1 million
• Current cash of about $25 million
• Existing shareholders have put about $56 million into the company
• Revenue ramp starting in 2002: $1.9MM, $9.4MM, $16.6MM, $32.9MM
• Services currently running about 36% of total revenues
• Last 4 quarters have been: $11.6MM, $8.5MM, $9.5MM, $10.8MM
• Profitable and cash flow positive for Q3 2006
• Over 80% of revenue from the US
• Marty Roesch owns about 9% of the company
• Sierra Ventures is the biggest venture investor with a 28.8% position
  

So what's the conclusion? I guess I thought they were bigger. TippingPoint is a bulk of 3Com's $25 million in security business last quarter. I had heard the CheckPoint deal kind of hurt momentum for Sourcefire and I guess that's right. They still haven't beat the Q4 2005 number yet in 2006, which is odd for a strongly growing company.

But what should be a bit over $40 million in 2006 is a good number for a deal to get done. I figure other companies (Arbor, IronPort, Postini, MessageLabs, Crossbeam) are roughly that size if not a bit bigger, but haven't filed yet - so we could have the security IPO extravaganza in early 2007. CyberTrust is probably 4x that size, but services shops are valued differently. But the profitability thing is big hurdle to get a deal done, and Sourcefire now has that.

This could also be a ploy to force the hand of potential suitors. Brightmail played that card magnificently by filing the S-1 and then using that as leverage to extract a sweeter deal from Symantec. You figure SourceFire would have a $300-400 million valuation on the IPO (maybe?), so any suitor would need to beat that price. Rumors are swirling that Check Point is sniffing around again and some others as well.

Going public also gives Sourcefire currency to start buying other stuff. So it'll be interesting to see if they can get the deal done and then the long security IPO winter will be over. That would be a good thing, especially for my sell-side analyst friends, who haven't had any exciting security stuff to cover in a long time.

Congrats to Marty, Wayne and the rest of the team. An IPO is a big deal for all of us security folks.

I was intrigued by Alan Shimel's post this AM (link here) about the inevitable morphing of IDS/IPS into something else. The metaphor he uses is the dinosaurs evolving into birds. I thought dinosaurs were extinct, but that's why I studied engineering and not history in school. Speaking of dinosaur birds, how cool is Rodan? Alan does your 4 year old grok Rodan yet? Man, sometimes I'm a total tool.

Back to the point. Alan uses the post to seemingly poke at some of the vendors that are now chasing sexier terms like UTM and NAC. Sure, there are quite a few struggling IPS vendors that are trying to reposition in the NAC space. That's not news, nor is it interesting. You'll always have those ankle biters chasing the next best thing hoping to hit the Cisco, Symantec or McAfee acquisition lottery. So aside from the stupid vendor marketing tricks, there is actual technology evolution happening here, which are both predictable and inevitable. At some point pretty much everything technology hits the commodity curve. That happens when volumes go up, and in the IDS/IPS space we are seeing volumes (or my contacts are at least).

Why? Because IDS/IPS is not sexy anymore. It's mature. It's stable. The channel knows how to sell it and implement it. It's low risk. We can certainly argue whether it does anything or not, but that's not the point. Customers THINK it does something, so they are buying it. I've got lots of contacts in the channel and end user community and IDS/IPS is on main street (in Geoffrey Moore's parlance). TippingPoint is keeping 3Com afloat, Sourcefire continues to grow rapidly and ISS is holding its own. It's largely because the unsophisticated masses are now buying IDS/IPS.

I don't think about markets in terms of HOW, I think in terms of WHAT. Huh? IDS/IPS, firewalls, network anomaly detection, email security and probably 10 other things are HOW's to me. How you do something. I like to examine the WHAT. You are protecting your perimeter - that's WHAT. I don't much care how you protect your perimeter, but you need to protect it. There are lots of ways to skin the cat. The right approach will have everything to do with what your environment needs, not what arbitrary category a vendor's product is placed at some point in time.

I had an Incite at the beginning of the year called "Losing the Religion" (link here) and this is further confirmation of that path. UTM is all about using the right technique to block different attacks, while hopefully giving customers some management leverage. Of course the IDS/IPS vendors are going there because customers want them to. Only the big of the big can afford to support all sorts of different functions on different boxes with different management (see No mas box). The great unwashed want the IDS/IPS built into something bigger and simpler.

We are seeing the natural order of things. Getting back to Alan's bird metaphor - you've got lots of different birds and customers want something that tastes like chicken. It could be a Cornish hen or a turkey, but it better resemble poultry.

The second part of Alan's post is about Sourcefire basically focusing on post-admission control. It seems his biggest problem is that Sourcefire's RNA doesn't do pre-admission control. Yes, Alan sells pre-admission control, so he has strong feelings about it's usefulness and you know on what side of the fence he's going to end up. But customers shouldn't be playing favorites. At some point, you'll need both.

Pre-admission only solves half the problem. What happens if a machine is compromised AFTER it is admitted to the network? Likewise post-admission doesn't prevent a compromised or foreign attacker from doing damage until it is picked up by the passive monitoring approach and quarantined. So neither solves the entirety of the problem, how do you make sure only the right devices get onto the network and then do the right stuff when they are connected.

Over time the question becomes WHERE you perform these functions. My bet is that you do pre-admission control on an access gateway. Maybe a SSL VPN box on steroids to handle LAN speeds. Maybe on access points that terminate in-building wireless networks and public meeting spaces.

I think you do post-admission control in the network fabric. Initially you need to passively monitor traffic and centralize decision making, but over time (like 5-7 years) as more intelligence and capability makes its way into the wiring closet then you will actively enforce local policies in the closet and have a passive "overlord" watching everything to ensure network integrity and enterprise policy compliance.

It's a compelling vision and we are a long ways off, but that's one guy's vote on how things shake out.

I was invited by Martin McKeay (at Alan Shimel's behest - thanks Alan) to participate in Martin's weekly Network Security Podcast. The topic was the Check Point/Sourcefire non-merger and the impact across a whole number of perspectives. It was an enjoyable conversation and we had some good banter. We did end up on the same page relative to winners, losers and the fact that America got a black eye from interfering in this deal.

Martin does a good job with the podcast and also discusses a few other topics. Listen to it here.

 

I know. I know. I'm on vacation, but I couldn't resist. This is big.

Both Check Point (release here, FAQ here) and Sourcefire (here) have issued releases basically calling off their deal. Evidently the pressure from the Feds became intolerable, the approval process unbearable and the likelihood of closing the deal minimal. So both parties bowed out.

First, this is a shame. I'm sure someone on the financial side will do a bit of digging to figure out why the Feds would kill this deal. Hopefully it's more than that stupid Dubai ports fiasco. I'd be very disappointed if it turned out to be a well funded competitor making waves. That's dirty pool. Frankly I'm both surprised and concerned. Given the current administration's penchant to be pro-business, this is a big step in the wrong direction.

Customers won't really be impacted too much by this deal falling apart. There was little overlap between CHKP and Sourcefire, so it will be business as usual for both companies and their customers.

Check Point is a HUGE loser. Firstly, a lot of folks like me had been calling on them to talk more lucidly about what was next. Clearly that was Sourcefire. Now it's not, so they need Plan B and that hasn't been clear or forthcoming. Additionally, you need to be big to prosper and survive in the security business. This is a very CLEAR message to Check Point that they will not be allowed to buy US security companies. That is a big problem if they want to broaden their position and remain strategic. A very big problem.

Sourcefire is a big winner here. Sure, they did waste a bit of time, but did not lose much momentum from what I see. Everything I've been hearing about their business is very positive. With profitability, a strong growth rate and the best story among all the perimeter defense plays, they are well positioned. Their price tag just went way up.

There were rumblings that Check Point got a bargain based on Sourcefire's strong Q4 and pipeline momentum. Guess that's not an issue any more. To be clear, Sourcefire is a long way off having the breadth to be a long term, publicly traded, sustainable security player - so being acquired is still the most likely outcome for them. But Sourcefire will need to find another partner quickly before they get too big. It's very hard for all but 2 or 3 vendors to do a deal north of $300 million and that's clearly where Sourcefire's price tag is now.

So overall, I think this is terrible news for the industry and America takes a black eye. Truly horrible news for Check Point. Sourcefire comes out smelling like a rose.

Now back to my previously scheduled vacation.