Has IBM’s ISS Takeover Killed Indie Security? Next on the Matasano Group.
Thomas Ptacek | August 25th, 2006
THE MATASANO GROUP
HOST: JOHN SANAMATO
PANEL: RICHARD STEINNON, IT-HARVEST; RICHARD BEJTLICH, TAOSECURITY; MIKE ROTHMAN, SECURITY INCITE; THOMAS PTACEK, MATASANO SECURITY
TAPED: FRIDAY AUGUST 25, 2006
MR. SANAMATO: Issue One! Looming consolidation in security:
ARMONK, NY and ATLANTA, GA – August 23, 2006: IBM (NYSE: IBM) and Internet Security Systems, Inc. (NASDAQ: ISSX) today announced the two companies have entered into a definitive agreement for IBM to acquire Internet Security Systems, Inc., a publicly held company based in Atlanta, Ga., in an all-cash transaction at a price of approximately $1.3 billion, or $28 per share. The acquisition is subject to Internet Security Systems, Inc. shareholder and regulatory approvals and other customary closing conditions. The transaction is expected to close in the fourth quarter of 2006.
MR. SANAMATO: ISS is just the latest in a string of high-profile acquisitions of large independent security companies. Could IBM’s move be the canary in the coal mine, signaling the demise of the large pure-play security product company? Has all the best real estate been claimed by multi-billion dollar giants?
MR. SANAMATO: Item! IBM’s acquisition removes the most successful independent IPS product from the market, leaving behind an enterprise inline market dominated overwhelmingly by companies with over $1Bn in revenue.
MR. SANAMATO: Item! The ISS takeover closely follows EMC’s acquisition of RSA Security, practically the standard-bearer for pure-play security companies.
MR. SANAMATO: Item! After a string of low-profile technology acquisitions at Cisco and four years of M&A activity at Juniper and 3Com, the network infrastructure giants now field well-rounded portfolios of products, and continue to squeeze the rest of the market with lock-in strategies like NAC.
MR. SANAMATO: Question: has consolidation of the security industry reached a tipping point? Richard Steinnon.
MR. STEINNON: Let me explain what is going on. Put simply, the security industry has grown to the point where their markets are attractive to very large corporations that are looking for new opportunities. IBM has diligently looked at the managed security space for over five years. They did not buy Riptech or Guardent, which went to Symantec and Verisign respectively, because the industry was too small. Now, as managed services becomes a big business, fueled by increased interest in regulatory compliance, it is worth jumping in.
MR. SANAMATO: Does IBM’s takeover leave behind a viable independent security industry? Without ISS or RSA, have the majors locked it all up?
MR. STEINNON: Not even close. There are over 867 vendors in the IT-Harvest knowledge base this morning. When that number falls month to month we can start talking about consolidation.
MR. BEJTLICH: How many of those companies are 1 year old or less? 2 years? 3 years? I’m guessing that many companies that were firewall development startups have either been bought or gone out of business.
MR. SANAMATO: New security startups can clearly still get funded. But can they survive? Mike Rothman.
MR. ROTHMAN: Smaller vendors are not going to beat Cisco, Symantec or McAfee at their own game. But these folks can fill the gaps. As long as they don’t get greedy, they can find a home in one of the bigger players when a market materializes.
MR. SANAMATO: So the independent companies will fight over the scraps.
MR. PTACEK: I don’t buy that at all, John. Like the EMC acquisition of RSA, if you’re a small security startup, the IBM takeover is good news.
MR. SANAMATO: Not if you’re trying to bring an IPS to market.
MR. PTACEK: Well, read the press releases carefully. The long-term outlook for Proventia had to have been a top-of-mind issue for this M&A team. But the lede in the announcement is the integration of ISS software into IBM’s software-only Tivoli unit. The uncertainty here could leave a gap in the market for a company like SourceFire to fill.
MR. SANAMATO: So how is this good news?
MR. PTACEK: Once again, an important and ambitious security player with a painfully constricted budget has been picked up by an industry giant with a near-limitless capacity to develop their security line of business by acquiring small companies.
MR. SANAMATO: ISS has acquired several small companies. Will the stifling bureaucracy at IBM do any better?
MR. PTACEK: Imagine ISS trying to pick up any company in security with more than $20MM in revenue at any reasonable multiple. You’re talking about multiple tens of points of net assets; any of these plays would be a bet-the-company move. IBM hasn’t come close to betting Tivoli on the ISS takeover.
MR. STEINNON: This is all about services. IBM is already an ISS partner for managed services so I expect a fast ramp up in product offerings and it won’t be long after the deal closes that you will be able to buy firewall and IDS managed services from IBM.
MR. SANAMATO: Does IBM have a chance selling firewalls to enterprises?
MR. BEJTLICH: The functions that ISS network security products provide, however, are going to end up in Cisco switches. Those features are going to be available as upgrades to sufficiently powerful switches, leaving managers with the choice of running Cisco plus other boxes, or just Cisco. They will choose “just Cisco.”
MR. PTACEK: I’ll object to that. On the one hand I think IBM will have a hard time competing with the Cisco ISR on the one hand and Checkpoint on the other. We have to see how much of an impact “all-in-one” boxes, like IBM/ISS might try to field, will have on that space. But the wholesale slaughter of enterprise security by switch-integrated security is never going to happen.
MR. SANAMATO: Every major switch vendor is trending in that direction.
MR. PTACEK: It’s an obvious strategy. It’s doubly sensible for Cisco; security technology on the whole, including VPN gateways, may add up to less than 10% of their revenue in switching. Meanwhile, every high-density security offering from a competitor is a potential long-term challenger to their switch monopoly, especially at the access layer. But that doesn’t mean they’re going to win in the space. For one thing, it’s taking Cisco an incredibly long time to execute on integrating security features with the Catalyst platform. For another, it’s uncertain that the packaging everyone envisions, security blades in Catalyst chassis, that those are even palatable to large enterprises. In a lot of places that’s a forklift upgrade.
MR. SANAMATO: But what about —
MR. PTACEK: — and don’t even get us started on the other switch company offerings. Name 5 companies in the Fortune 1000, half of a percent, that are seriously contemplating a new rollout of 3Com or Extreme switches, outside of specialized applications like data centers.
MR. SANAMATO: Well then —
MR. PTACEK: — and the most annoying part of this discussion. We’re all stuck fighting the last war! ISS has defined itself over the past 5 years as the thought leaders in intrusion prevention. But is there any evidence that any enterprise has really benefited from intrusion prevention? My colleagues on the panel will protest, but they can’t say I’m unreasonable for posing the question! Who’s going to lead application firewalling? What product is going to make internal segmentation viable? In 5 years, 80% of the Fortune 1000 will use 802.1x and Active Directory to assign every endpoint to a VLAN. What’s going to sit in between those VLANs? Definitely not IPS. And obviously we’re just talking about network security here. Someone’s going to take a run at solving software security, too.
MR. SANAMATO: Enough speculation. On a scale of zero to ten, with zero representing impossibility and ten representing complete metaphysical certitude, what is the chance that the IBM takeover of ISS strikes a death blow to the pure-play security market? Steinnon.
MR. STEINNON: Zero, John. I’m tracking over 850 vendors in my database, and I can even pinpoint many of them on a Google map.
MR. BEJTLICH: Ten. Those that focus on host-centric products may continue to exist, but there is a good chance that they will continue to be bought by Microsoft.
MR. ROTHMAN: Five. An independent security company’s only chance in 2006 is to find a small niche that doesn’t get them crushed by a major player.
MR. PTACEK: Zero. Consolidation happens when consumers have fewer suppliers for the same features and utility. IBM might be big, but they weren’t an IPS player before. They probably won’t be in the future, either, but they’re sure as hell more likely to buy another security company now that they’ve staked a claim there.
MR. SANAMATO: The answer is ten. IBM, Cisco, Juniper, Symantec and McAfee have put Checkpoint 7 moves away from inevitable checkmate, and none of you are smart enough to see it. That’s it for today. Bye bye!

