Splunk explores SIEM market with Metafor acquisition

Contact: Scott Crawford Dan Raywood Scott Denne

Splunk has made its third acquisition with the pickup of anomaly-detection startup Metafor Software. With this deal, Splunk will add fewer than 15 employees to its roster. And, although terms of the deal haven’t been disclosed, the acquisition (like its previous purchases) is likely modest. Splunk paid $21m in its acquisition of Cloudmeter at the end of 2013, and $9m for BugSense earlier that year.

That doesn’t mean it can’t have an outsized impact on Splunk. The deal expands two related core functionalities into the portfolio (machine learning and anomaly detection), which will raise its profile among both IT operations management and security buyers keen to broaden and improve capabilities for detecting unexpected or malicious activity.

The acquisition raises the bar for competitors in both IT operations management and security. Challengers such as LogRhythm and AlienVault are reshaping the competitive landscape for SIEM incumbents such as HP ArcSight. Meanwhile, IBM has gained considerably from Q1Labs capabilities, which were originally differentiated through network flow-based anomaly detection. Improved SIEM performance was a good deal of the rationale behind McAfee’s (now part of Intel) 2011 acquisition of NitroSecurity. All in this space are further challenged today by a number of emerging security-analytics plays that expand capabilities in security information management performance and volume in a variety of ways.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

A steady Sophos now set to step on public stage

Contact: Brenon Daly

After an on-again, off-again march to the public market over the past decade, Sophos finally looks set to sell shares to the public for the first time. The 30-year-old, UK-based security vendor put in its paperwork last week for a $100m IPO on the London Stock Exchange (LSE). It was actually the second time the decidedly middle-aged Sophos filed to go public, and comes five years after it flirted with an IPO before selling a majority stake to Apax Partners instead.

During the half-decade in the private equity firm’s portfolio, Sophos has been a steady acquirer, picking up a company about every year. Its most recent deal, announced earlier this week, is the first time Sophos has acquired a cloud-based vendor. Sophos paid an undisclosed amount for email security and archiving startup Reflexion. The technology is expected to be integrated into Sophos Cloud later this year.

When Sophos does hit the LSE next month, we expect it to create a few billion dollars of market value. In its most recent fiscal year, which finished last March, Sophos increased revenue 18% to $447m. For comparison, Barracuda Networks – a diversified security provider that, like Sophos, serves the SMB market – posted an identical growth rate in its most recent fiscal year. (Although Sophos is growing off a revenue base that is more than half again as large as the $277m that Barracuda put up last year.) Since it went public in November 2013, Barracuda has doubled its market value to about $2bn.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Exclusive: An IPO in the works for Dell SecureWorks?

Contact: Brenon Daly

When Michael Dell pulled his company off the Nasdaq two years ago, he had very few good things to say about being a public business. Dell first listed his company back in 1988, but as its PC-dominated business fell out of favor among investors, he blasted the ‘short-term thinking’ of most money managers and engineered a $24bn take-private of his company. Now, it seems he’s looking to make a return trip to Wall Street, at least with a portion of his business.

Rumors are now swirling that Dell is planning to sell a minority stake in SecureWorks, a managed security service provider (MSSP) that Dell acquired in January 2011 for $612m. As we understand it, the plan is to sell about one-third of the SecureWorks division in an IPO later this year. We estimate revenue at SecureWorks at just under $300m, with the business running right about breakeven. Assuming it gets a valuation comparable to what has been handed out in recent MSSP transactions, SecureWorks could be valued at roughly $1bn.

Dell was rumored to be a bidder for Trustwave, an MSSP that sold to Singtel for $810m in April. (SecureWorks is roughly one-third larger than Trustwave.) Market sources have also suggested that Dell has looked at smaller regional MSSPs. Raising money through selling a minority stake to the public would give SecureWorks additional currency to pursue acquisitions.

MSSPs have been around in various forms since the late 1990s, but have recently come into favor amid a shortage of skilled infosec workers and IT security technology that hasn’t kept pace with threats. The market appears to have a fair amount of growth in front of it. In a recent study by The InfoPro, a service of 451 Research, slightly fewer than four out of 10 respondents indicated that they were currently using an MSSP.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

451 Research’s M&A KnowledgeBase tutorial: Taxonomy and summary

Contact: Adam Phipps, Kenji Yonemoto

Earlier this week, we noted a record rate of infosec M&A. In 451 Research’s M&A KnowledgeBase, users can run a security M&A screen and a statistical summary of that screen. Year-to-date, the premises network security subsector leads in spending, and physical security is the most active subsector. Learn more about running statistical summary reports by watching this video.

Security_Sub-Sector_Chart_-_JPEG_copy[1]

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

As RSA kicks-off, IT security M&A hits record rate

Contact: Brenon Daly

Opening on Tuesday, the RSA Conference runs its weeklong shindig under the tagline, “Where the world talks security.” When it comes to M&A, however, infosec acquirers are doing more than talking – they’re putting their money where their mouths are and shopping at a record rate.

Already this year, buyers representing a broad swath of the tech M&A community have announced 59 transactions valued at $8.1bn, according to 451 Research’s M&A KnowledgeBase. Annualized, that would put the total number of infosec deals announced this year at right around 200, significantly ahead of last year’s record number of 136.

Keep in mind, too, that infosec M&A activity in 2014 was about 30% higher than any year we’ve seen. (We consider the number of transactions – rather than spending attached to them – as the most accurate gauge of the overall vitality of M&A in what’s a relatively narrow market such as infosec, where a large print or two can dramatically swing aggregate spending. For context, infosec currently accounts for roughly 2% of the overall TMT M&A market, both in terms of annual deal volume and annual deal value.)

The boom in buying shouldn’t really surprise anyone, given the steady increases in infosec budgets coupled with the steady increases in security breaches (Sony and Anthem Inc, among others). Bankers we surveyed last December told us they expected infosec to the be the second-busiest sector for M&A in 2015, trailing only slightly behind mobility.

That bullish forecast is certainly coming through in the prints so far this year, which are running 40% higher than the same period in 2014. Maybe more noteworthy than the number of infosec transactions in 2015 is the breadth of infosec buyers. This year’s record acceleration has been driven by the usual suspects being active (Proofpoint has put up a print, while Checkpoint has inked two deals); PE shops getting busy (Bain Capital acquiring Blue Coat, Marlin Equity Partners purchasing the divested Fidelis business); as well as new buyers stepping into the market, such as Internet vendors (salesforce.com reaching for Toopher, PayPal snagging CyActive).

Information security M&A activity

Period Deal volume Deal value
YTD 2015 59 $8.1bn
2014 136 $8.6bn
2013 99 $8.4bn
2012 88 $1.8bn
2011 101 $3.2bn
2010 107 $19.82bn

Source: 451 Research’s M&A KnowledgeBase

For more real-time information on tech M&A, follow us on Twitter @451TechMnA

Bain reaches into Thoma Bravo’s closet for a Blue Coat

Contact: Brenon Daly

More than three years after going private, Blue Coat Systems has been flipped to another private equity firm at nearly twice the price of the initial leveraged buyout (LBO) by a Thoma Bravo-led consortium. Bain Capital said Tuesday that it will pay $2.4bn in cash for the old-line networking and security vendor. (Subscribers to The 451 M&A KnowledgeBase can click here to see our estimates for both the trailing revenue and cash flow at Blue Coat.) Thoma Bravo took Blue Coat private for $1.3bn in late 2011, after HP was rumored to have dropped out of the bidding.

Under Thoma’s ownership, we understand that Blue Coat returned to mid-teens percentage growth as it expanded beyond its core offering of network security and WAN optimization, both of which are rather mature markets. (For instance, a mid-2014 survey of more than 200 information security professional by TheInfoPro, a service of 451 Research, showed that almost nine out of 10 respondents (86%) have already deployed some form of Web content filtering, a long-standing offering from Blue Coat.)

Blue Coat made three acquisitions while in Thoma Bravo’s portfolio, including paying a rather ‘un-PE’ multiple for network analytics startup Solera Networks. (Click here to see our proprietary estimate of terms of that transaction.) Of course, being a PE-owned company, Blue Coat also fattened up its cash flow in recent years. According to our understanding, Thoma Bravo has more than tripled Blue Coat’s EBITDA since the LBO.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

A change in command at Courion?

Contact: Brenon Daly

After a fitful and protracted M&A process, Courion has been sold to a private equity (PE) firm, according to several market sources. The deal, which we understand is closed, but has not been announced, would be the third acquisition by a buyout shop of an identity-related security vendor in the past half-year. However, our understanding is that Courion got about half the valuation of the other two larger identity and access management (IAM) vendors that were recently acquired.

Several sources indicated Courion traded at around $70m, which works out to roughly 2x sales. Rivals BeyondTrust and SailPoint sold for closer to 3x sales and 5x, respectively. (Subscribers to 451 Research M&A KnowledgeBase can see our estimated terms for BeyondTrust and SailPoint.)

In addition to those financial acquirers, many of the largest strategic shoppers – including Microsoft, IBM and CA – have been snapping up IAM technology, in part to help secure cloud offerings. The reason? Security remains the top-ranked inhibitor of cloud technology adoption, according to ChangeWave Research, a service of 451 Research. In the cloud – with its centralized IT resources and pooled data – knowing who is who and who has access to what is fundamental. Further, when users are accessing corporate resources that live outside the firewall, often from devices no longer under enterprise control, perimeter-based access controls are no longer effective.

That has certainly resonated with customers. In a survey of more than 200 IT security professionals in 2014, 451 Research’s TheInfoPro found that one-quarter (24%) of respondents forecast that they would be spending more in 2015 on identity-related security technology than they did in 2014. Not a single respondent indicated they would be trimming their budget for this crucial technology. (Identity was the only specific sector – among the dozen that we asked about – that didn’t have a single response indicating lower year-on-year spending.)

As is often the case in emerging markets, however, the strong demand for IAM hasn’t been evenly distributed across the vendors. Symplified, an early entrant in the IAM market that raised nearly $50m in venture funding, wound down last summer and sold its assets to EMC for pennies on the dollar. And while Courion is a far cry from the scrap-sale of Symplified, the company had struggled to put up growth in recent years. That blunted VC’s interest in putting new money into Courion, which hadn’t raised in about a decade, and ultimately put pressure on its valuation.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Voltage is key to decrypting HP’s M&A

Contact: Scott Denne

HP’s acquisition of encryption vendor Voltage Security suggests that it’s being more disciplined on price than it had been before its M&A break. It is HP’s first security deal in four and a half years. Terms of the transaction weren’t disclosed, though encryption hasn’t garnered the high multiples that other categories of security have produced.

In the year before its reach for Autonomy shut down its M&A program, HP paid north of 10x trailing revenue on four of six purchases (and 7.7x on another). Compare those valuations with multiples in the maturing encryption space – SafeNet and Cryptzone both traded hands last year a hair below 3x trailing revenue, while earlier deals in the space, namely Symantec’s pickups of GuardianEdge and PGP, both went for 4x.

As the hangover from Autonomy fades, HP’s M&A is starting to come back online, and it has printed three acquisitions in the past 12 months. Security is likely benefiting from some M&A attention as it’s a bright spot in a declining software portfolio. In each of the past two years, HP’s enterprise software sales have ticked down a few percentage points. Security has been a growing part of that business, but could be at risk. According to a survey by TheInfoPro, a service of 451 Research, 40% of HP’s security customers anticipate spending less with that provider than they did the previous year (only Websense customers reported a higher percentage of reduced spending).

Blackstone Advisory Partners advised Voltage on its sale.

We’ll have a detailed report on this transaction in tomorrow’s 451 Market Insight.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Feeling vulnerable, Alert Logic buys Critical Watch

Contact: Scott Denne

Alert Logic reaches for vulnerability manager Critical Watch to add 15 years’ worth of vulnerability data to its cloud and analysis products. Though it already had vulnerability scanning capabilities, Critical Watch was built for distributed systems and can provide a foundation for the security offerings that Alert Logic is developing for cloud environments.

Critical Watch also performs tens of thousands of vulnerability checks and has a library of vulnerability content that Alert Logic can plug into for its security analytics product line, but would be difficult to replicate on its own. The deal adds 17 employees to Alert Logic.

Though maturing, vulnerability management continues to grow in importance. According to surveys by TheInfoPro, a service of 451 Research, 9% of IT professionals identified vulnerability management as a major infosec pain point in the second half of 2014. That’s up from just 4% a year earlier. Only mobile devices and user behavior received higher responses.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

A buyout for Bitdefender?

Contact: Brenon Daly

Bitdefender is rumored to be the latest European antivirus (AV) vendor of scale to be picked up by a buyout shop. Several market sources have indicated that Romania-based Bitdefender, which is a division of a larger company and hasn’t taken outside funding, has been sold. Neither the price nor the private equity (PE) acquirer could be immediately learned.

According to our understanding, Bitdefender generates about $50m in revenue. The consumer-focused company says its AV technology protects 500 million users, which is more than twice as many as rival AVG claims. In addition to selling directly, Bitdefender also OEMs its offering to more than 100 partners, which partially accounts for how the company’s technology has made it onto a half-billion machines.

A number of PE firms already have Europe-based, consumer-focused AV providers in their portfolios, including Apax Partners with Sophos, Summit Partners with AVAST and TA Associates with AVG, although that company is now publicly traded. Also, General Atlantic (briefly) owned a minority stake of Kaspersky Lab.

In general, those investments haven’t generated stellar returns for the buyout barons. GA had a less-than-harmonious holding of Russian firm Kaspersky for about a year. AVAST didn’t make it public when it was on file two years ago. And both Sophos and AVG have been valued in the range of 2-3x sales. Applying that multiple to Bitdefender would value it at roughly $100-150m.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.