Category: security

Contact: Javvad Malik Scott Denne

FireEye follows up its $1bn Mandiant purchase with a smaller bite: the $60m acquisition of nPulse Technologies. In addition to the $60m in cash, FireEye is on the hook for $10m in stock for an earnout and another $10m in retention payments for the 30-employee company.

Its latest buy brings FireEye network forensics capabilities to go along with its network threat detection and the endpoint forensics it picked up with Mandiant. FireEye now joins several competitors that have built or bought network forensics, including LogRhythm, which recently announced a forensics product, and Blue Coat, which acquired Solera Networks last year (and subsequently purchased Norman Shark, which competes with FireEye’s core offering).

We would expect FireEye to keep hunting for new acquisitions. While it now has network and endpoint forensics as well as network-based threat detection, it’s missing endpoint threat detection, though it does have a partnership with Verdasys for endpoint detection. CEO Dave Dewalt has been vocal about the need to build FireEye beyond its original network detection products, and the company just raised $446m in a second public offering.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Contact: Adrian Sanabria Scott Denne

Cloud application control (CAC) has emerged suddenly, spawning 15 startups, by our count, in less than two years, and three acquisitions since last fall. The market was born out of the need for nuanced control of enterprise SaaS applications: a gaping hole in offerings across many security categories, including next-generation firewalls and identity and access management.

Given the abundance of available startups and the relevance of this technology to so many vendors, we expect to see more acquisitions in this sector in the near future. We would be surprised if most CAC providers haven’t fielded some interest in an exit at this point.

Cloud application control acquisitions

Date announced Target Acquirer Employees Deal value September 26, 2013 SaaSID Intermedia 20 Not disclosed January 15, 2014 CloudUp Networks CipherCloud Two Not Disclosed February 6, 2014 Skyfence Networks Imperva 20 (estimated) $60m

Source: The 451 M&A KnowledgeBase

Whether CAC eventually takes shape as a feature of a firewall or a cornerstone of a consolidated identity management and cloud encryption offering, this market is here to stay as all enterprises will require a way to control access and data outside their own perimeter.

We’ll explore this sector in depth in a report in tomorrow’s 451 Market Insight.

Contact: Scott Denne Javvad Malik

Firewall management companies began to crop up a decade ago to help organizations tackle firewall sprawl, but that corner of the security market has seen few acquisitions, despite its age. Now that all the vendors in that space are expanding beyond pure firewall management, we expect a few of the five vendors here – FireMon, Skybox Security, RedSeal Networks, AlgoSec and Tufin – to take advantage of high valuations among security companies and look for an exit. While the category continues to grow modestly, none of these vendors has emerged as the clear leader, with most hovering around $25m in annual sales.

In trying to stand out from the crowd, they’ve all expanded in recent years beyond firewall management and into adjacent areas such as network risk assessment and network orchestration. As pure firewall management vendors, there was little interest in buying them: their sales came from being positioned as a neutral party with the ability to manage products from different security vendors. Getting picked up by a large security vendor could put that position in jeopardy.

Over the last 12 months, security companies have sold at a median valuation of 8.3x trailing revenue, according to the 451 M&A KnowledgeBase. Many may still be stymied, however, by a perception that they’re still primarily firewall management vendors, thereby affecting their valuation potential.

We explore this sector in depth in a report here.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Contact: Adrian Sanabria Scott Denne

Palo Alto Networks buys into the endpoint security business with its $200m acquisition of early-stage vendor Cyvera. The deal moves the next-generation firewall provider into a new corner of the security market and mirrors other transactions by competitors that have also taken advantage of their rising stock prices to buy companies that can wring larger purchases from their customers.

Palo Alto will pay $112m in stock and $88m in cash for Cyvera when the deal closes. In exchange, it gets ownership of a service that protects endpoints by recognizing techniques used by hackers and preventing them from executing on endpoints. Cyvera, which has 55 employees and raised $13m in venture capital, isn’t expected to add notable billings or revenue to Palo Alto until later next year.

The deal is similar to FireEye’s $1bn acquisition of Mandiant earlier this year. In that transaction, FireEye, like Palo Alto, was aiming to extend itself beyond its focus on network security and into a larger total addressable market (TAM). While the price tag for Mandiant (which came with a large and lucrative consulting practice) was higher than Cyvera, the latter acquisition is more significant – with this deal, Palo Alto will immediately cover a larger swath of the security market.

We’ll have a longer report on this transaction in our next 451 Market Insight.

Security companies hunt larger TAM

Date announced Acquirer Target Rationale Deal value (stock portion) March 24, 2014 Palo Alto Networks Cyvera Expanded into endpoint security $200m ($112m) February 13, 2014 Bit9 Carbon Black Added network and forensic capabilities >$40m* (Not disclosed) February 6, 2014 Imperva Skyfence Networks Brought cloud application control $60m ($57m) January 2, 2014 FireEye Mandiant Obtained threat intelligence and nascent endpoint offering $989m ($889m)

Source: The 451 M&A KnowledgeBase *451 Research estimate

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Contact: Scott Denne

Symantec’s board has fired Steve Bennett, the CEO who brought the security vendor’s vigorous M&A practice to a halt. During his tenure, beginning in July 2012, Symantec bought just one company, compared with an average of four deals per year for the preceding decade.

Under Bennett’s watch, Symantec purchased only PasswordBank Technologies, an identity management firm that we estimate had $2m in annual revenue at the time. According to The 451 M&A KnowledgeBase, which tracks back to the start of 2002, the only other year Symantec acquired one or fewer companies was 2011, when it spent $410m on e-discovery vendor Clearwell Systems.

It’s hard to fault Symantec’s recent management for its M&A reluctance. The company built itself through acquisitions, but its biggest bet proved one of its worst. In 2004, it paid $13.5bn for storage software provider Veritas and every Symantec CEO since then has struggled with the legacy of that deal. Symantec’s current market cap, at $12.7bn, sits below what it paid for Veritas and it has taken nearly a decade to grow Veritas’ sales by just 25%.

Regardless of the failure of the Veritas buy, Symantec has been increasingly inactive as its competitors grabbed seats in several markets. Take security event and infrastructure management. Surveys of security customers by TheInfoPro, a service of 451 Research, show that Symantec ranked third in that category in mid-2011, shortly after HP spent $1.65bn on market leader ArcSight. Subsequent deals by IBM (Q1 Labs) and McAfee (NitroSecurity) pushed Symantec further down in the rankings.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Contact: Scott Denne Adrian Sanabria

With the acquisition of Carbon Black, Bit9 continues to reinvent itself, moving beyond its roots in whitelisting and toward a holistic threat detection and prevention vendor. Founded in 2002 and venture-funded since 2004, Bit9 gained traction in financial sectors and niche products such as point-of-sale terminals and grew its revenue to about $45m last year, with the lion’s share of its growth coming in the past three or four years.

We understand the deal values Carbon Black at more than $40m – a nice number for a company with an impressive list of early customers and little revenue (it began selling products in earnest in May 2013). Carbon Black brings Bit9 endpoint sensors that go beyond detecting file events to monitor registry changes, network connections and binary executions, enabling Bit9 to move beyond prevention and into threat response.

In addition to shedding its whitelisting label, the acquisition will better position Bit9 to fend off an eventual FireEye endpoint offering that will likely result from its acquisition of Mandiant (Bit9 and FireEye are currently partners). It also improves its edge on endpoint competitors such as Invincea and Bromium that protect and remediate, but are limited in scope to the Web browser and some office applications.

Look for a more detailed report on this deal in tomorrow’s 451 Market Insight.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Contact: Scott Denne

Imperva leverages its expensive stock to make its first major acquisition, picking up Skyfence Networks for $60m, consisting of just $2.8m in cash. Public markets value Imperva at 10x trailing revenue and its stock has more than doubled since its IPO in late 2011, outpacing the growth in its sales over that time. The deal is reminiscent of FireEye’s purchase in January of Mandiant. At $1bn, that transaction was far larger, though it was also about 90% stock and made possible by FireEye’s eye-popping valuation: 62.6x trailing revenue.

Imperva holds enough cash that it could have done the deal without a rich stock price, though it’s unlikely it would have. The purchase is small, though it is still more than 8x the free cash flow Imperva generated last year. Skyfence didn’t post any revenue and with Tomium Software’s mainframe security assets (the other acquisition Imperva has announced), Imperva will add $11m in operating expenses this year.

What Imperva is getting is a product that pads its strong position in the Web application firewall market. According to surveys by TheInfoPro , a service of 451 Research, Imperva is the second most implemented vendor in the space (behind F5), with 32% of customers reporting they intend to spend more on those products in 2014, up from just 24% in 2013.

The transaction marks the first entry of an established security player into the cloud application control market, something we expect to see more of this year as there’s no shortage of emerging companies in this space and it’s complementary with next-generation firewalls (a case we laid out in our ‘2014 M&A Outlook – Enterprise Security’). With the rich multiples that public and private security vendors command these days, lots of stock could trade hands.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Contact: Scott Denne

Over the past year, Juniper Networks shaved $111m of revenue – or 16% – off its security business, capping a three-year period that has seen that unit decline 25%. Unless it makes a move to offer more up-to-date products, there’s little reason to expect the division to stop shrinking. According to a survey by TheInfoPro, a service of 451 Research, the same amount of Juniper’s security customers said they plan to spend less with the vendor as said they would spend more (22%). Compare that with 2013, when only 11% planned to spend less and 44% planned to spend more.

Juniper’s security portfolio consists of network perimeter defenses (firewalls, VPN, intrusion prevention, etc.) and has been slow to adopt emerging technologies, such as next-generation firewalls. The founders of Palo Alto Networks, which pioneered next-gen firewalls, initially wanted to build the company at Juniper; however, they left and now Palo Alto is a quarter or two away from being larger than Juniper’s security business.

Meanwhile, Juniper spends conservatively on M&A – it hasn’t spent more than $300m on a deal in almost nine years and has only crested $100m three times since then – so we don’t expect it to make a big, splashy Sourcefire-like acquisition. Even so, the flood of venture money going to security creates an abundance of targets that match its spending profile.

Cloud application control technologies would make a good fit with Juniper. There are several startups in this space, including Adallom, Netskope and Skyhigh Networks, that are developing technologies that promise more nuanced control of SaaS apps compared with what next-gen firewalls typically offer today. As the services are offered, in part, through a network-based appliance, they would fit Juniper’s product portfolio. We expect Juniper’s competitors to get in this game in a year or so, making it possible that Juniper would try to regain some ground with a move in this market.

On the other hand, Juniper’s overall business is healthy: revenue grew 7% last year to $4.67bn, with a $439m profit on the strength of its router sales. With new CEO Shaygan Kheradpir, who’s been on the job for about a month, management may decide that it’s not worth the trouble to keep its promise to return the security division to growth this year. While it’s too early to say what moves he’ll make, his resume as the COO and CTO of Barclays and before that, CTO and CIO of Verizon, which accounted for 10% of Juniper’s revenue in several recent quarters, suggests that Kheradpir was brought in to protect the company’s existing relationships, rather than expand into new markets.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.