More Security Consolidation

By now you've heard that IBM is buying ISS for $1.3 billion. Wow. This is much larger than the purchases of Foundstone, @Stake and Guardent in 2004 by McAfee, Symantec, and VeriSign (respectively). Remember also in early 2005 that NetSec was bought by MCI, who was then bought by Verizon.

IBM is an interesting buyer because it is a mammoth product and service vendor. I do not think of IBM as being a security product company, but I do think of them as an IT services company. It sounds like IBM will just push ISS products through its services group.

I wonder where this leaves other product/service companies? Looking at my MSSP post, I have a few thoughts on the remaining MSSPs. I am guessing that Counterpane and Cybertrust (TruSecure) would desperately like to be purchased. LURHQ is also independent and available. The remaining MSSPs tend to be smaller, or already part of large product/service companies (e.g., Symantec).

I know there are lots of MSSP readers of this blog. What do you think will happen?

As a footnote, I hope IBM eliminates ISS' motto (in the graphic). No one is ahead of the threat.


Joao Barros said…
I'm working for IBM right now on a IT Security department.
I'm most curious as to what will come from the ISS buy.
Anonymous said…
IBM will get the same thing as ISS customers have gotten for years. Headaches.
IBM was smart - they paid a bit too much for ISS, but they do have the cash and ISS does bring some name recognition to their security practice.

Anyone care to speculate on the next acquisition targets in the security space?

Good Bets for aquisition or acquiring others...
Vontu, ArcSight, McAfee, Sourcefire

Interesting targets but very limited scope:
Q1, Arbor, Network-Intelligence, Log-Logic, Tenable

and in the "If they don't get bought they'll wither and die shortly - department"
Intellitactics and Net Forensics.

just to stir the pot a bit.
Anonymous said…
IBM has the view that the security market is still try to find it's place. The SOC is slowing becoming part of the NOC and ITSM is a big priority. Customers are wanting a full security portfolio, because what they want changes so often. With a large company like IBM, the easiest way to be nimble enough to compete in the security space is to do it all.

To the anonymous commenter:

ArcSight recently had another round of funding, which makes them too cash heavy for purchase. Plus their marketings is superb, but the product is lacking. (Full Disclosure: I work for IBM Tivoli with the Security Operations Manager product, formerly NeuSecure).

I see Qualys as a prime candidate for acquisition. McAfee has got a good round portfolio, but will continue to grow by buying other niche companies. Log-Logic is pumping along nicely as a great alternative to SIEM's (when you need log consolidation, but not threat analysis or correlation) and therefore still great niche area.

Being a competitor to these guys, your last line made me smile: and in the "If they don't get bought they'll wither and die shortly - department"
Intellitactics and Net Forensics.

I vote for wither and die.
Anonymous said…
This acquisition is NOT a function or example of "consolidation."

This is one big company (IBM) who wishes to bolster its portfolio in the security market by purchasing a successful company who is a market leader in said space.

Consolidation reflects the scenario upon which, in a congested market segment, the market leaders "smush" or consolidate because it's crowded and uniting makes more sense than competing directly.

As Richard Stiennon mentioned as an example, IBM purchasing EDS would be consolidation, this is just a smart business move.

This is an important (at least to me) distinction.

I can see it two ways.

Way one: IBM offers managed security services. ISS offers managed security services. After acquisition, only IBM remains. Consolidation.

Way two: IBM doesn't sell security products. ISS sells security products. After acquisition, IBM sells security products. Not consolidation.

I expect to see the network security product side not matter as much in the future.
Anonymous said…
As an ISS employee, there are several ways to look at this...and only history will tell us which way it's going to happen.

Remember Art Wong and the "Ballista" product from the mid-90s? Network Associates purchased it, and got the upper echelons of the company, but the guys in the trenches who wrote code were never offered they left. "Ballista" went from being a decent product to becoming known as "CyberCop", and while it had a run, it just didn't hold up.

It's interesting to watch folks on the outside speculate as to what can or might happen, though.
Anton Chuvakin said…
"No one is ahead of the threat."

Yeah, that one annoyed me too; unfortunately, the security world is largely threat-driven, as wel all know ...
Hi Anton,

I think the vast majority of the security industry is vulnerability driven -- at least for and -- because vulnerability is the only component of the risk equation that can be controlled to some degree.
Anonymous said…

I'd have to disagree, to a point.

Yes, some of the world is vulnerability driven, but to a large extent, IMHO that's a bit scattered and not the status quo. "Vulnerability driven" implies a certain amount of proactiveness (is that a new word?), and there is, in fact, some of this. However, for the most part, many organizations seem to be looking at things *after* an incident occurs...meaning that not only are they reactionary and exploit-driven, but they are compromise-/incident-driven.

To be clear...yes, I believe that some places are vulnerability-driven...but are they driven in the right direction? Many places, however, still react after the fact...and much too late in many cases.
Anonymous said…
Rich, Anton: Think of "the threat" as a speeding freight train.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics