Risk
11/9/2010
04:49 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Schwartz On Security: Reaching The M&A Tipping Point

The jury is out on whether businesses will benefit from Intel buying McAfee or from Symantec, IBM and Microsoft sucking up everything in sight.

The pace of mergers and acquisitions in the security industry has been breathtaking, but could it be headed for a stop?

Since last year, numerous top-tier smaller outfits have been snapped up by large players. Indeed, more than $10 billion has been spent in just the past six months by Symantec (VeriSign plus PGP and GuardianEdge), IBM (BigFix, OpenPages, PSS Systems), Hewlett-Packard (Fortify and ArcSight) and CA (Arcot).

Furthermore, the technology industry heavyweights -- who by virtue of their size largely innovate via acquisitions -- apparently still have oodles of cash at the ready.

What's behind the breakneck pace of acquisitions? One answer is that it's mirroring a growing awareness of security by senior executives. "Security is starting to get higher on their radar screens now," said Steve Robinson, general manager for IBM security solutions. "Many of our corporate accounts are starting to put in chief security officers, to expand their security teams and see that security has impact on all parts of their business."

This evolution and growing security understanding is -- on the upside -- leading customers to demand more consolidated approaches to mitigating their security challenges. Accordingly, said Robinson, "we need to move beyond the single product to solve a single problem, to more of a comprehensive strategy."

Cue mergers and acquisitions. But where should they end, and are businesses best served by a more all-in-one approach?

Consider Intel's $7.7 billion acquisition of McAfee, which surprised many industry watchers who thought endpoint security should be built into the operating system, rather than the motherboard.

The positive spin is that the deal has the potential to bake-in better security to PCs and mobile devices -- through to virtualized environments and the cloud -- from the get-go. But it also has the potential to be seen, in a few years, as an expensive one-size-fits-all boondoggle of AOL proportions.

Garter Group analyst John Pescatore likens the overall information security M&A equation to cars and boats: Would you buy a car from a boat maker? How about a boat from a carmaker? The short answer is, no. Now extend the paradigm to information security.

"I'm always amazed when network infrastructure vendors like Cisco and Juniper build security solutions that try to get us to put their software on our endpoints, and when software vendors like IBM Tivoli or CA acquire and try to sell network security products," he said. "These strategies always end badly -- it is why the McLobster sandwich and the Nobu Whopper never did well either."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web