Risk
11/11/2010
01:23 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Security M&A: Where Innovation (Too Often) Goes To Die

Following a handful of high profile security acquisitions this year, the ever-simmering topic of security industry consolidation has once again surfaced.

Following a handful of high profile security acquisitions this year, the ever-simmering topic of security industry consolidation has once again surfaced.InformationWeek's Mathew J. Schwartz examined the potential impact of the rash of security acquisitions this year, from Symantec's bagging VeriSign, PGP and GuardianEdge throughout Intel's great shock to the IT security market by nabbing McAfee for nearly $8 billion.

Some of these acquisitions make sense, and have the potential to simplify the lives of security managers, such as Symantec's acquisition of PGP. Symantec has a solid footing in the endpoint security market, and the demand for encryption has been heating up. Should Symantec, through the acquisition, be able to simplify how security admins can manage their endpoint firewalls, anti-malware, and encryption software all the better.

Other acquisitions are desperate grasps for growth. I think McAfee's being acquired by Intel is an example. Anyone who thinks that Intel is going to be able to bake anti-virus into high-speed silicon and provide any adequate level of defense for mobile devices is smoking a pipe dream with some very high-grade contraband.

Stuffing signatures into anti-malware engines to try to block malware is yesterday's model and a dying cash cow. Today the threats move too fast, change too quickly, and are too many. And attackers are targeting too many devices on too many varying operating systems on way too many form factors. There is no way the old anti-virus signature model can keep up, no matter how tightly it is integrated with the silicon.

These acquisition spurts are nothing new. I interviewed Stratton Sclavos after VeriSign acquired network solutions for $21 billion in 2000 and I interviewed John Thompson and after Symantec acquired Veritas. And I covered hundreds of acquisitions in between and whether it was in the 1990s, early 2000s, or now the reasons were always the same.

VeriSign, for example, in 2003 acquired a privately held security services provider Guardent, and the reasons cited were to help simplify its intrusion detection system and vulnerability management services. Other reasons cited for that and other security deals also sound just like the reasoning today: security is considered more important now, security has gained higher awareness in the boardroom and other rationales we repeatedly hear every few years.

Some of these acquisitions will turn out well. Most will not. If customers are lucky, the acquiring company will allow the acquired products and services to be sold independently. But, most of the time, those offerings tend get assimilated and tailored for the acquiring vendors core product set. Rigamortis then sets in and any hope for evolutionary let alone innovative growth in the product dies. Many products are then discontinued.

The good news is that these acquisitions make room for entirely new generations of security vendors that will bring to market solutions needed for the changing landscape brought on by wide adoption of virtualization, cloud, mobile, and whatever the else the future has in store.

For my security and technology observations throughout the day find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.