BeyondTrust announced today that it has acquired the assets of Database Activity Monitoring vendor Lumigent. Some of you are saying “Who?” Others, who have been around the DAM space a few years, shake your heads in dismay at what might have been. There was a time – way back in the 2004-2005 timeframe – that Lumigent had a clear leadership position in the Database Activity Monitoring space. They won many head-to-head sales engagements. They had a good sales and marketing team, the best Sarbanes-Oxley reports in the industry, the only viable auditing tool for Sybase, and the only platform that provided “before and after” query values. The latter was the hot feature for forensic audits and regulatory compliance, and every customer wanted it. Greylock, North Bridge, and NetIQ invested. Lumigent was a shining star in the nascent DAM market and they were making a name for themselves.
Fast forward 6 years and we have an asset sale. That’s a politically correct term for fire sale. The kind where they’re selling the fixtures off the sinks. So how did it all go so very wrong?
There was actually a long series of missteps, so we’ll discuss several major types of FAIL. It’s a classic example of how to plunge into the chasm, land in a fiery mess at the bottom, and get sold for scrap metal:
- Strike One: Technology. Lumigent never capitalized on their technology lead. Their engineering team must have known that the triggers and stored procedures they used in the early days would not scale, even though early customers preferred them to native audit and tracing – which Lumigent then added to their mix! It seemed like Dumb and Dumber were managing their product roadmap. Sure, they improved data collection over time, but not enough; nor did they ever find a consistent strategy to collect events across all databases. Additionally, they focused on Sybase and MS SQL Server – to the exclusion of Oracle and IBM, who sell a few databases. Competitors quickly provided more – and better – collection options across all the major platforms. Competitors were easier to deploy and did not kill performance. Don’t get me started on the missed Vulnerability Assessment opportunity. Lest you forget, Lumigent acquired nTier, which was a bad assessment product. Nothing was structurally wrong with it, but it needed a lot of work on policies and reporting to be competitive. During the several years assessment was key to winning deals, Lumigent made no visible investments into the nTier technology. It only covered a couple databases, with only some of the needed policies for security or compliance, when it was acquired. They were not the only vendor stuck in the mud for a while, but the upshot is that they failed to upgrade their product to keep pace. Startups have to innovate, you know?
- Strike Two: Partnerships. Lumigent heavily courted Microsoft and Sybase. They geared their product strategy to work with these two database vendors to a fault. This helped early on, but both partners wanted far better auditing capabilities – specific to their respective database platforms – before they were willing to really get behind Lumigent. Behind the scenes Lumigent thought acquisition was a sure thing. Not so much – Lumigent neither delivered, nor did they hedge their bets with a heterogenous solution. When Lumigent failed to provide better auditing, the rumored Microsoft and Sybase acquisitions halted, and both partners had conversations with just about every other DAM vendor. The recent partnership with Deltek was solid, but simply not enough to carry the company. They didn’t just count their chickens before they hatched, they counted them the first time the rooster made eye contact.
- Strike Three: Misunderstanding the market. Lumigent’s story shifted from Database Security; to Compliance; to Database Auditing Solutions for Compliance and Security; to Information Centric Security; to Application Governance, Risk & Compliance; and then back to DAM – each step worse than the one before. The App GRC strategy was the most surprising and saddest, as it looked like a desperate attempt to save the firm by re-inventing their market. I appreciated their ingenuity in repackaging DAM into something totally new, and admired the cojones management displayed with their willingness to walk away from their primary market, but I thought they were nuts. And I told them. Rich and I stopped short of begging Lumigent to reconsider their App GRC path, with at least a half dozen reasons it was a bad idea, along with practical experience about how Information Risk Management and GRC messaging missed DAM buying centers. A couple years later that horse died, and Lumigent was back to square one.
Very few start-up firms get three strikes.
What does this mean for BeyondTrust? The good news is that DAM extends the PowerBroker functionality, providing a means to detect misuse and compromised credentials. The PowerBroker product family is focused on credential and authorization management, but its value is the ability to delegate capabilities without distributing credentials, and fine-grained task-oriented authorization maps. Before the acquisition the PowerBroker platform was geared for preventative security. DAM provides detective capabilities along with a number of compliance reports deeply focused on the database layer. This gives BeyondTrust users some new toys to play with that improve security and broaden the product line. BeyondTrust surely acquired the assets for a song, so they really can’t lose here. And I like the vision. I hope they take a long look at how their customers will use the technology – a few strategic improvements would go a long way to improve customer satisfaction.
But there is some bad news. First, the Lumigent technology is way behind the curve. For Database Activity Monitoring or Vulnerability Assessment, Lumigent cannot compete head-to-head against other established vendors. The technology lacks consistency and capabilities across the board, including data collection, database platform support, policies, and platform management. For most acquirers that wouldn’t matter – BeyondTrust can at least sell ‘new’ Lumigent functions to their existing accounts to enhance security within their existing product suite. But to offer real value to customers, the Lumigent DAM and VA capabilities must be fully integrated to leverage audit and assessment results to improve authorization mapping. Unfortunately that’s the second problem: how can BeyondTrust integrate the DAM piece with an access control and authorization suite, without stepping on Protegrity’s database intrusion detection patent (US 7120933)? I’m not a patent attorney and therefore not qualified to comment on the law, but as a security technologist it looks like fully integrating BeyondTrust’s products would yield something remarkably similar to Protegrity’s patent.
So what does this mean for the DAM market, which still grows at a healthy rate? Not much. Many Lumigent customers have switched to new products, or been looking at other solutions for a while. The technology has simply not kept up with the competition, and with holes in both functionality and platform support. That’s not to say the technology is non-viable, but it cannot become a class leader. In with a bang and out with a whimper, Lumigent is the sixth DAM vendor to be acquired, following IPLocks (Fortinet), Guardium (IBM), Secerno (Oracle), Tizor (IBM via Netezza), and Sentrigo (McAfee).
Reader interactions
6 Replies to “BeyondTrust Acquires Lumigent Assets”
The intention in pointing out flaws is not to kick Lumigent – product or management. The intent is to illustrate how decisions resulted in both product strengths and weaknesses. The end goal is to provide potential customers the knowledge they need to evaluate enhanced PowerBroker functions. I envision that many existing BeyondTrust customers will do well with auditing capabilities, but that’s a different conceptual model than standalone DAM for database security.
-Adrian
Hi Adrian,
while Lumigent’s product had its numerous flaws, a catalyst to its failure was the management team. I never saw so many “executives” come in and out. From first hand experience, dealing with them was impossible. they present an air of doscontent and lack of vision. moreover, trying to get the executive team to make a decission was impossible and a total lack of control and direction for the sales force was apparent.
while its all 20/20 hindsight at this point i do feel sorry for the next group that thinks they can improve on the Lumigent technology.
I would however like to meet the salesperson who sold it to BeyondTrust….
peace
Adrian—thanks for correcting this point.
As to your interpretation of the various products, companies, and customers involved in the DAM market, I have no comment on your opinions—you are of course entitled to them (as is the curiously named commenter “Me”).
@Murray – My intention was not to say Oracle and IBM database platforms were unsupported. They were. But it was clear to me, the other DAM vendors, and your customers that the focus was MS SQL Server and Sybase. I appreciate your commenting on this matter as I can see how the post would come across that way and I apologize. However I stand by the assertions in the post about the strengths and weaknesses of the product suite.
@Me – In the mid and late 2000s most security products were in and of themselves insecure. The IPLocks products were subject to 1/2 dozen SQL Injection attacks at the time.
-Adrian@Murray – My intention was not to say Oracle and IBM database platforms were unsupported. They were. But it was clear to me, the other DAM vendors, and your customers that the focus was MS SQL Server and Sybase. I appreciate your commenting on this matter as I can see how the post would come across that way and I apologize. However I stand by the assertions in the post about the strengths and weaknesses of the product suite.
@Me – In the mid and late 2000s most security products were in and of themselves insecure. The IPLocks products were subject to 1/2 dozen SQL Injection attacks at the time.
-Adrian
Hi Adrian,
As a co-founder of Lumigent, I wanted to share a correction to a factual error in your post: during my time at Lumigent, we offered products that worked with Oracle and IBM databases, and we had active partnerships with Oracle and IBM.
Cheers,—Murray
Dear lord… Have you ever actually implemented or used AuditDB? It’s absolute crap. Lumigent crammed several 3rd party technologies, that they didn’t understand, together and then called it a product. Not only was it crap, it was absolutely insecure crap. Which is a really interesting characteristic for a “security” product. Then everyone in the company who had a pair of neurons to run together fled (yeah, all two of them)… I stopped reading SC magazine the year that they gave AuditDB a glowing review. Honestly, this whole deal reflects poorly on BeyondTrust’s management.