Email Security

McAfee Acquires MX Logic

By Adrian Lane

During the week of Black Hat/Defcon, McAfee acquired MX Logic for about $140M plus incentives, adding additional email security and web filtering services to their product line. I had kind of forgotten about McAfee and email security, and not just because of the conferences. Seriously, they were almost an afterthought in this space. Despite their anti-virus being widely used in mail security products, and the vast customer base, their own email & web products have not been dominant. Because they're one of the biggest security firms in the industry it's difficult to discount their presence, but honestly, I thought McAfee would have made an acquisition last year because their email security offering was seriously lacking. In the same vein, MX Logic is not the first name that comes to mind with email security either, but not because of product quality issues -- they simply focus on reselling through managed service providers and have not gotten the same degree of attention as many of the other vendors.

So what's good about this? Going back to my post on acquisitions and strategy, this purchase is strategic in that it solidifies and modernizes McAfee's own position in email and web filtering SaaS capabilities, but it also opens up new relationships with the MSPs. The acquisition gives McAfee a more enticing SaaS offering to complement their appliances, and should more naturally bundle with other web services and content filtering, reducing head-to-head competitive issues. The more I think about it, the more it looks like the managed service provider relationships are a big piece of the puzzle. McAfee just added 1,800 new channel partners, and has the opportunity to leverage those channels' relationships into new accounts, who tend to hold sway over their customers' buying decisions. And unlike Tumbleweed, which was purchased for a similar amount of $143M on falling revenues and no recognizable SaaS offering, this appears to be a much more compelling purchase that fits on several different levels.

I estimated McAfee's revenue attributable to email security was in the $55M range for 2008, which was a guess on my part because I have trouble deciphering balance sheets, but backed up by another analyst as well as a former McAfee employee who said I was in the ballpark. If we add another $30M to $35M (optimistically) of revenue to that total, it puts McAfee a lot closer to the leaders in the space in terms of revenue and functionality. We can hypothesize about whether Websense or Proofpoint would have made a better choice, as both offer what I consider more mature and higher-quality products, but their higher revenue and larger installed bases would have cost significantly more, overlapping more with what McAfee already has in place. This accomplished some of the same goals for less money. All in all, this is a good deal for existing McAfee customers, fills in a big missing piece of their SaaS puzzle, and I am betting will help foster revenue growth in excess of the purchase price.

–Adrian Lane

Virtual Identities

By Adrian Lane

I am starting to hear stories from friends in the Phoenix area more and more about identity theft and account hijacking. Two weeks ago we got a phone call from a friend in the wee hours of the morning. She called to ask if we knew if a mutual friend, we'll call her 'Stacy' for the purpose of this post, was in England. Our friend had received an email from Stacy stating she was in trouble and asking for money. We know Stacy pretty well and we assured out friend that she was not in England and was certainly not requesting $2000.00 be wired to her. Seems that everyone Stacy knew received a similar email claiming distress and requesting significant sums of money.

Later in the afternoon we called Stacy and verified that she had in fact not been to England and was not in distress. But she had found that her Yahoo! account had been hijacked and she was getting calls from friends and family all morning who had received the same request. She admittedly had a very weak password, not unlike most of the people we know, and have never even thought someone would be interested in gaining access to the account. We spoke with Stacy again today, and jokingly asked her how much money she has made. She did not find this very funny because, after a dozen or so hours on the phone with the overseas 'technical' support , she still has not been able to restore her account nor stop the emails. It seems that the first thing the hijackers did was change the account verification questions as well as the password, both locking Stacy out of the account and removing any way for her to restore it. The funny part of this is the phone calls Stacy has had with the support team, which go pretty much like this:

Stacy: "Hi, my email account has been taken over and they are sending out emails under my name requesting money."
Support: "OK, just go in and reset your password. I will email you a change password request."
Stacy: "I can't do that. They changed the password so I cannot get email from this account. I am locked out."
Support: "OK Stacy, we will just need to ask you a few questions to restore your account ... Can you tell us where you went on your honeymoon?"
Stacy: "Yes, I honeymooned in Phoenix."
Support: "I am sorry, that is not the answer we have."
Stacy: "Of course not. They changed the information. That is why I am calling you."
Support: "Would you like another guess?"
Stacy: "What?"
Support: "I asked would you like another guess on where you spent your honeymoon?"
Stacy: "I don't need to guess, I was there. I honeymooned in Phoenix. Whatever answer you have is wrong because ...."
Support: "I am sorry, that is not correct."

And so it goes. Like a bad game of "Who's on First?". How to prove you are really you, in a virtual environment, is a really hard security problem to solve. More often than not companies want to deal with our virtual images and identities rather than our real selves, and automate as much as they can to cut costs and raise profits. If you need something out of the ordinary fixed, it is often far easier to simply abandon the troubled account and start over again. At least you can do that with a Yahoo! email account. You bank account is another matter entirely. But we can do a lot better than a single (weak) password being the keys to the kingdom. This is a subject I would not normally even blog about except a) I found the dialog funny and b) it is becoming so common I think think we periodically need a reminder that if you are using a weak password on any account you care about, change it now! If you have two-factor authentication at your disposal, use it!

–Adrian Lane

Symantec Buys MessageLabs

By Adrian Lane

Well, I did not see this coming. Today Symantec Corp has agreed to acquire Message Labs for $695 million. That represents close to a 5x multiple on $145M in revenue. While market conditions are not rosy, this price is not out of line for a segment leader who is seeing growth in the highly competitive email security market. This appears to be a good strategic move; they address their largest weakness in email security (SaaS), they can leverage the continued convergence of security offerings in messaging and data protection, and there is a substantial cross-selling opportunity. If memory serves, the 19,000 customers of MessageLabs represents an order of magnitude larger customer base Brightmail brought to the table in the 2004 acquisition. It's hard for me to fault this acquisition.

The primary growth opportunity in the email sector appear to be on the hosted services side, and the bet here is being made that SaaS is the model for the future. Today you can get Brightmail as software, hosted email security or an appliance, so it's not like you did not have the choice, but the focus was clearly not on SaaS. MessageLabs, along with Google's Postini, are the current leaders in this space with hosted services. The danger for for the vendors who offer email security as a service is the ease of migration from one platform to the next. It's not like software or hardware purchases where the investment & employee training creates a degree of 'stickiness'. Migration from one hosted email security vendor to the next is relatively low, and Symantec will be under immediate pressure to keep the MessageLabs customer base happy as they are in serious competition from Postini. Postini is dirt cheap, so failure to convey the overarching vision or a significant alteration to pricing could result in a very quick loss of customers.

Still, I don't see that happening as Symantec offers a low risk choice for many companies. A large stable firm with strong commitment to the segment and the breadth of product offerings makes a compelling choice. Upstarts with better technology just cannot compete with the mature, high availability, low risk vendors. As the other major growth opportunity in this segment is the convergence of messaging, web and DLP security feature sets, customers are more commonly viewing these as similar problems and want to address with a unified solution. It is difficult for companies to offer highly competitive products in all areas, but Symantec is now able to take a leadership role in each.

And what does this mean for Brightmail? Undoubtedly this will be rolled out as a hybrid model for now, with at least a short term commitment to existing customers. Symantec can hedge their bets on what the market will want in terms of technology for the short term. In response to John Thompsom's quoate, yes, today's customers have a great choice as far as the type of solution they choose, but my guess is the Brightmail investment will slowly atrophy, and Symantec will migrate customers onto the more profitable hosted platform.

–Adrian Lane

Outsourced Email Security

By Adrian Lane

In the last post on Email Security, I commented on how easy it was to add outsourced email security services onto your existing email security deployment. That adding on an extra layer of anti-spam filtering on top of what you have not only provides an increase in the effectiveness of filtering, but also reduced the processing load on your existing hardware. But email security service vendors have been adding outbound email, data and web security offerings to their portfolio on top of their existing offerings, and these services solve different problems and offer different value propositions. 

Most companies I speak with state that 95~97% of the email that hits their servers are spam. A large percentage contain viruses, spyware and inappropriate content. The switch is cost effective and 'painless' in terms of administration and maintenance, and the large service providers tend to have very current and effective solutions. But it is worth noting that the problem you are solving is not protecting sensitive corporate information, rather keeping garbage out of your system. If you don't see spam and your computers have not been infected, you have been successful. 

From the customer's perspective, outbound email security offers many of the same advantages as inbound. As most companies have a very positive experience with inbound service, adoption of an outbound email security service is a natural extension of those advantages you enjoy today. It takes very little work to route your outbound email to a third party provider. These providers offer a canned set of security policies out of the box so you can be up and running in minutes, in conjunction with well designed web interfaces to customize and tune email (or even web security) policies. But the problem being set being addressed is very different; intellectual property leakage, use of private customer information, inappropriate content, violation of corporate policies and even bot-net detection. These problems are more complex and require policy and system verification. 

Just because you outsourced the operation does not mean you removed the responsibility of audit and security verification of the system itself.

Specifically what do I mean by that? If all of your corporate correspondence is being routed through a third party provider, you need to make sure that they are secure, and their policies are in line with yours. Remember, the information you are sending out is all of your corporate email, your policies for enforcement, and possibly all of the web browsing history. The service providers offer ad-on email retention services for 'compliance', but as some of the data is stored for their own backup and recovery processes, your data will be stored for some period of time. How is privacy maintained? Who has access to the data? Is there verification of integrity? When and how is the data disposed?

What the vendor will be selling you is the filtering service, the administrative interface, and the storage. What you need to ask for is their security policy, their data retention & data destruction policies, and audit reports for changes in permissions, data access and alterations to your data. The vendor will provide you a report on what was filtered and blocked according to policy; in addition you need reports on the operational controls around the system. If these services are being marketed to you as 'must-have' for compliance, then the vendor must be able to provide their own policies and audit trail of their service. The vendor will need to provide some degree of transparency both to their methods and processes in general, but specifics on who or what has access to your data.

I know a lot of this sounds incredibly obvious, but I have yet to run across a company who has requested this information from their outbound email security provider.

–Adrian Lane

Email Security

By Adrian Lane

When was the last time you thought about your email security? Have you reviewed the vendors or the market lately? If not, it may be time. It is no surprise that the market is mature; read the collateral and the discussion has long since moved away from technology nuances- rather it is reputational risk reduction & business function continuity. It is no longer startups but some of the largest firms in security. And while not seeing a lot of growth in the segment, we are starting to see changes in how the services are delivered, and that is leading to some vendor swapping. What's more, these changes are so transparent that the effect on privacy and security is not always obvious.

I have been doing a surprising amount of investigation in the email security segment lately. Rich and I have a couple of projects in and around email security, I have a friend who works in this area and was asking some market related questions, I have been helping another friend analyze a prospective job with an email security company, and at Securosis we have gone through the selection process for a supplementary spam filter (Postini, if you were interested). The focus on this segment showed a subtle change in direction, and raised a couple of issues you may want to consider.

Every vendor claims 96-99% efficiency, and on any given week, delivers on that promise. Most offer inbound and outbound anti-virus, content scanning, image scanning, archiving, reporting and policy management. Want an appliance or software? No problem. Want it as a service?

It's a replacement market at this point, as every firm has some type of email security and filtering, either in-house or provided as a service. One company's new email security customer come at another vendor's expense. And there is a feeling that these offerings are a commodity. If you don't like the vendor or product you have today, the cost of a switch is far less than it used to be. The battle in email security today is between the entrenched appliances and "security in the cloud". And much like the AV market once it had reached this stage, changing providers can be a fluid event. Adding an extra layer of anti-spam at Securosis took a few minutes of work, and the cost is negligible. From a consumer standpoint, the ability to choose what I want and switch as needed shows the maturity of this space.

Appliances still rule the day, but with firms like Google (Postini) and Message Labs offering quality services, it appears to be this subsegment of the market that is making inroads. I am talking to a lot of customers who have a hybrid in place today, but many I speak with have not looked at their email security solution in years as it works, and so they just don't give it a lot of thought. Those who do find it an easy choice to adopt a hybrid model, with inbound spam and AV filtering to reduce the load on internal systems while they review their plans for the future. Once again, while there are few new customers to be won, there is quite a bit of switching between vendors going on, with services gaining share.

However the change from in-house appliance and software brings some considerations in the area of data privacy. Outsourcing your inbound spam filtering and adding an extra layer of AV seems like a good idea, and can take the strain off older infrastructure. And the switch can be so seamless and easy that often thought is not put into where the IP is actually going. As many of the email security providers offer outbound content analysis, leak prevention, and compliance assurance, you are by nature sending the data you want to protect offsite. While it is almost invisible to daily operations, there are ramifications and considerations for compliance and privacy. In my next post, I will discuss some of these considerations.

–Adrian Lane