Research

BeyondTrust announced today that it has acquired the assets of Database Activity Monitoring vendor Lumigent. Some of you are saying “Who?” Others, who have been around the DAM space a few years, shake your heads in dismay at what might have been. There was a time – way back in the 2004-2005 timeframe – that Lumigent had a clear leadership position in the Database Activity Monitoring space. They won many head-to-head sales engagements. They had a good sales and marketing team, the best Sarbanes-Oxley reports in the industry, the only viable auditing tool for Sybase, and the only platform that provided “before and after” query values. The latter was the hot feature for forensic audits and regulatory compliance, and every customer wanted it. Greylock, North Bridge, and NetIQ invested. Lumigent was a shining star in the nascent DAM market and they were making a name for themselves. Fast forward 6 years and we have an asset sale. That’s a politically correct term for fire sale. The kind where they’re selling the fixtures off the sinks. So how did it all go so very wrong? There was actually a long series of missteps, so we’ll discuss several major types of FAIL. It’s a classic example of how to plunge into the chasm, land in a fiery mess at the bottom, and get sold for scrap metal: Strike One: Technology. Lumigent never capitalized on their technology lead. Their engineering team must have known that the triggers and stored procedures they used in the early days would not scale, even though early customers preferred them to native audit and tracing – which Lumigent then added to their mix! It seemed like Dumb and Dumber were managing their product roadmap. Sure, they improved data collection over time, but not enough; nor did they ever find a consistent strategy to collect events across all databases. Additionally, they focused on Sybase and MS SQL Server – to the exclusion of Oracle and IBM, who sell a few databases. Competitors quickly provided more – and better – collection options across all the major platforms. Competitors were easier to deploy and did not kill performance. Don’t get me started on the missed Vulnerability Assessment opportunity. Lest you forget, Lumigent acquired nTier, which was a bad assessment product. Nothing was structurally wrong with it, but it needed a lot of work on policies and reporting to be competitive. During the several years assessment was key to winning deals, Lumigent made no visible investments into the nTier technology. It only covered a couple databases, with only some of the needed policies for security or compliance, when it was acquired. They were not the only vendor stuck in the mud for a while, but the upshot is that they failed to upgrade their product to keep pace. Startups have to innovate, you know? Strike Two: Partnerships. Lumigent heavily courted Microsoft and Sybase. They geared their product strategy to work with these two database vendors to a fault. This helped early on, but both partners wanted far better auditing capabilities – specific to their respective database platforms – before they were willing to really get behind Lumigent. Behind the scenes Lumigent thought acquisition was a sure thing. Not so much – Lumigent neither delivered, nor did they hedge their bets with a heterogenous solution. When Lumigent failed to provide better auditing, the rumored Microsoft and Sybase acquisitions halted, and both partners had conversations with just about every other DAM vendor. The recent partnership with Deltek was solid, but simply not enough to carry the company. They didn’t just count their chickens before they hatched, they counted them the first time the rooster made eye contact. Strike Three: Misunderstanding the market. Lumigent’s story shifted from Database Security; to Compliance; to Database Auditing Solutions for Compliance and Security; to Information Centric Security; to Application Governance, Risk & Compliance; and then back to DAM – each step worse than the one before. The App GRC strategy was the most surprising and saddest, as it looked like a desperate attempt to save the firm by re-inventing their market. I appreciated their ingenuity in repackaging DAM into something totally new, and admired the cojones management displayed with their willingness to walk away from their primary market, but I thought they were nuts. And I told them. Rich and I stopped short of begging Lumigent to reconsider their App GRC path, with at least a half dozen reasons it was a bad idea, along with practical experience about how Information Risk Management and GRC messaging missed DAM buying centers. A couple years later that horse died, and Lumigent was back to square one. Very few start-up firms get three strikes. What does this mean for BeyondTrust? The good news is that DAM extends the PowerBroker functionality, providing a means to detect misuse and compromised credentials. The PowerBroker product family is focused on credential and authorization management, but its value is the ability to delegate capabilities without distributing credentials, and fine-grained task-oriented authorization maps. Before the acquisition the PowerBroker platform was geared for preventative security. DAM provides detective capabilities along with a number of compliance reports deeply focused on the database layer. This gives BeyondTrust users some new toys to play with that improve security and broaden the product line. BeyondTrust surely acquired the assets for a song, so they really can’t lose here. And I like the vision. I hope they take a long look at how their customers will use the technology – a few strategic improvements would go a long way to improve customer satisfaction. But there is some bad news. First, the Lumigent technology is way behind the curve. For Database Activity Monitoring or Vulnerability Assessment, Lumigent cannot compete head-to-head against other established vendors. The technology lacks consistency and capabilities across the board, including data collection, database platform support, policies, and platform management. For most acquirers that wouldn’t matter – BeyondTrust can at least sell ‘new’ Lumigent functions to their existing accounts to enhance security

The M&A train gathers steam in the security space. With Lumigent’s assets off the table, the TripWire buy, Sophos/Astaro, and RSA/NetWitness, it seems the busiest guys in town are the investment bankers. VMware has joined the parade by buying configuration management player Shavlik, ostensibly to facilitate the adoption of virtualization in the SMB market segment, though we believe that oversimplifies VMware’s ambition to be a one-stop shop for all things virtual infrastructure. This is actually an interesting deal, particularly considering GigaOm’s excellent VMware is the New Microsoft, Just Without an OS. Think about that for a second. As Microsoft started attacking the enterprise with LAN Manager and then more specifically Windows 2K, their success was accelerated by offering seamless management of the server(s). Enterprise customers scoffed at Microsoft System Manager because it wasn’t OpenView or UniCenter, but it provided small customers with what they needed to lay down a foundation of Microsoft servers. In the small business segment, seamless management is critical thanks to the limited IT resources. And that will be a gating factor to adoption of virtualization in small companies as well. So decisively taking that issue off the table is a smart move for VMware. The ability to claim some security goodness is a bonus. You have to tip your hat to Mark and the rest of the team at Shavlik. They built the company without outside investment by focusing on a core market and not straying from it, even as Shavlik’s more enterprise-focused competitors, such as BigFix (IBM) and ConfigureSoft (EMC), were taken out by big IT players. Shavlik stayed focused on Windows environments, adding anti-virus and power management to the mix within the same management construct. They also invested heavily in spinning a SaaS management service to appeal to small companies (under 100 employees). If you look at Shavlik from an enterprise standpoint, as many of us are guilty of, they don’t measure up. But as VMware looks to go downmarket with virtualization Shavlik is a great fit. But we still need to assess the technology within the context of the entire virtual infrastructure. On one side they might be planning on adding it to VShield Endpoint to enhance VM configuration and tracking – little things like making sure the instance you spin up was patched while in storage, and updates weren’t just applied to VMs running at the time. Or maybe they will skew this more towards managing virtual desktops. Or both. To assume they will only use Shavlik as a lever to get into SMB would be to downplay VMware’s grand ambition. With some R&D investment Shavlik’s technology could be extended to other platforms. And probably needs to be, because a technology like configuration management is core to managing this next wave of hybrid virtual/cloud data centers. VMware has plenty of options for integrating Shavlik, and most inevitably lead to impinging on the territory of its partners. Initially they won’t risk alienating HP, IBM, or EMC, who are significant partners for VMware. But at the end of the day all the Big IT players are competing to control the virtualization/cloud platform and infrastructure. VMware is clearly building itself out as a one-stop virtual infrastructure shop. It’s too early to see how it will fully play out, and a lot of organizations are using multiple virtualization and cloud providers to tackle different parts of the problem (servers, desktops, big iron, etc.). But ultimately, in most market segments, the player that provides the most effective platform will gain the largest market share. And that means they all need to field complete product lines. Which they will, keeping the investment bankers busy. Share: