Securosis

Research

BeyondTrust Acquires Lumigent Assets

BeyondTrust announced today that it has acquired the assets of Database Activity Monitoring vendor Lumigent. Some of you are saying “Who?” Others, who have been around the DAM space a few years, shake your heads in dismay at what might have been. There was a time – way back in the 2004-2005 timeframe – that Lumigent had a clear leadership position in the Database Activity Monitoring space. They won many head-to-head sales engagements. They had a good sales and marketing team, the best Sarbanes-Oxley reports in the industry, the only viable auditing tool for Sybase, and the only platform that provided “before and after” query values. The latter was the hot feature for forensic audits and regulatory compliance, and every customer wanted it. Greylock, North Bridge, and NetIQ invested. Lumigent was a shining star in the nascent DAM market and they were making a name for themselves. Fast forward 6 years and we have an asset sale. That’s a politically correct term for fire sale. The kind where they’re selling the fixtures off the sinks. So how did it all go so very wrong? There was actually a long series of missteps, so we’ll discuss several major types of FAIL. It’s a classic example of how to plunge into the chasm, land in a fiery mess at the bottom, and get sold for scrap metal: Strike One: Technology. Lumigent never capitalized on their technology lead. Their engineering team must have known that the triggers and stored procedures they used in the early days would not scale, even though early customers preferred them to native audit and tracing – which Lumigent then added to their mix! It seemed like Dumb and Dumber were managing their product roadmap. Sure, they improved data collection over time, but not enough; nor did they ever find a consistent strategy to collect events across all databases. Additionally, they focused on Sybase and MS SQL Server – to the exclusion of Oracle and IBM, who sell a few databases. Competitors quickly provided more – and better – collection options across all the major platforms. Competitors were easier to deploy and did not kill performance. Don’t get me started on the missed Vulnerability Assessment opportunity. Lest you forget, Lumigent acquired nTier, which was a bad assessment product. Nothing was structurally wrong with it, but it needed a lot of work on policies and reporting to be competitive. During the several years assessment was key to winning deals, Lumigent made no visible investments into the nTier technology. It only covered a couple databases, with only some of the needed policies for security or compliance, when it was acquired. They were not the only vendor stuck in the mud for a while, but the upshot is that they failed to upgrade their product to keep pace. Startups have to innovate, you know? Strike Two: Partnerships. Lumigent heavily courted Microsoft and Sybase. They geared their product strategy to work with these two database vendors to a fault. This helped early on, but both partners wanted far better auditing capabilities – specific to their respective database platforms – before they were willing to really get behind Lumigent. Behind the scenes Lumigent thought acquisition was a sure thing. Not so much – Lumigent neither delivered, nor did they hedge their bets with a heterogenous solution. When Lumigent failed to provide better auditing, the rumored Microsoft and Sybase acquisitions halted, and both partners had conversations with just about every other DAM vendor. The recent partnership with Deltek was solid, but simply not enough to carry the company. They didn’t just count their chickens before they hatched, they counted them the first time the rooster made eye contact. Strike Three: Misunderstanding the market. Lumigent’s story shifted from Database Security; to Compliance; to Database Auditing Solutions for Compliance and Security; to Information Centric Security; to Application Governance, Risk & Compliance; and then back to DAM – each step worse than the one before. The App GRC strategy was the most surprising and saddest, as it looked like a desperate attempt to save the firm by re-inventing their market. I appreciated their ingenuity in repackaging DAM into something totally new, and admired the cojones management displayed with their willingness to walk away from their primary market, but I thought they were nuts. And I told them. Rich and I stopped short of begging Lumigent to reconsider their App GRC path, with at least a half dozen reasons it was a bad idea, along with practical experience about how Information Risk Management and GRC messaging missed DAM buying centers. A couple years later that horse died, and Lumigent was back to square one. Very few start-up firms get three strikes. What does this mean for BeyondTrust? The good news is that DAM extends the PowerBroker functionality, providing a means to detect misuse and compromised credentials. The PowerBroker product family is focused on credential and authorization management, but its value is the ability to delegate capabilities without distributing credentials, and fine-grained task-oriented authorization maps. Before the acquisition the PowerBroker platform was geared for preventative security. DAM provides detective capabilities along with a number of compliance reports deeply focused on the database layer. This gives BeyondTrust users some new toys to play with that improve security and broaden the product line. BeyondTrust surely acquired the assets for a song, so they really can’t lose here. And I like the vision. I hope they take a long look at how their customers will use the technology – a few strategic improvements would go a long way to improve customer satisfaction. But there is some bad news. First, the Lumigent technology is way behind the curve. For Database Activity Monitoring or Vulnerability Assessment, Lumigent cannot compete head-to-head against other established vendors. The technology lacks consistency and capabilities across the board, including data collection, database platform support, policies, and platform management. For most acquirers that wouldn’t matter – BeyondTrust can at least sell ‘new’ Lumigent functions to their existing accounts to enhance security

Share:
Read Post

VMWare Buys Shavlik: One Stop Shop for Virtual Infrastructure?

The M&A train gathers steam in the security space. With Lumigent’s assets off the table, the TripWire buy, Sophos/Astaro, and RSA/NetWitness, it seems the busiest guys in town are the investment bankers. VMware has joined the parade by buying configuration management player Shavlik, ostensibly to facilitate the adoption of virtualization in the SMB market segment, though we believe that oversimplifies VMware’s ambition to be a one-stop shop for all things virtual infrastructure. This is actually an interesting deal, particularly considering GigaOm’s excellent VMware is the New Microsoft, Just Without an OS. Think about that for a second. As Microsoft started attacking the enterprise with LAN Manager and then more specifically Windows 2K, their success was accelerated by offering seamless management of the server(s). Enterprise customers scoffed at Microsoft System Manager because it wasn’t OpenView or UniCenter, but it provided small customers with what they needed to lay down a foundation of Microsoft servers. In the small business segment, seamless management is critical thanks to the limited IT resources. And that will be a gating factor to adoption of virtualization in small companies as well. So decisively taking that issue off the table is a smart move for VMware. The ability to claim some security goodness is a bonus. You have to tip your hat to Mark and the rest of the team at Shavlik. They built the company without outside investment by focusing on a core market and not straying from it, even as Shavlik’s more enterprise-focused competitors, such as BigFix (IBM) and ConfigureSoft (EMC), were taken out by big IT players. Shavlik stayed focused on Windows environments, adding anti-virus and power management to the mix within the same management construct. They also invested heavily in spinning a SaaS management service to appeal to small companies (under 100 employees). If you look at Shavlik from an enterprise standpoint, as many of us are guilty of, they don’t measure up. But as VMware looks to go downmarket with virtualization Shavlik is a great fit. But we still need to assess the technology within the context of the entire virtual infrastructure. On one side they might be planning on adding it to VShield Endpoint to enhance VM configuration and tracking – little things like making sure the instance you spin up was patched while in storage, and updates weren’t just applied to VMs running at the time. Or maybe they will skew this more towards managing virtual desktops. Or both. To assume they will only use Shavlik as a lever to get into SMB would be to downplay VMware’s grand ambition. With some R&D investment Shavlik’s technology could be extended to other platforms. And probably needs to be, because a technology like configuration management is core to managing this next wave of hybrid virtual/cloud data centers. VMware has plenty of options for integrating Shavlik, and most inevitably lead to impinging on the territory of its partners. Initially they won’t risk alienating HP, IBM, or EMC, who are significant partners for VMware. But at the end of the day all the Big IT players are competing to control the virtualization/cloud platform and infrastructure. VMware is clearly building itself out as a one-stop virtual infrastructure shop. It’s too early to see how it will fully play out, and a lot of organizations are using multiple virtualization and cloud providers to tackle different parts of the problem (servers, desktops, big iron, etc.). But ultimately, in most market segments, the player that provides the most effective platform will gain the largest market share. And that means they all need to field complete product lines. Which they will, keeping the investment bankers busy. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.