BeyondTrust announced today that it has acquired the assets of Database Activity Monitoring vendor Lumigent. Some of you are saying “Who?” Others, who have been around the DAM space a few years, shake your heads in dismay at what might have been. There was a time – way back in the 2004-2005 timeframe – that Lumigent had a clear leadership position in the Database Activity Monitoring space. They won many head-to-head sales engagements. They had a good sales and marketing team, the best Sarbanes-Oxley reports in the industry, the only viable auditing tool for Sybase, and the only platform that provided “before and after” query values. The latter was the hot feature for forensic audits and regulatory compliance, and every customer wanted it. Greylock, North Bridge, and NetIQ invested. Lumigent was a shining star in the nascent DAM market and they were making a name for themselves.
Fast forward 6 years and we have an asset sale. That’s a politically correct term for fire sale. The kind where they’re selling the fixtures off the sinks. So how did it all go so very wrong?
There was actually a long series of missteps, so we’ll discuss several major types of FAIL. It’s a classic example of how to plunge into the chasm, land in a fiery mess at the bottom, and get sold for scrap metal:
- Strike One: Technology. Lumigent never capitalized on their technology lead. Their engineering team must have known that the triggers and stored procedures they used in the early days would not scale, even though early customers preferred them to native audit and tracing – which Lumigent then added to their mix! It seemed like Dumb and Dumber were managing their product roadmap. Sure, they improved data collection over time, but not enough; nor did they ever find a consistent strategy to collect events across all databases. Additionally, they focused on Sybase and MS SQL Server – to the exclusion of Oracle and IBM, who sell a few databases. Competitors quickly provided more – and better – collection options across all the major platforms. Competitors were easier to deploy and did not kill performance. Don’t get me started on the missed Vulnerability Assessment opportunity. Lest you forget, Lumigent acquired nTier, which was a bad assessment product. Nothing was structurally wrong with it, but it needed a lot of work on policies and reporting to be competitive. During the several years assessment was key to winning deals, Lumigent made no visible investments into the nTier technology. It only covered a couple databases, with only some of the needed policies for security or compliance, when it was acquired. They were not the only vendor stuck in the mud for a while, but the upshot is that they failed to upgrade their product to keep pace. Startups have to innovate, you know?
- Strike Two: Partnerships. Lumigent heavily courted Microsoft and Sybase. They geared their product strategy to work with these two database vendors to a fault. This helped early on, but both partners wanted far better auditing capabilities – specific to their respective database platforms – before they were willing to really get behind Lumigent. Behind the scenes Lumigent thought acquisition was a sure thing. Not so much – Lumigent neither delivered, nor did they hedge their bets with a heterogenous solution. When Lumigent failed to provide better auditing, the rumored Microsoft and Sybase acquisitions halted, and both partners had conversations with just about every other DAM vendor. The recent partnership with Deltek was solid, but simply not enough to carry the company. They didn’t just count their chickens before they hatched, they counted them the first time the rooster made eye contact.
- Strike Three: Misunderstanding the market. Lumigent’s story shifted from Database Security; to Compliance; to Database Auditing Solutions for Compliance and Security; to Information Centric Security; to Application Governance, Risk & Compliance; and then back to DAM – each step worse than the one before. The App GRC strategy was the most surprising and saddest, as it looked like a desperate attempt to save the firm by re-inventing their market. I appreciated their ingenuity in repackaging DAM into something totally new, and admired the cojones management displayed with their willingness to walk away from their primary market, but I thought they were nuts. And I told them. Rich and I stopped short of begging Lumigent to reconsider their App GRC path, with at least a half dozen reasons it was a bad idea, along with practical experience about how Information Risk Management and GRC messaging missed DAM buying centers. A couple years later that horse died, and Lumigent was back to square one.
Very few start-up firms get three strikes.
What does this mean for BeyondTrust? The good news is that DAM extends the PowerBroker functionality, providing a means to detect misuse and compromised credentials. The PowerBroker product family is focused on credential and authorization management, but its value is the ability to delegate capabilities without distributing credentials, and fine-grained task-oriented authorization maps. Before the acquisition the PowerBroker platform was geared for preventative security. DAM provides detective capabilities along with a number of compliance reports deeply focused on the database layer. This gives BeyondTrust users some new toys to play with that improve security and broaden the product line. BeyondTrust surely acquired the assets for a song, so they really can’t lose here. And I like the vision. I hope they take a long look at how their customers will use the technology – a few strategic improvements would go a long way to improve customer satisfaction.
But there is some bad news. First, the Lumigent technology is way behind the curve. For Database Activity Monitoring or Vulnerability Assessment, Lumigent cannot compete head-to-head against other established vendors. The technology lacks consistency and capabilities across the board, including data collection, database platform support, policies, and platform management. For most acquirers that wouldn’t matter – BeyondTrust can at least sell ‘new’ Lumigent functions to their existing accounts to enhance security within their existing product suite. But to offer real value to customers, the Lumigent DAM and VA capabilities must be fully integrated to leverage audit and assessment results to improve authorization mapping. Unfortunately that’s the second problem: how can BeyondTrust integrate the DAM piece with an access control and authorization suite, without stepping on Protegrity’s database intrusion detection patent (US 7120933)? I’m not a patent attorney and therefore not qualified to comment on the law, but as a security technologist it looks like fully integrating BeyondTrust’s products would yield something remarkably similar to Protegrity’s patent.
So what does this mean for the DAM market, which still grows at a healthy rate? Not much. Many Lumigent customers have switched to new products, or been looking at other solutions for a while. The technology has simply not kept up with the competition, and with holes in both functionality and platform support. That’s not to say the technology is non-viable, but it cannot become a class leader. In with a bang and out with a whimper, Lumigent is the sixth DAM vendor to be acquired, following IPLocks (Fortinet), Guardium (IBM), Secerno (Oracle), Tizor (IBM via Netezza), and Sentrigo (McAfee).