Category Archives: Anti-Malware

Thoma Bravo Sees Promise in SonicWALL’s UTM Plans

A reader asked me to comment on the acquisition of SonicWALL, so that’s what I’ll do now. Yes, I sometimes take requests, just like a washed-up lounge lizard.

The announced transaction has been well documented in the business and trade press. An investor group led by private-equity firm Thoma Bravo, and comprising the Ontario Teachers’ Pension Plan, will acquire SonicWALL in a deal worth approximately $717 million. SonicWALL shareholders will receive $11.50 per share in cash, a 28-percent premium over Wednesday’s close.

The deal already is being challenged by law firms alleging that SonicWALL and its board of directors breached fiduciary duties by agreeing to the proposal before diligently seeking an offer that would have provided better value to shareholders.

I don’t want to step into that fray, because it’s an inherently subjective debate based on market estimates from analysts who might or might not have applied accurate assumptions, methodologies, and statistical models. I have no idea how some analysts arrive at their forecasts — some perform thorough channel checks and build intricate spreadsheets, while others perform Santeria rituals with live chickens on neighborhood baseball diamonds under the cover of darkness.

I think you take my point. That said, I will note that the premium offered looks at least superficially attractive. What’s more, the fevered response to it from the wealth-redistribution agents of the legal profession tells you that SonicWALL is an asset that is not bereft of hope and promise.

Indeed, SonicWALL is a strong UTM-firewall and point-product security vendor in the SMB/SME space and across a number of vertical markets, including government, education, and healthcare. The company has built a strong channel presence, and its channel partners generally have a favorable view of the company.

In its latest quarter, just before this acquisition hit, its results did not suggest obvious signs of distress. You can do the math and employ your multiples based on those numbers, but this deal is about what the buyers think the company is worth going forward, not on what the company has done historically. My point regarding the recent financial results, though, is that SonicWALL’s wheels were not falling off.

SonicWALL faces a lot of competition in an Internet-security market that is consolidating on multiple fronts. Security functionality is consolidating, as evidenced by jack-of-all-trades UTM boxes from the likes of Fortinet and SonicWALL; and the market is consolidating, too. Bigger vendors are buying point-product purveyors in attempts to become one-stop shops for the security needs of SMEs and large enterprises alike.

That’s why SonicWALL’s management chose to do this deal. Thoma Bravo not only brings money to the table, but also a potentially coherent plan as to how SonicWALL fits into its existing stable of Internet-security and infrastructure companies. In previous transactions, Thoma Bravo has acquired security-management firm Attachmate, application and database-tool vendor Embarcadero Technologies, and authentication vendor Entrust. Conceivably, SonicWALL will benefit from access to this technology ecosystem and to its sales channels.

Meanwhile, Thoma Bravo saw considerable growth potential in SonicWALL. The vendor holds its own in the SSL VPN market, where it has about a 20-percent share, but the real promise is in UTM, which really is the next-generation firewall.

According to Frost & Sullivan, the UTM market was worth nearly $2 billion in 2009. The market-research firm expects UTM growth to increase through 2010 and 2011 before moderating in subsequent years. Nonetheless, if the market researchers are right, the UTM space will reach revenues of $7 billion in 2016. With SMEs and distributed enterprises expected to account for the vast majority of those sales, SonicWALL is well placed to benefit.

This is where we have to come back to the competition, though. The company faces not only Fortinet, which rode to an IPO on its UTM exploits, but also Internet-security heavyweights such as Cisco, Juniper, and, to a lesser extent, Check Point.

One factor that could work in SonicWALL’s favor is that Cisco doesn’t seem as focused on Internet security as it has been. Not only has Cisco suffered from component shortages that deferred and cut into sales of its ASA boxes, but the Internet-gear colossus seems distracted by shinier, glossier market opportunities. Cisco also is less focused on serving SMEs than on catering to its large-enterprise and service-provider customers.

Looking ahead to the changing security demands occasioned by increasing virtualization and the adoption of cloud computing, SonicWALL is developing a new security God-box architecture under an Austin Powers-like moniker, Project SuperMassive. The company describes it as a “next-generation security platform and technology capable of detecting and controlling applications, preventing intrusions, and blocking malware at up to 40 Gbps without introducing latency to the network.”

According to SonicWALL, Project SuperMassive will implement a patented Reassembly-Free Deep Packet Inspection (RFDPI) engine to “provide increased insight into inbound and outbound network content without compromising security or performance.” SonicWALL says its new technology will intercept network threats that come from “anywhere and everywhere” and “scan everything.”

It all seems impressive, but the proof is in the pudding, or — in this case — the UTM. However it turns out, Thoma Bravo is buying a company with no shortage of technological vision.

As a postscript to this note, I will say that HP bears watching in the space. It’s possible, though by no means certain, that HP will acquire a vendor such as Fortinet to fill a gap in its HP Networking security portfolio.

Companies Pursuing M&A in China Frequently Hacker Targets

In doing some additional background reading on Operation Aurora, I came across an article at Dark Reading that contained an intriguing quote.

Published online on February 10, the article reported that the hack attacks that hit Google, Adobe, and other U.S. organizations were continuing and had affected far more companies than the original 20 or 30 victims reported by Google and others.

The provocative comment comes later in the article, however. It is provided by Kevin Mandia, CEO of forensics firm Mandiant. In discussing the origins of the Operation Aurora malware and the advanced persistent threats (APTs) it unleashed, Mandia said he noticed that many of the firms that were victimized had something in common.

“We see patterns that just make us curious. If you’re doing merger and acquisition work in China, you’re targeted. We’ve seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China.”

In a Wired article, Mandia said: “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it.”

In this case, it seems, being forewarned does not equate to being forearmed.

As HP waits to learn whether its acquisition of 3Com — an ostensibly American company with most of its operations and employees in China — will be approved by China’s Ministry of Commerce (MOFCOM), it might want to batten down the security hatches, just in case.

McAfee Commits to China, Establishes Wholly Owned Subsidiary

As I’ve discussed previously in this venerable forum, security-software vendors face unique challenges in trying to crack the potentially lucrative Chinese market.

Notwithstanding those challenges, security-software market leaders such as Symantec, McAfee, and Trend have every intention of pursuing opportunities in China. To do so, they must find the right mix of product offerings (including localization), positioning, pricing, and channel partners.

To succeed in China, though, vendors must commit to China. Responding to that imperative, McAfee said yesterday that it would establish a new wholly owned subsidiary in China.

In Beijing to make the announcement, Dave DeWalt, McAfee’s president and CEO, issued the following statement:

“China offers compelling opportunities for McAfee. China has great potential as a center for manufacturing, research and development for McAfee and is also a significant burgeoning market for our products. McAfee has continuously strengthened its presence in China over the last decade and we are planning to expand our investment in the near term to take full advantage of the opportunities China presents.”

McAfee estimates that its potential addressable market in China will grow from about $390 million in 2009 to $1.09 billion in 2013.

In a press release accompanying the announcement of its new Chinese subsidiary, McAfee explained that its Chinese expansion also would include the following:

• A new call center planned to open in Beijing in February 2010 to service the mid-market segment, particularly in smaller cities across China.

• Additional headcount in functions including sales, sales engineering, marketing, support and research and development (R&D), including a planned doubling of the field sales organization in 2010.

• Recently signed reseller partnerships with both Neusoft and CS&S (China National Software and Services) who have become premier partners for McAfee products in China.

• A partnership with Lenovo to market McAfee VirusScan products through Lenovo retail outlets across China, opening up a significant retail channel for McAfee and contributing to our position as the world’s largest dedicated security technology company. McAfee products ship on more than 50% of the PCs shipped by the top 10 PC OEMs.

• A partnership with Dell to offer China consumers 15 month subscriptions on all their retail and direct systems with a Microsoft Windows preinstalled.

McAfee also plans to strengthen existing partnerships in the Chinese market and to establish new ones. Prior to the announcement, McAfee operations in China included sales, manufacturing of the McAfee Unified Threat Management Firewall, and an R&D team focused on mobile security, localization, and security research.

The cornerstone of this move, though, is the establishment of the wholly owned subsidiary. As DeWalt explained to PCWorld, McAfee’s formation of the subsidiary will give the company greater flexibility and more options relating to its China-based manufacturing and to the regulatory approval of its products.

Those considerations are significant. In China, McAfee not only competes against its traditional rivals, such as the aforementioned Symantec and Trend, but also against domestic Chinese software companies that have benefited from home-field advantage in more ways than one.

Sound and Fury in “Black Screen of Death” Saga

I still don’t know what to make of the “Black Screen of Death.” It was initially thought to have affected millions of Windows users, but now appears to have stricken a smaller number, perhaps tens of thousands.

What we do know is that a problem struck a relatively small number of Windows users, including those with Windows 7, and that, for those users, the problem ranged from being an inconvenience to something more serious. Beyond that, we’re still looking for answers.

Prevx, the security-software company that originally identified the affliction, suspected that a recent Windows security update was to blame for the problem, which apparently causes desktop icons and the start menu to disappear from computers, leaving a black screen behind.

Microsoft has countered that malware, and not a security update, was the likely cause of the problem. Prevx has apologized to Microsoft for rushing to judgment with its initial diagnosis, which proved errant, but it also has defended itself from criticisms that it overstated the severity of the glitch.

All in all, recriminations are flying, and lessons should be learned, as PC World’s Tony Bradley notes.

On the Internet, though, everybody wants the scoop, the edge, the time advantage that accrues from identifying or getting to something — a story, a development, or actionable information — ahead of everybody else.

That pressure will ensure that we’ll all struggle — vendors, writers, and readers alike — to sort the wheat from the chaff as we thresh real-time information.

McAfee Maps the Malware World

The mind of the average cyber criminal is a dark, devious place. These are people who spend considerable time thinking about how they can deceive you, the unsuspecting Internet voyager, for fun and profit.

McAfee, whose business it is to defend against the misdeeds of online malefactors, has just published its third annual “Mapping the Mal Web” report, which provides insights into which top-level Internet domains (those suffixes at the end of web addresses, such as the “.com” and “.edu” designations) are the most frequent and likely harbors for malevolence.

For as long as humans use keyboards as a mechanism for alphanumeric communication, typographical errors will be with us. The Internet’s evildoers try to exploit such human frailty, which is why Cameroon’s domain, “.cm,” has risen to the top of the malware charts. All it takes is rushed keystrokes, and one can easily be transported to an Internet tar pit rather than to a desired destination.

That isn’t to say all “.com” sites are safe havens. McAfee finds that the designation for commercial sites ranks second, behind only Cameroon’s domain, as a source of online risk. Whereas McAfee assigns a weighted-risk ratio of 36.7 percent to Cameroon, it gives “.com” a ratio of 32.2 percent. (You can read about McAfee’s methodology, about the weighted-risk ratio, and about caveats associated with the study at the McAfee website hosting the report.)

The news isn’t all bad. Hong Kong (.hk) went from being the top-level domain with the greatest number of risky registrations to an overall risk ranking of 34th in this year’s report. While you should never drop your guard completely while online, McAfee says your safest Internet travels will be among the domains associated with government (.gov), Japan (.jp), education (.edu), Ireland (.ie), and Croatia (.hr).

In considering where to register malicious websites, according to McAfee, scammers and hackers account for the following factors: lowest domain prices, lack of domain regulatory control and supervision, and ease of registration.

Online malfeasance is a booming business. McAfee says we should not be surprised:

The evolution of malware delivery toolkits has given even the novice hacker the ability to easily create a fake bank site that challenges all but the most careful consumer to tell the difference. The persistence and proliferation of these phishing sites is in itself proof of this; absent of hacker profitability, phishing would disappear. Likewise, the explosion in the use of social networking sites and communication tools has exposed even more consumers to malware authors.

I suppose one could draw some dark inferences about humanity from the criminality manifested online. Then again, what’s new isn’t the evil, nastiness, and wrongdoing by some people against others. That’s been with us from time immemorial. What’s new, of course, is that the Internet has provided a venue in which certain criminal activities can become anonymized, unprecedentedly stealthy and surreptitious.

What this tells us is that even the best anti-malware can only go so far in providing us with online protection. Many Internet criminals are proficient social engineers. It’s incumbent on us all to rely at least as much on our wits as on our firewalls and anti-virus software.

What follows is a color-coded map, excerpted from the McAfee report, ranking countries according to the relative risk of their Internet domains.

[Image: InternetDangerNations2.jpg, the McAfee map ranking countries by the relative risk of their Internet domains]

Fortinet Enjoys Impressive Trading Debut

Fortinet’s IPO launched today. It went about as well as possible, with the shares, trading under the symbol “FTNT,” up $4.12 (32.96 percent).

I provided an overview on the Fortinet IPO yesterday, and what transpired today was consistent with my expectations. As a quality company, Fortinet offered a quality IPO. The market, which hasn’t seen many new technology issues in recent years, was appreciative.

From here, Fortinet shares might face some headwinds. With the company’s shares jumping impressively on their first day of trading, Fortinet now has a significantly higher market capitalization than it had before its stock began changing hands. That factor must be considered carefully in any assessment of buying into the company’s shares at the current price.

Examining the chart for Fortinet’s first day of trading, I see that its stock surged as soon as it hit the market, hitting $17.18 per share. It then dipped as low as $16.53 per share at about 11:44am Eastern before bouncing its way to a closing price of $16.62.

All in all, it was a good day for Fortinet, its financial backers, and its underwriters. As mentioned above, the market hasn’t seen many strong information-technology issues recently.

Fortinet Trades Tomorrow

When I composed my earlier post regarding Fortinet’s IPO, I was under the mistaken belief that the company would have its NASDAQ trading debut today.

As it turns out, Fortinet will begin trading under the “FTNT” symbol tomorrow morning.

Fortinet’s investment-banking underwriters — Morgan Stanley, JPMorgan, and Deutsche Bank — have the option to buy up to 1.9 million additional shares to address overallotments.

Overview of Fortinet IPO

Proffering advice on whether others ought to buy into a company on its first day of public trading always is a tricky business. At any given moment, one has only limited visibility into the company’s prospects, the industry to which it belongs, and the health of the overall market. Things change — often with alarming speed.

It goes without saying that plenty of caveats, provisions, and reservations attend any recommendation. Still, I feel good about the immediate prospects of Fortinet, the unified threat management (UTM) security-appliance vendor that begins trading today under the “FTNT” symbol.

I don’t know whether the company will be successful in the longer-term against larger competitors such as Cisco, Juniper, and now HP (through its 3Com acquisition) as it attempts to take a bigger share of the high-end enterprise and service-provider market segments, but in the near term, it seems like an investment that can deliver some pop.

Fortinet makes appliances that integrate several security capabilities into a single box. Any customer that buys from Fortinet gets a security appliance that provides anti-spam, antivirus, firewall, VPN, IPS, and web filtering all in a single system. For the Fortinet customer, the value proposition is that a single appliance can deliver the security functionality of multiple point products, leading to savings in product-related security costs and in the ongoing management of devices and vendor relationships.

That said, the strength of a UTM appliance also is its weakness. I would not say that Fortinet is a jack of all trades and a master of none, but I would contend that many large enterprises might be inclined to select a best-of-breed application-security appliance over a broad-based UTM box.

As of now, according to information provided in the Fortinet prospectus, the company’s product sales are evenly divided between its low-end, midrange, and high-end models, with each product class accounting for about a third of sales. A perception lingers that UTM solutions sell mainly to small and midrange companies, and not to larger enterprises, and Fortinet cites that perception as a risk in its prospectus, particularly in light of its desire to get more business from high-end enterprise, government, and service-provider customers.

Unlike Cisco, Fortinet doesn’t have much in the way of a direct sales force. Its sales are made through its channel partners, comprising distributors, resellers, and some specialized integrators. That strategy covers a lot of ground and helps defray cost of sales, but it can also be a weakness in some large accounts.

Another potential weakness for Fortinet is its reliance on open-source software for various facets of its security functionality. Fortinet argues that its “secret sauce,” if you will, is its FortiASIC hardware, which is optimized for accelerated processing of security and networking tasks. It also has its underlying FortiOS, an operating system that provides a foundation for application-security functionality.

Above those two technological cornerstones, however, one will find open-source software that Fortinet has licensed to provide disparate security functionality. With such code in play, there always is a danger, as Fortinet’s history attests, of patent-related litigation. Fortinet has been down that litigious road before, and it readily concedes that further courtroom drama could ensue.

Fortinet has a lot of R&D in China, as well as in Canada (Vancouver), and in the USA. The China-based R&D will provide it with cost advantages over many competitors.

In the second quarter of 2009, market-researcher IDC said Fortinet had about 15.4 percent of the worldwide UTM market. According to IDC projections, the market will grow from $1.3 billion in 2007 to $3.5 billion in 2012, representing a compounded annual growth rate (CAGR) of 22.3 percent. In its prospectus, Fortinet said it has shipped more than 475,000 appliances to more than 5,000 channel partners and 75,000 customers worldwide — including more than 50 customers in the Fortune Global 100 — during the first nine months of 2009.

Regarding that latter point, my observation is that Fortinet would like deeper penetration in those high-end Fortune 500 accounts. Although it has cracked Fortune 500 companies, Fortinet’s account presence often is at a small number of branch offices rather than throughout the organizations. As much as it resists the notion, Fortinet probably would reluctantly concede that UTM products traditionally have enjoyed more success in SME accounts than in high-end enterprises.

Fortinet reported revenue of $123.5 million, $155.4 million, and $211.8 million for its fiscal years 2006, 2007, and 2008, respectively. It says it had revenue of $152.7 million and $181.4 million in the first nine months of fiscal 2008 and 2009, respectively. I regard as a strength the geographical diversification of Fortinet’s revenue mix. In the first nine months of fiscal 2009, 37 percent of total revenue came from the Americas, 37 percent from Europe, and 26 percent from APAC. Since 2006, more than 60 percent of Fortinet’s revenue has been derived from outside the Americas.

For its size, the company has accrued a respectable amount of cash. Fortinet has generated positive cash flow from operations since 2005. Operational cash flow has grown from $3.4 million in fiscal 2005 to $37.7 million in fiscal 2008. During the first nine months of fiscal 2009, the company saw positive cash flow from operations of $45.8 million.

With the company’s revenue coming from product sales as well as from subscription-based services, the latter have provided a significant and growing source of recurring, high-margin revenue. That’s all good. As long as new customers are brought into the fold, subscription-based revenue will continue to proliferate and Fortinet will continue to generate meaningful operational cash flow.

Given the cash it is spinning and the proceeds it will derive from today’s IPO, Fortinet should be reasonably well placed to fortify itself, through acquisitions or other means. Although some factors are beyond its control, it is positioning itself strongly for the competitive struggles ahead.

The company has a good, battle-hardened management team. It’s a balanced group, with business and technological acumen. Fortinet also has been through some trials and tribulations. This isn’t a group of neophytes. The company has met adversity and endured.

Nothing lasts forever and nothing is a sure thing, but Fortinet comes into its IPO in good health, and with the near-term prospect of trading above its opening price range of $9 to $11 per share.

It now will sell 12.5 million shares instead of the originally planned 12 million shares.

McAfee and Symantec Contend for Market Share and Stock-Market Favor

Two major security-software vendors released their latest quarterly results this week. It’s instructive to look at how the markets reacted to those results and to look ahead and see what we can discern about each company’s prospects moving forward.

Symantec, which had been struggling in prior quarters, surpassed the expectations of market watchers in its second quarter, which ended October 2. Excluding certain costs, profit was 36 cents a share; analysts had predicted 33 cents on average, according to a Bloomberg survey. Including revenue from acquired companies, sales were $1.48 billion, exceeding the average estimate of $1.43 billion, but down three percent from the same quarter a year ago.

Symantec saw six-percent growth in its sales of security software to consumers. Sales in the storage and server-management segment fell nine percent, while security and compliance sales slid three percent. Symantec, which had previously experienced sales-execution problems in enterprise-security markets, seems to be rectifying that problem, with several high-value deals coming to fruition in vertical markets such as financial services, the federal government, and telecommunications.

Geographically, Symantec saw growth in China specifically and Asia more generally, and it saw a semblance of stability beginning to return to its business in North America.

Extending a previous practice, Symantec will buy back up to $1 billion in shares through public and private transactions. Symantec still has about $57 million remaining under its current share-repurchase plan. The company has bought back over $1.9 billion in shares since the last plan was approved in June 2007.

Share-buyback programs usually enhance the value of remaining shares, but they also have the effect of making it easier for executives to reach performance-based benchmarks because the earnings-per-share value increases as the number of shares in circulation decreases.

The overall theme of Symantec’s results was stabilization, and the market was appreciative. Symantec shares went up after the results were announced.

If Symantec benefited from the market’s low expectations, McAfee was undermined by the market’s relatively high expectations.

You wouldn’t know it from most of the business-press headlines regarding McAfee’s results, but the company actually did well in its fiscal third quarter.

McAfee reported sales of $485.3 million, up 18 percent from $409.7 million in the same period last year, just below the $486.6 million that Wall Street had predicted. Meanwhile, the company reported profit, excluding items, of 62 cents per share for the third quarter, above the average forecast of 60 cents, according to Thomson Reuters I/B/E/S.

The company is seeing slower growth on sales of anti-malware products to consumers. Up eight percent to $177 million in the quarter, consumer sales grew at their slowest rate since 2007. On the other hand, corporate sales grew 25 percent to $308 million, even though McAfee CEO Dave DeWalt said enterprise sales were affected by reduced sales of PC-based anti-malware software to companies that have fewer employees than they had previously. With fewer employees, companies have less need for PCs and PC software, including security products.

DeWalt made an interesting point about software sales to consumers. He noted that accounting rules require McAfee to book revenue from each consumer sale over 36 months. As such, he said, revenue reported in any one quarter is “a backward looking indicator.” As for what transpired specifically in the third quarter, DeWalt said consumer bookings grew 12.5 percent.

Looking ahead, McAfee foresees fourth-quarter profit, excluding items, of 61 to 65 cents per share on revenue of $505 million to $525 million. Analysts expect McAfee to earn 63 cents per share on revenue of $507 million.

McAfee fell just short of expectations on the revenue side, and it was punished accordingly by analysts and investors alike. Conversely, Symantec wasn’t a train wreck, as some analysts had anticipated, so it was rewarded for taking steps toward stability.

Although some of the business press focused on Symantec’s pickup in consumer business, the real battle between it and McAfee will occur in enterprise accounts, from SMBs all the way up to the largest corporations. Even though investors like the margins associated with anti-malware sold to consumers, that market is intensely competitive, even more so now that Microsoft finally has a free consumer offering, Microsoft Security Essentials (MSE), that is good enough to cut into the for-pay sales of Symantec, McAfee, Trend, and others.

Neither Symantec nor McAfee will admit that Microsoft is a threat on the consumer front, but, behind the scenes, they must be concerned about market erosion.

Symantec is making considerable effort to rectify the problems it had in its SMB channel. It also won some big enterprise deals. Increasingly, what it does in enterprise markets will be critical to its long-term prosperity. Although evidence suggests McAfee is gaining ground on Symantec in business markets, “big yellow” is getting back to basics and will make its smaller rival earn any further advances.

It won’t be easy for either vendor. Even as they’re getting pinched competitively in the consumer space, Symantec and McAfee confront constrained corporate budgets.

According to Bloomberg, Goldman Sachs Group reported this month that enterprise global spending on security programs next year will grow about 5 percent, compared with an 8 percent increase for all enterprise software.