UPDATE: Call it ‘dancing with the girl that brought ya’: two weeks after it disclosed a serious security breach at its RSA Security Division, tech firm EMC said it was buying NetWitness, a threat analysis firm that helped it detect the breach in the first place.
EMC said on Monday that it had acquired NetWitness for an undisclosed sum on April 1. The company will operate as part of RSA, EMC’s Security Division. The company said that NetWitness’ technologies would allow it to detect and remove so-called “advanced threats” from customer networks. NetWitness’ network monitoring technology will operate as a separate line of business under RSA, according to a statement from NetWitness.
The deal for the five-year-old Herndon, Virginia, company is the latest sign that organizations are struggling to address attacks from so-called “advanced persistent threats” – slow and deliberate attackers who use a combination of social engineering, custom malicious code and, often, exploit code for previously unknown security holes in common products to gain a foothold on sensitive networks.
All those factors appeared to play a role in an attack on RSA itself that was first disclosed on March 17. In a blog post and analyst conference call on Friday, RSA said that a compromise of systems holding intellectual property about its SecurID strong authentication product combined phishing e-mail messages containing a Microsoft Excel spreadsheet that, when opened, ran a zero-day exploit of a known Adobe Flash vulnerability (CVE-2011-0609). That exploit was used to install a variant of a known Trojan horse program on the infected systems. The attackers then moved laterally within the organization from relatively low-level employees to those with access to more sensitive systems.
In a conference with analysts, Art Coviello, Executive Chairman, RSA, and Uri Rivner, Head of New Technologies, Consumer Identity Protection, credited NetWitness’ products with stopping the breach. “They were a crucial component of our tool set that we used. That with our people is what contained this,” he said.
Founded in 2006, NetWitness makes a range of analysis tools, with names like Informer and Investigator, that compile, index and analyze a wide range of network activities for signs of malicious activity. The company has seen its revenue grow by leaps and bounds, as organizations within the government, financial services and technology sectors went looking for tools that could spot the subtle signs of network intrusions – NetWitness’ specialty.
The company now employs 130 people, almost doubling in size in the last year. Revenues for 2010 are also estimated to have more than doubled, from around $20 million in 2009 and just $2.7m in 2007. That could put the purchase price for the firm anywhere between $200m and more than $400 million, according to analyst projections. Both NetWitness and EMC declined to disclose revenues or the purchase price.
EMC’s interest in NetWitness predates the breach. Rumors of the acquisition had been circulating for weeks, prior to the disclosure of the breach.
Josh Corman, research director for the Enterprise Security Practice at The 451 Group, an industry analyst firm, said that the breach at RSA, along with those at certificate authority Comodo, high-tech firm HBGary and the so-called “Aurora” attacks on Google and other firms, have pushed concerns about targeted attacks to a “saturation level.” “Clearly we have a problem, here,” Corman said.
The NetWitness acquisition shows EMC and its RSA division betting that, in light of those incidents, companies will be looking to make investments that bear measurably on their security posture, rather than just investing to satisfy auditors – as has been the case in recent years.
NetWitness’ technology has traditionally been adopted by large enterprises looking for cutting-edge technology, or those that have been the subject of targeted attacks, Corman said. Being part of a larger and more established firm could give rank-and-file enterprises more confidence investing in NetWitness and extend the benefits of its technology into more companies.
However, Corman said that there’s a shortage of IT workers with the knowledge of networking and security to make the best use of sophisticated tools like NetWitness. “This is not a turnkey solution,” he said. Today, many NetWitness customers use the company’s products in more of a forensic role to understand what happened in a breach than as a defensive tool to spot and block breaches, Corman said.
In a letter to customers, NetWitness CEO Amit Yoran said the company hoped to gain from the acquisition through integration with RSA and EMC’s infrastructure technology and EMC’s global sales and services organizations.
Corman said other firms similar to NetWitness could also go to larger technology and services firms in the months ahead, as they look to convince customers that they are serious about addressing targeted threats.
Other firms that sell security intelligence tools akin to NetWitness say they, too, have seen increased demand in the last year.
“The awareness of potential cyber attacks has grown with the increase in reported breaches and attacks, such as the RSA breach, Stuxnet, Wikileaks... and who knows what is next,” said Tom Turner, senior vice president of marketing and channels for Q1 Labs. “All of this attention is driving demand, and we are seeing it reflected in a growing interest for security intelligence solutions and pro-active security in general.”