This year has seen a record number of new security firms jockeying for a slice of the growing cyber-pie. At RSA this year, the expo floor teemed with innovative new companies as well as reinvigorated old ones. All of them were (loudly) proclaiming their case for better, stronger, faster security. In front of the pack was a familiar name with a new face.
Just as RSA kicked off on April 19th, 2015, Raytheon announced their acquisition of veteran security company Websense in a deal sized at around $1.7B. This was a bold, high-profile action, for a company that is not known for spontaneity.
The initial response from analysts and the media ranged from “wait, Websense, what?” to “meh, Raytheon is just trying to make a few bucks.” However, behind closed doors, the conversations were more inquisitive. People were asking, “What is going on with this Raytheon Company?”
Now, for full disclaimer: Anitian was an advisor on the Raytheon/Websense transaction. However, Raytheon did not sanction this blog entry. This analysis is our own, based on publicly available information.
As part of the analysis work we did, Anitian was able to hear a lot about Raytheon’s vision. For the most part, the media and analysts have missed the real story. This is not just a cyber land-grab. Raytheon has set their sights on the nascent Security Analytics market, and they have not only the potential to drive the market, but define it as well.
A year ago, this blog published extensive research on the Security Analytics (SA) market. Since then, many of our conclusions have started to materialize. BlueCoat, Cisco, RSA, IBM, and now Raytheon are all positioning to build or acquire the components of an analytics platform. At the same time, threat intelligence startup companies are jockeying to get some of the money flooding into information security from these industry giants.
Under normal circumstances, a stodgy military contractor like Raytheon attempting to commercialize military technology would elicit dismissal from the likes of cynics such as myself. Government contracting differs profoundly from the commercial market: the pace, competition, marketing, sales, revenue, recognition…everything is different.
Furthermore, defense contractors do not have a rich history of success in converting military technology for civilian use. Consider AM General’s gigantic Hummer trucks, which General Motors commercialized back in early 2000s. While the Hummer H1 and H2 were initially successful, the market for gigantic, fuel-guzzling, military-style trucks was shallow. Once the customer base of mullet-topped weekend warriors was exhausted, the brand had nowhere to go. Desperate, GM did what they always do: brand engineering. This gave us the Hummer H3, a pathetic knock-off that devalued the brand. Mercifully, GM killed off the Hummer line during the 2008 meltdown.
However, information security is not a huge truck (although Fortinet thinks so.). Where others have failed, Raytheon stands a chance. Information security, and particularly Security Analytics, has a natural alignment with the defense industry. Moreover, Raytheon has three important factors working in their favor: experience, money, and vision.
At RSA, Raytheon’s new intentions were bolstered with some aggressive new messaging: “Defense Grade Security!” Again, the cynic in me would usually dismiss such sloganeering as marketing spin. However, this is a case where the spin is justified. Raytheon has a much deeper well of experience in information security than is widely known. They have supported the militaries of the world with intelligence and security technologies for decades. In 2009, Raytheon also acquired BBN Technologies, which is one of the foremost research institutions in the world on matters of security.
When you look at Raytheon’s history, they have more security experience than many of the big names in information security. Everybody loves to gush about their Palo Altos, Crowd Strikes, and Splunks, but Raytheon was doing network security when Palo Alto was still a glimmer in Nir Zuk’s eye. Also, much of Raytheon’s experience comes from monitoring for internal threats (which is something the military cares about), making them uniquely qualified to handle the complexities of security analytics.
However, experience is only part of the story. Experience needs resources to turn vision into reality, and Raytheon is in a good position here as well.
The irrational exuberance of the 1990s is back! If you have a cloud-something, engage in the “shareconomy,” or can use the word “next-generation” and “threat intelligence” in the same sentence, somebody will throw a bag of money at you. (I am still waiting for my bag.)
A recent study from KPMG shows that private equity and other funds are sitting on vast piles of money that they need to get working. Interest rates are as low as they can get, and unemployment is way down. Economists are almost all positive about the economy, and the haze of the 2008 meltdown has cleared. With all that good news, the bankers want to buy stuff and cybersecurity is just the tulip they want.
While Raytheon is not a bank, they have a vast pool of financial resources. They also have a lot of the development resources in place either from previous acquisitions or from the Websense buy. This affords them something that few of the startup security firms have: breathing room. Raytheon can shovel resources into their cybersecurity business for a while.
Furthermore, most of their business still comes from defense contracting. As such, Raytheon’s shareholders do not need this cybersecurity endeavor to be hugely successful right out of the gate. Raytheon can still make plenty of money on defense work and mature their cyber division over the next 12-24 months.
Raytheon’s $1.7B Websense buy is one of the largest security acquisitions since Bain bought Blue Coat (which Anitian also advised on). Websense is a sizable firm with a global presence. This too gives Raytheon a strong revenue stream, and presence in a lot of accounts.
So, while Raytheon has the foundations of experience and resources, they still need something in the driver’s seat.
It goes without saying that the breach-mania of the past year has profoundly altered the security landscape. It is amazing to us at Anitian how little insight most organizations have into their own internal environment. The Verizon Breach Report (and others) cites the average dwell time of an intruder at around 200 days. Moreover, external entities find and report a whopping 71% of all breaches, with only 29% being discovered internally within the breached organization. Breaches do not suddenly happen. They take time to unfold. As such, insider threats have become the new (actually old) frontier for security.
When Raytheon announced that their products would focus on reducing dwell time, I immediately awoke from my jet-lagged slumber. Reducing dwell time and combatting the insider threat is what Security Analytics is all about.
This is vision, not the marketing puffery of all those hyperventilating “threat intelligence” startups. If Raytheon can pull together a security analytics platform centered on the principle of reducing dwell time, they could not only disrupt the market, but also define it.
The fusion of Raytheon’s current SureView technologies and Websense’s Triton platform has the potential to do this. Monitoring for internal threats with the ability to watch not just behavior but also data would give Raytheon a depth of analysis that none of the other insider threat products have. Most existing endpoint analytics products are just behavior analyzers. They either monitor system or network behavior and determine anomalies from those inputs. This is merely a slight evolution of host-based intrusion prevention. Few (if any) endpoint breach detection products have the ability to analyze data (either structured or unstructured).
With the behavior analytics of SureView, and the data analytics of Triton, fused with the threat intelligence from Websense (and others), Raytheon has the early workings of a platform that can do real security analytics. Furthermore, their experience with military networks is a natural fit here. Military environments have always focused on monitoring internal assets as much (if not more) than external ones.
Rough Road Ahead
So the big question here is, can Raytheon leverage their experience, money and vision and disrupt the market? They have the right pieces in place, but there are plenty of potholes along the road that could turn this deal into a broken-down cyber-Hummer.
Integrating the technology, product development, channel, and support is going to be an epic challenge. However, merging the culture will be even more difficult. Raytheon and Websense are oddly good for each other here. Websense could use some of Raytheon’s vision and focus; conversely, Raytheon could learn a thing or two about the pace and complexity of the commercial market from Websense.
This is an odd case where it is Raytheon in the driver’s seat, but Websense has the mechanics to keep the truck running. Raytheon needs to stay on the road and stick with their vision. Likewise, Raytheon needs to let Websense’s commercial sensibilities infect some of the slower moving elements of the business.
Nevertheless, this will not be all unicorns and rainbows. Raytheon has a long road ahead of them. However, they have the right mix of ingredients to make this work. Anitian predicts that the perimeter security players, namely NGFW, will start to slow down in the next few years. Combating insider threats and reducing dwell time is the future of information security. As such, the timing is right for Raytheon.
However, BAE, Lockheed, and the other defense contractors are not going to sit idle while Raytheon profits. It is a forgone conclusion that those companies are monitoring Raytheon’s activity very closely. If they smell success, they are going to start the “me too” moves.
I have seen many acquisitions in my time, but honestly, Raytheon/Websense is one of the more fascinating stories out there that nobody knows. If they can pull this off, we could have a new titan in the industry.