Most of the press and preliminary analysis of the FireEye acquisition of Mandiant has been exuberant. The New York Times got to break the news just after the first of the New Year although the deal closed December 30, 2013. Of course the coverage contained the usual predictions of industry consolidation. This is not a consolidation play, I contend but rather it is a scramble on the part of FireEye to backfill its lack of product depth.
FireEye is an outlier, and frankly, overvalued compared to other security companies.
|Company||Market Cap||2013 Revenue est.|
|Checkpoint Software||12.77 Billion||1,445 Million|
|Juniper Networks||11.51 Billion||3,394 Million|
|Trend Micro||4.6 Billion||1,105 Million|
|Palo Alto Networks||4.16 Billion||457 Million|
|Fortinet||3.15 Billion||609 Million|
|Barracuda Networks||1.92 Billion||227 Million|
|Imperva||1.2 Billion||131 Million|
|FireEye post announcement||6.78 Billion||159 Million|
At its IPO FireEye had close to the same revenue as NetWitness did when RSA acquired it for $220 million. Even FireEye’s 2013 revenue is going to come in less than Barracuda’s and a third of Fortinet’s. Yet FireEye’s valuation late Friday was an eye popping $6.89 Billion, more than half of networking giant Juniper Networks, or security leader Check Point Software.
At IPO, FireEye’s sales and marketing expense exceeded its revenue and therein lies the tale. FireEye came to market with a single feature appliance than ran multiple instances of WindowsXP in virtual instances. It was early to market with this sandbox technology, which until then had been primarily used by companies like Norman as test environments. It was only after adding a very simple feature, beaconing, that FireEye began to gain traction. A FireEye appliance dropped on a network would invariably discover the presence of an infected machine that was attempting to communicate with a Command and Control server run by cyber criminals. Prospects who were comfortable in their deployment of AV, IDS, and patch management would quickly convert from doubters to customers.
If you have a product that quickly demonstrates value, and can convert demos to purchase orders, the growth path is obvious. Hire sales teams and saturate the market quickly. This is exactly the strategy that Dave DeWalt executed on when he was recruited away from Intel, quickly building a sales team of over 200 people; exceeding that of many well-established network security vendors. Of course that generated the growth in revenue that made FireEye a palatable IPO candidate.
Most feature-based vendors have to demonstrate that they have more relevance in the security market before going public, but FireEye’s timing was perfect. All the talk of cybercrime, Advanced Persistent Threats (APTs), and cyber espionage had given Wall Street an appetite for new security investments. Besides, DeWalt has a history of creating tremendous stock holder value as evidenced by his history of acquisitions at EMC and his spectacular, although still incomprehensible, sale of McAfee to Intel for $7.6 Billion.
[See Stiennon and DeWalt on stage at The Churchill Club]
But Wall Street’s perception of success often diverges dramatically from reality. Think Groupon, or going back further, Crazy Eddie, a retail electronics store chain that was welcomed with open arms by Wall Street.
While FireEye deserves credit for innovating in the advanced malware detection space, it quickly lost ground (technically) to more complete solutions from Trend Micro, Damballa, Norman (BlueCoat), who also combine virtualization and emulation to counter really advanced malware that can detect when it is being “detonated” in a virtual environment. Meanwhile FireEye’s two features, sandboxing and beaconing detection, have been rapidly incorporated into most UTM devices.
The best strategy for a high-flying public company whose products do not have staying power is to embark on an acquisition spree that juices revenue. In those terms, trading overvalued stock for Mandiant, with estimated 2013 revenue of $150 million, will easily satisfy Wall Street’s demand for continued growth to sustain valuations. FireEye has already locked in 100% growth for 2014.
But, other than playing to Wall Street, does the Mandiant acquisition make sense? Certainly for Mandiant it does.
Mandiant is a breach response services company, arguably the best. The conference call slide deck on the acquisition states that its compound annual growth has been 50% for three years. Its best year was 2012 when it grew 76% according to the New York Times. Which implies that 2013, the year when its now famous APT1 report was published, saw a decline in growth. Mandiant had tapped out its market of high profile accounts that had suffered breaches, among them the New York Times, and Washington Post. Like other vendors in the counter-Chinese-espionage business they were running into long sales cycles, and no ability to go down market to the thousands of manufacturers, law firms, and think tanks, which are also targeted for industrial and political espionage but do not have the IT budgets to do anything about it.
FireEye sales are based on discovering evidence of pre-existing breaches, a perfect lead generation opportunity for Mandiant. So yes, the deal appears to be a tremendous opportunity for Mandiant, although, as a service offering they will have to continue to invest in hiring personnel to deliver those services, not an easy task when the skill sets they are looking for are in high demand. On top of that Mandiant has to be able to offer services that are palatable to smaller organizations.
Will a product company combined with a services company succeed? HP has lost $35 Billion in valuation since it paid $13.9 Billion for EDS. IBM has certainly maintained its viability with a product/service mix of some 40/60. But IBM is somewhat larger than FireEye (400 times larger apparently based on revenue) and does not face much competition for z Series mainframes.
To succeed, a specialized service company must be able to use the best tools, especially in breach forensics and recovery. Any pressure to leverage FireEye’s products over Arbor Network’s PravailSA, or RSA’s Security Analytics, or the endpoint solutions from Guidance Software and Bit9, will restrict Mandiant’s competitiveness.
Look for more acquisitions to come from FireEye. It has to continue to grow to satisfy Wall Street. But organizations looking to counter advanced threats must continue to evaluate all the technology solutions.