FireEye has announced its acquisition of security instrumentation and validation provider Verodin. The transaction, valued at approximately $250 million, closed on Tuesday.
Verodin, founded in 2014, describes itself as helping organisations to “measure, manage and improve their cybersecurity effectiveness” using its security instrumentation platform, and had raised over $33 million in funding, according to Crunchbase. The acquisition comes just over a month after Verodin’s announcement of multiple new hires in its leadership team, particularly focused around the expansion of sales and marketing reach, which potentially raises the question of how long the acquisition has been in the pipeline.
The platform is aimed at allowing companies to review their existing security infrastructure and identify gaps in effectiveness caused by factors such as equipment misconfiguration, changes in the IT environment and evolving attacker tactics.
“Cyber security today is based on assumptions – that technologies work as vendors claim, products are deployed and configured correctly, processes are fully effective, and changes to the environment are properly understood, communicated and implemented. However, the reality is much different for almost every organization and often they discover this only after being on the wrong side of a breach,” said Chris Key, co-founder and CEO of Verodin. “By joining FireEye, Verodin extends its ability to help customers take a proactive approach to understanding and mitigating the unique risks, inefficiencies and vulnerabilities in their environments.”
According to FireEye’s press release on the subject, the integration of Verodin’s security instrumentation platform is expected to add ‘significant new capabilities’ to FireEye’s portfolio, especially when enhanced by FireEye’s frontline intelligence. Specifically, it’ll be incorporated into FireEye Helix’s security orchestration capabilities, as well as being available through the FireEye Managed Defense service and as an Expertise On Demand automated service. It’ll also remain available as a standalone product through Verodin resellers and FireEye’s own channel partners.
The acquisition is expected to add approximately $20 million to billings in 2019 and more than $70 million to billings in 2020, FireEye says.
“Security effort does not equal security effectiveness. That is why security-conscious customers red-team their networks – they need the unvarnished truth of how effective their security programs are. Verodin gives us the ability to automate security effectiveness testing using the sophisticated attacks we spend hundreds of thousands of hours responding to, and provides a systematic, quantifiable, and continuous approach to security program validation,” said FireEye CEO Kevin Mandia.
“We believe there is no better way to train people and instrument better security than by continually attacking the environment and adapting security controls to the real threats. Finally, organizations will have a reliable and consistent way to quantify cyber risk in a manner understandable to frontline technicians and in the Board room.”
The difficulty of effective communication regarding cyber risk is one of the many challenges CISOs face – our own research found that almost half of CISOs aren’t confident that their strategic knowledge of operational risk is appreciated. Another oft-cited problem is managing complex IT infrastructure, including towering multi-vendor stacks of security solutions, so FireEye’s enthusiasm for the integration is understandable. So is the response from analysts, who have been very positive about the acquisition, with William Blair, Morgan Stanley and Stifel all praising the move.
Stifel particularly emphasised “the ability to repackage periodic, non-recurring Red Team professional services assessments as a subscription offering” – adding to FireEye’s existing consultancy and ‘Expertise On Demand’ services, which are particularly attractive given the difficulty of hiring and retaining in-house cybersecurity talent.
As we’ve discussed on many an occasion, growth through acquisition is a solid strategy in the cybersecurity market, and it’s worked out well for FireEye in the past – the most obvious example is of course the acquisition of Mandiant for around $1 billion back in 2013, but other purchases have also been influential in developing the company from its roots as a sandboxing specialist to its current form as a ‘one-stop-shop’ provider. Recent accolades for its threat intelligence and email security solutions in particular (both key focuses of acquisitions made in the past few years) serve to emphasise the strategic value of these purchases.
With more and more CISOs looking to increase efficiency by consolidating their security stacks and reducing the number of separate vendors they work with, the addition of Verodin’s platform and capabilities to FireEye’s portfolio looks all set to be another big win for the company.