Shares of FireEye, the newly public Internet security firm, rose by more than 23 percent in trading on the Nasdaq this morning following yesterday’s eye-popping $1.05 billion acquisition of another security firm, Mandiant.

As I noted in a story covering the deal yesterday, FireEye specializes in a real-time filtering technology that uses virtual machines to analyze different elements of a company’s network traffic. Mandiant specializes in two things: security at what it calls endpoints, which can be notebooks, desktop PCs, phones or tablets, and incident response, where it has a high-profile team.

Here’s why the combination of the two will make them so much stronger together. FireEye has set up several million (CEO Dave DeWalt didn’t say how many) of these virtual machines on its customers’ networks. They act as sort of an early-warning sensor network that encounters new attack techniques and malware on the front lines and reports back to a cloud-based command center. That way, when one customer’s network comes under a new kind of attack, it can instantly report back with information that’s quickly shared with the VMs running on other customers’ networks.

Combine that with Mandiant’s endpoint security network — which amounts to two million instances of its software running on all those PCs — generating attack reports to its own command center in the cloud, and you’ve got a pretty impressive set of eyes watching for trouble on the Internet. “This is probably one of the most powerful intelligence grids in the security industry,” said DeWalt (pictured above on the left).

Here’s why this matters. The most dangerous attacks being encountered on the Internet these days are known as “zero-day” attacks. These are attacks using vulnerabilities in software or operating systems that have been kept secret by the people who have discovered them. That means that standard security tools can’t protect against them because they don’t know what to look for. Usually, once the vulnerabilities are disclosed, software vendors can readily fix them and issue a patch.

Information about these vulnerabilities is typically sold for large sums of cash on the black market, and then used to develop malware attacks aimed at committing some kind of financially motivated crime. A 2012 study by researchers at Symantec (PDF here) found not only that attacks based on zero-day vulnerabilities are on the rise, but that they last for an average of 10 months. Worse, once a zero-day vulnerability is released into the wild, attackers have been known to create many malware variants — as many as 85,000, Symantec found — using it, complicating the response.

“Both of our technologies can quickly understand what’s going on with these attacks and respond,” DeWalt said. “It’s a new kind of defense architecture.”

FireEye reported about $61 million in revenue for the first six months of its fiscal year and is on track to hit about $158 million for the year, according to the average estimate of analysts surveyed by Thomson Financial. Mandiant, DeWalt told me, had about $100 million in annual sales, and is said to have been growing at a rate of about 60 percent annually.

You would think that they share a lot of the same customers, which might limit growth potential. It turns out, as DeWalt told me in an interview this morning, that the two companies share less than 20 percent of their combined customer base. Mandiant, he said, has about 500 customers, and derived about 95 percent of its business in the U.S. FireEye has about 1,500 customers and has more exposure to non-U.S. markets.

“Sometimes it’s good if you do have overlap because you can cross-sell each other’s products to customers that already trust you,” he said.

Mandiant was started by Kevin Mandia (pictured above, on the right), a 42-year-old former U.S. Air Force intelligence officer. It first rose to prominence for what’s referred to in the industry as the APT-1 report (PDF here), which pointed a well-researched finger at a specific unit of China’s People’s Liberation Army as the source for many of the most egregious cyber attacks on U.S. and European companies. It has been described as a “digital Blackwater.” Its incident response and forensics team, which is called in to handle the aftermath of hacking attacks at large, high-profile companies, is said to charge a pricey $400 an hour.

In an interview, Mandia said it was more or less inevitable that the two companies would team up as one. They’ve been collaborating for some time. At last year’s RSA conference, they announced an integrated product. “It was such a natural fit, it almost felt like we had an obligation to merge to better safeguard our customers,” he said. “We felt like we had to do it.” Mandia suggested the combination in a phone conversation with DeWalt last year.

The deal is being structured as a cash-stock combination, but a lopsided one: 90 percent shares and 10 percent cash. Mandiant’s shareholders — they include venture capital firm Kleiner Perkins Caufield and Byers and J.P. Morgan’s One Equity Partners — will get $106 million in cash, the rest in FireEye shares. As of Sept. 30, FireEye had about $328 million in cash on its balance sheet. Those shares are worth a lot more today than they were when the deal first closed on Dec. 30.



1 comment
DanWoodsEarly

Arik, the zero-day attack scenarios you describe here are essentially an enhancement to perimeter-focused security. The more interesting message of this merger is that it combines APT technology to find attacks that have succeeded (FireEye) with the security operations braintrust (Mandiant) to help find and clean up the mess. This combo will create a hybrid model in conjunction with existing technology and security operations teams. The end-to-end scope of this solution that includes the combination of perimeter and APT protection will lead to the creation of a security insurance market. See: http://www.forbes.com/sites/danwoods/2014/01/03/the-product-management-logic-of-the-fireeye-mandiant-deal/
