Security Experts:

Industry Acquisitions Show Enterprise Appetite for Malware Analysis, Cyber-Forensics

FireEye's acquisition of Mandiant and last month's acquisition of Norman Shark by Blue Coat Systems reflect the growing awareness among enterprises that they need sophisticated security technologies which go beyond antivirus and traditional perimeter-based defenses.

Given the growing number of cyber-attacks, data breaches, and network intrusions against practically every industry sector, enterprises are realizing that they need new approaches to security. CISOs and security managers are looking at multiple technologies to improve their ability to find and stop new threats and sophisticated malware, experts said. Organizations now realize they can't focus on detection alone, but also need to beef up their protection and remediation capabilities to stay ahead of the attackers. The latest round of security mergers confirms this trend.

“Companies that will be longer-term winners need to be able to detect and protect desktops/servers and networks against malware,” said Mike Rothman, analyst and president of the analyst firm Securosis. “Having products to address just one area isn't sufficient,” he said.

Malware Analysis, Sandboxing

As SecurityWeek reported last month, Blue Coat Systems acquired Norman Shark to add zero-day sandboxing technology to its advanced threat protection portfolio. Norman Shark's technology creates an isolated virtual environment where unknown malware and other suspicious objects can be executed and their behavior analyzed. With Norman Shark, and the earlier acquisitions of Solera Networks and Netronome, Blue Coat will be able to detect and identify advanced persistent threats as well as block, resolve, and fortify the network, said Steven Schoenfeld, Blue Coat's senior vice president of products.

Enterprises need to be able to derive indicators to detect and find malware attacks, and malware analysis is a key part of preventing and detecting malware infections going forward, said Rothman. “Sandbox-based malware analysis provides a piece of that puzzle,” he said.

Traditional pattern matching is no longer sufficient, and security companies are either developing malware capabilities in-house or buying malware sandboxing technologies to add to their arsenal, said Paula Musich, a principal analyst at Current Analysis. Blue Coat buying Norman Shark was the second sandboxing deal in 2013, with Invincea scooping up Sandboxie for an undisclosed amount earlier in the year.
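To make the point about indicators concrete, the following is an added example written for this page, not code from Norman Shark, Blue Coat, Invincea or FireEye. It takes a sandbox behavioral report in a constructed, hypothetical shape (real sandboxes each have their own schema), derives indicators from it, and shows why a repacked variant that defeats a hash signature is still caught by the behavior it shares with the original sample. The domains, file names and mutex name are constructed for the illustration.

```python
"""Derive indicators of compromise (IOCs) from a sandbox behavioral report.

Added illustration, not vendor code. The report dicts below are a constructed,
hypothetical format; they stand in for whatever a real sandbox emits.
"""
import hashlib
from dataclasses import dataclass

# Infrastructure a Windows guest contacts in any run; never promote to IOCs.
BENIGN_DOMAINS = {"time.windows.com", "ctldl.windowsupdate.com", "dns.msftncsi.com"}

# Autostart locations worth recording as persistence indicators.
PERSISTENCE_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


@dataclass(frozen=True)
class IOCs:
    hashes: frozenset        # static: sample and dropped-file SHA-256
    domains: frozenset       # behavioral: contacted hosts minus benign noise
    mutexes: frozenset       # behavioral: synchronisation objects created
    persistence: frozenset   # behavioral: autostart key + value name

    def behavioral(self) -> frozenset:
        return self.domains | self.mutexes | self.persistence


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_iocs(report: dict) -> IOCs:
    """Turn one sandbox run into static and behavioral indicators."""
    hashes = {sha256(report["sample"])}
    hashes |= {sha256(f["data"]) for f in report.get("files_written", [])}
    domains = {c["dst"] for c in report.get("network", [])} - BENIGN_DOMAINS
    mutexes = set(report.get("mutexes", []))
    persistence = {
        r["key"] + "\\" + r["value"]
        for r in report.get("registry", [])
        if r["key"] in PERSISTENCE_KEYS
    }
    return IOCs(frozenset(hashes), frozenset(domains),
                frozenset(mutexes), frozenset(persistence))


def signature_match(sample: bytes, known_hashes) -> bool:
    """Traditional pattern matching: exact hash lookup."""
    return sha256(sample) in known_hashes


def behavioral_match(report: dict, known: IOCs) -> int:
    """Count behavioral indicators a new run shares with a known-bad profile."""
    return len(derive_iocs(report).behavioral() & known.behavioral())


# Constructed samples: B is a repacked build of A (different bytes, same actions).
SAMPLE_A = b"MZ\x90\x00original-dropper-build-1"
SAMPLE_B = b"MZ\x90\x00repacked-dropper-build-2"


def make_report(sample: bytes, payload: bytes) -> dict:
    """Constructed report in the hypothetical schema used by this example."""
    return {
        "sample": sample,
        "network": [
            {"dst": "time.windows.com", "port": 123},        # benign noise
            {"dst": "cdn-update.example.net", "port": 443},  # constructed C2
        ],
        "files_written": [{"path": r"C:\Users\Public\svchost32.exe", "data": payload}],
        "registry": [{"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                      "value": "svchost32"}],
        "mutexes": [r"Global\ExampleDropperMutex"],
    }


REPORT_A = make_report(SAMPLE_A, b"payload-v1")
REPORT_B = make_report(SAMPLE_B, b"payload-v2")

if __name__ == "__main__":
    known = derive_iocs(REPORT_A)
    print("signature hit on A:", signature_match(SAMPLE_A, known.hashes))    # True
    print("signature hit on B:", signature_match(SAMPLE_B, known.hashes))    # False
    print("behavioral overlap on B:", behavioral_match(REPORT_B, known))    # 3
```

The allowlist of benign domains is the part practitioners most often skip: a sandbox run records every connection the guest makes, and promoting Windows Update or NTP hosts to indicators produces alerts on every machine in the fleet. The overlap count is deliberately a number rather than a boolean so that a detection team can set its own threshold; one shared domain is weak evidence, a shared domain plus the same Run key and mutex is not.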

FireEye Adds Forensics

FireEye—whose success with malware sandboxing has helped spur adoption of the technology through the industry—is enhancing its product line with an acquisition of its own. The security software company announced on Jan. 2 its acquisition of Mandiant, a company specializing in endpoint security and incident response.

Mandiant is best known for its team of digital forensics specialists who investigate network breaches for other companies to determine what happened, how, and by whom. In February 2013 it released an exhaustive report, the APT1 report, laying out the evidence linking Chinese government-backed hackers to attacks against businesses in the United States.

For customers, the combination of FireEye, the company that detects attacks, and Mandiant, the company that responds to them, can be a powerful one. With this merger, FireEye would be able to detect abnormal behavior, fix the issue that allowed the incident, and then send in its own forensics team to determine what additional steps are necessary.

“FireEye bought Mandiant to fill a gap in its ability to help customers more effectively respond to stealthy malware that's been discovered in the network,” Musich said.

One-Stop Shopping?

Enterprises are also looking to consolidate the number of security companies they buy from, Musich said. These recent mergers provide organizations with technologies that balance both detection and response.

The Norman Shark deal gives Blue Coat control of a key technology, already integrated into its Malware Analysis Appliance, that it can build into other products, such as the Web gateway and the Solera Network Forensics product line.

However, it's important to remember that CISOs are investing their security dollars in a range of technologies, not just forensics and sandboxing. Other technologies to invest in include security information and event management (SIEM) systems with Big Data analytics as well as packet capture and analysis.

In 2011, EMC’s RSA division acquired Virginia-based NetWitness, which provides network security monitoring and analysis technology that helps organizations see what’s happening on their networks.

Juniper Networks also features a unique malware deception technology from its $80 million acquisition of Mykonos Software, and Cisco Systems acquired its own set of sophisticated anti-hacking technology when it paid $2.6 billion for Sourcefire last year. Sourcefire (now Cisco) competitor Palo Alto Networks announced this month that it acquired Morta Security, a Silicon Valley-based security startup, to help bolster its threat detection and prevention capabilities. 

“There's no one clear winner yet,” Musich said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.