FireEye's busy day: new investment infusion and acquisition of Respond Software

November 20 2020
by Fernando Montenegro, Scott Crawford, Aaron Sherrill


Among the many challenges facing most security teams today, a top priority is the combination of increased volumes of security alerts, which often require sophisticated correlation among multiple sources, and a shortage of human resources to handle them. This has led to two broad industry trends: the rise of security services that leverage deep domain expertise, and growing interest in the use of automation to expedite some security tasks. Both trends are on full display as FireEye – known for, among other things, its Mandiant security services capabilities – has picked up Respond Software, which aims to offer a platform for doing that type of analytics. Along with that deal, the company has announced the addition of $400m in new funding.

Snapshot

Respond Software
Security analytics
Deal value
Date announced: November 19, 2020
Closing date: November 18, 2020



The 451 Take

For years, security operations technology has focused on aggregation and escalation – aggregation primarily of log and event data via security information and event management, escalation by first-tier analysts for the gathering of context from multiple sources and further investigation and response. Today, that picture is changing as technologies such as extended threat detection and response (XDR) take more of the spotlight, automating the gathering of that context and bringing a deeper level of analysis closer to real time. A key factor of this transformation that is often overlooked is that expertise is central to making the most of the technology opportunity.

Anchored by its Mandiant capabilities in threat intelligence and threat response, FireEye has been building a portfolio of technologies that will directly challenge established models in this space: proactively, around continuous automated security testing, validation and assessment services, through its acquisition of Verodin in 2019; and now, with the purchase of Respond, responsively, around XDR and the expertise needed to direct it. These assets are further complemented in FireEye's product portfolio by technologies that provide visibility into potentially malicious network, endpoint and email activity, as well as by the centralization that FireEye Helix enables.

The addition of Respond for better processing of alerts nicely complements the continuous validation that came with the earlier reach for Verodin – if your analytics engine can now process high volumes of alerts at machine speed, you can crank up the dial on more constant validation and not worry about overburdening your teams. This functionality can also make better use of the time spent by experienced analysts. The key challenge for FireEye will be to navigate the nuance of supporting an expanding services business while maintaining a product division that keeps it in touch with customers more often than just during incidents.

Deal details and rationale

FireEye announced the Respond Software buy the day after it closed and says it is paying $186m for the company in a combination of cash and equity. The target's team is slated to join FireEye as part of its Mandiant Advantage arm, which focuses on vendor-agnostic services.

The $400m funding infusion – led by Blackstone, with ClearSky participating – will be complete in approximately 15 days. FireEye indicates that the rationale for this raise is to give it extra flexibility for future opportunities, as well as to bring in partners that it sees itself aligned with in the context of the broader company transformation.

The overall rationale for nabbing Respond is that the latter's analytics engine will support Mandiant's services-centric offerings, particularly in the context of helping both Mandiant customers and consultants make better use of scarce human resources. FireEye expects significant benefits in terms of accelerating alert triage and sees opportunities for synergies with its existing offerings in two ways: Respond will eventually support integration with FireEye's Helix platform and existing products, but more importantly, the acquirer anticipates that the analytics engine will benefit from the vast amounts of threat intelligence that the Mandiant services team has access to as they execute on the hundreds of 'red team' and incident response engagements they normally do.

The transaction also fits neatly within the broader trend of security vendors supporting XDR design patterns, where customers rely on multiple sources of telemetry, specialized analytics, and optimized response workflows to better support the increased complexity of security operations. As can be seen from data derived from 451 Research's surveys, security teams indicate that they consider security analytics a key area of investment:

Figure 1: Analytics Is a High Priority for Security Projects
Source: 451 Research, Information Security, Workloads & Key Projects 2020

Target profile

Mountain View, California-based Respond Software was founded by Chris Calvert, Mike Armistead and Robert Hipps in 2016. The company has approximately 45 employees, with founders Armistead, Calvert and Hipps serving as CEO, CTO and CPO, respectively. Respond has raised a total of $32m, the latest being a $20m series B in May 2019. That round was led by ClearSky and included CRV and Foundation Capital. The vendor is estimated to generate less than $10m in revenue.

Respond's offering consists of a vendor-agnostic, cloud-based analytics engine for security telemetry. Its Analyst XDR Engine automates the ingestion and processing of security telemetry from sources such as endpoint security, network security, web proxies, and others, and performs various analytic functions. The result is to allow customers to only focus on high-priority incidents as opposed to a multitude of alerts and, when doing so, have the Analyst XDR engine already execute much of the work associated with investigation itself.

Acquirer profile

FireEye was founded in 2004 and is headquartered in Milpitas, California. It has approximately 8,000 customers and 3,400 employees worldwide. The company went public in September 2013. Since then, FireEye has added to its portfolio – originally centered on network security – with offerings in email security, endpoint security and, most notably, services via the purchase of Mandiant in 2014. Kevin Mandia has served as CEO since 2016.

The firm recently reorganized its efforts along two distinct lines: FireEye products, which houses the traditional controls-centric business such as network security and forensics, endpoint security, email security and the Helix platform; and Mandiant Solutions, which is a vendor-agnostic services organization with a focus on threat intelligence, incident response and security validation. The Mandiant Solutions unit is in the process of rolling out a new SaaS-based offering named Mandiant Advantage, which is where Respond will initially be integrated.

Select FireEye Acquisitions

Date announced | |
January 2, 2014 | | IR services
May 6, 2014 | nPulse Technologies | Network analysis
January 20, 2016 | | Threat intelligence
February 1, 2016 | | Threat response
January 12, 2018 | X15 Software | Data analytics
May 28, 2019 | | Attack simulation
January 21, 2020 | | Cloud security
November 18, 2020 | Respond Software | Security analytics

451 Research. * 451 Research estimate


In the context of this transaction, FireEye's competition can be broken down into three layers: strategic security vendors, providers focusing on XDR, and security services firms. Customers looking at strategic security vendors may consider offerings that include products and services from Microsoft, Palo Alto Networks, Cisco, IBM, Trend Micro, VMware, Fortinet, and more, including Google Cloud's Chronicle, which also threatens the status quo with the ability to handle high volumes of telemetry with responsive analytics. Palo Alto, for example, has made recent moves into technologies that are stretching the extent of security operations visibility, such as its recently announced pickup of Expanse for attack surface management, while Microsoft is pushing into the space via Azure Sentinel as well as through endpoint visibility and protection. Cisco, meanwhile, is marshaling visibility and response resources such as Stealthwatch, Umbrella and AMP, and has introduced a platform for centralizing visibility and some extent of process automation across its security portfolio with SecureX.

In addition to strategic vendors with portfolios that may include XDR capabilities, other security providers both large and small with XDR messaging include, but are not limited to, Cybereason, SentinelOne, CrowdStrike, McAfee, Sophos, Stellar Cyber, Confluera and Hunters.ai. On the services angle, FireEye/Mandiant is often seen in competition with larger services firms such as AT&T, Verizon (which bought Niddel in 2018 for an automated analytics capability similar to Respond's), Secureworks and NTT. Many other players, including SIs such as Accenture, BAE Systems, Deloitte and Ernst & Young, as well as a multitude of smaller specialists, also offer security services. FireEye is aiming to differentiate against these rivals by virtue of the synergy between the experience and threat intelligence it collects on security engagements and the efficiencies that the Respond engine is expected to bring.