15 Hot Security Companies That Could Be Symantec Acquisition Targets

If It Had The Cash, What Would Symantec Acquire?

Symantec will be playing catch-up with the rest of the industry once its separation is complete next year, according to security partners and industry analysts.

The Mountain View, Calif.-based company has a security portfolio rooted in data security, compliance and endpoint protection. It made acquisitions of market leaders in data loss prevention, encryption, eDiscovery and mobile security. While Symantec executives have focused internally over the last several years, a wave of new endpoint and network security technologies have emerged focused on detecting so-called advanced threats. Cloud security vendors have built out platforms to protect data stored in Salesforce.com, Box and other cloud services. Network security platforms from FireEye, Palo Alto Networks, Cisco-Sourcefire and Check Point Technologies -- an area Symantec has largely ignored -- have built out endpoint components for visibility and threat detection. CRN has pulled together some key vendors that could fill the security technology void in the Symantec portfolio if it had the ability to strike deals.

Bromium, Invincea

Symantec built up its endpoint security platform for threat detection, but Bromium and Invincea provide protection that may aim squarely against Symantec archrival McAfee. Bromium, started by Citrix Systems veterans, says it provides protection against advanced threats by isolating system processes in a virtual container. Meanwhile, Invincea started out by creating a virtual sandbox around a browser to prevent attacks from escaping to other system resources. It now supports a sandbox for Adobe PDF and Microsoft Word, Excel and PowerPoint. Invincea has partnerships with Dell and McAfee. Bromium partners with LogRhythm, Forescout and Palo Alto Networks.

Bit9-Carbon Black

Symantec could feed the need for advanced threat detection by acquiring Bit9-Carbon Black. Bit9 merged with Carbon Black in February to add threat detection and incident response capabilities to its application whitelisting platform. The combination has gotten the attention of chief information security officers and security pros at systems integrators and consultancies. Waltham, Mass.-based Bit9 started out in whitelisting, a strategy to restrict systems to run only approved software. It automated the platform and now ties into network security appliances. It currently has partnerships with Check Point, Fidelis, Palo Alto Networks and FireEye. Like other endpoint security vendors, Bit9 can also feed data into security information event management platforms, according to partners.

Guidance Software

Symantec already shelled out $20 million for Clearwell Systems in 2011 and LiveOffice for $115 million, leaping into the eDiscovery market. But Pasadena, Calif.-based Guidance Software has moved well beyond eDiscovery and compliance with its EnCase platform, adding security incident response, threat intelligence along with its digital forensics tools. The company is open to integrating to third-party partners and is a member of Check Point's Open Platform for Security program. While there would be overlap with Clearwell and LiveOffice, the threat intelligence, analytics and digital forensics could be the fuel that grows the company's cybersecurity services, according to industry analysts. Guidance's main rival across the street, AccessData, already has partnerships with McAfee, Hewlett-Packard and Dell.


This could be the dark horse in the pool of advanced threat detection vendors that Symantec could acquire. Symantec may decide to stick to its endpoint and data protection strategy, but partners told CRN that it could add breach detection capabilities without overburdening its customer base with additional endpoint software or agents. Nev.-based Outlier is one of the latest and least tested entrants to the market, but its Endpoint Threat Detection and Response (ETDR) system is backed by industry luminary and recognized security expert, Greg Hoglund, formerly of HBGary. Outlier is positioning its technology as a way to reduce the noise produced by network security appliances and increase visibility at the endpoint to identify and contain the most dangerous threats. Outlier doesn't use agents. It scans endpoint systems every 2 to 15 seconds and supports up to 10,000 endpoints. The company claims to be able to identify "true alerts" based on high-risk threats. It also can validate alerts from security information and event management systems and prioritize them based on risk.

Alert Logic, LogRhythm

Symantec is missing an analytics component forcing its customers to rely on competitor platforms to correlate system logs and event data and uncover threats. Partners and industry analysts point to Houston-based Alert Logic as a potential target because it differentiates itself from competitors by focusing on identifying threats to cloud, hybrid and on-premises infrastructure. The company has a partner base consisting of resellers and MSPs as well as managed hosting and cloud service providers. Alert Logic's ActiveGuard threat detection service is capturing the upper midmarket, partners told CRN. Symantec could also take the traditional route by looking at Boulder, Colo.-based LogRhythm, a longtime SIEM vendor that has managed to remain a pure play despite all the acquisition activity. LogRhythm has earned the respect of industry analysts and its customers and has added network and endpoint forensics and security analytics capabilities into its platform.

Skyhigh Networks, Ciphercloud

An emerging group of vendors provide security assessments to uncover ShadowIT, data encryption, file integrity monitoring and data loss prevention capabilities (DLP) and could give Symantec a leg up on a disruptive market, partners told CRN. Ciphercloud provides encryption, tokenization and DLP for data in cloud-based services. The platform also has activity monitoring to identify suspicious employee activity. It supports Salesforce.com, Box and Google Gmail The company also supports Office365, which would give Symantec access to Microsoft partners that sell either hosted Exchange or are involved in Exchange-Office365 migration projects. Skyhigh will scan a corporate network and identify the number of cloud services used by employees against company policy. It also will provide a risk rating for the services and can encrypt data in Box, Google Drive, Salesforce.com and ServiceNow. Skyhigh has partnerships with network security appliance maker Palo Alto Networks, data encryption and tokenization vendor SafeNet. Deploying encryption using the two platforms could still be a deployment headache, security experts told CRN, because of the potential to break third-party applications that tap into the cloud-based data. Don't rule out Netskope, which has former Symantec CEO Enrique Salem on its board of directors.

Okta, Ping Identity

Symantec struck a deal with cloud-based single sign-on vendor Symplified, using its technology as the core of its O3 identity gateway launched in 2012. The company sought to acquire Symplified, former CEO Steve Bennett told CRN. RSA snapped up Symplified assets in a fire sale in July, which may have been a case of bad timing for Symantec, when acting CEO Michael Brown was busy exploring plans to breakup Symantec. The company hasn't said what it plans to do with O3, but industry observers said the new Symantec could look to SaaS-identity market leaders, such as Okta and Ping Identity, for the technology. Ping has an established partnership with Cisco Systems.


FireEye is no stranger to acquisitions with its $1 billion deal to acquire Mandiant incident response services and endpoint forensics software. One industry analyst called a merger with FireEye almost laughable from a financial perspective, but said it would give Symantec a place in the network security market that doesn't necessarily compete against next-generation firewall vendors and would build on its threat intelligence capabilities and cybersecurity consulting practice. Like other security vendors in the space, Symantec could develop its own virtual sandbox service to detect advanced threats. But industry analysts point out that while the deal is a fantasy, there's no way Symantec could pull together a team that replicates the Mandiant services arm in the U.S.

Crowdstrike, Cylance

Crowdstrike and Cylance are both security startups founded by former McAfee executives who departed following Intel's acquisition of McAfee in 2010. The new Symantec might look to grow its threat intelligence capabilities by considering acquiring Crowdstrike and its Falcon threat intelligence platform, which is designed to identify dangerous targeted attacks from the commodity attacks that plague corporate networks. The company also specializes in attributing threats to their source. Its technology partners include Agiliance, Centripetal Networks, Check Point Software Technologies, General Dynamics Fidelis Cybersecurity Solutions, LogRhythm, ThreatQuotient and ThreatStream. Cylance uses analytics to identify and prevent malicious software from executing on endpoint systems. The company's CylanceV product aims at prioritizing SIEM alerts for incident responders and reports the zero-day threats and other custom malware it detects.


Symantec doesn't need Proofpoint's email security gateway or its archiving and data loss prevention capabilities, but partners told CRN that it could benefit from the Security-as-a-Service antimalware capabilities from Proofpoint's Armorize Technologies acquisition or the security incident response platform it acquired from NetCitadel in May.