After the flames from the Slammer virus attack were doused and the tech industry caught its breath, Marc Donner started asking questions. Why did this happen? Could we have prevented it? What can we do to keep such a thing from happening again?
Luckily for Donner, executive director of the institutional securities division of Morgan Stanley, there were answers out there. The server vulnerabilities that Slammer attacked had been previously identified. In fact, three out of four attacks are made on known vulnerabilities. And several patches were prepared months in advance of when the computer virus wreaked havoc early this year.
Unfortunately for Donner, none of the patches had been well publicized. Compounding his dilemma was the sheer volume of patches that stream from vendors, making it hard for IT departments to manage. In some cases, companies spend months testing and installing patches.
Plus, hackers weren’t done with their dirty work. Slammer was followed up in August by a whole new can of worms. Three separate viruses – Blaster, Nachi and then SoBig.F, a variant of a recurring e-mail virus that uses infected machines to spread spam – cost businesses an estimated $2 billion, according to Computer Economics Inc. in Carlsbad, Calif.
But if the venture capital community is any indicator, things are going to get a whole lot better for Donner and other IT managers. More and more investors are seeing the marketplace demand for patch management software, which identifies and corrects vulnerabilities in large business networks.
At least six companies in the sector have raised more than $60 million from the likes of Battery Ventures, Bessemer Venture Partners, DCM-Doll Capital Management and St. Paul Capital.
The patch management business will grow between 20% and 30% annually over the next four years, predicts John Muir, a security analyst with Pleasanton, Calif.-based Trusted Strategies. “Patch management is not a bubble,” he says. “It’s real and long lasting.”
Muir adds that the patch management industry makes sense from an investor standpoint since it addresses a known economic and security issue: the deployment of fixes to a software problem.
Ned Miller, CEO of Secure Elements, knows the security industry well. His company, based in Herndon, Va., raised $5 million in August in a Series A round from DCM and The Carlyle Group. Miller and Dan Bezilla, CTO of Secure Elements, founded the company earlier this year. Both previously worked for Recourse Technologies, an intrusion-detection company acquired in 2002 by Symantec Corp. for $135 million. DCM also funded Recourse, so it was natural to return to the venture firm when seeking capital for Secure Elements, Miller says.
Secure Elements, which has just 20 employees, plans to release a beta version of its patch management software in the fall. Unlike some security products that have come out in recent years, Secure Elements’ software does not focus on detecting nasty worms trying to get into a network. Nor does it fight viruses that are already present. Instead, it aims to pinpoint areas in a computer system that are likely to be attacked and then works to secure, or patch, the network. “It’s not an easily understood market, but more VCs are showing interest and appreciate what’s going on,” Miller says.
Eric Gonzales, a partner at DCM, says he expects the computer worm problem to grow because of the proliferation of low-cost servers that use the Microsoft operating system, which tends to be less secure compared to Unix. Microsoft’s software is a frequent worm or virus target in part because its software is so dominant.
“I get nervous when I hear an industry is called ‘hot’ because that means there are already too many investors involved in it,” Gonzales says. “But there are a host of security problems cropping up out there as these bugs proliferate and cause damage, so we’ll probably keep calling it ‘hot’ for a while longer.”
Still, Gonzales says there are too many startups in the overall security space. They will have to develop a niche in patch management, as Secure Elements has done, for example, to survive and dominate as the industry grows, he says.
But it isn’t as if Secure Elements is without competition. Besides publicly traded Symantec of Cupertino, Calif., the dominant company in software security tools, it faces competition from a host of other venture-backed startups, many of which have been in the business a lot longer than Secure Elements. VCs have pumped more than $40 million into at least five startups going after the same space:
* Application Security Inc. of New York raised $6 million in January from Kodiak Venture Partners and Early Stage Enterprises. It was founded in 2001.
* BigFix Inc. of Emeryville, Calif., pulled in $8 million in a follow-on round from Levensohn Capital Management, Selby Ventures and St. Paul Capital in September 2002. It has raised in excess of $14 million since its founding in 1997, according to VC market researcher Thomson Venture Economics.
* BladeLogic of Bedford, Mass., has a total of $22 million from Battery, Bessemer and Globespan Capital Partners (formerly known as JAFCO America Ventures), according to Thomson VE. The company, founded in 2001, raised its last round in February.
* LANDesk Software Inc. of South Jordan, Utah, pulled down an undisclosed investment amount in October 2002 from Vector Capital and vSpring Capital. The company, founded in 1991, was spun out of Intel Corp. last year.
* And PatchLink Corp. of Scottsdale, Ariz., raised a $5.6 million Series A round from Offroad Capital in January 2000, according to Thomson VE. Apparently, the company, founded in 1991, hasn’t needed any additional private equity since.
Illustrating the health of the patch management market, LANDesk CEO Joe Wang says he’s not looking for more money. Why would he when his company has reportedly been profitable for 13 straight quarters?
Hard To Get
Without naming names, Wang says he’s taken calls from investors who ask him if he’s looking for funding. Alas, he’s turned them all down.
“A year ago, this market was not good and it took work to convince investors that we were in a growing space,” Wang says. “Now, things are different. The awareness of recent events has made patch management a priority.”
Indeed, the number of software vulnerabilities has doubled every year since 1999, according to the CERT Analysis Center at Carnegie-Mellon University, which tracks the data as part of its ongoing push to issue its CERT security alerts.
Last year, CERT identified 4,200 vulnerabilities in software products, double the number recorded a year earlier. And it looks as though that figure will double again this year.
So does this then translate to easy pickings for budding security entrepreneurs looking for cash?
No, says Jack Kembough, CEO of Application Security Inc., which provides vulnerability assessment and protection services and was kept busy in August with demand for patch updates related to Microsoft and Oracle vulnerabilities. Kembough joined Application Security before its first round of financing in April 2002.
Kembough says that patch management is hot and will remain so. But he warns these aren’t easy days to raise money no matter how hot the industry becomes.
“A security entrepreneur can easily find investors who show plenty of interest in patch management, but you still have to demonstrate your ideas, develop an engineering team and have a business plan if you want to raise money,” he says.
Getting More Aggressive
Then there are those who say they have never looked for any VC at all. Mark Shavlik, CEO of Roseville, Minn.-based Shavlik Technologies, says he has turned down investors.
His privately held company, which provides automated patch management services, was founded in 1993 and reportedly is on track to record up to $12 million in sales this year, up from $2 million last year. Shavlik Technologies, which currently employs about 50, began shipping its current patch management product in 2001.
Shavlik says he has been able to get along so far without VC help, thanks to a partnership he inked with Microsoft three years ago. However, he’s seen competitors gaining ground thanks to their venture investments.
Shavlik has considered getting more aggressive with sales and marketing, especially since he was looking to launch another security product this fall with a patch management feature. But, for the time being, besides advertising on Google, he says his business doesn’t need to raise venture to expand marketing.
“Anytime someone else launches a new ad campaign in response to a new worm, we see a spike in business,” Shavlik says. “All the other companies together – the leaders, the investors, all of them – are building the category together. It’s incredible to see how it’s grown.”