Splunk (SPLK) went public this week and both Infoblox and Palo Alto Networks will soon follow. This could be the start of a security IPO run moving forward. Why? Status quo security defenses aren't working so there is a burgeoning market for next-generation security technologies. This market opportunity has driven M&A activities for years but we've recently seen far broader interest in security. HP grabbed ArcSight and started a security business unit. IBM acquired Q1 Labs and did the same. Dell purchased SecureWorks and SonicWall. Investment is pouring into the security sector driving innovation and a present and future wave of IPOs.
Here's my take on the 3 recent and forthcoming IPOs:
- Infoblox. In many ways, Infoblox is a technology ditch digger, playing in the extremely geeky IP address management (IPAM), DNS, and DHCP spaces. None of these areas gets much ink but all are critical to making IP networks work. A few years ago, Infoblox had trouble selling product because most organizations used Open Source (BIND) or Windows for DNS and DHCP. As IP traffic grew exponentially, CIOs recognized problems with their current DNS/DHCP - scalability, maintenance, security, etc. All of a sudden, the phones at Infoblox were ringing off the hook. Infoblox's challenge is to branch out of from its current position of selling picks and shovels for the Internet. Nevertheless, the picks and shovels guys were the ones making the most money during the California gold rush so Infoblox's business should continue to grow.
- Palo Alto Networks (PAN). You have to give PAN credit for its chutzpah as it stepped into the mature network firewall market, focused on HTTP Port 80 traffic, and became a catalyst for reinventing the whole space. Almost every enterprise I speak with is either implementing or investigating application controls and most are doing so at the network. This gives PAN a lot of greenfield opportunities moving forward. In some ways, PAN can be compared with Riverbed who pulled the rug out from Cisco, Nortel, and Juniper in the WAN optimization space and came to dominate that category. That said, the secret is out and now all the big firewall companies (Check Point, Cisco, Juniper, etc.) and IDS/IPS companies (IBM/ISS, McAfee, Sourcefire, etc.) have application controls of their own. The security market is littered with technologies like anti-spyware and SSL VPNs that morphed from independent categories to product features. PAN has to keep running as quickly as it can to avoid this common fate.
- Splunk. Splunk pulled the Netscape freeware card to gain massive brand awareness in the security market. In Splunk's case, the mass distribution strategy worked, Splunk is everywhere. The common perception of Splunk's customer base is the security analyst sitting quietly in a corner doing queries of log data. True, but Splunk is a lot bigger than this alone. Oak Ridge National Labs use Splunk as part of its massive Oak Ridge Cyber Analytics (ORCA) project. It is also used in Penn States Applied Research Labs.
It appears that after years of seeding, Splunk is ready to harvest and its timing is good - legacy SIEM platforms don't have the scale, analytics, or automation capabilities necessary to deal with security intelligence in large networks. Splunk's challenge is picking the correct battles in this space as the historic notion of SIEM, log management, and security analytics are in the midst of a transition. Splunk is playing the "big data" card but so are IBM, HP, RSA, SAIC, and lots of other companies with deep pockets. Splunk's best bet is to remain part of the big data security analytics infrastructure and leave the customization, deep analytics, system intelligence, and automation for the big guys.
Congratulations to all three companies. I believe you are trend setters paving the road for a rich security IPO market in 2012 and beyond.
You can read Jon's other blog entries at Insecure About Security.