A few years ago the market for “endpoint” security—software designed to protect people’s computers—was ripe for the taking. Investors poured hundreds of millions of dollars into startups salivating over the lunches of stalwarts Symantec and McAfee. While some defiant contenders remain, the situation has changed drastically since then: Winners have been anointed; losers disappointed.
The latest example of consolidation in the once-hot market came Thursday. PC and printer-maker HP bought Bromium, one such cybersecurity business that struggled to live up to its promise. While the terms of the deal were not disclosed, judging by the low multiple on HP’s own valuation, it’s safe to assume the company did not pay a premium for its purchase. (HP shares trade at a price-to-earnings ratio of less than 7, relatively anemic for a tech company—rival Lenovo trades at 12x and Dell at nearly 14x.)
Bromium’s fate isn’t surprising. The company in 2016 struggled to raise venture capital funding, ultimately settling for a “down round” that sliced its private valuation in half to $240 million from nearly $500 million. An HP partner since 2017, Bromium has supplied the technology underlying HP’s “sure click” malware protection, designed to shield computers from hacks. The two expanded their tie-up in March, likely setting the stage for this week’s M&A consummation.
HP has not said whether any Bromium employees will be joining the company, implying the deal may solely be a tech grab. Notably, no Bromium executives were quoted in the press release announcing the deal. (A Bromium spokesperson replied to Fortune’s inquiry with a redirect to HP’s press team, “as we’ve been instructed.”)
Bromium’s struggles, while singularly acute, are indicative of the shifting fortunes of the cybersecurity marketplace, and the increasingly unattractive prospect of going it alone; plenty of competitors have been rushing for the exits lately, too. Last month, VMware agreed to acquire Carbon Black. Endgame sold to a Dutch tech firm, Elastic, in June. BlackBerry closed its acquisition of Cylance in February. There’s even chatter that a couple of private equity firms will soon snap up the remnants of Symantec.
I recently spoke with an investor at Andreessen Horowitz, whose firm, one can only presume, recouped little, if anything, on its Bromium bets. He confirmed my impression that the battle is largely over. CrowdStrike, whose eye-watering IPO captivated investors this summer, has effectively dominated the turf. There’s not much competition left…everyone now seems to be looking for ways out.
As the “endpoint” exhilaration winds down, we’ll be keeping eyes on a few worthy opponents—Tanium, Cybereason, and SentinelOne among them—as they continue to challenge incumbents.
***
In a recent Cyber Saturday dispatch, I lamented the inability of a popular brand of hardware security key—Yubico’s YubiKeys—to work via near-field communication on Apple iPhones. A few days after I published that essay, Apple revealed at its September event that it would enable the feature. This is a major victory for consumer security.
Robert Hackett | @rhhackett | robert.hackett@fortune.com
THREATS
Bye-passcode. A bug in Apple's new mobile software—iOS 13, released Thursday—supposedly allows people to expose contact details in iPhone address books without requiring a passcode or biometric unlock. A researcher informed Apple of the issue, which requires physical access to a device, in July, but the company appears to have opted to release the software anyway, reports CNN. A fix is slated for the next iOS update, iOS 13.1, due out on Sept. 24.
Forget sex—fear sells. Chris Krebs, cybersecurity director for the Department of Homeland Security, chastised the cybersecurity industry for its typically fear-mongering approach to communications. "One of the things we’ve got to do a better job of is stop selling fear," he said during a keynote address at a summit organized by his agency. "Fear sells, but we have far too much to offer to just be looking for the next mark."
MacGyver vs. McDonald's. Some estimates place the number of unfilled cybersecurity job openings at nearly 3 million. Why such a shortage? Cybersecurity news site CyberScoop says the industry's problem may be, at least partially, "self-inflicted." Pointing to a July Forrester report, the outlet notes that hiring managers "expect to hire MacGyver but pay like McDonalds."
Strike a pose. Chinese cybersecurity experts are warning that posing for selfies with a hand-gestured "peace sign"—fingers splayed outward in the shape of a "V"—is a risky behavior. Why? Because hackers can magnify the image and use artificial intelligence techniques to reconstruct a subject's fingerprints, useful for breaking into biometric-locked devices. Maybe we should all just stop taking photos and move to the woods.
A star is born. Acronis, A Swiss data backup and recovery firm, raised $147 million in funding at a private valuation in excess of $1 billion, making it the latest "unicorn" startup in cyberland. Goldman Sachs led the round.
Man, WeWork, get it together.
Share today’s Cyber Saturday with a friend: http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Memories of my melancholy computers. Edward Snowden, the U.S. government secret leaker, has written an autobiography. The Nation published an excerpt that describes the whistleblower's first adventures in cyberspace. Snowden says he experienced the throes of "technological puberty" after his father bought the family a Compaq Presario 425 computer. Department of Justice lawyers are now suing Snowden for failing to clear the text with his former employers, the CIA and NSA—a lapse that surprises no one. (He left on bad terms.)
From the age of twelve or so, I tried to spend my every waking moment online. The Internet was my sanctuary; the Web became my jungle gym, my treehouse, my fortress, my classroom without walls. If it were possible, I became even more sedentary. If it were possible, I became even paler. Gradually, I stopped sleeping at night and instead slept by day in school. My grades went into free fall.
FORTUNE RECON
Russian Hacker Will Plead Guilty for Role in JPMorgan Cyber-Attack by Christian Berthelsen
‘Security’ Cameras Are Dry Powder for Hackers. Here’s Why by Robert Hackett
Who Is Robert O’Brien? What to Know About Trump’s New National Security Adviser by Terry Collins
Huawei’s Big Offer by Alan Murray and David Meyer
Mechanic in American Airlines Sabotage Case Had Islamic State Videos on Phone, Prosecutors Say by Curt Anderson and The Associated Press
Startup Raises $4 Million to Secure Crypto Transactions Without an Internet Connection by Jeff John Roberts
After Saudi Oil Attack, Trump Pledges Help for Middle East Allies By Jordan Fabian, Nick Wadhams, David Wainer, and Glen Carey
ONE MORE THING
A hacker by any other name... Last week the U.S. Treasury Department added several North Korea-affiliated hacking groups to its sanctions list. The update referred to a single, blocked entity by as many names as Game of Thrones' Daenerys Targaryen has titles. Witness: Lazarus Group, AppleWorm, APT-C-26, Group 77, Guardians of Peace, Hidden Cobra, Office 91, Red Dot, Temp.Hermit, The New Romantic Cyber Army Team, Who Is Hacking Team, Zinc...*Gasps for breath.*
InfoSecurity Magazine's Danny Bradbury astutely notes that the cybersecurity industry has a naming problem—an issue that is exacerbated by the number of private companies seeking to slap their own branding on the groups they uncover. Ultimately, the muddled taxonomy makes it harder for researchers and crime-fighters to keep track of the baddies. Let's just use The New Romantic Cyber Army Team for this one.
