Date: 2020-07-16
Source: Cybrary

When BlackBerry (BB) acquired Cylance, the aim was to capitalize on Cylance's AI (artificial intelligence) and ML (machine learning) capabilities to build its EoT (enterprise of things) security platform. This deal was also expected to be synergistic to its IoT solutions.

Acquiring an endpoint security player requires two capabilities:

A large installed base of enterprise customers to cross-sell capabilities like threat intelligence, EDR, threat hunting, and consulting services.

The willpower to lift the commoditization curse in the endpoint security space via investments in marketing, third-party integrations, and partnerships.

BlackBerry saw a different vision that revolved around embedding Cylance into its IoT solutions and innovations. This pushed the near-term cash flow expectations from Cylance into the future due to the energy that will be expended to integrate Cylance into Spark (EoT platform). This bet isn't bad, given that the advent of 5G networks will drive the ease of protecting IoT devices. It's also interesting to know that Cylance had capabilities in embedded system security and autonomous security before the acquisition. These capabilities fit well with QNX (embedded and auto security). Throw in the capabilities in AI, EDR (endpoint detection and response), threat hunting, and security consulting, and the Cylance deal looks like a no-brainer.

According to Gartner in its most recent Internet of Things Backbone Survey: security was cited as the top barrier to IoT success (35%), with privacy concerns (25%), and potential risks and liabilities (25%) also in the top five.

Around the period BB acquired Cylance, VMware (VMW) also acquired Carbon Black. Investors will note that Carbon Black fits nicely with VMware's push to provide cloud security solutions for the modern enterprise. Since it acquired Carbon Black, VMware has folded another security company into its cybersecurity platform. Octarine was acquired as a Kubernetes security play to help enterprises protect cloud workloads. It's immediately obvious that Cylance was acquired to protect the future of computing while Carbon Black was acquired to protect the present (cloud workloads and cloud data lanes).

This doesn't mean Cylance isn't immediately accretive to BlackBerry's growth. At the minimum, it plugs churn from existing UEM (unified endpoint management) customers who are aching for threat prevention and EDR capabilities. It also drives multiple expansion as BB is perceived as a SaaS company, which will enjoy elevated SaaS multiples. Like Good Technology, and a host of other security acquisitions, Cylance is now rebranded under BB Spark.

How has Cylance evolved since the acquisition?

BlackBerry has made a series of updates since it acquired Cylance. Immediately after buying Cylance, BB had to improve on its brand positioning to make Cylance more appealing to existing EMM customers. This was achieved via industry awards and third-party effectiveness tests for Cylance Protect (threat prevention using AI and ML). Cylance isn't ranked as a leader, innovator, or challenger in Gartner's EPP Quadrant (2019). Pulling out of the niche players' space will require a huge task, which includes improving on the weaknesses highlighted by Gartner.

BlackBerry partnered with AttackIQ immediately after it acquired Cylance to improve its capabilities in endpoint security configuration. This is a level-one capability compared to the deep vulnerability assessment capabilities offered by the likes of Qualys (QLYS), Tenable (TENB), and Rapid7 (RPD). AttackIQ leverages the MITRE ATT&CK framework, which now serves as one of BB's leading third-party tests for the efficacy of BlackBerry Protect. Enrolling for third-party tests provided by the likes of NSS Labs is a way to convince enterprise decision-makers about the block rate and appealing TCO (total cost of ownership) of a security product/platform. The capabilities to be acquired from AttackIQ have now been extended to SafeBreach.

Palma comes to BlackBerry with nearly 20 years' experience delivering rapid growth at some of the world's largest and respected organizations such as Cisco, Boeing, Hewlett Packard, PepsiCo and the United States Secret Service. Most recently, he was Cisco's Senior Vice President and General Manager of customer experience for the Americas where his team helped customers design, build, and operate a global portfolio of network, security, collaboration, IoT, data center, and cloud services.

BB's next move was the release of Cylance Persona. Cylance Persona fits into BlackBerry's UES platform, a subset of BlackBerry Spark (BB's EOT platform). BB Persona adds user and entity behavior analytics (UEBA) capabilities to BlackBerry Optics (BlackBerry's EDR offering). Optics complements BB Protect to drive active threat detection and response for malicious attacks that are missed by BlackBerry Protect. BlackBerry isn't the only EDR player that offers UEBA capabilities. Its EDR offerings haven't received top ratings in recent quarters. Most EDR leaders have solid UEBA offerings. This means the addition of Cylance Persona extends beyond UEBA.

Cloud-based ZTNA services place the security controls where the users and applications are — in the cloud. Some of the larger ZTNA vendors have invested in dozens of points of presence worldwide for low-latency user/device access.

The addition of Cylance Persona complements BB's Zero Trust strategy, which correlates with Bryan Palma's experience at Cisco (CSCO). Zero Trust is partly about giving users and IP-enabled devices the appropriate bandwidth and device access that correlates with their network privilege. The Zero Trust capabilities are important because BB needs a robust IoT strategy to acquire market share. The Zero Trust capabilities will also serve as a way for BB to compete with network security vendors who are investing heavily in SD-WAN and other edge security and networking standards. This means BB has to improve its cloud computing and security offerings.

BlackBerry's recent launch of BIS (BlackBerry intelligence security) is the first iteration of its next-generation cloud security strategy. BIS's ZTNA (zero-trust network access) strategy is a sign that low latency and speed of delivery will be major metrics to watch as it scales its cloud offerings. The BIS launch appears to be focused on mobile endpoints to stress-test the adaptability of BB's ZTNA strategy as it expands into the IoT space.

"Unlike services or consulting firms that leverage third-party tools, we are intimately familiar with BlackBerry Cylance's award-winning approach for assessing vulnerabilities, resolving security breaches, and establishing a prevention-first approach that allows our customers to prevent future attacks and maintain business continuity."

Next, Verizon expanded its managed security service portfolio with Cylance. This move highlights BB's potential forays into the SecOps space. The efficacy of BlackBerry Protect is supposed to reduce false security alerts (positive/negative). Combined with Optics (automated threat hunting), and adding its integration with other security platforms, developing future capabilities in SIEM/SOAR (security operations) is inevitable. Therefore, when Forrester named BB as a strong performer in the incident response space, it wasn't far-fetched.

It was a no-brainer when BB launched CylanceGUARD as it represents the last major missing piece in its UES strategy. CylanceGUARD combines human expertise and intelligence from Cylance to deliver a managed security service. To efficiently scale this solution, BB needs more threat intelligence. CISOs will find it tough passing up Symantec, FireEye (FEYE), CrowdStrike (CRWD), and network security vendors who have shipped tons of security appliances. Therefore, when BB announced its integration with Chronicle's Backstory, the reasons for the partnership weren't tough to decipher. Chronicle was spun out of Google X (its moonshot division) to be a standalone cybersecurity company.

The new product also comes as it is increasingly a challenge for human analysts to sift through all this generated data alone. Chronicle notes that data uploaded to Backstory remains private and isn’t shared with other parties, while the service can scale across organizations ranging in size from 500 to 500,000 employees.

Chronicle includes VirusTotal (a malware search engine). Penetration testers are familiar with VirusTotal, and security analysts often upload files suspected to be infected with malware as part of their threat hunting process. Chronicle leverages Google's huge data storage, computing capability, and affordable licensing model to help enterprises with threat intelligence. Other notable partners on Chronicle's platform include Carbon Black, Fortinet (FTNT), Avast, and Tenable. It's clear that Chronicle is good for improving threat intelligence at a low cost. The only downside arises from security governance and data privacy issues that might be raised by customers as BB scales its threat intelligence capabilities. Scale, speed, and automation are key to delivering a best-of-breed IoT security solution. It's clear that BB will be relying on cloud service providers to achieve this goal. The recently announced partnership with AWS to improve its IoT and edge computing resources solidifies this conviction.

BlackBerry has also extended its Cylance capabilities to mobile devices. This was achieved by infusing its threat protection capabilities into its UEM solution. This provides BB with a strong mobile threat detection capability to add to its EPP offerings. When Gartner is writing its next report for the EPP space, the major weakness that will be highlighted is BlackBerry's go-to-market motion. The product innovation criteria will be a strength for BlackBerry. The latest Cylance updates include an improved UI, a unified agent for Optics and Protect, and support for Linux systems. These represent a huge portion of weaknesses highlighted by Gartner. Going forward, BB has plans to add capabilities in SWG (secure web gateway) and DLP (data loss prevention). By the end of the year, BlackBerry's security toolkit will resemble a cross between Zscaler (ZS) and CrowdStrike. That's fairly competitive.

Conclusion

BlackBerry is approaching parity with pure-play cloud security providers. It only needs to strengthen its go-to-market strategy going forward. Adding capabilities in SWG and CSPM (cloud security posture management) is a good way to launch more capabilities in cloud security. Cylance had a solid reputation (over 100 Fortune 500 companies) before it was acquired by BlackBerry. It boasted clients like Toyota, Panasonic, and The Gap. Today, its enterprise landing page doesn't list attractive enterprise clients (top clients are often highlighted during quarterly conference calls). It appears BlackBerry is underplaying its strength with large enterprises.

As COVID-19 has established, BB missed the short window of opportunity to make a flurry of cloud bets that would have proven decisive today. BB acquired Cylance with capabilities in endpoint protection, EDR, and consulting. Cylance also adds capabilities in IoT security. BB can improve the depth of its offerings in the cybersecurity space by doubling down on its cloud security strategy. This will require strategic integrations with top cloud platforms and granular capabilities in cloud security (container security, workload protection). The speed of service delivery is also key.

Short-term investors should realize the need to be patient. Long-term investors shouldn't underestimate the probability of a Zoom-like (ZM) harvest with the IoT security bets. This will be catalyzed by the growing need to protect IoT devices from coordinated cyber threats.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.