HP Overhauling Security Units, Denies ArcSight Sale, Spin-Off

Hewlett-Packard, beleaguered by internal strife and a series of financial setbacks in recent months, is revamping its security units, stripping its popular Zero-day Initiative bug bounty program from TippingPoint to create a new research arm.

Former and current employees told CRN that the company was considering a number of options over the last year, including a possible spin-off or sale of its ArcSight security business. But Art Gilliland, a former Symantec executive who took the senior vice president and general manager of Enterprise Security Products position at HP last July, said in an interview that ArcSight is currently not up for sale or spin-off, nor had it been over the last year. He called the company's ArcSight security business a core part of the company's future.

"I can't speak for the board of directors; I can only speak to the data that I know and the data that I know in my group is that there is no intention to do that," said Gilliland in an interview with CRN. "It's not something that I'm recommending; it's absolutely one of the futures of the business. Everything we've said publicly is security is important to the future of the HP turnaround, and that's been my understanding so far and we're operating the business that way."

[Related: HP CEO Whitman: Dell Leveraged Buyout Spells Opportunity For HP ]

Gilliland pointed to a recent restructuring of personnel as a key part of the security unit overhaul. The ZDI program is being split off from TippingPoint, which became part of the HP security software business in 2005 as part of its $2.7 billion 3Com deal. Under the restructuring, it is being centralized into a threat intelligence group headed by Jacob West, CTO of HP Fortify. The move brings together what had been pockets of security research in the separate product areas. West now leads a combined research team with increased funding, Gilliland said.

"In my opinion that was an unleveraged way to drive what I think is a really critical point of the future success of security in general, which is security intelligence," Gilliland said. "We brought it together because I think you'll get more leverage. You can hire a different caliber of researcher if they know they're going into a research org with a career path and with investments and objectives around driving better, more effective research."

The ZDI vulnerability bounty program, which pays researchers up to $5,000 for serious flaws, was maintained by TippingPoint DVLabs since 2005. Under the new plan, the ZDI will be the core of a new threat intelligence unit. The ZDI program took in a record 300 vulnerabilities in 2010 and the submissions increased to more than 350 last year. The number fell in 2012 to 203 published advisories due, in part, to the loss of its staff. Brandon Edwards, Aaron Portnoy and several other security researchers who staffed the ZDI left the company to found Exodus Intelligence, which buys zero-day vulnerabilities and is run in a similar fashion as ZDI.

NEXT: TippingPoint In Market Tough To Stand Out

TippingPoint was once a clear leader, but it is increasingly difficult to say it stands out, said Magnus Boll, an account manager for Access 2 Networks, a Toronto solution provider. Boll said the market for IPS appliances has become commoditized, making it very difficult for vendors to differentiate themselves.

"For us, HP buying TippingPoint was a negative thing because we lost a direct family relationship where now it's just one more player in an enormous basket of players that HP has," Boll said. "There was a time when TippingPoint was easily defined as a leader and had significant advantage over other technologies, but there are more replacements now and everybody wants a piece of that cake."

HP CEO Meg Whitman recently told CRN that security software is a key part of her plan to bring HP back as an industry leader. In fact, she predicted that in five years, HP will be "widely recognized for having a very strong software suite, anchored in hybrid cloud, big data analytics and security."

ArcSight has struggled under HP's bureaucratic malaise, former insiders told CRN. Tom Reilly, who was CEO and president of the firm before it was acquired by HP, departed in May of 2012. He had been serving as general manager of enterprise security at HP where he oversaw ArcSight, Fortify and HP Tipping Point.

In addition to a spate of engineers, the security unit also lost ArcSight co-founder and CTO Hugh Njemanze, who departed to take a position as entrepreneur in residence with Kleiner Perkins (KPCB). Njemanze is also a senior external advisor to AlienVault where Roger Thornton, who was founder and CTO of HP-Fortify, now takes residence as AlienVault’s CTO. Dan Barahona, a senior executive in charge of ArcSight's technology alliances and partner program, left the company last year to join document security vendor WatchDox. He was a key player in ArcSight's integration into HP.

The turmoil within the ArcSight security business mirrors the high-level-executive turnover and turmoil that HP has experienced with other software acquisitions, including its acquisition of database analytics software maker Vertica in February 2011 and unstructured software cloud power Autonomy in August 2011. Both Vertica and Autonomy lost high-level executives and seasoned engineering talent.

"The ArcSight founders all left, most of the VPs from the security business left and it's been a real mess," said one source. "ArcSight was long in the tooth when they bought it and they can't execute on anything."

ArcSight embraced the channel model and was reselling well, but under HP, sales have diminished, said Dan Thormodsgaard, director of solutions architecture at FishNet Security, No. 54 on the SP500, one of the top security solution providers in the country. HP needs to reinvigorate its channel organization if it expects to have success, he said.

"The HP model, in terms of the channel, is not what it was when it was ArcSight," Thormodsgaard said. "They are not as engaged at the field level and they need to properly staff within the organization to recognize that there is a need in terms of the VAR."

Gilliland said the departures within the ArcSight unit were a normal part of attrition in the organization. The attrition in engineering is the same percentage of attrition today as it was when ArcSight was a standalone company, he said.

"The reality is that there is always a cultural difference between a big company like HP and a startup," Gilliland said. "While I think we have lost some great contributors to the original ArcSight, we have actively hired new members to the team; that business is growing for us and it is a successful part of the portfolio."

NEXT: HP Overhauling ArcSight SIEM Platform

HP also has been overhauling ArcSight's security information event management (SIEM) system, ripping out the underlying Oracle database and replacing it with HP's proprietary system it calls the Correlation Optimized Retention and Retrieval (CORR) engine. The changes may be too little too late say some observers.

The Oracle database management system required extensive tuning and ArcSight implementations have been compared to massive ERP system deployments. It has been steadily losing ground to competitor SIEM products that, according to industry analysts, are easier to deploy and maintain.

Reworking ArcSight's underlying foundation may have set HP behind IBM and RSA, which have each recently announced the integration of their SIEM systems with the Hadoop framework for big security data analytics, said Mike Rothman, analyst and president of research consultancy Securosis. Historically, large companies have had a difficult time integrating acquisitions and keeping them innovative.

"They're giving the product a brain transplant and there has been a number of management changes, so it's not clear who is driving the ship over there," Rothman said. "ArcSight was the thought leader and driving the agenda for security management, but that is not the case anymore."

Jon Oltsik, a senior principal analyst at Enterprise Strategy Group, a market research firm based in Milford, Mass., said HP is likely evaluating all its security assets for sale or spin-off. "With the state of HP anything and everything is in play," said Oltsik. "There's no doubt they're looking at all their assets and all their business units and making tough decisions and security is probably no exception."

There is no reason why HP cannot re-establish itself in the security market with ArcSight, said Oltsik, but the company needs to move quickly or it could lose further momentum to other established players such as IBM, McAfee and RSA, he said.

Business news site Quartz reported earlier this month that the HP board of directors is exploring a breakup of the company, citing unnamed "people familiar with the matter."

HP, for its part, publicly raised the specter of a possible sale or spin-off of underperforming assets or business units in a 10-K filing late last year.

In the "Risk Factors" section of that 10-K filing, HP said that it will "continue to evaluate the potential disposition of assets and businesses that may no longer help us meet our objectives." Furthermore, HP cautioned in the 10-K that it may "dispose of a business at a price or on terms that are less desirable than we had anticipated."

"When we decide to sell assets or a business, we may encounter difficulty in finding buyers or alternative exit strategies on acceptable terms in a timely manner, which could delay the achievement of our strategic objectives," HP said in the 10-K. "We may also dispose of a business at a price or on terms that are less desirable than we had anticipated."

PUBLISHED FEB. 20, 2013

This story was updated on Feb. 21, 2013, at 9:51 a.m. PST, to clarify Hugh Njemanze's roles at Kleiner Perkins (KPCB) and AlienVault.