Bit9 Buys Carbon Black, Gets $38M to Try to Win Security Arms Race

2014 is shaping up to be the year of cybersecurity. Or lack thereof.

It seems every week we hear about a new data breach or major hacking operation. And every week there seems to be a new tech company trying to solve these problems.

Bit9 is not one of them. The Waltham, MA-based company has been around since 2003, which makes it a veteran of the security scene. But the market and technologies are changing so fast, Bit9 has had no choice but to reinvent itself as a new kind of cybersecurity company.

Today the firm said it has acquired Carbon Black, a security startup based in San Antonio, TX, for an undisclosed sum. Bit9 has also raised $38.25 million in new funding from its existing investors, which include Atlas Venture, Highland Capital Partners, .406 Ventures, Sequoia Capital, and Kleiner Perkins. Carbon Black investor Blackstone also participated in the round.

The funding brings Bit9’s total raised to about $120 million, and the company has just surpassed the 200-employee mark.

It’s hard to say how much of the new money is related to the merger, because the companies aren’t talking about the terms of the deal. Carbon Black has 17 employees and will retain a presence in Texas, where engineering lead Scott Lundgren is based. The Texas team has been using the Geekdom co-working space in San Antonio.

Carbon Black got started in 2010 and was incubated at Kyrus, a Virginia-based security firm. The startup is led by CEO Mike Viscuso, who is moving to Boston to become Bit9’s chief strategy officer (welcome to New England weather).

“We have the opportunity to take the market in front of us,” says Patrick Morley, Bit9’s CEO. As he puts it, his company “brings strong experience on the prevention side,” while Carbon Black brings expertise on the “detection and response” side—so customers who have been hacked can “instantly see everything going on across the whole enterprise.”

Bit9 is positioning the merger as a classic blend of complementary offerings. To be fair, though, Bit9 is the much larger company, and it has been working on its own incident detection and response technology in recent years. But its DNA is on the server and endpoint protection side—sort of a replacement for the antivirus paradigm of the previous era. Morley calls it “reducing the surface area of attack.” So that’s the perspective from which the company’s products have been built.

Meanwhile, as the security mindset has shifted—from “how do we prevent attacks” to “how do we respond to inevitable attacks”—newer approaches like Carbon Black’s have taken hold.

“If you expect hackers to hit you all the time, eventually they’re going to get resident somehow into your enterprise,” Morley says. “You have to be able to detect someone is in and then respond to it in an instant.”

Carbon Black’s software tries to understand the relationships between files and other entities within an organization. Once a breach is detected, it can provide information such as the outside IP addresses or domain names involved, as well as the machine or specific process that initiated a bad connection. (Sounds a bit related to Cybereason’s “malops” approach, with some differences.)

“Because we’re obtaining all this relational information, we can go back to ‘how did this start?’ An intern can answer that question in seconds. Which dramatically reduces the cost” to the organization, Viscuso says. And then Bit9’s protection software can help make sure that kind of attack doesn’t work again.

Ultimately the companies are joining forces to lower the security costs for big customers. “Every [chief security officer] we met that had Bit9 said, ‘Can’t you and Bit9 play together? If I had Bit9 and Carbon Black, I’d have everything,’” Viscuso says.

Competitors would say the merger doesn’t really advance enterprise security. But Bit9 is forging ahead in a new world. The company reported 66 percent revenue growth in 2013 (no absolute numbers given), and it says it has started pilot tests at 34 retailers since the beginning of January. Its other big customers include universities, government organizations, energy companies, financial institutions, and Internet firms.

“We’re still very early in a market that’s very quickly developing,” Morley says.

For Bit9, let the IPO and acquisition rumors begin. The rest of the industry will soldier on.
