As large security players look to add patching and remediation tools to their arsenals, analysts say the days of the standalone patch-management vendor may well be numbered.
McAfee Inc.'s purchase this week of patch-management Citadel Security Software Inc. is likely the first of many such transactions to come in the next few months and years, analysts say, as large security and enterprise software vendors look to wring more value out of their presence on corporate desktops and servers.
At the same time the larger security industry continues to undergo a major wave of consolidation, and the patch-management sector could be one of the more fertile hunting grounds for acquirers. The space is populated mainly by a handful of large players, such as CA Inc., Symantec Corp.'s BindView offering and PatchLink Corp., in addition to myriad smaller, more specialized vendors, including Altiris Inc., Shavlik Technologies LLC, BigFix Inc. and St. Bernard Software Inc. Many industry observers also believe that those smaller fry soon will become food for the fish at the top of the food chain.
"The days of the standalone in this category are numbered because we're hitting the age of the huge distributed system," said Pete Lindstrom, a senior analyst with Midvale, Utah-based research firm Burton Group. "They're all trying to broaden their message around remediation and what else they can do with their agents. Citadel was there years ago with that. The cool thing about them is that they completed the circle, they did the remediation, not just the assessment."
Indeed, several of the independent vendors are working on plans to do more with the agents they already have installed on users' machines. PatchLink, for one, is actively seeking out acquisition targets, namely companies with technologies that PatchLink can integrate with its own offerings and manage through its existing console, said CEO Patrick Clawson.
"We want to carve out our own future," Clawson said. "We're looking overseas for acquisitions, in Asia, in central Europe. It's not just about patching and remediation either. Compliance is unbelievably important. Executives care because they can't afford to have a failure on that. These are job security type things."
Configuresoft Inc., whose offerings cross the boundaries between patch management, configuration management and change control, also is working with customers on ways to use its Enterprise Configuration Manager to manage and secure encryption implementations and virtual machines.
Despite the likelihood of further market consolidation and the looming presence of Microsoft and IBM, both of which have made big moves into security of late, Lindstrom thinks there still is plenty of room for a variety of players. He said that's because many -- if not most -- enterprises still use multiple patch management and remediation tools and have heterogeneous environments that require different approaches.
"I'm surprised at how many people still use two [products] or even more," Lindstrom said. "I think that's probably because there's a big difference from an organizational perspective between patch management and configuration management. The folks with really strong security groups may go with just one, but in most cases the different platforms are owned by different groups.
"I don't see Microsoft getting there immediately," he added. "They're still only at a basic level of functionality with most of their [software update and patching] offerings."