Resilient Systems News: IBM to Buy Resilient Systems

Today, IBM announced its intention to purchase my company, Resilient Systems. (Yes, the rumors were basically true.)

I think this is a great development for Resilient Systems and its incident-response platform. (I know, but that's what analysts are calling it.) IBM is an ideal partner for Resilient, and one that I have been quietly hoping would acquire it for over a year now. IBM has a unique combination of security products and services, and an existing organization that will help Resilient immeasurably. It's a good match.

Last year, Resilient integrated with IBM's SIEM -- that's Security Event and Incident Management -- system, QRadar. My guess is that's what attracted IBM to us in the first place. Resilient has the platform that makes QRadar actionable. Conversely, QRadar makes Resilient's platform more powerful. The products are each good separately, but really good together.

And to IBM's credit, it understood that its customers have all sorts of protection and detection security products -- both IBM's and others -- and no single response hub to make sense of it all. This is what Resilient does extremely well, and can now do for IBM's customers globally.

IBM is one of the largest enterprise security companies in the world. That's not obvious; the 6,500-person IBM Security organization gets lost in the 390,000-person company. It has $2 billion in annual sales. It has a great reputation with both customers and analysts. And while Resilient is the industry leader in its field and has a great reputation, large companies like to buy from other large companies. Resilient has repeatedly sold to large enterprise customers, but it always takes some convincing. Being part of IBM makes it a safe choice. IBM also has a sales and service force that will allow Resilient to scale quickly. The company could have done it on its own eventually, but it would have taken many years.

It's a sad reality in tech that too often -- once, unfortunately, in my personal experience -- acquisitions don't work out for either the acquirer or the acquiree. Deals are made in optimism, but the reality is much less rosy.

I don't think that will happen here. As an acquirer, IBM has a history of effectively integrating the teams and the technologies it acquires. It has bought something like 15 security companies in the past decade -- five in the past two years alone -- and has (more or less) successfully integrated all of them. It carefully selects the companies it buys, spending a lot of time making sure the integration is successful. I was stunned by the amount of work the people from IBM did over the past two months, analyzing every nook and cranny of Resilient in detail: both to verify what they were buying and to figure out how to successfully integrate it.

IBM is going through a lot of reorganizing right now, but security is one of its big bets. It's the fastest-growing vendor in the industry. It hired 1,000 security people in 2015. It needs to continue to grow, and Resilient is now a part of that growth.

Finally, IBM is an East Coast company. This may seem like a trivial point, but Resilient Systems is very much a product of the Boston area. I didn't want Resilient to be a far-flung satellite of a Silicon Valley company. IBM Security is also headquartered in Cambridge, just five T stops away. That's way better than a seven-hour no-legroom bad-food transcontinental flight away.

Random aside: this will be the third company I will have worked for whose name is no longer an acronym for its longer, original, name.

When I joined Resilient Systems just over two years ago, I assumed that it would eventually be purchased by a large and diversified company. Acquisitions in the security space are hot right now, and I have long believed that security will be subsumed by more general IT services. Surveying the field, IBM was always at the top of my list. Resilient had several suitors who expressed interest in purchasing it, as well as many investors who wanted to put money into the company. This was our best option.

We're still working out what I'll be doing at IBM; these months focused more on the company than on me personally. I know they want me to be involved in all of IBM Security. The people I'll be working with know I'll continue to blog and write books. (They also know that my website is way more popular than theirs.) They know I'll continue to talk about politically sensitive topics. They know they won't be able to edit or constrain my writings and speaking. At least, they say they know it; we'll see what actually happens. But I'm optimistic. There are other IBM people whose public writings do not represent the views of IBM -- so there's precedent.

All in all, this is great news for Resilient Systems and -- I hope -- great news for IBM. We're still exhibiting at the RSA Conference. I'm still serving a curated cocktail at the booth (#1727, South Hall) on Tuesday from 4:00-6:00. We're still giving away signed copies of Data and Goliath. I'm not sure what sort of new signage we'll have. No one liked my idea of a large spray-painted "Under New Management" sign nailed to the side of the booth, but I'm still lobbying for that.

EDITED TO ADD (3/17): This is how IBM is positioning us, at least initially.

Posted on February 29, 2016 at 11:08 AM • 50 Comments

Comments

Z.Lozinski • February 29, 2016 11:26 AM

Congratulations on another successful security company. 3/3 is a pretty impressive record. And welcome ...

Mark Mayer • February 29, 2016 11:30 AM

> They know they won't be able to edit or constrain my writings and speaking. At least, they say they know it; we'll see what actually happens. But I'm optimistic. There are other IBM people whose public writings do not represent the views of IBM -- so there's precedent.

As long as the check clears, you can say whatever you want, and I hope the check was big enough that you're not worried about the next check.

Congratulations, Bruce. Nobody ever got fired for buying IBM. Probably the same goes for selling to IBM. ;-)

Bruce Schneier • February 29, 2016 11:32 AM

"Congratulations on another successful security company. 3/3 is a pretty impressive record. And welcome ... "

3/3? I count 2/2: Counterpane to BT and now Resilient to IBM.

Bryan Manske • February 29, 2016 11:41 AM

IBM has been buying up Software Defined Networking pieces, too. That's Holy Grail stuff for them. Not that they'd be interested in what I'm doing, but.... Good luck with the purchase. We all know what happens when we no longer own ourselves. But then, "always in motion is the future." I suspect that this will make it much harder to approach you with thought experiments regarding new algorithms and such (for a while anyway). Congratulations!

J. Johnson • February 29, 2016 11:45 AM

@ Bruce

Congratulations! I hope you will purchase and enjoy a new Tesla! This must be affordable after this big sale! ;-)

Wael • February 29, 2016 11:49 AM

> Random aside: this will be the third company I will have worked for whose name is no longer an acronym for its longer, original, name.

RBM (Resilient Business Machines) sounds more descriptive a name now! Say, how long of a prison term did you get? Are you gonna do a dime or a nickel behind the blue bars? :)

Clive Robinson • February 29, 2016 12:22 PM

@ Bruce,

Have they told you about the dress code?

It includes a "working man's noose" and something we Brits call a blazer along with black "Oxford Shoes" with "well bulled toe caps" so you need to practice "little circles"...

All jokes aside, enjoy what you can of IBM; they have some rather interesting bits they don't often talk about, I guess due to the size of it (rumour has it nobody knows everything it owns and does). Oh and the patent portfolio has some real surprises in it ;-)

Nick P • February 29, 2016 12:43 PM

@ Clive Robinson

Oh, but they do. It's on their research page, Alphaworks, and usually in various journals. Karger, one of INFOSEC's founders, even did a smartcard OS and CPU for them. Truth is, though, those are unusual parts of IBM. Most things they absorb tend to die far as their original form or greatness. They just get absorbed into IBM's other, substandard offerings for their locked-in or ultra-conservative clients in big business.

Note: The AlphaWorks page looks like a web designer with no talent tried to "modernize" it. It used to have all key tech & apps on the left in a long list. Now, one probably has to hunt around for the stuff. (sighs)

Wael • February 29, 2016 12:51 PM

@Clive Robinson,

> Have they told you about the dress code?

Once upon a time pin-stripe shirt was a requirement. Things loosened up a bit since... this is perfectly acceptable. I bet they didn't tell you that, @Bruce :) You can afford the nasal ivory bone now :)

> All jokes aside ...

Oh no, not so fast. Time for celebration :)

Reader • February 29, 2016 1:11 PM

"The people I'll be working with know I'll continue to blog and write books. (They also know that my website is way more popular than theirs.) They know I'll continue to talk about politically sensitive topics. They know they won't be able to edit or constrain my writings and speaking."

That's good to hear - keep up the good work with the blog!

An appreciative reader.

Andrew • February 29, 2016 1:30 PM

They will probably apply Watson analytic and machine learning to security incidents logs and trace data, which is interesting.

Bruce Schneier • February 29, 2016 1:44 PM

"They will probably apply Watson analytic and machine learning to security incidents logs and trace data, which is interesting."

I have to admit that I am intrigued by the possibility of using the Watson engine in security detection and response. No idea when, or even if, I will get to play with it.

Eric • February 29, 2016 2:58 PM

I hope this goes better than their ISS acquisition. What they did to RealSecure was a shame.

MikeA • February 29, 2016 3:29 PM

I certainly hope they don't specify the _type_ of necktie. The bow tie is far better for avoiding potential life-threatening encounters with the hopper of 1000 Card/Minute readers. The Doctor says "Bow ties are cool". As for pin-striped shirts? No way. Plain white only. Before the switch from round to rectangular holes, I suspect sleeve garters were also required.

Mark • February 29, 2016 3:47 PM

Congrats?

I've worked for IBM twice in my career here in Oz. Once as a midrange platform Y2K specialist, the second as a migration specialist. I must say, my memories are fond. Although not being always politically correct, my weirdest memory of my associations in dealing with IBM'ers, was when I was a Proactive Support Engineer at Sun Micro Systems and working with IBM on Sun's largest customer here in Oz. Telstra. It was good, bad and sometimes ugly. I remember the Moffat FBI investigation quite well still. I still have the newspaper articles that were printed here.

Let's hope that your acquisition / etc. proceeds with a clean and comfortable entity change.

All the best Bruce.

I really enjoyed our conversation when we met last year on your trip to Oz.

Am now waiting in another government line, due to bullshit from another government line, and work place crap.

I don't suppose you have a job?


Nick P • February 29, 2016 4:10 PM

@ Bruce Schneier

The Watson angle is actually an interesting idea. Machine learning, neural networks, and expert systems have already been applied to both network monitoring and incident response with success. There just haven't been many generic situations mostly due to vast array of configurations possible vs what training data tools use. I could see them combining Watson with other techs that sort of filter or pre-process the data into useful information that Watson could then act on using response rules from Resilient Systems.

David Leppik • February 29, 2016 4:38 PM

In terms of integrating with Watson, you may want to talk to some high-frequency traders. They've been dealing with AIs trying to outsmart AIs since the early 1990s.

CallMeLateForSupper • February 29, 2016 5:23 PM

@all

We will know when Itty-Bitty has assimilated Bruce: "application" will replace "program" in his speech and writing; a very large application will be a "platform"; "processor" will replace "computer" and will have "main store", not "memory"; "solution" will replace "service".

GiantRat • February 29, 2016 6:22 PM

I've worked for IBM Global Business Solutions (Federal). It was terribly mis-managed. The company's technology is generally robust but under-utilized internally (they often won't even use their own products).

I've also been a relationship manager for another large firm that was doing business for them. As mentioned up-thread, they butchered ISS (just ask one of the ISS techs from the pre-acquisition days).

I may also have been born in the same place that IBM was. They butchered the entire region (economically), all in a day, because they couldn't figure out how budget management works (take a look at how things went down in 1992). That problem persists - when I was working for them, they asked us to work on sensitive projects while being 112% utilized, which is illegal (that would require working three classified projects at a time, which is a cross-contamination problem).

I don't dislike IBM, but hope they figure out how to do business management better.

I do congratulate you @Bruce on what I assume is an exciting and lucrative opportunity. I hope that you can be a positive instrument of unscrewing the broken bulbs at IBM.

Nick P • February 29, 2016 6:39 PM

@ GiantRat

" It was terribly mis-managed. The company's technology is generally robust but under-utilized internally (they often won't even use their own products). "

That's what a former IBMer said on Hacker News when we were discussing the BlueBox acquisition. I pointed out IBM supposedly had an internal scheme (blue dollars?) letting other IBM groups use freely or at a discount their I.P.. They also have I.P. for about everything, including some cutting-edge stuff. The employee said most teams avoided IBM's software and services anyway to use FOSS or other proprietary products. They thought they were inferior. Ouch.

tyr • February 29, 2016 7:14 PM

Most of Big Blue's problems internally are from being
driven by sales and viewing cutting edge tech as a
side show. Which is horribly weird in a corp that has
made its money off from cutting edge technology. You
are going to have a good time there since they have
had some cutting edge math folks around for years.
Remember to enjoy it and collect a few stories for
later.

jfgunter • February 29, 2016 9:30 PM

If digital security is so hot, why are all the 20+ companies in the HACK ETF such losers? Each component gets hot for a while, then crashes: CYBR, FEYE, PAMW, for example ...

And, while I'm at it why is mechanical technology so reliable and solid, while with digital technology you never stop having to f**k with it? My Moto G used to be so simple, and now it's as slow as Windows!

Ironic • February 29, 2016 10:44 PM

The ISS acquisition was a disaster because it went into services, which was, and still is, a total mess. Bruce's company is going into the security division which is the best run part of the entire company. They'll do great.

To the other poster, initiate still exists. Just rebranded as IBM MDM.

RAR • March 1, 2016 12:42 AM

Your link to resilient systems has an extra "/"
(http:///www.resilientsystems.com)

Green Squirrel • March 1, 2016 2:09 AM

First off congratulations to Bruce for what must be a very lucrative deal.

Having worked for IBM on one occasion and for companies who purchase services from IBM on three occasions, however, I think this is actually a bit of a sad day.

IBM has some truly amazing people working for it. It has some fantastic visionaries, it has some genuinely gifted security and technology people.

Unfortunately these are largely drowned out by the overwhelming volumes of petty minded, sales-driven charlatans. Their managed services offerings follow a very predictable trend of being brilliant for the first six months as they deliver with the same people who won the business. This is the A+ service.

After this honeymoon period, the good ones move on to "win new business" and the second tier of off-shore workers take over. These tend to be at least above average but there are gaps in their knowledge and they are using a lot of the customer's time to get better.

Around six months or so of this B- service and it's time for these to move on - they have either upskilled enough to find new jobs within IBM or they have been offered good roles elsewhere.

This is when things go downhill. From this point on, it tends to be a race to the bottom as each new wave is slightly less skilled than the one before. All driven because an IBM Service Manager needs to keep his profits high so lower skilled workers become more and more attractive.

Three times I have seen this happen to large clients who signed up to 10 year contracts with IBM. On all three occasions by the end of the second year, the people delivering the service were so poorly skilled, the non-IBM client had to resort to bringing in other service providers (which is where I came in) to support and manage the IBMers.

It is frustrating because, as I said at the start, some of the IBM guys are so amazing at their job mere mortals aren't worthy of walking in their shadow. It's a shame that most of IBM service delivery monkeys struggle to follow checklist instructions.

Given the standard with which IBM offers SOCs/ERS, I can't wait to see how they live up to the promises made around this purchase. (Hopefully they will learn how to respond to malware incidents before too long....)

David • March 1, 2016 5:18 AM

As has been noted above, the ISS acquisition took place at a time before IBM had really got serious about a Security business. There was no place for it to go, apart from the Services business. That meant the products themselves were somewhat ignored. It was a bizarre thing to do with the ISS business, and is regarded by everyone there as THE example of how NOT to acquire.

IBM Security now is a completely different ball-game. QRadar has become THE example of how TO acquire, it seems to have thrived in IBM. I think this is a very good match.

Jonathan Wilson • March 1, 2016 6:43 AM

I just hope that IBM doesn't use its long standing contracts with the NSA (the NSA has been using IBM computers for its work since the beginning) as a way to say to Bruce "please don't say bad things about such an important customer" or to get Bruce to stop talking about the NSA in the way he has.

Then again, knowing Bruce, I doubt he would have agreed to become an IBM employee if it meant he had to stop saying the things about the NSA he has been saying.

I do wonder if working for IBM is still the way it is described in the excellent book "The Dream Machine: J.C.R. Licklider and the Revolution That Made Computing Personal". I particularly like the bit about Licklider being given the choice between a "THINK" sign or a portrait of Thomas J Watson Jr for his office...

Hisham Kamal • March 1, 2016 7:18 AM

Congratulations Bruce.. I am with IBM Security and we all look forward to working with Resilient Systems' team. This is very exciting news!!

T Ravelin • March 1, 2016 10:03 AM

It sounds like they are going to stay centered in Cambridge, or will they move things to New York or Richmond or ?

Bruce Schneier • March 1, 2016 12:46 PM

"It sounds like they are going to stay centered in Cambridge, or will they move things to New York or Richmond or?"

IBM Security is in Cambridge, so I can't imagine them moving Resilient.

Bruce Schneier • March 1, 2016 3:25 PM

"Then again, knowing Bruce, I doubt he would have agreed to become an IBM employee if it meant he had to stop saying the things about the NSA he has been saying."

Yes, that was pretty much my first question.

Anon Y. Mouse • March 1, 2016 7:27 PM

I doubt you'd be as sanguine about being acquired by IBM if you give any
credibility to the columns on IBM written by Robert X. Cringely in the
past few years. (http://www.cringely.com/)

Enjoy the honeymoon period while it lasts. My experience is no acquiring
company can ever resist tampering with its purchases for long. When the
corporate suits start showing up with any regularity, asking questions
and poking at things, that's the beginning of the end. Best to get out
before that happens.

RR • March 1, 2016 9:12 PM

I'm having trouble finding anything good to say about Qradar after IBM bought it. It's not a product I recommend anymore, I try not to use it unless I'm forced to.

moo • March 2, 2016 4:37 AM

@Anon Y. Mouse:

Anecdotal, but I once worked for a wholly-owned subsidiary of IBM that they took remarkable care not to fuck up (since they knew they needed the stuff it made, they viewed it as a sort of golden goose). After more than a decade of hands-off ownership, we did eventually get digested and become IBMers, but the transition was handled carefully and the key employees got lavish deals that kept nearly all of them happy enough to stay.

Resilient represents a valuable asset to IBM and I predict that they will be pretty careful not to wreck it. I think certain parts of IBM, including their security division, are savvy enough to handle that.

Peter • March 2, 2016 8:46 AM

Great, IBM will make their software bloated, unmanageable, and overpriced now... Poor QRadar SIEM.

Gordon • March 3, 2016 8:43 AM

"Deals are made in optimism, but the reality is much less rosy. I don't think that will happen here."

Are you sure, Mr Schneier? Just look at what IBM did to Lotus Smartsuite. They purchased Lotus Software back in 1995 and had the best spreadsheet (Lotus 1-2-3) and the best organizer (Lotus Organizer). However, IBM never really invested in further development of the SmartSuite. Some two years ago, IBM ended support of the SmartSuite, though quite a lot of people still use it. A prime example of how to destroy an acquired company. Fortunately, the SmartSuite still works on Win 10.

Dirk Praet • March 3, 2016 10:34 AM

@ Gordon

> Some two years ago, IBM ended support of the SmartSuite, though quite a lot of people still use it. A prime example of how to destroy an acquired company.

In tech, nobody did acquisition worse than Sun Microsystems. The way they managed to completely and utterly destroy both the Cobalt and Netscape product lines was beyond epic, to the point that many of us SE's started questioning not just the competence but even the mental health of (some of) our then leaders.

Z.Lozinski • March 3, 2016 10:48 AM

@Gordon,

> Just look at what IBM did to Lotus Smartsuite.

I don't think I'm breaking any confidences in saying that the reason IBM acquired Lotus was for Lotus Notes. (Indeed after a quick check, this is official). There is probably a good study to be written on the saga of SmartSuite / Organizer vs Office / Outlook vs OpenOffice.

CallMeLateForSupper • March 4, 2016 10:51 AM

Certain parts of the IEEE article are very, very familiar. "Déjà vu all over again."

mary shaffer • March 4, 2016 5:13 PM

Thank you for your writing on the TSA. They seem to be getting greedier. It now costs $85 to get a pre-boarding 'clearance' from TSA.

Perhaps you could delve? Follow the money? I've read several times that the Bush family made money on 'no child left behind'. I suspect they are making money from TSA. Bush Jr. was in the airline catering business...maybe some connection through some of those contacts?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.