Could Citrix acquire Bromium as part of their mission to become a security company?

Citrix wants to be a security company. The strategy they outlined at Synergy covered threats from outside the organization, but what about threats that come from user activity?

In the midst of rumors that Citrix is for sale, combined with my opinion that at Synergy they positioned themselves as a security company to make them more attractive to potential buyers, I wanted to explore another angle that–one that doesn't involve Citrix being sold.

The thing is, there's a lot of good that can come from Citrix being a security company. They occupy a spot in the top tier of desktop virtualization platforms, and though that may not be as sexy as it used to be, the world will need what Citrix sells for well into the foreseeable future. Combine that with the mobility and cloud offerings they have, and you can see why they would want to repackage their platform as a security platform. It's security for the modern era–the one where we have to support legacy and new-age technologies.

So what can Citrix do to ensure that their platform is the most secure out there? They're creating the Citrix Analytics Service, which as best I can tell is just a concept. A source that we can't identify indicated that what we saw at Synergy, which amounts to using Machine Learning and AI to analyze user activity and assess risk, was little more than a PowerPoint mockup, but that doesn't mean Citrix isn't working on it. They have access to all the data, so it makes sense that they'd try to build a platform to use it.

CAS is a good idea, but it doesn't help threats that originate from inside the environment. Take ransomware, for example, which has proven difficult to deal with. Citrix CEO Kirill Tatarinov recently said at The Deal's Corporate Governance Conference that companies are "proactively bulking up on bitcoins, anticipating attacks." (He went on to say it was a "couple companies in the UK," so it's not an epidemic.)

Okay, I guess I can see the rationale there. Why waste time and money acquiring bitcoins at a premium after you've been compromised when you can just have them ready to go when it happens. On the other hand, though, does it make sense to invest in a volatile currency whose price can be driven up by the very nefarious activities that require bitcoins to recover from those activities? On January 1, 2017, bitcoins could be bought for just under $1,000 USD, and today they're worth nearly $2,500 $2,380 $2,368 $2,371 USD (the price literally changed that much as I wrote this paragraph.) As you can imagine, WannaCry drove up the value of bitcoins, to a high of $3,000 USD earlier in June.

With that kind of volatility, pre-buying bitcoins doesn't seem to make sense. The bottom could drop out and, even without an attack, a company could lose money. Wouldn't it make more sense to invest that money into preventing the attacks from happening in the first place?

And, wouldn't it make sense for Citrix to meet you in that spot when you're ready? Especially if you already use them for your desktop virtualization?

With that in mind, I want to throw something out there. Keep in mind I have no idea how this would shake out, if it's possible, or if anyone even cares, but what if Citix did something that would completely set themselves apart from VMware, let alone all the other desktop virtualization platforms that are on the market. What if they took steps to make sure that their platform was, in fact, the most secure place to run Windows desktops and applications?

What if Citrix bought Bromium?

I'm not suggesting Bromium is for sale. They may not want to sell. They may want to go public. They may see themselves as having such a bright future that they couldn't possibly get out this early. But think about it­­–both companies cater to a market that is nearing the Extended Support phase of life. They're selling products that are built around Windows and Windows applications, which, while they'll be around for a while, there's little doubt that the world is moving in a different direction.

If Citrix bought Bromium and incorporated it into the XenDesktop/XenApp family, worked with Microsoft to see if they could also get it into Azure, and continued to sell it as a standalone product, they would have a ridiculously compelling value prop that would be hard to ignore. That, combined with all the other stuff Citrix is doing, could position Citrix as the cloud, application, and desktop delivery, mobility, and security company they want to be. Plus, they'd bring Simon Crosby, Ian Pratt, and others back into the Citrix fold that can certainly help the company down that path.

Again, I'm just throwing this out there. Bromium, according to Crunchbase, has taken on $115.8M in funding. With that much funding, it would likely take a heck of a large acquisition (or maybe even a merger?) to make it happen. That said, Citrix does have cash in the neighborhood of $907M, so it's not like they don't have room to make a move if there is a move to be made.

What do you think?

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Two turkeys don't make an eagle!
Brian - I had great respect for you. Everyone knows that you're close to Bromium founders. But now that you're pimping for Bromium to get bought by Citrix just shows that i need to stop reading your blog. Bromium technology has been totally rejected by the cyber security industry. Are you drunk? Thinking that they'll go public shows that you're indeed drunk or getting paid by Bromium to write this desperate blog. People don't need Bromium anymore, they lost the wave. Just use Windows10. #nomorebrianmadden
Hi mafawars, this post was written by Gabe. Brian left the industry last year: #nomorebrianmadden

Is this what Citrix is already trying to do with the direct inspect APIs in Xenserver?  Is Bitdefender a more likely partner than Bromium?  I do think that Bromium's lack of a XenApp specific (rather than XenDesktop) product complicates the picture.  I understand the scalability cost of doing a XenApp / published application microvisor product, but given how the security landscape seems to have utterly changed in the last year, I suspect there are many companies that would tolerate the scalability hit for a more secure environment.  Regardless of Citrix, I think this is going to be a very interesting time for security vendors.

BTW Gabe, congratulations on the "drunk" troll.  I would take that post as a high compliment...