F5's $1B Shape Security Acquisition: What It Means for SPs

Shape has multiple service provider customers who rely on the service for fraud and abuse detection, and the deal also provides potential for managed services opportunities.

Mitch Wagner, Executive Editor, Light Reading

December 23, 2019


F5 rang in the holidays with a $1 billion security acquisition, putting fraud and abuse specialists Shape Security under its tree. The acquisition is primarily an enterprise play, but service providers aren't getting stuck with lumps of coal -- the deal has some service provider ramifications.

Shape counts service providers among its top customers, according to an F5 spokesperson. And Shape provides managed services opportunities for SPs looking to win enterprise business.

F5 and Shape announced the definitive agreement Thursday. Santa Clara, Calif.-based Shape protects the biggest banks, airlines, retailers and government agencies with bot, fraud and abuse defense. "In particular, Shape defends against credential stuffing attacks, where cybercriminals use stolen passwords from third-party data breaches to take over other online accounts," the companies said.

That's where telcos find Shape particularly valuable, an F5 spokesperson tells Light Reading. A case study on Shape's website about an unnamed "top 3 telecom provider" claims that organization was able to detect credential stuffing using Shape.

The threat for telcos is that attackers use stolen telco credentials for upgrade theft -- buying devices at a discount to sell on third-party marketplaces. Additionally, attackers can use stolen mobile credentials to gain access to services such as email and financial accounts, as consumers often use mobile credentials for two-factor authentication. And they'll use stolen mobile numbers for phone scams, Shape says.

A marriage in the cloud
The two companies tout the deal as marrying F5's multicloud application protection with Shape's fraud and abuse prevention capabilities, to provide "end-to-end application security, potentially saving billions of dollars lost to fraud, reputational damage, and costly disruptions to critical online services," the companies said.


The deal fills in a gap for F5, compared with its competitors, in anti-bot and API security, says Ovum analyst Eric Parizo. And because Shape is software-based, F5 can add Shape as a feature of BIG-IP relatively easily. "Huge upsell opportunity," the analyst says.

Also, Shape is "relatively high touch" and F5 is keeping Shape's professional services team, which amounts to at least several dozen people -- "pretty large for a 350-person company," Parizo says. Enterprises often need extended support for Shape, or to just offload management entirely. That support need could provide service provider opportunity, says the Ovum analyst.

F5 provides application performance management and security using on-premises hardware, and is transitioning to a cloud model. The Shape acquisition is a big step in that direction.

As part of that transition, F5 acquired NGINX in 2019, for $670 million. NGINX develops an open source web server with load balancer and other network services.

An armed raid
NGINX became a focus of controversy this month as the Russian company's offices in Moscow and the homes of founders Igor Sysoyev and Maxim Konovalov were raided by police armed with automatic weapons in an intellectual property dispute. The founders were brought in for questioning.

The raid was instigated by Russia's Rambler media group, which claimed to own key intellectual property peddled by NGINX. Rambler has asked Russian law enforcement to cease pursuit of the criminal case and begin talks with NGINX and F5 -- resolving the situation through negotiations.

F5 is reassuring users that it's taking steps to ensure the security of its master builds for NGINX software, which are stored on servers outside Russia.

F5 is not currently a party to the NGINX intellectual property dispute, an F5 spokesperson said last week, adding, "No employees have been arrested or are currently detained. F5 fully supports our employees and we believe these claims against them do not have merit."

In other security M&A activity, VMware acquired Carbon Black, which provides cloud-native endpoint security, with a price tag of $2.1 billion.

— Mitch Wagner, Executive Editor, Light Reading

