Consulting giant Deloitte dipped its toes into the cyber acquisition market once again this year, announcing the purchase of security startup Terbium Labs.
Terbium Labs, a Baltimore, Maryland-based company started in 2013, sells an online risk platform as well as continuous monitoring and anti-fraud services. A press release stated that Deloitte acquired “substantially all of the assets” of the startup. In an interview, Deloitte principal Kieran Norton said the deal gives Deloitte “all of the technology components and operations” at Terbium Labs, like Matchlight, their cloud-based risk platform, its embedded digital data fingerprinting capabilities, more than 90% of the startup’s full-time employees and most of their customers.
Matchlight is built around a patented technology that creates a digital “fingerprint” of a company’s sensitive data (such as personally identifiable information or intellectual property) within their IT environment. Matchlight then uses a machine learning algorithm to scan the open and dark web for signs that the data is being discussed, sold or leaked anywhere. While Terbium Labs offers a number of services such as domain name monitoring that could be easily folded into Deloitte’s existing threat intelligence offerings, it was the company’s platform and fingerprinting tech that ultimately piqued their interest in a deal.
Most machine learning systems are only as good as the underlying data they’re trained on. Because Matchlight is narrowly tailored to search only for fingerprinted data on the public and dark web, it can serve as an early warning system for a data breach or compromise. Norton said the Terbium approach around fingerprinting “is very unique in our industry” and also cited the expertise of the workforce.
“A lot of companies will go out there and scan the dark web, or they monitor Pastebin and other dump sites to identify credentials or information…but that is more of a reactive approach,” said Norton. “The approach that Terbium is using is a little bit more proactive and it’s a little bit more targeted toward monitoring specific elements of information and data in the wild, as opposed to just waiting for those dumps to hit the wire.”
While Deloitte did not retain every employee, Norton indicated that the company was just as interested in the subject matter expertise of the people behind the product and said there are no plans for further layoffs.
“Our approach since the beginning has been that we want them here for the long haul. We’re not in a circumstance where we’re resource constrained or having a hard time finding opportunity in the marketplace… we need all the talent and skillset and experience we can get.”
The acquisition is designed to complement Deloitte’s existing consulting, managed services and threat intelligence operations, which have traditionally been focused on tracking threat actor groups, their tactics, techniques and procedures and technical indicators for malware. It is, the company notes, their third cyber-focused acquisition of the year, after buying cloud security provider CloudQuest in June and threat hunting firm Root9B in January. The company declined to provide the financial cost and terms of the Terbium Labs deal.
In addition to Deloitte, other large consultant companies have been snatching up cybersecurity companies over the past few years. Accenture purchased French consulting company OpenMinded in April and Philadelphia-based Revolutionary Security last year to buttress their cloud and critical infrastructure security offerings, Ernst and Young purchased Canadian digital identity firm and managed service provider IDMSense last year and PwC bought the Fairpoint, New York cloud transformation, security and consulting firm EagleDream in November 2020.
Norton said it is likely not the last security company Deloitte will buy this year. The through-line for the three previous acquisitions was to buy capabilities in the security space that are complementary to Deloitte’s existing cybersecurity offerings but difficult to create internally.
“From our perspective we’re not so much going out there looking for obviously anyone, we’re going out and looking at targeted spaces where we have gaps to fill or additional opportunities to grow,” he said.