Big Fish Eat Little Fish As Portfolio Players Gobble Up SAO
Security has long been hampered by a deluge of data, manual processes, and vendor sprawl. Technology has evolved to address the first two of these, but expense in depth continues as new functionality and innovation are often only available through startup vendors and standalone best-of-breed vendors. Too often, startups are product features, not standalone companies.
The cybersecurity vendor food chain has larger vendors swallowing the smaller vendors to add breadth to their portfolios and allow them to address new problem spaces. The addition of additional capabilities, the relative purchasing ease, and the desire to reduce the number of security vendors are motivating security buyers to be more willing to purchase from portfolio vendors.
Palo Alto Networks announced yesterday that it is purchasing security automation and orchestration (SAO) vendor Demisto. This is the fifth cybersecurity vendor acquisition by Palo Alto Networks in the past two years, as it adds security analytics, automation, EDR, and incident response capabilities to its portfolio.
Last year, Forrester published the report, “Now Tech: Security Automation And Orchestration (SAO), Q3 2018,” which covers 17 SAO providers in four primary market segments: IT solution providers, SAO pure plays, security analytics providers, and security portfolio vendors. Vendors such as IBM, FireEye, and Rapid7 bought into SAO early with the acquisitions of Resilient, Invotas, and Komand, respectively. Splunk got into the space last year with its acquisition of Phantom. Only a few standalone SAO players such as CyberSponse, Ayehu, Siemplify, Swimlane, and Syncurity remain but will likely be taken off the board by larger players.
As the demand for automation and orchestration increases and the SAO market matures, Forrester expects continued consolidation. This consolidation will be centered around:
- Security analytics platforms, adding automation and workflow to security analytics platforms. Vendors such as Exabeam, IBM, LogRhythm, and Splunk are examples.
- IT solution providers, extending existing IT solutions into security operations. Vendors like Resolve Systems and ServiceNow are examples.
- Security portfolio vendors, adding automation and orchestration to a portfolio of security products. Vendors such as FireEye, Palo Alto Networks, Proofpoint, Rapid7, and Threat Connect are examples.
While a small handful of standalone vendors may continue to exist as a security middleware layer that ties together multiple technologies or focuses on niche use cases, most of the market will be subsumed by larger players. This makes perfect sense when you consider that complexity is a leading cybersecurity challenge and that security pros suffer from vendor fatigue, complaining about the number of vendors they have in their environments. After all, if you are solving the problem of too many different technologies that don’t talk to each other, the last thing you want to add is yet another technology to make them all talk to each other.
Forrester has long advocated for S&R pros to embrace automation as part of their security program. Our report, “Rules Of Engagement: A Call To Action To Automate Breach Response,” demonstrates a model that uses security analytics for threat detection combined with policies and SAO technology to automate breach response. Security automation and orchestration is also a key component of the Zero Trust eXtended (ZTX) framework and an important capability for ZTX ecosystem providers.
Attackers will continue to evolve, weaponizing AI and using automation to carry out attacks. There was already too much malware and too many threat actors for us to cope with without automation. Security teams can’t hope to defend against adversaries that are using sophisticated computational tools against their enterprise without automation. In short, enterprises that don’t automate will die . . . or at least, it will feel like they have.
S&R pros should look for ways to automate their security processes, starting with operational tasks such as triage, context gathering, and investigation. From there, they can evolve to automate response actions as they gain confidence and experience. Choose automation and orchestration capabilities from the vendors that best fit your environment, security team, and current technology investments.