Starting the New Year off with a bang, Google Cloud last week announced its acquisition of Siemplify, a leading Israeli security orchestration, automation, and response (SOAR) provider. On the surface, the acquisition appears straightforward. With Siemplify, Google Cloud can deliver a modern threat management stack that Sunil Potti, vice president and general manager of Google Cloud Security, says will help security analysts solve complex incidents in an easy-to-use way.
If we look beyond the surface though, this acquisition does the following to the SOAR market:
Siemplify was one of only a handful of remaining standalone SOAR vendors – and now the shallow pool has become even more sparse. Today, there just isn’t enough addressable market for a company to sustain itself. On top of that, user adoption has been slow and value realization takes significant effort. Because of this, I believe we’ll see SOAR feature sets rolled up into larger cybersecurity ecosystems – in a very similar way to how user behavior analytics (UBA) technology integrated with security information and event management (SIEM) systems.
With so few stand-alone SOAR vendors left, we’ll have to see if Microsoft follows in Google Cloud’s footsteps and makes a similar acquisition. The company purchased Hexadite back in 2017, which might already give Microsoft what they need to compete with SOAR capabilities. Or they might opt to go after one of the very few remaining stand-alone SOAR providers, such as Swimlane.
SOAR technologies have failed to deliver on their original promise to automate away the human element in security investigations by taking over orchestration and response to threats and incidents. In reality, very few security issues have end-to-end predictability with binary outcomes. This was a leading driver in SOAR failing to live up to the hype – further undermining the stand-alone market and leading to a bifurcation of SOAR functionality.
Originally, SOAR vendors were laser-focused on threat prediction and automated response. However, given the challenges organizations have experienced, many SOAR providers pivoted direction to focus on data enrichment and automating the contextual collection of data (based on an alert or event) to give tier-one analysts the information they need to better understand what’s happening. In short, they’re now focusing on data orchestration rather than automated response. Siemplify’s SOAR technology aligns with this switch, and its acquisition by Google Cloud validates the market’s new direction.
The need for a security ecosystem validates why organizations now require a data integration layer. In 2018, Google Cloud invested in its Chronicle security analytics and threat intelligence service, and it will integrate Siemplify’s SOAR technologies into that platform. The Siemplify acquisition further demonstrates the need for vendors to have integration capabilities beyond their own technologies if they want to deliver meaningful security solutions to customers. And this, in turn, brings to light two very important lessons.
First, organizations that have effective security architectures, platforms, and strategies view security as an ecosystem that works in concert, rather than a bunch of point solutions that work independently. Second, the only way to make all of these disparate security tools work together as an ecosystem is to implement an integration layer that serves as a data hub.
And this brings me to my final point. When it comes to security investigations, we need to move beyond the universal data centralization approach. It has always been a lofty goal, and in today’s complex, siloed security architectures, it’s impossible. Organizations need to modernize their operations to deal with decentralized, distributed data from a variety of tools and platforms.
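To make the shift from automated response to data orchestration concrete, here is an added example (not code from the article, from Siemplify, or from Query.AI) of what an enrichment-first playbook looks like in practice: an alert is fanned out to several independent data sources through an integration layer, the context is assembled in place rather than copied into a central store, and the output is a recommendation for a tier-one analyst rather than an automatic action. All data sources, hosts, users and IP addresses below are constructed in-memory stand-ins; in a real deployment each lookup function would call the tool's own API.

```python
"""Alert enrichment through an integration layer, with no central data lake.

Illustrative example only: the inventories, feeds and events below are
constructed stand-ins for the tools an integration layer would query.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# --- constructed stand-ins for the tools behind the integration layer -------
ASSET_INVENTORY = {  # CMDB: IP -> host metadata
    "10.0.5.23": {"hostname": "fin-ws-017", "owner": "finance", "criticality": "high"},
}
IDENTITY_DIRECTORY = {  # IdP: username -> account attributes
    "jdoe": {"department": "finance", "privileged": False, "mfa_enrolled": True},
}
THREAT_INTEL = {  # TI feed: indicator -> verdict
    "198.51.100.77": {"verdict": "malicious", "tags": ["c2"], "source": "constructed-feed"},
}
EDR_EVENTS = [  # endpoint telemetry: process starts per host
    {"host": "fin-ws-017", "process": "powershell.exe", "parent": "winword.exe", "ts": "2022-01-10T09:14:02Z"},
    {"host": "fin-ws-017", "process": "explorer.exe", "parent": "userinit.exe", "ts": "2022-01-10T08:01:00Z"},
]


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    dst_ip: str
    user: str


@dataclass
class Enrichment:
    alert: Alert
    context: Dict[str, object] = field(default_factory=dict)  # one entry per connector
    errors: List[str] = field(default_factory=list)           # connectors that failed


Connector = Callable[[Alert], dict]


# --- connectors: each one asks one tool a narrow question about the alert ----
def asset_lookup(alert: Alert) -> dict:
    return ASSET_INVENTORY.get(alert.src_ip, {})


def identity_lookup(alert: Alert) -> dict:
    return IDENTITY_DIRECTORY.get(alert.user, {})


def intel_lookup(alert: Alert) -> dict:
    return THREAT_INTEL.get(alert.dst_ip, {"verdict": "unknown"})


def edr_lookup(alert: Alert) -> dict:
    # Resolve the host name first so the endpoint query stays scoped to one asset.
    host = ASSET_INVENTORY.get(alert.src_ip, {}).get("hostname")
    return {"recent_processes": [e for e in EDR_EVENTS if e["host"] == host]}


def ticketing_lookup(alert: Alert) -> dict:
    # Simulates an unreachable tool; enrichment must degrade, not abort.
    raise TimeoutError("ticketing system unreachable")


CONNECTORS: Dict[str, Connector] = {
    "asset": asset_lookup,
    "identity": identity_lookup,
    "intel": intel_lookup,
    "edr": edr_lookup,
    "ticketing": ticketing_lookup,
}


def enrich(alert: Alert, connectors: Dict[str, Connector] = CONNECTORS) -> Enrichment:
    """Fan the alert out to every connector; one failing source must not block the rest."""
    result = Enrichment(alert)
    for name, fn in connectors.items():
        try:
            result.context[name] = fn(alert)
        except Exception as exc:  # record and continue; the analyst sees what is missing
            result.errors.append(f"{name}: {exc}")
    return result


def recommend(enrichment: Enrichment) -> dict:
    """Turn gathered context into a prioritised recommendation for the analyst.

    Nothing here takes action on its own; the suggested step is for a human to confirm.
    """
    ctx = enrichment.context
    reasons = []
    if ctx.get("intel", {}).get("verdict") == "malicious":
        reasons.append("destination IP flagged malicious by threat intel")
    if ctx.get("asset", {}).get("criticality") == "high":
        reasons.append("source host is a high-criticality asset")
    procs = ctx.get("edr", {}).get("recent_processes", [])
    if any(p["process"] == "powershell.exe" and p["parent"] == "winword.exe" for p in procs):
        reasons.append("Office process spawned PowerShell on the host")
    priority = "P1" if len(reasons) >= 2 else "P3"
    action = "isolate host pending analyst review" if priority == "P1" else "monitor"
    return {"priority": priority, "reasons": reasons, "suggested_action": action,
            "missing_context": list(enrichment.errors)}


if __name__ == "__main__":
    sample = Alert("A-1", "10.0.5.23", "198.51.100.77", "jdoe")  # constructed alert
    print(recommend(enrich(sample)))
```

The design point is that each connector owns one narrow question against one tool, the data stays where it lives, and a dead connector only shows up as an entry in `missing_context` so the analyst knows which view is incomplete rather than the whole playbook failing.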
While we can break down Google Cloud’s acquisition of Siemplify as a $500 million transaction, it gives us priceless insight into the current and future state of the SOAR market. The large vendors will keep buying up smaller, niche players, so it’s important for security teams to keep the end goal in sight: making security investigations simpler, faster, and more effective using a modern approach based on a security ecosystem.
Andrew Maloney, co-founder and COO, Query.AI