Fortinet has acquired security orchestration, automation, and response (SOAR) vendor CyberSponse in the latest in a series of opportunistic tuck-in acquisitions by Fortinet. Fortinet is among the large cybersecurity "platform" vendors seeking to ease front-end integration of portfolios designed around multiproduct threat detection and response.
Fortinet has one of the broadest portfolios among the large enterprise cybersecurity vendors, spanning network, endpoint, cloud, SD-WAN, Wi-Fi, application security, and identity and access management as well as a series of products in security operations including security information and event management (SIEM), analytics, and user and entity behavior analysis. It expects the CyberSponse technology to enhance its FortiSIEM product, its FortiGate firewalls, and its FortiAnalyzer security and log management platform.
Fortinet's acquisition of CyberSponse is opportunistic; CyberSponse, based in Arlington, VA, has fewer than 100 employees, less than $8m in funding, and is believed to have struggled to compete with a cadre of well-funded, larger rivals.
SOAR technology has emerged in recent years, at least in part, to address a key shortcoming of SIEMs: while they collect and analyze security data, they generally cannot coordinate or conduct incident response. SOAR provides that capability, bringing orchestration and automation to bear to streamline mundane, repeatable activities such as event enrichment; it also handles more complex actions such as isolating, analyzing, and remediating an infected endpoint. This becomes increasingly important as the concept of XDR (integrated threat detection and response across endpoints, networks, clouds, and beyond) gains traction.
SOAR's key benefits include reducing the time that highly paid, hard-to-find security incident analysts spend conducting mundane response activities; easing the difficulty of managing multistep security processes that involve two or more unique, best-of-breed security tools; and reducing the time to mitigate and, ultimately, remediate security incidents.
As that market segment took shape, a logical development was that several SOAR vendors were acquired, particularly by large players with complex product portfolios aiming to gain ground in the security operations market:
IBM bought Resilient Systems in 2016, before the SOAR acronym had even gained currency.
Around the same time, FireEye purchased security orchestration and automation specialist Invotas.
In 2018, Splunk acquired Phantom Cyber.
In 2019, Palo Alto Networks bought Demisto. While the buyer is not a traditional security operations player, it is clearly developing a broader security management capability with its Cortex technology.
Fortinet's move advances this trend and, given Fortinet's record of successfully integrating technologies it has purchased in this way, stands a good chance of success.