Palo Alto Networks has acquired security operations, analytics, and response (SOAR) vendor Demisto for $560m, a deal which enhances its play in the evolving security management market. Ovum sees this as the latest development in the industry's attempts to go beyond security incident and event management (SIEM) technology.
With some 150 enterprise customers on its books, Demisto was a leading player in the SOAR market, a segment that has emerged over the last few years to address the growing need for security management to extend into incident response. In the first instance, this involves playbooks to streamline human responders' activities, with integration to ticketing and IT service management systems and, beyond that, automated response. Indeed, another translation of the SOAR acronym has it standing for security orchestration, automation, and response.
Meanwhile, Palo Alto is among a handful of major cyber vendors proposing "platforms," meaning technology to span silos of security tools from multiple vendors and enable a centralized, enterprise-wide view of threats, as well as the concomitant response actions. Others include Symantec, McAfee, Cisco, and RSA. Some of them are SIEM vendors, while others identify the need to supersede SIEMs, whose shortcomings Ovum has chronicled in other reports.
SOAR and user and entity behavior analysis (UEBA) are two areas of technology that have arisen to address shortcomings in SIEM platforms, and it is no coincidence that some SIEM vendors have made acquisitions in these areas to supplement their technologies: IBM bought SOAR vendor Resilient in 2016, Splunk acquired Phantom in 2018, and RSA snapped up Fortscale in April 2018.
Palo Alto has no SIEM, but its Security Operating Platform can, in many ways, be considered a complement or an alternative to SIEMs, and the addition of SOAR capabilities makes its security management offering a compelling one.
"On the Radar: Seceon moves into SIEM with AI-based protection," INT003-000309 (January 2019)
"Defining a platform for managing threat intelligence," INT003-000264 (November 2018)
"Jask offers a platform for enterprises to go beyond SIEM," INT003-000162 (May 2018)
"Is SIEM dead or just on life support?" INT003-000135 (April 2018)
Rik Turner, Principal Analyst, Infrastructure Solutions