
LogRhythm, Exabeam, Splunk, QRadar, Palo Alto .... arrr


LogRhythm, Exabeam, Splunk, QRadar, Palo Alto …. large cyber security acquisitions are happening to the left, to the right and straight ahead. What is going on, and why is it occurring?

For those 15 of you who have not read the news yet, here it is:

LogRhythm and Exabeam join forces, Splunk is acquired by Cisco here, and QRadar is going to Palo Alto (not quite) here.

The mergers that have occurred here are the result of a mature market consolidating, which happens when it becomes difficult to find net new clients and to keep growing revenue at levels that are not sensible. SIEM is still critical to a modern SOC and it is not going away; I have seen comments and posts on Reddit claiming otherwise and it is simply not true. Here is a sample:

Whether these acquisitions make sense at face value depends on your opinion. Within the bunch there are a few different reasons for what has happened, and, though this is my opinion, I am confident that I am not 100 miles off being correct – pretty close when discussing very long distances!

LogRhythm and Exabeam

LogRhythm and Exabeam: this is the easiest one. This play is a consolidation. Each company has been in the market for many years and both are struggling to increase market share at the rate expected by corporate investors and private equity. Each could be doing well enough, but the cyber security market is tough, and not growing at the expected rate is the death cry of a company in the times we live in today.

Opinion: The acquisition is not going to change very much. My experience from working for software vendors is that both products will continue to be sold until it makes sense to get rid of one. There will be talk of integrations and migration paths, but this will not happen; it is simply too expensive when the goal is to maximise gross profit and limit spend on research and development. For customers of either vendor, expect things to stay the same except pricing, which may be adjusted based on which company has the stronger pricing model.


Splunk to Cisco

Splunk into Cisco: this is an easy one. Cisco has been building a cyber security practice for many years now, and a SIEM solution like Splunk fits the Cisco model. Splunk is used by the enterprise, as is Cisco, so the acquisition gives Cisco an additional feather in its cap: an enterprise cyber security log gathering and automation solution. This addition gives Cisco something with which to continue to compete (or move in to compete) with Palo Alto, who is probably the biggest pure play cyber security vendor today. Microsoft is there too, but the numbers are a little unclear.

Opinion: Cisco has a huge legacy brand awareness that it must shift. Networking, at least the big networking hardware of old that our large corporations use, is changing: sales are moving towards the cloud compute providers and hosting providers, who are looking towards their own custom hardware to save money and also to improve throughput for their particular network and data profiles.

Splunk gives Cisco a new revenue stream and helps move it further towards being a major cyber security player (it already is one). Its problem is its name: Cisco is known as a network company and known to be expensive. Being a mature and profitable business, it does not spend on marketing at the rate that smaller cyber security vendors do, and this makes it harder to increase growth at the rate those smaller companies do, and the market loves growth over profits.

QRadar to Palo Alto

This is a complicated purchase; the acquisition makes more sense on paper than it does in practice. Palo Alto has purchased the software as a service assets of QRadar with the intent of moving these clients to Palo Alto's XSIAM, the Extended Security Intelligence and Automation Management platform (a "next generation" name for log gathering and automation).

Opinion: IBM, after building its SaaS QRadar platform, has not had the uptake it needs, or is not seeing the growth it needs to continue investing in SaaS SIEM. This happens, and there is nothing wrong with pivoting away from something that either is not core business or does not have the potential the company needs.

The challenge here is that customers now have a choice: either migrate to Palo Alto's XSIAM or choose any other SIEM provider. SIEMs are notoriously difficult to get away from because they store so much data and often have so many integrations to other platforms, whether for ingestion, analytics or automation. It is very possible that Palo Alto does not retain even 80% of the QRadar customers, because migration to its platform will be no easier than to Sentinel, Splunk etc., and in my experience a migration is never free because too much must be done.

In summary

SIEM is a mature market. The easy money has long left this part of the industry, and there are several very strong choices for a SIEM platform if you require one. This matters because the more you are tied to one vendor, and the fewer cloud platforms you are utilising, the less likely it is that you will need a SIEM at all: the modern Extended Detection and Response platforms are starting to cross over into the more "attackable" part of your environment and provide the intelligence needed to protect your business.

If you are using QRadar, use this moment to re-evaluate your SIEM platform and requirements. I think Palo Alto is a good company; that is not my concern here. My concern is that SIEMs lock you into a technology for a long time, as they are expensive to migrate away from. Go out to market and evaluate all SIEM technologies. Please do not be fooled by XSIAM or any other name for a SIEM; do your research and you will come up with the best outcome for your business.

As always if you want to reach out then please contact me here.
