Growth, Money and Confusion in the Security Operations Category

How would you categorize a solution that helps you respond to security threats? The cybersecurity industry now unhelpfully offers at least four categories for such products: Security Automation and Orchestration (SAO), Security Orchestration Automation and Response (SOAR), Security Operations Center on demand (SOC-on-demand) and Security Operations (SecOps). There are others, for sure, including endpoint response tools and so forth. I’m already getting a headache just trying to sort them all out.

Having been in the enterprise tech field for over 20 years, I have grown ambivalent about the categorization of technologies. At an earlier stage of my career, I managed marcom for a startup that was originally doing what was then known as SOA management, which became API management, then API governance and security. It was like trying to hit a moving target from a moving platform. There were a lot of messaging misses. We’ve all been there, I suspect.

Categorization is a drag, but it’s essential. A good deal of money is usually at stake. Venture investors, and eventually M&A buyers or IPO investment bankers, allocate capital based on categories that are perceived to be in-demand. Industry analysts also traffic in categories, which is what they have to do. How else can anyone make sense of what’s what—and which products to buy?

Category confusion is at the heart of what I’m observing in the security operations area. A number of companies are growing and getting investment backing in what seem to be different categories. Yet, despite the nominal taxonomic differences, these companies are all doing essentially the same thing: giving security operations managers more abilities to respond to threats and security events.

Backdrop: The Need to Do Something in Response to Threats

However you categorize the solution, there’s a compelling need to respond to threats and security events. Lost in the thunder of industry buzz and “TLDR” frameworks is the big question: what are we going to do when a malicious actor comes knocking? Security Operations teams must do something. The what and the how of the response are in flux, though. This is a good thing, as existing countermeasures and practices are being revealed as deficient every day of the week. Now, we can start to get serious about effective solutions.

Emerging Threat Response Solutions

Money is certainly chasing the issue of effective threat response. Siemplify, for example, which considers itself in the SOAR category, raised $30 million in a Series C round last month. This brings their total capital raised to $58 million. The investment seems well-deserved. According to Nimmy Reichenberg, Siemplify’s CMO, whom I met at RSA 2019, the company’s revenue tripled in 2018 after a 10X increase the previous year.

“We enable collaborative case management,” Reichenberg explained. “Working more as a SOC platform than an automation solution,” he added, hinting at the categorical ambivalence going on in the space. The label doesn’t matter, though. What counts is effectiveness. “We’re geared to the SOC analyst,” Reichenberg shared. “We don’t require knowledge of command line.” As the company’s name itself suggests, their goal is to simplify the use of Security Information and Event Management (SIEM) solutions—powerful security tools that are notoriously hard to use.

Demisto, which was recently acquired by Palo Alto Networks, identifies itself as being in the SOAR category. However, their tagline is “The Operating System for Enterprise Security.” This is a good example of categorical creep. What’s an operating system for enterprise security? Hard to know, but the intent of the message is clear, and in my view, needed.

SecOps needs better coordination and control. Companies are struggling with security response, so they might resonate with the idea of having an operating system that pulls together all of their disparate detection and response tools and processes. Certainly, Palo Alto Networks bought into the idea.

Demisto will continue to operate independently for the time being, despite the acquisition. This is probably a wise move on the part of Palo Alto Networks. The SOAR space is moving quickly. Venture integration would be a distraction. It might take Demisto’s focus away from innovations like their new mobile app extension, which they introduced at RSA 2019. The mobile version of Demisto enables SecOps team members to interact with the SOC and run playbooks on threats regardless of where they are located.

Swimlane is another SOAR player that’s getting funded. We’ve covered them in the past. They closed a $23 million Series B round last month as well, bringing their total raise to $35 million. As their CEO, Cody Cornell, explained to VentureBeat, “The sheer volume of threats, shortage of available security talent, and lack of integration between existing security and IT products creates an almost impossible situation for the modern security ops team.”

Swimlane is offering a solution for organizations that are struggling with understaffed, overworked SecOps teams. Tellingly, though, VentureBeat refers to Swimlane as a “security operations management software provider.” This is another categorical shift that hints at how the issue at hand is really more about security operations than security automation and orchestration.

Arctic Wolf is arguably in the same category as Swimlane, Siemplify and Demisto, though they may not agree. Technically, they’re not, but does it matter? They offer SOC-as-a-Service rather than a SOAR solution, but the customer need they’re serving is quite similar. They’re helping companies respond to threats with concrete, effective actions. Investors are evidently impressed. The company secured $45 million in a Series C round late last year.

“People want outcomes, not staffing up for security, especially in the mid-market,” explained Sam McLane, CTO of Arctic Wolf. “Companies want to know they’re secure, that they can take meaningful steps to counter a threat. This is what we accomplish with our concierge approach.”

Arctic Wolf sees itself as more than a Managed Security Services Provider (MSSP). They augment their SOC-as-a-service with an AI-driven threat detection and response platform. As McLane put it, “Our offering gives customers threat detection capabilities without putting them through the headache and expense of building their own on-premises SOC.”

The security operations category is evolving, with its various sub-categories merging. The level of investment makes it clear, though, that the category itself is secondary in importance to what these solutions actually do. Outcomes matter more than categories.

Photo Credit: Aviat Networks Flickr via Compfight cc