Google has acquired security services provider Siemplify in an effort to add security orchestration, automation, and response (SOAR) capabilities to its Google Cloud security portfolio, augment its Chronicle security analytics platform, and further its efforts to make security "invisible," the two companies announced today.
While neither company officially disclosed the value of the transaction, sources including Reuters report Google paid $500 million for Siemplify, a cloud-based provider of tools for integrating and automating security operations. Its tech allows companies to present a single platform for security analysis and response, bringing together existing tools and allowing for security playbooks to be automated.
SOAR services allow analysts to more quickly triage caseloads by using more information from an organization's various security products and then automating the response.
As part of its invisible security initiative announced in July, Google aims to integrate such capabilities into its cloud services, especially its Chronicle security analytics platform — an effort that both Google and Siemplify see as a priority, according to Sunil Potti, vice president and general manager of Google Cloud Security.
"We both share the belief that security analysts need to be able to solve more incidents with greater complexity while requiring less effort and less specialized knowledge," he said in a blog post announcing the acquisition. "Our intention is to integrate Siemplify's capabilities into Chronicle in ways that help enterprises modernize and automate their security operations."
The acquisition continues Google's push into cybersecurity. In August, the company announced it would invest $10 billion in cybersecurity over the next five years to expand its zero-trust services, bolster open source security, and find ways to improve the integrity of the software supply chain. In October, the company rolled out its Cybersecurity Action Team, a set of advisory and incident response services to help government and corporate clients.
This acquisition also puts Google ahead in the competition among major cloud service providers to provide security services across platforms, says Rik Turner, principal analyst with research firm Omdia (a Dark Reading sister company). Amazon Web Services (AWS) and Microsoft Azure have SIEM capabilities within their own clouds but do not have the same features across all clouds, while Google attempts to play well with other services, he explains.
"AWS's native cloud security is AWS-only — that is, if you want to go multicloud with your security and are starting from an AWS estate, AWS points you in the direction of their partners, such as Palo Alto or Trend Micro," Turner says. "It therefore behooves both Azure and GCP — No. 2 and 3, respectively — to be heterogeneous in their cloud security offerings, which should enable them to tempt AWS customers to be more unfaithful to AWS."
The argument for that, he adds, is "that any workload or data assets that have been moved across and protected in their infrastructures can always be moved back to AWS because their security spans both worlds."
The triad of capabilities behind SOAR allows security teams to efficiently manage operations. Orchestration links security products to an organization's security information and event management (SIEM) system, allowing the system to use information from those products to help analysts better triage possible threat reports and alerts. By automating the analysis using machine-augmented playbooks, the systems can help analysts more quickly decide whether a security event needs more investigation. Finally, many aspects of the response can be automated to quickly minimize the impact of an attack.
While cybersecurity startups have tackled the trio of features, most have been merged into existing SIEM products. In July 2020, for example, Micro Focus purchased Atar Labs and integrated its SOAR capabilities into ArcSight, the grandfather of SIEM systems.
Eventually, most SOAR products will merge with SIEMs to become standard capabilities, says Allie Mellen, analyst for security and risk at Forrester Research.
"Siemplify was one of the few remaining standalone SOAR offerings, as many others have been picked up by SIEM vendors over the years," she says. "Most other standalone SOAR vendors have been acquired or built out their portfolio with other products, like threat intelligence platforms. In some ways, that makes this a heady acquisition and signals the end of the standalone SOAR or, frankly, SIEM."
Timing Is Everything
A confluence of trends has made the capabilities of SOAR products more necessary. The continued shortage and high cost of skilled cybersecurity professionals mean reducing workloads is critical. Organizations' growing attack surface area means that more data needs to be monitored to gain the necessary visibility. And remote work and fast-moving attacks have made automated response a greater priority.
"The challenges we set out to solve are only becoming more profound, and organizations are facing an unprecedented volume of cybersecurity threats — all as the shortage of skilled personnel to address these threats remains at an all-time high," said Amos Stern, CEO and co-founder of Siemplify, in a separate blog post announcing the acquisition. "There is a need and opportunity to grow our business to meet these challenges."
Google's purchase may mean that some companies will have less choice when it comes to automating their security operations, says Forrester's Mellen.
"For clients, this acquisition means that they now have one less standalone SOAR offering to choose from," Mellen says. "This can be a benefit — having a security analytics platform that tightly integrates SIEM and SOAR can help practitioners implement more seamless automation into their work. However, some practitioners prefer to use a separate, independent SOAR offering because they find the depth of available integrations to be more powerful."