Early this morning, I received news that Splunk intends to acquire Phantom Cyber Corporation for $350 million. Just as IBM purchased Resilient Systems a few years ago, Splunk decided to add a dedicated security operations automation and orchestration toolset to its security information and event management (SIEM) platform.
4 reasons for Splunk's purchase of Phantom
Why is Splunk making this acquisition? Because Splunk wants to do the following:
- Anchor its adaptive response initiative. Over the past few years, Splunk has championed a framework called adaptive response that provides for closed-loop process automation between security analytics and security controls. When analytics tools detect a problem, they can be programmed to trigger some type of response, such as conducting a vulnerability scan, creating a new firewall rule, or quarantining a network node beaconing out to a command-and-control server. While Splunk will still open adaptive response to others (Demisto, Resolve Systems, Siemplify, ServiceNow, Swimlane, etc.), Phantom will become its de facto process automation/orchestration glue. Look for Splunk to start to crowdsource adaptive response playbooks like it has done so successfully for dashboards.
- Capitalize on market momentum. Security operations automation and orchestration is already happening at an increasing pace. According to ESG research, 19 percent of enterprise organizations (i.e. more than 1,000 employees) are already adding technologies for security operations automation and orchestration extensively, 39 percent are doing so on a limited basis, 26 percent are engaged in a project to add security operations automation and orchestration technologies, and 13 percdent plan to implement security operations automation and orchestration technologies in the future or are interested in doing so. (Note: I am an ESG employee.) Splunk supported this market growth in the past, now it can promote and capitalize on this trend.
- Help customers to become more productive. There’s a simple reason why organizations are embracing security operations automation and orchestration — they simply can’t keep up with the growing number of security alerts, investigations, and remediation tasks facing every enterprise security team. This is especially relevant considering the global infosec talent shortage where 51 percent of organizations claim to have a “problematic” shortage of cybersecurity skills. Splunk wants to use Phantom to make its customers more productive, freeing up time for them to collect, process, and analyze even more data using core Splunk.
- Continue to build an enterprise-class SOAPA. Slowly but surely, Splunk is surrounding its core SIEM with additional functionality, such as behavioral analytics, regulatory compliance, fraud detection, and insider threat. Along with its partners, Splunk had a solid SOAPA offerings before this acquisition. With Phantom in tow, however, Splunk can now check most of the SOAPA boxes on its own. This sets Splunk up for big security operations systems integration deals that could span several years. Look for leading system integrators to jump on this bandwagon.
A few closing thoughts:
- Look for Splunk and Phantom to work with service providers to help organizations build and design SOCs and nail down formal incident response plans (IR). This could be a multi-hundred-million-dollar business opportunity.
- On a similar note, Phantom is an old-timer in the security automation and orchestration space with a lot of institutional knowledge, but its ability to broadcast this was limited by its size and resources. Look for Splunk to turn the crank on its marketing, training, and education machine to get the word out.
- Timing is everything. Splunk and Phantom should benefit from GDPR planning, improvement, and panic over the next few years.
- This acquisition further justifies the market, which will create a lot of tire kicking around others in this space. Others, such as Check Point, Cisco, Forcepoint, Fortinet, McAfee, Palo Alto Networks, and Symantec, may wind up acquiring a security operations automation/orchestration vendor of their own.