On cybersecurity platforms, vertical integrations and consolidation - Part 1


  1. Is it possible to create a genuine cybersecurity platform? This is a contentious topic among both professionals and investors. The cybersecurity industry is known for being highly specialized and for always requiring new tools to safeguard assets, given the ever-evolving nature of business and security threats. To put it another way, it's like having five locks on a door: you may add a sixth lock this year, but you won't remove the previous five.
  2. This is the current security landscape. There is a ton of debate about whether we will have more or fewer vendors in the future. Can consolidation, platform, or vertically integrated plays simplify this landscape?
  • What is a "Platform"?
  1. The true definition of a platform is when third-party vendors are able to "stand" on your platform and sell "products" to your customers using your APIs, data, and infrastructure. Normally the platform provides the most popular apps (e.g. Excel and PowerPoint on Windows) and lets third parties build long-tail products on the platform. I do not consider a company a true platform just because "services" companies sell managed services around its product.
  2. Good examples are infrastructure providers such as Microsoft, Oracle, and SAP (vendors build custom apps like ERP and CRM on top of their databases), VMware (vendors for backup, hyper-converged infrastructure, distributed firewalls, etc.), and AWS/Azure/GCP (vendors like Datadog, security, storage, etc.). SaaS vendors such as Salesforce and ServiceNow are also data platforms (they own sales and marketing data, or assets).
  • Let us frame the security problem statement using Sounil Yu's Cyber Defense Matrix

  • Assets such as people, devices, networks, applications, data, and the cloud (IaaS/SaaS) need to be protected from hackers. At the core, one can argue that "data" is the center of gravity, because hackers want data. People, applications, and networks are the attack surfaces used to steal data from devices, data systems, or the cloud.
  • Infrastructure providers such as Microsoft ("devices", "people", "data"), Red Hat ("applications"), Cisco ("networks"), Oracle ("data"), EMC/NetApp ("data"), and AWS, Azure, GCP ("cloud") "own" the primary data. SIEMs such as Splunk, Securonix, and Exabeam aggregate the data exhaust from all systems and applications. The majority of security vendors are "applications" that sit on top of platforms such as Microsoft, Cisco, EMC, etc. This is the essence of the cybersecurity industry.
  • Why did the industry evolve into a best-of-breed category?
  1. Consider "Devices". Microsoft owned the Windows operating system, but when viruses and hackers started breaking the system, McAfee and Symantec stepped up and invented endpoint protection products. Customers bought these products, and Microsoft was happy to partner with these vendors and provide them access to the data.
  2. Consider "Networks". Cisco pioneered switches and routers and also introduced the first firewall to protect the network. But Check Point Software and Palo Alto Networks invented a better, vendor-neutral firewall that works regardless of whom you buy your switches and routers from. These were called best-of-breed vendors; they focused on doing one thing really, really well and on working closely with customers.
  • Microsoft served as a true platform for devices, Windows-based apps, and identity (Active Directory), and a ton of vendors such as endpoint protection (McAfee, Symantec, CrowdStrike, SentinelOne, etc.) and identity providers (Okta, CyberArk, etc.), to name a few, relied on the platform.
  • But Microsoft has started vertically integrating: Azure AD competes with Okta, Defender competes with endpoint vendors, and Sentinel competes with Splunk.
  • UEBA (user and entity behavior analytics) and SOAR (security orchestration, automation and response) vendors initially rode on SIEM platforms such as Splunk and ArcSight. But Splunk acquired Caspida (UEBA) and Phantom Cyber (SOAR).
  • Security vendors such as Palo Alto Networks, CrowdStrike, SentinelOne, etc. shared their logs with SIEM vendors, but are now backward integrating into the SIEM data platform with their XDR/data lake play.
  1. So, net-net, I do not think we will ever have a "true platform", because not just vendors but customers may demand an integrated solution. A platform works well when there are a number of long-tail applications that the platform vendor chooses not to build.
  • How about Palo Alto Networks? I believe that when Palo Alto Networks talks about a "platform", they mean the following:
  1. Consolidating best-of-breed functionality at the product level: Palo Alto Networks provides all the tools for protecting an asset like a cloud or network. So the Prisma platform is a true CNAPP and includes CSPM, CWPP, IaC, DSPM, CIEM, and KSPM. The customer does not need to buy any other point tools. When a new startup launches a feature, Palo Alto will snap it up or build it internally to make the platform complete, so customers do not have to buy the product from another company.
  2. Palo Alto Networks also has two other platforms: Cortex (XDR/SIEM/EDR) and Strata (SASE/network security). Are there any product synergies between these products other than selling to a similar customer, the CISO? Palo Alto Networks' Cortex XSIAM play aims to aggregate data from these three platforms to provide a better security posture and operational efficiency for the customer.

Pramod, thanks for sharing! Would be great if you could check out www.designs.ai as a way to automate your content flow. It uses AI to create logos, templates, videos and more. I trust that it could be relevant to . We've got many users from industry.

Ratan Tipirneni

President & CEO @ Tigera (Project Calico)

1y

Great article, Pramod Gosavi. I enjoyed reading it. You may want to consider adding #datadog to the bottom right quadrant. They are a giant in the context of a Data Platform and are poised to be a powerful player in security. The mix of their tech and GTM model makes them a formidable contender.
