Having transformed the user behavior analytics (UBA) market after the purchase of Caspida, Splunk now has the potential to similarly disrupt the security automation and orchestration (SAO) sector by reaching for Phantom. Splunk synthesizes large amounts of operational data and tailors detection investigations to IT processes, using analytics to drive the activity of security operations centers (SOCs). Phantom's technology should allow Splunk to close the SOC processing cycle with automation, executing remediation playbooks and workflows to make securing the enterprise more efficient. With this addition to its Adaptive Response initiative, we consider Splunk one of the strategic players at the epicenter of the analytics transformation.

The 451 Take
We first introduced the Actionable Situational Awareness Platform (ASAP) in 2016, a concept that transforms security operations from a deterministic block/allow threat prevention bias to an analytics-driven approach fueled by security and IT data, where automation can play a significant role in turning insight into action. ASAP requires customization to meld with the business and enable controlled responses when appropriate, for which automation can be a key enabler – particularly when skilled people are in such high demand.

Splunk continues to tick many of the ASAP boxes with the acquisition of Phantom, which brings technology for processing workflows and playbooks, connecting security silos into a coordinated security response fabric, and dispatching reported alerts and events. The acquirer is now in a position to deliver a SOC platform that conforms to the business requirements for collecting data (Splunk ES), analyzing the data to detect issues (Splunk Caspida), and acting to respond to incidents and events (Splunk Phantom). By bringing Phantom in-house, Splunk also is more fully embracing its Adaptive Response initiative within its own portfolio, a long-awaited move following its advocacy of the concept among its partners and customers.

Deal details
Splunk is handing over $350m in a mix of cash and stock for Phantom. The deal, the company's largest ever, is expected to close in the first half of 2018. Splunk has been increasing its M&A activity over the past few years, particularly within security – three of its last four acquisitions, including the $190m pickup of Caspida, have been squarely focused on that sector. Oliver Friedrichs, founder and CEO of Phantom, will report to Haiyan Song, senior VP and general manager of security markets for Splunk. Morgan Stanley advised Splunk on the transaction.

Deal rationale
Splunk's customers collect large quantities of security log and event data, execute custom scripts and analytics to detect the presence of advanced threats, and process prioritized alerts for security incident response teams. Alert fatigue sets in when SOC experts cannot keep up with the volume of alerts. The company's Adaptive Response initiative is designed to provide the tools necessary to enhance the capacity of SOC resources to resolve security incidents, learn from experience to update playbooks, minimize gaps in coverage with orchestrated responses, and pave the way for automated controlled responses. Phantom, one of the best known of the SAO providers, was a natural acquisition target for Splunk.

Target profile
Phantom offers a security automation and orchestration platform. Enterprise SOC teams document the manual procedures to be followed across individual security products in order to gather and correlate information, build context, complete an investigation, or develop incident response actions; these workflows let individual analysts and teams modify point products and tighten defenses. The company's SAO platform is critical in automating the steps outlined in playbooks, orchestrating sequenced actions between deployed security products, and expanding the SOC's capacity to remediate security issues. Three main features of Phantom for Splunk include:

  • Digital representation of playbooks and workflows allows automated processing between security and IT teams and potentially provides a feedback loop into security analytics functions.
  • Customization interfaces enable coordination across the security infrastructure. Every enterprise has its own set of purchased security products, supported vendors, and unique SOC processes. Integration via tools such as Python scripts allows Phantom's SAO platform to align with the business.
  • Phantom has a community that actively develops and shares playbooks. Roughly one-third of the company's playbooks are contributed to the community by customers – an efficient means of developing new content and ensuring a happy installed base that will be excited by new products.

Phantom has raised $23m in venture capital investment since its founding in 2014. The Palo Alto, California-based vendor's board of directors includes security veterans Tom Noonan, Dave DeWalt, Ted Schlein and Todd Headley.

Acquirer profile
Publicly held Splunk produces technology supporting the management of security and IT organizations, with security representing slightly more than 50% of its business. Central to its product strategy is Splunk Enterprise Security (ES), its security operations platform for gathering, correlating, searching and analyzing the alerts, events and information from throughout an environment that are required to meet compliance and SOC operational mandates. Teams apply analytics to the data to better detect threats, remediate security incidents, and manage the business of security.

Notable Splunk M&A

Target      | Abstract                               | Deal value | Date announced
------------|----------------------------------------|------------|------------------
Phantom     | Security automation and orchestration  | $350m      | February 27, 2018
Rocana      | IT analytics                           | $30.2m     | October 9, 2017
SignalSense | Security and network analytics         | $12.2m     | October 17, 2017
Caspida     | User behavior analytics                | $190m      | July 9, 2015
Metafor     | Machine-learning analytics             | $16.4m     | June 23, 2015

In particular, Splunk's purchase of Caspida positioned it to dominate the UBA segment because the acquirer already controlled so much of the operational security data. Enterprises preferred to source UBA projects from their established partner for security information and event management (SIEM), effectively freezing out privately held UBA vendors. We believe the same dynamic may play out in 2018 in the SAO space, since Splunk controls the alerts and events that launch remediation efforts.

Competition
Competition for SOC projects comes from many directions. Three publicly held companies offer integrated product sets that include SAO features and are designed for SOC teams.

  • IBM highlights security as one of its strategic imperatives, a business that grew 54% in generating $3.2bn in fiscal 2017. A foundational element of Big Blue's security is its analytics work built on QRadar for SIEM and data management, i2 for UBA, and Resilient Systems for automation and orchestration, primarily for incident response.
  • FireEye is making waves with its Helix management and Invotas-inspired SAO capabilities using real-time network (SmartVision) and application (NX and TAP) data to drive advanced threat detection and incident response activity.
  • Rapid7 combines its InsightIDR product line, which features SIEM and analytics, with its acquired Komand SAO functionality to help bridge security and IT operations.
Other SIEM vendors that will be compelled to offer integrated SAO features include MicroFocus, ArcSight, McAfee (ESM), LogRhythm, AlienVault, RSA, Securonix and Fortinet. We also view network traffic analysis providers as contenders, in the sense that each is motivated to make SOC teams prefer real-time network events over historical log data for detecting live threats. Players such as Cisco, Corvil, Darktrace, ExtraHop, Gigamon and Vectra Networks will require SAO support for remediation, especially when endpoint changes are required.

Finally, there is a long list of privately held SAO specialists that will feel pressure to find a buyer or risk not finding an exit. These include Awake Security, Ayehu, Demisto, Fidelis, LogicHub, Resolve Systems, Respond Software, SecBI, Swimlane, Siemplify and Versive. Each has adopted unique approaches toward fighting alert fatigue, managing workflows, and controlling responses through playbooks. Some take a page from precedents in IT operations such as runbook automation, suggesting potential synergies with the likes of ServiceNow and its rivals.

Outlook
The growing accumulation of security data required as modern IT transforms is driving demand for analytics that help teams consume timely operational intelligence, manage alert priorities and SOC workloads, and automate corrective activities. We believe Splunk's acquisition of Phantom puts teeth into its Adaptive Response initiative with a competitive asset of its own. It's easy to envision Splunk extending Phantom's playbooks and workflows into IT operations, integrating SAO customization capabilities into Splunk's investigation and search features, and feeding response team feedback into machine-learning analytics algorithms. With this addition to its Adaptive Response initiative, we consider Splunk one of the strategic players at the epicenter of the analytics transformation, as well as an exemplar of our Actionable Situational Awareness Platform concept.

Eric Ogren
Senior Analyst, Security

Eric Ogren is a Senior Analyst with the Information Security team. Eric has extensive experience in software development, technology marketing, and as a security industry analyst.

Scott Crawford
Research Director, Security

Scott Crawford is Research Director for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market.

Keith Dawson
Principal Analyst

Keith Dawson is a principal analyst in 451 Research's Customer Experience & Commerce practice, primarily covering marketing technology. Keith has been covering the intersection of communications and enterprise software for 25 years, mainly looking at how to influence and optimize the customer experience.
