Why Splunk Acquired Phantom

Merger_Puzzle.jpgEarly this morning, I received news that Splunk had announced its intention to acquire Phantom for $350m. Just as IBM purchased Resilient Systems a few years ago, Splunk decided to add a dedicated security operations automation and orchestration tool set to its SIEM platform.

Why is Splunk making this acquisition? Because Splunk wants to:

  1. Anchor its adaptive response initiative. Over the past few years, Splunk has championed a framework called adaptive response that provides for closed-loop process automation between security analytics and security controls. When analytics tools detect a problem, they can be programmed to trigger some type of response like conducting a vulnerability scan, creating a new firewall rule, or quarantining a network node beaconing out to a command-and-control server. While Splunk will still open adaptive response to others (Demisto, Resolve Systems, Siemplify, ServiceNow, Swimlane, etc.), Phantom will become its de facto process automation/orchestration glue. Look for Splunk to start to crowdsource adaptive response playbooks like it has done so successfully for dashboards. 
  2. Capitalize on market momentum. Security operations automation and orchestration is already happening at an increasing pace. According to ESG research, 19% of enterprise organizations (i.e., more than 1,000 employees) are already adding technologies for security operations automation and orchestration extensively, 39% are doing so on a limited basis, 26% are engaged in a project to add security operations automation and orchestration technologies, and 13% are planning to implement security operations automation and orchestration technologies in the future or are interested in doing so. Splunk supported this market growth in the past, and now it can promote and capitalize on this trend. 
  3. Help customers to become more productive. There’s a simple reason why organizations are embracing security operations automation and orchestration: They simply can’t keep up with the growing number of security alerts, investigations, and remediation tasks facing every enterprise security team. This is especially relevant considering the global infosec talent shortage where 51% of organizations claim to have a problematic shortage of cybersecurity skills. Splunk wants to use Phantom to make its customers more productive, freeing up time for them to collect, process, and analyze even more data using core Splunk.
  4. Continue to build an enterprise-class SOAPA. Slowly but surely, Splunk is surrounding its core SIEM with additional functionality like behavioral analytics, regulatory compliance, fraud detection, and insider threat detection. Along with its partners, Splunk had solid SOAPA offerings before this acquisition. With Phantom in tow however, Splunk can now check most of the SOAPA boxes on its own. This sets Splunk up for big security operations systems integration deals that could span several years. Look for leading system integrators to jump on this bandwagon. 

A few closing thoughts:

  • Look for Splunk and Phantom to work with service providers to help organizations build and design SOCs and nail down formal incident response plans (IR). This could be a multi-hundred million dollar business opportunity.
  • On a similar note, Phantom is an old-timer in the security automation and orchestration space with a lot of institutional knowledge, but its ability to broadcast this was limited by its size and resources. Look for Splunk to turn the crank on its marketing, training, and education machine to get the word out. 
  • Timing is everything. Splunk and Phantom should benefit from GDPR planning, improvement, and panic over the next few years.
  • This acquisition further justifies the market, which will create a lot of tire kicking around others in this space. Others like Check Point, Cisco, Forcepoint, Fortinet, McAfee, Palo Alto Networks, and Symantec may wind up acquiring a security operations automation/orchestration vendor of their own. 
Topics: Cybersecurity SOAPA