Observability vendors push further into SecOps territory
Cybersecurity market consolidation continues, as observability players push beyond security monitoring and into enforcement via XDR and SOAR products.
This year's wave of mergers between IT security specialists and DevOps vendors continued this week, with two observability vendors deepening their forays into SecOps.
Elastic Inc., purveyor of the Elastic Stack initially best known for collecting and searching log data for observability, acquired two IT security companies this week, Cmd and build.security. Cmd collects runtime data through the Linux kernel's extended Berkeley Packet Filter (eBPF) facility on cloud-native systems such as containers and Kubernetes.
Elastic announced its intent to acquire Cmd two days after it revealed plans to acquire another startup, build.security, which uses the Open Policy Agent to enforce application-level security policies within DevOps pipelines. These tools will be integrated in the coming months with Elastic's security information and event management (SIEM) and extended detection and response (XDR) features.
Meanwhile, Sumo Logic, also originally known for log-based observability, made a new security orchestration, automation and response (SOAR) product available this week based on its March acquisition of DFLabs. The tool expands on Sumo Logic's products for security operations centers, which include a SIEM.
Overall, these moves continue a theme within this year's broader frenzy of IT security M&A -- the increased convergence between observability and SecOps tools and vendors.
"Security and observability are fundamentally search problems," said Ash Kulkarni, chief product officer at Elastic. "When you're thinking about security, you're looking for indicators of compromise or attack. ... Basically, you're looking for patterns."
SIEM, SOAR, XDR -- digesting the SecOps alphabet soup
For both Elastic and Sumo Logic, these updates represent new steps beyond monitoring into the enforcement of security controls and policies. But they occupy subtly different SecOps categories.
SIEM products collect, correlate and present security data, while SOAR tools let SecOps pros automate responses to security alerts. SOAR products accomplish this through integrations with a broad set of tools, from web application firewalls to IT infrastructure automation playbooks. At launch, Sumo Logic's SOAR product has more than 200 integrations with third-party tools, according to a company press release this week.
Over the past 18 to 24 months, however, XDR has begun to generate increased SecOps market buzz. XDR takes its name from earlier SecOps tool categories such as infrastructure detection and response (IDR), endpoint detection and response (EDR), and network detection and response (NDR). XDR unifies telemetry data collected from those sources and automates a security threat response that encompasses all of them.
"SOAR is more about orchestrating and responding -- the key value is in integrations and optimizing threat response," said Fernando Montenegro, an analyst at 451 Research, part of S&P Global. "XDR includes some of that but also presents an opinionated UI that optimizes security analyst workflow."
SOAR and XDR can be complementary -- Sumo Logic's Cloud SOAR uses the Open Integration Framework to integrate with EDR, NDR, managed detection and response (MDR) and threat intelligence tools through a low-code interface.
However, some industry experts see XDR succeeding in some cases where SIEM and SOAR haven't worked as expected, because it offers a focused and efficient mechanism for threat response.
"When shutting down an attack in progress, security analysts often need to work together with network admins, firewall admins, cloud security teams and endpoint teams," wrote Dave Gruber, an analyst at Enterprise Strategy Group, a division of TechTarget, in a 2020 blog post. "SOAR tools attempt to automate this process, but ... too much heavy lifting is required to make all this happen."
XDR products have also arisen more recently during the cloud-native era, and thus may lend themselves to cloud-native deployment, according to a Gartner report.
"However, XDRs are not a replacement for all SIEM use cases, such as generic log storage or compliance," the Gartner report added.
Elastic touts data integration, consolidated pricing
While DevOps and IT security disciplines and vendors are consolidating amid the trend toward DevSecOps, IT pros still have a dizzying array of tools from which to choose. Within the observability category alone, Elastic and Sumo Logic also compete with Splunk, Cisco's AppDynamics, Datadog and Sysdig, to name a few.
In the XDR category, 451 Research and S&P Global see vendors approaching from three different vantage points, Montenegro said: managed services vendors; existing IDR, EDR and NDR vendors expanding into XDR; and analytics vendors, which is where Sumo Logic and Elastic fit in.
Elastic's competitive claim to fame in the SIEM world has been its licensing model. Whether it's used for SecOps or observability, the Elastic Stack is priced according to the CPU and memory resources it consumes, rather than requiring separate licenses for security and observability features, or separate charges based on the number of endpoints monitored or the amount of data users collect. Some advanced capabilities, including certain XDR features, are reserved for premium Elastic licensing tiers. Elastic SIEM users have also cited Elastic's common data schema for both security and observability as a selling point.
In a market that remains subject to further M&A volatility, enterprise users are generally inclined to stick with products they already use, but that loyalty will go only so far, Montenegro said.
"Customers demonstrate a preference for not adding complexity to their vendor management efforts too much, but not at the expense of best-of-breed capabilities," he said. "The situation on XDR is pretty fluid."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.