Yesterday, Google announced that it has acquired Siemplify, a well-known provider of security orchestration, automation and response (SOAR) solutions, for an undisclosed amount. The stated strategic goal of the acquisition is to “change the rules on how organizations hunt, detect, and respond to threats”. The SOAR capabilities of the Siemplify platform will be integrated into Google’s own Chronicle security analytics platform to give security analysts better visibility and productivity.

Now, at first glance, one could simply ask: “What’s the big deal? Acquisitions happen all the time, especially in the cybersecurity market nowadays”. However, there are a few interesting observations to be made here that go beyond this particular purchase.

First of all, Google has never been seen by the public as a “security vendor”. Despite operating one of the world’s largest clouds and acting as the identity provider for (literally) billions of users worldwide, we usually don’t hear much about cybersecurity from Google (although, to be fair, we also don’t hear much about Google’s security problems, as opposed to some of its largest competitors). However, appearances can be deceiving: just last summer the company pledged to invest $10 billion in cybersecurity over the next five years, and the acquisition of a SOAR vendor is just one small part of this strategy.

What is SOAR anyway?

Emerging less than a decade ago, SOAR was hailed as a means to finally make traditional SIEMs useful and, more generally, to centralize the management and automation of multiple security tools in a single interface for security analysts. The biggest selling point of a separate SOAR tool is its ability to integrate with a variety of existing SIEM, XDR, or other platforms that typically power a modern security operations center.

SOAR solutions usually provide several key capabilities:

  • Security data collection and enrichment – either on their own or through a bidirectional integration with existing SIEM platforms;
  • Security orchestration and automation – by implementing playbooks and automated workflows across disparate security tools, freeing analysts to concentrate on more creative tasks;
  • Incident response – by coordinating mitigation activities across multiple teams, departments, and systems. Here the degree of automation can vary from opening support tickets to autonomous isolation and cleanup of malicious activity.
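To make these three capabilities concrete, the following is an added example of a minimal SOAR-style playbook in Python. It is not code from the original article, from Siemplify, or from Chronicle: the threat-intelligence entries, asset inventory and alerts are constructed inline, and the `EDRConnector` and `TicketConnector` classes are hypothetical stand-ins for the real SIEM, EDR and ticketing APIs a SOAR platform would call. The playbook enriches each alert, then applies an orchestration policy whose degree of automation varies with the evidence: high-confidence indicators on low-value hosts are isolated autonomously, the same indicator on a critical asset is escalated to a human, and weak indicators merely open a ticket.

```python
"""Minimal SOAR-style playbook: enrich an alert, decide on a response tier,
then orchestrate the response across (simulated) tool connectors.

Added example, not part of the original article or of any Siemplify/Chronicle
code. Threat-intel data, the asset inventory and the alerts are constructed
inline; the connector classes are hypothetical stand-ins for real APIs.
"""

from dataclasses import dataclass, field

# --- constructed enrichment sources (stand-ins for a TI feed and a CMDB) ----
THREAT_INTEL = {
    "198.51.100.23": {"verdict": "malicious", "confidence": 95},
    "203.0.113.7": {"verdict": "suspicious", "confidence": 40},
}
ASSET_INVENTORY = {
    "ws-0142": {"owner": "sales", "criticality": "low"},
    "db-prod-01": {"owner": "platform", "criticality": "critical"},
}


@dataclass
class Alert:
    alert_id: str
    host: str
    dest_ip: str
    enrichment: dict = field(default_factory=dict)


# --- hypothetical connectors: they record requests instead of calling out ----
class EDRConnector:
    def __init__(self):
        self.isolated = []

    def isolate_host(self, host):
        self.isolated.append(host)


class TicketConnector:
    def __init__(self):
        self.tickets = []

    def open_ticket(self, summary, severity):
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": ticket_id, "summary": summary, "severity": severity})
        return ticket_id


def enrich(alert):
    """Capability 1: attach threat-intel verdict and asset context to the alert."""
    alert.enrichment["ti"] = THREAT_INTEL.get(
        alert.dest_ip, {"verdict": "unknown", "confidence": 0})
    alert.enrichment["asset"] = ASSET_INVENTORY.get(
        alert.host, {"owner": "unknown", "criticality": "unknown"})
    return alert


AUTO_ISOLATE_MIN_CONFIDENCE = 90      # policy threshold, an assumption of this example
NO_AUTO_ISOLATE = {"critical"}        # asset criticalities that always need a human


def decide(alert):
    """Capability 2: orchestration policy mapping enriched evidence to a response tier."""
    ti, asset = alert.enrichment["ti"], alert.enrichment["asset"]
    if ti["verdict"] == "malicious" and ti["confidence"] >= AUTO_ISOLATE_MIN_CONFIDENCE:
        if asset["criticality"] in NO_AUTO_ISOLATE:
            return "escalate"   # guardrail: never auto-isolate crown-jewel systems
        return "isolate"
    if ti["verdict"] in ("malicious", "suspicious"):
        return "ticket"
    return "close"


def run_playbook(alert, edr, tickets):
    """Capability 3: execute the decision through the connectors; return an audit record."""
    enrich(alert)
    action = decide(alert)
    summary = f"{alert.host} -> {alert.dest_ip} ({alert.enrichment['ti']['verdict']})"
    record = {"alert_id": alert.alert_id, "action": action, "ticket": None}
    if action == "isolate":
        edr.isolate_host(alert.host)
        record["ticket"] = tickets.open_ticket(f"Auto-isolated {summary}", "high")
    elif action == "escalate":
        record["ticket"] = tickets.open_ticket(f"Manual isolation required: {summary}", "critical")
    elif action == "ticket":
        record["ticket"] = tickets.open_ticket(f"Review {summary}", "medium")
    return record


def demo():
    """Run the playbook over four constructed alerts covering each response tier."""
    edr, tickets = EDRConnector(), TicketConnector()
    alerts = [
        Alert("A-1", "ws-0142", "198.51.100.23"),    # high-confidence IOC, low-value host
        Alert("A-2", "db-prod-01", "198.51.100.23"),  # same IOC, critical asset
        Alert("A-3", "ws-0142", "203.0.113.7"),       # low-confidence IOC
        Alert("A-4", "ws-0142", "192.0.2.9"),         # unknown destination, nothing to do
    ]
    records = [run_playbook(a, edr, tickets) for a in alerts]
    return records, edr, tickets


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The point worth noting is the `NO_AUTO_ISOLATE` guardrail in `decide`: a playbook that isolates anything the threat feed flags will eventually take a production database offline on a false positive, so the automation tier should depend on asset context from enrichment, not on the indicator alone. Every branch also leaves a ticket or audit record, so a human can later reconstruct what the automation did and why.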

Siemplify was notably one of the few remaining independent SOAR vendors. This is not the first acquisition in this space, and it certainly won’t be the last: several of the SOAR specialist vendors we covered in the 2020 edition of the Leadership Compass on SOAR solutions have been acquired in the meantime as well. Stay tuned for further updates: KuppingerCole is in the process of updating the SOAR Leadership Compass for 2022.

The trend, however, is entirely logical and was predictable from the start: since a primary strategic goal for every digital business is to reduce the overall complexity of its security architecture, having yet another standalone tool is not an attractive proposition. Rather, most customers would prefer to see SOAR capabilities integrated directly into their existing SOC platforms. For security vendors, such technology acquisitions have always been no-brainers, but nowadays even companies that, like Google or Microsoft, never called themselves security vendors see such investments as extremely important.

Security as a brand reputation factor

In the era of large-scale data breaches and constant cyber-attacks, being perceived as a “secure vendor” is crucial for every cloud service provider, and every major one now has a broad portfolio of services to assure customers that their sensitive data and critical workloads remain safe at all times. However, while some vendors (like AWS or Oracle) focus primarily on protecting their own customers with “cloud-native” (in other words, proprietary) solutions, others (like IBM and now Google) see multi-cloud support and open ecosystems as a potential competitive advantage.

Google Chronicle is an interesting example of the latter strategy. Created with the vision of a security analytics platform with unlimited scalability and intelligent automation, Chronicle harnesses Google Cloud’s infrastructure to offer a platform for managing security data at petabyte scale. Although it is not positioned as a SIEM, it does offer the features typically found in one: ingesting, retaining, and analyzing massive amounts of network and security telemetry from a variety of sources, including an ecosystem of third-party partners.

On top of this, Chronicle offers a range of tools for incident investigation, threat hunting, and attack detection. Adding SOAR capabilities from Siemplify will make Chronicle a very capable, scalable, and open security analytics service that you have probably never heard of. Which is a shame, actually. Perhaps one thing Google still has to learn from its competitors is to invest more in spreading awareness of its newest developments in the field of cybersecurity.

Speaking of awareness – we’re planning to publish a new Leadership Compass report on the market segment of Intelligent SIEM Platforms soon. We’re covering over 20 solutions in this report, both big and small, including Google Cloud among the vendors to watch. Stay tuned!