This week, Microsoft made official its agreement to acquire Threat Intelligence vendor RiskIQ in a deal rumoured to be worth around $500m. It is not an unusual event; Microsoft has already absorbed five businesses in 2021, usually to acquire a discrete technology it deems useful or sometimes to push into emerging markets.

This latest acquisition falls into both camps. While Threat Intelligence is not an emerging market in the normal sense, it has acquired a new importance in the last 18 months as global cyber-attacks reached a new level of intensity. The fact this has run in parallel with the global epidemic is no coincidence – criminal gangs thrive on vulnerability. In this case they have also thrived on the sudden switch to remote working and the opening up of millions more internet-facing endpoints.

Why make the acquisition now?

As the world’s largest supplier of business software, Microsoft will be fully aware of the threat to its customers from this current wave of ransomware, which is more sophisticated and aggressive than previously recorded. Governments around the globe have now listed ransomware as a systemic threat to national security and economic wellbeing. It is deadly serious.

Ransomware attacks have been successful in part because of the openness of today’s IT infrastructures. But business needs openness, along with the complexity of applications, architectures, IoT connectors and digital identities running across multiple clouds and hybrid cloud environments. This is a positive development, as it means that organizations are adopting leading-edge technologies to embrace collaborative working and automation and to deliver innovation.

Microsoft has been working to ensure that its platforms are compatible with the new openness and remote working, and takes security seriously. It makes sense to acquire a Threat Intelligence capability, a move that is as much commercially driven as it is about adding capability that will help its customer base defend against ransomware and other forms of cyber-attack.

What is RiskIQ?

RiskIQ is among several leading Threat Intelligence companies that have emerged in the last decade; other well-known names include FireEye, Infoblox, LookingGlass, IntSights and Recorded Future. All offer analysis and interpretation of global threat traffic and enable advance warning of possible attacks, adding an extra layer of cyber defence for organizations. Key to this is the tracking of internet-facing endpoints targeted by cyber criminals.

RiskIQ was a good fit in that it already had close ties with Microsoft through connectors and support for Azure Sentinel SIEM – it is also relatively cheap if the $500m purchase price is accurate. The RiskIQ mission statement of “safely bringing people together, connecting people across the world” might sound a little trite but it’s a laudable ambition and chimes well with Microsoft’s own goals. 

Microsoft already had an endpoint protection play with 365 Defender, but RiskIQ offers much more than monitoring activity at endpoints and applications. RiskIQ helps customers discover and assess the security of their entire enterprise attack surface through connections in the cloud, AWS, other clouds, on-premises, and from the supply chain. Its Internet Intelligence Graph deploys “virtual users” that simulate human-web interactions to map relationships between internet-exposed infrastructure worldwide.

What does the acquisition mean for Microsoft customers?

Several Microsoft customers will already use a Threat Intelligence platform from one of the existing vendors, but for those that do not, and particularly for SMBs, the integration of RiskIQ technology and intelligence gathering into O365, Azure, Active Directory, Teams etc. is something to be welcomed. Microsoft has a good record on integration, and this should be quickly offered as part of the Microsoft universe to all customer levels. For Microsoft it means a great new marketing tool to convince customers that it has their back in the fight against ransomware, now and in the future. Stopping ransomware by plotting its path and patterns before it can hit home is a great defensive move – once ransomware is in and activated, it’s pretty much game over, as we are seeing across the world.

Will it be a success?

In short, yes. Integrating RiskIQ across the Microsoft stack will add undoubted cyber security value for its customer base. Even better for Microsoft, it will allow them to offer a robust and trusted integrated Threat Intelligence platform in competition with RiskIQ’s former competitors. More worrying for those competitors, the Redmond software giant can easily afford to offer Threat Intelligence as an integral part of its overall security marketing strategy for O365 and beyond, in the name of keeping the Internet safe for business. Quite an option to have.
