Gigamon, a company that provides network traffic intelligence to security tools, that I’ve profiled before, announced the acquisition of ICEBRG, a Seattle-based security startup. Now, I receive press releases about acquisitions and mergers all the time, but I took particular notice of this one because it suggests that a theory of mine is beginning to be born out in reality.
Over the past few years, both in my Forbes columns and on my research site, EarlyAdopter.com, I’ve been chronicling the need for enterprises to create a cybersecurity portfolio that enables the business to protect its crown jewels and spread its cybersecurity investment wisely across all categories of protection, detection, and response.
But as I’ve become more and more immersed in the cybersecurity space, I’ve realized that in far too many cases, the vast amount of data generated by cybersecurity products is far too often only used for the purpose of threat detection and response. This seems extremely short-sighted, as the data offers insight extending far beyond cybersecurity and should be providing value to the entire company. It could prove even more valuable as a data source when combined with other data sources in the business. (See “Why You Need A Holistic, Integrative Medical Approach to Cybersecurity.”)
That’s why I think Gigamon’s acquisition is worth paying attention to. Gigamon’s acquisition of ICEBRG shows a vision for a cybersecurity data warehouse, in which cybersecurity data is incorporated with other data sources to offer value across the enterprise.
I had the opportunity to speak with Paul Hooper, CEO of Gigamon. Our conversation confirmed that the acquisition is predicated on the potential of launching this type of dynamic cybersecurity data warehouse.
(I should note that as part of that conversation Hooper pointed out that the leaders of ICEBRG really don’t like being called a data warehouse. I guess we could call it a data platform, but when you are aggregating data from many sources, creating a unified model, and then supporting analytics, it seems to me a data warehouse isn’t a bad description. Until I get to argue with them directly, that’s the term I will use.)
The Case for a Cybersecurity Data Warehouse
Earlier this year, when I attended the RSA conference, I spoke with numerous tech leaders about the creation of cybersecurity data warehouses and enabling cybersecurity data to provide more value to the entire business. The general consensus from those dialogues was that such a warehouse had tremendous promise to provide new types of value from the cybersecurity portfolio. On its face, it is a great idea for a variety of reasons, as a cybersecurity data warehouse:
- Allows companies to collect data from all cybersecurity components into a single repository.
- Provides companies a way to future-proof against switching a component out. For instance, they could get rid of a single component for malware or deception, but all the data associated with that component wouldn’t disappear because it’s stored in the repository.
- Enriches new components. If a new component is added, it can be primed with historical data, making its analysis richer and more beneficial.
A cybersecurity data warehouse allows you to go beyond the analysis of data offered by any individual security product. Companies can do more analytics on any component using a richer store of data. The benefits would be:
- It allows you to support integrations between components. This would enable you to see if data from one component would be relevant to another and thus make both more powerful by loading in that component using an API.
- It allows you to make any one component more powerful. For example, if a component needed context, you could reach out to the data warehouse.
- It allows you to support providing expanded business value by using the cybersecurity data as a high resolution model of business activity.
Providing more business value is part of the holistic medicine approach to cybersecurity that I’ve been writing about as of late. The goal is to collect data for cybersecurity that offers a high-resolution view of the entire business so that data can then be analyzed and understood as a model of business activity that can then provide insight on a wide range of activities, such as employee satisfaction and employee departures.
However, despite all this promise, until now, a cybersecurity data warehouse is not really being implemented as a product. There are some things that are close:
- UEBA (user and entity behavior analytics) vendors have something like it but just for certain narrow use cases.
- They analyze user and entity behavior and identify anomalies.
- SIEM (security information and event management) vendors like Splunk allow lots of data to be integrated but by brute force.
- But this isn’t a true data warehouse. It’s just a lot of data you can write queries against.
My research at RSA showed that this is not going to be easy. On the one hand, cybersecurity data warehouses are likely to be more successful than BI data warehouses. They are more focused and avoid the problems shown in the Saving the Data Lake Research Mission.
On the other hand, there are challenges:
- Landing, cleaning, modeling, and integrating all the data is no small task.
- Neither is building the analytics and the data pipelines needed.
- Neither is building the UI.
Thus, given all the requirements to build such a warehouse, it’s likely only the largest companies can afford to do this or have the resources available to make it a reality. That means the area is ripe for productization for smaller businesses that want to create a cybersecurity data warehouse of their own.
Hooper acknowledges that Gigamon’s acquisition is about productizing a cybersecurity data warehouse. With its focus on network traffic analytics, Gigamon already had numerous advantages in creating a cybersecurity data warehouse as a product, including:
- Gigamon is the master of the crucial source of data from the network and is likely the largest source of cybersecurity data.
- Gigamon understands many different data formats so it could build a good integrated model.
- Gigamon understands integrating with a variety of vendor products — including how data goes in and out of each product.
Hooper offered three reasons why the ICEBRG acquisition will help Gigamon in its efforts to productize the cybersecurity data warehouse:
- He said Gigamon has a belief that the value of analytics is directly proportional to the data fed into that analysis for cybersecurity. “But much of the cybersecurity market is confined because the information from the products is very narrow — like firewall data,” he said. “To create a true cybersecurity data warehouse, you need a broader, richer dataset, and the better the dataset, the better the analysis will be.” ICEBRG improves Gigamon’s ability to collect, process, and analyze data, so it’s a huge step forward along this path.
- Hooper also said that the world of security is now analog. “It’s a series of events that need to be correlated together to make sense of the larger picture,” he said. “You have to be looking across 10—15 technologies to ensure you are secure.” Thus, data collection and analytics is imperative to being successful.
- The final reason Hooper gave for the acquisition was his belief that “the next generation of security is not going to come from security products of today — even those that do fantastic jobs. The next generation is going to come from advanced machine learning technology,” he said. And this allows Gigamon to be ready to take advantage of that technology.
Hooper summed it up this way: “The world of security has to go through a change. The combination of data from all your products will tell the complete story,” he said. “The company that owns the data wins and that’s why we are so focused on the data.”
I truly believe that Gigamon’s move is just one more sign that the productization of cybersecurity data warehouses is a trend that will become more common in the near future. And this trend will lead to cybersecurity data providing value for the entire business.