You've Never Seen Lock-In Like This Before
How cybersecurity platforms are raising switching costs and maximizing profits
For some of its largest vendors, cybersecurity has become a race towards maximum lock-in. Palo Alto Networks, CrowdStrike, SentinelOne, and other major providers now compete across endpoint, cloud, identity, and SIEM, with success dependent on customers buying it all and staying put.
For security leaders, this trend threatens to curtail access to innovative new solutions and erode the bargaining power needed to keep budget expansion aligned with the rest of the business. Can organizations continue to leverage products from platform providers without losing their independence? As the Eagles sang in Hotel California: “You can check out any time you like... But you can never leave.”
Buying Your Business
One sign that platform players are counting on long-term lock-in is their willingness to buy new business. They’re willing to take losses upfront because they believe any customer entering their walled garden will face difficulty switching later. This approach can be seen in the recent string of increasingly aggressive “loss leader” moves.
For example, CrowdStrike announced in May that Microsoft customers could get a heavily subsidized endpoint agent to run alongside the competing Defender product. In an interview, CrowdStrike Head of Products Raj Rajamani made it clear that Microsoft customers would find this offering “very attractively priced.”
Palo Alto Networks has been especially aggressive at luring customers onto its platform. Earlier this year, the company announced a new offer under which it gives away its product for free for the whole remaining duration of a new customer’s existing contracts. According to the press release:
The offer enables qualified customers to accelerate platformization and seamlessly transition to Cortex XDR by providing a "no-cost" period of the solution until existing legacy contracts expire. Additionally, the program includes a baseline package of "no-cost" professional services to assist with the agent migration.
Platformization, with its high switching costs, is what justifies extended free-use offers. Buyers should take this into account when considering heavily subsidized product offers.
This approach was taken to the extreme a few months later when Palo Alto struck a major deal with IBM for its SIEM business. Interestingly, IBM’s cloud SIEM product is being taken to the woodchipper. This deal isn’t about technology or capabilities. It’s about capturing customers.
Unconfirmed rumors place the deal size at around $500 million, on top of which PANW will pay IBM consultants to migrate customers to their platform. It would take years of subscription payments to offset these substantial expenditures, and the new class of “all-in-one” cybersecurity platforms is designed to make that happen with the full Hotel California experience.
Platform Exclusivity
Why is switching from a platform that includes both SIEM and endpoint agents nearly impossible? Consider the challenge of an ordinary SIEM migration, where endpoint telemetry is one of the top sources for threat detection. The migrating team reviews migrated detection logic and verifies that coverage is maintained in the new system. But for a SIEM+endpoint migration, all endpoint-related SIEM detections must be rebuilt—a huge additional effort.
The secret to this double lock-in is how next-gen SIEM platforms mandate their own endpoint agents. For example, Palo Alto Networks XSIAM licensing documentation specifies that the SIEM cannot be purchased separately from the Cortex agent.
Platform exclusivity also extends to content and capabilities. Feeding agent telemetry to a SIEM is one thing, but detection rules and models designed and tuned for a particular agent are of questionable effectiveness against telemetry from third-party agents. Also, agent health monitoring is increasingly being folded into the all-in-one SIEM platform, potentially breaking essential SOC processes that depend on analyzing agent logs to identify deployment gaps and agent health issues.
I’ve heard of rare situations where an exception was made for a customer to keep their former agent while ramping up the next-gen SIEM. A team in that situation should take extra caution in validating that the competitor’s platform properly analyzes the signal from the “other guy’s” agents.
The tight coupling between SIEM and endpoint makes migrating either one incredibly difficult. Many SOCs could find migrating both at the same time to be nearly impossible. The platform vendors are incentivized to maximize this lock-in at the expense of security organizations.
The Modular Alternative
The prospect of double lock-in has driven interest in open, modular SOC architectures. This week, Jon Oltsik, the well-known analyst and founder of the cybersecurity practice at Enterprise Security Group, wrote about how “no vendor will deliver the whole enchilada.” In his CSO Online article “Cybersecurity at a crossroads: Time to shift to an architectural approach,” Oltsik railed against the idea of an all-in-one platform:
First, the notion of moving all the data to one repository is completely outdated due to data volume and constant change. Future security operations must adhere to a federated data model…
Note that I do see large organizations standardizing with data lake technologies like Databricks and Snowflake, and I also see a role here for things like the Amazon security lake. While this makes sense today, we’ll see new data management platforms in the future with compelling security use cases. Enterprise security operations architectures must have the flexibility to migrate or integrate data in the future.
Turning to an architecture with enough flexibility to run security operations across a mix of data platforms presents an alternative to platformization. For mega vendors spending huge sums to construct walled gardens, this is the ultimate nightmare. But how do enterprise security leaders feel about it?
CISOs Umesh Yerram and Arvin Bansal, each responsible for protecting large and complex enterprises, recently published an excellent whitepaper titled Modular Stack: The Future of Cybersecurity Design. Yerram and Bansal acknowledge that big changes are happening in the SIEM market but warn of the dangers that consolidation presents to security operations:
Enterprises are made up of heterogeneous, hybrid environments that CISO organizations must secure using a range of security controls. The consolidation in the SIEM marketplace will not benefit CISO organizations significantly due to a few key reasons:
1. Consolidation will result in more vendor lock-in.
2. Innovation is put on the back burner to prioritize integration efforts.
3. Integration of these consolidations will take time, and most will fail based on the history of past consolidations.
Speaking from experience, Yerram and Bansal urge their fellow security leaders to watch out for short-term discounts from platform consolidators. They argue that “the significant changes in the SIEM market necessitate a strategic approach to security detection & response architecture that emphasizes the principles of standardization, flexibility, data ownership, cost-efficiency, and advanced technology adoption.”
Data ownership is a key enabler for a modular design strategy. Last week, I wrote about four elements of ownership and why XDR vendors that built their SIEM around agents see independent ownership as a threat. They want to hold your data on their platform, so swapping out any part of their portfolio becomes a monumental task.
The Modular Stack whitepaper also includes several great diagrams showing what forward-thinking CISOs envision as the opposite of the locked-in platform. In the image below, the security organization is aligned with the rest of the enterprise on a data platform that supports myriad use cases and cross-collaboration. Security data lives alongside business data and is used to power threat detection, vulnerability management, compliance automation, etc. These use cases can be supported by best-of-breed applications with SIEM capabilities and detection content plugged into the team’s data lake.
With logs normalized in the security data lake and a best-of-breed SOAR solution downstream, a SIEM purchase decision becomes reversible. A team might choose to buy Anvilogic, for example, as the SIEM layer for the data lake, and a year or a decade later, replace it with an alternative that meets new requirements or offers better pricing. The modularity in this approach de-risks the whole operation, leading to lower costs and full access to innovation.
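The decoupling described above, as an added example that is not from the whitepaper, Anvilogic, or any vendor: a detection written once against a normalized process-event schema keeps working when the endpoint agent changes, because only the per-agent normalizer is swapped. The two raw agent formats, their field names, and the common schema are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable

# Minimal vendor-neutral schema (constructed for this example, not a real standard).
@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    process: str   # executable basename, lower-cased
    parent: str    # parent executable basename, lower-cased
    cmdline: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Two hypothetical raw formats standing in for two different endpoint agents.
def from_agent_a(raw: dict) -> ProcessEvent:        # flat record, full Windows paths
    return ProcessEvent(raw["ComputerName"], raw["UserName"], _basename(raw["ImagePath"]),
                        _basename(raw["ParentImagePath"]), raw["CommandLine"])

def from_agent_b(raw: dict) -> ProcessEvent:        # nested record, basenames only
    p = raw["process"]
    return ProcessEvent(raw["host"]["name"], raw["host"]["user"], p["name"].lower(),
                        p["parent"]["name"].lower(), " ".join(p["args"]))

# Swapping agents means replacing an entry here; detection content is untouched.
NORMALIZERS: dict[str, Callable[[dict], ProcessEvent]] = {"agent_a": from_agent_a,
                                                          "agent_b": from_agent_b}

def normalize(records: list[tuple[str, dict]]) -> list[ProcessEvent]:
    """records are (source_agent, raw_event); an unknown source fails loudly (KeyError)."""
    return [NORMALIZERS[src](raw) for src, raw in records]

# Detection written once against the neutral schema: an Office app launching a shell.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
def office_spawns_shell(ev: ProcessEvent) -> bool:
    return ev.parent in OFFICE and ev.process in SHELLS

def detect(events: list[ProcessEvent], rule=office_spawns_shell) -> list[ProcessEvent]:
    return [e for e in events if rule(e)]

# Constructed sample telemetry: the same behaviour reported by each agent, plus one benign event.
SAMPLE = [
    ("agent_a", {"ComputerName": "WS01", "UserName": "alice", "ImagePath": r"C:\Windows\System32\cmd.exe",
                 "ParentImagePath": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "CommandLine": "cmd /c dir"}),
    ("agent_b", {"host": {"name": "WS02", "user": "bob"},
                 "process": {"name": "powershell.exe", "parent": {"name": "EXCEL.EXE"},
                             "args": ["powershell.exe", "-File", "update.ps1"]}}),
    ("agent_b", {"host": {"name": "WS03", "user": "carol"},
                 "process": {"name": "cmd.exe", "parent": {"name": "explorer.exe"}, "args": ["cmd"]}}),
]

if __name__ == "__main__":
    for hit in detect(normalize(SAMPLE)):
        print(f"ALERT {hit.host}/{hit.user}: {hit.parent} -> {hit.process} [{hit.cmdline}]")
```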
The competition between two movements, one towards platformization and one towards modularity, may be decided by an awkward question. Like signing a prenup before the wedding, security leaders should ask, “Is it reversible?” Not because they think they’ll soon part ways but out of recognition that lock-in inevitably leads to higher costs and fewer options. As CISOs Yerram and Bansal concluded in their whitepaper, access to “innovative best-of-breed threat detection capabilities on top of standardized data” is the best position for security organizations. Just don’t tell that to the platform companies banking on lock-in.