10 Things To Know About The $560M Palo Alto Networks-Demisto Deal

Here's a look at 10 of the biggest reasons Palo Alto Networks and Demisto came together to leverage the power of automation and deliver more immediate threat prevention and response.


Unleashing The Power Of Automation

Palo Alto Networks and Demisto plan to team up and take on one of the biggest challenges Fortune 500 companies face today: the overwhelming amount of alerts coming into an organization's Security Operations Center (SOC).

The proposed $560 million acquisition will unleash the power of automation to respond more quickly and effectively to the most common alerts SOCs see, freeing up security analysts to focus on more complex matters. The deal will tighten Demisto's integration into the Palo Alto Networks Application Framework, and serve as the backbone for the company's future automation and integration efforts.

Palo Alto Networks Chairman and CEO Nikesh Arora and Chief Product Officer Lee Klarich spoke with Wall Street analysts Tuesday about what opportunities the deal will create for the channel, how the purchase will affect Demisto's ability to partner with top competitors of Palo Alto Networks, and the company's acquisition roadmap going forward.

From potential customer overlap to how Demisto will operate within Palo Alto Networks, here's a look at 10 of the most interesting components of the Palo Alto Networks-Demisto deal.

10. The Deal Will Be Paid For With Both Cash And Stock

Palo Alto Networks plans to pay for its $560 million purchase of Demisto using a combination of cash and stock, Arora said.

The vast majority of the dilution associated with issuing additional shares of stock to complete this Demisto transaction has been offset by Palo Alto Networks' completion of a $1 billion share repurchase program in the quarter ended Jan. 31, with the company repurchasing $350 million of stock in the most recent quarter, Arora said.

Palo Alto Networks won't know until the close how much of the transaction cost is going to be paid using cash and how much will be paid through the issuance of new stock, Arora said. The company's stock is up $2.70 (1.19 percent) in trading Tuesday afternoon to $229.47 per share.

9. Significant Overlap Likely Exists Between The Customer Bases

Demisto's more than 150 customers likely overlap significantly with the more than 60,000 businesses Palo Alto Networks serves since both companies target enterprise and Fortune 500 customers, Klarich said.

Demisto customers almost always have their own security operations center (SOC) since the company's product is focused on helping SOCs operate more efficiently and effectively, according to Klarich. Specifically, Klarich said Demisto customers typically want to improve how their SOC functions through the use of better technology.

8. Palo Alto Networks Won't Mess With Demisto's Success

After the acquisition closes, Demisto will continue to operate almost independently under the leadership of current CEO Slavik Markovich, with Markovich working closely with Arora, Klarich, and Palo Alto Founder and CTO Nik Zuk to further integration work with the company's Application Framework.

Arora said Palo Alto Networks won't interfere with what has made Demisto successful, and understands that Demisto must continue to operate in a multi-vendor fashion and not show favor toward one supplier over another.

Part of what made Demisto an attractive acquisition target is their go-to-market motion and the quality of their sales team in the field, and Arora said Palo Alto Networks doesn't intend to change much of the process and structure around how Demisto compensates its sales reps in the short-term. Any changes the company makes would only come after spending a lot of time with Demisto's management, he said.

7. The Deal Expands Palo Alto Networks' Use Of Automation

Palo Alto Networks uses automation in several different ways today, Klarich said, and it is intrinsic to how the company integrates many of its own different services together. The company has also automated its integration with different data sources in order to better use context in setting policies, according to Klarich.

But where Demisto's automation capabilities come in is when the security operations platform sees an event and wants to take action. Specifically, Klarich said Demisto excels at analyzing data and alerts, and figuring out which ones are most important and need action taken on them.

Automating the alert response allows analysts to get back to dealing with more complicated tasks rather than having to do the same menial activities over and over again.

6. Automation Is Vital When Dealing With Manual, Time-Intensive Processes

One of the most common alerts a security operations center has to deal with comes in every time an employee thinks he or she might have received a phishing email, which across a large enterprise could happen hundreds or thousands of times per day, Klarich said.

In a traditional SOC with highly manual workflows, Klarich said every single one of those alerts gets handed off to an analyst, who then has to contact the affected employees, find the original email in question, search for additional data, determine whether or not a successful phishing attack took place, and if so, clean up the user's machine.

Demisto's customized, automated playbooks take very manual tasks performed by SOC analysts, like investigating a potential phishing attack, and automate them, Klarich said. Organizations that automate all or part of these repetitive processes end up with a huge advantage, according to Klarich.

5. The Traditional Approach To SOC Operations Is Becoming Antiquated

Having a SOC analyst tear at and attempt to remediate alerts on their own will not be enough as bad actors increasingly deploy techniques that allow them to quickly locate the small portion of an organization's infrastructure that isn't secure, Arora said.

Automating and remediating on the fly before vulnerabilities are exploited requires a degree of machine learning and artificial intelligence that isn't in the industry today, Arora said. Technology like Demisto's will help businesses sift through and remediate events at a pace approaching real-time, according to Arora.

"I believe the SOAR [security orchestration, automation and response tool] is the first step toward aggregating all events on one end, and automating as much as can be automated," Arora said.

4. Building Out Automation Capabilities Organically Would Have Taken Too Long

Organizations are increasingly paying more attention to security as they transition to the cloud, Arora said, purchasing tools that result in more alerts being sent to the company's security operations center (SOC).

Firms need SOC management and integration now, Arora said, and Palo Alto Networks needs technology that could serve as a backbone for future automation work, neither of which was possible with an organic evolutionary approach. Solving more problems in the SOC where businesses are spending more money generates value for the customer and greater compensation for the vendor, Arora said.

"We haven't done this [acquisition] lightly," Arora said. "We spent a lot of time and effort thinking about it."

3. Demisto Will Still Play Nice With Top Competitors Of Palo Alto Networks

Being a part of Palo Alto Networks won't impact Demisto's ability to integrate data from the company's top network security competitors. Arora doesn't anticipate that any customer or partner would stop Demisto from doing the things it needs to do since it's in the customer's own interest and many Palo Alto Networks competitors are already integrated into the company's Application Framework.

Arora pointed to Splunk's 2018 acquisition of top Demisto competitor Phantom, noting that Phantom still enjoys integrations with top Splunk rivals such as ArcSight, LogRhythm and QRadar. And despite Palo Alto Networks and Splunk both owning SOARs, Arora said the two companies plan to continue partnering closely with one another.

Under Palo Alto Networks, Klarich said Demisto will continue to push and focus on embracing third-party integrations to extend the value of the platform. Everything Demisto needs from other security vendors is available either through open APIs or using log formats and standards for data collection, according to Klarich.

2. Palo Alto Networks Is All Set On The Acquisition Front For Now

Palo Alto Networks has been extremely active on the acquisition front over the past year, buying Evident.io in March 2018 for $300 million, Secdo in April 2018 for a reported $100 million, cloud security startup RedLock for $173 million in October 2018, and now Demisto for $560 million.

At this point, Arora said Palo Alto Networks doesn't see anything that it's missing from a portfolio perspective, and plans to remain heads down trying to execute its vision across the acquired properties. And the company has long refrained from buying market share in a particular product category since that doesn't align with the company's focus on integration, according to Arora.

Arora said Palo Alto Networks is comfortable that it now has all of the necessary elements to forge ahead with plans to provide industry-leading protection across traditional infrastructure and the cloud, as well as a more data-centric approach to artificial intelligence and machine learning.

1. Acquisition Presents MSSPs, SIs With A Great Opportunity

Demisto is sold exclusively by the channel today, Arora said, and Palo Alto Networks doesn't anticipate that changing. Specifically, Arora said Palo Alto Networks plans to get more engaged and involved with its MSSP and SI partners around Demisto since they are in the best position to sell and support the product for large enterprise customers.

That's in contrast to the company's October acquisition of RedLock, where Palo Alto Networks earlier this month disclosed a SaaS Deal Referral program where partners receive a 10 percent reward for bringing RedLock opportunities to the company. Arora said the referral program is only for RedLock, and exists so the company can follow the motion of cloud providers while still compensating the channel.

"When a cloud provider – whether it's AWS, or Azure, or GCP – signs up for a program with a customer, they take them direct," Arora said. "And what we've noticed is that we have to attach our sale of RedLock to that sale. And hence, we've made a change on adaptation to our channel model specifically for that product category."