Flavors of Security - Elastic

This is part of the Flavors of Security series, in particular Part 2’s investment focus on what drives the hypergrowth stories within the cybersecurity space. If you need to learn the security terms & product abbreviations, you can look up the terms that first post.

Elastic (ESTC) - SIEM & Endpoint Protection (Device)

Platform: Elastic Stack (ELK Stack)

This will evaluate just the cybersecurity-focused components of Elastic.

Flavors of Security:

  • Core: SIEM
  • New directions: EPP/EDR (thru Endgame acquisition), ISAT training (thru Perched acquisition)

Massive Tailwinds:

  • Do It Yourself Monitoring
  • ML/AI-driven Security
  • Migration to cloud

Differentiators:

  • Platform w/ incremental add-ons. Not just for cybersecurity use, can also be utilized for other uses, such as infrastructure monitoring or APM.
  • Strong adoption of ML/AI internally, exposed as ML modules in Kibana for Platinum subscribers.
  • Easy to scale. If self-managed, can simply add more nodes; if managed service in cloud, can infinitely scale.

Platform capabilities:

  • Protection: EPP
  • Prevention: EDR, ISAT
  • Monitoring: SIEM

Products:

Subscription Levels:

  • Open Source - basic Elastic Stack (free Apache 2.0 licensed open source)
  • Basic - ... plus Security, APM, SIEM, Maps, & Canvas plugins (still free)
  • Gold - ... plus Alerting & Reporting plugins, and basic support
  • Platinum - ... plus ML & Adv Security plugins, and year-round support
  • Enterprise [new] - ... plus EPP/EDR

Magic Quadrants:

SIEM: (no Elastic shown)

EPP: from Gartner EPP full report, 2019

Competitors:

  • SIEM - LogRhythm, Splunk, IBM, McAfee, LogRhythm, Rapid7, Fortinet, Secureworks
  • EPP - CrowdStrike, Symantec, Sophos, Trend Micro, Microsoft, Kaspersky, Blackberry/Cylance, VMWare/Carbon Black, McAfee, Cisco, Palo Alto, Fortinet, FireEye
  • EDR - CrowdStrike, VMWare/Carbon Black, Cisco, Check Point, Blackberry/Cylance, Microsoft, McAfee, Sophos

Gartner customer reviews:

Thoughts:

For detailed background, see my My Elastic Deep Dive, May 2019, and my ElasticON Conference recap, Oct 2018.

Elastic is the outlier of the cybersecurity hypergrowth companies I'm reviewing. It's core is not in cybersecurity -- it is an open-source database platform (Elastic Stack) with a cloud hosting service (Elastic Cloud) and on-premise hosting service (Elastic Cloud Enterprise). However, the strength of the platform is in the problems it solves. The first major market for Elastic Stack was in infrastructure monitoring, serving as a Do It Yourself solution for log collection and analysis. It competes on that with Splunk, DataDog and New Relic, but where you have to run the database yourself (whether as a managed service or self-managed on your own infrastructure).

But as I noted in the ElasticON conference recap, after infrastructure monitoring, it was clear that cybersecurity was the next huge focus. Elasticsearch is a perfect database for collecting all the logs from all the networking security equipment and using it as a way to comb through and analyze that data for intrusion detection. As an open-source database, it's been the underpinning of many open-source SIEM packages, like Wazuh and OSSEC. Basically, folks have been using the open-source Elastic Stack for SIEM and related analytic tasks (like EDR, NTA and UEBA) for years now.

This past year, Elastic has solidified its game plan for positioning its platform as a more complete cybersecurity monitoring and analytics solution. In release 7.2, they announced Elastic SIEM, a new interface in Kibana for collaborative SIEM workflows, like threat hunting and forensics, over network and endpoint data. And since then, they've been iterating quickly. In 7.3, they expanded it with three ML modules for threat detection. In 7.4, they integrated Elastic Maps for visualizations and hotspot mapping, and it now includes 16 ML modules.

Elastic SIEM is free with Basic license. If you want Alerting & Reporting, you need a Gold subscription; if you want ML features, you need to get the Platinum subscription.

Elastic has always excelled at acquisitions that bolster the capabilities of their core Stack. Their cybersecurity-related ones:

  1. Prelect (ML/AI), in 2016 - Predictive behavioral analytics firm, focused on cybersecurity, fraud detection, and IT operational analytics. Now likely integrated as the ML modules in Kibana.
  2. Endgame (EPP/EDR), in 2019 - Endpoint protection.
  3. Perched (ISAT), in 2019 - Cybersecurity training and consulting.

In particular, Endgame was quickly folded into a new feature called Elastic Endpoint Security. This new product combines their recent SIEM features with Endgame's EPP platform. You install the agent on each endpoint (Windows, Mac, Linux) and it then feeds its logs into the SIEM.

One selling point they are pushing over CrowdStrike is that it also works for offline systems. So it is probably a better use case for secure environments or other situations where the vast majority of endpoints are on-premise or are not internet-connected. However, unlike cloud-based EPP systems, Elastic Endpoint Security is an island, where a company can only analyze their own data. With CrowdStrike, you gain the benefit of "crowdsourced" security, where it is identifying and blacklisting malicious actors by analysis over their entire customer base. Another plus for CrowdStrike is that Endgame doesn't support mobile devices.

However, Elastic has a few aces up their sleeve. The major one is, in announcing Endpoint Security, they eliminated per-endpoint pricing. What's the catch? Was Endgame just a $234M loss leader to get folks into SIEM? Nope. They have created a new support tier above Platinum called Enterprise, that includes Platinum's benefits plus all Endpoint Security features. For companies that have thousands of endpoints and want a turnkey solution for endpoint protection (EPP/EDR+SIEM) at an attractive price, this product is likely a huge savings over the $15-18/endpoint/month that CrowdStrike charges for EPP+EDR.

Beyond that, other EPP SaaS platforms are going to have data retention limits (or huge costs with keeping your data archived); with Elastic, you are ultimately in charge of your data, and can maintain it as long as like. Also, you can take full advantage of the other Elastic Stack tools, like Canvas for dashboarding, Maps for visualizations, and Alerting and Reporting tools in Kibana.

It is early days for this new product angle from Elastic. Right now it is still only available as "Early Access" - so it hasn't gone full GA yet. Since they bolted EPP/EDR onto their SIEM, it makes me wonder if there are other cybersecurity directions that Elastic might go into. For one, I bet they enable EPP of mobile devices, to fill in the one gap I see in Endgame's EPP.

There are plenty of other reasons outside of cybersecurity to invest in Elastic -- but it does show you how they can tackle and solve specific problem sets on Elastic Stack, in order to get exposed to new markets.

Strengths:

  • Elasticsearch was already widely used as the underlying database in SIEM software packages. Now Elastic has created their own SIEM tooling within their stack. Customers know they can trust it. It also has a rich ecosystem of tooling in the Elastic Stack, including Kibana (ad-hoc searching, ML), Canvas (dashboards), and Maps.
  • Cost-conscious EPP customers (Type C in that recent Gartner EPP report) with thousands of endpoints will likely be very attracted to the fixed pricing of Elastic Endpoint Security, vs the per-endpoint price of every other EPP competitor. As will customers that are already on the Elastic Stack for IT infrastructure monitoring.
  • With Perched acquisition, they can also now provide proactive consulting, akin to CrowdStrike. I also expect that team to use their knowledge to help bolster the capabilities of SIEM and Endpoint Security products from here. Perhaps it becomes an additional feature of the Enterprise tier.
  • Even if Endpoint Security doesn't become a major factor, SIEM alone is going to be a powerful draw towards Elastic Stack. They will continue to improve the ML routines, and make it more and more appealing.
  • In my ElasticON review, I mentioned a presentation from a customer going from Splunk ($$$$$) to Elastic Stack ($$) for their SIEM within their home-grown security framework. There will continue to be cost-conscious companies making the move from SaaS SIEM to Elastic SIEM based on the huge cost savings, the speed improvements, and, ultimately, the control it gives them over their data and how long its retained. Elastic has great archival capabilities (hot/cold storage) for older data.

Concerns:

  • While cybersecurity and SIEM has been a major focus, endpoint protection is very new for Elastic. Will their product remain relevant in this competitive market?
  • How do we tell if one EPP platform is better than another in threat detection? Cloud-based ML-driven competitors like Crowdstrike can continually analyze off the entirety of their customer base. Will the fact that Elastic's solution only views the "island" of data be a factor in its effectiveness?
  • In the Gartner Magic Quadrant, it considered CrowdStrike a leader, while Endgame is a lower contender. The acquisition price for Endgame seems to agree with that. However, in Gartner's customer reviews, it has CrowdStrike with 4.9 stars, Endgame with 4.8 stars.
  • Endgame was dropped (along with Comodo) from Gartner's latest EPP report, as it "did not meet the minimum deployed licenses inclusion criteria". Slightly concerning -- I guess that explains the good acquisition price. Regardless, Endgame seems a respected EPP platform and gets high marks in reviews.
  • Endgame doesn't support mobile devices, only laptops, desktops and servers (PC, Mac, Linux). It's a hole in coverage. [I bet they fill it.]

-muji