Christmas came early for three vendors in the threat intelligence and attack surface management space this past week. In a reported all-cash $500 million deal (no need for layaway when your market cap is north of $2 trillion), Microsoft acquired threat intelligence and attack surface management vendor RiskIQ. In Europe, Swedish vulnerability risk management firm Outpost24 announced its acquisition of threat intelligence provider Blueliv. Today, Rapid7 announced its acquisition of threat intelligence firm IntSights. The approximately $900M (Forrester’s estimate) spent on threat intelligence signals how the pandemic has increased the importance and value of attack surface management and threat intelligence in reducing vulnerability risks and protecting brands.

(Source: Flickr)

Cyber threat intelligence vendors need access to telemetry to continually identify, track, and model cyber threats. Smaller cyber threat intelligence vendors without managed security service providers/managed detection and response services or a software-as-a-service (SaaS) security control offering need to get creative with their collection plan — or they can get acquired by an established security vendor with a robust suite of SaaS security controls and managed services. IntSights’ acquisition by Rapid7 and Blueliv’s acquisition by Outpost24 should have tremendous benefits for all bases. With additional threat intelligence capabilities, vulnerability risk management vendors should improve their prioritization models to focus even more on exploitation, rather than Common Vulnerability Scoring System scores.

Recent acquisitions of attack surface management vendors (Palo Alto Networks acquired Expanse last year) suggest these products are more valuable as components of larger security ecosystems, with limited futures as independent companies. As an attack surface is more than just what is Internet-accessible, there is tremendous opportunity to integrate the external visibility from attack surface management with the internal security controls to completely map all the connections and assets of an enterprise. I can think of several ways that RiskIQ’s technology can be integrated with Microsoft’s security controls to deliver immense value. Alternatively, RiskIQ could give Microsoft an opportunity to make more of its immense security telemetry available to the security community. Jess Burn and I are scrambling to update our in-progress research on attack surface management. Watch this space for the final report this summer — unless there is another acquisition to blog about in the meantime!