New architecture, improved playbook design highlight new Siemplify release

Siemplify says that the enhancements to their SOAR platform will further build on the company’s growing channel momentum.

SOAR [Security Orchestration, Automation and Response] provider Siemplify has released a new version of its flagship security operations platform. It transitions to an extremely scalable Linux-based architecture, and makes significant upgrades in playbook lifecycle management. Siemplify says that this major release should significantly enhance the company’s already growing channel efforts.

The new release has two major themes, said Nimmy Reichenberg, Siemplify’s Chief Strategy Officer.

“The first is a new high performance architecture, which can scale to the most demanding environments,” Reichenberg said. “The second part is improved ease of playbook lifecycle management, something that is required now in mature SOAR implementations.”

The platform now runs on a high-performance Linux architecture.

“It was a Windows architecture before,” Reichenberg said. “The change is significant, not marketing buzz. It’s a big change from an architectural perspective, which provides an order of magnitude of scalability. It’s also cloud-ready with Docker containers and HA and DR, and provides one click install on any platform.”

Reichenberg said that having a Linux architecture is not itself a differentiator.

“The majority of SOAR tools were either originally built on Linux or have migrated to it,” he indicated. “The differentiator isn’t the Linux itself. It’s the scalability, as well as the HA, DR and playbook lifecycle management. We have engaged in deals with customers who used products that didn’t scale well. It makes a difference for big companies.”

“Windows was a limitation for us,” said Bradd Barmettler, Siemplify’s Global Head of Channel. “This will open up many more additional doors.”

“The MSSP market is a major target for this,” Reichenberg said. “They service multiple customer sites, and having a way to do this remotely yet securely is very important. It’s also important for enterprise customers, a lot of whom actually behave in a similar way to MSSPs. We have a customer who is a Fortune 100 company, in the entertainment business, and which acquires other companies. So they act very much as a service provider.”

The new version also introduces a modular approach to incident response playbook design, with simplified playbook lifecycle management. It does this with a ‘block’ concept that lets users create one block of actions for a use case, such as enrichment or response, and reuse those blocks in any playbook that requires them.

“What we found with SOAR is that implementations have become more mature, customers now can have more than 100 playbooks,” Reichenberg said. “The blocks are reusable pieces that can be plugged into other playbooks, and every playbook that calls on it is updated automatically. It really simplifies concepts of managing playbooks at scale.”

Other enhancements have also been made to how the playbooks work.

“You can now create alternative workflows that act as a fallback branch, kicking into action if a step in the playbook fails to complete,” Reichenberg said. “If a step fails, you can go through a completely different branch. This isn’t something that I would say is common, but it’s also not a once in a blue moon thing.”

Barmettler said the problem happens when content providers make changes which break the code until a fix is implemented.

“Say that VirusTotal comes out with a new web site, and things get moved around,” he said. “This lets you go to McAfee or some other similar site and pull data from that instead.”

The enhancements are a major value-add for partners, Barmettler added.

“The increase in scalability is important because some competitors have issues here,” he said. “It’s ingesting all the alerts from SIEMs. At scale, will they lose them, or have them slow up? That and the enhancements to the playbooks deliver value faster to the customer.”

Barmettler said that Siemplify has made great strides over the last year in increasing the amount of its channel business. A year ago, when he joined the company, 12% of sales went through the channel.

“Now, from a deal registration perspective, about 20% of inbound business comes through partners, and we are now putting 85% of enterprise fulfillment through the channel. A year ago, we had 15 partners, and we have added another dozen since then worldwide – right about where I was expecting to finish out the year.”

Barmettler emphasized that the channel enablement program has been significantly built out over the period.

“We now have over 100 different channel sellers and SEs enabled on our story,” he said. “We built the partner portal up earlier this year, and it has been a great lifeline to the partners, and has got a lot of positive feedback. We also implemented a sales incentive program in North America. We have had a lot of great mindshare come back. It’s helping our inbound deal registration grow, and has assisted in growing the partner business.”

Barmettler said the plan is to further build out the team in 2020.

“This will allow channel velocity to grow further,” he stressed.