alphaspirit - Fotolia

HP enterprise security: Can acquisitions lead to cohesive strategy?

Through acquisitions Hewlett-Packard has built a formidable lineup of enterprise security offerings, but experts question whether a strong brand can overcome legacy technology and a lacking endpoint strategy.

Hewlett-Packard Co.'s lineup of enterprise security products and services is winning in terms of brand-name power, according to industry observers, but there are holes to fill as the company moves toward a major turning point.

In October 2014, HP CEO Meg Whitman announced that the vendor, which in fiscal 2014 reported $111.5 billion in net revenue, would split into two separate companies: Hewlett-Packard Enterprise (HPE) would focus on hardware, software and services for enterprise customers, while HP Inc. would be formed for its PC and printer businesses. The split will be finalized by the end of HP's 2015 fiscal year, which ends on Oct. 31.

At the time of the announcement, CIOs lauded the plan for its potential to allow HP to be more nimble in the IT space. More recently, Whitman has stated plans to make more high-impact acquisitions to bolster the HPE lineup before the split. Last month, HP agreed to purchase Cupertino, Calif.-based Voltage Security Inc . in an effort to improve cloud services, and two weeks ago HP agreed to purchase Sunnyvale, Calif.-based Aruba Networks Inc. for $3 billion, which could help the company become a stronger competitor to Cisco Systems Inc.

The core of HP's broad portfolio of enterprise security products and services includes the ArcSight SIEM, TippingPoint network security, and Fortify application testing and security technologies. Beyond those products, HP offers data security and encryption services on-premises, in the cloud, and in mobile environments through Atalla; Application Defender, which scans inside applications for attacks that network security might not see; and WebInspect, which tests Web application and services security by attempting to mimic real-world hacking techniques.

According to experts, HP's security product lineup is anchored by strong brand names like ArcSight and Fortify, both leaders in their respective categories, plus the well-respected TippingPoint IPS. However, experts also see these products as somewhat disparate parts that don't necessarily combine into a cohesive whole, putting pressure on HP to better integrate its products while keeping up with changing customer needs.

Gathering data and ArcSight SIEM

Frank Mong, HP's vice president and general manager of solutions and enterprise security products, said in an interview with SearchSecurity that the ultimate aim of HP's enterprise security lineup is to disrupt the growing ecosystem and underground marketplace of highly specialized, organized threat actors.

"Look at the bad guys," Mong said. "It's not just a single threat actor, but a culmination of nation-states, cybercrime organizations and hacktivists."

To do this, Mong said that HP is focused on three broad areas: collecting data, processing data and taking action on that data. HP has multiple products for each of these functions. The hub, according to Mong, is the ArcSight SIEM, which gathers alerts from firewalls, servers, logs, and numerous other sources.

"Customers have heterogeneous environments, so ArcSight uses open standards like Common Event Format to ingest intel from all vendors," said Mong. "We have 2.5 billion events per day at HP, and we use ArcSight to filter that down to find the 10 to 20 critical events within the noise."

Being able to do that efficiently is paramount, said Mong, and HP is focused on adding more automation to the process during the next 12 months.

"We need to fill a skill gap," said Mong. "There aren't enough security professionals, and too much time is wasted with repetitive tasks like filtering events. We want to improve correlation so you won't look through a few hundred items, but bring that down to under 50."

In this same vein, Mong said that threat intelligence that is shared through Threat Central can be filtered through ArcSight so users only see alerts that are contextual to their environment and industry.

Moving beyond SIEMs

According to Rick Holland, principal analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc., while ArcSight carries a lot of weight in terms of brand name power, one potential problem is that SIEMs are already losing standing with consumers.

"SIEM itself is in transition, and is more of a necessary evil," said Holland. "Many see a SIEM as being like driving a car while looking through the rearview mirror -- it doesn't help with what's coming down the road."

Holland said that users are looking for what he calls "SIEM 2.0" products, which would rely more on big data analytics, but that transition is difficult both for customers and for HP.

"There is a lot of hype with big data security, but how do you make it meaningful to customers?" asked Holland. "Customers are already having trouble with 'little data' [SIEMs], and you need to prove yourself there before moving on to big data."

Mong said that he recognizes the shift that is coming in the SIEM market segment, and said HP is focused on evolving with advanced threat detection as well as pushing big data, but the focus is always on being able to scale.

According to Neil MacDonald, vice president and distinguished analyst with Stamford, Conn.-based research firm Gartner Inc., ArcSight is a dominant player in the SIEM market, but it is facing growing competition, specifically from San Francisco-based upstart Splunk Inc.

"Splunk is having a noticeable impact on the entire SEIM space," said MacDonald. "The security use cases are all relatively new, but Splunk is making inroads with their strength in the IT side, with a robust community for sharing rules and patterns, and their third-party ecosystem of apps built on Splunk."

MacDonald said that he saw HP's Threat Central threat intelligence platform as a response to Splunk, but said that it didn't go far enough.

"It's one thing to share threat intelligence, like Threat Central," MacDonald said. "It's another to share the rules and patterns that allow you to get value out of the data. Splunk is much more free-form like that."

MacDonald would like to see HP add big data capabilities, integrating its Vertica big data analytics technology with its security products, and hopes HP will build security products based on HAVEn, HP's major big data platform. MacDonald said these moves would help HP to offer post-incident analytics and reporting, which is beyond what ArcSight was built for.

Threat response and data protection

Once threats are identified, they are mitigated by HP's network security TippingPoint product line, which includes IPS, firewall, malware monitoring and sandboxing.  

Mong said that if customers had a TippingPoint IPS device set up automatically, the Heartbleed vulnerability and exploits based on Heartbleed would have been blocked hours before the threat was publicly known.

Holland speculated as to whether TippingPoint might, like ArcSight, be falling behind the competition.

"TippingPoint's challenge is that IPS is seen as a last-gen product and not useful against today's threats," said Holland. "HP needs to create better workflows between products for automation."

MacDonald said that he would like to see more from TippingPoint's sandboxing feature, which he said does not measure up to products from FireEye Inc. or Cisco Systems Inc.

Improving the portfolio

HP's enterprise security portfolio is large, but even Mong admits that there are ways to improve. In addition to improving threat correlation in ArcSight, Mong said that HP is focused on across-the-board improvements in malware detection.

"Finding the infected device, whether laptop, mobile phone, or access point, is very difficult," said Mong. "If you get a sophisticated malware in your environment, it can mimic normal. All your sensors will overlook it, so we have ways now to find that device that's been infected that looks normal."

Mong also noted that HP was focused on identity access management (IAM), which he said is something that has been around a long time, but hasn't really taken off.

"IAM is too complex to get to work across a large enterprise;it's difficult to merge user bases, and becomes hairy to deal with," Mong said. "We haven't found a way to solve that, so I think that's interesting."

MacDonald believes that while there are a number of ways that HP could bolster its security product portfolio like improving endpoint security, email protection, gateway protection, or mobile device management, the main area he would like to see improved is data protection.

"HP really has nothing comparable for data protection story," said MacDonald. "It can't compete with IBM InfoSphere Guardium, or Imperva for data-centric monitoring and protection."

Holland said that HP's strengths include individual controls, strong consulting services and strong application security with Fortify and WebInspect, but said that customers he has talked to want to see HP develop the endpoint security that is  missing from TippingPoint.

"HP doesn't have an endpoint story. McAfee has the endpoint story, and network security. PaltoAlto and FireEye each have network and endpoint combined," Holland said. "People want their next-gen IPS or firewall to work with endpoint protection. HP could generate buzz by acquiring an endpoint startup, like CrowdStrike or Invincea."

Next Steps

Learn how HP's Atalla gives IT pros cloud data security control.

What will 2017 bring for SAP S/4 HANA and HCP?

Dig Deeper on Security vendor mergers and acquisitions