The rumors started in February and became reality this week. Microsoft acquired CyberX. The price is not a material event for Microsoft. It will never be officially released. A recent article claimed the price was $165M, and I predicted it would be substantially less if it occurred based on the acquisition prices of fellow Tier 2 vendors Indegy and Sentryo.
Why Did Microsoft Acquire CyberX?
Azure … as Microsoft wrote:
CyberX will complement the existing Azure IoT security capabilities, and extends to existing devices including those used in industrial IoT, Operational Technology and infrastructure scenarios.
CyberX is a good fit for Microsoft. They had great tech and a strong technical team. All that ICS protocol and system understanding, existing code and ability to quickly spin up support for other ICS and IoT protocols is the value in this sale. Plus Microsoft had experience working with CyberX to integrate the CyberX solution into their Azure IoT Hub and Azure Security Center for IoT.
It was CyberX’s operations/sales/marketing that held them back from being Top Tier in the ICS Detection Space. And since they weren’t Top Tier, the acquisition price, even if it was $165M, was less than acquiring a Top Tier solution. CyberX’s installed base was likely not of great importance to Microsoft.
So the CyberX technology will become a part of a Microsoft branded Azure IoT Edge / Azure IoT Hub offering, and the CyberX team will help Microsoft understand and develop what is needed for the higher end, ICS and IIoT, not IoT, customer in the Azure Security Center for IoT. How they will get the data that CyberX sensors detect to Azure is an open question, unless you believe the CyberX sensors will survive. I hope to get Microsoft on the podcast soon to discuss their ICS strategy.
The value of CyberX technology to Microsoft could be more valuable for moving ICS and IIoT contextual data into Azure than for security. For example, Azure IoT Edge now has support to read data via Modbus and OPC UA. They now have the ability to support a lot more ICS and ICS protocols to pull a lot more data into Azure. OSIsoft may have more to worry from this acquisition than Claroty, Dragos or Nozomi.
What This Means For Cyber X Customers
This is not good news if you had purchased and liked the CyberX offering. It makes no sense for Microsoft to continue this product as is. The market is way too small, particularly for the CyberX management GUI. (Note: Microsoft made the same decision back in 2007when they considered a much more logical and compelling case for a special manufacturing version of Windows.) The sensors also are likely to go away, or perhaps Microsoft spins those off or makes the technology available as open source.
To be clear, CyberX states the complete opposite:
the platform will continue to be enhanced and supported by CyberX personnel. In addition, Microsoft is committed to the channel and will continue working with CyberX’s strategic reseller and technology partners worldwide. The CyberX platform will continue to be available in a hybrid model supporting both cloud-connected and air-gapped networks.
At 22:40 in the video below, I advise asset owners to make sure they tell executive management that whatever detection product is purchased today will need to be replaced in the next two to three years. Set appropriate expectations. Acquisitions are the main reason for this. What Cisco, Forescout, Tenable and now Microsoft want out of this technology is very different than what the niche OT detection vendor envisioned.
If you are a CyberX customer this is not the time to panic and rip it out. You have a solid solution in place. Use it, but probably don’t deploy a significant expansion of the solution. The market will look different in 18 – 24 months. Use your deployed CyberX solution and understand how this type of technology fits into your detection and response strategy. And let the market sort itself out before you decide on your next ICS detection solution.