URL: https://dale-peterson.com/2023/05/23/ot-detection-market-q2-2023-update/?mc_cid=7ecc9e3e41&mc_eid=UNIQID

OT DETECTION MARKET – Q2 2023 UPDATE

23 May 2023 | 2023, Detect

It has been 18 months since my last OT Detection Market Update. The market shook
itself out in 2020/2021 and the changes since then have been smaller. No serious
new competitors are entering. The VC money coming into the space is greatly
reduced, although this is likely due to economic issues more than market
dynamics. Acquisitions are also way down.

Note: While I have historically called this the OT Detection Market, because
this was the initial purpose of the products, most of the solutions also include
an asset inventory, vulnerability management, and increasingly risk management
capability.


PURE PLAYS


TOP TIER

Two Companies With Little Competition Between Them

Dragos and Nozomi Networks (Nozomi) are the clear top tier pure plays in the OT
Detection Market. The funny thing is that the decision when these two go
head-to-head is simple. If asset inventory and vulnerability management are most
important to you, then Nozomi wins. If threat intel and incident response are
most important to you, then Dragos wins.

Where they excel is based on each company’s heritage, their leadership, their
philosophy, who they hire, and everything else. It’s not a flaw or something to
change, and they both have credible offerings in other areas (with the exception
of incident response which Nozomi outsources to partners and in some cases is
actually Dragos).

I slightly prefer Dragos’ position because it is harder to get cut out. I’ve
predicted for five years now, and I’m still asserting, that a large part of the
market will move to sensors in containers in switches sending info directly to a
SIEM like Splunk or QRadar. And your Splunk and QRadar will have increasingly
sophisticated OT add-ons. OT specialized threat intel and IR doesn’t go away
even if this prediction comes true.


TIER 2

Claroty and Armis

Claroty drops down from Top Tier to Tier 2 as expected at the last update in Q4
of 2021. It isn’t a product issue as they are a close competitor to Nozomi from
a technical standpoint. It’s been leadership and execution, which to be fair has
been a huge challenge in this fast growing market.

Claroty ‘acquired’ healthcare IoT company Medigate weeks after my last update.
Acquired in quotes because it was tied with a $400M Series E round, and could
have been a graceful way to get needed cash and avoid a public down round. This
may give Claroty an advantage in healthcare at the cost of less focus on the
traditional verticals (electric, oil/gas, water, manufacturing) buying OT
detection. While Tier 2, they still win deals and their Team82 research group is
impressive.

The big miss in my last update was leaving off Armis. It was a blind spot for me
since they got removed from RFPs I saw due to the cloud-only offering. They are
investing a lot to go after the OT market, and cloud is not so scary anymore. In
fact, Nozomi is seeing a lot more of their business come from their Vantage
cloud option. It may be premature, or predictive, to move them up to Tier 2, but
I would include them in an RFP if cloud-only is an option you are willing to
consider.


TIER 3

Otorio is noteworthy in this group as they are showing a positive activity
level, as compared to other Tier 3 participants who may have peaked. Figuring
out the right time and price to be acquired will be key. Indegy and Security
Matters nailed it, some others have missed their window.

RunZero, formerly Rumble, also joins Tier 3, primarily because it is led by HD
Moore of Metasploit fame. It is limited to asset inventory and vulnerability
management, so it’s a stretch putting it in against products that do that plus
detection.

There are some other companies that continue to fight in Tier 3, such as
SCADAfence, Radiflow, and Industrial Defender. They can still win some deals
with a good sales team, but it is hard to see them scaling up to get to Top
Tier. Time to sell or pivot.


IT / OT INTEGRATED SOLUTIONS

Tenable and Forescout

Tenable added OT with their acquisition of Indegy. Forescout added OT with their
acquisition of Security Matters. This significantly hurt their ability to win
pure OT detection deals. I’m guessing this is not a surprise or even considered
bad news for these companies. They want OT so they can provide a complete
solution to customers who use their enterprise solutions and have OT.

Most of the product advancements have been to integrate the OT solution into the
enterprise product family so the security team and CISO can have the vaunted
single pane of glass. There are real benefits to this. Tenable enterprise
customers should consider the Tenable OT solution. Forescout enterprise
customers should consider the Forescout OT solution. Even if the OT product lags
a bit due to less attention, the integration benefits often are worth it.

Cisco

Cisco has a great theoretical solution. Get the sensors with the Cisco switches.
Pay based on IP address, regardless of the number of switches. You would think
this, and a desire to get into this market, would make Cisco very price
attractive. Not so, and this is a problem.

Cisco doesn’t have a good track record of acquiring security products and making
them successful, or even keeping them around. The Cisco firewall, originally
called PIX, was largely successful because it was sold at about 10% – 20% of the
price of the market-dominating Check Point firewall.

The other difficulty Cisco is having is their channel sales model. Why would a
channel want to spend the time and money to develop expertise on a low-volume
product that is hard to sell and support, as compared to other Cisco offerings?

Cisco is either going to change their strategy or fade out of this offering.

Microsoft

When Microsoft acquired CyberX, it seemed obvious they wanted the ICS protocol
technology for Azure rather than the product offering. This has proven to be
true and they have faded from the OT Detection market.

I do wonder, though, if they could try to use other people’s sensors and compete
in this area with a cloud-only, asset management focused option. I need to think
and research more on this.

———————-

As always I welcome your comments, corrections, additions and differing
analysis.

Full Disclosure: Many of the vendors mentioned in this article are sponsors of
past and future S4 Events. No company pays for inclusion or analysis in my
articles or the Unsolicited Response show.

Copyright © 2023 Digital Bond, Inc All Rights Reserved