-Sep-22-2023-02-44-16-0551-PM.png?width=2500&height=688&name=MicrosoftTeams-image%20(56)-Sep-22-2023-02-44-16-0551-PM.png "Cisco Acquires Splunk")
Cisco and Splunk: a pretty big deal
The biggest news in cybersecurity in the past few weeks may not be the MGM breach, but rather Cisco’s announced $28 billion acquisition of Splunk.
The surprise announcement is a big one; with Cisco paying a 30% premium over the standing share price, but perhaps one that shouldn’t be a surprise at all considering there were public rumours of a deal as far back as 2022.
What does the acquisition mean for the world of cybersecurity?
So - what can we expect from the deal?
Well, it’s hard to say for definite. Let’s start with Splunk.
At the start of the pandemic in early 2020, Splunk was flying high. But it hit harder times towards the end of the year and in 2021, as it was trying to shift its model to be more cloud-based; a transition was not without hurdles. This happened concurrently with a cooling market for SIEM, which was due to high costs and many organisations questioning the financial and security value.
Splunk’s struggles were no surprise really. In my personal experience at least, the number one topic of discussion when it comes to Splunk is the sheer cost of ingestion. There is also the continuing challenge of security teams needing to understand both their infrastructure and business processes to recognise what data is important, what good should look like, and what should stand out.
The result is often that, on one hand, we’re afraid to ‘miss the needle in the haystack', so we end up ingesting the entire haystack. On the other hand, we now have so much hay that we’re potentially less likely to find the needle, especially as we don’t always quite know what it looks like.
That means higher overall costs, all while having a relatively low level of confidence that we will detect what matters, which can be lower than expected from various MDR/EDR/XDR offerings. It’s no wonder SIEM investments are under more scrutiny than ever, and that we are seeing budgets often reallocated to other areas. That’s not to say it isn’t growing or important, but it is being massively outstripped by XDR, for example.
What about Cisco?
Well, that’s a long story. Many people still picture Cisco as “that networking company”, or “that company that does the IP phones”. Their efforts in the security space are often greeted with cynicism.
In my opinion, part of this is generational: Cisco isn’t a new brand - it isn’t “cool”. The fact that such biases influence what’s being bought to best serve businesses is unfortunate, but it exists. The other part is Cisco. I can say this because Cisco themselves admit they haven’t always had the best security message and have been behind the market in some cases.
But people would have laughed at you 3 - 4 years ago if you’d called Microsoft a security company, and now they dominate a huge share of the market.
I’ve spent quite a bit of time with Cisco lately, and while I still need to see things with my own eyes, I can tell you they’re on a bit of a charge right now. Solutions aren’t just being acquired, they’re also being integrated, and the massive breadth of the Cisco ecosystem is being leveraged to create better intelligence and capabilities.
Throwing loads of developers at a something tends to produce some results. It’s also important to note that the range of solutions and technologies they are wrapping up under this security integration is vast, which takes time.
As a former CISO and auditor; I know one of the biggest challenges in security teams is linking things together so that they can be used effectively. In my personal experience, most security teams really struggle here.
That’s why I think a wide-reaching and well-integrated solutions suite can have real value. It will help many security teams get down to quickly working effectively, rather than spending significant time setting up, or as often happens, not ever getting well set up and working ineffectively for years.
People often insist on best-of-breed solutions, but I can assure you a 20-foot dam holds more water than a 100-foot dam with a gap in it. Holistic cover and integration matter. They really matter.
The other challenge I see (and I believe this is the biggest issue in our industry), is the failure to address root causes. This results in many security functions churning away, endlessly addressing symptoms but seldom sustainably improving the organisation’s security posture.
Addressing these root causes requires authority and influence, but you can’t even start if you can’t determine what the problems are.
And that’s where I think Cisco’s evolving Full Stack Observability (FSO) solutions could play a powerful role; helping security teams strategically address the business and IT issues that lead to their vulnerabilities in the first place. It could help them drive the kinds of changes that lead to cumulative reductions in vulnerability over time.
Being more of a strategist than a SOC analyst myself, those are the things about Cisco that excite me right now.
However, whether you’re working hard in the SOC to detect the anomalies pointing to the threats in your network, or trying to boost the security posture throughout your organisation’s IT and business processes; there’s no escaping the fact that having log processing and SIEM will give us better insights.
There’s also no denying that having a better understanding of your environment through Cisco’s FSO (and of your applications and user behaviours through things like ThousandEyes and AppDynamics) will allow us to significantly improve what we can get out of SIEM.
Could this potential symbiosis give us the XDR solution we’ve all been waiting for? Time will tell, and it will probably require more time and billions more in investment and integration work.
But as a show of commitment, this acquisition is a big one.
One thing’s for sure: Cisco is playing for keeps.
To read Cisco's press release on the Splunk acquisition, please click here.