SAN FRANCISCO — At RSA Conference 2024, Cisco shed light on how it is integrating Splunk technology into its security products following the completion of the blockbuster acquisition.
Cisco announced last September an agreement to acquire analytics giant Splunk in a deal worth $28 billion. When the deal closed in March, Cisco laid out its plans for the new acquisition, saying the integration of Splunk technology would focus on AI, security, network management, observability and tool consolidation. For security, the networking vendor said it would incorporate Talos’ threat intelligence with Splunk in the coming months and eventually integrate Cisco technology into Splunk’s security portfolio as well.
At RSA Conference 2024 on Monday, Cisco unveiled its first inter-product integrations with the addition of capabilities from its extended detection and response (XDR) product into Splunk Enterprise Security (ES). The integration, according to Cisco, will feed XDR alerts and detections into Splunk ES to enhance customers’ investigation and remediation efforts.
Tom Gillis, senior vice president and general manager of Cisco’s Security Business Group, told TechTarget Editorial that Splunk provides context that is passed down to the XDR for enrichment, and the XDR feeds alerts based on that context back to Splunk.
“It’s the first in a series of steps to bring analytics and infrastructure closer together [as well as] applying intelligence about how we gather data and how we process that data to drive more secure, more effective security outcomes,” Gillis said.
Cisco also detailed further application of AI and machine learning into products such the cloud-native application protection platform Panoptica. The company said the platform now uses AI in two capacities: First, AI and machine learning technology generate real-time detections and alerts for emerging threats. Second, Panoptica’s GenAI Dynamic Remediation feature offers security teams contextual descripts of potential threats with actional remediation guidance.
Additionally, the networking vendor’s AI Assistant for Security, which it announced at RSA Conference 2023, launched Monday. Cisco said the AI assistant is designed to help security analysts respond faster by providing them with contextual intelligence, recommendations and automated workflows.
In addition to Splunk integrations, Cisco revealed new developments for its zero-trust security product Cisco Duo as well as Hypershield, the AI-native data center system it announced last month.
For Cisco Duo, the company announced two new identity security-related features. The first feature in Duo Passport is designed to reduce authentication fatigue by minimizing repeated requests. Second, Cisco is integrating its recently announced Identity Intelligence tool into Duo as a new feature named Continuous Identity Security.
For Hypershield, meanwhile, the company said it introduced capabilities to detect and block attacks originating from “unknown vulnerabilities within runtime workload environments.” Gillis explained that an AI agent can be trained on an attack’s tactics, techniques and procedures as well as block anomalous behavior that looks like these TTPs.
“If attackers are using PowerShell to launch certain processes and modifying these registers, and we see something that that has similarity to that, then we know it can be bad even though we don’t know exactly what the vulnerability is,” Gillis said. “It provides protection against unknown vulnerabilities as well as known vulnerabilities in this distributed mesh.”
Although Splunk and Cisco technology will become increasingly integrated, Gillis said the plan is to still offer both product suites separately.
“What we’re showing at RSA is the Splunk Platform and Cisco platform interoperating in a way that they’re better together,” he said. “Splunk is still a platform, Cisco Security is a platform, but we’re putting hooks in. Less than two months after the close of acquisition, we have product integration which we think is going to be meaningful and impactful.”
Eric Parizo, an analyst at Omdia Cybersecurity, said Splunk gives Cisco important SecOps capabilities.
“Cisco’s revamped XDR solution is more focused on an integration-centric approach to TDIR [threat detection and incident response], while Splunk gives Cisco a much broader play in not only SecOps but also other related areas like observability, which is a key part of Cisco’s existing solution strategy,” he said.
Parizo said Splunk gives Cisco a meaningful way to increase its total addressable market.
“For years, Cisco resisted acquiring a SIEM vendor, essentially stating that such an addition would be beyond its strategic remit, which has long been focused on network and cloud security,” Parizo said. “However, more recently, Cisco’s ambitions in enterprise cybersecurity have expanded through a long list of acquisitions that have made it a player in areas such as endpoint security, identity and access management [as well as] vulnerability management, among others. In light of this more ambitious strategy, adding Splunk to the mix makes a ton of sense.”
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.