Siarhei - stock.adobe.com

What Cisco’s Splunk acquisition means for APAC customers

APAC organisations can expect better visibility and insights into their networks and applications along with automation and response capabilities to improve their digital resilience

Cisco recently closed its $28bn acquisition of Splunk, paving the way for the two companies to come together to address some of the most pressing cyber security challenges faced by organisations today.

The blockbuster deal is seen as a good fit, with Splunk’s stronghold in consolidating and analysing telemetry and log data complementing Cisco’s deep portfolio of networking, security, application performance management and threat intelligence capabilities.

On 18 March 2024, Cisco outlined a five-point integration plan spanning security, artificial intelligence (AI), observability, network management and tool consolidation. These include baking Cisco’s Talos threat intelligence into Splunk and unifying the two companies’ AI assistants for security to provide a common experience for security teams.

In an interview with Computer Weekly, Dave West, president for Cisco Asia-Pacific, Japan, and Greater China, and Simon Davies, senior vice-president and general manager of Splunk in Asia-Pacific, unpacks the integration plans and what they mean for customers in the region.

Cisco has just closed its acquisition of Splunk. Can you tell us more about this means for your respective customers in the region?

Dave West: We’re partners on this journey and we’re excited about the opportunities. We have a great cultural fit and we’ve had great feedback from our customers on our capabilities to drive synergies together. We’re also bringing in incredible engineering talent.

In this region, we get to partner with someone like Simon, and the synergy between our CEOs is really special, which makes a big difference with Gary Steele reporting directly to Chuck Robbins. That tells you that Chuck is very committed and sees incredible opportunities. Our teams are very excited about it, but we’ve got to let Simon do what he needs to do to onboard his team.

If you combine Splunk’s capabilities around AI, security, insights and visibility with Cisco’s deep portfolio in security, networks, datacentres and cloud, we can help customers build an incredibly resilient enterprise and give them visibility, insights and the ability to make decisions that they’ve never been able to make before. 

Simon Davies: From early on, we’re going to leverage Cisco’s Talos threat intelligence capability for security detection, automation and orchestration, which is going to be super powerful and generate better outcomes for our combined customers.

From a solution point of view, we genuinely see a lot of complementary capabilities that many of our customers historically have had to pull together on their own. As part of the same family, we can remove that complexity and allow customers to focus on high-value activities.

For example, service disruptions – whether it’s a platform going down, an application failing, or a cyber incident – is massive for organisations, so being able to quickly identify what happened, where it happened and remediate it is crucial. At the same time, regulatory frameworks are changing across the region, where critical infrastructure is becoming part of board-level conversations. So, again, having that ability to detect, remediate and respond is top of mind for customers.

For me, it has also been about innovation because if you take away that complexity and make it easier for customers to achieve a level of digital resilience, then we can focus on how to continue to evolve the way we serve customers and launch new products and offerings, which is pretty compelling.

You talked about integrating Talos’ capabilities which is pretty clear to me. But at the same time, both companies have overlapping products, including those on the observability side. What’s the thinking around rationalising the product portfolio between the two companies?

West: It’s a good question. When you look deep into our offerings, there’s not that much overlap. In fact, there’s more synergy than overlapping areas. Being able to take threat intelligence from Talos and make decisions from that is a pretty easy step.

As a next step, we’ll look at integrating the AI engine and generative AI assistants we’ve built for security to help with workflows. With that same engine, which works across the Cisco Security Cloud, as well as our XDR (extended detection and response) and edge security capabilities, we will be able to work with Splunk data sources as well. That work has already started.

Think about the early events that we could see in the network that might not be automatically fed into Splunk just because we were not working every day together before. The integration will just make it easier to get insights, do correlations and use AI systems to make the right decisions
Dave West, Cisco

On the security side, what we’ve done at the edge and access provides greater security capabilities when combined with Splunk. With Splunk’s ability to ingest the data, you can build visibility and insights around security, then orchestrate, automate, respond and recover based on something that would happen. All of those are synergies and if there are areas where there could be overlaps, I think we can easily deconflict those.

On the observability front, we can feed Splunk’s observability and log capabilities into AppDynamics and use those capabilities for application performance management. In fact, on day one when we completed the acquisition, we moved the AppDynamics development team to Splunk.

The teams are working hand-in-hand to make this solution incredibly robust, and where there are overlaps on the observability front, we’ve found ways to make sure we can support customers on-premise and in the cloud. We can get very granular with application performance management and allow Splunk to do what they do best, which is to provide overall observability and visibility that we could have never done before.

Davies: One of the early priorities is around providing visibility across metrics, traces and logs, which are necessary when you think about what a full observability portfolio looks like. As Dave said, there are great synergies around how the different solutions fit together.

But there are also some unique capabilities that Splunk was already bringing to the table around delivering full fidelity and trace analytics for high availability environments and microservices architectures. Those capabilities could provide visibility across different applications and technology stacks that support the orchestration of business processes. That holistic view is very much what the team is focused on.

Based on what you said, are we then inching closer to self-service and self-healing networks?

West: We’ve always talked about self-healing and self-provisioning networks that can respond automatically. I think generative AI will help tremendously. We’ve showed a couple of demos around soliciting feedback from an AI engine to help customers make better decisions around potential vulnerabilities and different aspects of a network.

The question is whether we give the AI engine the ability to execute decisions on their own. We are starting to get to a point when we can almost do that as long as the competence is there. Today, there’s probably still a human in the middle who pushes a button to execute what needs to be done, like shut down a port, deny access to a user or make sure an application is segmented from others. But if the AI engine is telling us that this is what we need to do to defend our infrastructure, then I think we’re getting to the point where we could allow AI to do that.

Is Cisco working on a large language model focused on security now that you have the data from Splunk?

West: Right now, we are working with a lot of large language models which we train with synthetic data. There’s a lot of work on the AI front and it’s not just large language models, it’s also small language models. We’re working very deeply on use cases to make sure that we’re solving the right problems.

We have a responsible AI office, and we need to be very ethical in the use of customer data and large language models to make sure that the data we get back is accurate. We’re providing the right guidance to our customers and making sure that we never expose customer information.

Davies: One of the commitments is that Splunk’s existing roadmap will continue in the foreseeable future. We’ve already announced our security and observability AI assistants that will be embedded into workflows in the very near future.

We genuinely see a lot of complementary capabilities that many of our customers historically have had to pull together on their own. As part of the same family, we can remove that complexity and allow customers to focus on high-value activities
Simon Davies, Splunk

The AI capability that harnesses the power of the connectivity to the network to bring data in for things like drift analysis and anomaly detection already exists in the Splunk platform. While standalone events may not cause a red flag or trigger an event from a security point of view, aggregating them using AI engines that you then tune based on the risk profile of your organisation is what many of our customers are already leveraging. Moving forward, as we embed AI – not just generative AI – into workflows, we’re thinking about the practitioner and the work they need to do and how we can help them.

Splunk is a well-known as a SIEM (security information and event management) solution used by security operations centres (SOCs) around the world. How does the two companies coming together help customers accelerate their SOC modernisation efforts?

Davies: SOC modernisation is one of the biggest challenges when organisations think about their security capabilities and posture. Technology is an element of that, but it’s also people and processes that become critical. The challenges many organisations face, first of all, is visibility and understanding what’s going on.

With organisations increasingly relying on SaaS (software-as-a-service), hyperscalers and hybrid applications, that visibility gets more complex. That’s something Splunk has been very good at, whether it’s looking at data coming out of Cisco offerings or taking feeds from XDR and other third party tools and technologies.

We have roughly 3,000 pre-built integrations and connectors that allow you to bring that data in. You can use that data for detections and empower your SOC operators with insights, whether it’s a notable event that’s fired from an XDR solution or credential compromises.

Once you have the insights and understand what’s going on, you can then deal with those incidents more effectively. With the use of AI in risk-based alerting, you can take a series of events, score them, and once you get to a certain threshold, you can turn that into a notable event.

We’ll then use AI to take that event and map it into the Mitre framework, identify remediation steps, help you with incident response and to report what you need to do from a compliance perspective. By automating those steps and applying the right techniques, you can be more productive and efficient while reducing false positives.

West: It’s not like we don’t work together in SOCs. But think about tomorrow when we’re going to be integrating and developing together. We talked about integrating Talos directly into Splunk. In the past, there may have been an agreement to pull intelligence into the SOC, but it’s now seamless.

Think about the early events that we could see in the network that might not be automatically fed into Splunk just because we were not working every day together before. The integration will just make it easier to get insights, do correlations and use AI systems to make the right decisions. And instead of having one of our systems integrators patch it all together, I think you’ll see that work much easier tomorrow than it does today.

Speaking of systems integrators, are there plans to merge your respective partner programmes?

West: Right now, we want to make it seamless for our partners. Splunk will continue to run their partner programme and so will Cisco. For Splunk partners, we’re giving them easy vehicles to come onboard to Cisco. The overlap between our partners is pretty big, which is great. For those that don’t overlap, we’ll try to make it as easy as possible to come onboard. As we go through this fiscal year and into next fiscal year, we’ll continue to evolve the programmes to best support our partners.

Read more about cyber security in APAC

Read more on Information technology (IT) in ASEAN

CIO
Security
Networking
Data Center
Data Management
Close