Karissa Breen [00:00:14]:
Welcome to KB On the Go. This week, I’m coming to you from Cisco Live 2024 at the Melbourne Convention and Exhibition Centre, where AI is taking center stage in driving the future of technology. Here in Melbourne, we’re surrounded by the buzz of innovation and industry leaders, all exploring how Cisco’s latest technologies are enabling us to work faster, safer, and smarter. Stay tuned for the inside scoop from some of the world’s leading experts presenting at Cisco Live 2024 here in Melbourne as KBI Media brings you all of the highlights.
Karissa Breen [00:00:57]:
Joining me now in person is Tom Gillis, SVP and General Manager Security Business Group at Cisco. And today, we’re discussing the steps to robust security. So, Tom, thanks for joining and welcome.
Tom Gillis [00:01:06]:
Thanks, Karissa. Good. Thanks for having me.
Karissa Breen [00:01:08]:
Okay. So, Tom, you talk about 3 steps to robust security as I’ve seen, in your Cisco newsroom in terms of detecting, preventing, and remediating security threats. So tell us, what are the steps?
Tom Gillis [00:01:20]:
Well, those are sort of the foundational steps that you need in security. First thing, you know, if you can’t detect it, then, you know, there’s there’s really not much of a conversation. So so detection is fundamental. Well, really, I would argue
Tom Gillis [00:01:32]:
first thing is actually prevention. Right? So we
Tom Gillis [00:01:32]:
wanna put in place safeguards to make sure that we can keep the bad guys out. But as good as we are, we know for a fact that stuff is gonna slip through. Right? That’s just the way security has worked, you know, for decades, and that’s always gonna continue. And so the detection will be the 2nd step. Right? Detect the stuff that leaked through, and then how do we remediate? That that formula has been around for 20, 30 years. But the building blocks that we use to implement each one of those steps are changing at an explosive pace. I mean, unbelievably explosive. And I’ll even be very practical.
Tom Gillis [00:02:07]:
When I look at the demos that some of the, products we have in development, I periodically review the demo. I’m kinda busy, so it might be a month from when I see a demo to when I see it again. In the course of 30 days, the capability that we can deliver is just a step function more advanced because of this AI capability. And AI helps in terms of our ability to code things. Right? So the AI is doing the coding, and we provide the logic. Right? So we don’t have to do the semantics of writing the software, but it also provides the ability to analyze and understand things that are happening in the infrastructure that just simply weren’t possible, you know, a year ago. So it’s a very, very interesting time. When you have a period of significant change like the one we’re heading into, there are always winners and losers.
Tom Gillis [00:02:57]:
Right? And so I think there are gonna be opportunities for us to deliver both prevention, detection, and remediation that is, you know, transformative in how customers experience it. But at the same time, the adversary is using the same tool sets. Right? And so if you look at that, you know, as good as we are, they’re using the same kind of automation. And here’s a way it really manifests itself. If you look at the time lag from when a vulnerability in an application is announced publicly to when we see it being exploited. That timeline used to be weeks, couple of years ago, then it was days. Now it’s hours. So you announce a vulnerability within 4 hours, we see activity around it.
Tom Gillis [00:03:43]:
You know, that it can only happen with AI automation. And the challenge for customers,
Tom Gillis [00:03:49]:
maybe
Tom Gillis [00:03:49]:
the folks that are listening, practitioners that are listening to this, is just keeping up with known vulnerabilities. Forget the complicated exotic stuff. These are just vulnerabilities that are announced. It is simply not reasonable to patch all of your infrastructure, patch all your applications in hours. It’s just not reasonable. So we have to think differently about how we can put security controls in place that are highly automated, that will create more resilience in the infrastructure without humans being involved.
Karissa Breen [00:04:22]:
Okay. So prevention, detection, remediate, as you said, it’s been around a long time. In your experience and, you know, your caliber of experience, well, specifically, where do you think customers have the most like problem out of those 3, would you say?
Tom Gillis [00:04:35]:
Well, okay. If we did a really good job of intervention, then then it’s much easier to do detection or remediation. Less stuff gets through. And and so I think Cisco’s opportunity is to really focus on the first phase, which is build preventative controls that make it much, much harder for an adversary to get through. It’s never impossible, but we can make it much, much harder. And, you know, there are many, many different facets to security where Cisco where I’m personally focused and Cisco, the company’s focus, where we put point our investment resources is leveraging the network specifically and the infrastructure a little more broadly. And so so what we wanna get to is a world where applications are highly declarative. Right? So it’s not random stuff that’s running.
Tom Gillis [00:05:20]:
We know exactly what’s supposed to be running. And when we know exactly what’s supposed to be running, we can lock down the infrastructure underneath it and make it immutable, if you’re familiar with that term. Right? So immutability means it does what it’s supposed to do and doesn’t do anything else.
Karissa Breen [00:05:33]:
Is that what you mean by random stuff?
Tom Gillis [00:05:35]:
Yeah. That’s what I mean by random stuff.
Tom Casey [00:05:36]:
Got it.
Tom Gillis [00:05:36]:
Right? And so so so so the concept of immutability is is it only does what it’s supposed to do and doesn’t do anything else.
Tom Gillis [00:05:43]:
Mhmm.
Tom Gillis [00:05:43]:
Again, not a new idea. Immutability has been around for for 20 years. It’s not been practical to implement immutability because applications change. Right? And so all of a sudden, it’ll do something that is new that might appear random, but it’s not random at all. It’s event driven. Right? Or it’s an update to an application. AI allows us to have an interpretation and understanding of the context to start to drive closer to immutability. So I believe that we can and I hope this isn’t too much technical detail, but I believe that we can drive security preventative solutions that are much more approximating immutability and will make it very hard, not impossible, but very hard for an adversary to gain a foothold, you know.
Tom Gillis [00:06:28]:
And then we can talk about advanced forms of doing detection or remediation on top of that. But but long answer to a short question, Cisco needs to be great at preventative security controls.
Karissa Breen [00:06:37]:
So then you mentioned before, Tom, you said there’s winners and there’s losers. So were you talking more around, like, the adversaries and then, like, customers or just
Tom Gillis [00:06:44]:
Unfortunately, that rule applies everywhere. So adversary versus defender. It applies to, you know, customers that are in the right side of this problem versus wrong. It also applies to the vendor landscape. Right? And that that that Okay. Every vendor, I mean, you know this, you’re in the business, every vendor you talk to is talking about AI. Sure. So it’s a question of how you walk the walk.
Tom Gillis [00:07:01]:
Right? Not simply talking about, oh my god, AI this and AI that.
Tom Gillis [00:07:04]:
Do you
Karissa Breen [00:07:04]:
think people are doing that? Talking about doing AI and not really doing the walk?
Tom Gillis [00:07:08]:
Well, you tell me. What do you think?
Karissa Breen [00:07:10]:
Yes.
Tom Gillis [00:07:10]:
Hell yeah. Right? You know, like it’s almost to the point of absurdity, like they talk about AI, I don’t even know make any sense. So so, you know, I’m less interested in talking about AI. I’m more interested in delivering products that have AI in them. I can tell you right now, I have products that you can use. Like imagine a network security device that can write its own rules, test its own rules, qualify its own rules, deploy its own rules, and then upgrade itself overnight. I got, you know, more than 20 customers that are using that system right now. And so, yes, it’s young.
Tom Gillis [00:07:39]:
Yes, it’s formative. But, like, this thing is transform it’s gonna transform how we do that prevention of cybersecurity because it’s just very, very high levels of automation. In fact, it wasn’t even possible to build this thing without AI. It’s not like I grafted AI onto it. Like, we built this system taking advantage of AI to deliver that level of autonomy.
Karissa Breen [00:08:01]:
Because of the velocity then as well. Yeah.
Tom Gillis [00:08:03]:
Exactly. And what we’re all all trending towards just this notion of immutability. Right? Like, stuff that’s supposed to happen is allowed to happen, and stuff that’s not supposed to happen is detected and prevented. It. Like, sorry. You can’t do that because that’s not normal.
Karissa Breen [00:08:14]:
You mentioned before about, like, patch management. Like, as you know, like, we haven’t got patch management right for 20 plus years. Correct. So what happens now on that front?
Tom Gillis [00:08:23]:
Yeah. Yeah. So this is the first use case that we’re tackling with Cisco’s HyperShield. So our view is is vulnerabilities are gonna continue to grow and it is not reasonable to patch these things. You know, the answer can’t be let’s try harder. You know, let’s be smarter about how we patch. That just is not gonna work. So what we have the ability to do is to apply a compensating control Mhmm.
Tom Gillis [00:08:48]:
That can shield those vulnerabilities while the application team is going through the process of testing and qualifying and updating a new patch. That process can take weeks. Right? A lot of these complex systems, you don’t just patch them overnight. If they’re running databases in production, You know, it’s gonna take days and, you know, maybe longer. And so with HyperShield, we have the ability to apply a compensating control that doesn’t touch or modify the application, but can be that kind of finger in the dike that provides shielding from the vulnerability. The other thing I’ll point out about a compensating control, it doesn’t obviate the need to patch. You still need to patch this stuff because a good attacker can find a way to get around a compensating control. Sure.
Tom Gillis [00:09:29]:
But it provides immediate protection that is driving us closer to that goal of immutability. Right? Don’t change the stuff that’s not supposed to change. We’re going to observe the things that aren’t supposed to change to prevent them from happening.
Karissa Breen [00:09:41]:
It’s on HyperShield. So obviously, you know, it’s pretty cool what you guys are doing. I spoke to one of your guys down on the demo floor. I can’t remember his name, but he explained it in a way that made sense. But what was covered in my mind was, do you think in your experience that, let’s look at the CrowdStrike incident, could that have been prevented if there was the digital twin, the HyperShield Absolutely.
Tom Gillis [00:10:02]:
Sort
Tom Gillis [00:10:02]:
of Like, you can say that that’s not a controversial answer. Absolutely. Yes. So here’s here. Now we’re getting into a little bit of this is very technical, but I think it’s important. There’s a little bit of shape of the industry issue.
Karissa Breen [00:10:14]:
What do you mean by that?
Tom Gillis [00:10:15]:
Security processes need to update, you know, as often as possible. Like, very you know, you wanna have the constantly churning.
Tom Gillis [00:10:22]:
Sure.
Tom Gillis [00:10:22]:
You see something, push a new rule. See something, push a new rule. Right? The infrastructure, so the kernel of an operating system is exactly the opposite tempo. You almost don’t want to never update that thing. Right? You want the Linux operating system or the Windows operating system, you want a nuclear hardened and then just let it run, run, run, run, run, run. Very carefully, very slowly upgraded. So there’s just an inherent different tempo to security processes versus infrastructure processes. And the problem that security has is that in order to do meaningful enforcement, you need to put stuff in the kernel, pull the kernel module.
Tom Gillis [00:10:57]:
So what went wrong with CrowdStrike is they had a security update that went bad. Mhmm. Like, it’s real easy for me as a vendor to sort of throw a rock at them be like, oh, look at those guys. You know, they really screwed up. But the fact is it could easily have been me. Like, that’s what happens when you’re pushing out security updates rapidly. Sure. Yes.
Tom Gillis [00:11:13]:
They made some operational mistakes, but I think it’s kind of the nature of the business. But where it got disastrous is you push those that bad update into a kernel module, it takes a whole system down. And that’s a very widely deployed solution that took down a giant swath of infrastructure. So with this new modern operating system protocol called extended Berkeley Packet Filter, eBPF, and the reason this is what we’re talking about is this is is applicable broadly across infrastructure, not just OS. But let’s talk about the operating system. So the big deal with eBPF, extended Berkeley Packet Filter, is it allows a process running in user space to look into the beating heart of the OS, the kernel, without actually running in the kernel.
Karissa Breen [00:11:54]:
Right.
Tom Gillis [00:11:54]:
Right? So we can see every system call, every function call, you can see memory, you can see every IO operation, but if that security update goes Kerfluey, does that translate? You know what Kerfluey means, right? If it goes sideways, the kernel keeps running.
Karissa Breen [00:12:08]:
Sure.
Tom Gillis [00:12:08]:
K? So so this was developed for cloud native applications, which means it was done for Linux Run. And for containers. We own the commercial company behind eBPF. eBPF is open source. It’s standards based. It needs to be standards based. It’s always gonna be standards based. The company behind it, sort of sort of the Red Hat of eBPF Mhmm.
Tom Gillis [00:12:28]:
Is a company called Isovalent. Cisco owns Isovalent. We’re gonna continue to invest in it. We’re gonna continue to keep it open. We’re because it needs to be ubiquitous, But as owners of the platform, when we get to shape the direction of it and what we’re focusing on is taking this thing that was born in the public cloud and bringing it back to private clouds, which means 2 things. It means support for Windows, which would solve the CrowdStrike problem.
Tom Gillis [00:12:49]:
Mhmm.
Tom Gillis [00:12:50]:
And it means support for VMs, VM workloads as well as containers. So we’re actively working on both those directions. But I do believe that eBPF, yeah, it’s not an exaggeration, it’s a little bit of hyperbole, but it is the future of networking because it allows us to do magical things in the heart of the OS without actually being in the heart of the OS, and it’s gonna allow us to drive towards the immutability that you and I talked about earlier.
Karissa Breen [00:13:11]:
So what do you think then moving forward? So, you know, we can’t keep having CrowdStrike incidents. And I spoke to, you know, Jeetu Patel specifically about this, on how much of an impact in a ripple effect it had within like a day across the world. So what do you think happens now?
Tom Gillis [00:13:26]:
Yeah. It was a big deal. In the US, I I took my car in to get my oil changed. I couldn’t get my oil changed because, the CrowdStrike thing was down. So, you know, yep. Affected my oil change. Right? In addition to, like, a lot of other more important things. So the world has learned and we’re building this this this technical architecture that allows security and infrastructure to coexist but they are it’s what I call tightly integrated but loosely coupled.
Tom Gillis [00:13:52]:
Okay? So think about a world where the security stuff can be updated constantly and the infrastructure stuff is is very, very reliable and upgraded slowly and carefully. Let’s apply that same concept to a network device. So for a long time, people have talked about the intersection between security and networking. And people have done things like, oh, let’s take a firewall and let’s, like, sort of embed that into a switch or a router. And there’s been 2 big challenges with it. 1 is performance. When you turn the firewall on, it makes the switch, like, grind to a halt. And the second is you need to update the security stuff constantly, and network infrastructure is not designed to be updated constantly.
Tom Gillis [00:14:30]:
Right? It’s it’s more like the it’s like the kernel of an operating system. So with HyperShield and as we start to introduce it into Cisco switches, we have the same approach where it is tightly integrated but loosely coupled, which means there’s a lump of silicon in one of these switches called a DPU, data processing unit. A DPU is made by NVIDIA, Intel, AMD, and it’s evolved version of a network interface card, NIC. And it’s evolved to the point where it’s a little tiny firewall on a chip. So these DPU chips are amazing. Yeah. I used to run the DPU team at VMware, so I spent years working on them. They’re very, very powerful, very, very capable.
Tom Gillis [00:15:08]:
But we wanna be able to update the software on that DPU on a continuous basis. The network processor, the NPU, is Cisco’s chip Silicon 1. That’s the thing that does the packet forwarding. You wanna update that very carefully, very methodically, very slowly because it’s ultra stable, ultra reliable, and its only job is processing packets. So as we start to merge security functionality into the networking, it’s gonna look kinda like eBPF in the host where there’s a security thing that’s constantly dynamically updating, and there’s a networking thing which is ultra stable, ultra reliable doing the packet forwarding. And if the security thing goes kerfluy, what happens to the network thing? Keeps working. Right? So so that CrowdStrike phenomenon of, like, oops, security took down the infrastructure, that can never happen again, and that is a problem that we can solve.
Karissa Breen [00:16:04]:
Joining me now in person is AJ Shipley, vice president, product management, threat detection and response at Cisco. And today, we’re discussing the Cisco and Splunk acquisition. So, AJ, thanks for joining and welcome.
AJ Shipley [00:16:15]:
Yeah. Absolutely. Thank you.
Karissa Breen [00:16:16]:
Okay. So let’s get into it. Splunk acquisition with Cisco. Talk me through what’s going on.
AJ Shipley [00:16:22]:
Yeah. So 4th largest software acquisition in history, I think. It’s been going exceedingly well, you know, by by all standards. You know, closed 6 months ahead of plan, which is really good news for our customers. They’ve had a lot of questions about what this means for them. If you look at you know, obviously, Splunk has been the market leader in the security operations center for a long time. And there’s been you know, anytime there’s a big acquisition, there can be a little bit of concern or trepidation about what’s gonna change, especially in something as critical as security operations. But so far, customers have been super, super thrilled about, our plans for leveraging all of the telemetry and data sources that we have from a Cisco perspective in order to deliver better outcomes to those Splunk customers.
AJ Shipley [00:17:00]:
Because ultimately, at at the end of the day, I would argue, we still have a lot of work to do in the security industry to deliver better outcomes as evidenced by the fact that ransomware still continues to, you know, happen and proliferate across networks. And so I think that’s what we’re excited about is the combination of Cisco and all of the network telemetry we have and endpoint and 100 of thousands of authentication records every single day. And then Splunk, you know, the world’s best ability to get data in and apply analytics on it to derive insights. The combination of those two things, I think, is ultimately gonna gonna deliver superior outcomes for our customers.
Karissa Breen [00:17:31]:
So you’re right. There is when there’s an M and A that sort of happens, there is this trepidation, reservation. And part of my sort of job, in inverted commas, would be that I go and crowdsource questions that people have. And one of those was around, you know, people when this acquisition happened, like, people sort of saying to me, like, that’s unusual.
Tom Gillis [00:17:51]:
Why do
Karissa Breen [00:17:51]:
you think people are you know, is it because they didn’t sort of expect Cisco to acquire Splunk? I mean, it seems obvious now in terms of, you know, the telemetry and then having sort of more of a single pane of glass and more of a holistic view. But why do people sort of, I don’t know, be asking those questions in from your experience?
AJ Shipley [00:18:09]:
I don’t know. I don’t I haven’t gotten that it’s unusual. I think, you know, if you just look at the size of the acquisition, there’s very few vendors that, you know, could pull it off. I would even argue that actually, if you look at some of the other security vendors in the space, and I won’t name them, they probably would have loved to have been able to do the same thing, but they couldn’t afford it, candidly.
Tom Gillis [00:18:26]:
I was just
Karissa Breen [00:18:26]:
gonna say, but they couldn’t afford it.
AJ Shipley [00:18:27]:
They couldn’t afford it, and we could afford it. And so I think and look, you saw, you know, Palo kind of follow suit pretty quickly with QRadar, and, you know, CrowdStrike bought Humio. And, you know, obviously, Microsoft has Sentinel and they’ve got Defender for XDR. I think there’s a recognition, you know, by the industry broadly that there is a combination or a set of solutions that are necessary in order to be able to do threat detection, investigation, and response broadly across the ecosystem.
Karissa Breen [00:18:53]:
Sure.
AJ Shipley [00:18:53]:
And that there’s not a single product that can scale to meet the demand or sophistication levels of every customer from nation state level search all the way down to, you know, a small independent shop. And so the combination of solutions, whether it’s an organic kit, you know, offering like Cisco XDR along with a, you know, best in market SIEM capability from Splunk and then all of the threat intelligence that you can, you know, provide from a Talos perspective. You start to put those things together recognizing that it’s about the right product for the right problem, for the right, you know, sophistication level of that customer at that point in time. You start to put those things together and it starts to get really, really compelling because I would argue we probably have the most complete solution set out there. But certainly we’re not the only ones that are trying to put these solutions together as evidenced by some of the other acquisitions that you’ve seen in the industry.
Karissa Breen [00:19:38]:
Getting it just like anything though? Like, when when someone starts to buy another company, there’s always gonna be people that question it or perhaps, you know, not sure exactly where that company is gonna go that you mentioned before at the start of the interview. So you’re like, when a company gets acquired, like, people say, if are things gonna change? Yeah. Are things gonna change, would you say?
AJ Shipley [00:19:55]:
No. Well, I mean, yes. That that old adage, right, haters wanna hate or something like that. I mean, there’s always there’s always gonna be the haters. Look, we are focused 1st and foremost. And as somebody who was intimately involved in the due diligence and the investment thesis of the acquisition, one of the things that we identified early on as one of the most valuable assets that came along with this Splunk acquisition was just the really vibrant user community and, you know, kind of market perception of what is a premier asset. Right? And if you talk to, you know, Splunk customers, and I’ve talked to a lot of them, I have yet to find a single Splunk customer that doesn’t say, I love Splunk. Right? Like, I love that product.
AJ Shipley [00:20:32]:
And so that user community, we looked at it and said, man, if we can make sure that we don’t alienate those folks, that we really kind of embrace them and lift them up, they can also be one of the biggest advocates for what we’re trying to do from a Cisco security perspective. Right? And so first step in doing that is making sure that we don’t alienate them, that we don’t change all of the stuff that they’ve come to love about Splunk. But how do we make it better? How do we deliver better outcomes for the same level of investment, not deliver the same outcomes for less investment? And that’s where I think we we have a tremendous opportunity, again, with all of the telemetry, with all of the threat intelligence, with all of the authentication records, all of those things that we can combine. I’ve heard some accounts that 80 to 85 percent of the world’s digital traffic traverses a Cisco device of some type or another. Being able to take all of that telemetry and use Splunk, which has solved the problem of getting data in at scale and applying analytics to drive insights, being able to do that in a way that lifts that community up and and allows that community to advocate on behalf of what we’re doing was one of the things that we identified early on, and we are laser focused on making sure that we don’t deviate from that. So that’s a very long way to answer to say, not everything you know and love about Splunk is gonna stay the same. Right? What are the reasons we cleared regulatory hurdles so quickly? Because the question that came up from these different, you know, regions was, Cisco, when you close this acquisition, are you immediately gonna shut down all of the third party integrations that exist with all of these 1300 other vendors out there? Is that gonna be a bad outcome for those customers?
And we said no and no and no over and over and over again until we finally had to say, look, it would be the height of stupidity for us to spend this amount of money to buy this premier asset that was built on the foundation of an open, you know, vibrant ecosystem, and immediately shut that down. We’re not gonna do it.
AJ Shipley [00:22:13]:
And and once the regulatory agencies understood that it would fundamentally destroy all of the value that we just spent a lot of money for, they got very comfortable with the fact that we were acquiring them because they knew that we weren’t gonna do that. So ultimately, I think that’s just a point of proof that highlights the fact that Cisco is committed to maintaining and over time in enhancing the outcomes that we can deliver through this asset. But first and foremost, it is do no harm and do not alienate that community that loves Splunk because it’s an amazing product.
Karissa Breen [00:22:40]:
So you said before, AJ, you don’t wanna deliver the same outcomes. You wanna you wanna deliver better outcomes. How so?
AJ Shipley [00:22:47]:
Take Cisco’s own environment. Cisco’s a big Splunk user. Cisco has a relatively large Splunk license in terms of ingest, you know, terabytes of day to day. And Cisco still sends a tiny fraction of the telemetry that we generate, you know, in a day to Splunk. Because, 1, it is, you know, can be very expensive to send all of that data in. And, 2, if you could get all of that data in anyways to a centralized location, the amount of compute that you would have to put on that data to be able to derive an insight is gonna bump up against the bounds of, you know, what is possible. Really, what we’re focused on is how do we distribute analytics throughout the network so that we can detect things closer to where they’re happening and be able to respond, you know, in in a much, you know, kind of shorter time period. So an example of that is what Tom mentioned this week, HyperShield, where we’re kind of melting security into the network.
AJ Shipley [00:23:38]:
That analytics has to come from somewhere. Even if we distribute it through there, that analytics has to come from somewhere. Being able to process all of that telemetry has to happen, you know, throughout the network. You can’t move all of that data to a centralized location. But if you could process all of that telemetry, and our own CSIRT team says, we would love to be able to process a 100% of the telemetry that we generate, but we can’t. If you could start to process it to find the things that are lurking in an environment and be able to take action in a much shorter period of time, that’s an example of how we can deliver better outcomes without having to move all of the data to a centralized location, which just isn’t financially or even computationally possible.
Karissa Breen [00:24:16]:
Okay. So that leads me to my next question. With that being said, what do you what’s your view then on, like, defining the new SOC? And what what does that look like in your eyes? Like, how we sort of traverse now moving forward as an industry, or more specifically, Cisco Splunk acquisition leading?
AJ Shipley [00:24:31]:
So look, I think what continues to be true is that this is the game of cat and mouse. You know, like you, I’ve been doing this, you know, a long time. And adversaries continue to adapt their tactics and techniques in order to try to exploit an organization. And unfortunately, people still make mistakes and build products and ship code with vulnerabilities in it, and the adversaries find ways to take advantage of that. So nothing’s changed there. I think what has changed though, is just the massive amount of data that are being generated and the ways that adversaries are finding ways to exploit organizations that that effectively, you know, lives off the land. Like, you know, they’re called living off the land attack that lives off the things that exist in the environment and don’t require somebody doing something stupid like clicking on a link or downloading a piece of malware. And so that constant, like, you know, kind of game with cat and mouse is only gonna continue, but it’s gonna happen over orders of magnitude more data.
AJ Shipley [00:25:24]:
And so how are we going to be able to mine that data in order to be able to detect and respond to those adversaries as they’re getting more and more sophisticated, but they are not encumbered by rules of law or societal norms? Well, we now have technology at our disposal that we didn’t have even a couple of years ago. Right? And, you know, some people will say, you know, Gen AI is the most overhyped or underhyped technology in the last 20 years, depending on where you sit. What I do know though, is that we didn’t have access to things like Gen AI before October 2022. I do know that we are no longer really constrained by bandwidth
Tom Gillis [00:25:55]:
limits or compute limits.
AJ Shipley [00:25:55]:
In fact, the big constraint that we have now is power. Right? You see you see, like, I think, Microsoft, you know, spinning up a nuclear reactor in order to power a data center, because power is the bottleneck. But compute’s not the bottleneck. Bandwidth is not the bottleneck. There’s all kinds of data. What are the technologies that you have to apply on all of this data knowing that the compute’s no longer the bottleneck? And what can you then do with these technologies in order to be able to detect and respond to adversaries? That’s where I think this SOC’s gonna go, is we have to automate more tasks than we can.
AJ Shipley [00:26:27]:
You can’t automate 100% of stuff. But there’s probably 80% of the stuff that happens in an environment that you can automate. I’ll give you a good example. Say I have 2 people in an organization. 1 is a summer intern, one’s a CEO. Let’s say I see reconnaissance activity on a summer intern’s laptop. I can probably, with a high degree of confidence, remote wipe that summer intern’s laptop, open up a ticket in ServiceNow, and tell IT to go over there and reimage it, and completely automate that whole process without too much concern. I’m not gonna do the same thing on a CEO’s laptop.
AJ Shipley [00:26:59]:
Right? You want somebody to put eyes on glass, make sure that they understand what’s happening. You might wanna actually monitor to figure out how it got on there, who’s doing it. Those are 2 relatively similar use cases. 1, I would argue, you can fully automate with very little concern. The other one, you’re gonna wanna let your smartest people go and put eyes on glass and figure out what to do next. I think we just gotta start looking at the problem space a little bit more through that lens of what’s the 80% of stuff that we can confidently automate, leveraging some of this new technology like AI, leveraging the massive amounts of compute and bandwidth that we have at our disposal, so that we can then free our analysts up to go focus on the 20% of things that you really want a human in the loop on.
Karissa Breen [00:27:37]:
Yeah. Because that’s always been, like, people say to me, oh, like AI is gonna, you know, reduce jobs and all sorts of stuff. And it’s like, yeah. But then if you’re automating trivial, mundane, banal tasks, you can actually get the 20% to your point, AJ, to actually do more strategic thinking. Yeah.
AJ Shipley [00:27:51]:
I’ll give you... I mean, so we implemented a feature and, you know, we’re not unique. I think other people have done this. One of the early uses of Gen AI is in the summarization of large technical datasets and saying, you know, in 3 paragraphs or less, tell me what happened here. One of the things that every SOC analyst I talk to hates most about their job is having to write an after action report 3 weeks after an incident and try to remember what happened and try to remember what they did. Because they don’t have time to do that during the middle of an incident. Right? They’re in a war room. They’re, like, responding real time. But at some point, their boss or the board’s gonna wanna know what happened.
AJ Shipley [00:28:26]:
Sure. That’s an area where Gen AI actually can generate that executive summary action report of what’s happening in kind of human readable format, right, in a PDF or whatever, at that moment, send that to your boss or send it up to the board so that they know what’s going on. That analyst doesn’t have to spend time typing stuff out. If they need to make some changes, they can edit it. Right? But 98% of it is, you know, a pretty good representation of what’s happening. And meanwhile, that analyst can go focus on the triage and the investigation and the remediation, and then not have to worry about 3 weeks later coming back and writing that after action report. That’s a really great use of generative AI to improve productivity. That analyst’s job isn’t going anywhere.
AJ Shipley [00:29:04]:
If anything, it’s just allowing them to go focus on responding to more incidents, letting the Gen AI write the after action reports that somebody can go read at their leisure.
Karissa Breen [00:29:13]:
Because they would have, like, their boss’s CEO, and they’re back saying, what’s happening? What’s happening every 2 seconds.
AJ Shipley [00:29:17]:
Standing over them, like, in the heat of the moment. And the last thing they want is, like... what they really wanna do is they wanna say, like, go away and let me do my job, and I’ll come back to you once we’ve figured it out. But they can’t say that. Right? Now what they can do is they can hand them a PDF that gets generated by the AI based on all of the tactics and techniques and timestamps that we’re seeing. And with a high degree of confidence, say, this is what’s happening and here’s what we’re doing about it. Now let me go do my job.
Karissa Breen [00:29:40]:
And would that sort of develop, like, a bit of a timeline then as well embedded into that in terms of, like, these as chain of events is what happened?
AJ Shipley [00:29:46]:
Oh, yeah. It’s amazing. Like, if you actually look at it in a product like Cisco XDR, it’ll break it down, right, like, you know, at 12:43, this process ran. And, you know, 2 minutes before that, the user received an email with this, you know, kind of, you know, subject line. And 2 minutes after that, it created an internal network connection, and that whole timeline gets generated by the AI based on the timestamps of the logs or the telemetry that’s coming in, the tactics and techniques that it sees, and then says, hey, in 3 paragraphs or less, tell me what happened. And it puts it in sequential order and basically creates and writes out the entire attack chain for you. It’s pretty incredible what the technology can do.
Karissa Breen [00:30:28]:
Do you think as well, if you’re an analyst, SOC analyst, for example, you’re gonna obviously speak in a different discourse to, like, a CISO or a CIO. So can it then actually generate the right language and vernacular to speak to that executive?
AJ Shipley [00:30:42]:
I think in the fullness of time, and the fullness of time is not, you know, years. It’s probably not even months. It’s... I mean, it is getting so much better so quickly. Right? I mean, the first one, GPT 1, I think that came out in October, versus what you see now is, I mean, it’s orders of magnitude better. But if you read some of their reports, sometimes I look at it and I go like, nobody would ever talk that way. Right? Like, it’s very... you can tell that, you know, there’s kind of a computer behind the scenes. Again, like I said, 98% of it’s right. But that’s also why we give the analyst the ability to edit some of this stuff.
AJ Shipley [00:31:15]:
Right? Like, you can go in there, scan it real quickly. Let me change that word. Like, that’s not exactly how a human would talk. And so then when you do that, the Gen AI learns, and it gets better over time. Right? So it’s gonna continuously improve. Right? And ultimately, I think we get to the point where, hey, okay, you know, I’ve got my 5 paragraphs and then you feed it back and you say, up level it for me. Right? Like, I need the 2 sentence pithy report for the board member. Right? I don’t need 5 paragraphs.
Tom Gillis [00:31:41]:
You need
Karissa Breen [00:31:41]:
the exact summary.
AJ Shipley [00:31:42]:
Yeah. Exactly.
Karissa Breen [00:31:45]:
Joining me now in person is Tom Casey, senior vice president and GM products and technology at Splunk, a Cisco company. Today, we’re discussing full stack observability. So, Tom, thanks for joining and welcome.
Tom Casey [00:31:58]:
Thank you. It is fantastic to talk to you, Karissa.
Karissa Breen [00:32:01]:
Okay. So, Tom, before we got on here, I was saying that I stalked your LinkedIn. I’ve just seen your keynote. I saw your keynote at Cisco Live in Vegas. So I’m familiar with some of the stuff that you’ve been talking about. But perhaps from what you’re sort of seeing in the market about, you know, Splunk, there’s been the acquisition. So let’s start with that first, and I’d like to sort of get into that a little bit more.
Tom Casey [00:32:21]:
Sure. So I think, you know, some people are curious about the acquisition and what motivated the acquisition. And obviously when you spend, you know, almost $30,000,000,000 US on an acquisition, it’s a pretty strategic big bet for you. So, you know, at a simple high level, Splunk brings leadership in security and observability to Cisco and also brings the strength of the Splunk data platform. And at Cisco, now as one Cisco, we really look at the value of the data, the criticality of data for advancing not only security and observability, but the strength of experiences that you get across the network, how you build that AI ready data center that we talk about, how you future proof that workplace and allow people to work anywhere and everywhere, but actually have a great experience doing it, and how you make sure you stay resilient across, you know, your applications, your services, and your complex infrastructure in the cloud and on prem.
Karissa Breen [00:33:20]:
So I have more of a, perhaps a rudimentary question, as in historically, like Splunk. From my understanding, like, Splunk logs are quite costly. That was when I was historically working in a bank. That was some of the feedback. So what’s sort of the vision now? Obviously, you guys are, you know, gonna be more integrated. You spoke about that. Dave West spoke about that as well, why it makes sense. Well, what do you sort of see now moving forward? What can people expect? Because obviously now cost is always a big thing that’s coming up for CTOs, CIOs, CISOs.
Karissa Breen [00:33:50]:
No one wants to pay for more things that they don’t have to. So what’s your view on that front?
Tom Casey [00:33:54]:
That’s right. And so there is a common trend there around cost and cost management. If you consider that about 90% of the world’s data was born in the last 2 years, what people need is more value per byte of data that they’re operating on in the environment. And so while you’re correct, some of the conversation comes at us when we talk to customers around just cost and the cost of managing logs. That’s really fundamentally a value conversation. It’s, am I getting adequate value out of it for what I’m doing? And what happened somewhere along the line, Splunk’s been a leader in this space for 20 plus years. Our particular approach to doing log management and allowing you to not have to pre structure it and we can search it all in a dynamic way is highly effective and valuable. However, people, policies, regulations, and habits got to the point where people just started ingesting everything, right, and keeping it around for long periods of time.
Tom Casey [00:34:48]:
And so... To keep it around? Sometimes many, many years. I mean, if you think about it in highly regulated industries, you have 5, 7, up to 10 years in some instances in some sectors where people have to keep things around. So, historically, people would put that in Splunk and just keep it in Splunk because of the convenience and because most people wanna get one thing done and get on to the next thing. Right? So now talk about where we’re at in the industry, in both security and observability. One of the most common trends in the environment is tools consolidation. And that’s happening for two reasons. It’s happening because of cost, as you talked about, people don’t want to pay for so many tools with so many different vendors.
Tom Casey [00:35:29]:
And 2, it’s happening for lack of, kind of, skilled labor. I mean, just having to have people specialized in so many different things. So what we’ve been doing at Splunk independently and now as part of one Cisco is turning that tools consolidation conversation into a data consolidation conversation.
Karissa Breen [00:35:48]:
I wanna flip over into the data consolidation... sorry, data. Every time I’m speaking to you, in a rare confession, I always say data. No. It’s totally fine. So before we cross over into that, going back to the tools, from my understanding, a large enterprise on average has 70 different tools.
Tom Gillis [00:36:02]:
Most of
Karissa Breen [00:36:02]:
those aren’t being utilized.
Tom Casey [00:36:03]:
Some customers in the observability space had told me they have more than 150 tools.
Karissa Breen [00:36:08]:
Wow. That’s nuts.
Tom Casey [00:36:09]:
Yeah. You said it.
Karissa Breen [00:36:11]:
So how come no one’s sitting there going, why are we paying for all these vendor products and no one’s using them?
Tom Casey [00:36:17]:
They are. They actually are. That’s an incredibly common conversation that comes to us. And in fact, it is one of the things that then we bring about revisiting your data management. You’ve got to get eyes on not
Tom Gillis [00:36:29]:
just the traditional infrastructure applications and services that you’re monitoring for security and
Tom Casey [00:36:29]:
for the experience people have, but you actually need to get eyes on what’s happening on the network, the routes in the public internet, what’s happening between the managed services and the CSPs and the CSPs’ front doors. All of those things need to happen in the environment. And for you to do that, you need to start to get richer signal at each layer. So what we’re guiding customers through is 2 different things. 1, we’re out having more strategic engagements with customers about how to categorize their data into kind of high value operational and analytics data for use in the SOC and use in engineering and IT ops. And that conversation is about getting that ad hoc analytics and operational data in Splunk. And then we’ve invested to help them manage and federate their data out to their data lakes, Amazon S3, and in the future, a variety of others. So that’s number 1.
Tom Casey [00:37:29]:
So those are very active conversations around rethinking your telemetry data strategy. The second major trend that we see in the approach that we’re taking is, as you’ve heard me talk about on stage here today, again, really recognizing in the security operations center that there are 3 or 4 things people need, and they have to be a consolidated toolset. The SIEM, which for us is Enterprise Security, organizes the work of the SOC. SOAR orchestrates and allows you to apply your policies consistently, and consistency is a big deal, as you know, as someone who, you know, worked in a SOC environment for a long time. But then you also have to stay safe, report on your compliance on a regular basis. So we added asset and risk intelligence in our portfolio as well, where we discover and monitor the devices in the environment. And that helps people report to the board, you know, keep track of ephemeral devices and other assets across the environment. And then finally, this is key.
Tom Casey [00:38:25]:
If people are already struggling with data overload, we can’t just give them all the signal from the network, unfiltered, unprocessed. And so here we start to see specialized detections as kind of this 4th dimension. And there we have stuff we introduced last year, like Splunk Attack Analyzer for phishing, helps automate phishing response and detection and remediate it fully. But that’s where the power of Cisco’s understanding of the network comes in. So we can take things like real time detections lower in the stack from XDR for security, and we can turn just that meaningful detection there into a notable event that flows up into Splunk. We can take a detected configuration... this is something we’re working on now, a detected configuration change in ThousandEyes that appears to be having latency impact on a route in the network that might affect your user performance, and just send that as an interesting notable event up into Splunk. So we don’t have to look at all the 2 or 3 orders of magnitude of network traffic, which is normative.
Tom Casey [00:39:25]:
We can look at the subset of that that’s indicative of something. And that’s really key. And that in turn shifts the dialogue. Those two dimensions really shift the dialogue to how do you get more value out of the data you have, and how do you start to set yourself up to get higher fidelity signal from the entire digital footprint?
Karissa Breen [00:39:46]:
Okay. There’s a couple of things in there which is quite interesting. Okay. So more value from the data that you have. So, again, we’ve sort of seen a shift. I don’t know. 12 years ago, it was all about, you know, huge data lakes, like Cloudera and friends. And then it’s been like, oh, now we’re scared about having too much data, but it’s like now we need all the data to be able to, you know, do the observability side of things.
Karissa Breen [00:40:06]:
What would you say in your experience people, as in your customers, are most concerned about now? Because we’ve seen this shift, as I just explained.
Tom Casey [00:40:15]:
Specifically around kind of the shift in data and kinda where it... Yeah.
Karissa Breen [00:40:17]:
Like, having it all, then not having too much in case we have a data breach. And now it’s all kinda needed again because we need to look at all the things.
Tom Casey [00:40:24]:
What you just said nails it. And so where people had historically been is into a model where they put their data in a tool like Splunk and then archive that data, you know, kinda unindex it, keep the raw around if you need it, reattach it, reindex it, or give it to a third party to do all of your forensic investigation. Sure. That’s not very resilient. That’s not very efficient. It also leaves you, you know, sort of a layer of indirection where somebody else has to do a piece of that work for you. Instead, by us embracing federation as a common thing, not just Federated Data Management, but Federated Search and Analytics, which is something you heard us announce this past summer.
Karissa Breen [00:40:59]:
Yep.
Tom Casey [00:41:00]:
Now directly from the Splunk platform, I can search my Amazon S3 buckets. But now directly from Splunk as of this summer... sorry. I said summer. That’s in North America. As of just a few months ago, you can also, directly from Splunk’s Enterprise Security product, start an investigation on the data that’s in Splunk that’s active, that you’ve retained for 90 days or 12 months or whatever it is, and then you can extend that forensic investigation directly into Amazon Security Lake. And we’ll handle optimizing access to that data because what was retention only data for a while for you just suddenly became really interesting for a period of time.
Karissa Breen [00:41:41]:
So as a result of doing that would then mean the cost would substantially be reduced?
Tom Casey [00:41:46]:
Because you’re only accessing the stuff you need when you need it. And further, because you’re in a tool like Splunk Enterprise Security, which understands the workflow of the SOC, and it understands how that data relates to basically extending the search to this new data, the data it already has, we can effectively fault in that data temporarily. So instead of using 2 different tools and swivel chairing over here to a console in Amazon or Azure or Databricks or whatever it is, and just using that to search, I don’t have to learn anything new. I stay in enterprise security, and we can avoid multiple egress charges every time you go access that information. Right? I can just pull in and effectively temporarily cache what you need. And then we’re working through with our customers as we understand their usage patterns of this, as many are starting to do this. We’re working through with them to understand when and how they want to effectively release control of that data again. So again, it’s still sitting there in your data lake, but we’ve made it hot for the period of time that it became critical to you.
Karissa Breen [00:42:46]:
And do you think this is sort of like... if you... even in my, you know, my own thoughts sometimes going back to my experience with Splunk, like, more so, you know, at the coalface of it. I would say that’s people’s reality of it. The old version of Splunk around, you know, the cost of the logs and all that. But now you’ve obviously just spoken about how that’s being significantly reduced. Yeah. Is that sort of now with the acquisition sort of saying, okay, well, now we’re on this new evolution of what this sort of means. Yes, for observability, but also as Dave West was saying around having all of the data has that value and having that holistic approach. So would you say that... what does the future sort of now look like with the acquisition, things that you’re sort of seeing, people moving away from the old version of Splunk with this new version with, you know, with Cisco powering it? What’s your view?
Tom Casey [00:43:32]:
Well, so this is not a new thing for us. We started a couple years ago on this journey of really embracing federation. You know, Splunk’s been a leader in security and observability for a long time. And what we really wanted to do was, underneath the covers, help customers with the overall data management and data value problem. And so we focused on that starting a couple of years ago. You saw us make some announcements well before the Cisco acquisition. We introduced Federated Search, gosh, 18 months ago, in the core platform. Some of those very innovations are the things that really matched up super well with Cisco’s desire to create better networking, get more value out of the networking and correlate that data with other information.
Tom Casey [00:44:14]:
And so it was the fact that we were headed down this path of federation, and Cisco was beginning to think about the distribution of security into the network. As we talked about melting security into the network, those detections, melting optimizations with ThousandEyes and Accedian into the network, those sorts of things are a tremendous complement that allow us... then, we were already kind of moving in the same direction independently. We can now move in the same direction together and deliver the SOC of the future in a way that it is both federated in the way it manages data and responds to issues, but also distributed in the way it does detections and takes actions even down at the network layer. And those things are key. That ultimately gives us a better networking experience, better security, better observability, better data, you know, better signal from the data as a whole for the organization. And then as we started this conversation, it gives you better economics because it’s all working better and you have this ability then, you know, to get it from one customer who has this vision of consolidating these things and making them, or one vendor who has this, you know, idea of consolidating and making them complementary.
Karissa Breen [00:45:23]:
So that’s a good point that you raised. So, again, going back to, like, this theme in terms of IT, we all had, like, point solutions for a long time. Well, sorry. We had, like, everyone outsourced to IBM, then it was like, let’s do point solutions. Let’s get specificity with specific vendors. Then it’s like, okay. Well, now there’s too many of them. There’s 150, for example.
Karissa Breen [00:45:42]:
It’s all too much. We want that single pane of glass, for example, buzzword. But then it’s now we’re moving back to what you’re saying. And I’ve spoken to Jeetu Patel, who you know, around having, you know, limited people to actually... sorry, limited vendors because therefore, you don’t wanna move across different, you know, platforms, etcetera. Yeah.
Tom Casey [00:46:01]:
You’re also not gonna have just one. Let’s be really clear. There’s a lot of value going from 150 to, say, you know, 10. And one of our commitments is Splunk. Even as part of Cisco, even as we’re making all Cisco products better in the way they integrate with Splunk, we remain committed to meeting our customers where they are and being heterogeneous and open in everything we do. So I mentioned on stage a few minutes ago, we’ve had a couple quarters of updating all Splunk kind of technical add ons... sorry, all Cisco technical add ons for Splunk to a new gold standard. We’ve also updated the top 10 non Cisco security, kind of endpoint detection solution products and others, to that same gold standard. So the world is a crazy mixed up heterogeneous place and will continue to be that.
Tom Casey [00:46:51]:
We are not confused about that. We think that the more people consolidate, the more the complementary nature of these products will allow them to get, again, greater value per byte of data, greater value per dollar spent. But you just don’t modernize everything in your world all at once. And that is another trend customers are recognizing, that you have traditional applications that you need to connect and protect, that you need to optimize and have interact with the new things that you’re trying to do. What you really want to do is continue to manage those at a log based level or with traditional APM with like AppDynamics, which we now call Splunk AppDynamics, that runs on premise in that environment. It will really optimize for traditional application performance management. But we are doing the lifting to natively connect that to Splunk Observability Cloud, IT Service Intelligence, the core Splunk platform, and making it seamless for the developers, the IT ops people, to just drill back and forth across those experiences and see aggregated views across that stuff without having to come in and saying, you know what, Karissa, you just, yeah, you’re going to have this great new experience, but just upgrade everything. That’s not the story.
Tom Casey [00:48:04]:
The story is let’s meet you where you are. Let’s meet you where you are and let’s recognize that where you are has multiple different modalities for interacting with devices. You have old and new stuff and we are gonna be the ones that bring all that together for you. And as you modernize things with Cisco software and hardware, physical and virtual in the environments, you’re gonna get implicitly more value for networking, security and observability out of it.
Karissa Breen [00:48:34]:
So going back to the new gold standard, to use your words, would you say the new gold standard is obviously the Cisco and Splunk acquisition? What happens if people are on, like, a silver standard? What does that sort of look like?
Tom Casey [00:48:49]:
Well, the gold standard is actually something we talk about from a technical add ons perspective, the way you connect inflow data into Splunk. So that was the context in which I was using that. And that’s just trying to kinda differentiate and saying the best type of signal and the easiest to manage connectivity in an environment when you have hundreds and thousands of data sources are gonna do these sorts of things. So we published a new standard around those, and we’re encouraging everybody that writes a connector to write to that new gold standard. That’s what I meant there. You know, when you were asking about that in the context, I think you were implying, if using everything from one vendor, from Cisco, gives you the greatest value, what’s the next best thing? Is that what you were getting at?
Karissa Breen [00:49:33]:
Yeah. And, like, where do we go from here? And what if people aren’t leveraging this? Are they the silver standard?
Tom Casey [00:49:38]:
No. And nobody’s left behind. But, for example, you know, it’s probably not as likely that, if you’re using... as we evolve something like Hyperfabric in the environment, right? You’re not going to get kind of automatic load balancing or reconfiguration at your firewall layer. You may not get the value of a fabric that is detecting patterns and anomalous behavior and potentially sending notable events directly into Splunk. You’re gonna have to get all the data from that other vendor’s firewall solutions, flow it into Splunk. Splunk still lets you, using the power of Splunk, cross correlate it, but you may not get as immediate a response. You may have to do extra work in the SOC.
Karissa Breen [00:50:21]:
And no one wants to do that.
Tom Casey [00:50:23]:
No. People do wanna do that, and people will do that.
Karissa Breen [00:50:25]:
But, I mean, the extra work because, like, people are already burnt out. They’ve already, you know, got alert fatigue. They got too many things going on all the time.
Tom Casey [00:50:33]:
Actually, that’s not even it. It’s back to our original conversation. It’s cost and it’s capability. And it’s a bunch of work, and what’s one of the biggest things affecting, talking about security specifically, what’s one of the biggest things affecting, you know, the SOC today? It’s a lack of skilled labor. Right? And so do I wanna teach a bunch of people to do that, or would I rather use assistive technology and things that are natively built in? And this is something with Cisco that’s natively built in. Built into the fabric of the network. That’s where we’re headed.
Karissa Breen [00:51:06]:
In terms of where we’re heading, obviously, you know, with the acquisition, what do you sort of see moving forward as we now traverse into 2025? What can people expect?
Tom Casey [00:51:13]:
So they can expect continued innovation across Cisco and Splunk, across our product lines independently. I just announced today the general availability of Splunk Enterprise Security AO with a raft of new capability, including fully integrated SOAR capability, automated response. They can expect practical integrations that work with the products that they have today. So for example, in just our first 6 to 8 months here together as one company, we’ve connected IT Service Intelligence from Splunk, Splunk Observability Cloud, and the Splunk platform together. Some of this stuff is kinda table stakes stuff. You can use single sign-on across all of it, which means you’re not having extra admin burden. You can do the basic BI concepts of drilling up, down, and across to do analytics and have these products interact with each other. And that speeds up troubleshooting so much.
Tom Casey [00:52:07]:
Right? You’re not doing swivel chair work or having to phone a friend. You can actually do this stuff seamlessly, which is incredible. And so really practical things like that, you’re gonna see from us on the integration front. And then you’re also gonna see a whole bunch of these capabilities that won’t exist anywhere except from Cisco, where we have a deep understanding of the network. So you’ll see us take things like XDR. So in Q1 of next year, we’ll be taking notable events, basically events detected from extended detection in a large enterprise, forwarding that into Splunk as sort of an already indicated notable event, a thing you should pay attention to because we detected a real time thing and took some action to isolate it. For example, XDR is part of the Breach Protection suite from Cisco. Maybe Tom is trying to access a trusted domain in the environment, but is failing to log in to the source management system.
Tom Casey [00:53:05]:
Is that just... Tom doesn’t do that very often? Because believe me, I’m not checking in a lot of code anymore. Or is it that he’s forgotten his password? Or is that maybe not Tom? At that point, we don’t know. We just know those two things are true. And I can have a rule that’s sitting there with XDR that’s saying, you know what I’m gonna do? I’m gonna snapshot the source management system services right now in case this is a ransomware attack, you know, coming into play. That now is a really interesting event that flows into the SOC, natively into Splunk, as a notable event
Tom Gillis [00:53:36]:
where it
Tom Casey [00:53:36]:
can be cross correlated with other information, and somebody can figure out whether Tom’s just an idiot and forgot his password, and he’s doing a project that, you know, some IP research or something that he’s trying to do in isolation for a little while to get a handle on something. Or do we need to take broader steps and more remediation here to follow a potential bad actor? That sort of differentiated capability is something that we’re melting into the network, but in a way where it doesn’t disappear. We wanna melt the activities of detection into the network and then surface and highlight the interesting things in the SOC as part of Splunk. And that same pattern follows with ThousandEyes integration with Splunk Observability Cloud, for example. It’s the same pattern, bringing insight from the depth of the network into the light of, you know, kind of centralized management and security and observability.
Karissa Breen [00:54:29]:
So, Tom, do you have any sort of final thoughts for our audience today?
Tom Casey [00:54:33]:
Yes. I think the tools consolidation opportunity is a serious one in the environment, and the cost pressures in the environment are a big deal. The world’s getting more complicated. You’re gonna have more third party solutions and services. Every one of them is gonna have its own AI and machine learning baked into it. So you know that the environment’s gonna get more complicated. Get after those tools consolidation conversations, but turn them into a data consolidation conversation. Turn them into a modernization conversation around your SOC and the way you do IT operations and observability in the environment.
Tom Casey [00:55:05]:
And ultimately, you’re gonna have the ability to engage us as a strategic partner in those conversations, knowing we have a longitudinal view around this. We want to help you build the SOC of the future. We want to help you because, you know, we’ve got industry leading capability. We’ve been recognized by Gartner 2 years in a row as a leader in observability with Splunk Observability Cloud, but we also have differentiated and leading capability in AppDynamics and traditional APM. And I can run on premise as well as in every cloud, natively, not just monitoring those services, but I can run co located with where those signals, applications, and data are. And nobody else can do that. So the message I have fundamentally is lean into the primary things that are challenging you in the SOC and your IT operations and invite Cisco in. Because as one Cisco, we have the ability to help you see north, south, and east, west in a way nobody else can in the environment and enough experience to be strategic partners, probably.
Karissa Breen [00:56:13]:
And there you have it. This is KB on the go. Stay tuned for more.