Splunk .conf24 reflections - Federated data, resilience, and a parade of fezzes

Fresh from the recent .conf24 user conference in fabulous Las Vegas, I thought I’d share what I thought were some of the key points throughout the week.

Along with admiring the traditional display of fezzes and capes throughout the week, we were excited about the great conversations with our customers, business partners, Splunkers, and, of course, the lovely Buttercup. The booth was bubbling with excitement all week with a bit of pent up interest in our new Corelight App for Splunk, which we debuted several weeks ago at RSA.

We also got a ton of positive feedback from customers on Corelight’s ability to pre-correlate the rich network telemetry we export to Splunk and our data enrichment capabilities. Further below you’ll see comments from both Splunk and Cisco executives in their keynotes that this is the type of network insight needed to disrupt modern attacks. Outside the expo hall, we heard about and saw first-hand some of the innovation making its way into the Splunk platform via the Cisco acquisition.

“Not screwing anything up.”
The event kicked off with an inspiring keynote by Splunk CEO Gary Steele, who was both visionary and pragmatic. He waxed on about the boundless potential of AI in cybersecurity, highlighting its capacity to sift through the digital noise to identify the data and insight that truly matters. Like most of us, he also grounded his enthusiasm by recognizing that the tremendous surge of data generated by AI is blasting open the attack surface, which conveniently set the tone for what became the theme of smart data management and digital resilience for the rest of the conference.

He also wisely took the opportunity to reinforce to the Splunk community that Splunk’s unified observability and security platform will reach new heights with the Cisco acquisition. Cisco CEO Chuck Robbins chimed in enthusiastically on how the synergy between the two industry stalwarts will provide the digital resilience and innovation organizations need to thrive in the modern economy. This acquisition, he explained, is about unleashing innovation, not cost savings through consolidation. His reassurance? He committed to doubling down on R&D and integration to ensure what comes next is, “the Splunk you love... only better.”

Hao Yang, Splunk’s new head of AI, shared exciting developments in how the company is incorporating generative AI across the portfolio to enhance detection, investigation, and response through natural language queries, automated workflows, and the creation of incident reports to close out investigations. Similar to what we’ve seen with some of our other platform partners, Splunk is working to simplify the entire threat detection and response process to reduce toil and enable SOC teams to accelerate investigations and ultimately maintain a more secure posture across the organization. No doubt a future our joint customers are already experiencing.

Innovations on the Horizon
Tom Casey, SVP and GM of Products and Technology, took the stage on Day 2 to build on the prior day’s rallying cry of enterprise resiliency through enhanced visibility and analytics. Their mission to lead customers toward the “SOC of the Future” will only accelerate with the strength of Cisco’s networking heritage, he promised. “To be the most resilient, we have to see the whole picture. And with Cisco, now we can.”

As a proof point, he proudly announced the integration of Cisco’s Talos Threat Intelligence with Splunk that will enrich Talos’ indicators of compromise (IOCs) with correlated telemetry data from Splunk. Jeetu Patel, Cisco’s head of Security and Collaboration joined Casey on stage to reinforce this by positing that, “the one who has the most amount of correlated data can best detect breaches and threats.”

Both emphasized the need for SOC teams to make use of rich network telemetry to identify and contain the lateral movement adversaries conduct as part of virtually every breach. Experienced Splunkers know this, and more SOC teams are discovering how the value of Corelight with its Zeek underpinnings can help them. The trick, they asserted, is to focus on high-value, low-volume network telemetry, rather than the high-volume, low-value telemetry that organizations traditionally use. We couldn’t agree more, and this is why we saw such enthusiasm from our customers at the Corelight booth all week.

To leverage this rich network telemetry, Steele described how Splunk XDR can perform some of the heavy lifting around correlating data to detect threats and provide high-fidelity alerts to the SIEM. For Splunk customers, that would be Splunk Enterprise Security, or ES as it’s affectionately called.

Speaking of Splunk ES, we also saw the announcement of ES 8.0 last week that is said to include new AI features and integrate with Splunk XDR and Talos Threat Intelligence. This means Talos IOCs will be enriched with data from ES. All of this is currently in private preview and will be GA in September.

Within the keynotes and other sessions throughout the week, we noticed a pattern of continued innovation around the Cisco acquisition and the importance of data management to enterprise resiliency. Attendees were treated to demonstrations of the new Splunk Attack Analyzer, which was announced at last year’s show. Attack Analyzer was designed to automate the analysis of threats, including phishing and the latest malware, and integrates with ES and SOAR for end-to-end threat analysis and response.

The week also saw an update on Splunk Asset and Risk Intelligence that was announced recently at RSA in San Francisco. This offering provides discovery and visibility of all the assets and users in the environment, which can help customers identify compliance gaps in security controls and accelerate investigations with accurate asset context.

The Splunk team also delved into the significance of data management and federation and announced the preview of Federated Analytics as part of its Data Management strategy. This tool will help selectively fetch data from Amazon Security Lake and build a short-term index for high-performance monitoring, detection, and ad hoc investigations.

Final Reflections
Splunk.conf is always a fun affair, and this year was no different. We saw a lot of old friends (i.e., customers, partners, colleagues, and happy Splunk users) and made a lot of new ones. Despite all the fun, we managed to mix in some learning and were eager to see how the Cisco acquisition would affect the future of the combined company’s security mission. It’s clear that both teams are committed to “not screwing anything up”, which was met with loud applause from the Splunk community.

If you want to learn more about how Splunk users are accelerating their incident investigations and threat hunting with Corelight’s Open NDR platform, visit the Corelight for Splunk alliance page, or log into Splunk’s Boss of the SOC page to see it for yourself.