Cisco lays out security, observability plans for Splunk

Cisco disclosed broad integration plans for its $28 billion acquisition of Splunk, now officially closed, that will encompass AI, security, observability and networking.

Cisco's first order of business now that its acquisition of Splunk has closed is to integrate its Talos threat intelligence with Splunk's security tools, among other plans to consolidate and integrate the combined companies' security and observability products.

Company officials laid out a five-point integration plan in a blog post this week after disclosing the deal's closure six months after it was first announced. Integration plans will focus on AI, security, observability, network management and tool consolidation.

The security category included the most specific details of the five, beginning with integrating Talos with Splunk over the next several months. Eventually, Cisco plans to feed cloud, network and endpoint monitoring data from its products into Splunk's security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools. Cisco and Splunk security tools will also combine their virtual assistants.

In observability, Cisco plans "a common experience and workflow optimizations across the Cisco and Splunk Observability portfolios," according to the blog post. "In time, IT and engineering teams can expect AI-driven root cause analysis enhancements and assistants, inclusive of Splunk IT Service Intelligence."

Splunk and Cisco tools will combine into a secure networking tool, the blog continued, although it did not provide further detail. Ultimately, "we believe the market trend towards tool consolidation -- and the convergence of networking, security, and observability -- creates a significant opportunity for Cisco and our customers," the post read.

While the two companies have plenty of overlapping products, one Splunk customer said he sees each bringing separate strengths into the product integration.

"Splunk tried very hard in the observability space by bringing in Splunk Observability. We demoed it, and it was decent but nowhere near as mature as other platforms," especially in application performance management, said Steve Koelpin, lead Splunk engineer for a Fortune 1,000 company in the Midwest. "Cisco is much more mature on that front, and it will be really good to bring in Splunk, which is a leader with logs and metrics."

Still, the amount of overlap between tools could force some potentially difficult architectural decisions, said Andy Thurai, an analyst at Constellation Research. He pointed to the unfinished work of merging logs from Splunk Cloud with Splunk Observability Cloud as an example.

"Then, which model stays," he asked. "AppDynamics? Or do you bring everything into the full-stack observability model that they're building?" 

Cisco has drawn criticism in the past for how long it's taken the company to fully integrate its acquisitions, including AppDynamics, which Cisco acquired in 2017. Full integration with other Cisco acquisitions such as ThousandEyes and Portshift, both acquired in 2020, didn't become generally available until mid-2023.

Integrations with Splunk will likely happen faster than that, Thurai said. But he predicted it will be at least two years before Splunk integration plans come to fruition.

"It's a pretty decent portfolio, but how it all comes together is anyone's guess," Thurai said. "Given the size of this acquisition, nothing is going to happen at least for a couple of years. … That's not new or just for Cisco. The same thing happens with any big company."

Security-observability consolidation is trendy

Cisco-Splunk is hardly unique in combining security and observability tools. Most observability vendors have gone a similar route recently, from New Relic to Sumo Logic, Elastic, Datadog and Dynatrace. All of those vendors also want to position themselves as the data management vendor of choice for AI systems.

Both sides of the Splunk-Cisco merger had also already begun their own combinations of IP from multiple acquisitions into more comprehensive security and observability tooling. Splunk took steps after naming a new CEO in March 2022 to better unify its traditional log analytics and newer observability businesses built around its 2019 acquisition of SignalFx. It also introduced data management and log migration features that more closely unified its security and observability tools as well as launched a set of AI models for SecOps teams.

Cisco reworked its full-stack observability back end around open source OpenTelemetry data collection and rolled out Secure Application to offer security views into observability data. It has also begun to integrate eBPF-based observability tools from its December acquisition of Isovalent into its Security Cloud.

Now that the two companies are coming together, both the complexity of these integrations and their potential upside are compounded, Thurai said, given Cisco's sales channel clout and its ability to reach the thousands of enterprise customers it already shares with Splunk.

"Talos threat intelligence with Splunk, which is one of the most [popular] SIEM vendors, makes total sense immediately," he said. "Cisco could also go beyond that and offer different messaging on network and app security, especially given that now they have AppDynamics and ThousandEyes in the mix as well."

Long-term, Koelpin said he's most intrigued by the combination of security and observability tooling between the two companies.

"Using Splunk to do deep correlations on unstructured, real time streaming data combined with Cisco's observability platform is going to be huge," he said. "It will be important to have a single vendor to provide a comprehensive security [product] from IPS [intrusion prevention systems] to SIEM to hardware. ... Tool sprawl is bad because you're not maximizing the value from the tools you've got. It's tough finding and retaining niche experts, and it's even harder to get these tools to talk to each other."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out on X, formerly known as Twitter, @PariseauTT.