Splunk makes Cisco a cloud security player
Like Palo Alto Networks, Cisco has made several other acquisitions in this space
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Wow! There’s been a lot of security activity this week, both in general security (e.g., the MGM hack) and in M&A. Honestly, the news of the Splunk acquisition surprised me initially, but thinking about it more, I made sense of it. At first, I thought about how Splunk could potentially complement their ThousandEyes or even AppDynamics acquisition because I view Splunk as an events manager and analyzer rather than purely as a SIEM. However, I agree that they are “best known” for their SIEM product. In this newsletter, I share my thoughts on why Splunk allows Cisco to be competitive in the cloud security market.
As a disclaimer, I currently don’t have a direct financial interest in Cisco or Splunk and don’t plan to initiate a position in the next 72 hours.
What are Splunk and Cisco?
Both are major companies that have been around for a while, so I won’t go into too much detail.
Cisco started primarily as a networking business, but it has made several acquisitions that have made it a major player in the security industry, such as Duo Security, CloudLock, OpenDNS, and Kenna.
Splunk started as log management software, but it found its niche in the security space, where security practitioners primarily use it to ingest and analyze security events.
Cisco has been on a cloud security acquiring streak
It’s easy to get lost looking at the Splunk acquisition in isolation. It seems that Cisco was just taking private an asset that has struggled on the public markets. However, it makes sense if you look at their recent set of acquisitions.
Before the beginning of this year, Cisco didn’t have a foothold in the cloud security business. They had security assets, such as Duo and Kenna, as well as adjacent assets in the SD-WAN space. However, it’s clear they had missed the cloud security trend that other security companies like Palo Alto Networks and Wiz have managed to capture. As many know, my belief is that cloud security needs are going to exponentially grow over the next decade as more companies move toward the cloud for faster development and lower operational costs. That is, this is not just a growing security market, but it’s a fast-growing one.
Cisco started with their acquisition of Valtix in the cloud security space, but the Lightspin acquisition in the cloud security posture management (CSPM) space was the “true” start to Cisco’s cloud security business. Lightspin was a much smaller competitor to Wiz; in fact, it had the basic capabilities of the first versions of Wiz and Orca. As I’ve described in previous articles on Wiz and other cloud security players, having a CSPM tool is insufficient and doesn’t deliver enough value to justify large contract sizes. There’s a need to build a platform for cloud security, which is why Wiz is regularly expanding its offerings.
To create a platform, there are two possible avenues: extend toward code or extend toward the endpoint. Cisco already has vulnerability management capabilities to extend toward code with their Kenna acquisition. So, it makes sense that they are extending toward the endpoint. Honestly, there’s more room to run on the endpoint and infrastructure side than on the code side, as we’ve seen with Snyk and their moves toward CSPM.
Cisco also acquired Oort, a platform that detects cloud identity gaps, to provide an offering similar to the CIEM capabilities of Wiz and other CNAPPs. Therefore, with Lightspin and Oort, Cisco has some of the basic but core capabilities of Wiz. It’ll be interesting to see if they integrate Kenna into their cloud security business.
Why Splunk?
There are likely numerous reasons Cisco bought Splunk. Let’s focus on the product reason first. They could have potentially acquired an endpoint security player, similar to Wiz’s rumored acquisition talks with SentinelOne, but that isn’t the next logical step. Rather, Cisco needed to find a way to store and analyze all the data from Lightspin and Oort in one spot before going directly into the endpoint. Part of the reason, from my perspective, that Wiz wanted to acquire SentinelOne was for their log management capabilities (from the Scalyr acquisition). Cisco is trying to address one of the largest complaints about Wiz: it’s noisy, with many false positives. Wiz is primarily based on a set of rules that don’t account for the context of the environment. With Splunk and the AI capabilities of Armorblox, theoretically, Cisco’s cloud platform can store and analyze the context gathered from Lightspin and Oort. They can baseline a customer’s cloud environment similarly to Lacework. With Splunk, they could deliver better cloud security alerts than Wiz.
The other major factor is their customer base. It’s likely that many Cisco customers are also Splunk customers, so they can save on cost by eliminating one GTM function. On top of that, Splunk has a customer base that Cisco likely wants to sell cloud security tooling to. The modern cloud-first players are likely to use Wiz or Lacework, but there is a group of customers in hybrid environments that are likely looking for something different. They likely have a lot of alerts, and Wiz’s prices are likely too high for them. However, Wiz doesn’t have a choice, given the workloads they have to monitor for these customers and the effect that has on their unit economics.
If Cisco can deliver a well-integrated product (probably a big “if”), it can capture these customers or even take them away from Wiz because it can deliver a high-quality product at a more reasonable price point. Because these customers likely already use Splunk and Cisco, the additional cloud security features allow them to consolidate vendors. This seems very doable, especially if they can provide feature parity and have better alerts.
What’s next?
Of course, all this is speculative. We’ll have to see what happens, but I’m sure that they see Splunk as an important part of developing their cloud security platform. It seems like they are hoping to take a page out of their competitors’ playbooks to build a cloud security platform quickly through acquisitions. To Cisco’s credit, they bought a small CSPM/CNAPP player, which is probably sufficient because there’s not that much technological differentiation there. However, Splunk’s platform, similar to Datadog, is a lot harder to build and maintain. Despite what the “loud voices” think, Splunk is beloved by many of its customers and has created an ecosystem around itself. It can create a lot of value for cloud security in general.
Takeaway
The Cisco acquisition of Splunk has a lot of product potential, especially for an improved cloud security platform. The GTM integration also seems low friction. Now, it’s a question of how they will execute the integration. Can it make Cisco a dominant player in the cloud security space and give Wiz and Palo Alto Networks a run for their money? What acquisition will Cisco make next to add to its growing cloud security portfolio and build a competitive platform? It’s an interesting time in cloud security, and I’m excited to see consolidation in this space that will hopefully lead to improved products.
I’ll leave you with this. Will/should Cisco acquire an endpoint company? Which one? There aren’t that many left with some scale because of the consolidation in that space. Tanium? Cybereason?