Splunk revitalizes legacy SIEM and SOAR with new product and focus

Splunk made multiple product announcements at their customer event, but the upgrades to their SIEM and SOAR platform deliver on their focus around resilience, and will likely impact the most customers.

Tom Casey, SVP of Products and Technology (L) and CEO Gary Steele (R)

LAS VEGAS – At their .conf23 customer event here, cybersecurity vendor Splunk announced a broad range of products. These span many areas, but the ones likely to impact the most customers affect Splunk’s SIEM and SOAR products. Splunk has been the longtime leader in the SIEM space, although in recent years the space as a whole has been buffeted by newer and less expensive technologies that do somewhat similar things. Their acquisition of Phantom, the first significant SOAR player, also gave them an advantage there, although SOARs as well have been challenged by newer technologies. Splunk has responded with a unified security and observability platform, and announced major enhancements at this event, including Splunk Attack Analyzer, which leverages the technology acquired in 2021 with TwinWave. The result puts Splunk in a stronger position to advance its strategy of deepening customer resilience to a level appropriate to each customer’s journey.

“We are laying out our vision for you,” Splunk CEO Gary Steele told customers in the first customer keynote of the event. “This is our 20th anniversary, and Splunk has evolved and changed. We believe that being digitally resilient will be one of the defining features of successful companies this decade.”

Steele defined three key pillars of this strategy, with one of them being commitment to a multi-cloud hybrid environment.

“We will continue to innovate on-prem,” he emphasized. “We will not force customers to move to the cloud till they are ready. We will not deprecate on-premise environments. We will continue to support customer licenses for on-prem for the foreseeable future.”

The other two pillars are a comprehensive visibility across all environments – cloud and on prem – and driving leadership in unified security visibility powered by AI.

“In order to drive comprehensive visibility, we have been investing at the edge,” Steele said. “Traditionally people went to third party vendors and paid for this, but we don’t think it should cost you anything. Our Edge processor is available to all of you today.

“There have also been traditional blind spots in visibility, such as unlogged environments, common in OT, where it can be tough to get information out of that,” he added. “Our new solution for this is Splunk Edge Hub, which gives visibility into IT environments, eliminating those blind spots and letting you bring OT data into your IT environments.”

Edge Hub is a physical hardware device, which comes with many sensors built in.

“Bringing security and observation together has tremendous value where you don’t have two teams seeing things differently,” Steele added.

“Our entire portfolio is designed to help you become more digitally resilient,” said Tom Casey, SVP of Products and Technology at Splunk. “We have designed a prescriptive path of digital resilience. Every business is at its own place in the journey.”

A key product enhancement is Splunk Attack Analyzer, a rebranding and enhancement of the technology Splunk acquired with TwinWave in 2021.

“Splunk’s TDIR [threat detection, investigation and response] solution is driven by our SIEM and SOAR products,” said Mike Horn, SVP and GM of Security at Splunk, who came with TwinWave.

Patrick Coughlin, VP, Technical GTM at Splunk, who is essentially in charge of the company’s sales engineers globally, and who also came from TwinWave, explained the evolution and state of this acquired technology.

“Originally, we were all about sharing anonymized intelligence, to end the days of cyberattacks en masse,” he said. “Companies didn’t do that because of concern about liabilities. We let them share data in a verifiably anonymous way. We still do that, but along the way, we learned that there is an even bigger problem. Threat intelligence comes in different formats, and companies use different models and structures. This makes it hard to operationalize this, so we relied on the human to make educated guesses about maliciousness. We took data from open source and from paid sources, and normalized them to a single data model, so you can see a sum total from more than one source on indications of compromise.”

This, Coughlin said, made Splunk want to acquire them.
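As an added illustration of the normalization step Coughlin describes, the script below is example code written for this page, not Splunk’s or TruStar’s implementation. It takes two constructed feeds that disagree on field names, type vocabulary and confidence scale (a JSON feed and a CSV feed, both hypothetical), maps them onto one indicator model, merges sightings per indicator and ranks the result by how many independent sources flagged it. The type map, the word-to-number confidence mapping and every indicator value are assumptions made up for the example.

```python
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed feed A (hypothetical vendor): JSON objects with their own key names
# and a 0-100 numeric score.
FEED_A_JSON = json.dumps([
    {"ioc": "198.51.100.23", "kind": "ipv4", "score": 80},
    {"ioc": "bad-login.example", "kind": "domain", "score": 60},
    {"ioc": "0123456789abcdef0123456789abcdef", "kind": "md5", "score": 95},
])

# Constructed feed B (hypothetical open-source list): CSV with different column
# names, a different type vocabulary, and word-valued confidence.
FEED_B_CSV = """indicator,type,confidence
198.51.100.23,ip-dst,high
PHISH.example.,hostname,medium
0123456789ABCDEF0123456789ABCDEF,hash-md5,high
Global\\ExampleMutex,mutex,low
"""

# Map every source-specific type label onto one canonical vocabulary (assumed).
TYPE_MAP = {
    "ipv4": "ipv4", "ip-dst": "ipv4", "ip-src": "ipv4",
    "domain": "domain", "hostname": "domain",
    "md5": "md5", "hash-md5": "md5",
}
# Put word-valued confidence on the same 0-100 scale feed A already uses (assumed).
CONFIDENCE_WORDS = {"low": 30, "medium": 60, "high": 90}


@dataclass
class Indicator:
    value: str
    itype: str
    # source name -> confidence on the common 0-100 scale
    sources: dict = field(default_factory=dict)


def canonical_value(itype, raw):
    """Lexical normalization so the same IoC matches across feeds."""
    v = raw.strip()
    if itype == "domain":
        v = v.lower().rstrip(".")   # case and trailing dot are not distinguishing
    elif itype == "md5":
        v = v.lower()               # hex case differs between feeds
    return v


def parse_feed_a(text):
    """Return [(value, type, confidence)] from the JSON feed; unknown types are skipped."""
    out = []
    for obj in json.loads(text):
        itype = TYPE_MAP.get(obj["kind"])
        if itype is None:
            continue
        out.append((canonical_value(itype, obj["ioc"]), itype, int(obj["score"])))
    return out


def parse_feed_b(text):
    """Return [(value, type, confidence)] from the CSV feed; unknown types are skipped."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        itype = TYPE_MAP.get(row["type"])
        if itype is None:
            continue  # the mutex row: not in our model, dropped rather than mis-typed
        conf = CONFIDENCE_WORDS.get(row["confidence"].lower(), 0)
        out.append((canonical_value(itype, row["indicator"]), itype, conf))
    return out


def merge(feeds):
    """feeds: {source_name: [(value, type, conf), ...]} -> {(value, type): Indicator}"""
    merged = {}
    for source, records in feeds.items():
        for value, itype, conf in records:
            ind = merged.setdefault((value, itype), Indicator(value, itype))
            # If one source lists the same IoC twice, keep its highest confidence.
            ind.sources[source] = max(conf, ind.sources.get(source, 0))
    return merged


def prioritize(merged):
    """Rank by independent-source count, then best confidence, then value."""
    rows = [(ind.value, ind.itype, len(ind.sources), max(ind.sources.values()))
            for ind in merged.values()]
    rows.sort(key=lambda r: (-r[2], -r[3], r[0]))
    return rows


def demo():
    feeds = {"feed_a": parse_feed_a(FEED_A_JSON), "feed_b": parse_feed_b(FEED_B_CSV)}
    return prioritize(merge(feeds))


if __name__ == "__main__":
    for value, itype, n_src, best in demo():
        print(f"{n_src} source(s)  conf={best:3d}  {itype:6s} {value}")
```

The ranking key is the point of the exercise: an indicator seen by two independent sources outranks one seen by a single source at higher confidence, which is the kind of "sum total from more than one source" an analyst could not get while each feed kept its own schema. Dropping unmapped types, rather than guessing, keeps the merged model honest about what it covers.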

“Once we started to do intelligence normalization, customers wanted integration for their SIEMs,” he stated. “They would take our summary enrichment and add new decisioning in how you prioritize events and incidents – or ‘notables’ as they are known in SplunkSpeak.

“This is stuff operators didn’t have before,” Coughlin added. “They could bring intelligence right into the notable. Customers also asked if we could work with SOARs so they could point at the TruStar API rather than at multiple intelligence sources, and could collapse multiple playbooks into one.”

This has reinvigorated Splunk’s SOAR business, Coughlin said.

“SOAR promised the panacea of easy button automation,” he noted. “The challenge was you have to know what you want to automate, and in the early days you had to be a Python wiz to write playbooks for Phantom. This choked SOAR for a long time. We have now moved closer to no code, and SOAR has accelerated faster than any other product in the portfolio. That’s what we have really focused on in the last 18 months and it’s really paying dividends.”

The old product continues to have a free-standing capability.

“The app pre-acquisition continues to exist, although it has been reskinned to look more Splunky and the name TwinWave is nowhere to be found,” Coughlin said. The integrated tech intelligence is not a separate SKU or product. It’s a feature of a world class SIEM and SOAR capability.

The addition of Splunk Attack Analyzer lets security teams automate the analysis of malware and credential phishing attacks to uncover complex attack techniques used to evade detection. Through an integration with Splunk SOAR, Splunk Attack Analyzer also enables security analysts to automate threat forensics that provide accurate, timely detections and reduce the time and resources spent on manual investigations.

“We are going to develop and innovate not in every use case where this could be valuable, but for use cases especially reliable for digital resilience,” Coughlin said. “We work with our customers on their digital resilience, and help them use Splunk products to align to their use cases.”

Horn also reviewed other SIEM and SOAR enhancements, including the recent 6.1 version of the SIEM software.

“With this addition we have the most complete TDIR with SIEM and SOAR,” he said. “Our new version of Mission Control, which supports cloud now, will support on-prem later this year. We are also announcing the expansion of streaming analytics to ML powered analytics using our own data, as an add-on for Splunk Enterprise Security.”

Horn noted that they also responded to customer requests by allowing them to add as many correlation searches as they want, and by bringing back Timeline and Auto Refresh for Incident Review.

“SOAR has been busy building more prebuilt playbook packs, and we will be adding Logic Loops so you can build more robust playbooks,” he said. Coming soon are new Connector Updates, including one for Palo Alto Networks.

OpenTelemetry enhancements include the OpenTelemetry Collector, a new technical add-on now available in preview, and Zero Configuration for OpenTelemetry to discover and instrument your applications and languages, with more of both coming. It is now in GA.

Federated Search for S3 will become GA next quarter, allowing you to search data in S3 for analysis without having to rehydrate the data. A private preview of cross-regional data recovery will be starting next month.

“Many of these things are ready now,” Casey said. “The work we do every day only really matters when a customer can do things they couldn’t do before.”