Tom Wise, Engineering Lead at Adarma Security
As the Engineering Lead at Adarma Security, an Elite Splunk partner for many years now, I had the privilege of attending Splunk’s .conf24, not only to see the great talks and meet like-minded Splunkers, but also to be inducted into the SplunkTrust for the 5th year in a row. This honour (and fez) is bestowed upon anyone who engages with and supports the vast Splunk community in both Slack and the Splunk community spaces. It helps that I am a co-leader of a User Group in Edinburgh and have over 8 years of expertise with Splunk products, with SOAR being my main area of expertise. This year marks the sixth annual Splunk user conference I’ve attended, with four of those being in person. It was an especially significant event this year, as it was the first conference following Cisco’s $28 billion acquisition of Splunk. Here are some key highlights and takeaways from the week:
During their keynote address, Cisco’s go-to-market president and Splunk GM Gary Steele, along with Cisco CEO and Chair Chuck Robbins, emphasised the integral role of Artificial Intelligence (AI) in all future collaborative efforts between Splunk and Cisco, particularly in safeguarding data and networks.
Steele hailed AI as “the most transformative technology of our lifetime” with “limitless potential.” In my opinion, however, while AI has immense potential, it must be harnessed with caution. The adoption of AI by security teams should be based on defined and aspirational business outcomes. Security teams should perform experiments involving candidate AI tools, techniques, and models prior to their adoption.
Full-Stack Observability
Keynotes at .conf24 focused heavily on the concept of observability. The term “full-stack observability” was frequently used to describe the upcoming integrations between AppDynamics and the Splunk Platform, Observability Cloud, and IT Service Intelligence. Observability is an area where Splunk excels, particularly with the added data and capabilities from Cisco products such as Cisco’s ThousandEyes, a tool that enables organisations to detect, diagnose, remediate, predict, and optimise conditions impacting connected experiences across any domain. Splunk has also added links between its Splunk Cloud log data and Splunk Observability Cloud application performance management tools.
Among the Splunk announcements were advancements to Splunk Enterprise Security 8.0, which empower security teams to proactively manage and mitigate risks. Through these advancements, Splunk Enterprise Security 8.0 moves closer to achieving the elusive “single pane of glass” for security events.
An exciting development is that Splunk has replaced its Incident Review capability by integrating the Case Management function of Splunk Mission Control into Enterprise Security. This integration simplifies interactions with SOAR, which remains external. This development will benefit our customers who are currently using Enterprise Security or are considering transitioning to the Premium Security Application space. The Adarma Enhanced Managed Service will use Mission Control as a case management tool to give customers a seamless view of the event lifecycle when events are closed or escalated to them. This will also enable us to create strong automation to improve the case management experience for our customers.
Mike Horn, senior vice president and general manager of Splunk Security Products, believes that the latest advancements in Splunk Enterprise Security 8.0 “revolutionise” the Threat Detection, Investigation, and Response life cycle experience for analysts. “Splunk Enterprise Security 8.0 serves as a foundation for the SOC of the future, driving proactive defence in an ever-evolving threat landscape,” he said.
Splunk SOAR has introduced a long-awaited feature called External Prompts. Previously, interacting with the SOAR platform required a “seat” or a highly engineered solution to respond to automation requests. Although there was no demonstration, it appears that email will be used as the prompt medium, which can now be sent to non-SOAR users. Any reply will be parsed and used to determine the next step in the automation process. This development should open up many more use cases where simple approvals are needed.
The Splunk Attack Analyzer (SAA), which was showcased last year at .conf23, is now generally available and features links to Enterprise Security and an app in Splunk SOAR. This is particularly relevant for complex automation use cases like phishing, as it reduces the need for multiple enrichment playbooks. It will greatly reduce the Mean Time to Respond (MTTR), especially when integrated with Enterprise Security and/or Splunk SOAR. Access to a Not-For-Resale version for partners is eagerly anticipated. After attending multiple talks and workshops at .conf24, I’m looking forward to getting more “hands-on” with the tool and developing ways of using it to enhance cyber resilience for Adarma’s customers. I am very excited about the potential of these developments.
The new Asset & Risk Intelligence app helps identify unknown assets in data and continuously contextualises them within Splunk. Although it doesn’t require Enterprise Security to run, it enhances the Assets and Identities Framework in Enterprise Security, leading to better alert prioritisation and risk modification.
The Splunk AI assistant is now integrated into Enterprise Security, enabling users to obtain answers faster using natural language during investigations. Hao Yang, Splunk’s vice president of AI, explained how new generative AI assistants in observability cloud and security offer security providers improved IT visibility and threat detection, defence and response.
“AI is the cornerstone of Splunk’s strategy for driving enhancements with our industry-leading security and observability solutions,” Yang said. “Our AI Assistants are designed to help users do their jobs easier and faster.”
Research unveiled at .conf24 revealed that digital downtime (any service degradation or outage of a business system) costs Global 2000 companies $400 billion annually, equating to 9% of their profits, which underscores the escalating significance of cybersecurity. In Europe, where workforce oversight and cyber regulation are stricter, the cost of downtime is estimated at around $198M.
56% of downtime incidents are due to security incidents such as phishing attacks, while 44% stem from application or infrastructure issues like software failures. Human error is the number one cause of downtime and the biggest offender for both scenarios.
On a positive note, the report found that resilience leaders, or companies that recover faster from downtime, share common traits and strategies that provide a blueprint for digital resilience. They also invest more strategically rather than simply investing more.
Gary Steele, President of Go-to-Market, Cisco & GM, Splunk, commented on the report findings, “How an organisation reacts, adapts and evolves to disruption is what sets it apart as a leader. A foundational building block for a resilient enterprise is a unified approach to security and observability to quickly detect and fix problems across their entire digital footprint.”
Although no date or location has been announced for .conf25, I anticipate that the event will continue to grow and impress, especially with the influence of Cisco, known for hosting large and elaborate events. I look forward to seeing how .conf evolves in 2025.
I will be hosting the next Edinburgh Splunk User Group on the 23rd of July, both in person and online, and will present a much more detailed rundown of the announcements and developments at .conf24. If you would like to join the User Group please register here: https://usergroups.splunk.com/edinburgh-splunk-user-group/
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our C-suite publication that explores the state of the threat landscape, emerging cyber threats, and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.