Cisco significantly bolsters security portfolio with $28B Splunk buy

Looking to significantly reinforce its security software portfolio, Cisco has struck a $28 billion cash deal to acquire enterprise and cloud protection company Splunk.

Founded in 2003, Splunk’s software platform is known for its wide-reaching ability to search, monitor and analyze data from a variety of systems. Network security teams can use this information to gain better visibility into and gather insights about network traffic, firewalls, intrusion detection systems (IDSes), intrusion prevention systems (IPSes), and security information and event management (SIEM) systems, from on premise and or its cloud-based package, according to Splunk.

With Splunk software in place, network operations teams can monitor network traffic for signs of malware, login activity, and meld data from multiple sources to identify the root cause of a security problem or more quickly spot abnormal traffic patterns, according to the company.

Cisco expects to bring all of those capabilities and more to its security portfolio.

“Together, we will become one of the largest software companies globally,” Chuck Robbins, chair and CEO of Cisco told analysts during a call about the acquisition. “Our combined capabilities will create an end-to-end data platform to enhance digital resiliency.”

Robbins said, for example, that Splunk security capabilities complement Cisco’s existing security portfolio particularly through integration of Cisco’s new Extended Detection and Response (XDR) and Security Cloud platforms.

Cisco’s XDR service brings together a myriad of Cisco and third-party security products to control network access, analyze incidents, remediate threats, and automate response all from a single cloud-based interface.

“Our best security insights and Splunk security information and event management offering will be able to help our customers move from threat detection and response to threat prediction and prevention,” Robbins said.  “In terms of observability our complementary capabilities will offer observability for the full IT stack from the application to the network across hybrid and multi cloud environments. Together Cisco and Splunk will deliver an end-to-end enterprise grade Full Stack Observability (FSO) platform.”

The FSO integration could be interesting in that Cisco just launched its FSO platform in June and has only recently begun adding new features to the system. Cisco’s FSO is designed to correlate data from application, networking, infrastructure, security, and cloud domains to make it easier for customers to spot anomalies, preempt and address performance problems, and improve threat mitigation.

When asked about potential product overlap particularly in the observability area, Robbins said: “I don’t think we have significant overlap. But I think we have if you think about the data platform and the observability progress that [Splunk] has made, and you couple that with our application visibility with ThousandEyes we think we can actually extend well.”

Analysts said the companies will likely figure out software integration and overlap concerns.

“Cisco’s ThousandEyes and AppDynamics are fantastic platforms and  Splunk has some technology that could impact them but I would expect a software integration roadmap over the next 12 to 18 months post-acquisition close so I think they’ll figure that out,” said Steven Dickens, vice president and infrastructure practice leader of The Futurum Group.  “Cisco’s product management team does a great job of determining direction — but it’s something to watch.”

Robbins also said Splunk integration will only bolster Cisco’s ongoing investment in all things AI.

“As we mentioned in our most recent results we’ve already taken half a billion dollars of orders for AI infrastructure,” Robbins said.

“There’s also a huge opportunity with enterprises to help them responsibly unlock the opportunities that come with AI,” Robbins said.  Factoring in the acceleration and adoption of generative AI, expanding threat surfaces, and multiple cloud environments, it creates a level of complexity that is unlike anything organizations have faced, Robbins said.  With hyper-connectivity growing and increasing cyber threats, the value of data only increases, and that’s why this deal makes sense.”

Once the deal closes, which Cisco expects by the end of the third quarter of 2024, Splunk’s CEO, Gary Steele, will join Cisco’s Executive Leadership Team and the company’s employees will be blended into Cisco’s security team.

“Cisco and Splunk have had a long and successful partnership, underpinned by products and capabilities that fundamentally complement each other and enhance the value we deliver to customers,” Steele wrote in a blog about the acquisition.

Analysts said the acquisition could have a number of impacts on the enterprise security arena. 

“I think $28 billion seems a fair valuation because  Splunk has a compelling position in observability and security in the market with a lot of community adoption, a lot of clients — a big fan base, if you will, with security practitioners,” Dickens said. “From a Cisco perspective, this positions them to double down on their transition to being a software company, rather than a hardware company.”

Others said Cisco is looking to obtain Splunk’s IT observability capabilities. And it is not just SIEM and IT observability Splunk offers, according to Mitchell Schneider, senior principal analyst, Gartner.

“Splunk’s security operations suite consists of SIEM, user and entity behavior analytics (UEBA), security orchestration, automation and response (SOAR), as well as threat intelligence platform (TIP) to aggregate threat intelligence data,” Schneider said

“Coming from the security operations side, the SIEM market continues to grow. Gartner still sees SIEM being very much a part of an organization’s threat, detection, investigation and response (TDIR) capability and at the center of the security operations center (SOC) ‘solar system’,” Schneider said.  “At the same time, the market continues to see innovators and disrupters enter the market, including cloud service providers, such as Microsoft and Google. My belief is that Cisco is simply following market demand by offering a comprehensive stack for detection and response — not only including SIEM, but through prior acquisitions of XDR as well.”

The Splunk buy is Cisco’s sixth since June, its 10th this year and one of the largest it has ever undertaken.  For example it spent $6.9 billion on Scientific Atlanta in 2006, $2.6 billion on Acacia Communications in 2019 and $1.2 billion on Meraki in 2012.

Most recently, Cisco said it intended to acquire cloud native mobile core developer Working Group Two (WG2) for an undisclosed amount.  WG2 is known for its mobile technology that helps public and private service providers and enterprise customers build secure and scalable mobile backbones.

Earlier this year Cisco grabbed up startup Border Gateway Protocol monitoring firm Code BGP.  Privately held Code BGP will ultimately become part of Cisco’s ThousandEyes network intelligence product portfolio and bring a cloud-based platform that among other features, maintains an inventory of IP address prefixes, peering and outbound policies of an organization via configured sources, like BGP feeds. BGP tells internet traffic what route to take, and the BGP best-path selection algorithm determines the optimal routes to use for traffic forwarding.

In July Cisco announced its intention to acquire security startup Oort for an undisclosed amount. Oort offers an identity threat detection and response platform for enterprise security. 

Cisco also recently announced plans to acquire privately held broadband-network monitoring company SamKnows for an undisclosed amount.

SamKnows uses a global network of software agents dispersed among home systems, mobile devices and service provider networks, for example, to get a real-time measurement of internet performance and customer experience. Through a central dashboard, the company can analyze the results, spot faults, and identify the root cause of problems to help with remediation.

Another fresh deal is Cisco’s planned acquisition of Accedian Networks for an undisclosed price. Accedian’s performance analysis and monitoring platform — aimed at mobile backhaul, data center services, service providers and cloud connectivity customers — provides network visibility, diagnoses problems and recommends remediation.

Cisco’s other acquisitions this year include Armorblox for large language models, Smartlook for mobile application monitoring, Lightspin for cloud security, and Valtix for cloud network security.

Jon Gold, senior writer with Network World, contributed to this article.