For a long time now, Splunk has essentially been content to offer cybersecurity insight derived from applying analytics to the machine data captured in the logs of various systems. That information would then be used to identify anomalies indicative of a cybersecurity breach. But with its move to acquire Phantom Cyber Corp., a provider of cybersecurity orchestration and automation software, for $350 million, it’s apparent Splunk is moving off the cybersecurity sidelines.
Haiyan Song, senior vice president for security markets, says Phantom provides IT security professionals with a means to operationalize the analytics that Splunk can surface. In much the same way DevOps teams rely on frameworks to automate the management of IT, the Phantom platform makes it possible to automate routine cybersecurity tasks at scale, Song says.
Splunk also plans to leverage other technologies it has acquired in the realm of machine learning and user behavior analytics (UBA) to inject artificial intelligence (AI) capabilities into security operations, for example to help augment monitoring.
Song says acquiring Phantom builds on a Splunk Automated Response framework the company created in partnership with cybersecurity vendors including Phantom, Acalvio, AlgoSec, Anomali, AWS, BAH, Blue Coat + Symantec, Carbon Black, Cisco Systems, Corvil, CrowdStrike, CyberArk, Cylance, Demisto, DomainTools, ForeScout, Fortinet, Gigamon, Illumio, Okta, OpenDNS, Palo Alto Networks, Proofpoint, Qualys, Recorded Future, RedSeal, Resilient, Resolve Systems, SailPoint, Signal Sciences, Swimlane, Tanium, ThreatConnect, Walkoff (NSA) and Ziften.
The goal is to leverage the analytics Splunk surfaces to inform the various cybersecurity products of breaches that may have gotten past perimeter defenses. Based on that data, organizations could further investigate those threats and then decide on their own how best to remediate them. The challenge Splunk faces is that there is no shortage of data sources for the providers of these technologies, many of which are embedding their own security intelligence capabilities. In fact, there’s an industrywide race on to combine advanced analytics and AI, in part to make up for the chronic shortage of cybersecurity professionals. In the case of Splunk, that will one day manifest itself in a platform where the analytics being surfaced result in automated malware containment.
It’s unclear what effect the Phantom acquisition will have on any of Splunk’s existing cybersecurity alliances. Song also declined to be specific about any other gaps in its cybersecurity portfolio that it might be looking to fill. But what is clear is that those ambitions extend beyond analytics and automation.
Even less clear these days is the degree to which cybersecurity professionals will embrace analytics and automation. In theory, machine learning algorithms should not only identify many common threat vectors but also get better at spotting those threats over time. IT organizations also like that idea, because algorithms never forget what they learn, take a day off, or one day decide to go to work for somebody else.
Of course, none of this is lost on cybercriminals, who more than likely are investing in developing their own AI capabilities to extend what are already highly automated operations. In fact, cybersecurity may come down to a battle between AI models. The only question is what role humans will play, first in helping to build those AI models and then, over time, in continuing to tune them.