By: Omer Singer, VP of Strategy, Anvilogic 

‍This article was originally published by Cyber Defense Magazine.

The smoke has cleared on Cisco’s largest acquisition ever: that of Splunk for $28 billion in September. This acquisition has added a new layer of uncertainty for users, many of whom were already wondering what the future holds for threat detection and response in the cloud.

The steep buyout premium (31% over the market price) reflects an expectation that customers will stick around and gain a preference for additional Cisco security products. Organizations that spent years investing in Splunk infrastructure and content have good reasons to stay on. They fear that severing ties with Splunk would wreak havoc on workflows that Security Operations Centers (SOC) rely on to assess and mitigate security threats to the business. 

But years of delays in their cloud transition, along with leadership shuffles and recent layoffs, have sparked interest in potential alternatives. Improved offerings from the cloud hyperscalers and advanced data lake offerings have kicked off a wave of SOC modernization initiatives.

‍Over the last few months since the acquisition of Splunk, we’ve been waiting for the other shoe to drop, and it finally has. 

‍

Solving for What the SOC Needs Now: Flexibility and Optionality

The cybersecurity ecosystem is reshaping itself. The technology, the leaders, everything now is shifting so that security teams can have a more open future – a future where they’re not locked into a single SIEM, one with freedom for detections, and freedom for response. 

From data pipelines to threat detection platforms, an unbundling is taking place. Security organizations increasingly prioritize flexibility and optionality, driving demand for decoupled solutions. Analytics separate from data storage, stand schemas and open table formats are all gaining mindshare.

Interest in decoupling threat detection from log storage is fueled by the huge difference in cost between data platform options. Where tightly coupled SIEM solutions impose a steep ingest tax,  cloud data lake options charge by usage and don’t limit retention. Use cases whose data can be analyzed outside the SIEM often see cost savings upwards of 80%. The combination of improved visibility and lower spend makes new data platforms appealing. As a result, CISOs have started demanding the flexibility to explore cost-effective alternatives on a per-use case basis.

‍

A New Era of Freedom for Splunk + Snowflake Users

Enterprises are being pushed by lock-in fears and pulled by opportunities for better scale. They are looking for ways to augment Splunk with data platforms that deliver efficiencies and support the latest machine learning. But “rip and replace” is not an option for most, so a bridge is needed for the transition from monolithic SIEMs to a security data lake architecture.

In my experiences working with customers at Snowflake, I saw the immediate impact when they could start using Snowflake alongside Splunk. They no longer only had one option for their security data. They had more choices, they had freedom.

Splunk isn't disappearing. Beyond its continued relevance in cybersecurity, Cisco will invest heavily in bolstering Observability and application monitoring. At the same time, the "all in one" approach is being replaced by a SOC architecture that utilizes the most suitable home for each data source and use case.

Security teams demand the liberty of choosing where their data lives and the flexibility to detect threats equally well across their SIEM and data lake of choice. I look forward to helping organizations do just that in my new role at Anvilogic.