Cisco has strategically moved to enhance its cybersecurity offerings by acquiring SnapAttack, a threat detection startup initially developed by Booz Allen Hamilton. Nearly a year after Cisco’s $28 billion acquisition of Splunk, this new acquisition aims to significantly bolster the capabilities of Splunk’s Security Information and Event Management (SIEM) platform. The deal will also play a crucial role in Cisco’s broader vision for the Security Operations Center (SOC) of the Future, which focuses on automating routine SOC tasks using artificial intelligence. Through this acquisition, SnapAttack’s cutting-edge threat detection and engineering technology will be integrated into Splunk Enterprise Security (ES), offering security analysts and administrators unprecedented control and visibility in security operations.
Enhancing Splunk’s SIEM Platform
The incorporation of SnapAttack into Splunk’s SIEM platform marks an essential step toward realizing Cisco’s ambition for the SOC of the Future. Splunk’s SIEM platform will now leverage SnapAttack’s technology, significantly boosting its proactive threat detection capabilities. Integrating SnapAttack will provide an enriched visual representation of potential attacks, helping security professionals understand and counter threats from an attacker’s viewpoint. This enhanced perspective is invaluable for assessing security risks comprehensively and tailoring defenses accordingly.
Mike Horn, Senior Vice President and General Manager of Splunk’s security business, points out that some of the largest organizations in highly regulated industries already utilize SnapAttack. The acquisition promises to offer a more robust defense mechanism because SnapAttack supports the entire detection content lifecycle. This ranges from discovering new detections curated from the latest threat activity to validating, testing, and continuously assessing deployed detection content. Such capabilities ensure that security teams remain vigilant and responsive to emerging threats.
Proactive Threat Detection
One of SnapAttack’s most compelling features is its support for proactive threat hunting and detection engineering. The platform continuously validates detection logic against the MITRE ATT&CK framework, enabling security teams to identify and close gaps in their defenses. Keeping detection logic up to date is crucial in today’s rapidly evolving threat landscape, where speed and accuracy can make the difference between a minor incident and a significant security breach.
Furthermore, SnapAttack’s threat emulation library and real-time dashboard provide a dynamic approach to understanding threats. By emulating attacker behavior, the platform allows security analysts to foresee potential threat paths and responses, helping them stay one step ahead. This proactive model is essential not only for immediate threat response but also for crafting long-term security strategies that can adapt as new threats emerge, providing a holistic approach to cybersecurity.
Operationalizing Threat Intelligence
SnapAttack’s ability to operationalize threat intelligence is another significant advantage. This involves translating raw threat data into actionable detection content that can be swiftly deployed within security infrastructures. The platform’s thorough assessment of an organization’s performance within the MITRE ATT&CK framework also provides invaluable insights into detecting gaps and weaknesses, ensuring that defenses are continually updated and fortified.
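The coverage-mapping idea in the two sections above (detection content tagged with ATT&CK technique IDs, validated by emulation, and compared against the techniques threat intelligence says matter most) can be shown with a small worked example. This is an added illustration, not SnapAttack or Splunk code: the rule names, the technique list standing in for threat intelligence, and the validation results are all constructed sample data, and the function names are hypothetical.

```python
"""ATT&CK coverage mapping for a detection rule set (added example, constructed data).

Each rule claims one or more ATT&CK technique IDs and records whether it
fired during its most recent emulation test. A "priority" technique list,
standing in for operationalized threat intelligence, is compared against
the rules to sort techniques into validated, needs-fix and gap buckets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionRule:
    name: str
    techniques: frozenset  # ATT&CK technique IDs the rule claims to cover
    last_validated_ok: bool  # did the latest emulation run trigger this rule?


# Constructed sample rules (hypothetical names, not real SnapAttack content).
RULES = [
    DetectionRule("Encoded PowerShell Command", frozenset({"T1059.001"}), True),
    DetectionRule("LSASS Memory Access", frozenset({"T1003.001"}), False),  # failed its last test
    DetectionRule("Scheduled Task Creation", frozenset({"T1053.005"}), True),
    DetectionRule("New Service Installed", frozenset({"T1543.003", "T1569.002"}), True),
]

# Constructed priority techniques, as threat intelligence might rank them for one organization.
PRIORITY_TECHNIQUES = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1566.001": "Phishing: Spearphishing Attachment",
}


def coverage_report(rules, priority):
    """Bucket each priority technique by the state of the rules that cover it.

    validated: at least one covering rule passed its last emulation test
    needs_fix: covering rules exist but all failed their last test
    gaps:      no rule claims the technique at all
    """
    passing = {}  # technique -> rule names that cover it and passed validation
    failing = {}  # technique -> rule names that cover it but failed validation
    for rule in rules:
        bucket = passing if rule.last_validated_ok else failing
        for technique in rule.techniques:
            bucket.setdefault(technique, []).append(rule.name)

    validated = sorted(t for t in priority if t in passing)
    needs_fix = sorted(t for t in priority if t in failing and t not in passing)
    gaps = sorted(t for t in priority if t not in passing and t not in failing)
    return {
        "validated": validated,
        "needs_fix": needs_fix,
        "gaps": gaps,
        "coverage_pct": round(100.0 * len(validated) / len(priority), 1),
    }


if __name__ == "__main__":
    report = coverage_report(RULES, PRIORITY_TECHNIQUES)
    for bucket in ("validated", "needs_fix", "gaps"):
        print(f"{bucket}:")
        for technique in report[bucket]:
            print(f"  {technique}  {PRIORITY_TECHNIQUES[technique]}")
    print(f"validated coverage of priority techniques: {report['coverage_pct']}%")
```

The report separates a rule that exists but no longer fires (a stale detection) from a technique nobody has written content for, because the remediation differs: the first is a detection-engineering fix, the second is new content to author or import.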
Initially developed by Booz Allen’s Darklabs incubator, SnapAttack moved from using basic indicators to focusing on behavior-based analytics and detection engineering. The innovation was designed to yield more actionable and rapid threat intelligence, aligning with the needs of large government and commercial organizations. The positive feedback from these deployments validated SnapAttack’s commercial viability and led to its eventual spin-off into a separate entity, a move orchestrated with support from venture capital partners.
Seamless Integration and Interoperability
SnapAttack’s robust integrations with over 30 SIEM and Endpoint Detection and Response (EDR) platforms underscore its interoperability and flexibility. This feature is especially beneficial in the commercial market, where organizations often face the challenge of migrating and managing threat data across multiple environments. The platform’s detection translation capabilities will streamline the modernization of Splunk’s SIEM offerings, significantly reducing transition costs and operational efforts.
Moreover, SnapAttack hosts thousands of correlation rules and search queries, which can be essential for an organization’s threat management strategy. These features enable seamless migration of threat data and provide continuity in security operations, regardless of the platform in use. This interoperability assures security teams that their analytics and detection efforts will be consistently effective, irrespective of the underlying technology.
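Detection translation, as described in the two paragraphs above, means keeping one platform-neutral definition of a detection and rendering it into each backend's query language so the same logic survives a SIEM or EDR migration. The example below is an added illustration of that idea, not SnapAttack's or Splunk's translator: the rule format, the backend table, the Splunk field names (taken from the CIM Endpoint data model) and the Elastic field names (taken from ECS) are assumptions chosen for the example, and the rule itself is constructed.

```python
"""Render one platform-neutral detection into Splunk SPL and Elastic KQL.

Added example with constructed data. The intermediate rule format and the
backend field mappings are assumptions for illustration; adapt the field
names to the data models actually in use.
"""

# Constructed rule: a process-creation detection expressed without any
# backend-specific field names or query syntax.
RULE = {
    "title": "MSHTA launched with a URL argument",
    "techniques": ["T1218.005"],  # ATT&CK: System Binary Proxy Execution: Mshta
    "logsource": "windows_process_creation",
    "selection": [  # all conditions are AND-ed together
        {"field": "process_name", "op": "equals", "value": "mshta.exe"},
        {"field": "command_line", "op": "contains", "value": "http"},
    ],
}

# Per-backend translation table (assumed field mappings, see lead-in).
BACKENDS = {
    "splunk": {
        "fields": {"process_name": "process_name", "command_line": "process"},
        "source": {"windows_process_creation": "index=main sourcetype=XmlWinEventLog EventCode=4688"},
        "joiner": " ",  # SPL ANDs adjacent search terms implicitly
    },
    "elastic": {
        "fields": {"process_name": "process.name", "command_line": "process.command_line"},
        "source": {"windows_process_creation": "event.code:4688"},
        "joiner": " and ",
    },
}


def _pattern(op, value):
    """Turn an abstract string operator into a wildcard pattern."""
    patterns = {
        "equals": value,
        "contains": f"*{value}*",
        "startswith": f"{value}*",
        "endswith": f"*{value}",
    }
    if op not in patterns:
        raise ValueError(f"unsupported operator: {op}")
    return patterns[op]


def render(rule, backend_name):
    """Render the rule as a query string for the named backend."""
    backend = BACKENDS[backend_name]
    parts = [backend["source"][rule["logsource"]]]
    for cond in rule["selection"]:
        field = backend["fields"][cond["field"]]
        value = cond["value"].replace('"', '\\"')  # escape embedded quotes
        pattern = _pattern(cond["op"], value)
        if backend_name == "splunk":
            parts.append(f'{field}="{pattern}"')
        elif cond["op"] == "equals":
            parts.append(f'{field}:"{pattern}"')  # quoted: exact phrase in KQL
        else:
            parts.append(f"{field}:{pattern}")  # unquoted so the wildcards apply
    return backend["joiner"].join(parts)


def render_all(rule):
    """Render the rule for every configured backend, keyed by backend name."""
    return {name: render(rule, name) for name in BACKENDS}


if __name__ == "__main__":
    for name, query in render_all(RULE).items():
        print(f"[{name}] {RULE['title']} ({', '.join(RULE['techniques'])})")
        print(f"  {query}")
```

Because the ATT&CK technique tags travel with the neutral rule rather than with any one backend's query, the coverage mapping stays valid across the migration; only the rendered query text changes.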
Leveraging AI and Machine Learning
SnapAttack brings additional enhancements to Splunk’s detection content discovery, authoring, and lifecycle management capabilities through artificial intelligence and machine learning. Continuous validation, prioritization, and coverage mapping of detection content ensures that defenses stay aligned with the latest threat landscape. Leveraging AI and machine learning allows for real-time adjustments and updates, making the system more responsive and adaptable.
Such advanced technologies not only enhance existing capabilities but also introduce new forms of threat detection and management that were previously challenging to implement. This innovation aligns with broader trends in the cybersecurity industry, where automation and predictive analytics are becoming indispensable. By providing a more comprehensive security solution, Cisco aims to strengthen its position as a leader in the cyber defense space and address the sophisticated nature of modern cyber threats.
Strategic Insights
The integration of SnapAttack into Splunk’s SIEM platform marks a critical advancement toward achieving Cisco’s goal for the future SOC. With SnapAttack’s technology now part of Splunk’s SIEM, there will be a significant enhancement in proactive threat detection. This merger brings an improved visual insight into potential attacks, enabling security professionals to view and tackle threats from an attacker’s perspective, which is crucial for thorough security risk evaluation and defense adaptation.
According to Mike Horn, Senior Vice President and General Manager of Splunk’s security business, some of the biggest firms in highly regulated sectors already use SnapAttack. By acquiring SnapAttack, Splunk aims to provide an even stronger defense system as SnapAttack supports the entire detection content lifecycle. This includes identifying new threats based on the latest activities, validating and testing, and continuously evaluating the deployed detection content. These comprehensive capabilities ensure that security teams stay alert and capable of responding to new and evolving threats effectively.