For competitors, a Phantom Menace: Splunk's security team highlights automation at .conf19

November 20 2019
by Scott Crawford


Splunk's annual user conference, .conf, showcases the company's ongoing evolution. Since Splunk's inception, security has risen from a compelling use case to one of its primary markets. At .conf19, the entire security business showed off its recent developments (including a clever 'pink mode' skinning of a console done just for the security keynote, in keeping with this year's color theme). But certain aspects of the security portfolio stood out for their potential value to the Splunk platform as a whole.

The 451 Take

Splunk's success is based on a strategy of adaptability to a wide variety of use cases, filling gaps difficult for other technologies to close thanks to the flexibility of search in yielding insight from many operational sources. Acquisitions that fit this profile of broad applicability across multiple uses can go far toward furthering this value proposition. At .conf19, it was plainly evident that Phantom is becoming one such asset for Splunk. Originally purchased for its ability to automate aspects of security investigations and response, it is also a flexible platform for creating playbooks applicable to a wide range of demands. This is in keeping with current industry trends toward domains such as robotic process automation in IT. While most of this year's .conf19 security announcements were incremental improvements, Phantom stood out in two particular aspects. One was the release of Mission Control, the new consolidated Splunk security console (which also showcases the vendor's investment in a sharper UI and React-based data visualizations). The second, however, is more provocative: in keynotes and elsewhere, Phantom's name was dropped in several contexts across Splunk business lines, which suggests just how much engagement the automation platform could see across the company's portfolio.

Pricing is another area where Splunk is seeking to simplify its approach and avoid inhibiting consumption – the very thing that can fuel further growth. Recent announcements that highlight the firm's desire to improve pricing models include changing Phantom pricing to a per-seat basis. The details of the new pricing that aims to put this dilemma in the rearview mirror may not always be clear to customers. But if Splunk gets it right, it will go far toward sustaining what has long been a loyal customer base that has recognized what more the company could do for them if cost were less of a factor.


At .conf19, Splunk highlighted the introduction of its Data-to-Everything concept embracing the full value of the vendor's portfolio. Today, the three pillars of the platform are Splunk Enterprise, Data Fabric Search (DFS) and Data Stream Processor (DSP), all of which are or will be offered both as software for customer deployment and 'as a service' in Splunk Cloud.

The general availability of DFS and DSP was announced at .conf19, expanding data access across the Splunk portfolio. DSP analyzes, transforms and routes real-time data into multiple destinations, including but not limited to Splunk Enterprise. DFS supports complex, high-cardinality analytics of large data volumes in Splunk Enterprise. The vendor also announced the start of a prerelease program for HDFS and AWS S3 connectors for DFS that will expand these capabilities across data residing in multiple destinations. These combined capabilities of Splunk Enterprise, DFS and DSP position Splunk to address a much larger and more diverse set of use cases involving real-time analytics and much larger volumes of data both at rest and in motion.

Throughout the platform, a more responsive approach to analytics is manifested in Connected Experiences, the Natural Language Platform and the Machine Learning Toolkit. Manageability at scale is emphasized by initiatives such as Proactive Monitoring, SmartStore and Workload Management, the Kubernetes Operator, and Access Controls to assure policy priorities. Faster time to value with cloud is enhanced via Simultaneous Release, while the Splunk FedRAMP Service offers a US federal cloud policy-compliant implementation.

Security remains a significant focus for the company, where it has risen from a disruptor to a dominant force in security information and event management (SIEM) with Splunk Enterprise Security, an implementation of its platform for security operations. The preeminence of SIEM is emphasized in 451 Research survey findings that cite it as the technology most important to security operations.

Figure 1: Which of the following information security tools are most important to your organization's security operations center (SOC)? Top five responses. Source: 451 Research's Information Security, Organizational Dynamics 2019

In recent years, the company has augmented its security portfolio with the acquisitions of Caspida for user and entity behavior analytics in 2015, and Phantom for security automation and orchestration (SAO, also sometimes referred to as security orchestration, automation and response, or SOAR) in 2018. Today, the Splunk Security Operations Suite embraces each of these capabilities in Splunk Enterprise Security, Splunk User Behavior Analytics and Splunk Phantom, respectively.


In concert with the introduction of Splunk Enterprise + Splunk Cloud 8.0 and a range of other product announcements across its portfolio, Splunk's security business unveiled new versions of its security offerings at .conf19. Among these, the most striking was a significant new member of the Security Operations Suite, Splunk Mission Control.

Mission Control represents both the unification and the modernization of the Splunk security user experience. Capitalizing on recent developments in the Splunk Dashboard and UI frameworks, Mission Control incorporates findings and tools across the Security Operations Suite using sharp and appealing new data visualizations enabled by the company's investment in React, as well as more modular inclusion of individual dashboard components. Splunk positions Mission Control as the one place for every security team member to manage the security operations lifecycle, from beginning to end. Detection and management of monitoring and event data, investigation of events, hunting for and containment of threats, and other security functions are supported.

Additionally, Mission Control supports user-specific dashboards and case management for more precise incident response workflows. Dashboards are composed of several individual components that can be dropped in or customized with data processed via the Splunk Processing Language employed throughout the platform. Analytics extensions can tap into existing or new Splunk instances to unify findings. One of the key values of Mission Control is its unification of the orchestration and automation console with the rest of the vendor's security suite, something the Splunk security community has wanted since the purchase of Phantom.

Splunk Phantom itself was updated at .conf19 with the release of version 4.6, including a new approach to pricing based on the number of user accounts. Other Phantom 4.6 enhancements include support for cluster autoscaling and elasticity in AWS deployments, search head clustering for external search, and Splunk IT Service Intelligence monitoring for Phantom environment health. With Phantom 4.6, Splunk also unveiled Phantom on Splunk Mobile, in line with other introductions of mobile applications for the Splunk portfolio. Phantom on Splunk Mobile enables users to triage events, run and monitor playbooks, collaborate with team members, and reduce response times with access to Phantom automation and notifications from any location.

Additionally, Splunk launched version 6.0 of Splunk Enterprise Security at .conf19, with significant performance enhancements among the highlights of the latest release. According to the vendor, Machine Learning Toolkit integration features a 20% improvement in resource utilization, 10% improvement in accuracy and 8% improvement in search performance. Asset and identity framework enhancements – also highlighted in the release of Splunk Enterprise Security 6.0 – bring a performance improvement of up to 2x, with customized metadata tagging and extensible fields providing greater adaptability to security operations needs and richer context for more efficient investigations. Customizable reports tailored to a specific operation's requirements are further supported with analytics for reporting on investigations to help organizations optimize their investigative processes. Reports include numbers of investigations created and closed, aging of investigations, and other metrics of SOC team efficiency.

In addition to enhancements of machine learning in Splunk Enterprise Security, Splunk User Behavior Analytics (UBA) 5.0, announced at .conf19, brought advanced customization of machine learning models that enable users to tailor analysis to specific use cases and create custom content. Enhanced resilience via faster data recovery helps guard Splunk UBA 5.0 against service outages, while increased support for management of known and unknown devices broadens the scope of Splunk UBA 5.0's entity analytics. With new device management features, Splunk UBA 5.0 improves the quality of device inventory, with up to 4x performance enhancements claimed by the company in large-scale (one million-plus devices) deployments.


In SIEM, Splunk's primary rivals include IBM QRadar, whose simplified yet effective approach to event management based on flow data was a disruptor to pioneering SIEM specialist ArcSight, now part of Micro Focus and still serving a loyal following where longstanding deployments continue to be cultivated by deeply invested security shops. Other SIEM contenders include AT&T via its AlienVault buy, Gravwell, LogRhythm, McAfee, Seceon, pioneering cloud SIEM provider Sumo Logic, and Elastic's recently introduced commercial offering based on the open source ELK stack.

In security automation and orchestration, 2016 saw IBM reach for Resilient Systems and FireEye pick up Invotas. Palo Alto Networks entered the field earlier this year with the purchase of Demisto, while Sumo Logic nabbed JASK, which is more focused on SOC optimization, only a week after .conf19. Other SAO players include CyberSponse, D3 Security, DF Labs, LogicHub, Resolve Systems, Respond Software, Siemplify and Swimlane. Rapid7's acquisitions of LogEntries and NetFort give it a presence in both SIEM and network visibility, detection and response, respectively. Vendors extending from UBA toward SIEM include Exabeam and Securonix. User behavior has cropped up most recently with Microsoft's announcement of Insider Risk Management in Microsoft 365 at its Ignite 2019 conference only two weeks after .conf19, while Proofpoint acquired ObserveIT for insider threat vigilance a day before Microsoft's announcement.

Microsoft's moves highlight how cloud hyperscalers have entered more directly into Splunk's markets. Microsoft, which in 2017 bought Hexadite to automate security response and incorporated it into Microsoft Defender Advanced Threat Protection, introduced Azure Sentinel earlier this year as a disruptive entry in the SIEM space. Other potential cloud disruptors in security operations include Google Cloud's recent incorporation of Chronicle. Amazon Web Services has not made a stake in SIEM per se, but it has unveiled several security offerings for AWS – and in 2018 purchased threat-hunting platform Sqrrl, initially for internal operations, but with provocative potential.

SWOT Analysis

Strengths

Splunk's high flexibility and adaptability has always been its biggest differentiator. Success has fueled the vendor's expansion into new markets, echoing its prior success in security, and given it the means to embrace more advanced analytics and automation.

Weaknesses

The company has succeeded on multiple fronts, but if there's one thing customers complain about consistently, it's price. Splunk has clearly addressed this with .conf19 announcements targeting improved pricing, but if customers get lost in the details, this won't be the last time Splunk has to revisit its pricing.

Opportunities

Splunk's opportunities are as boundless as the challenges to which its enthusiastic and vocal user base can apply it. Trends favor such a flexible approach, particularly in security, where the scale of cloud and IoT will explode prior concepts of just how big the attack surface will become.

Threats

In security operations, emerging technologies and changing perceptions about the role of analytics beyond SIEM are altering the nature of the SIEM sector itself. While Splunk is tackling those changes, opportunists are taking it on everywhere – from open source alternatives targeting pricing concerns to cloud providers and as-a-service approaches to security analytics.