Insights From Cisco Live 2024: Splunk Integration, Security (And More Security), And AI Pragmatism
At its annual flagship event, Cisco Live, about 20,000 IT and security pros gathered in Las Vegas to hear the company’s latest announcements, plans for its $28 billion Splunk acquisition, and vision for the future. While there was a heavy dose of AI everywhere, as compared to other vendor pronouncements, Cisco’s AI aspirations are modest and achievable. And like last year, the tech giant sought to simplify its value and competitive differentiation with a simple message: Cisco connects, protects, and provides insights across your entire complex enterprise — including all your locations, owned and unowned networks, devices, hosting models, etc. This roughly corresponds to its major portfolio domains: networking, security, and observability.
There was an additional theme executives aimed to hammer home within this message — the company is committed to deep integration and innovation. To that end, over two days at Cisco Live, it announced a parade of new products and capabilities.
Networking And Computing
Instead of traditional announcements heralding new switching, routing, and wireless products, Cisco’s networking announcements centered on the intersection of networking with its new areas of focus:
- AI infrastructure. Cisco revealed its Nexus HyperFabric AI Clusters: a new cloud management system; new Cisco 6000 switches based on Cisco Silicon Open; and predefined, validated designs and configurations for NVIDIA’s AI solution and VAST data platform. Instead of managing AI across InfiniBand and Ethernet, Cisco’s new offering can help simplify AI networks by consolidating connections using 400G and 800G Ethernet switches.
- Expansion of Digital Experience Assurance. Cisco is expanding the Digital Experience Assurance offering it announced in 2023, which is based on ThousandEyes and provided digital experience information from private and public cloud infrastructures, to enhanced levels of visibility from cloud platforms, LAN, WAN, and WLAN. Basically, clients can map out the connections of an application from an end-user device across the WAN to a microservice or a virtual machine in the data center or cloud. ThousandEyes now collects information from Meraki hardware, Catalyst product lines, and virtual gateways within IaaS platforms. Meraki has a summary (Digital Experience) Assurance page fed by ThousandEyes.
Security
Security was the second theme after (of course) AI. Content-packed keynotes and deep dives helped shed more light on the vendor’s upcoming HyperShield architecture. Additionally, Cisco announced plans for sensible integrations with its XDR solution and Splunk, its largest acquisition to date. Splunk is still hosting its annual .conf user conference, which takes place just next week, also in Las Vegas. Security announcements at this year’s Cisco Live include:
- Introduction of Cisco HyperShield and its capabilities. HyperShield is a software architecture that isn’t a product but rather a mesh of software agents embedded in the fabric. Imagine thousands of “baby firewalls” positioned very close to the applications and containers they protect; security policy will be distributed such that each baby firewall only has the policy it needs to protect its tiny domain. AI will be needed to refine and maintain the policy (hence the descriptor “AI-native”). If you think this sounds very much like VMware’s approach to integrating Lastline into NSX, you’re right. There’s an opportunity here for Cisco to capture disgruntled VMware customers. HyperShield can replace NSX. In the short term, they’d have to rely on OpenShift or similar to replace ESXi.
- Autonomous segmentation. The first of HyperShield’s use cases will be to use AI and Isovalent’s eBPF kernel-level filter to both simplify and deepen the vendor’s microsegmentation solution. On servers, this will live as an agent; in the network, as virtual appliances. In the future, it’ll exist on Cisco routers and switches with an AMD DPU embedded into the hardware. HyperShield targets east-west, and the vendor encourages one to think of HyperShield as providing visibility and policy enforcement as a “fabric, not a fence.”
- Integration of Cisco XDR with a variety of products. Integration includes sending data to Meraki MX and Splunk. HyperShield will have dual data paths that will generate orders of magnitude more telemetry, and Splunk technology will be used to digest it all (Cisco claims).
- Introduction of a 1200 series firewall and a Meraki MX650. The 8-port 1200 series appliance will feature integrated SD-WAN, and the vendor claims a huge price/performance boost (probably to compete with PANW and Fortinet). The MX650 will move up from the MX450 and have SD-WAN interconnect so an administrator can attach it to existing SD-WAN config objects.
- SnortML. This was another announcement buried under the larger focus of AI and HyperShield. The forthcoming FTD 7.6 release will add the SnortML feature to enhance firewall preventative capabilities, promising better detection by leveraging recurrent neural networks (RNN), improving deep learning to help distinguish good from bad more accurately. Many of the improvements and optimizations announced don’t include Cisco’s ASA platform, resulting in a dubious future for the platform as Cisco hasn’t confirmed plans to phase it out. It can be surmised that “the writing is on the wall” for customers still utilizing the ASA.
- Cisco ISE (yes, that’s right). It’s part of the updates and optimizations with the integration of HyperShield. The goal is for a “seamless integration” of the network and security fabric for selective workflows and to push those flows to HyperShield for L4 inspection with SGT supported. This integration is planned for August. In the meantime, its recent 3.4 release continues Cisco’s vision of common policy, which now extends beyond users and devices to include applications and workloads regardless of where they’re running (cloud or on-premises).
- Security Cloud Control for tying everything together. Much of the early HyperShield will be administered from CDO, with a path to move to SCC in the future.
Unified Observability
The unexpected early closure of the Splunk acquisition, just weeks before Cisco Live, featured prominently in keynotes and breakout sessions. Cisco’s multiyear investment in its Full Stack Observability (FSO) solution will now transform into a broader strategic narrative. FSO and AppDynamics products, and their development teams, will consolidate under Tom Casey, SVP and GM of product and technology at Splunk. FSO’s scalable data integration architecture will play a prominent role enabling use cases for the Splunk platform and its drive for unified observability, while ThousandEyes will drive the new Digital Experience Assurance (DXA) initiative.
Carlos Pereira, Cisco’s FSO chief architect, will now head up Cisco’s customer experience efforts for Liz Centoni, an area given considerable coverage during her keynote and something that Forrester sees as a core driver for the future of all operations. With Splunk’s established brand, a modern and scalable data integration architecture, and a clear directive to be experience focused, Cisco could shed its siloed product delivery perception and easily become a dominant AIOps and observability player.
AI
AI loomed over the conference and permeated all of Cisco’s messaging. But following the obligatory “We’re doing AI innovation” statements, Cisco’s AI announcements tacked into “early” specifics and worked to connect its disparate portfolio into the AI boom. And somewhat surprisingly, all announcements were straightforward, leaned into its strengths as a provider, and are achievable.
While there wasn’t anything as ambitious as the model providers’ recent enhancements (e.g., GPT-4o’s multimodal capabilities or Gemini’s 1M token context window), Cisco’s announced strategy does outline opportunities where it will play in AI workloads. Announcements revolved around two themes:
- Investments and partnerships. Cisco announced a billion-dollar AI fund, its investments into strategic AI firms like Scale AI, and highlighted a range of partnerships with the likes of NVIDIA, AMD, and even Microsoft. While the partnerships were wide ranging across the Cisco stack, the main logical through-line was — appropriately — integration and multiparty cooperation to pursue better AI outcomes for enterprises.
- Iteration. Cisco also made a host of announcements at Cisco Live on expanding the AI features already in its products, against the themes of “personalized, proactive, and predictive,” increasing out-of-the-box AI functionality (like automated customer support churn analytics). Cisco’s AI assistant, in particular, is getting an expansion, using a skills-based architecture to increase its flexibility and applicability to new domains like contact center and increasing end-user facing automation options, similar to how other providers are now introducing “vendor ecosystem configured” conversational AI systems.
It’s clear Cisco is committed to integration and beginning to deliver — many of its announcements focused on sharing telemetry between offerings, simplifying management, creating common policies, improving user experience, etc. It’s also clear that Cisco is doubling down on the advantages of its extensive visibility into networks, apps, hosts, and devices. Its portfolio and integrations appeal to existing Cisco customers (both IT and security leaders) who want to consolidate the plethora of point products and vendors that create needless complexity and overhead with small advantages.
Where Cisco has more work to do is on innovation. Many of the announcements it characterized as innovation (e.g., single sign-on unification, sharing telemetry, AI assistant availability) are either capabilities customers expect from a portfolio vendor or ones other vendors already have. To be innovative, Cisco needs to maintain its current momentum while picking a few areas where it can pull ahead of competitors. HyperShield is the most ambitious of its announcements and represents real innovation, as it’s nearly all software-based, highly distributed, and starts with the most difficult security use cases like segmentation.