Cisco Moves Into SIEM With $28B Deal to Acquire Splunk

Cisco's surprise agreement could reshape the security information and event management (SIEM) and extended detection and response (XDR) markets.


Cisco signaled it intends to reshape security information and event management (SIEM) by pulling the trigger on a deal to acquire Splunk for $28 billion. The all-cash agreement, announced today, calls for Cisco to purchase Splunk shares at $157 each, a 31% premium over the closing price of Splunk's stock on Wednesday.

The deal would be Cisco's largest to date. While rumors surfaced in early 2022 that the two companies were in acquisition talks, no deal materialized. Shortly after, Splunk tapped longtime Proofpoint CEO Gary Steele as its CEO. Steele said he will join Cisco after the transaction closes.

Adding Splunk could significantly boost Cisco's already formidable cybersecurity protection portfolio. "Our combined capabilities will create an end-to-end data platform to enhance digital resiliency," said Cisco chairman and CEO Chuck Robbins during an investor call to announce the deal. Robbins anticipates the deal will close in the third quarter of 2024, pending shareholder and regulatory approvals.

Although regulators worldwide have recently scrutinized large deals more intensely, and often nixed them, Robbins is confident they will clear this one. Bolstering his confidence is the fact that the agreement doesn't have to be approved in China, because Splunk has a minimal presence there.

While getting large deals approved by regulators in the US and Europe has also become more difficult, Robbins argued that there's little overlap between the two companies' offerings.

"Through the integration of Cisco's extended detection and response platform, our best security insights, and Splunk security information and event management offering, we will be able to help our customers move from threat detection and response to threat prediction and prevention," Robbins said.

Deal Comes as a Surprise

There was little recent indication that Cisco was contemplating a deal with Splunk, which made the announcement a surprise to industry watchers. In a LinkedIn post, Omdia managing principal analyst Eric Parizo called the Cisco-Splunk deal "a true bombshell move that will have a seismic impact on the entire enterprise cybersecurity landscape," adding it may foreshadow more consolidation.

Parizo believes the deal will position Cisco as one of the dominant players in next-generation SIEM (NG-SIEM), a market that Omdia forecasts will grow to nearly $4 billion in global annual revenue by 2027. "Splunk's established position as a premium offering with the deep resources of Cisco's global salesforce should present immediate upsell opportunities," he adds.

Forrester analyst Allie Mellen agrees the deal could be a significant boon for Cisco's security efforts, but the effect on security practitioners remains to be seen. Mellen warns that Cisco has a checkered past with some of its largest acquisitions.

"Cisco has long been a case study for acquisitions that don't live up to their initial promise and suffer from underinvestment and a lack of focus," Mellen says. "To keep Splunk's massive, loyal user base, Cisco needs to let Splunk deliver what Splunk does best: a flexible, powerful SIEM and observability offering."

Fueling Next-Generation SIEM

The deal comes amid a growing spotlight on next-generation SIEM and organizations needing to move from legacy platforms to those that support multicloud and cloud-native applications and infrastructure. It also comes as platform providers are expanding their XDR capabilities.

For example, at this week's CrowdStrike Fal.Con 2023 conference in Las Vegas, CrowdStrike released the "Raptor" version of its Falcon platform, which integrates an enhanced iteration of LogScale, the company's NG-SIEM offering. LogScale is the outgrowth of CrowdStrike's $400 million acquisition of logging and event management provider Humio. Designed to ingest petabytes of third-party data, CrowdStrike's Raptor release provides real-time event information natively in Falcon.

CrowdStrike CEO George Kurtz asserted that, over time, SIEM will be subsumed into XDR. "XDR, in my opinion, will replace SIEM; call it next-gen SIEM," Kurtz said during a media briefing this week. "[Customers] want the ability to ingest data at scale ... to store that data, [and] they want the ability to search that data and query it," he said. "And they want the ability to take an action, and if we put it all in one spot."

Analysts say CrowdStrike's goals are ambitious. "LogScale is a first step toward SIEM, but is essentially more of a proprietary log management system tailored for its own solutions," Parizo notes. "But if it has the bandwidth and appetite to quickly catch up on SIEM, there are certainly viable acquisition targets out there."

Mellen notes that most XDR vendors have shifted to having a SIEM or a SIEM-alternative in their portfolio. "This is a massive shift in the market that gives CrowdStrike and other XDR vendors an opportunity to use to their advantage," she says.

Cisco's acquisition of Splunk would give Cisco "both sides of the coin: XDR with Cisco XDR, and a SIEM with Splunk," she adds.

Roger Thornton, general partner at VC firm Ballistic Ventures, believes that in the short term, customers may become more open to alternative SIEM offerings. "Customers, particularly big ones, don't like it when their favorite vendors get acquired," Thornton says. "Integration always has an impact on support, account management, and the senior sponsors. It will definitely give Google Chronicle SIEM and Microsoft something to talk about with the Splunk installed base."

About the Author(s)

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.
