Big Picture Thinking at Splunk .conf23
What technologies and capabilities, especially new ones, are behind Splunk’s anchor message Building Digital Resilience at their recent user conference, .conf23? The good news for Splunk and its customers is that there was plenty to back up the message. Even better, the new capabilities were wrapped in a message on tool consolidation and collaboration within teams. I’ll call that big picture thinking because it embraces a whole raft of different roles and circumstances where the product capabilities can be deployed.
Bringing IT Together
There were numerous small features announced that clearly delighted the Site Reliability Engineers (SREs) in the audience. One feature greeted with applause and shouts was unified identity for accessing both Splunk Cloud and Splunk Observability Cloud data. While you would probably have expected it to exist already, this demonstrates that the products are coming together to form a single suite.
Unifying SecOps on a single work surface is the objective of the latest iteration of Splunk Mission Control, and we saw some very nice demos. The user experience is delightfully consumer grade, which is important for many reasons, not just aesthetics:
It helps bring new people into the world of SRE by reducing the learning curve, a theme that applies to several of the new features.
It reduces error rates by making processes and information easy to follow and key data immediately visible.
It eliminates switching between multiple different experiences, accelerating time to finding the trouble.
There really is no need for enterprise software to be dull and grey any more. Progress. Mission Control brings together Splunk Enterprise Security, Splunk Attack Analyzer, and Splunk SOAR. Combining these critical services reduces stress during incidents, and allows teams to work together more easily in normal operations.
Reflecting Hybrid Reality
The reality of digital infrastructure is that it is fragmented, poorly understood, and barely documented. Most organisations rely on a mix of on-prem systems, potentially in multiple locations, multiple cloud providers and a mix of SaaS products. This fragmentation clearly adds to the complexity of running the estate, and it creates many more edges than were previously present, each with the potential to increase the attack surface.
Two quotes from Splunk CEO Gary Steele’s keynote stick in my mind: “you can’t secure what you can’t see” and “you can’t operate what you don’t know exists.” Documentation, where it exists, is usually wrong, sometimes dangerously so. The extension of technology into every branch of business means that things are constantly being changed, with the decentralization of IT budgets resulting in a proliferation of applications, devices and vendors.
This organic growth is why observability is so important. However, the long and passive-sounding word observability itself doesn’t help. All too many IT people are reluctant to admit to not knowing what is on their network, and most management are clueless about the whole thing. Observability deserves a dynamic upgrade with a more active, even aggressive, title.
Owning the Edge
Edges, furthest from central control, are all too often where things go wrong. As mentioned above, current fragmented, federated IT estates introduce many more edges over which data has to flow. Responding to this need, Splunk has launched two products.
The first is Edge Processor, a software appliance that implements data transformation pipelines for ingesting information. It uses the second generation of Search Processing Language (SPL2), which allows for continuity across the platform and reuse of existing skills and code.
The second is Edge Hub, a hardware appliance. Yes, hardware. Splunk is working with partners to deploy this device. It’s small but heavy, with a chunky heatsink on the back, but a surprisingly bright touch-sensitive display panel on the front. This is not your classic hardware interface, but very much a consumer-grade experience. I am curious to know how this will go down with gnarly industrial engineers.
The device is a veritable Rosetta Stone of industrial protocols, as well as having built-in detectors for temperature, vibration, sound and video. These are designed to support a wide range of operational applications, ranging from monitoring cabinets in a data center to the full industrial spectrum of conveyors, pumps and similar.
The objective is to connect currently unconnected devices, essentially bridging the OT and IT worlds, allowing OT data to be added to the overall pool for analysis. This has the potential to detect all sorts of new trends and opportunities for optimization. It will be very interesting to see what can come from this; I can see immense possibilities for sustainability initiatives.
On the other hand, I can see the old antipathy between OT and IT resulting in disagreements and less than optimal implementations. This is where the partners come in. Working through partners is a wise move from Splunk. The selected partners already have the trust of the OT world, with the serious operational credentials that Splunk does not.