MI-One Issue #16 - Solstice Edition

Hello there.

We're coming to you halfway through 2025 with the security landscape shifting rapidly beneath our feet, driven by an unprecedented wave of strategic partnerships and AI-native innovations.

This quarter's big theme? Strategic cloud partnerships and platform consolidation.

The industry continues evolving at breakneck speed, but this time it's less about acquisitions and more about deep strategic alliances. We're seeing major players like Elastic signing a five-year strategic collaboration agreement with AWS to deepen their cloud integration, while security vendors are forming powerful defensive coalitions.

Key partnerships reshaping the landscape include Exabeam integrating its New-Scale Security Operations Platform with Vectra AI's network detection and response capability to detect lateral threat movement across cloud environments, and Mimecast partnering with Zscaler to automatically exchange security intelligence between email security and the Zero Trust Exchange platform for real-time multi-vector threat protection.

In a strategic move, Zscaler also announced its definitive agreement to acquire Red Canary, combining their Zero Trust platform with Red Canary's threat detection expertise to deliver an AI-powered SOC expected to close in August 2025. These integrations signal a shift toward connected security ecosystems that share threat intelligence automatically rather than operating in isolation.

We would also like to highlight Wiz's launch of WizOS last month. Their hardened, minimal, near-zero-CVE container base images are built for secure software delivery. This addresses a fundamental problem where a single critical CVE in a shared base image can halt deployment across dozens of services, forcing developers away from feature work to address inherited vulnerabilities. WizOS shifts the approach from reactive patching to proactive foundation hardening, with every component built from source with signing and provenance.

On the automation front, we're seeing continued advancement in AI-driven platform engineering, with Cisco unveiling JARVIS, their AI assistant that integrates with several tools to streamline complex platform workflows, reducing tasks that previously took a week to under an hour. For example, when a developer needs to set up a CI/CD pipeline, they can simply assign a Jira ticket directly to JARVIS, which then autonomously executes the entire setup process that previously required multiple manual steps across different platforms. Additionally, resource provisioning tasks such as creating S3 buckets, EC2 instances, or LLM access keys that used to take half a day are now completed in seconds. The trend toward AI-native automation continues gaining momentum across security operations and infrastructure management.

Similarly, Palo Alto Networks released the Prisma AIRS MCP Server in public preview, designed to help organizations embed security into AI agents built using the Model Context Protocol (MCP), with sample code now available on PyPI and GitHub. The trend toward AI-native automation continues gaining momentum across security operations and infrastructure management.

The shift toward interconnected security ecosystems suggests that standalone point solutions are becoming less viable. Organizations need to start prioritizing vendors that demonstrate strong API capabilities and proven integration partnerships, as the future belongs to platforms that can seamlessly share threat intelligence and automate cross-platform responses.

Further in this month’s issue, we'll explore how these partnerships are reshaping vendor selection criteria, examine the practical implications of an integrated security ecosystem, and highlight specific product updates. But first, we’ll take a closer look at one multi-tool suite in particular.

Let's get into it.

Under the Lens — Splunk

In this section, we take a deep dive into specific security platforms and their evolving capabilities, examining how major vendors are adapting to the changing threat landscape and what their product roadmaps signal for the broader market.

Expanding your organization's security playbook can appear daunting at times. With so many tools, platforms, and integration options available, it's not always clear where the most immediate benefits lie.

Fortunately, numerous providers offer comprehensive, multi-tool suites that can cover a range of security needs. In this month's edition, we're taking a closer and curated look at the Splunk suite of security products.

Splunk is a provider of security and observability solutions that turns machine data into actionable insights across security and IT operations. The name applies both to the company and their comprehensive range of products that form an integrated platform for enterprise resilience.

It delivers comprehensive data analytics through its Splunk Enterprise platform for on-premises deployments and Splunk Cloud Platform for scalable cloud-native analytics. Splunk Enterprise Security provides advanced SIEM capabilities, while Splunk SOAR automates security orchestration and response. Splunk Observability Cloud ensures full-stack monitoring, and Splunk IT Service Intelligence delivers operational intelligence for IT service management.

Together, these solutions create a unified data-to-everything platform.

Let's examine the key security solutions within Splunk's portfolio:

Core Data Analytics Platform:
- Splunk Enterprise serves as the foundational data platform that ingests, indexes, and analyzes machine-generated data from any source, providing real-time search capabilities, customizable dashboards, and advanced analytics to transform raw data into operational intelligence across the enterprise.
- Splunk Cloud Platform delivers all the capabilities of Splunk Enterprise as a fully managed cloud service, offering elastic scalability, automatic updates, and reduced infrastructure overhead while maintaining the same powerful search and analytics capabilities for organizations embracing cloud-first strategies.
Security Operations:
- Splunk Enterprise Security (ES) provides comprehensive SIEM functionality with correlation rules, threat intelligence integration, and investigation workflows, enabling security teams to detect threats, conduct forensic analysis, and maintain regulatory compliance through unified security monitoring.
- Splunk SOAR (Security Orchestration, Automation and Response) streamlines security operations by automating incident response workflows, integrating disparate security tools, and standardizing playbooks, allowing security teams to respond to threats faster and more consistently while reducing manual effort.
Observability & Monitoring:
- Splunk Observability Cloud delivers comprehensive full-stack observability through infrastructure monitoring, application performance monitoring, and real user monitoring, providing end-to-end visibility into modern applications and infrastructure to ensure optimal performance and user experience.
- Splunk IT Service Intelligence (ITSI) transforms IT operations through service-centric monitoring that correlates data across systems and applications, providing predictive analytics, anomaly detection, and service health scoring to enable proactive issue resolution and improved service reliability.

Splunk is currently running a critical beta program for the next major version of Splunk Enterprise, formerly known as the OpenSSL3 Beta Program. This pre-release initiative addresses significant infrastructure updates that will impact all Splunk deployments.

The upcoming Splunk Enterprise release represents a foundational infrastructure upgrade designed to keep the platform current with modern security standards and development frameworks. Organizations should prioritize participation in this beta program to identify potential compatibility issues with existing configurations, custom applications, and integration workflows before the production release. We have covered it in detail in our Lyrid Edition.

Optimizing Splunk Platform Usage

To maximize your security operations' effectiveness, focus on these strategic implementation approaches that leverage Splunk's integrated capabilities across data ingestion, threat detection, and automated response workflows:

Leverage Core Platform Capabilities:
- Utilize Splunk's Search Processing Language (SPL) to create powerful searches and reports that transform raw machine data into actionable insights. Build reusable saved searches and alerts that automatically trigger notifications or actions based on specific data patterns.
- Take advantage of the Common Information Model (CIM) to normalize data from different sources into consistent field names and structures for unified analysis across your environment.
Data ingestion and optimization:
- Ensure data quality by implementing universal forwarders and data input configurations with parsing and indexing strategies. Machine data can be ingested into Splunk and automatically parsed using built-in sourcetypes for consistent field extraction.
Maximize Enterprise Security effectiveness:
- Leverage Enterprise Security's pre-built correlation searches and notable events framework to detect security threats using proven detection logic and investigation workflows.
- Implement adaptive response actions to automate initial incident response steps, such as enriching events with threat intelligence or creating tickets in external systems.
Orchestrate operations with SOAR:
- Build comprehensive playbooks in Splunk SOAR that automate multi-step security processes, integrating with existing security tools and ticketing systems to standardize and accelerate incident response.
- Use SOAR's case management capabilities to track investigation progress and maintain audit trails for compliance and process improvement.

Splunk's strength lies in its unified approach to security operations – by combining analytics with automated response capabilities, organizations can transform from reactive security postures to proactive threat hunting and rapid incident resolution. The platform's integration between Enterprise Security and SOAR creates a seamless workflow from detection to response.

Security Application and Version Updates

Elasticsearch has released version 9.0.2, marking the latest update in the major 9.0 series with significant architectural changes and enhanced search capabilities. Key highlights of this release include:
- Advanced Ranking Capabilities: Introduction of the rank_vectors field type for late-interaction ranking and ES|QL LOOKUP JOIN in technical preview, enabling more sophisticated search scoring and data correlation workflows.
- Semantic Search GA: The semantic_text field type has been promoted to General Availability, providing production-ready semantic search capabilities with support for sparse_vector queries and knn vector queries for AI-powered search experiences.
- Modern Infrastructure Foundation: Permanent transition from Java SecurityManager to the new Entitlements security system, bundled Java 24 JDK, and upgraded Lucene 10.1.0 engine provide enhanced security, performance, and compatibility with modern Java ecosystems.
Splunk released version 8.0.4 of Enterprise Security on 30 April 2025, introducing several major enhancements focused on unified threat detection, investigation, and response workflows. Key highlights of this release include:
- Unified TDIR Workflows: Integration with Splunk SOAR (Cloud) enables seamless pairing of playbooks and actions with case management features, creating a cohesive investigation experience.
- Enhanced Detection Capabilities: Improved detection authoring with risk-based alerting allows security teams to build high-confidence groups of findings using new event-based and finding-based detection editors. Detection versioning enables backup and management of multiple detection versions without requiring complex SPL knowledge.
- Streamlined User Experience: Reorganized navigation menus, simplified terminology aligned to the Open Cybersecurity Schema Framework (OCSF), and consolidated analytics dashboards under a single tab improve overall usability and accessibility.

Insights: From Our Integration Factory

Reco AI + CAASM: This integration of Reco AI with the CAASM platform aims to establish a basic data feed that transfers incident information for enhanced visibility and analysis within the CAASM environment.

This integration aims to provide a unified security experience, allowing security teams to monitor and analyze incident data from Reco AI within the CAASM platform. It bridges the gap between incident detection and comprehensive attack surface management, offering enhanced visibility into the organization's security posture and enabling streamlined analysis through graphical and tabular visualization formats.
Abnormal Security + BAS: This integration of Abnormal Security with the Breach and Attack Simulation (BAS) platform aims to enhance email security testing and validation capabilities by incorporating advanced behavioral analysis and threat intelligence into simulated attack scenarios.

This integration aims to provide a comprehensive security validation experience, allowing security teams to test email security controls using Abnormal's AI-driven threat detection insights within the BAS platform. It bridges the gap between email security monitoring and proactive security testing, offering enhanced visibility into email attack surface vulnerabilities and enabling continuous validation of security controls through sophisticated simulation scenarios.