Splunk Acquires Caspida: The Future in Advanced Breach Detection is Here


Today, we welcome Caspida to the Splunk family. This acquisition enables Splunk to bring critical analytical capabilities to our customers and extends Splunk’s security analytics leadership. Caspida adds data science-driven Behavioral Analytics to the industry’s most powerful analytics-enabled SIEM solution.

In the last year, I have had several conversations with peers and customers about attack patterns and enterprise compromises. We see three big categories of attackers:

  • Advanced or nation-state attackers: they compromise, persist, and run campaigns, not just one-off opportunistic attacks.
  • Insiders: trusted parties who abuse their privileges.
  • Fraudsters or cyber criminals: stealing money, credit cards and e-store wallets, and conducting fraudulent transactions such as wire transfers and reimbursement or benefits fraud.

All recent high-profile breaches have a common denominator: the attacks are carried out with compromised credentials. So it would seem that if account usage is tracked, it is possible to detect and disrupt many of these attacks, especially the ones we read about in the news.

I am sure you can imagine many detection methods, such as spotting the same USB thumb drive used on multiple systems, or an account that is logged into from locations around the world. To detect these, we track system registries or the source IP addresses of authentications. While these approaches have merit, we still run into some challenges:

  • How do we baseline these behaviors to be sure we’re comparing apples to apples? For example, I travel a lot and regularly log in from multiple cities. My developer colleagues, not so much.
  • Wouldn’t we need to keep track of who is related to what? For example, I don’t use very many business applications, but some colleagues use a number of different apps.
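One way to make the baseline per user rather than global, as an added example that is not Splunk's or Caspida's code: each account's own login history decides whether a login from a new city is unusual, so the frequent traveller and the single-site developer are judged against themselves. The key=value log format, the field names and the thresholds are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (assumed key=value format, not real
# Splunk data): event time, account, and the city the source IP geolocates to.
SAMPLE_AUTH_LOG = """\
t=1 user=traveler city=Boston
t=2 user=traveler city=London
t=3 user=traveler city=Tokyo
t=4 user=traveler city=Sydney
t=5 user=traveler city=Berlin
t=6 user=dev city=Boston
t=7 user=dev city=Boston
t=8 user=dev city=Boston
t=9 user=dev city=Boston
t=10 user=dev city=Boston
t=11 user=traveler city=Toronto
t=12 user=dev city=Moscow
"""

LINE_RE = re.compile(r"t=(?P<t>\d+) user=(?P<user>\S+) city=(?P<city>\S+)")

def parse_events(log_text):
    """Parse key=value lines into (t, user, city) tuples, oldest first; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["t"]), m["user"], m["city"]))
    return sorted(events)

def detect_new_city_logins(events, baseline_events=5, novelty_threshold=0.25):
    """Return (user, t, city) for logins from a city that is unusual for that user.

    A user's first `baseline_events` logins form the baseline: the cities seen and
    the rate at which previously unseen cities appeared. A later login from an
    unseen city is flagged only when the user's own novelty rate is below the
    threshold, so a traveller's new city is normal and a single-site user's is not.
    """
    history = defaultdict(list)  # user -> cities seen so far, in time order
    alerts = []
    for t, user, city in events:
        seen = history[user]
        if len(seen) >= baseline_events:
            distinct = set(seen[:baseline_events])
            novelty_rate = (len(distinct) - 1) / max(baseline_events - 1, 1)
            if city not in seen and novelty_rate < novelty_threshold:
                alerts.append((user, t, city))
        seen.append(city)
    return alerts

if __name__ == "__main__":
    for alert in detect_new_city_logins(parse_events(SAMPLE_AUTH_LOG)):
        print("unusual login location:", alert)  # prints only the dev/Moscow event
```

Both users log in from a city they have never used at the end of the sample; only the developer's login is reported, because the traveller's baseline already shows constant movement.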

But what if … what if Splunk could solve those problems for us? Splunk has solved so many other problems! Splunk is a big data platform. All the data is already there. Splunk is already used by thousands of organizations for threat detection, incident response and continuous monitoring! This is a Splunk problem! Right?

Yes! You are right! Splunk has realized the need to do all these things. Caspida includes machine learning, semantic classification, kill chain detection, graph/link analysis and threat scoring. With Splunk’s emerging role as the nerve center for security, this new combination increases the insights organizations gain as well as their capacity to detect threats and orchestrate and automate responses.

Splunk security customers will benefit from Caspida’s ability to use these data science techniques to detect known, hidden, unknown and advanced threats from external and internal attackers.

With the Caspida Behavioral Analytics solution, Splunk security customers gain these capabilities out of the box. As more and more organizations use Splunk to build out their Security Command Center, this addition dramatically boosts the SOC’s ability to detect and respond to modern threats. Customers can now get a prioritized list of threats, placed in the context of the kill chain and backed by supporting evidence, which makes investigations more insightful and actionable. This is further strengthened by Caspida’s multi-domain (user, device and traffic applications) approach to anomaly detection.

With the acquisition of Caspida, Splunk continues to enhance and innovate its analytics-enabled SIEM solution so customers can significantly shorten their detect-to-respond time and effort as well as add the new insights and intelligence from anomaly detection into their ongoing monitoring program.

We are listening to you, our customers and industry colleagues. Let’s keep the conversation going.
Together, we can raise the bar for the cyber attackers.


Monzy Merza
Chief Security Evangelist
