Takeaways from Splunk.conf 2018
If you weren't able to get to Orlando as one of the 8,000+ attendees at this year's event, I'd like to share my key takeaways and a few experiences that might be useful, or perhaps at least entertaining.
First, day one of the Conference was a madhouse with registration and a pub crawl on the show floor. Splunk pointed out that the attendee count had doubled since 2016 as they increase their momentum in the IT Ops and SIEM space. In two hours, the ExtraHop teams spoke with more than 250 people. Folks were stoked to be there, eager to drink and eat well (steamship turkey roast, not just high-carb munchies), and excited to get light-up bouncy balls. An IDC analyst I spoke with said that the latter are hard to find, so apparently we are filling many needs for IT and security these days.
Boss of the SOC
After the show closed, SOC teams elbowed their way to a reservation-only "Boss of the SOC" contest that lasted from 730 to after midnight. The intensity was amazing. Why? The scenarios were both fun and challenging – kudos to the organizers who claimed that by doing this they could avoid booth duty. Also, the winners are covered in glory with on-stage recognition, free passes, and the envy of their peers. And they have a chance to have Splunk experts help them, which provides real-world value when they head back home. I believe Splunk said it was the seventh year, and it had grown to 700 from 400 attendees just last year. This engagement reinforces the importance of Splunk and its partners to the SOC teams.
New Product News
The opening keynote had interesting product news and some great demos as Splunk increased its feature sprawl. Major audience applause came when they showed a new storage model that may address some licensing and TCO pain (later, however, an attendee said it was only helpful if you were in the cloud). From UI improvements for easier programming to a slick mobile app to monitor and manage alerts to a new stream processor to correlate data from many sources (including wire data and detections from ExtraHop) in microseconds, there was something for everyone.
Phantom Was Not a Ghost
We were especially pleased to see the strong role given to our friends at Phantom, who seem to be taking over powerful roles as they integrate into Splunk. This is a sign that orchestration and automation are considered very strategic, overarching security use cases and likely expanding to cover IT Ops.
With their emphasis on upleveling usability away from the deeply technical users (visual programming, mobile app, less use of SPL) to focus on wider adoption and increased productivity, you should expect to see more traction and more focus in 2019. Anecdotally, in the booth I asked about knowledge of Phantom, and most people weren't aware of it until the keynote, but were planning to learn more at .conf to incorporate it in their Splunk buildouts/expansion in 2019.
We sponsored a Phantom Hackathon on Tuesday night, and the attendees there were few, but mighty. In just its second year (and first as a Splunk event), the emphasis was on education with "crawl, walk, run" style playbook scenarios to help people see the benefits of automated data collection, integrated response, and more. People competed primarily as teams, and I'm sure next year's event will be sold out.
Prediction: they will run an event for security, and another event for IT Ops. Or at least provide separate playbook challenges for those two audiences.
Worth the Trip
Overall, compared with other user conferences I've been to (trust me, way too many), this was a very high quality, high-energy, user- and partner-friendly event. It attracted a cross-section of security and IT folks, with some there to hone their admin skills, and others setting strategy for an increasing commitment to Splunk and its ecosystem. So it wasn't all techies – companies are committed to Splunk as their core infrastructure partner.
For those visiting the ExtraHop booth, more than half of our visitors were from the security side of their companies, looking to enhance visibility, incident detection, and rapid response. Others were eager to complement Splunk with our rich and real-time performance data and detections.
Many long-term and new customers were there, eager to get the latest news (Reveal(x) for Azure, ticketing integration, and remote and branch office solutions) and share their success stories. And quite a few were Splunk staff and partners who felt the buzz and wanted to learn more about us. We were especially gratified that so many consultants from Splunk wanted to know how to recommend us to their clients.
Overall, I think attendees enjoyed the bouncy balls and the Reveal(x) t-shirts (which were worn with pride at the show), as well as the myriad use cases, integrations, and enterprise-grade capabilities of ExtraHop for both security and performance needs.
We'll be back next year, with more extensive integrations, more interesting detections, and some great new chotchkes. I hope to see you there!