Cisco Security Exclusive: Execs Say New Security Blueprint Will Help Partners, Enterprises Battle ‘Varsity Team’-Level Attacks
Having a hyper-distributed approach to cybersecurity is crucial, especially as the growth of AI takes hold, Cisco Security and Splunk senior vice presidents tell CRN at the RSA Conference 2025.
To say the cyberthreat landscape is dynamic and rapidly evolving is an understatement, and that is before accounting for the impact AI is having on cybersecurity. AI is making attacks more sophisticated and shrinking the time from disclosure to exploitation, and IT administrators must fight fire with fire.
Enter a new security architecture that emphasizes distributed data storage, analytics and policy enforcement, according to Tom Gillis, Cisco senior vice president and general manager, infrastructure and security, and Mike Horn, senior vice president and general manager, Splunk Security. Partners play a big role in the new security landscape, the executives said, as customers need help assessing and acting on their data. AI, in the meantime, can help the channel by enhancing security efficiency and creating room for more managed services.
Cisco also took to the RSA Conference to unveil a handful of updates to its security portfolio, including the new Instant Attack Verification feature, which integrates data from the Splunk platform, endpoints, networks and threat intelligence and uses agentic AI to automatically create investigation plans. New automated XDR Forensics capabilities provide deeper visibility into endpoint activity, and a new XDR Storyboard visualizes complex attacks; all are now part of Cisco XDR.
The two security leaders for Cisco and Splunk sat down with CRN ahead of Cisco’s Wednesday keynote at the RSA Conference to share their vision for a new security blueprint for channel partners and end customers. What follows are excerpts from the conversation.
What kind of impact is AI having on the cybersecurity landscape right now?
Gillis: It’s pretty well understood that the landscape is changing pretty dramatically, and in the threat world there’s been a consistent increase in the severity and sophistication of attacks. The latest round of [news] that made the headlines about nation-states attacking our telco infrastructure just highlights that this is the varsity team we’re dealing with, and the stakes are very, very high. The motivation of the attackers has been insidious in that they’re breaking in and staying in and can turn the lights off, literally, so that’s definitely a concern.
Horn: It’s been bad, and AI is only accelerating things when we think about time to exploitation and a vulnerability being announced. What used to take potentially months to show up in the wild now suddenly is showing up in hours, or at most a couple of days. The quality of attacks, as much as I hate to say it, goes up with being able to use AI to generate high-quality lures. ChatGPT can write you a really nice email from HR that tells people that they’re not getting their bonus because there was a problem, right? You can get some really credible things generated. So, the landscape is definitely shifting, and then you still have the drumbeat—the financially motivated people haven’t gone anywhere either, the people trying to steal IP or money—and you have the added, increasing factor from these nation-state actors. So the challenge is harder, and the thing that we’re protecting—the nature of the applications themselves—is also changing very, very dramatically. An AI-based application looks and behaves very differently than a traditional application. The way I described it is [with] a traditional app, you have the presentation layer, app logic layer and then the data layer. Now there is a new layer called a model. And something that people don’t realize is that when a model learns something, it never forgets. You can’t delete data in a model. A model acts in a nondeterministic way, which means you can ask it questions, and it may just say something it’s not supposed to say. So it’s certainly a tricky space. The folks that are building, using and deploying these models at scale are the large-scale AI clouds right now. We’re very close to these folks because we sell chips to them for the network, and one of the things we notice is that the speed of these chips is growing exponentially because the amount of data that an AI-based app can generate and produce is orders of magnitude more than a traditional app.
So, we’ve got these apps that behave differently to produce tons and tons of data, and attackers that have a whole new toolset to get at that data, and I would argue that the current security architecture simply isn’t going to adapt to this new world.
Tell us about the new distributed security blueprint that Cisco is suggesting to partners and enterprises.
Horn: We’re laying out what we think is a blueprint and an architecture for tomorrow. The three key pillars you’ll hear us talk about in that architecture are distributed data storage, so shifting [away] from a central data lake to rule them all. When you have distributed data storage, that means you also have to have distributed data analytics because you need the data and the analytics to live together. And then when we think about, ‘Well, how do I act on that?’ You need distributed policy enforcement. You need to be able to say, ‘How do I have a granular response to something that was detected through insight?’ So those are the foundational elements of this new architecture. And there are some really key technologies that are driving why we can do this now and we couldn’t do it before. We have things like Federation, which is a set of technologies that help us look across a broad set of data stores. And we talk about data stores, data lakes, data ponds, data puddles. We have technologies like EPPs [endpoint protection platforms] … and [data processing units], and that’s driving fundamental changes in switching technology and different hypervisors, so this is technology that’s just emerging. Then there’s AI, which is accelerating a lot of these things, so I think that’s the mix of new ingredients that are coming together that let us power this new architecture.
How big is the partner opportunity around the concept of a distributed approach to security?
Horn: One of the things I think is interesting is this is a great opportunity for partners to be bringing new value. There are a lot of companies that are trying to figure out how to navigate this change. What’s the governance model that makes sense? Which technologies are they ready to consume, and which things should they be thinking about? How should they be thinking about the security? Everything from the big systems integrators who were doing a ton of work with companies on AI adoption, all the way down to a VAR that is helping a customer pick their next firewall. If we think about things like firewall policy management and technologies like Hypershield, AI is fundamental to some of those technologies.
Gillis: We couldn’t do it without these AI building blocks. In very practical terms, what this means is we have built a firewall that writes its own rules, tests its own rules, deploys its own rules and then upgrades itself overnight. At an enterprise company, that could be a team of 20 or 30 people. These are very skilled people, and that frees them up to go work on what I would argue are much higher-value security problems, like the SOC, which is, I think, another interesting point. What impact are these AI tools having on the SOC operator? It’s allowing entry-level SOC operators to perform like an experienced analyst, so these changes are dramatic, and I think every customer is going to be looking to channel partners for consultation on, not just the tools, but how do I use these tools? What do I do if I don’t need firewall administrators anymore? Is this real or not? How do I operationalize all this stuff?
How critical is a distributed approach to security as data sovereignty becomes increasingly important?
Horn: It’s actually another reason that this Federation concept of being able to leave data where it originated takes on even more importance. I know I certainly have this conversation quite a bit where people are interested in cutting the cord. If something happens between these countries, how can I continue to function and have my solutions and capabilities running, but in a ‘cut-the-cord’ fashion where it can reside in a local or regional data center? I think that is a trend. That conversation is far more frequent now than it was six, nine, 12 months ago. And I think it’s an important element of [giving] your data flexibility to customers in terms of where do they store it? What do they store? How long do they keep it? But at the end of the day, they need to be able to get the insight and value from that data, which is where Federation and some of the Splunk technologies come into play.
That whole data strategy is, again, an area where I think the partners have a strong opportunity to play a role in helping organizations assess their data and data strategy and do they have the right technology components in place to achieve the big things they’re trying to do?
Where should partners start in helping their customers manage the distributed security landscape?
Gillis: One good place to start is we have just introduced a product called AI Defense that’s using actual AI and LLMs to analyze the behavior of a customer’s application. The first capability that it delivers is discovery—just show them who’s talking to who, what is happening and who’s downloading what models. And then the second thing, which is pretty meaningful, is the speed at which models are being introduced is very, very rapid. So, we have the ability to automatically do what’s called ‘model red teaming,’ which you can think of as a kind of vulnerability assessment of the model. A brand-new model shows up. No one’s ever heard of it. You push a button, and this thing uses its own algorithm to try to trick the model and find the places where it’s going to give up and reveal the secrets that it’s not supposed to and then you characterize it. That has been extremely well received. We can’t shift that fast enough, like, literally every single customer is interested in that, and then we funnel that telemetry up into Splunk. And Splunk has a holistic view of that activity, the AI application and the context around it.
Horn: One of the things I’m excited about is this was the first Cisco security application product that got built with native Splunk capabilities on day one. So, when we talk about, ‘Hey, how are we helping our customers that are joint customers at both Cisco and Splunk?’ This is a great example where we’re taking security alerts that are generated by AI Defense and making those actionable and providing rich investigation capabilities in our Splunk and enterprise security products and taking more telemetry data so people can do visualizations of different things as far as what’s happening in their LLMs and different conversations, etc. It’s exciting to start to see—customers are always [wondering], ‘What’s the better together going to be?’ And this is a great example of where we’re delivering on that.
What do you want partners to take away from your RSA keynote?
Gillis: What we’re talking about is a radical new architecture for not just the SIM [security information management], but the devices that collect the data and then do the enforcement. This distributed model means we’re infusing what used to be a firewall—we should kind of melt it into the fabric of the network—and then instead of trying to shove all that telemetry in one monster data lake, it lives in those little data ponds. That’s a pretty cool angle because one of the biggest challenges with any SIM is that if you try to adjust all that data, that is not free [and] it gets very, very costly. And so this is just a more intelligent and more elegant architecture. The efficiency of this architecture, I think, will make advanced security analytics like Splunk more accessible to a larger segment of the market. And the managed service aspect of it, this is a great opportunity for resellers because this is a high-margin, high-value business, and with these AI-based tools, if you’re, let’s say, a Cisco reseller and you’ve been selling boxes, the barrier to enter that business is coming down; it’s getting easier to deliver these managed security services than it ever was before.
Horn: I think the thing that I’d love for [partners] to walk away with is to reinforce what [Gillis] said. There’s a lot that was well-defined, like, ‘Here’s how you’re going to think about firewalls and how you’re going to think about zero trust.’ Things are all getting thrown up in the air again, and it’s a rich environment for a partner to learn these different technologies, to understand how the landscape is shifting, and then help guide their customers to the right products to help them solve things that are going to future-proof them in this new world.