Splunk Enterprise Security Reviews

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Splunk Enterprise is stable. 

Splunk Enterprise is highly scalable. 

We haven't had to contact Splunk support because we can find all the answers we need online. 

We also use IBM QRadar.

Deploying Splunk is straightforward. We had no issues. 

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.

It's the mainstay of our monitoring solutions that we have for auto-logging, et cetera, for our enterprise solution.

The most valuable aspect of the solution is the ability to capture the different data streams. We also appreciate the reporting in that aspect of Splunk. If we can grow now, with any security arena, it's going to be proactive, not reactive. It allows us to digest the information, the data, the different data streams, so we can make decisions based upon information that we receive, and it is pretty robust.

The configuration could be better.

We would like to see improved pricing, however, I'm kind of out of that arena. I make suggestions based upon the flexibility with which we serve our customer base, which is millions of our veterans. I would say that if someone was not familiar with it, one of the things that I've heard is that it's kind of hard for them to understand the whole thing. Splunk is just one piece to the puzzle. It's not the whole puzzle. It's kind of not the solution's fault, in that sense. That said, if it could be more accessible to people with different skillsets, that would be ideal.

We'd like to see reporting where there's a way that we can get a higher description without being too technical, for example, where it's kind of more of an executive-level of technical.

I've personally been using the solution for over ten years. At this point, it's been more than a decade. I've used it for a while now. 

We're partners and end-users. We don't have a business relationship with Splunk.

We use the latest version. I'm not hands-on. I'm called the architect, however, we do use the latest version as that's a part of our configuration management framework, that all of our applications - especially in security - are up-to-date with the latest and greatest updates, bells, and whistles. We use both public and private clouds.

In terms of creating the solution, for what we do from an enterprise standpoint, everything from monitoring to data capture to reporting, we would rate it at a nine out of ten.

We use the solution in our SOC to support SOAR. We use its alerting capabilities and integrate them with our SOAR platform. Additionally, we tie it in with cyber threat intelligence, cyber threat hunting, and adversary emulation tools to identify gaps in our environment and alert us to notable events.

The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances. 

Splunk Enterprise Security helps address our customers' missions. We want to ensure that our environment is secure and safe and detects anomalies and threat actors as soon as possible. 

The solution helps my organization's ability to ingest and normalize data. It has also improved resilience.  

Enterprise Security is expensive. 

I have been working with the product for three years. 

Splunk Enterprise Security is very stable. 

The tool is very scalable. We can deploy agents seamlessly and get reports. 

We have had good success with customer support. We haven't had any issues contacting them and getting problems resolved. 

Splunk Enterprise Security's deployment is hit or miss. Recently, we got UBA. We were able to spin up an environment easily with Terraform. However, the recent upgrade caused many hiccups and slowdowns. We are working with support to resolve them. Some legacy code is choking the system and slowing us. 

We do market evaluation and continuous research every year to check for alternatives to our security tools. 

It seems like the tool is improving. It incorporates AI into the platform to streamline event identification processes. 

Splunk Enterprise Security does a good job. However, we need many analysts to correlate searches and populate data models, and some overheads are needed in any SOC environment. 

We have a lot of data to process from different sources. However, we have only limited data analysts. It takes time to find malicious threats or what we seek. 

No specific metrics are tracked, but we report this to our leadership weekly, focusing on continuous improvement. Regarding reducing the mean time to resolve, especially with our SOAR integration, we can swiftly address major issues by leveraging alerts to initiate tickets. This allows us to notify the teams and address issues immediately. 

I rate the overall product a ten out of ten. I don't think there is another alternative with similar capabilities. 

We use Splunk Enterprise Security to monitor our environment.

The threat intelligence and monitoring of Splunk are good. 

We have integrated Splunk Enterprise Security with ServiceNow so whenever there is a detection it will automatically raise a ticket and send it to the appropriate team for analysis. The integration was seamless.

Splunk has helped reduce our alert volume by 20 percent and sped up our security investigations.

It does a good job detecting threats fast.

Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis.

I have been using Splunk Enterprise Security for one and a half years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The initial deployment was straightforward.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security ten out of ten.

For reporting we don't use the Splunk dashboard, we use Tableau and Power BI.

I would recommend Splunk to others.

While Splunk Enterprise Security offers robust features for large organizations, its cost might be prohibitive for smaller businesses. To address this, I recommend exploring open-source SIEM solutions for small and medium organizations and Splunk for larger organizations.

The solution is used to detect and protect against threats using a hypervisor infrastructure that works with artificial intelligence. 

There are a lot of third-party applications that can be installed. You get a lot of good visibility on your infrastructure regarding risk. It's very data-driven, and it integrates into systems well. 

We are able to monitor multiple cloud environments with Splunk. Each data source has different stuff that requires monthly payments. 

I have used its threat intelligence management function. It can be a very useful feature for customers. 

The MITRE ATT&CK framework is helpful for helping uncover the scope of incidents. It offers a good level of simplicity.

Splunk Enterprise Security is great for analyzing malicious activities and detecting breaches.

It's costly. 

The data speed between apps could be improved. It could be faster. 

I've been using the solution for 2 years.

The stability is mostly fine. 

I haven't attempted to scale the solution. I'm not 100% sure of how well it scales. 

The technical support is very good. They also offer a lot of basic resources. 

Positive

I'm also familiar with Microsoft Sentinel, and I find Splunk to be better. That said, although I have more experience with Splunk software, I find it a bit slow. Sentinel is much faster. 

The setup is pretty straightforward. It's not overly complicated. I don't have too much experience with the setup, as I'm currently involved as a consultant and only help with support. 

The cost is very high. It's got a fairly high price point in terms of price range. 

I work in cybersecurity consultation. 

I'd recommend the product to others. I'd rate the solution overall 9 out of 10. 

The visibility that it provides is awesome. You can connect it to whatever you want and create whatever visibility you want. 

Its insider threat detection capabilities for helping our organization find unknown threats and anomalous user behavior are great. They have a lot of built-in capabilities for analytics, and they can provide a lot of visualizations and insights into whatever is being brought into it. The threat intelligence that is part of the platform itself is awesome.

In terms of actionable intelligence, it depends on what you bring to the table. The platform itself gives you the capability to make threat intelligence actionable, but if your feed is not good, it is of no use. There is a lot of noise within the SIEM. This is not on Splunk. This is on the SIEM, but Splunk does help to eliminate a bit of the noise and create a more cohesive view of the intelligence you digest.

Splunk is very good for analyzing malicious activities and detecting breaches. Its ability to connect things that are manually hard to connect is awesome. It is a bit lacking when you compare it to Microsoft Sentinel because Microsoft Sentinel already brought the SOAR solution, which in the case of Splunk comes at an additional cost. When I used it, they did have it quite expensive, but as a SIEM, if you compare Splunk to other SIEMs, it provides you with a great ability to detect and understand that you have something that is suspicious and anomalous within your network. Its ability to connect us to that otherwise cannot be connected by humans is very good.

It helps to detect threats faster, but I do not have the metrics. When it comes to reducing the alert volume, it is not Splunk. It is more of the analyst's work on top of Splunk.

Splunk definitely helps speed up our security investigations. It has the ability to connect and bring information with the click of a button. 

I have used Threat Topology and MITRE ATT&CK framework. It was very good for management but not so much for analysts' day-to-day work. It is a cool feature that helps you bring money from management, but it is not something that an analyst will use on a day-to-day basis.

The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate. They also have a lot of out-of-the-box correlation that we can use, which is awesome.

They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match. 

I have been working with it for the past five or six years. 

It is very stable. I did not have any crashes or malfunctions. It does have a bit of a stretching point when you are doing a very large query or you are retrieving a lot of data. For example, when you are retrieving months of logs in order to conduct an investigation. However, that is at the edge of the product. On a day-to-day basis, it is very stable. It does everything that you need to do. We did not have any crashes in either of our implementations. We did not have anything major.

In the on-prem environment, it is scalable, but it requires work because you need to install indexes and forwarders. It requires more work from someone who is specialized in that domain, but in the cloud environment, it is super easy. It is very scalable. You can just grow as you need.

Their support is awesome. I would rate them a ten out of ten. It is not just the technical support. Their documentation is also good. The whole support system is awesome.

Positive

I used it in my last organization. In my current organization, we have adopted Microsoft Sentinel. I am creating a new managed service company, so it is going to provide service to multiple clients. We have multi-tenancy and full cloud environments and monitoring of on-prem solutions. When I implemented Splunk, it was not used for multi-tenancy. Their multi-tenancy was not that great. It was the old solution, but they now have the cloud environment that is more supportive of multi-tenancy, but with their on-prem solution, for multi-tenancy, we could just play with permissions. It was not the best. It was not proper multi-tenancy where you need different databases and different control planes. It was not the ideal solution, but now they have the cloud environment.

The experience that I had a few years ago was for on-prem, but now, I do have an implementation that is cloud-based. We are implementing it cloud-based for one of our customers. It is deployed on AWS.

The initial deployment is very fast. It is very quick. The on-prem can take a few days, and it is up and running. If it is on the cloud, it is already installed. You only need to connect all the source logs. The duration depends on the number of source logs. It differs. I had a project where I connected all my source logs in one week, and I had a project that took about four months, but the number of logs was different. The complexity was different. We had to create our own connectors and our own parsers.

The pricing is very complicated, and it is very pricey. You do require a lot of different licenses in order to get a comprehensive solution that is not just the SIEM solution.

To someone who is evaluating SIEM solutions but wants to go with the cheapest solution, I would recommend QRadar.

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are several reasons for not rating it a nine or a ten because the pricing is very complicated, and it does require someone who is knowledgeable in the platform. You need someone who is specialized in that. Fortunately, I have these people, but when I tried to look for one in the beginning, it was not an easy job to find someone who was very skilled in this platform. Once you have such a person, it is awesome. You can do whatever you want. The sky is the limit. In fact, not even the sky is the limit. It does provide a very comprehensive solution. It does provide tons of flexibility. It is the platform that you should go for when you need something that is not ordinary or not your typical SIEM solution for a typical organization. It is the platform when you need something that will provide more. For example, one of the projects that I worked on was related to a SOC that needed to digest information from multiple organizations that already digest information, and we had to create cohesive use of that. In such a case, this is the platform to work with because it provides the flexibility that no one else provides.

Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.

Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anonymous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.

MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.

Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.

Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients. 

In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.

When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.

Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.

The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier. 

I have been using Splunk Enterprise Security for six years.

I rate the stability of Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security can be easily scaled once it has been installed and deployed.

Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.

Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.

In addition to the licensing fee, there is also a support and maintenance charge.

I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment. 

Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.

Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.