Splunk Enterprise Security Reviews

Imagine a single application with 17 application servers and dozens of log files per server that rotate as often as once per hour. How do you track and analyze anomalies in those log files with the ability to go back and correlate data for the past X weeks? That was use case for just our team, not to mention the hundreds of other application teams.

Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.

Deploying Splunk as scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication?

Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework.

Out-of-the-box functions are nearly flawless, but when you push at the edges, then things start to get a little flexible in their eloquence. There is a robust community of support to help through most issues and the documentation is exceptional.

There were no issues with scalability, but we invested some serious time and resources to design a scalable infrastructure up front.

Customer Service:

Customer service is excellent both during the purchase and ownership lifecycle.

Technical Support:

Technical support is mediocre. Splunk is struggling to deliver a consistently exceptional support experience. Their senior engineers are very talented, but those folks are in short supply and many of the most experienced engineers are making hundreds of dollars an hour as consultants not answering your support issues.

No enterprise solution was in place.

The initial setup was done without any prior experience and was up and running, including ingesting data, within a few hours. Setup at scale and scalability took months of effort.

We hired a contractor with significant experience with Splunk, Elastic.io, AWS, and custom development. They were expensive, but worth every penny.

TBD.

You will eat up whatever you purchase quickly. The level of insights that Splunk empowers is addictive.

We evaluated Graylog, Elastic.io, etc.

I need the product for SIEM, Security Identity Event Management. I also need it for security operations, automated response, as well as mapping adjusting of security components as well. It helps us with how best to look at various events, and orchestrate between various different hyper-scalers.

The solution has made us more secure and has allowed for more definable mapping.

The SIEM is the most valuable feature of the product.

Having a better integration method and then ingesting and mapping the information have been somewhat easier than some of the other tools that I've used previously (other than QRadar and Rapid7).

The initial setup is pretty simple.

The solution is scalable.

Stability has been quite good. 

The pricing is pretty decent.

The documentation is in definite need of improvement. 

There are pieces of it that are somewhat just daunting and there should be better orchestration and automation. 

I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.

I'd like to have it so that Splunk integrates better with Terraform and Python.

I've used the solution for eight years. I've used it for quite a while. 

Splunk is probably the best brand in terms of stability. I'd rate its reliability at a four out of five. There aren't bugs or glitches. It doesn't crash or freeze.

The scalability is great. I'd give it a score of four out of five. If a company needs to expand, it can do so. 

We have 450 people in our organization that use the product. We've also done this for clients that needed access for over 200,000 people.

We use the solution extensively and likely will increase usage.

The support is okay, however, there are a couple of things that they couldn't figure out and they couldn't help me with automation or stuff like that. It could have been better from there, however, it's not that bad. 

I've previously used QRadar and it wasn't ideal.

There were certain times I integrated with other solutions too.

The initial implementation is pretty simple and straightforward. It's not too complex. I'd rate the experience at an eight out of ten.

The initial deployment took us about two weeks or so.

The amount of personnel you need for deployment and maintenance tasks depends on the size of the deployment. Typically, it's just one or two people. That said, it needs to be proportionate to certain sizes. Usually, the staff is from procurement or provisioning.

I handled the implementation myself. I didn't need any outside assistance from any integrators. I'm a consultant myself.  

We've seen quite extensive ROI, however, it's more of a qualitative assessment and I don't have numbers to share. It works well and customers are happy. That's what counts. 

It's a little bit more expensive than some of the other tools. It's not as expensive as QRadar. That said, it's more expensive than LogRhythm or Sentinel.

There aren't really other fees beyond the standard costs of licensing. 

I evaluated other things. I also integrated with other solutions too. I decided to go with Splunk due to the fact that it worked well.

I'm a consultant. I'm also a customer and use it myself. 

We use multiple deployment models, including public and private clouds. 

We typically use the latest version of the solution. 

I'd advise potential new users to get a proper plan. They should have a good partner or someone that can help them and quickly map and orchestrate.

I'd rate the solution at a ten out of ten.

We use it for security incident event management and for IT service intermediates.

We sell it to clients so clients benefit from Splunk in terms of live security monitoring of their parent IP infrastructure base. Their IP security and network application base is where we have a 24/7 monitoring interface.

Splunk has many good apps and has a contribution from all security vendors. That's where Splunk wins.

Splunk's cost is very high. They need to review the pricing. They have to go back and totally readdress the market.

Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud. 

Its costs are too high and it should be more cost effective because it's going to be a cloud offering. 

Stability is perfect. It's a good product. The market right now is moving towards cloud. We will use cloud in our option strategy. One thing that Splunk does not have is a partner consulting base so Splunk depends heavily on its own consulting, which I think should not be there. They should promote more partners for consulting. In fact, their education program is also very costly for all partners. For example, if you want to get your guys certified it's really costly. Because they have a good solution, they're completely inflexible with pricing. I don't see a lot of enablement from Splunk. 

The initial setup is simple, not very complex. Initial deployment takes around 10 to 15 minutes to set up the entire base for Splunk including all three tiers.

The client has to bear that cost plus the initial infrastructure, Splunk does not come in and install it. The client, retailer or the partner has to do it. Secondly, then comes the software installation part of Splunk wherein you go and install the Splunk components. Then you have the configuration part which includes the revenue use cases on the Splunk apps on the Splunk platform which is another big phase. You can build your project the way you want to. It's a life phase. Use cases are not something which cannot be quantified. Initial set up can be done through the Splunk apps and then, later on, you can modify the use cases as per what the client needs.

Pricing is one factor that hurts everybody on the market; the client, the reseller, everybody that touches it. Only Splunk makes money. It is hard to have it for the long term if it's a stretch for your budget. Pricing becomes a problem and people are just focused on numbers rather than creating a vision for the entire product. That is the biggest factor I found with Splunk, that they just want to make money and they don't care about anything else. They lost national, country-level projects because of this attitude.

I will rate it as a security product an eight out of 10. There's no product which is perfect unless you go back and you create a psychic of the solutions.

We use Splunk primarily to provide our security and ops groups with important insights to more efficiently make decisions and take action.

My favorite example of improving of organization is saving a $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports.

Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data. They can make connections that we could not have foreseen. They dig deeper when they are searching.

Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run.

While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.

Security analysis to identify issues and for use in incident handling. Correlating logs across over 1000 servers with different operating systems and applications logs to provide security insights. 

Before we analyzed required manual correlation of individual log files, and this was almost impossible to do. With Splunk, what was once almost impossible, is now unbelievably fast.

Low barrier to start searching with the ability to normalize data on the fly.  

I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.

I would like to see Splunk improve its posture as a production operations tool.  This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have.

I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

It has absolutely improved the efficiency of my security team.

No stability concerns.

We did encounter scalability issues. As we scaled out in search heads, we found that some of our activity could only be found on the search heads that it was originally done on. For example, the history of search runs are stored locally, so I needed to logon to each search head to try and find it.

Most of my interaction is with the user community, which is how Splunk wants it.  When I need help, that community is very hit or miss.

I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.

The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files.

We evaluated our existing tool, LogRhythm.

Growth in data ingested will be much larger that you anticipated. If you need to prove this first, consider using an ELK Stack Logstash type of solution before using Splunk.

Security and incident management, which is helpful when organizing the data from different systems and running analysis on all the data together.

We have a more secure, robust environment, which keeps the harmful software out of the zone required.

The most valuable features are:

• Risk analysis
• Machine Learning Toolkit
• dbConnect
• Cisco products
• eStreamer
• SIEM. 

Visualizations are the best way to understand deviation techniques from the norm.

More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.

We use Splunk for operations, application monitoring, and security. We are both cloud and on-premise based, so it has been very versatile for us. 

It helped us consolidate all our solutions into an easy tool to use for various employees.

• Unstructured data
• Linking things together
• Building out stuff which is actionable.

Once you learn SPL and what data you need to obtain and merge together, it is really useful. 

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it. 

No stability issues.

No scalability issues.

While we did not have a previous solution, we took what little of Splunk that we have been using and have increased it greatly.

We are a nonprofit, so it is hard to quantify. 

Be upfront about your needs and expectations. Splunk is one of the top SIEM solutions to work with. 

No.

Central repository for log collection and analysis in a complex environment. We have used it for a variety of use cases involving SIEM and operational support.

Speeds up root cause analysis and can help identify issues that your organization never realized were occurring. It helps streamline troubleshooting and log analysis.

It has a low barrier to entry, but it is extremely extensible, allowing it to be tailored to highly specific use cases. It makes searching through a wider variety of logs much quicker and enables you to correlate events from one log to another.

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales seems to be flexible and will work on an organization to organization basis to negotiate license terms. 

On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security.

Pricing can be a limiting factor. You have to continuously tune what you are bringing in and make sure what you bring in is of value.