Sr. Production Support Analyst at Electric Reliability Council of Texas
Quickly searches logs, performance data, and other inputs to assist with troubleshooting
Pros and Cons
- "The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting."
What is our primary use case?
Operational intelligence monitoring for several different systems. We collect logs from applications and performance data from hardware, as well as information pulled from databases.
How has it helped my organization?
The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting. The visualizations are easy and well received by business and management users.
What is most valuable?
For how long have I used the solution?
Three to five years.
Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,875 professionals have used our research since 2012.
How are customer service and support?
The user community is extremely beneficial, particularly with Splunk Answers and the Slack User Groups.
What's my experience with pricing, setup cost, and licensing?
The licensing model can be expensive, but the value it provides is significant.
What other advice do I have?
The recent acquisition of Phantom makes the future seem bright with more automated responses.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director of IT at BLUE LAKE RANCHERIA
Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed
Pros and Cons
- "Splunk has significantly reduced the time in performing the task of aggregating logs, reviewing as well as time spent during investigations."
- "Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed."
- "The case management area of the ES could be improved: the ability to move cases through various stages and states. The ability to close a case would be a key improvement."
What is our primary use case?
We primarily use Splunk for log aggregation and search across multiple systems, with Splunk Enterprise Security layered on top.
How has it helped my organization?
Splunk has significantly reduced the time spent aggregating and reviewing logs, as well as the time spent during investigations. This has not only increased our speed of response, but also our efficiency in dealing with the issue(s) raised.
What is most valuable?
Aggregation searches, allowing for conditions to be automatically found in the data, have reduced the time and difficulty of identifying trends and conditions which need to be reviewed.
What needs improvement?
The case management area of the ES could be improved: the ability to move cases through various stages and states. The ability to close a case would be a key improvement.
For how long have I used the solution?
One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Architect at an energy/utilities company with 1,001-5,000 employees
Some of the valuable features are machine learning, Common Information Model, and log storage.
Pros and Cons
- "Ease of correlation: creating correlation searches is easy, and you can combine multiple sources with little effort."
- "The GUI can be improved to include some of the capabilities that other BI solutions have."
How has it helped my organization?
- We can do things in minutes instead of days.
- We solve issues which we could not before, since we have the data.
- We can quickly search for almost anything across many log sources in seconds.
- Teams have the dashboards or alerts that they need.
What is most valuable?
There are too many features to list, but here are a few:
- Schema on the fly
- Ease of on-boarding data
- Machine learning
- Apps on Splunkbase.
- Great list of apps to use and also build upon once you learn more about how Splunk works.
- We build many of our own apps by leveraging the logic in the others.
- Ease of correlation: creating correlation searches is easy, and you can combine multiple sources with little effort.
- Data Models Acceleration for super fast searches across tens of millions of events
- Common Information Model
- Security Essentials App
- Enterprise Security
- Splunk SPL (Search Processing Language) is easy to learn and has IDE-like capabilities.
- Log storage or compression is great and retention is not an issue
- Dashboards are simple to create, and the input options like Time Range, Text, and Drop-downs are simple to create.
- Integration with cloud solutions is great and keeps getting better.
- Can get info from REST APIs easily, and there are apps for services like ServiceNow, Azure, Office365, etc.
What needs improvement?
The GUI can be improved to include some of the capabilities that other BI solutions have. Basically, the layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this could become a non-issue.
What do I think about the stability of the solution?
There were no issues with stability.
What do I think about the scalability of the solution?
There were no issues with scalability.
How are customer service and technical support?
Technical support is excellent. They also have Splunk Answers, which is community driven and is great.
Which solution did I use previously and why did I switch?
We were not able to get the value we needed from the previous solution. It was too difficult or complex. With Splunk, we can do things we want and things we have not even dreamed of yet.
How was the initial setup?
The initial setup was straightforward. We had the POC up in minutes. Within days, we got more value out of this solution than our existing solution.
What's my experience with pricing, setup cost, and licensing?
While licensing can be a concern, there are ways to reduce the licensing costs including filtering some events. We have replaced many solutions with Splunk, which have more than paid for the Splunk licensing.
Which other solutions did I evaluate?
We evaluated ArcSight, QRadar, and LogRhythm.
What other advice do I have?
Do a PoC and you will be amazed. Also, check out the Splunk .conf sessions to see what is possible. If you are into security, watch Mark Russinovich's RSA 2017 presentation about Sysmon. Check out free EDR-type capabilities.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Junior SAP Security Engineer at Sagesse Tech
Helps reduce our alert volume, speed up security investigations, and normalize data
Pros and Cons
- "The graph visualization is the most valuable feature."
- "The UI can be difficult to understand for non-technical people."
What is our primary use case?
We use Splunk Enterprise Security for our enterprise security.
How has it helped my organization?
Adding more use cases to Splunk can improve our threat detection speed.
It has helped normalize our data.
Splunk Enterprise Security has helped reduce our alert volume and speed up our security investigations.
What is most valuable?
The graph visualization is the most valuable feature.
What needs improvement?
Splunk Enterprise Security needs to improve its stability.
The UI can be difficult to understand for non-technical people.
For how long have I used the solution?
I have been using Splunk Enterprise Security for four months.
What do I think about the stability of the solution?
I would rate the stability of Splunk Enterprise Security a four out of ten. Some bugs cause downtime.
What do I think about the scalability of the solution?
I would rate the scalability a six out of ten.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Splunk Enterprise Security's robust framework enables it to support a wider range of use cases, making it more adaptable and versatile for tackling diverse security challenges.
We have Splunk Enterprise Security deployed across multiple locations.
Splunk Enterprise Security's visualizations are detailed and help users normalize data, making it extremely useful.
The vast array of use cases enabled by Splunk Enterprise Security empowers security teams to address diverse threats and enhance overall security posture.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Architect at a computer software company with 51-200 employees
Cloud-ready, with forums and README tutorials that cover everything you need to know
Pros and Cons
- "Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize."
- "I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part."
What is our primary use case?
Splunk just acts as an extra presentation layer, and we tried it because of the plugins they have to try and get more logs into the environment.
What is most valuable?
Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize.
What needs improvement?
Aside from the 5GB limit on the community version, I believe it is the same as ELK. It's a useful tool, and nothing comes to mind right now.
I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part.
What do I think about the stability of the solution?
Splunk is a stable solution. I am very happy with the stability of Splunk.
What do I think about the scalability of the solution?
Splunk can be scaled to any environment. The way it's designed, it's cloud-ready, and it has a lot of performance, in-built indexing, and performance tuning options. Splunk is easily scalable.
How are customer service and support?
I am happy to report that I've never needed to contact technical support. The README tutorials and the existing forums provide me with practically everything I need. So far, I haven't had to do so. This should be a testament to the solution.
Which solution did I use previously and why did I switch?
We broaden the scope of IT governance and IT security.
We look at everything from SIEM to network management to endpoint protection, server protection, database protection, and anything else that can aid in visibility, policy enforcement, and monitoring.
Our organization is using a combination of Splunk and Elasticsearch. We get most of what we need from the ELK suite. ELK Stack is usually the primary focus.
ELK has the same inbuilt reports and dashboards that you can customize, but ELK is better for central logging and log aggregation. Once they've all been aggregated, you'll be able to run any kind of queries and APIs to query the logs on ELK and then use Splunk as a presentation layer for the consumers to use.
Security tools, in my opinion, are business tools and should be used by businesses rather than security engineers. I'm experimenting with a hybrid of the two, in which ELK serves as the engine for central logging and Splunk handles the presentation layer and aggregation of additional third-party logs from tools that might be difficult to integrate into ELK.
I would rate Elasticsearch a ten out of ten.
How was the initial setup?
It's a cloud-ready package. It has the same characteristics as ELK. From a deployment standpoint, I don't have any issues with it. The material is freely accessible to anyone who wishes to use it. There is a virtual machine option. You can get a virtual machine by downloading it. The deployment options are simply numerous, and it is up to the implementer.
It wasn't that difficult for me. There are no complaints from me. The material is present, and there are numerous options for deployment. It's relatively simple to go from zero to viewing data with Splunk. ELK is the same way. It is now up to the implementers and their environment to provide you with more data about it.
What's my experience with pricing, setup cost, and licensing?
They could improve their discounts. I think it's a good solution, and it's gaining a lot of traction; maybe they are recouping their R&D costs. Further reductions would be fantastic, and I believe that more and more people would flock to it.
Which other solutions did I evaluate?
We provide IT consulting services. Our customers occasionally ask us to assist them in locating specific solutions.
What other advice do I have?
I would recommend this solution to others who are interested in using this solution.
I would say the forums and READMEs provide more than enough information about Splunk. Most people struggle because they move too quickly through the implementation process. As long as you follow the guidelines, particularly the specifications for environment requirements and implementation methodology, these solutions should work out of the box.
Splunk is a very good solution, I would rate it a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Regional Head at a tech services company with 51-200 employees
Good technical support, scalable, and very stable
Pros and Cons
- "It's basically one of the best SIEM products on the market."
- "You do need a lot of training and certification with this product."
What is our primary use case?
The solution is primarily a SIEM tool and it basically helps companies with security.
What is most valuable?
It's basically one of the best SIEM products on the market.
The scalability is great.
We have found the solution to be stable.
Technical support is helpful. They respond in a timely manner.
What needs improvement?
I'd like to see more documentation on the product.
The initial setup is not straightforward.
You do need a lot of training and certification with this product. Other than that, it's pretty good.
For how long have I used the solution?
I've been dealing with the solution for about three years. It's been a while.
What do I think about the stability of the solution?
The stability of the product is very good. The performance is reliable. There are no bugs or glitches. It doesn't crash or freeze. We've had no issues.
What do I think about the scalability of the solution?
The scalability of the solution is great. If a company needs to expand it, it can do so. It's not a problem.
We have about nine customers that are using Splunk.
How are customer service and support?
I've dealt with technical support and it's pretty good. They are helpful. I find them responsive.
How was the initial setup?
The initial setup is not straightforward. It depends upon the IT infrastructure that the customer has. If they have a lot of security solutions, such as DLP and other security solutions, then it is more complicated. The more you have the more complicated it gets.
The deployment of Splunk takes about three weeks.
We have six or seven team members within our organization that can handle deployment and maintenance tasks.
What about the implementation team?
I handled the implementation myself. It was done in-house.
What's my experience with pricing, setup cost, and licensing?
Splunk requires a paid license. There's no free option. Customers have to pay for the license, implementation, support - everything.
What other advice do I have?
The solution can be deployed both on-premises and on the cloud.
I'd rate the solution at a nine out of ten. We've been very happy with the product.
I would recommend the solution. It really is the best.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Data Center Architect at an outsourcing company with 201-500 employees
Rock-solid with flexible search capability, but gets expensive because of its cost model
Pros and Cons
- "The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard."
- "It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost."
What is our primary use case?
We typically use it for centralized log management and SIEM functionality.
I am using the most recent version of it.
How has it helped my organization?
As per government requirements, a lot of government sites have to have the active monitoring of logs. So, we use their security appliance add-on that essentially combs through the log. It pre-filters and brings out the critical events so that you can focus on those instead of having to create your own searches and whatnot. It helps simplify the process of monitoring security events in the logs for people.
What is most valuable?
The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.
What needs improvement?
It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.
To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.
For how long have I used the solution?
I have been using Splunk for about seven years.
What do I think about the stability of the solution?
It has been very stable. It is pretty rock solid.
What do I think about the scalability of the solution?
It is as scalable as you can afford. We have a pretty small user base of 75 users, and it is mostly data center administration staff, application administrators, and security people. It is more of an in-house solution than a customer-facing solution.
Our usage is moderate. We're okay right now. We primarily use it as a SIEM and log aggregator. We could use it for other things, but the cost is what is preventing us from that at this point.
How are customer service and support?
We've had a few calls, and they're very responsive.
Which solution did I use previously and why did I switch?
We were using a syslog backend with Rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.
How was the initial setup?
It was pretty straightforward as compared to most applications. It had the ability to auto-deploy agents to end devices. Splunk infrastructure itself wasn't difficult to deploy or set up. They package that process, and it is pretty well-rounded. They even offer a jumpstart install service to help get it off the ground when you buy in, and those components work really well together.
It was all done within a day. Some of the endpoints took a little bit longer, but the basic install was done in the day.
What about the implementation team?
We used packaged professional services from a partner of Splunk. Our experience with them was very good.
In terms of maintenance, it is pretty simple. There are fewer patches than there would be for supporting a Windows device. There is not much labor to maintain it.
What's my experience with pricing, setup cost, and licensing?
It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back.
They're kind of pushing everybody away from perpetual licensing into subscription-based models, which a lot of companies are doing too, but in most environments that I've been in, they prefer to go the perpetual license and then just pay maintenance on top of it. That's because it's easier for them to forecast the big expense up front.
What other advice do I have?
I would advise definitely taking advantage of their professional services and making sure that the administrators and whoever is going to be using the tool go through the training. The cost for the training, which depends on if you're commercial or government, is not that much, and there is a definite value there because if you're trying to learn it on your own with a book, it is going to take forever.
I would rate Splunk a seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at Splunxter, Inc.
Our clients are easily able to modify and evolve their implementations
Pros and Cons
- "With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow, then you have your own SIEM."
- "Our clients are easily able to modify and evolve their implementations."
- "It needs a better way to export dynamic views without requiring a ton of code and user/pw."
- "It needs integration with a configuration management solution."
What is our primary use case?
Security. We have built SIEM solutions three times from the ground up (not ES) using Splunk for some of the largest companies in the world.
How has it helped my organization?
Our clients went from unhappy using inflexible, poorly-supported products (in some cases barely functional) to confident and excited when using Splunk. Not only are they able to do their security jobs and investigations, but they are also easily able to modify and evolve their implementations themselves to keep up with the shifting sands that are the SecOps landscape.
What is most valuable?
- Core Splunk
- Saved searches
- Dashboards (SimpleXML)
With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow, then you have your own SIEM.
What needs improvement?
- It needs integration with a configuration management solution.
- It could use better password management for forwarders.
- It needs a better way to export dynamic views without requiring a ton of code and user/pw.
For how long have I used the solution?
Almost 10 years.
What do I think about the stability of the solution?
Unfortunately, lately every release has a new memory leak. Be SURE to upgrade late and READ THE RELEASE NOTES, especially the "Known Issues" section.
What do I think about the scalability of the solution?
We only ever have issues when deployed on VMs and the VM admins do not do what we tell them to do which is EXCLUSIVELY RESERVE OUR RESOURCES.
How are customer service and technical support?
It used to be great (but perhaps that was because my employer at the time was a key prospect in a vertical where Splunk had no customers), but Splunk support is definitely a victim of Splunk's explosive growth. The first-tier support is as bad as it is most places and getting worse all the time. If you KNOW your problem is not run of the mill, ask for escalation immediately. Also, the clock on the case does not start until somebody adds a note to the case, so always call in and ask if they got your diag file (always attach a diag), and the person who answers will have to add a note to the case, which will start the clock.
Which solution did I use previously and why did I switch?
I have dabbled with LogRhythm and ArcSight and they are both OK, but Time-To-Value is WAY shorter with Splunk, IMHO.
How was the initial setup?
Use bare-metal servers on Linux and you will be fine. Use Windows and you will have much trouble. Use VMs and your admins will cheat you and you will have much trouble. Do not use NAS!
What about the implementation team?
In-house. We at Splunxter are Splunk experts. We can do anything with Splunk. We always hit home runs.
What was our ROI?
We usually get multi X-factor within a quarter.
What's my experience with pricing, setup cost, and licensing?
Get free PS if you can (ask) or USE THE DOCS. The documentation will get you to success. If you are not getting more value out of Splunk than the license you are paying, then you are doing something wrong and should spend a tiny bit more to get a consultant like Splunxter.com to help you.
Which other solutions did I evaluate?
No, we went with the free trial and got so much value so quickly that we bought in.
What other advice do I have?
You can also get GREAT help at answers.splunk.com.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Splunk-focused consulting company, but not a Splunk Partner. I am also a member of the "Splunk Trust", Splunk's "MVP" program.
I agree with you, Mr. Kent; this machine has more valuable features.