Splunk Enterprise Security Reviews

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Splunk Enterprise is stable. 

Splunk Enterprise is highly scalable. 

We haven't had to contact Splunk support because we can find all the answers we need online. 

We also use IBM QRadar.

Deploying Splunk is straightforward. We had no issues. 

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, windows active directory, and those types of use cases.

Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.

The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.

We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.

Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.

By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.

I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective. 

Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.

That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.

I have been using Splunk for probably 10 years.

At least in our environment, it is super stable. When you think about how much time you spend working with other applications, just Windows Server requires more feeding than Splunk does, you see that Splunk is a very low maintenance care and feeding product.

We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.

I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.

We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.

I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.

Their technical support sucks.

My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.

I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.

Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.

Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads and four indexers and universal and a heavy forwarding cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.

We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.

We used an integrator.

The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.

When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OS's need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OS's under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.

The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment in total cost of ownership on Splunk is from somebody who doesn't fit into that neat silo. Do we calculate that stuff? So our return on investment is by being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.

I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.

We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.

We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.

My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.

On a scale of one to ten, I would rate Splunk a really good nine.

I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.

When configuring our use cases and describing the overall purpose of Splunk Enterprise Security, I would focus on the main use cases that I encountered with this tool.

The ease of use and building queries, specifically SQL queries, is notably beneficial as it is easy to build, and the data model itself is very simple. The advanced correlation capabilities are very useful for identifying patterns or malicious activity of users.

I have worked with Splunk Enterprise Security for two years.

I have contacted the Splunk Enterprise Security support team once, but mainly the other team responsible for onboarding contacted them.

I am preparing my master's degree and conducting this review for completing it at KFUPM University, King Fahd University of Petroleum and Minerals, located in Saudi Arabia, to prepare for my defense. I have experience with blue team tools, specifically Splunk Enterprise Security and some other solutions.

The company name is Cyberani Solutions, and my email is first name dot last name at cyberanisolutions.com. PeerSpot will create an account and email the login credentials, and my feedback will be published and possibly shared with third parties if I choose to not remain anonymous.

I would rate Splunk Enterprise Security an eight.

I implement Splunk products in customer environments. I am not an end user. I implement the product on customers' cloud stack.

I have full experience in the implementation part. I know the end-to-end configurations in Splunk. I know how to configure it, index the data, and then how to use it to get some alerts.

Splunk Enterprise Security has improved our incident response time quite a bit. What we usually do in the customer environment is to configure it with their ticket management tools. It creates alerts and pushes the alerts to the ticket management tool so that their analysts are able to view the tickets and then do an instant investigation. It provides a good solution for instant response.

Splunk Enterprise Security has complete information about the entities and the users in the organization. In the case of any alert, we do not have to manually verify the computer name and its owner name. In the alert itself, Splunk Enterprise Security populates the necessary data that we need. It is a great feature of Splunk Enterprise Security.

We have created dashboards related to critical alerts. For example, we have a dashboard for the inbound and outbound traffic flow of firewalls. We use a few other products or IT systems to monitor the CPU and memory utilization. We are also able to integrate web applications, Kubernetes, Linux systems, Windows systems, etc. We integrate whatever data sources are available.

We monitor most of the cloud environments with Splunk Enterprise Security. We have different cloud providers such as AWS, Azure, and GCP. We have separate add-ons and apps for them. It is quite easy to integrate those. Third-party developers are also able to develop their apps and publish them at Splunkbase. We can utilize them for visualization of the data that we are interested in from different sources.

We configure most of the frameworks available inside Splunk Enterprise Security such as threat intelligence, identity management, and risk management. Whenever alerts are triggered, these frameworks do the correlation and give us visualization over the dashboards, which improves the incident response time.

There is something that we can configure to reduce false positives. If any alert is triggered, it checks against various threat IOCs, such as IPs, URLs, domains, emails, file hashes, etc. If it matches any of the threats, we can take it forward.

Splunk Enterprise Security has helped speed up our security investigations.

They can also improve their capability of ingesting data from different IoT sources. It supports IoT data, but they can add some additional apps or add-ons to easily integrate the IoT devices.

I have been using Splunk Enterprise Security for the past two years.

It is a stable product as compared to other premium solutions. I do work with other premium solutions. Splunk Enterprise security is a more stable product.

It scales very easily. We can have as much data as we want. We have customers who are ingesting more than 400 TB of data per day, so it does not matter how much data you have.

We have customers that have the Splunk application deployed in a multi-cluster environment.

Their support is good, but they can have a customization team to help us with any customizations. I would rate them an eight out of ten.

Positive

This is my first tool.

We have deployed it on-prem and on the cloud. Its deployment is straightforward. Any Splunk engineer can do it.

It requires maintenance in terms of upgrades. Apart from that, it does not need any maintenance. There is a one-hour or two-hour maintenance window to upgrade the apps.

I would recommend Splunk Enterprise Security. Its frameworks make it stand out among other tools. 

It is a great solution with multiple in-built frameworks. With other solutions, there can be limitations in configuring different frameworks within the same solution.

Overall, I would rate Splunk Enterprise Security a seven out of ten.

We are using Splunk Enterprise Security for collecting and analyzing logs. We are keeping up with the SLAs with Splunk Enterprise Security.

Splunk Enterprise Security has helped reduce our alert volume. There is about 30% reduction.

Splunk Enterprise Security improves our organization’s ability to ingest and normalize data, but it requires lots of effort from our side. Splunk Enterprise Security can do that, but we also need to put effort into it. It is good enough to achieve that.

Splunk Enterprise Security has helped reduce our mean time to resolve. We have seen a reduction because doing this manually through queries is crazy. It helps to find out the root cause and things like that. It is helpful. 

We have an on-prem environment. Our information security team is using the data security features. Its security features are satisfactory.

It is pretty good. We can extract the metrics we want on the dashboards. We are able to react to the incidents. We are also able to monitor the service. In addition to the incident response, we can also do investigations, fraud detection, and other things like that.

We have this issue of data versus pricing. Its pricing can be better. There should also be a more flexible licensing model.

There is a learning curve in order to start using machine learning. We have been trying to do it for three years, and we have not managed anything. It is too complex.

Its ability to identify and solve problems in real-time could be better. We would like to have pattern recognition. There should be some kind of pre-made model to help detect something. For example, at the time of the incident investigation, there should be an option to ask questions, such as if anything changed. It is pretty hard to find out the patterns that are occurring currently because you have to have deep knowledge about your log content. There should be an option to ask a question like, "What has changed as compared to a week ago?" We should be able to specify a time frame and compare.

We have been using Splunk altogether for probably five years.

It has not failed over the last year. There were no failures, so it is pretty good.

Its scalability is quite good if you are willing to invest in the new design and do the manual work. You have to deploy new servers and things like that. In terms of architecture, it is scalable.

Based on the few problems that we have had, I would rate them a seven out of ten. For an issue, we did not get the answer we needed within the timeframe we were expecting. They took more time, and some IT guys were disappointed. The experience varies from case to case.

Neutral

We were not using any similar solution previously. We were only collecting logs through open-source means. We went for Splunk Enterprise Security because we needed visibility into the logs. It was the primary requirement.

We are also using Elasticsearch. We have two parallel systems.

Splunk Enterprise Security is better in terms of query language and the capability to do great searches, whereas Elasticsearch has a little bit less functionality. It is more complicated for end-users to use. However, Elasticsearch is better in terms of pricing because they do not charge based on the daily ingestion amount. You can put whatever amount into the system. Elasticsearch also has lots of additional logging capabilities. It has file beats and metrics beats capabilities, so you can use it more widely. You can also get end-to-end visibility because you can make integrity checks with it. It helps with IT operations as well. They can include these capabilities in Splunk Enterprise Security.

Its deployment was not very complicated. It was easy.

The hard part comes after you have deployed it. You have to educate people to start using it and understand the relevant information in your logs. The configuration itself is pretty simple, but field extractions and tagging are complex.

We are just using it and doing our queries and dashboards. We have not been calculating the ROI. It has been quite easy. We invest and create our dashboards and reports. Sometimes, when a dashboard becomes too complex or too expensive, we start to think about alternatives. Other than that, we have not thought of ROI.

The pricing can be better. We are already considering Elastic because Splunk is too expensive. 

You have to pay based on per-day ingestion. There should be a more flexible model for the use cases where one day you have a huge amount, and on other days, it is quite less.

Splunk Enterprise Security provides end-to-end visibility into an environment, but it is not our use case currently.

Splunk Enterprise Security does not really provide the relevant context to help guide our investigations because, in our country, Splunk is not represented, so it is pretty hard to get the relevant information.

Overall, I would rate Splunk Enterprise Security a seven out of ten. Its pricing is not good, and the learning curve for machine learning is not good. However, the parts that are working are working very well.

I use the solution for data analysis and log collection. 

Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.

Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot.

I have been working with the product for four years. 

Splunk Enterprise Security's stability is very good. The system consistently performs well, and we don't encounter many issues. Ticketing problems are minimal, which is significant because it handles a lot of logs and data persistently without causing frustration.

The tool's customer support is good. 

Positive

We chose Splunk Enterprise Security because it was simple and had better data analysis capabilities. 

A reseller helped us with the deployment. 

The tool's licensing is good and we haven't received any complaints from the team handling it. 

I haven't used it for multi-cloud environments. As for on-premise, it's meeting my current needs quite well. When it comes to identifying and solving problems in real time, sometimes it's challenging to understand the situation, and generating reports can be difficult. But overall, it's good for monitoring activities like endpoint and authentication incidents and normalizing.

The solution has helped us reduce alerts by five to ten percent. It processes data and allows us to look back at incidents to see what happened and where they occurred.

I rate the overall product a nine out of ten. 

We employed Splunk Enterprise Security for one of our projects. Integrating it into our environment involved opening network ports and making necessary connections.

We had the opportunity to assess visibility in various environments, including on-premises. On-premises visibility has proven to be both satisfactory and advantageous.

We use the threat intelligence management feature. 

We have been considering implementing certain frameworks, such as MITRE ATT&CK or threat topology features.

It contributes value by enhancing resilience, crucial for adopting a Security Information and Event Management solution. Site resilience is imperative for our organization, meeting a key security requirement.

I have been working with it for three years.

It provides good scalability capabilities.

The technical support is among the best in the market. While we didn't have extensive interactions with the support team, we are satisfied with it. It offers support services locally in my country. I would rate it ten out of ten.

Positive

The initial setup was straightforward.

The integration and initial setup of Splunk were managed with the assistance of local support.

Overall, I would rate it eight out of ten.

The features are fine; they aren't exceptional in any way.

We are using Microsoft 365 and we're using the Exchange Mail Service. It's good for monitoring that in particular. 

The visibility we get has been good. 

Inside threat detection capabilities are good. 

It's helped us to reduce our alert volume a little. I haven't properly calculated it fully so it's hard to lay out a percentage. 

We'd like to have customer service in Hong Kong. I tend to wait a while for their response. We'd like to have more best-practice rules and instructions on how to create a dashboard.

I've only been using Splunk for two years. I make use of it to incorporate other solutions. I need to spend more time mastering Splunk. Sometimes it's a little bit difficult to use. I'd like to get more certificates, et cetera, and have spoken to their main office about that. It's got a high learning curve.

It hasn't helped us speed up security investigations. 

I've been using the solution for about two years. 

I've never had any issues with Splunk's stability.

The solution does not lack scalability. 

I haven't had any communication with Splunk's technical team.

I did not previously use a different solution. 

The setup time is quite long. To this point, I haven't deployed it to all servers and devices. I'm still in the process of deploying. 

I have not evaluated other options. 

We are Splunk customers. 

We do not use it in multiple environments. We just use it on-premises. 

I'm not yet using the threat intelligence features. 

We do not use the mission control feature. 

I have not created any customized dashboards as of now. At some point, I will create one for, for example, Windows Security.

I'm still in the process of mastering threat detection and XDR. 

I'd rate the solution eight out of ten. I haven't used it for such a long time, so it's hard to give comprehensive details about the solution.