Splunk Enterprise Security Reviews

• SIEM
• Security information 
• Event management

The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication.

What they need to do more than anything else is, they need to take a serious look at purpose-built modules like the SIEM and put a lot more effort into making them more robust. If they did that I think they would have a better chance on the market. The base tool was great, and if the organization that they're looking to sell into requires a good, solid logging solution then they would have a very good sales statement to make because you could get the logging solution you need that could give you the SIEM at the same time.

It's extremely scalable. It's a very robust solution and certainly has the capability of handling far bigger data requirements than a lot of the other tools. Generally what ends up happening with me is that my clients tend, for the most part, to be mid-tier organizations where the cost of that solution would be accompanying requirements for people just becomes way too prohibitive. Especially considering the model that they use for costing, which is based on the volume of data. Of course, they're going to put everything including the Coke machine as the ability to collect data off of it, because of course the more they can put through the tool the more money they make.

• AlienVault
• LogRhthym
• ArcSight
• QRadar

I've used a whole bunch of different solutions. For a SIEM based solution, they are more purpose-built for that function. Where Splunk is purpose-built for a general logging and data capture solution so you'd be able to capture a lot of different information.

Anything that's not out of the box requires codding. Even up until recently when they finally released their SIEM or their security add-on. Before then there was not security stuff at all. I would actually have to go in and code that within the system to able to do the necessary searches to pull that information. Where a lot of the other tools, they already have those preconfigured which means I don't have to go and recreate the wheel. Now, we finally figured that out to a certain degree, and started putting the new tool in a place that gives you some SIEM functionality.

As a logging solution, I would say it's probably an eight or nine. If you're talking about the SIEM I'd say it's probably about a five. For logging, I think they would have to change the costing model. The costing model is way out of line. It's built for very large organizations.

With the use of Splunk, we were able to identify a brute force attack against a "switch" network device. An external attacker attempted to connect multiple times using multiple usernames. Splunk was able to detect these attempts and immediately blocked these attempts.

Splunk has facilitated the correlation of information security logs to look for incidents which could cause damage to the company's infrastructure, as well as financial losses from leaks.

Splunk's ability to receive all types of data and identify it correctly. It obtains a correlation of the logs and identifies incidents.

Splunk can improve regex/asset analysis as we do not want to crawl until it is done. I could not find a timestamp for when the log was processed and generated.

Splunk is our monitoring and investigating Swiss Army knife for key applications and systems. If we run it, we Splunk it.

We are much faster finding and addressing issues with Splunk. We reduce the MTR and get more done.

So many of Splunk's features are invaluable to us:  

• Machine and business data retention
• Solid HA and distribution
• Adaptability to custom data
• Search, Search, Search.

I would like to get visibility into the data pipelines on heavy forwarders and indexers to see exactly their source and the cause of saturation when it occurs. This would help us learn even more about our high use applications.

No stability issues.

No scalability issues.

The support team is very competent.

The initial setup is very straightforward.

We implemented in-house

Our ROI is high.

We evaluated LogRhythm.

I love this product.

What Splunk calls operational intelligence: fast availability of operational data spread across several servers to prevent or react faster to outages or performance decreases.

MES is a complex and very critical distributed system here. Production WIP is directly connected to it and ICT is required to provide a continuous availability and very stable performance (line production has a costant speed, software cannot slowdown). Collect operational data from hardware, middleware and application software can potentially improve ICT proactive and reactive tasks.

I've ever used it, just studied it.

We also use a traditional monitor, and Microsoft SCOM.

Every stop or slowdown of the production line means lost of money, e.g. 30% reduction when compared to the current baseline.

Every stop or slowdown of the production line means lost of money, e.g. 30% of reduction compare to the current baseline.

IBM QRadar

Great Log management capabilities with flexible and comprehensive search capabilities. Scalable and Easy to use.

Operational Workflow, Use Case Framework, and ticketing systems to make it suitable for SOC environments

3 years

Splunk is extremely scalable with the limit being the hardware in use.

If you get the right people engaged, support can be a bliss.

Setup is simple and straight forward.

http://infosecnirvana.com/splunk-enterprise-need-know/

MTTR is drastically reduced, because the developers and other IT support staff have instant access to log events.

People costs are saved by not having to involve the domain developers from multiple teams, when tracing a problem that spans multiple platforms.

Security is improved by not having to give as many people access to log on to the servers.

The ability to rapidly diagnose problems in production and non-production, across hundreds of log files, is the most valuable feature.

Official training, even CBT, is expensive so not many people are able to get certified. This leads/causes the users to make use of the most basic functionality only.

It is a challenge to manage the environment in such a way, that one’s log, even with the bandwidth license, isn’t exceeded. Splunk has moved towards not applying hard caps in data ingestion, and this will help us in the future.

However, I’d like an easier way to flag certain source log files as non-critical and have Splunk automatically disable those event sources when the license capacity exceeds an arbitrary value.

There were no stability issues.

There were no scalability issues.

Customer Service:

I haven't had the need to log any critical issues. Most of my support tickets have been revolved around configuration questions. I'm very happy with the way Splunk's support staff respond - they're pretty helpful. I think I've only had one situation where the response was acceptable, but not stellar.

Technical Support:

The technical support is good. I'm sometimes surprised when the support engineer doesn't immediately know the answer to my questions (as I feel they must be fairly common queries). But, this can probably be excused because of the breath of features Splunk Enterprise has.

We were not using any other solution previously.

I evaluated ELK Stack but at the time, Splunk offered more flexibility, better support and was easier for us to implement.

Initial setup was fairly straightforward, but we used an experienced implementation partner and ensured that our team was intimately involved in the installation/configuration process on a technical level.

We used a combintation of in-house (ie. myself) and an experienced Splunk partner.

The product has a lot of value, and I feel that we’re getting the value that we’re paying for.

Splunk Enterprise becomes extremely expensive after the 20GB/month license, but if you take care of what you log, i.e., by not logging excessive application events, then that license will get you a long way.

We looked at ELK Stack.

Use an experienced Splunk architect to design your infrastructure configuration.

Ensure that your tech leads are intimately involved and understand exactly how the product fits together.

Manage your Splunk configuration in a repository (Git).

Educate the end users as quickly as possible to use the tool effectively.

Change practices and encourage staff to use Splunk instead of old ways of getting the data they need. Prevent, or limit, direct access to the servers or server log files if you can.

We use Splunk for analyzing data.

The solution allows easy gathering and ingestion of the data.

The solution could improve by increasing the performance. We have run into problems when large amounts of data are processed.

I have been using Splunk within the past 12 months.

The solution has been stable.

Our customers are mostly enterprise-sized companies using this solution. 

Splunk has many partners that provide customer support that can be used.

The initial setup is not easy. Customers have to learn the Splunk language and it is hard to operate it by themselves. They will need Splunk engineers to assist in their projects.

You will need a Splunk implementation specialist for the deployment.

My customers have found the price of the solution to be high.

I rate Splunk a five out of ten.