Splunk Enterprise Security Reviews

We are an MSSP, and some of our customers have Splunk Enterprise Security, and we run it for them.

Splunk Enterprise Security is very good for helping us find any security event across multi-cloud environments.

Splunk's unified platform works very nicely to help consolidate networking, security, and IT observability tools.

It helps speed up security investigations. There is a 25% to 30% improvement. There is also a 25% reduction in the mean time to resolve, but we are also using a SOAR tool, which reduces that by 70% to 80%. 

After the acquisition by Cisco, we are focusing on our partnership with them as a Gold Partner and Tier One reseller. Following the acquisition, we also shifted our focus to Splunk. I am a system integrator implementing Splunk for customers in their environments.

Splunk has a vast integration with multiple vendors, which makes it easy for our customers to integrate various cloud environments. 

Splunk provides complete visibility when integrated with all installed appliances and applications.

The threat intelligence management feature is a good add-on for startups, especially given its affordability.

Splunk allows organizations to ingest and normalize data effectively.

Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems. Its customizable dashboards can be tailored to map and reflect specific environmental needs precisely.

The threat topology and MITRE ATT&CK framework features can help discover the full scope of a security incident, provided they are fully integrated into the customer's environment.

Splunk's comprehensive log visibility enables efficient investigation of malicious activities and breaches. By generating a dashboard that collects logs from firewalls, emails, proxy endpoints, and threat intelligence, Splunk can provide access to critical information within seconds, significantly reducing investigation time compared to other vendors or solutions. This streamlined process, facilitated by Splunk's ability to gather and analyze diverse log data, ensures swift identification and resolution of security incidents.

It helps our customers improve their organization's business resilience.

The unified platform helps consolidate networking infrastructure and security. This single-platform approach offers the advantage of combining multiple technologies and features, streamlining operations and enhancing efficiency.

Implementing Splunk with SOAR capabilities, along with machine learning and AI for alert filtering, can significantly reduce alert volume without constantly interrupting administrators. This streamlined approach ensures that only alerts requiring approval are sent to administrators, optimizing their workflow and efficiency.

The analysts using Splunk, even the free edition, are very satisfied with the information it provides for their investigations.

Splunk has helped customers accelerate their security investigations by integrating AI and machine learning into its platform. This integration automates many basic tasks and saves valuable time.

Splunk helps reduce our customer's mean time to resolve. 

We primarily used Splunk Enterprise Security for data and cloud ingestion. We also leveraged it for enterprise security use case engineering, which encompassed malware analysis, threat management, detection, and the integration of threat and vulnerability intelligence, culminating in comprehensive reporting and dashboards. This was the principal use case for our SIEM platform. In recent years, we have also employed Splunk for user behaviour analytics to bolster insider threat protection.

We implemented Splunk Enterprise Security to improve security monitoring, threat detection, and incident response.

Although Splunk is not the only tool we use, it is essential that it provides end-to-end visibility into threats in our environment.

Splunk is effective for helping find security events across multiple cloud, on-premises, or hybrid environments.

Splunk helps improve our organization's ability to ingest and normalize data.

Splunk helps us identify threats in real-time.

We integrated 50 percent of the MITRE ATT&CK framework's techniques to enhance our incident detection capabilities.

Splunk Enterprise Security effectively analyzes various security events and has helped improve my organization's ability to ingest and normalize data.

Splunk helped us detect threats faster. 

Splunk Enterprise Security reduced the investigation time by consolidating datasets for quick access.

Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data.

I have a positive impression of Splunk's ability to predict, identify, and solve problems.

Splunk Enterprise Security helps reduce our mean time to resolve.

We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.

My use case is more related to production issues. Threat detection is taken care of by another team.

It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.

Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.

Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.

Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.

The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.

In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.

 We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.

We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things.  They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use. 

We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand. 

Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.

We provide services to our clients as a security operations center and we utilize Splunk Enterprise Security for enterprise security purposes, encompassing various use cases based on client requirements. These include network attacks, malware-related attacks, inbound traffic-related attacks, recurrent activities, web-related detections, internal detections related to root flows, and service account-related use cases.

We are working to secure the enterprise's networks, devices, and infrastructure, as well as enhance overall security. Our goal is to monitor and protect against all types of external cyber-attacks. We will diligently monitor the systems and address any issues at the earliest stage possible.

Splunk Enterprise Security can be deployed both on-premises and in the cloud. We have primarily deployed the solution on Splunk Cloud.

We utilize Splunk Enterprise Security for monitoring multiple cloud environments. By employing an API, we can deploy various forwarders within Splunk. These forwarders gather logs from diverse cloud sources and other types of sources. Consequently, we have the ability to install an API from the Splunk store, enabling us to seamlessly connect with cloud sources such as CloudWatch, AWS, and other similar platforms. Splunk Enterprise Security offers comprehensive visibility across numerous environments.

Splunk Enterprise Security offers excellent threat detection capabilities to help our organization identify unknown threats. Additionally, we utilize threat feeds that index various anomalies. We have integrated threat intelligence platforms, which provide indicators such as advisories and engagement in case of compromises and attacks. This integration assists us in preventing attacks within our environment. Initially, we can obtain this information through the threat feeds. Consequently, we can restrict and block operating systems either within Splunk itself or through other security tools.

We also utilize threat intelligence. We have access to threat feeds from various sources, such as VPN. The threat intelligence management feature allows us to collect detailed information in the event of a data breach affecting an organization on other websites or within the dark web itself. We receive such information, along with details of any attacks or incidents occurring in different environments worldwide. We can obtain these threat feeds instantly through the cyber news channel mentioned.

The threat topology and MITRE ATT&CK features are integrated, allowing us to obtain the tactics, techniques, and processes necessary to solve any remediation process. By deploying the TTP MITRE ATT&CK framework in any use case, we can acquire a detailed explanation and determine the appropriate course of action to follow. Checking the MITRE enables us to easily resolve and remediate any issues. This helps us address any errors or crashes effectively, by following the simple steps outlined by MITRE. It allows us to easily identify and rectify issues, without the need to involve a senior person if they are unfamiliar with the specific use case. Additionally, it enables us to quickly verify and provide remediation, specifically tailored to the respective team that needs to take action.

Splunk Enterprise Security's ability to analyze malicious activities and detect breaches is advantageous to me. When compared to other tools I have used previously, it involves a straightforward SQL query, allowing me to quickly modify the reports in less than five minutes.

Splunk Enterprise Security has helped us detect threats faster. We can integrate multiple security tools, and we can retrieve logs at any time using simple queries, utilizing various indexes and forwarders. These components handle log parsing and aggregation, enabling us to easily identify all the security rules detected using Splunk. For instance, if we provide a hostname or IP source, we can obtain a list of the security details detected in that specific instance.

Splunk Enterprise Security has helped our organization reduce the threats and breaches from security attacks across various threat factors.

Our clients quickly realize the benefits of Splunk Enterprise Security, which is why they have continued to use it for so many years.

Splunk Enterprise Security has helped us reduce our alert volume. The total reduction in volume depends on the new use cases or devices that are onboarded. Initially, there may be a high alert volume, but we will analyze and work based on those alerts. Through this process, we cannot definitively state the exact percentage reduction, but it does significantly reduce the number of false positives in the environment, thanks to fine-tuning the use cases.

Splunk Enterprise Security has helped accelerate our security investigations. Splunk also offers the Phantom SOAR, although I am not currently utilizing it. However, I am familiar with the Splunk platform, which can automate the process and promptly detect and block various types of actions. We can also easily analyze the Splunk programming language.

Splunk can save our analysts ten minutes of additional time compared to our previous solution when resolving alerts, provided that we have the necessary query knowledge. 

I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of a Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.