Works at an insurance company with 1,001-5,000 employees
Offers flexible data ingestion and searching capabilities
Pros and Cons
- "What I appreciate the most about the product is the flexibility with data ingestion and searching, which is very powerful; you can do whatever you want with it."
What is our primary use case?
My use cases are SIEM basically, which means using Splunk Enterprise Security as our SIEM effectively. We are taking all of our data from on-prem and some of our cloud services and importing them into Splunk Enterprise Security, then creating and generating alerts and reports based on some of our security use cases.
What is most valuable?
What I appreciate the most about the product is the flexibility with data ingestion and searching, which is very powerful; you can do whatever you want with it. We were able to see its benefits pretty much right after we got it implemented.
What needs improvement?
The UI sometimes can be laggy and not responsive. Additionally, some places need to be refreshed from a UI visual standpoint; I think they're starting to get better at that. Splunk Enterprise Security has come along much better since when we started looking at it.
We use the cloud version, the Splunk Enterprise Security Cloud version, so we don't have access to a lot of the back-end functionality. Not having used it on-prem and just going straight to the cloud means there are some nuanced differences in how things are managed. If you look up documentation it says, 'You need to update this file,' and I cannot access that file. The translation between on-prem and cloud for some of the configuration elements needs clarification.
For how long have I used the solution?
I have been using it for a year and a half.
Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.
What do I think about the stability of the solution?
Stability and performance are pretty good for the most part, with only the UI lagging sometimes. Depending on the screen, it can take a while to load.
What do I think about the scalability of the solution?
Regarding scalability, it's hard to really say as we haven't had to build out any more since implementation. However, we've been able to input almost everything into it, and we don't have to do any rescaling as it happens automatically, which is beneficial.
How are customer service and support?
I have contacted their technical support, and they are pretty good for the most part. There have been a few times when things were prolonged, but overall, the support has been good.
Which solution did I use previously and why did I switch?
I have not used any alternative solution.
How was the initial setup?
The initial deployment was pretty easy for our company. It took us three months to fully deploy it, and we are maturing as we've been progressing. We have had many transitioning use cases, but getting the data in was pretty straightforward.
Splunk Enterprise Security doesn't require much maintenance on our end, just patching and occasional app updates. Most of it is just configuration work and not application updates, which is beneficial.
What about the implementation team?
Our whole team manages it right now; it's not a one-person job.
What's my experience with pricing, setup cost, and licensing?
I am somewhat familiar with the pricing. Generally, it seems expensive, though I don't think it's the most expensive option. Sometimes it can be confusing to determine the best way to utilize everything based on our pricing tier.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Security Operations Manager at a retailer with 5,001-10,000 employees
Early incident detection has saved the company from financial losses
Pros and Cons
- "Incident detection is the positive impact I have seen from Splunk Enterprise Security; it probably saved the company from financial losses because of the early detection of the incidents."
What is our primary use case?
For incident detection, this is the main purpose for which I can use the product. That is the only use case for my team. It may be different for my team who is actually processing the incidents and a bit different for me, as I am a manager. For me, the most important aspect is making statistics over a period, seeing who did what, and extracting all the needed information. It is quite easy and intuitive.
What is most valuable?
Incident detection is the positive impact I have seen from Splunk Enterprise Security. It probably saved the company from financial losses because of the early detection of the incidents. I cannot say about ROI because I am not involved in financial matters, so I cannot estimate any kind of cost.
What needs improvement?
There are so many products and features that it may be quite hard sometimes to find something that you are looking for. Search capabilities or maybe some kind of AI assistant helping to find what you want would be beneficial improvements.
For how long have I used the solution?
I have been dealing with the product for about seven years.
What do I think about the stability of the solution?
From time to time, there are some glitches with stability. Some logs are missing, and we have an external SOC team handling this license for us. Whenever there is something wrong with Splunk Enterprise Security, they need to raise a ticket, and it can be time-consuming to wait for them to reply; this is also a disadvantage.
What do I think about the scalability of the solution?
It is easy to scale up or down if you have the money. The solution is quite pricey not only because of the license but also when scaling it and maintaining it.
How are customer service and support?
I have not raised any ticket myself, but I have heard some not very good stories about technical support from Splunk Enterprise Security. Support did not provide quick enough help.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not been using any other competitors.
How was the initial setup?
I have no idea about installation because I took no part in it.
What about the implementation team?
We have a dedicated team that is doing all the configuration of Splunk Enterprise Security for us. We are just managing what has been prepared for us.
What was our ROI?
It saved the company from financial losses because of the early detection of the incidents. I cannot say about ROI because I am not involved in financial matters, so I cannot estimate any kind of cost.
What's my experience with pricing, setup cost, and licensing?
I heard the solution is quite pricey.
Which other solutions did I evaluate?
I have not been using any other competitors.
What other advice do I have?
Users should know what they are looking for. Splunk Enterprise Security is probably customizable enough that they could achieve their goals, but they need to know what they want to get from it. On a scale of 1-10, I would rate Splunk Enterprise Security an eight overall.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Engineer at a comms service provider with 1,001-5,000 employees
Helpful for detecting anomalies and malicious activities and reducing false alerts
Pros and Cons
- "The dashboards, indexing speed, correlations, and machine learning are advantages of Splunk Enterprise Security; even though other competitors offer the same features, the efficiency of Splunk Enterprise Security is the best."
- "The integration feature with other applications, such as anti-DDoS application Arbor, needs to be more powerful."
What is our primary use case?
We use Splunk Enterprise Security to detect different anomalies and alerts based on our infrastructure. I work in the telecom industry. We have multiple network and security devices that collect logs. We create use cases to collect logs from all these devices.
What is most valuable?
The dashboards are very good in Splunk Enterprise Security. There are pretty good options to fine-tune the alerts, to wipe out false positives, and only get the correct alerts as per our requirements. The UI is pretty good and easy to use because it is integrated with different EDR tools. This integration is very helpful for identifying different malicious activities or malware for any of the endpoints, especially the critical servers.
The architecture of Splunk Enterprise Security is really good at collecting and parsing logs. Each detail, how it correlates, and all the features are up to the mark compared to other vendors. The indexing speed is pretty good in Splunk Enterprise Security.
I used many of its machine learning automatic detections. It's really helpful to identify any malicious activity or the behavior of malware over time. There was a malicious activity that involved privilege escalation from the MITRE ATT&CK framework. It was very helpful in detecting that escalation, and due to Splunk Enterprise Security's machine learning capability, we tracked down the malware, remediated it, and prevented it from spreading further to other endpoints.
What needs improvement?
There should be more options for adding more visual experience in terms of dashboards.
The integration feature with other applications, such as anti-DDoS application Arbor, needs to be more powerful.
For how long have I used the solution?
I have been using it for almost three years.
What do I think about the stability of the solution?
Issues are very rare, near zero, with no downtime.
What do I think about the scalability of the solution?
It is highly scalable.
How are customer service and support?
The tech support is really good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I use ArcSight as well. We did not fully migrate to Splunk Enterprise Security. We are using both solutions.
Splunk Enterprise Security has good refresh rates for getting alerts. I prefer Splunk Enterprise Security more compared to other competitors such as ArcSight or IBM QRadar. The health checks are very good. The dashboards, indexing speed, correlations, and machine learning are advantages of Splunk Enterprise Security. Even though other competitors offer the same features, the efficiency of Splunk Enterprise Security is the best. Except for the price, I don't find any disadvantages compared to other vendors.
How was the initial setup?
The migration process was complex because we were moving from one SIEM tool to another. In the telecommunications industry, there are several teams that we needed to collaborate with, and meetings were essential. Within the network team alone, there are numerous sub-teams to coordinate with.
In my current environment, this complexity made the process challenging. We weren't starting from scratch; instead, we were transitioning from an existing SIEM tool to a new one. If we had been implementing the first SIEM tool for our company, it would have been much easier. However, migrating from one SIEM to another always presents difficulties.
What about the implementation team?
Our company purchased through resellers.
What's my experience with pricing, setup cost, and licensing?
It's somewhat pricey compared to other vendors. However, for big infrastructure companies such as telecom, the price is fair enough. Compared to the features and efficiency it offers, the price is good. For medium-sized companies, it's too pricey.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Resident Consultant (Security Analyst) at helpag
Accelerates security investigations and threat detections and allows customizations
Pros and Cons
- "I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools."
- "I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money."
- "Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips."
What is our primary use case?
We have customized use cases for Splunk Enterprise Security as per our environment, due to our infrastructure related to cloud, virtualization, and a few application servers, along with Active Directory management, where we look for user interface and access management. We receive alerts related to any password breaches or unauthorized user access, or if any applications stop running.
Consequently, we created multiple customized use cases, and accordingly, we receive alerts on Splunk Enterprise Security. It integrates with other tools for threat intelligence and anomaly detection. We are enjoying a good experience so far, and our admins ensure that the use cases are well-maintained. Additionally, they perform fine-tuning as needed.
We have some database servers integrated for alerting us about unused services. We communicate with our database admins regarding incidents related to data management issues. We suggest actions to the database admins based on these alerts for better data management.
How has it helped my organization?
Splunk Enterprise Security is highly customizable, which is an excellent feature. We are continually fine-tuning it to meet our requirements, and everything has been smooth thus far. We also have well-designed dashboards that allow us to visualize data from various use cases in comprehensive graphs, which is beneficial for management reviews, especially during inspections, to display the status of our environment.
We monitor multiple environments, and those environments are integrated with Splunk Enterprise Security, functioning effectively.
In terms of visibility, it offers insights into integrated devices such as firewalls, cloud infrastructure, and virtual machines. The extent of visibility corresponds to the number of devices we integrate with Splunk Enterprise Security. We have access management servers and Threat Intelligence integrated, enhancing visibility across various elements in our environments.
Splunk Enterprise Security provides good visibility into our environments.
Splunk Enterprise Security aids us in detecting threats faster. Over time, it has incorporated enhanced AI support that enables self-analysis and offers valuable feedback. It operates as an intelligent tool, parsing and generating relevant incidents effectively.
Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.
Splunk Enterprise Security has helped reduce our alert volume to a good extent. It goes beyond mere incident handling by providing feedback to IT infrastructure personnel and database administrators. The incident responses have enabled us to make several environmental corrections, reducing flaws and incidents over time. For instance, alerts related to unnecessary service account logins have prompted us to give feedback to admins, which reduces their workload. False positives are a notable aspect we address to minimize unnecessary alerts, while true positives associated with malware or MITRE framework indicators prompt effective management action.
Splunk Enterprise Security accelerates security investigations. The tool contains extensive data, and the key lies in how to extract that information, depending on the analyst's capability. Our company emphasizes obtaining Splunk Core admin and user certifications to enhance our understanding of the Splunk Enterprise Security product.
What is most valuable?
I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.
We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.
What needs improvement?
In terms of recommendations for improvement, when performance degradation occurs, we need to do a root cause analysis. The repeated tendency to inform us about memory utilization complaints encourages us to consider adjusting our query needs. Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips. Our admin quickly intervenes to correct resource bottlenecks, allowing everything to function properly again.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for approximately two years now.
What do I think about the scalability of the solution?
I find it easy to scale Splunk Enterprise Security for our environment, and I would rate its scalability an eight.
How are customer service and support?
I have sought assistance from Splunk Enterprise Security support in the past, particularly during deployment, and they provide friendly and effective help.
Which solution did I use previously and why did I switch?
Having experienced using QRadar from IBM, I find Splunk Enterprise Security more intelligent and supportive.
How was the initial setup?
The deployment of Splunk Enterprise Security is straightforward, and integration with other security controls is quite easy after the initial setup.
What about the implementation team?
Initially, we required the assistance of Splunk Enterprise Security consultants for the deployment process.
What was our ROI?
I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money. This is why we are keen on expanding our infrastructure under Splunk Enterprise Security rather than other SIEM options.
What other advice do I have?
We are currently using Splunk Enterprise Security for our SOC in our office, and as long as the office continues its use, we will still be using it.
I haven't faced any other difficulties apart from the CPU resource issues. I find Splunk Enterprise Security to be very customizable and user-friendly. The only consideration is that if we want to increase the volume of logs processed, we need to buy more licenses.
Maintaining Splunk Enterprise Security requires personnel, especially due to the existence of different search heads and various forwarders in our robust setup, supporting a centralized logging environment.
I find it easy to scale Splunk Enterprise Security for our environment, and I would recommend that potential users consider their capacity to invest financially based on the criticality of their infrastructure, as adoption comes with licensing costs.
I would rate Splunk Enterprise Security an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk architect at Schwarz IT KG
Investigation dashboard provides a lot of value, end-to-end visibility, but multi-tenancy is not there
Pros and Cons
- "The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster."
- "Stability is there, but every release has some bugs."
What is our primary use case?
The main use cases are with the firewall, DNS, and Windows events. These are the three basic ones to start with. Once they're done with all the compatibility and introductions, custom use cases will follow.
How has it helped my organization?
It's currently in the implementation phase. But, it will surely improve response time and make it easier to collect and check everything in one place. Instead of going to multiple dashboards and running multiple queries, all can be integrated into one dashboard. You can just click and then go drill down into deeper levels and get more information.
Splunk Enterprise Security provides end-to-end visibility into our environment. It's very important because:
- This tool is used as SIEM implementation. End-to-end visibility is really important in such a case; if something is missed, it's an error.
- Also, we belong to the retail sector with over 700,000 employees. We have a lot of endpoints and everything is open, so end-to-end visibility is essential.
It helped our organization to ingest normalized data. With Windows, DNS, firewalls, and the open use cases we've checked, we've gotten more data in. The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster.
The investigation dashboard provides a lot of value. In the same dashboard, we get all the drill downs, raw events, and information about what the particular user is doing or where the vulnerability started, all in the same dashboard.
It helps us reduce our mean time to resolve. Now, we can see all the incidents on a single dashboard and it could be assigned to the analysts at the same time on the incident review. People can start working on it right away, so it does reduce the mean time to respond.
Splunk's unified platform helps consolidate networking, security, IT, and IT observability tools. But our major focus or use case is more on the security side. We don't use observability, so we just use logs, metrics, and other security-related features.
What is most valuable?
Incident review is pretty valuable. You can have everything in one place, review it, and assign things to analysts, and they can work on it.
We also have different teams segmented; it is not one team. So, we brought that using the teams method in Enterprise Security, which I think most people are not using. This way, different users have different dashboards or lists of incidents.
What needs improvement?
One thing is multi-tenancy, which is not currently there. The concept of Enterprise Security assumes only one team using Splunk, but in many companies, including ours, that's not the case. We have multiple security teams operating under one umbrella, with different people using it for different smaller companies. If multi-tenancy could be incorporated, it would surely help us.
For how long have I used the solution?
We started with it last year. We integrated it last year, and the SOC team is now handling it. They're making it SIEM compatible, introducing the first few use cases, and working with the data.
So, we bought the license nearly a year ago, and started implementing it about six months ago.
What do I think about the stability of the solution?
Stability is there, but every release has some bugs. For example, in this release, indexes were down, searches were down, and the monitoring console wasn't working. So, it's a bit tough.
What do I think about the scalability of the solution?
It's still being implemented, and a lot of work needs to be done. But, considering the pricing and everything, I would give it a seven out of ten. It does have a lot of use cases, but a lot of work has to be done beforehand. Our data wasn't totally SIEM compliant because we used prebuilt solutions and changed the data format.
How are customer service and support?
We use Splunk Operator on Kubernetes, so it's not on-prem or Splunk Cloud. Customer support is not good at all.
For example, we upgraded the system on Saturday and raised an incident. With Operator, you can only raise a P3 incident, so we needed to escalate it and get the developers involved. Support cannot handle such cases. We always have to get the developers involved to get the issues fixed. This happened very recently. But it is very common; the support for Kubernetes is zero.
Which solution did I use previously and why did I switch?
The company didn't have a SIEM solution. It was more of SOAR, so we used FortiSIEM for that. We still use it.
How was the initial setup?
Setup is not that difficult. You just have to install the search head cluster and a normal app. Data normalization is the main thing required for Enterprise Security. SIEM compatibility is the most important thing. If it's not there, then it won't work.
The deployment of the solution is pretty simple, if your data is SIEM compliant. If not, then you need to make it SIEM compliant. Otherwise, you cannot use the solution.
What about the implementation team?
We have a Splunk partner that helps us with integration and other stuff.
What's my experience with pricing, setup cost, and licensing?
Pricing is a bit costly. It always is.
Which other solutions did I evaluate?
We considered a couple of other brands. We ran a couple of POCs with other enterprise tools.
Since we've been using Splunk for nearly four years, it was easier to incorporate Enterprise Security. We did try other SIEM solutions like Fortinet, but since Splunk was already there in place and had all of our normalized data, it made more sense to use Enterprise Security.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Consultant at an outsourcing company with 1,001-5,000 employees
It's easy to create, alter, and share dashboards
Pros and Cons
- "I like the ease of setting up dashboards on Splunk. They're easy to create, manage, alter, and share. You can fine-tune them any way you see fit."
- "It's missing some features that other solutions have, such as the ability to upgrade the endpoint and perform endpoint universal forwarders from a deployment server instead of using a third-party solution, such as Puppet or Ansible."
What is our primary use case?
There are tons of use cases for Splunk, but our main one is insider threat.
How has it helped my organization?
It's easy to deploy Splunk, and mostly, we don't have to reach out to the customer after it's done. It's a simple tutorial with a couple of pages, and they can configure it themselves. The simplicity of deployment has been the greatest asset.
Splunk has improved our customer's ability to ingest enterprise data. We don't have to have hands-on every customer's environment. We can farm that out to the local SAs. They find the install, and it's a simple firewall update. We're getting data.
It provides an all-in-one resource. Before, we had one product for firewalls and one for our gateways. Pairing up with Cisco helped because a lot of our information is based on our network, firewall, or router. Having Splunk intertwined with them will ensure that it's one resource and one solution.
The solution has helped to fine-tune false positives. Sometimes, out-of-the-box solutions aren't customizable, but Splunk is. It can clone, alter, and make it your own.
Before Splunk, we didn't have a tiered solution where there was some low-hanging fruit that was easily handled by the tier ones and higher-end stuff. It went from level two to level three bordering on level four CCNA. That's what I was looking for, a maturity model. We've developed into a progression from tier one to tier two, etc. At the high end, we have forensics for long-term solutions or advanced persistent threats.
A lot of things can be handled at the tier one level, and there are 12 to 24 hours before it floats to tier two. Resources are underutilized, and not everyone's working. You're not handing a tier-one ticket to a tier-four guy who's just like, "Dude, it's this." The tier-one guy is getting a tier-four ticket. It streamlines the resolution process.
What is most valuable?
I like the ease of setting up dashboards on Splunk. They're easy to create, manage, alter, and share. You can fine-tune them any way you see fit. One of Splunk's unique features is that you can customize it for your needs, especially if you've got homegrown solutions. It accepts whatever kind of logs and can be normalized at any point. With a one-off solution, you can work with the developer who created it, and they give you the features or key information you want to keep.
What needs improvement?
Many people are talking about deploying upgrades from the deployment server. It's necessary, particularly from the perspective of insider threat. You can see if something's breached. If you notice an anomaly at 2 a.m., we've got your rules firing, letting you know immediately. It's near real-time notification of any issues.
For how long have I used the solution?
We have used Splunk for two years.
What do I think about the stability of the solution?
Splunk's stability is inherent to its scalability. It's malleable and adjustable. It's like pottery that you make to fit your needs.
What do I think about the scalability of the solution?
It's easy to divert resources where they're needed. Often, we have several projects that have reached the end of their life, and we shift the resources. The fact that you can set up a new index or set of indexes and push some feeds into specific structured indexes makes it a lot easier instead of having everything in one giant database and trying to find what you're looking for.
How are customer service and support?
With the streamlining, it's a lot easier for the end customers. They've noticed a quicker turnaround for low-level stuff, and the high-level requests get directed to the right people. We used to have a turnaround window of about a month. Now it's down to a week for most tickets. In the past, they sometimes put a ticket in, and it might be a week before someone even looks at it. Now, we have a system in place where they get a response within 24 hours.
Which solution did I use previously and why did I switch?
We were using ArcSight but switched because our customer said they wanted to go to Splunk. ArcSight didn't have the reach, and the complexity of deploying it inhibited a lot of customers from using it.
How was the initial setup?
Deploying Splunk was easy. We worked on developing the in-house solutions and passed them off to the customers, providing a network location to download what they needed and the instruction guides. After that, it was simple to unzip and configure the inputs and outputs. We were up and running.
What was our ROI?
We've probably tripled the amount of insight into our infrastructure and environment.
Which other solutions did I evaluate?
They looked at Elasticsearch and the ELK Stack—trying to do things with Kubernetes and Kafka. That can be used with Splunk. In terms of cost, complexity, and ease of deployment, Splunk is often on top. It gets the data out there as quickly as possible. The fact that Splunk is as vast as it is means it isn't hard to find a resource that's touched it and can use it.
What other advice do I have?
I rate Splunk Enterprise Security eight out of 10. It's missing some features that other solutions have, such as the ability to upgrade the endpoint universal forwarders from a deployment server instead of using a third-party solution, such as Puppet or Ansible.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Senior Information Systems Security Analyst at a manufacturing company with 5,001-10,000 employees
Provides impressive end-to-end visibility into our environment
Pros and Cons
- "The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better."
- "I would like more assistance with use cases and help with teaching us how to use it once it's installed."
What is our primary use case?
Our primary use case is for detecting malware.
What is most valuable?
The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.
We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it.
We would probably see more time savings if we used Splunk more.
We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize it more.
Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.
Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful.
It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.
How are customer service and support?
Splunk support is difficult for us. There are gaps in the network. I work for a government entity so getting a classified rep to come out is difficult.
I would rate their support a five out of ten due to their availability and talent.
How would you rate customer service and support?
Neutral
How was the initial setup?
It took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish, there's definitely room for improvement.
I would like more assistance with use cases and help with teaching us how to use it once it's installed.
What about the implementation team?
We deployed through professional services.
Which other solutions did I evaluate?
We're a young team so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.
What other advice do I have?
I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Splunk engineer at a manufacturing company with 10,001+ employees
Helps with the aggregation of all the logs in one place
Pros and Cons
- "The solution's most valuable feature is the aggregation of all the logs in one place, using Enterprise Security's built-in or ESCU use cases to find them."
- "The solution's case management system could be further improved to make it easier for analysts to manage cases."
What is our primary use case?
We use the solution to find systems acting strange or having strange services and security attacks.
How has it helped my organization?
Splunk Enterprise Security helps us sift through tons of data to find relevant information we're looking for as far as activity goes.
What is most valuable?
The solution's most valuable feature is the aggregation of all the logs in one place, using Enterprise Security's built-in or ESCU use cases to find them.
The end-to-end visibility Splunk Enterprise Security provides in our environment is very important because we might not see everything or miss something without it.
Once you have it set up correctly, Splunk Enterprise Security works great for helping us find any security event across multi-cloud, on-premises, or hybrid environments.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. The ability to identify and solve problems in real-time is pretty robust.
Splunk Enterprise Security has helped reduce our alert volume with RBA and has helped reduce our mean time to resolve. With correlation searches in risk-based alerting, you don't have to sift through information; it is presented to you.
What needs improvement?
The solution's case management system could be further improved to make it easier for analysts to manage cases. The only limiting factor is the amount of data you're sifting through and the overall size of the number of correlations you're looking for.
For how long have I used the solution?
I have been using Splunk Enterprise Security for seven to eight years.
What do I think about the stability of the solution?
I rate the solution’s stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the solution ten out of ten for scalability.
How are customer service and support?
The solution's technical support is awesome, and I love it.
How would you rate customer service and support?
Positive
How was the initial setup?
I've deployed the solution a few times. The deployment is very labor-intensive and takes a lot of work.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is an expensive solution.
What other advice do I have?
I would recommend the solution to other users.
Overall, I rate the solution a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head of Digital, Log Monitoring at a manufacturing company with 10,001+ employees
Reduces MTTR, improves efficiency, and centralizes everything
Pros and Cons
- "It is lovely to have everything we need in one tool. Everything is quite centralized."
- "Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk."
What is our primary use case?
Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC.
We also have additional work that is much more tricky. It is related to using AI to detect insider threats.
How has it helped my organization?
We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.
Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.
What is most valuable?
It is lovely to have everything we need in one tool. Everything is quite centralized.
What needs improvement?
AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to leave. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.
Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the stability of the solution?
It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view.
What do I think about the scalability of the solution?
Its scalability is good provided you have the right license agreements.
How are customer service and support?
It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.
How was the initial setup?
It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.
For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.
What's my experience with pricing, setup cost, and licensing?
Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.
The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.
They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.
We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.
Which other solutions did I evaluate?
I did not evaluate other solutions but the company surely did.
What other advice do I have?
Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.
It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.
Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.
I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
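The two ideas that recur across these reviews, risk-based alerting that sums per-user risk modifiers from correlation searches and only raises a notable past a threshold (the "Senior Splunk engineer" review), and scaling that risk with an HR-style signal such as farewell emails before a DLP alert fires (the review above), can be modelled in a few lines outside Splunk. The following is an added example written for this page, not Splunk's code or either reviewer's; the event records, the farewell keyword list, the multiplier and the threshold are all constructed and assumed, and a real deployment would hold them in lookups and tune them.

```python
"""Toy model of risk-based alerting with a context-driven risk multiplier.

Added example, not Splunk's code. It reproduces, outside Splunk, the logic
the reviews describe: each correlation search emits a risk modifier, the
modifiers are summed per user, and a notable fires only when the total
crosses a threshold. A "departing user" signal, derived here from farewell
style subject lines, scales the DLP-related modifiers so that the same
activity by a leaver crosses the threshold while the same activity by
another user does not. All events, keywords and thresholds are constructed.
"""
from collections import defaultdict
import re

# Constructed sample risk modifiers, one per correlation-search hit.
RISK_EVENTS = [
    {"user": "alice", "source": "dlp_large_upload", "score": 30},
    {"user": "alice", "source": "usb_mass_storage", "score": 20},
    {"user": "bob",   "source": "dlp_large_upload", "score": 30},
    {"user": "carol", "source": "failed_logins",    "score": 10},
]

# Constructed sample sent-mail metadata (subjects only, never bodies).
EMAIL_EVENTS = [
    {"sender": "alice", "subject": "Farewell and thank you all"},
    {"sender": "bob",   "subject": "Q3 budget review"},
    {"sender": "carol", "subject": "Re: last day photos"},  # about someone else
]

# Assumed keyword list; in production this belongs in a tunable lookup.
FAREWELL_PATTERN = re.compile(
    r"\b(farewell|goodbye|my last day|moving on)\b", re.IGNORECASE
)
DLP_SOURCES = {"dlp_large_upload", "usb_mass_storage"}  # assumed source names
DEPARTING_MULTIPLIER = 2.0   # assumed: double DLP risk for leavers
NOTABLE_THRESHOLD = 60       # assumed: aggregate risk that opens a notable


def departing_users(emails):
    """Users whose own sent-mail subjects match a farewell keyword."""
    return {e["sender"] for e in emails if FAREWELL_PATTERN.search(e["subject"])}


def score_risk(risk_events, departing):
    """Sum risk per user; DLP-related modifiers are scaled for departing users."""
    totals = defaultdict(float)
    for ev in risk_events:
        score = ev["score"]
        if ev["user"] in departing and ev["source"] in DLP_SOURCES:
            score *= DEPARTING_MULTIPLIER
        totals[ev["user"]] += score
    return dict(totals)


def notables(totals, threshold=NOTABLE_THRESHOLD):
    """Users whose aggregated risk reaches the threshold, one notable each."""
    return sorted(user for user, score in totals.items() if score >= threshold)


if __name__ == "__main__":
    leavers = departing_users(EMAIL_EVENTS)
    totals = score_risk(RISK_EVENTS, leavers)
    print("departing users:", sorted(leavers))
    print("risk totals:", totals)
    print("notables:", notables(totals))
    # Same events with no departing-user context: nobody crosses the threshold.
    print("notables without context:", notables(score_risk(RISK_EVENTS, set())))
```

With the constructed data, alice's two DLP modifiers add up to 50 on their own, below the threshold, so no notable would open; once her farewell subject marks her as departing, the same events score 100 and a single notable opens for her, while bob, with identical upload activity but no leaver signal, stays at 30. That is the false-positive reduction the reviewer describes: the context changes which of two identical-looking activities gets an analyst's attention, rather than adding alerts.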
Information Security Engineer at an educational organization with 1,001-5,000 employees
Helps with quick analysis and helped improve our organization’s ability to ingest data
Pros and Cons
- "Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object."
- "At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at."
What is our primary use case?
We use Splunk Enterprise Security for our security analysts for them to be able to view incidents. They are not 100% dependent on Splunk Enterprise Security as their incident source. They do have other tools that they use and other things like whois data, threat intel, and lookups for our domain. They are able to quickly look at the activities done for the assets that we have.
How has it helped my organization?
I am not from the management or the leadership, but I do feel that it has been helpful for us Splunk engineers who are responsible for looking at all the data and logs. Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object. The analysts have their dashboards, and they have their action items. They use it differently. They follow all the common procedures.
We are on-prem. We are not on the cloud. As of now, Splunk Enterprise Security does not provide us with end-to-end visibility, which is one of the drawbacks of why we need to use other tools. It is not that Splunk Enterprise Security cannot do it. It is just the way it is configured right now. We are working with Splunk engineers. We have a lot of professional service hours that we spend with them bringing all parties into the picture and doing working sessions.
Right now, Splunk Enterprise Security is in the middle in terms of helping us find any security event across our environment. Based on the way the configuration is done in our environment, it would not be right to say that the incident would be reported accurately from Splunk Enterprise Security. That is because not a lot of data is being put into Splunk Enterprise Security to make something a notable event and report about it. If we configure it better and have more data models normalized, and then we use it, it will be more helpful. It has been a long-term goal, but we will reach there soon.
Splunk Enterprise Security has helped improve our organization’s ability to ingest data.
Splunk's unified platform has not helped consolidate networking, security, and IT observability tools. I am an engineer, and I am more into administration and creating user interfaces on Splunk Enterprise itself, not Splunk Enterprise Security. We have done some work on Splunk Enterprise Security and then left it with analysts. It is up to the analysts now. Splunk Enterprise Security is not 100% configured. Some basic data models have been set up. They are generating notables, and we are generating alerts out of it, but it is not 100% there. They do have to use other tools such as their networking tools to get a full picture for incident reporting.
What is most valuable?
One of the most popular features that I personally like is that in the case of an event, I should be able to run a desired action for that on a threshold, but that is not how we are using it right now, unfortunately. We have a pretty manual process. We have an operating procedure, and we follow that. I would like to see it automated. I do not want analysts to decide whether the action needs to be done or not. It should be done provided the policy says so. If the policy says it needs to be done, it should be an automatic process rather than a manual process.
What needs improvement?
At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at. They have put Mission Control as a part of the notable or finding itself. The investigation shows the findings, and the findings allow us to do everything that we are doing in Mission Control right there on that same screen. That is what we want now. They said it is going to be released in two to three months. We are hoping that we will be able to use it. I was hoping that I would be able to see version 8 when I am here at Splunk .conf24, and when I go back, I would be able to help them implement it, but it is still 7.3.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
It is pretty stable.
What do I think about the scalability of the solution?
It is pretty scalable. We have a huge deployment. It is good.
We are a huge agency. It is in the public sector. We have 15 terabytes of data.
How are customer service and support?
They are good. We have a huge team of Splunk engineers within our company. Some of them are contractors, and some of them are employees. They are pretty responsive.
Based on my interaction, I would rate them an eight out of ten. Some engineers do not understand what is there to solve, and they start pushing their perspective on the customer, which is not how it should be because it is not their environment.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use any similar solution previously.
How was the initial setup?
The deployment of Splunk Enterprise Security was very simple.
What about the implementation team?
We have professional service hours. We worked with Splunk engineers, and we had live working sessions. We were doing it like that. We did it for over a period of time, but that did not give us the full power of Splunk Enterprise Security. For that, we need to be able to configure our own data models and normalize the data. That is not happening 100%.
What's my experience with pricing, setup cost, and licensing?
It is quite expensive.
Which other solutions did I evaluate?
We did not evaluate any similar solutions.
What other advice do I have?
At this time, I cannot assess Splunk Enterprise Security in terms of the ability to identify and solve problems in real time, but we do use regular Splunk to pinpoint a lot of problems. It helps us a lot. We are able to pinpoint a lot of things, whether they are vulnerabilities or pointing to some logs in the firewall or authentication logs. All the analysts use it very frequently to write searches.
Splunk Enterprise Security has not helped improve our organization’s business resilience because we are not 100% dependent on it.
Splunk Enterprise Security can provide us with the relevant context to help guide our investigations. However, the input is not 100% perfect, so the output is not 100% perfect.
I would rate Splunk Enterprise Security a ten out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.