Our primary use case is for security but we also use it as a soft tool. It gives us an advantage over traditional SOC or security tools. We get to use the existing data in Splunk to make use of the security.
Splunk Developer at a tech vendor with 11-50 employees
Helps us with both auditing and regular monitoring
Pros and Cons
- "It definitely does help with both auditing and regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial."
- "Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution."
What is our primary use case?
How has it helped my organization?
It definitely does help with both auditing and regular monitoring. SOC does more monitoring, but ES also gives you other features that are auditing-related. The dashboards are also beneficial.
Our auditing team gets benefits from Splunk, not just ES but also from general Splunk Enterprise. It's cross-functional.
Enterprise Security has helped us reduce our mean time to resolution by 50%. Without it, there are many manual steps. You have to go to different products to see specific things. With Splunk, you have the benefit of seeing them together in one place.
What is most valuable?
The notable events and the incident review features are the most valuable. It gives you an overall idea of what's going on in terms of security in the environment.
I also like the automation. We write custom scripts and automate certain tasks. That's also interesting. This feature saves us time.
Splunk is capable of doing a lot in real time. Even with data coming in that is a terabyte in size, you can still do searches in real time. We have correlation searches that do similar functions.
It has a lot of the features we're looking for.
For how long have I used the solution?
I have been using Splunk Enterprise Security for a year and a half.
Buyer's Guide
Splunk Enterprise Security
June 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,524 professionals have used our research since 2012.
What do I think about the stability of the solution?
It's quite stable. It's a mature product.
What do I think about the scalability of the solution?
We can make it as scalable as we want. We can scale it horizontally as much as we want on our cluster.
How are customer service and support?
We get support when we need it. I would rate support an eight or nine out of ten. There's always learning and improvement to do. Sometimes the communication with support happens with multiple staff. They should reduce the time to resolution.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate Enterprise Security a nine out of ten. Not a ten because everything has room for improvement.
The biggest value of the Splunk conference is meeting people.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.

Regional Channel Manager at i2sBusiness Solutions
Drastically reduces time spent by analysts on false positives, and AI-based detection identifies real-time anomalies
Pros and Cons
- "The dashboard and reporting are very good... It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk."
- "While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated."
What is our primary use case?
The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.
How has it helped my organization?
It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.
It also definitely helps speed up your security investigations.
What is most valuable?
The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.
The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.
And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.
Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.
We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.
What needs improvement?
While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.
For how long have I used the solution?
We have been working with Splunk Enterprise Security for one and a half years.
What do I think about the stability of the solution?
It's a very stable solution.
What do I think about the scalability of the solution?
It is very highly scalable.
How are customer service and support?
The technical support is very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.
How was the initial setup?
Our clients' implementations are mostly on-prem and in the cloud.
What's my experience with pricing, setup cost, and licensing?
Splunk is definitely not a cheap solution. It is an expensive product.
If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.
What other advice do I have?
In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.
When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.
You should definitely consider Splunk as one of your options for your SOC.
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Product Owner at ABN AMRO Bank N.V.
Poor performance and the display options are limited, but it can parse a variety of log files
Pros and Cons
- "Splunk works based on parsing log files."
- "I find the graphical options really limited and you don't have enough control over how to display the data that you want to see."
What is our primary use case?
We use Splunk to monitor our private cloud, data center, and other applications.
How has it helped my organization?
I don't like Splunk very much and find that it does not have many useful features.
What is most valuable?
Splunk works based on parsing log files.
What needs improvement?
I don't like the pipeline-organized programming interface.
I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.
I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data; there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.
Fixing Splunk would require a redesign. The basic way they present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.
You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.
For how long have I used the solution?
I have been using Splunk for approximately one year.
What do I think about the stability of the solution?
I use Splunk at least a couple of times a week.
What do I think about the scalability of the solution?
I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.
Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.
How are customer service and support?
I have not been in contact with technical support from Splunk.
Which solution did I use previously and why did I switch?
In this company, we did not previously use a different monitoring solution.
How was the initial setup?
I was not involved in the initial setup.
We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.
What about the implementation team?
We have a team at the company that completed the setup and deployment.
Which other solutions did I evaluate?
The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.
What other advice do I have?
My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.
Overall, I don't think that this is a very good product and I don't recommend it.
I would rate this solution a five out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer at a recreational facilities/services company with 10,001+ employees
Very versatile for many use cases
Pros and Cons
- "The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly."
- "Their technical support sucks."
What is our primary use case?
We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, Windows Active Directory, and those types of use cases.
How has it helped my organization?
Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.
What is most valuable?
The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.
We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.
What needs improvement?
Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.
By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.
I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective.
Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at a smaller 500 gigs a day (which isn't a lot of data by Splunk standards), is ludicrous. The cost for me to buy equipment every three years, own the licensing, and run it local to my prem is significantly less over a three- or five-year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period; the amount that I'd amortize over five years is what I would be paying every year in the cloud.
That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.
For how long have I used the solution?
I have been using Splunk for probably 10 years.
What do I think about the stability of the solution?
At least in our environment, it is super stable. When you think about how much time you spend working with other applications (just Windows Server requires more feeding than Splunk does), you see that Splunk is a very low-maintenance product in terms of care and feeding.
We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.
I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.
We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.
What do I think about the scalability of the solution?
I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.
How are customer service and support?
Their technical support sucks.
My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.
I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.
Which solution did I use previously and why did I switch?
Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.
How was the initial setup?
Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads, four indexers, universal forwarders, and a heavy forwarder cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.
We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.
What about the implementation team?
We used an integrator.
The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.
When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OS's need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OS's under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.
What was our ROI?
The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment and total cost of ownership on Splunk, from somebody who doesn't fit into that neat silo: do we calculate that stuff? Our return on investment comes from being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.
What's my experience with pricing, setup cost, and licensing?
I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.
We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.
Which other solutions did I evaluate?
We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.
What other advice do I have?
My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.
On a scale of one to ten, I would rate Splunk a really good nine.
I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Technology Specialist at a healthcare company with 10,001+ employees
Provides information about what's going on in a simplified way
Pros and Cons
- "From my experience, the visual aid that it provides is most valuable. There are charts and other means to provide information."
- "Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue."
What is our primary use case?
I went to a cybersecurity boot camp through Penn University, and we went over this topic for a decent amount of time. It was more of a testing environment where they gave us different file formats that we had to go through. We would upload those files to Splunk, and it would give us good examples of what it would look like under different circumstances, such as when an organization is getting hacked, when there is a DDoS attack, and so on.
How has it helped my organization?
It is a good way of seeing the network traffic as a whole. With network traffic, there are a lot of things going on, especially in a big organization. It organizes the information and makes it more usable for average people. If you use Wireshark, you'll get a ton of information, and it is super easy to get lost in it. Even if you put Wireshark on for about 30 minutes, you can very easily get lost. Splunk simplifies the information, and it gives you charts and different means of seeing that information, making it easily understandable for people.
What is most valuable?
From my experience, the visual aid that it provides is most valuable. There are charts and other means to provide information.
What needs improvement?
Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue.
For how long have I used the solution?
I've been using this solution for a little while.
What do I think about the stability of the solution?
In terms of stability, I really liked it. I didn't see any issues as far as stability was concerned. Whenever I needed it, it was there. It was available, and it worked. It was pretty good.
What do I think about the scalability of the solution?
Its scalability seems pretty good. If you are working with a lot of information, it would be usable.
Its users would depend on the organization. Mostly network engineers, network analysts, and SOC analysts would be dealing with this.
How are customer service and support?
There were instructors who knew how to fix a lot of the issues. If there was an overarching issue, they would deal with it.
Which solution did I use previously and why did I switch?
At the boot camp, we also used Kibana, which looked a little bit more friendly, but when we got into the details, I liked Splunk a little bit more. It was more intuitive, and it did a little bit more on its own rather than Kibana. With Kibana, it felt like I had to hold its hand all the way through the whole process. There were 20 people, and I know a number of people were leaning towards Kibana. It just came down to personal preference.
How was the initial setup?
We saw some of the basics for deploying it within an environment, but it was very minimal.
It isn't complex, but there is a little bit of a learning curve. Once you get the hang of it, it is very easy to get in and do things, but there is definitely a learning curve. I am not speaking just for myself; the other 20 or more students that were in that class at the time also had a difficult time getting the hang of it, but once you get the hang of it, it is smooth sailing. You can fly through the program. Making it a little bit more simplified would help.
What's my experience with pricing, setup cost, and licensing?
I remember Splunk being relatively affordable. Kibana was more reasonable, but you get more with Splunk. If I was suggesting something, I would probably suggest Splunk because it is better to pay a little bit more and get a lot more.
What other advice do I have?
I would advise making sure that your staff is very aware of how the program works. After one or two classes, I got the hang of it, and it felt like I knew everything that was there to know about it, but when we went into the next class, I realized that there is a lot more. So, if you are going to use the program, I would advise making sure that everyone is trained and everyone really understands it. You should take your time to go into the nitty-gritty. You can very easily think that you know everything, but when you make mistakes in Splunk, at least from my experience, it can get messy quickly. So, you want to make sure that everyone has a very good understanding of what they're doing so that you can keep everything organized and accurate.
I would rate it an eight out of 10. When we're getting into the nuts and bolts and looking at the data, it is an eight, but when we are just navigating through the website, it is a seven. Only its UI needs improvement. It isn't bad, but there is room for improvement. They should make it a little bit more user-friendly.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project Manager at ManTech International Corporation
Integrates with our VMware environment for infrastructure alerting and monitoring, and ingests logs from many different products in our environment
Pros and Cons
- "The ability to ingest different log types from many different products in our environment is most valuable."
- "The biggest problem is data compression. Splunk is an outstanding product, but it is a resource hog. There should be better data compression for being able to maintain our data repositories. We end up having to buy lots of additional storage just to house our Splunk data. This is my only complaint about it."
What is our primary use case?
We are using it for information assurance, system alerting, and compliance. We are using its latest version.
How has it helped my organization?
It integrates into our VMware environment and provides infrastructure alerting and monitoring.
What is most valuable?
The ability to ingest different log types from many different products in our environment is most valuable.
It seems to have everything in terms of features. Every time I think of something, I go out to their site, and I can pretty much find it.
What needs improvement?
The biggest problem is data compression. Splunk is an outstanding product, but it is a resource hog. There should be better data compression for being able to maintain our data repositories. We end up having to buy lots of additional storage just to house our Splunk data. This is my only complaint about it.
For how long have I used the solution?
I have been using this solution for about five years.
What do I think about the stability of the solution?
It is excellent in terms of performance and reliability.
What do I think about the scalability of the solution?
Its scalability is excellent. Its users are mostly on the backside. I know there are a lot of opportunities to allow developers and engineers to access Splunk for doing different things, but we use it purely for information assurance and system monitoring. So, our engineers and IA professionals are the only ones who access Splunk. We have a couple of them, but it supports thousands of users.
We started with Splunk Light, and now, we're using Splunk Enterprise across most of our projects. It is being used extensively. It is our primary SIEM product. I'm sure its usage will increase, but that's managed at a much higher level. The company has an agreement with Splunk on how our licensing model is established.
How are customer service and support?
Their support is great. I've talked to them many times.
Which solution did I use previously and why did I switch?
We used InTrust. We switched to Splunk because of its flexibility and capability.
How was the initial setup?
Its initial configuration is pretty straightforward. Their repository for information and help is really good, which makes it pretty straightforward. You can just go out to their site and do a search for any question. Usually, someone else would have experienced the same issue.
It took us hours. We obviously expanded it as we were building the environment because we did it from scratch, but it only took hours to get it up and running and configured to do ingestion. We then deployed more forwarders and tweaked it as we went along.
What about the implementation team?
It was implemented in-house. Its maintenance is pretty lightweight, and I take care of it. I have a couple of other team members to help make changes. We have engineers who are available for adding capacity. We have a team of six or seven people to support our Splunk Enterprise.
What's my experience with pricing, setup cost, and licensing?
It is expensive. I used to buy it early on, but then they combined it into a higher-up organization. They buy it for multiple systems now. Last time, I paid around 60K for it.
There is just the licensing fee. That's all.
What other advice do I have?
I would advise making sure that you incorporate enough storage and processing in order to properly support the environment.
I would rate it an eight out of 10. It is definitely the best tool I've ever used, but nothing is perfect. They could do a little bit better on data compression and system resource management, but outside of that, it is an excellent product.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Principal Architect at a computer software company with 51-200 employees
Provides insights to customers about what their users are doing and alerts them to anomalies
Pros and Cons
- "The metrics and trends that Splunk Enterprise Security generates using all the data points we send allow customers to understand better what their users are doing."
- "Splunk Enterprise Security should provide a better and richer integration."
What is our primary use case?
We will have clients that generate events through our platform and wish to export those events as data points to Splunk.
How has it helped my organization?
The solution improves our customers' integrations. They really want insights into what their users are doing. They want to be alerted to anomalies, general pain points, or popular areas in the integration to understand what's working and what's not.
What is most valuable?
The metrics and trends that Splunk Enterprise Security generates using all the data points we send allow customers to understand better what their users are doing.
What needs improvement?
Splunk Enterprise Security should provide a better and richer integration. It has a regimented integration, where we had to build a Python library. It was a very tough way to integrate officially and get into the marketplace. We'd like to see more options so that we can better send data over to the Splunk platform.
The requirements of building the integration had to be a very specific and certain way to get onto your marketplace. Once it's there, it's fine, but it took a little effort to get it exactly that way. That's not as maintainable as we like, so we'd rather that be a more robust integration.
For how long have I used the solution?
We've had an integration available for the better part of three or four years.
What do I think about the stability of the solution?
The solution provides good stability.
What do I think about the scalability of the solution?
We haven’t seen any issues with the solution’s scalability.
How are customer service and support?
We mostly interacted with the marketplace community. Although our support experience was not great, the issue was straightforward.
What was our ROI?
Our customers have seen a return on investment with the solution. We have seen customer satisfaction as it was a highly sought-after integration, and they're happy now that it exists.
What other advice do I have?
The end-to-end visibility that the solution provides into our environment is incredibly important to our organization. We like to see it as the total answer. Any data point can be picked up, and you can really build anything you need from the integration. It's incredibly valuable with the data that it's generating. What the tool provides once integrated is highly valuable and sufficient for us.
Finding any security event across multi-cloud, on-premises, or hybrid environments with Splunk Enterprise Security has been incredibly easy. Using the rest of the Splunk platform, you can trigger whatever you need off the data coming in through the integration.
The solution has helped improve our organization's ability to ingest and normalize data. It also generates more customer activities so that there's a stickier relationship.
The Splunk integration triggers the necessary events so that downstream alerting isn't necessary.
Splunk Enterprise Security has helped speed up our security investigations. It's a great direct integration so that our customers can react quickly when necessary.
In principle, the solution has helped reduce our mean time to resolve, but not necessarily data points that we see as the integrator.
Overall, I rate the solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Security Engineer at By Light Professional IT Services
Cost-effective, provides great visibility, and reduces workload
Pros and Cons
- "Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up."
- "My biggest struggle with Splunk in general is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that."
What is our primary use case?
There is a lot that we monitor with it. We monitor outbound URLs. We monitor unusual traffic, unusual user logins, and excessive user logins. We monitor whether or not users are logging in from VPN, what IPs they are accessing, or whether a user is signing in from multiple IP addresses minus the VPN.
How has it helped my organization?
My organization was already using Splunk Enterprise Security when I was brought in, so I cannot say how it has improved the organization, but I can see that if they did not have Splunk Enterprise Security, there would be significantly more workload. They would definitely need more manpower. Splunk Enterprise Security definitely helps with a lot of the prebuilt dashboards and other things that come with it out of the box.
Splunk Enterprise Security has reduced our mean time to resolve by 50% to 75%.
What is most valuable?
Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up. We can check to see if it makes sense that someone logged in from China and in the US within an hour.
What needs improvement?
There is machine learning with Splunk Enterprise Security, and based on the keynotes at the Splunk conference, there is going to be some AI involved as well. My biggest struggle with Splunk, in general, is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that. That is going to be my bread and butter because my big thing is that I just cannot remember all those commands.
If you have a dashboard that is too large with too many searches, it tends to get bogged down. If you create various different dashboards, you can bypass the issue of not having enough resources to load all the things you need to load.
For how long have I used the solution?
I was brought onto the team recently. They have been using it for about two years, so I am just catching up in learning as I go. All in all, my experience with Splunk and AWS is about ten months to a year.
What do I think about the scalability of the solution?
It is very scalable.
How are customer service and support?
I have not had to interact with Splunk support. Most of the issues that I ran into can be solved by reaching out to a team member.
Which solution did I use previously and why did I switch?
I have not used any other similar solution previously. Prior to working with Splunk, it was just basic IT administration work involving monitoring with different tools, such as Trellix FireEye. I am not sure how to compare them with Splunk.
How was the initial setup?
My organization had Splunk Enterprise Security before I got in.
What was our ROI?
I have not seen an ROI because I am not at level two, but I am sure my bosses have seen an ROI.
We have definitely seen a time to value in terms of being able to take what Splunk Enterprise gives us and view it. It gives us more information in an easier way versus us doing everything ourselves. That alone saves time. If we save one second a day over a year, we are going to save minutes, so these little bits of time add up.
What's my experience with pricing, setup cost, and licensing?
The price can always be lower, but it is fair at the moment.
The cost efficiencies depend on the licensing and how much data we are bringing in. We have a fairly large footprint, so it is cost-effective.
What other advice do I have?
Being at the Splunk conference and seeing all the ways in which Splunk can be used versus the way that I use Splunk is mind-blowing. It is a Pandora's box of tools. One of the things I saw today was manufacturing and the types of data that manufacturers can receive from Splunk within the technologies that they have. It is mind-blowing. Splunk is awesome.
Overall, I would rate Splunk Enterprise Security a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
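The impossible-travel check the reviewer describes, as an added example in Python rather than the reviewer's or Splunk's own configuration: consecutive logins by one user are geolocated, the speed implied by the distance and time between them is computed, and pairs faster than an airliner are flagged, while logins from a VPN egress range are skipped (the "minus the VPN" point above). The IP-to-location table, the VPN range, the 900 km/h threshold and the sample logins are all assumptions constructed for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
import ipaddress

# Constructed stand-in for a GeoIP lookup (Splunk's iplocation does this for
# real): hypothetical IP -> (lat, lon). Addresses and coordinates are made up.
GEO = {"203.0.113.10": (40.71, -74.01),    # "New York"
       "198.51.100.7": (31.23, 121.47),    # "Shanghai"
       "203.0.113.77": (34.05, -118.24)}   # "Los Angeles"
# Constructed VPN egress range; logins from it are skipped because a VPN exit
# node says nothing about where the user physically is.
VPN_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_KMH = 900.0  # roughly airliner speed; anything faster is "impossible"

Login = namedtuple("Login", "user ts src_ip")  # one successful login event

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (user, ip_a, ip_b, km_per_h) for each pair of consecutive logins
    by one user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for lg in sorted(logins, key=lambda x: (x.user, x.ts)):
        ip = ipaddress.ip_address(lg.src_ip)
        if any(ip in net for net in VPN_EGRESS) or lg.src_ip not in GEO:
            continue  # VPN egress or unknown location: distance is meaningless
        by_user.setdefault(lg.user, []).append(lg)
    alerts = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(*GEO[a.src_ip], *GEO[b.src_ip])
            hours = max((b.ts - a.ts).total_seconds() / 3600.0, 1 / 3600.0)
            if km / hours > max_kmh:
                alerts.append((user, a.src_ip, b.src_ip, round(km / hours)))
    return alerts

# Constructed sample: alice appears in China 50 min after the US; bob goes
# NY -> LA over 6 h (plausible); carol's first login is through the VPN.
T0 = datetime(2025, 6, 1, 9, 0)
SAMPLE = [Login("alice", T0, "203.0.113.10"),
          Login("alice", T0 + timedelta(minutes=50), "198.51.100.7"),
          Login("bob", T0, "203.0.113.10"),
          Login("bob", T0 + timedelta(hours=6), "203.0.113.77"),
          Login("carol", T0, "192.0.2.9"),
          Login("carol", T0 + timedelta(minutes=10), "203.0.113.10")]
```

Running `impossible_travel(SAMPLE)` flags only alice; bob's 6-hour coast-to-coast gap is physically possible and carol's VPN login carries no location.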

Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2025