Splunk Enterprise Security Reviews

Central repository for log collection and analysis in a complex environment. We have used it for a variety of use cases involving SIEM and operational support.

Speeds up root cause analysis and can help identify issues that your organization never realized were occurring. It helps streamline troubleshooting and log analysis.

It has a low barrier to entry, but it is extremely extensible, allowing it to be tailored to highly specific use cases. It makes searching through a wider variety of logs much quicker and enables you to correlate events from one log to another.

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales seems to be flexible and will work on an organization to organization basis to negotiate license terms. 

On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security.

Pricing can be a limiting factor. You have to continuously tune what you are bringing in and make sure what you bring in is of value. 

We used it to create a full security operations center (SOC) for our IT department by adding all network and security devices, the AD, and mail servers to it. Then Splunk started to receive their logs, it analyzed them, and provided useful reports.  

It helps the IT staff to monitor the full structure. It also makes use of all logs and takes proactive actions.

Integrity with many vendors: This simplifies the implementation and integration with different devices. 

Enterprise security: Splunk must work on clarifying the solution to customers and explain how to gain more from it.

• Searches the logs for all network devices and server. 
• Monitors clients' hardware, networking, and security operations. 
• It is good for the administrator to use it when maintaining the whole IT Infrastructure.

Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses.

Searches logs from all devices and gives valuable information to the organisation, so it can drill down on all reports and security threats. 

Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk. 

No, we have not suffered a network breach.

Yes, the solution has improved the efficiency of our security team.

No stability issues.

No scalability issues.

I have received a very good response from support that I have not seen in more than 10 years of my experience. 

We are using OpManager to monitor server logs. 

I implemented it myself.

It made our organization better through integration.

Make it cheaper to help small organisations implement it easier. 

We evaluated QRadar.

I have been using Splunk to increase my security experience. 

Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a servers logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments under a single screen.

Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, administrators being notified, and if escalated enough, automatic account locks.

The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it to continue to improve its predictive analytics and machine learning tools. It is not to be said that they are currently lacking, I don't believe it is, but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning, Predictive Analytics, and I would enjoy to see more security focused add-ons and apps developed by the vendor.

We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.

Immensely, I cannot stress enough the positive impact this has had on our security team.

Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the amount of remote workers in the office, it averages around 50 million events daily.

We did not encounter any issues with stability.

We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.

I have not personally dealt with customer service/technical support.

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

The initial setup is very straightforward, unzipping a tar, creating a service, starting the service.

My team was the team who had set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high with an average of 4 Splunk certifications per person on my team.

ROI is estimated at saving my team roughly 10 to 12 man hours per week in troubleshooting for our company as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.

Setup cost is cheap: It is free, it is user-friendly, and it is fast. 

I would highly recommend anyone evaluating this option to download the free trial which allows for the ingestion of 500MB of data per day in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to sky rocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.

We evaluated the ELK Stack, of which recently we have implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "Good Enough". They felt they did not need all of the bells and whistles that came with Splunk.

If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.

It was used for security event management on landscape hosted over AWS.

It helped the organisation to proactively monitor threats and reduce its threat footprint.

Deployment server for deploying changes in one go.

It is quite stable.

No.

Professional support is great, but too expensive. Otherwise content published over website is good.

Not applicable.

Do proper estimation on log ingestion per day as that will impact pricing and licensing.

It was the customer's choice.

It provides a great range of plugins and one can really take great advantage of utilising inbuilt dashboards to derive the desired monitoring.

Our company consults for different customers and are in a good position to recommend the best solution to our clients.

• We can do things in minutes instead of days.
• We solve issues which we could not before since we have the data.
• We can quickly search for almost anything across many log sources in seconds
• Teams have the dashboards or alerts that they need

There are too many features to list, but here are a few:

• Schema on the fly

• Ease of on-boarding data

• Machine learning

• Apps or Splunk base.
• Great list of apps to use and also build upon once you learn more about how Splunk works.
• We build many of our own apps by leveraging the logic in the others.

• Ease of correlation, creating correlation searches are easy and you can combine multiple sources with little effort

• Data Models Acceleration for super fast searches across tens of millions of events

• Common Information Model

• Security Essentials App

• Enterprise Security

• Splunk SPL (Search Processing Language) is easy to learn and has IDE like capabilities

• Log storage or compression is great and retention is not an issue

• Dashboards are simple to create and the input options like Time Range, Text
• Drop-downs are simple to create.

• Integration with cloud solutions is great and keeps getting better.
• Can get info from rest API’s easily and there are apps for services like ServiceNow, Azure, Office365, etc.

The GUI can be improved to include some of the capabilities that other BI solutions have. Basically, the layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this could become a non-issue.

There were no issues with stability.

There were no issues with scalability.

Technical support is excellent. They also have Splunk Answers, which is community driven and it great.

We were not able to get the value we needed from the previous solution. It was too difficult or complex. With Splunk, we can do things we want and things we have not even dreamed of yet.

The initial setup was straightforward. We had the POC up in minutes. Within days, we got more value out of this solution than our existing solution.

While licensing can be a concern, there are ways to reduce the licensing costs including filtering some events. We have replaced many solutions with Splunk, which have more than paid for the Splunk licensing.

We evaluated ArcSight, QRadar, and LogRhythm.

Do a PoC and you will be amazed. Also, check out the Splunk .conf sessions to see what is possible. If you are into security, watch Mark Russinovich’s RSA 2017 presentation about Sysmon. Check out free EDR type capabilities.

Splunk has great interoperability with other applications through their SplunkBase app store. The apps can quickly provide visibility and streamline complex data mining tasks.

Unlike other cloud based analytics platforms, at the time of this writing Splunk Cloud is a dedicated instance per customer rather than a shared tenancy platform. While this is beneficial from an overall performance standpoint, the product lacks the seamless integrations one has come to expect from a cloud solution. This translates to a much stronger reliance on Splunk's support organization out of necessity, as the customer cannot make most changes in a self-service manner.

We have been a Splunk customer for five years.

Our Splunk Cloud deployment was a migration from an on-premise implementation of Splunk. The migration took much longer than expected due to constraints within Splunk's cloud team, but there were no technical issues with the launch.

The customer support team at Splunk is very good.

The technical support team at Splunk is highly responsive and knowledgeable.

Some of my clients had rudimentary home-grown security solutions that Splunk ES has completely replaced.

In these cases, the improvement was dramatic; they had visibility into systems and activities that they never had before.

In the case of clients who already had a SIEM solution, the change was more incremental. However, in my opinion, the Splunk ES solution is superior because it is so flexible. It can consolidate data from almost anything.

Splunk Enterprise Security is most valuable, my clients use it as a SIEM solution. Splunk gives them the ability to bring multiple, disparate types of data together, then correlate and report on them.

The GUI can be improved. Splunk has always suffered from having a kind of goofy UI, it needs some updating.

There were no stability issues. It is one of the most stable systems that I have worked with.

As of now, no scalability issues were experienced. Splunk is highly scalable, so don’t anticipate that. However, scaling can get very expensive with their pricing model.

Technical support is excellent! It is of top notch level. The customer support folks really know their stuff, the turnaround is fast.

Previously, we were using HPE ArcSight.

That’s a hard one. The initial setup is easy but making it actually work is complex. However, the complexity is something that just comes with all top SIEM tools. Very few companies have exactly the same data and issues, so a great deal of data onboarding and normalization are always required.

We evaluated HPE ArcSight.

Plan your implementation carefully. Be sure you have someone to implement it, someone who knows what he is doing. Splunk’s inherent flexibility is a great thing, but it also provides an opportunity to really mess things up.

The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.

Splunk's capability to receive any types of logs and index them is a very good feature. To get visibility from your network devices, servers, and security devices is a great feature.

Better directions on search head clusters. A lot of the documentation that I saw was either old or out of date. I believe I ended up doing a lot of searching and ended up not completing the feature. I opted out of creating a search head cluster.

Not at all.

None.

Customer Service:

Excellent. I didn't call often however, when I did they pretty much solved my problem.

Technical Support:

Excellent. I didn't call often however, when I did they pretty much solved my problem.

No solution was available at the time.

No the initial setup was fairly basic.

In-house. We had professional services however, we did the install prior to the consultant arriving. So, his workload was light considering we had already installed and configured the Splunk servers.

We purchased and paid for it as an annual subscription for three years and working on purchasing the Perpetual edition.

Pricing is pretty fair. However, I would suggest you trial for at least 90 days if you can get the sales person to offer you the option to renew your 30 day trial a couple of more times to evaluate. The 30 day trial is not enough.

The other SIEM solution providers we looked at were ArcSight, QRadar and SolarWinds LEM.

Splunk is a good product. Pricing is a bit high however, after it's installed you can understand why and get caught up in reading the logs that are available.

Splunk helped reduce development cost since it provides free applications on Splunkbase that can save a huge amount of time and effort. It also gave us the ability to dig into logs to find not just one needle but many needles in the haystack of data, and that helped solve multiple production issues and reduced system downtime.

A great improvement brought by Splunk is the ability to remove sensitive data before displaying it in reports. This allows Splunk administrators to filter data according to the user’s clearance level.

Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allow schema on the fly and therefore simplifies all the data onboarding process. All that leads to flexibility when it comes to defining the metadata since it is not necessary to have all the fields defined and extracted to be able to use Splunk.

Another great feature is the field extractor that allows persons with little or no experience with Regex to define fields and extract valuable information from the data.

Finally, the ability to connect with various sorts of databases, NoSQL solutions, makes it a very powerful tool, not only as a SIEM but also as a datalake for machine learning and data analysis.

Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.

Released versions are quite stable. We encountered some visual bugs following major upgrades but that was due to custom CSS that we had edited into Splunk.

Splunk is a data analytics platform and is designed to scale easily. Adding or removing machines from a splunk index can be done without affecting any of the existing members of the infrastructure.

In my opinion Splunk has three levels of support. First level is their forum (Splunk Answers). The Forum is very rich and solves 90% of the issues that can be encountered. Then comes the real technical support team that replies quite fast, depending on the SLA. Finally comes the professional services team, which provides a very advanced level of expertise and can solve any issue.

Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes and also because Splunk is simpler to use, is more data oriented, and is more adapted for business security use cases.

We started Splunk on a stand-alone server. Installing that was very easy, a basic RPM install for Linux and an installer for Windows. When we moved to a distributed environment, it was a bit more complicated but the documentation on Splunk Docs was clear and easy to use so we had no problem there.

Splunk licensing model might seem expensive but with all the gain in functionalities you will have compared to traditional SIEM solutions I think it’s worth the price. Also, when you have small volumes of data to index daily (which might account for high EPS) you will be gaining the full advantage of using Splunk for a very low price.

Yes, Graylog and QRadar.

You're in for a nice surprise, Splunk is fun, easy to use, and will give you the results you are looking for and more. It's a great tool for security and business analysis, you're looking at a big data platform that will allow a lot more than what the good old SIEMs could do.