PeerSpot user
Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees
Real User
Top 20
Jun 5, 2017
Ingests machine data and helps to analyze and visualize it.
Pros and Cons
  • "The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data."
  • "Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data."
  • "It requires a significant amount of relatively complex architecture once you push past the single server instance."
  • "Technical support is mediocre. Splunk is struggling to deliver a consistently exceptional support experience."

How has it helped my organization?

Imagine a single application with 17 application servers and dozens of log files per server that rotate as often as once per hour. How do you track and analyze anomalies in those log files with the ability to go back and correlate data for the past X weeks? That was the use case for just our team, not to mention the hundreds of other application teams.

What is most valuable?

Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.

What needs improvement?

Deploying Splunk at scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication?

Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework.

What do I think about the stability of the solution?

Out-of-the-box functions are nearly flawless, but when you push at the edges, then things start to get a little flexible in their eloquence. There is a robust community of support to help through most issues and the documentation is exceptional.


What do I think about the scalability of the solution?

There were no issues with scalability, but we invested some serious time and resources to design a scalable infrastructure up front.

How are customer service and support?

Customer Service:

Customer service is excellent both during the purchase and ownership lifecycle.

Technical Support:

Technical support is mediocre. Splunk is struggling to deliver a consistently exceptional support experience. Their senior engineers are very talented, but those folks are in short supply and many of the most experienced engineers are making hundreds of dollars an hour as consultants not answering your support issues.

Which solution did I use previously and why did I switch?

No enterprise solution was in place.

How was the initial setup?

The initial setup was done without any prior experience and was up and running, including ingesting data, within a few hours. Setup at scale and scalability took months of effort.

What about the implementation team?

We hired a contractor with significant experience with Splunk, Elastic.io, AWS, and custom development. They were expensive, but worth every penny.

What was our ROI?

TBD.

What's my experience with pricing, setup cost, and licensing?

You will eat up whatever you purchase quickly. The level of insights that Splunk empowers is addictive.

Which other solutions did I evaluate?

We evaluated Graylog, Elastic.io, etc.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
MS Alam - PeerSpot reviewer
MS Alam, System Administrator at a retailer with 5,001-10,000 employees
Real User

I agree with you, Mr. Joshua Biggley. Nowadays Splunk has more demand.

PeerSpot user
Foundation Technology Specialist at an insurance company with 1,001-5,000 employees
Real User
May 26, 2017
Provides the ability to diagnose problems in production and non-production.
Pros and Cons
  • "The ability to rapidly diagnose problems in production and non-production, across hundreds of log files, is the most valuable feature."
  • "It is a challenge to manage the environment in such a way that one’s log, even with the bandwidth license, isn’t exceeded."
  • "Official training, even CBT, is expensive so not many people are able to get certified."

How has it helped my organization?

MTTR is drastically reduced, because the developers and other IT support staff have instant access to log events.

People costs are saved by not having to involve the domain developers from multiple teams, when tracing a problem that spans multiple platforms.

Security is improved by not having to give as many people access to log on to the servers.

What is most valuable?

The ability to rapidly diagnose problems in production and non-production, across hundreds of log files, is the most valuable feature.

What needs improvement?

Official training, even CBT, is expensive so not many people are able to get certified. This leads/causes the users to make use of the most basic functionality only.

It is a challenge to manage the environment in such a way that one’s log, even with the bandwidth license, isn’t exceeded. Splunk has moved towards not applying hard caps in data ingestion, and this will help us in the future.

However, I’d like an easier way to flag certain source log files as non-critical and have Splunk automatically disable those event sources when the license capacity exceeds an arbitrary value.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

Customer Service:

I haven't had the need to log any critical issues. Most of my support tickets have revolved around configuration questions. I'm very happy with the way Splunk's support staff respond - they're pretty helpful. I think I've only had one situation where the response was acceptable, but not stellar.

Technical Support:

The technical support is good. I'm sometimes surprised when the support engineer doesn't immediately know the answer to my questions (as I feel they must be fairly common queries). But, this can probably be excused because of the breadth of features Splunk Enterprise has.

Which solution did I use previously and why did I switch?

We were not using any other solution previously.

I evaluated ELK Stack but at the time, Splunk offered more flexibility, better support and was easier for us to implement.

How was the initial setup?

Initial setup was fairly straightforward, but we used an experienced implementation partner and ensured that our team was intimately involved in the installation/configuration process on a technical level.

What about the implementation team?

We used a combination of in-house (i.e. myself) and an experienced Splunk partner.

What's my experience with pricing, setup cost, and licensing?

The product has a lot of value, and I feel that we’re getting the value that we’re paying for.

Splunk Enterprise becomes extremely expensive after the 20GB/month license, but if you take care of what you log, i.e., by not logging excessive application events, then that license will get you a long way.

Which other solutions did I evaluate?

We looked at ELK Stack.

What other advice do I have?

Use an experienced Splunk architect to design your infrastructure configuration.

Ensure that your tech leads are intimately involved and understand exactly how the product fits together.

Manage your Splunk configuration in a repository (Git).

Educate the end users as quickly as possible to use the tool effectively.

Change practices and encourage staff to use Splunk instead of old ways of getting the data they need. Prevent, or limit, direct access to the servers or server log files if you can.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
MS Alam - PeerSpot reviewer
MS Alam, System Administrator at a retailer with 5,001-10,000 employees
Real User

I agree with the Splunk users who are saying Splunk is faster than other products.

it_user664632 - PeerSpot reviewer
Senior IT Security Operations at a pharma/biotech company with 10,001+ employees
Real User
May 25, 2017
Security relies on this for event correlation and alerts.
Pros and Cons
  • "The speed of the search engine"
  • "We previously used ArcSight; Splunk is at another level, as it is easier, more stable, and faster."
  • "The administration of the cluster and app deployment to indexers or search heads can be done only using ssh access and command line; there are no GUI tools for that."

How has it helped my organization?

The network department, for example, has improved its efficiency by 30%. Security relies on this for event correlation and alerts.

What is most valuable?

  • The speed of the search engine
  • All the types of data sources that you configure can be forwarded to Splunk.
  • The ease-of-use

What needs improvement?

Cluster management can only be done via a command line. I would like them to add some GUI options for that. Permissions are not very flexible, so it would be nice to have more granular options, such as double factor authentication.

The administration of the cluster and app deployment to indexers or search heads can be done only using ssh access and command line; there are no GUI tools for that.

Permissions, on the other hand, could be improved by adding, for example, a deny option for groups to see an index, etc. Also, the authentication method is just LDAP or Splunk, so some more security layers could be added, such as a second factor, etc.


What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It scales out horizontally.

How are customer service and technical support?

The quality of support depends on the support and license. On the average, I would give them a rating of 6/10.

Which solution did I use previously and why did I switch?

We previously used ArcSight. Splunk is at another level. It is easier, more stable, and faster.

How was the initial setup?

It is very easy to set up on a standalone server. Of course, if you want a cluster, it is more complicated. In order to manage it, you need skilled people.

What's my experience with pricing, setup cost, and licensing?

It is not cheap :-)

Which other solutions did I evaluate?

We were using ArcSight before.

What other advice do I have?

My advice is to go ahead with it.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
IT Infrastructure Architect at a tech company with 201-500 employees
Consultant
Top 20
May 23, 2017
Does event matching between several appliances and correlates data from different sources.
Pros and Cons
  • "It helps us to detect viruses and security events from our network."
  • "It needs documentation, and "how-to-do" information. It's complicated to build reports and views."

What is most valuable?

  • Event matching between several appliances
  • Correlating data from different sources
  • Report viewer

How has it helped my organization?

It helps us to detect viruses and security events from our network.

What needs improvement?

It needs documentation, and "how-to-do" information. It's complicated to build reports and views.

For how long have I used the solution?

I have used Splunk for about two years.

What do I think about the stability of the solution?

There were no stability issues. It was running on a VM over Hyper-V.

What do I think about the scalability of the solution?

There were no scalability issues. It was running on a VM over Hyper-V.

How are customer service and technical support?

I used support a little bit for some templates for formatting data from Cisco and Fortinet logs. They were very fast with their response. I didn't have any support contract, but only entry level support.

Which solution did I use previously and why did I switch?

This was our first try for log analysis.

How was the initial setup?

The setup was easy.

What's my experience with pricing, setup cost, and licensing?

There is nothing to say. At that time, it was for GBs of data received.

Which other solutions did I evaluate?

We did not look at alternatives. It was a consulting provider recommendation. It was a rapid implementation to accomplish legal requirements. After we used it for a while, we decided to keep it.

What other advice do I have?

Check for the plugin to format data of already completed templates for the appliance to which you want to keep logs and events.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Information Architect at a financial services firm with 5,001-10,000 employees
Real User
May 23, 2017
Provides visibility into business metrics and insights that deliver value.
Pros and Cons
  • "Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value."
  • "We usually have to follow up with technical support on our open cases."

How has it helped my organization?

It is deployed to investigate, detect, respond, and prevent security incidents and threats by providing valuable context and visual insights to make faster and smarter security decisions.

What is most valuable?

  • Splunk delivers a holistic view of an application (the big picture).
  • Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value.
  • Significant reduction in mean-time-to-investigate (MTTI) and mean-time-to-resolve (MTTR) production incidents from days to hours.
  • Splunk visualization capabilities help pinpoint problem areas, spikes, and anomalies easier and faster.
  • Ability to monitor and resolve integration problems before they impact the business user area.
  • Splunk is being used as part of the development life cycle, resulting in better quality and more efficient applications.
  • Provides additional insights into a 360 degree view of the customer.

What needs improvement?

We usually have to follow up with technical support on our open cases. Otherwise, Splunk listens to customers and is constantly incorporating their feedback in future releases.

What do I think about the stability of the solution?

There are no software stability issues. The issues so far have been internal.

What do I think about the scalability of the solution?

There are no scalability issues. If you are planning on using Splunk for security use cases, I would recommend you go with Linux for your OS.

How are customer service and technical support?

We have the enterprise level of support. This is one area Splunk could improve upon, since we usually have to follow up with them on our open cases.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

There were no issues with the initial setup. We utilized Splunk’s partner zones for the initial setup. In retrospect, we should have utilized Splunk Professional Services.

What's my experience with pricing, setup cost, and licensing?

Although Splunk is an expensive product, it is designed to be utilized across your organization in order to maximize your ROI and lower your TCO.

We contacted Gartner and other business associates to determine what others are paying for Splunk.

Which other solutions did I evaluate?

We started researching ELK (Elastic, Logstash, Kibana). But management was so impressed with Splunk that we ended this research.

What other advice do I have?

Ensure you have an executive sponsor to fully deploy Splunk across your organization to maximize your ROI and lower your TCO.

Make use of Splunk Professional Services.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Alireza Ghahrood - PeerSpot reviewer
Alireza Ghahrood, Consultant & Instructor - Cyber Security, Governance Risk Compliance (CISO as a Service) at a consultancy with 51-200 employees
Top 5
Real User

If there's gold in log files, Splunk will help you to find it. Splunk bridges the gap between simple log management and security information and event management products from vendors such as ArcSight, RSA, Q1 Labs and Symantec.

Splunk lets you gather log data from systems and devices, and run queries on that data to find issues and debug problems. Splunk's capabilities also include reporting and alerting, pushing it ever-so-slightly into the world of SIEM.

What separates out Splunk from the world of Syslog servers and SIEM tools is Splunk Apps, a library of nearly 200 add-ons that make Splunk smarter about particular types of log information, change its look-and-feel or add new types of analysis.

it_user664635 - PeerSpot reviewer
Performance Consultant at a tech services company with 10,001+ employees
Real User
May 17, 2017
Some of the valuable features include data representation options and the analytics and querying of the indices.
Pros and Cons
  • "The data representation options in the dashboards are excellent."
  • "Technical support and the online community are some of the best for any product."
  • "Security administration and user access control is pretty basic. The user access control could be much more granular, so that the admins can control r/w/x access for specific features of the product like dashboards, etc."

What is most valuable?

The analytics and querying of the indices is super easy.

The data representation options in the dashboards are excellent.

Multiple datasource/filetypes are supported and each can be customized in a few clicks.

What needs improvement?

Security administration and user access control is pretty basic. This can be improved.

The user access control could be much more granular, so that the admins can control r/w/x access for specific features of the product like dashboards, etc.

If this is improved, with a mapping against LDAP roles, it would be excellent.

What do I think about the stability of the solution?

We had no stability issues.

What do I think about the scalability of the solution?

We had no scalability issues.

How are customer service and technical support?

Technical support and the online community are some of the best for any product.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was quite easy and there is a lot of technical documentation for handholding you through the process.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing is quite expensive. But for the value the product provides, it seems at par in the market.

Which other solutions did I evaluate?

We looked at IBM SmartCloud Analytics and Log Analytics.

What other advice do I have?

Please watch out for the licensing agreement. There are a lot of IP specific clauses that Splunk has included in their license agreement. Per my understanding, any plugin available in the community cannot be used OOB, due to licensing restrictions. (This might be specific to our organization.)

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user664626 - PeerSpot reviewer
Business Analyst at a retailer with 10,001+ employees
Vendor
May 16, 2017
Provides real-time and scheduled searches with alternate functionalities.
Pros and Cons
  • "I would strongly recommend this product, as it would be very beneficial for service operations and management."
  • "VMware and security device integration looks a bit complex."

What is most valuable?

  • Flexibility when creating dashboards
  • Automated cron searches
  • Real-time and scheduled searches with alternate functionalities
  • User-base integration with LDAP

How has it helped my organization?

It alerted on many situations before other monitoring systems identified that there was a critical issue.

What needs improvement?

VMware and security device integration looks a bit complex.

For how long have I used the solution?

I have used Splunk for almost three years.

What do I think about the stability of the solution?

As of now, we have had no issues with stability. It is running like a charm.

What do I think about the scalability of the solution?

From a nodes perspective, there have been no scalability issues.

How are customer service and technical support?

I can say that support is good.

Which solution did I use previously and why did I switch?

We never used other solutions.

How was the initial setup?

We used the Splunk Cluster setup. It was a bit complex to set up, but management-wise and stability-wise, it was awesome.

What's my experience with pricing, setup cost, and licensing?

License costs fall under the NDA, but Splunk license costs are public, I believe.

Which other solutions did I evaluate?

We evaluated Logstash and others, but Splunk plays a pivotal role.

What other advice do I have?

I would strongly recommend this product, as it would be very beneficial for service operations and management.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user594183 - PeerSpot reviewer
Security Engineer at a retailer with 10,001+ employees
Real User
May 16, 2017
They provide predefined user cases. Scalability is always a question for this product.
Pros and Cons
  • "They provide excellent predefined user cases."
  • "Scalability is always a question for this product."

What is most valuable?

They provide excellent predefined user cases.

How has it helped my organization?

This helps us in the footprinting of all the incidents.

What needs improvement?

When we deep dive into the events for the triggers, we have very little information in some instances.

For how long have I used the solution?

I have used Splunk for two years.

What do I think about the stability of the solution?

We raised support cases.

What do I think about the scalability of the solution?

Scalability is always a question for this product.

How are customer service and technical support?

Response from technical support can be improved. There was always a delay and we had to chase them.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution.

How was the initial setup?

I was not present during the initial setup.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are always high compared to other products in the market. Storage is very expensive as well.

What other advice do I have?

It is a good product, but expensive.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
MS Alam - PeerSpot reviewer
MS Alam, System Administrator at a retailer with 5,001-10,000 employees
Real User

Splunk license and storage pricing is high. Please make it cheap; then most companies can use this product.

it_user396600 - PeerSpot reviewer
Vice Manager at a comms service provider with 10,001+ employees
Vendor
May 15, 2017
Collects data from many sources. Has search, analysis, and visualization capabilities.
Pros and Cons
  • "If you are an enterprise and you need the best service for critical business analysis, Splunk would be one of the best choices."

What is most valuable?

  • Collects data from any source
  • Powerful search, analysis, and visualization
  • Easy to build system on any platform
  • API and easily integrated search
  • Action script

How has it helped my organization?

We have over 7000 devices in our network infrastructure for monitoring, maintenance, and performance assessment.

We achieve this by collecting data and applying the analysis.

For how long have I used the solution?

I have used this solution for one year.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability. Everything is normal with no bugs.

How are customer service and technical support?

It’s easy to obtain support from Splunk for technical issues. We also have enough knowledge ourselves to apply fixes.

Which solution did I use previously and why did I switch?

We used to deploy Elastic Stack. The search language of Splunk is easier and friendlier than Elastic Stack. It has helped me to search quickly and easily. Based on the results, it’s easy to visualize and add results to a previously built, personal dashboard.

What's my experience with pricing, setup cost, and licensing?

Licensing is free. Pricing is based on usage.

Which other solutions did I evaluate?

We evaluated Elastic Stack and Sumo Logic.

What other advice do I have?

If you are an enterprise and you need the best service for critical business analysis, Splunk would be one of the best choices.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user363165 - PeerSpot reviewer
Products Manager at a tech services company with 5,001-10,000 employees
MSP
May 11, 2017
Valuable features include rapid search, data mining, and information propagation. The GUI should be improved.
Pros and Cons
  • "It has been helping a lot of my clients with fast data mining and information propagation."
  • "The GUI should be improved, in other words, the overall appearance."

What is most valuable?

Rapid search is a valuable feature. Performance and incident response were the top priorities for most MSSPs. Breaches of SLAs will have a negative impact on customer trust, which eventually leads to losing customer confidence on services to which they’re subscribing. Hence, the proactive approaches will be the main differentiator from one MSSP to the others.

How has it helped my organization?

It has been helping a lot of my clients with fast data mining and information propagation.

What needs improvement?

The GUI should be improved, in other words, the overall appearance.

For how long have I used the solution?

I am not the end-user. However, my job was more relevant as a consultant.

What do I think about the stability of the solution?

Performance upgrades are needed when more processing power is required.

What do I think about the scalability of the solution?

We have not had scalability issues.

How are customer service and technical support?

Technical support is good.

Which solution did I use previously and why did I switch?

The client was using an open source solution. They decided to switch to an enterprise product.

How was the initial setup?

The setup can be straightforward, if use cases are well defined.

What's my experience with pricing, setup cost, and licensing?

Overall, the cost is reasonable and it is easy to upgrade.

Which other solutions did I evaluate?

Our client was considering the other solutions as well. However, due to their overall assessment, they still considered going with it.

What other advice do I have?

Start off with something at a comfortable level, expand gradually, and then move upwards, expanding steadily.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are a distributor.
PeerSpot user