Ahmed Al-Nabhani
Systems Engineer at Dell Technologies
Provides threat intelligence, good visibility, and detects threats faster
Pros and Cons
  • "Splunk has been recognized by Gartner as a leader in providing visibility for observability and monitoring across various platforms, including physical, virtual, and container environments, for several years."
  • "Splunk goes beyond collecting basic metrics like CPU or memory utilization; it comprehensively gathers data from various sources, including networks, applications, and virtualization, eliminating the need for siloed solutions and enhancing the capabilities of existing engineering software."
  • "I'd like a dashboard that allows me to connect elements through drag-and-drop functionality."

What is our primary use case?

Typically, the standard approach for Splunk sizing involves gathering data from the entire IT environment, regardless of whether it's hardware, virtualized, or application-based. This data is then collected and monitored through Splunk as a comprehensive security solution. We also work with Splunk-related platforms like Application Performance Monitoring to provide a holistic view of system performance. Recently, we implemented this solution for a bank in Qatar. Splunk excels at collecting high-volume data from networks, making it ideal for performance monitoring and scaling. During the sizing process, it's crucial to calculate the daily data ingestion rate, which determines the amount of data Splunk Enterprise needs to process and visualize for security purposes. Several factors need consideration when sizing Splunk: the tier structure (hot and cold buckets), customer use cases for free quota access, and storage choices based on data access frequency. Hot buckets typically utilize all-flash storage for optimal performance and low latency, while less frequently accessed data resides in cold or frozen buckets for archival purposes. In essence, the goal is to tailor the Splunk solution to meet the specific needs and usage patterns of each customer.

One challenge that our customers face is slow data retrieval. Customers may experience delays in retrieving cold data due to complex search queries within Splunk Enterprise Security. These queries can sometimes take up to an hour and a half to execute. Our architecture incorporates optimized query strategies and customization options to significantly reduce data retrieval times. This enables faster access to both hot and cold data.

Another challenge is scalability constraints. Traditional solutions may have limitations in scaling to accommodate increasing data volumes. This can be a significant concern for customers who anticipate future growth. Our certified architecture is designed for easy and flexible scalability. It allows customers to seamlessly scale their infrastructure based on their evolving needs, without encountering the limitations often faced with other vendors' solutions.

The final challenge is complex sizing and management. Traditional solutions often require extensive hardware configuration and sizing expertise, which can be a challenge for many organizations. This reliance on hardware expertise can hinder scalability and adaptability. Our architecture focuses on software and application administration, minimizing the dependence on specific hardware configurations. This simplifies deployment and ongoing management, making it more accessible to organizations with varying levels of technical expertise.

Our architecture leverages Splunk's native deployment features, including:
  • Index and bucket configuration. Data is categorized into hot, warm, and cold buckets for efficient storage and retrieval.
  • Active/passive or active/active clustering. This ensures high availability and redundancy for critical data.
  • Resource allocation. Data, compute, and memory resources are distributed evenly across clusters for optimal performance.

For high-volume data ingestion exceeding 8 terabytes per day, we recommend deploying critical components on dedicated physical hardware rather than virtual machines. Virtualization can introduce overhead and latency, potentially impacting performance. Utilizing physical hardware for these components can help mitigate these bottlenecks and ensure optimal performance for large data volumes.

How has it helped my organization?

Splunk Enterprise Security provides visibility across multiple environments. IT leaders and management directors often seek a simplified monitoring tool that can handle everything. However, using a third-party tool or a monitoring tool for multiple environments comes with certain considerations. These may include software version upgrades, connector updates, or API integrations for collecting specific metrics beyond the usual ten. Therefore, the key factors for a customer choosing a monitoring solution are: how easily the tool can integrate with existing physical, virtual, microservices, or hyper-scaler environments; whether it can provide a centralized view of monitoring data across multiple environments; and whether it can integrate with existing data analytics tools like Cloudera, Starburst, or Teradata. Integrating a monitoring solution with data analytics is crucial for a complete picture. While a standalone monitoring solution can help with capacity planning, data analytics provides insights for code analysis and historical data. This allows management to plan budgets, reduce costs, and make informed decisions for the future. Combining a monitoring tool like Splunk Enterprise Security with a data analytics engine like Cloudera or Teradata maximizes the value of data and empowers better decision-making.

Our monitoring tools offer various functionalities, including detection and third-party integration. For example, we have an integration with TigerGuard, a platform for threat detection. Additionally, we provide robust auditing capabilities to track changes within the environment. This helps identify potential intrusions and suspicious activity, whether from internal or external actors. To ensure the security of our monitoring tools, we implement several prevention and protection mechanisms. This includes continuous monitoring of logs and audits, even in case of tool failure. Leading enterprise monitoring solutions often connect to dedicated audit servers via SNMP traps, providing a centralized view of all infrastructure changes. This allows administrators, like Splunk users, to easily track modifications and identify potential security risks. Furthermore, individual software products within our monitoring suite have their access control lists and security measures. These may include features like certificates, user authentication, and security manager integration. Additionally, some products offer optional plugins or add-on licenses to enhance their auditing capabilities and meet specific organizational security requirements. Security is a complex and multifaceted topic, encompassing various aspects. This includes data location, user activity monitoring, intrusion prevention, and incident recovery procedures. Addressing these concerns effectively requires a comprehensive security platform assessment that evaluates the entire system, from hardware to applications, ensuring data integrity, encryption, and overall security at every layer.

Threat intelligence management utilizes dedicated tools for both threat and incident management. These tools help organizations define their response plan in case of an event, including how to recover, what the RTO and RPO are, and how to achieve them. This ensures the organization can recover quickly and efficiently in the event of a failure, unauthorized access, or data deletion. While threat incident management strategies may vary depending on the customer, the banking sector typically undergoes rigorous threat management inspections. While I may not be a threat management expert, there are crucial security measures to consider, encompassing personnel training, hardware security, and application controls. These elements, when orchestrated harmoniously, contribute to a secure environment that minimizes the risk of breaches, facilitates successful audits, and ensures data integrity.

The effectiveness of the threat intelligence management feature depends on how the customer responds to various threats, such as ransomware or network intrusions. While the tool provides recommendations, it requires customization to align with each organization's unique categorization criteria like high, medium, low, and specific security objectives. Ultimately, the goal is to protect data, enhance security, and ensure effective incident response procedures. Deploying the threat intelligence tool necessitates customization for each customer. Default settings may not be optimal, as human intervention might be necessary to address potential software errors or inaccurate recommendations. In such cases, manual intervention might be more effective. Therefore, the tool's usefulness depends on the specific threat, its recommendations, and the organization's response approach.

Splunk Enterprise Security is a powerful tool for analyzing malicious activity and detecting breaches. However, its effectiveness depends heavily on proper configuration and skilled administration. They must be able to connect Splunk with the necessary parameters, collect logs daily, and analyze them effectively. They must also have the ability to query Splunk efficiently to gather relevant data, an understanding of use cases and how to integrate with other systems securely, customization of the environment to meet specific needs, including adding connectors and add-ons, and visualization of data in a way that is clear and actionable for both analysts and management. While Splunk is a valuable platform, it requires careful management and expertise to unlock its full potential. Companies deploying Splunk should invest in skilled administrators to ensure its effectiveness in securing their environment.

Splunk helps us detect threats faster. As a Splunk administrator, I can monitor for suspicious activity, such as sudden changes in behavior, high resource utilization on specific file shares, or unusual data transfers. These events can trigger questions like: Why is the system experiencing high utilization? Is data leaking and being transferred elsewhere? Why is this application consuming excessive resources? Why has data suddenly disappeared from the system? Splunk Enterprise Security provides valuable insights and helps identify potential security issues. However, integrating threat intelligence management with Splunk can further automate this process. When suspicious activity is detected, the system can automatically take predefined actions. However, these actions require customization and testing before implementation. This may involve: customer review and approval of the automated response; POC testing to validate the effectiveness of the response; regular monitoring of the system's behavior and response to threat intelligence; and fine-tuning or customization of Splunk Enterprise Security settings to optimize threat detection and response.

Splunk has been beneficial to our organization from a partnership perspective. Even after Dell's acquisition of Cisco, our strong collaboration and certified solutions continue. This partnership strengthens our position with customers seeking the best solutions on the right platform. For example, if a customer requires a Splunk solution and a competitor lacks certified solutions, it could hinder their trust and purchasing decision. In contrast, our close collaboration with Splunk and certified add-ons for Splunk Enterprise Security adds value. We possess expertise in various Splunk architectures. I've worked with over four banks in Saudi Arabia alone that utilize Splunk and Dell hardware. Globally, we cater to diverse Splunk architectures and platforms, ensuring customer satisfaction with our diverse technology expertise. While we acknowledge competition, the focus here is on how our partnership with Splunk enhances the integration experience, offering both tightly coupled and loosely coupled architectures.

Since implementing Splunk Enterprise Security, we've observed improvements in both stability and the accuracy of data visualization. The low latency allows us to efficiently query the extensive data it provides. Splunk goes beyond collecting basic metrics like CPU or memory utilization; it comprehensively gathers data from various sources, including networks, applications, and virtualization. This unified platform eliminates the need for siloed solutions and enhances the capabilities of existing engineering software. While Splunk is a popular choice for data analysis due to its powerful features, its pricing structure based on daily data ingestion can be expensive. This pricing model, however, allows them to accurately charge based on resource usage. It's important to consider your data collection and visualization needs to determine the appropriate licensing tier. While other monitoring tools might share similar pricing models, Splunk distinguishes itself through its data segregation across various components. This simplifies communication between indexes, forwarders, and searches, allowing for efficient data processing within a single platform. Additionally, Splunk excels in data visualization and analytics, making it a leading choice for security and observability solutions. Their recent top ranking in Gartner's observability category further emphasizes their strengths. This recognition stems from their platform's compatibility with diverse hardware vendors, exceptional data visualization capabilities, and innovative data segregation strategies. Splunk's tiered access control and efficient cold/frozen data storage further enhance its value proposition. Ultimately, Splunk empowers users to interact with their data effectively. This valuable asset, when properly understood and visualized, can provide actionable insights without impacting network or application performance. 
Moreover, Splunk's customization and implementation potential extend beyond data analysis, offering recommendations and threat intelligence for proactive security measures. In conclusion, while Splunk's pricing might initially appear expensive, its comprehensive features and capabilities justify its cost for organizations seeking advanced data analysis and security solutions.

Realizing the full benefits of Splunk Enterprise Security takes time. While the software itself can be deployed quickly, it requires historical data to function effectively. This means collecting data for some time before you can rely on it for accurate insights. Several factors contribute to the time it takes to see value. First, there is deployment and customization. Setting up Splunk involves hardware, software, and integration, which can be time-consuming, especially during the first year. The second is data collection. Building a historical data set takes time, and the initial period may not provide significant value. There is also customization and training. Tailoring reports and training users requires additional investment, potentially involving workshops and professional services. To expedite the process, Splunk offers various resources, including a proof of concept, which allows testing Splunk with a limited data set for a specific period. Splunk may offer temporary free licenses for small workloads to facilitate initial evaluation. Splunk provides educational resources to help customers understand and utilize the platform effectively. Additionally, some partners leverage their Splunk expertise to help customers. Partners can educate and guide customers through the process, streamlining their experience, and assist with customizing reports and training users, accelerating the value realization process. By understanding these factors and leveraging available resources, organizations can optimize their Splunk implementation and achieve its full potential within a reasonable timeframe.

What is most valuable?

Splunk has been recognized by Gartner as a leader in providing visibility for observability and monitoring across various platforms, including physical, virtual, and container environments, for several years. This has made it a popular choice for many organizations, including those in the banking industry. Currently, only one of our banks utilizes QRadar. This may be due to the cost associated with switching from Splunk, which can be expensive. As a result, the customer might be prioritizing financial considerations over functionality at this time. It's important to note that while Splunk is recognized as a leader in platform capabilities, the decision to use a specific solution should ultimately be based on both functionality and cost considerations. This is why we have established a joint engineering team with Splunk to develop a platform that meets the needs of our customers.

What needs improvement?

I'd like a dashboard that allows me to connect elements through drag-and-drop functionality. Additionally, I want the ability to view the automatically generated queries behind the scenes, including recommendations for optimization. This is just a preliminary idea, but I envision the possibility of using intelligent software to further customize my queries. For example, imagine I could train my queries to be more specific through an AI-powered interface. This would allow me to perform complex searches efficiently. For instance, an initial search might take an hour and a half, but by refining the parameters through drag-and-drop and AI suggestions, I could achieve the same result in just five minutes. Overall, I'm interested in exploring ways to customize queries for faster and more efficient data retrieval. Ideally, the dashboard would provide additional guidance and suggestions to further enhance my workflow through customization and optimization.

Buyer's Guide
Splunk Enterprise Security
September 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,787 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk APM for four years.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security depends on how data is tiered. Splunk recommends different storage options based on data access frequency and volume.
  • Hot and warm data: This data is accessed frequently and requires fast storage like SSD or NVMe.
  • Cold and frozen data: This data is accessed less often and can be stored on cheaper options like Nearline, SaaS, NAS, or object storage.

Splunk prioritizes cost-effectiveness and recommends low-tier storage for cold and frozen data, which typically makes up the majority of customer data. This reduces costs compared to expensive SAN storage. However, the decision ultimately depends on the customer's budget and specific needs. Customers with limited budgets or small use cases might choose to store all data on a single platform initially and expand to dedicated cold and frozen storage later. This approach requires manual configuration changes (e.g., modifying indexes.conf and forwarder configurations) to redirect data to the new tier.

While Splunk recommends optimal tier configurations for hot, warm, cold, and frozen data, the final decision rests with the customer based on their budget and specific requirements.

Changes to storage tiers can be implemented later through configuration adjustments, but this process might be more complex than using dedicated storage from the beginning.

Overall, Splunk guides the best tier options for different data access patterns while acknowledging the customer's autonomy in making the final storage decision.

What do I think about the scalability of the solution?

We have ambitious expansion plans. As our customer base grows, we see significant increases in data ingestion. For example, one of our largest Splunk customers has increased its daily data ingestion from two terabytes to eight terabytes in just three years. This expansion benefits both the customer and Splunk. The customer gains valuable insights from the additional data, while Splunk increases its revenue through additional license sales. However, it's important to note that expanding data ingestion requires careful consideration of hardware limitations. Increasing data volume necessitates adding more forwarders, indexes, and searches, which can impact Splunk licensing requirements. This highlights the crucial need for comprehensive planning and resource allocation during expansion initiatives. Furthermore, we have observed instances where customers unintentionally exceed their licensed data ingestion capacity. For example, one bank was ingesting six terabytes of data per day while only holding a four-terabyte license. This underscores the importance of close monitoring and proactive license management to ensure compliance and avoid potential licensing issues.

Which solution did I use previously and why did I switch?

Our expertise extends beyond Splunk. We offer certified architectures for other SIEM solutions like IBM QRadar, catering to diverse customer requirements. However, IBM QRadar does not have as wide of a platform as Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

Splunk can be expensive, as its licensing is based on the daily data ingestion volume. While we've observed numerous implementations, most are executed remotely by Splunk itself. However, if on-site assistance from a Splunk engineer is desired, it can be costly due to travel expenses from either the Dubai office or Europe. To address this, Splunk is exploring partnerships to offer implementation services at more accessible price points.

For someone evaluating SIEM solutions and prioritizing cost, traditional marketing materials may not be the most effective approach. Customers in Saudi Arabia, like many others, often appreciate tangible demonstrations of value. Therefore, consider offering a POC to showcase Splunk's capabilities in their specific environment. Investing in the customer through various strategies can demonstrate your commitment and build trust. Granting temporary access allows them to experiment with Splunk firsthand. Provide resources and support to help them learn and utilize the platform effectively. Leverage your partner network to offer additional training and expertise. Invite key decision-makers to exclusive events or meetings with Splunk leadership, fostering a deeper connection and understanding. Remember, success often hinges on addressing specific needs. While POCs and business cases are crucial, consider potential customization requirements and existing workflows. If they've used a different tool for years, transitioning may require additional support and training due to established user familiarity. Splunk's investment in the customer journey goes beyond initial acquisition. By offering POCs, temporary licenses, training, and even exclusive experiences, you demonstrate value and commitment, ultimately fostering long-term success. Demand generation, in essence, boils down to two key aspects: identifying their specific requirements and desired outcomes, and recognizing that different customers have varying budgets, experience levels, learning curves, expectations, and decision-making processes. While some customers may be more challenging to persuade, others readily embrace the extra mile. Enterprise clients often fall into the latter category due to their greater flexibility in resource allocation, dedicated security operations teams, and ability to invest in necessary hardware.
Remember, SIEM solutions often involve hardware considerations beyond just software, so understanding these additional costs is crucial for accurate solution sizing and customer budgeting.

Which other solutions did I evaluate?

Several competitors to Splunk exist in the market, including IBM QRadar, AppDynamics which is used by some customers for monitoring and security, and Micro Focus used for enterprise monitoring, incident reporting, and capacity planning. While Dynatrace is a leader in the field, its presence in the banking sector, particularly in Saudi Arabia, seems limited, perhaps due to having only one certified partner acting as its distributor. In contrast, Splunk boasts a wider network of partners who actively implement and enable customers, leading to its increased market prevalence.

What other advice do I have?

I would rate Splunk APM a nine out of ten.

Monitoring multiple hyperscalers with a single tool can be challenging. While some tools like VMware CloudHealth offer limited cross-platform capabilities, they often focus on specific aspects like virtual instances and storage. For comprehensive cloud monitoring across different hyperscalers like Azure and AWS, third-party solutions are typically necessary. Here at Dell, for example, we focus on monitoring tools for our own workloads and installed base, allowing integration with third-party solutions for cloud environments. This enables customers with workloads across multiple hyperscalers to leverage established enterprise monitoring tools like New Relic, AppDynamics (Cisco), Micro Focus (HP), and Splunk for unified visibility. Ultimately, choosing a solution often involves balancing operational and capital expenditures. By employing third-party tools, organizations can achieve comprehensive monitoring across various cloud environments while potentially reducing overall costs.

We offer various deployment options for Splunk to cater to diverse customer needs and regulations. We can deploy Splunk on various infrastructures, including hyper-converged, bare-metal, two-tier, and three-tier architectures. While cloud deployment is an option, regulations from the Saudi Central Bank restrict customer data storage outside the kingdom. Therefore, most of our customers in the financial sector opt for private or local cloud solutions. While a dedicated private cloud experience for Splunk isn't currently available, customers are seeking access to features like SmartStore, a caching tier that is now bundled with the Enterprise Security license from version 7.x onwards (previously it was offered separately). The chosen deployment approach depends on factors like budget, customer expectations, performance requirements, and compatibility with Splunk's recommended sizing solutions. We utilize both internal sizing tools and Splunk's official tools to ensure proper resource allocation for indexers, search heads, and forwarders based on specific customer needs. We have deployed our Dell servers, storage, and data protection solutions. Additionally, we have implemented a reference architecture. From a hardware perspective, we have everything in place to support Splunk as a reference architecture. This is indisputable, as it reflects our current infrastructure.

I have one customer who uses Splunk on a single site. In contrast, other customers have deployed Splunk in an active-active cluster configuration across two sites, effectively segregating the data across the environments with two-factor authentication. For these other environments, I have observed that each customer has a unique monitoring perspective or performance requirement, reflected in their individual subscriptions.

Splunk is responsible for software maintenance, while we handle the hardware aspects.

Splunk Enterprise Security is one of the most mature security solutions available. While it is expensive, it offers good value by providing the necessary security measurements, monitoring, and auditing capabilities required for running an enterprise environment. 

The combined forces of Splunk and Dell create significant resilience for us. Our joint architecture, strong alignment between the Dell account team and Splunk sales and presales, and collaborative efforts have been instrumental in addressing specific customer needs, such as sizing. This collaboration is mutually beneficial: Splunk focuses on selling licenses, while Dell prioritizes hardware sales. Unlike Cloudera, which optimizes licenses for its platform, Splunk bases licensing on the ingestion rate, demonstrating its alignment with our advanced architecture. This creates a win-win situation for both companies.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
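The review above describes three recurring planning tasks: calculating the daily ingestion rate during sizing, deciding how much capacity each of the hot/warm, cold and frozen tiers needs, and catching customers who ingest more than their license allows (the six-terabytes-on-a-four-terabyte-license case). The following Python script is an added example, not code from the reviewer, Dell or Splunk. The daily ingestion figures, the license quota and every ratio (replication factor, on-disk fraction of raw ingest, frozen-archive fraction) are constructed assumptions that you would replace with the numbers from your own license manager and index configuration.

```python
"""
Tier sizing and license-headroom check for a Splunk indexer cluster.

Added example, not code from the review or from Dell/Splunk. The daily
ingestion figures and every ratio below are constructed assumptions;
replace them with the values from your own license manager and
index configuration.
"""
from dataclasses import dataclass
from math import ceil

# Constructed daily ingestion (GB) for one hypothetical indexer cluster.
SAMPLE_DAILY_INGEST_GB = {
    "2025-09-01": 3800,
    "2025-09-02": 4200,
    "2025-09-03": 3950,
    "2025-09-04": 6000,
    "2025-09-05": 4050,
}
LICENSE_QUOTA_GB_PER_DAY = 4000  # constructed license quota


@dataclass(frozen=True)
class TierPlan:
    """Retention per tier, in days, plus the sizing assumptions used below."""
    hot_warm_days: int
    cold_days: int
    frozen_days: int
    replication_factor: int = 2   # assumption: cluster replication factor of 2
    disk_ratio: float = 0.5       # assumption: raw + index files on disk ~= 50% of raw ingest
    frozen_ratio: float = 0.15    # assumption: frozen copy keeps only the compressed raw journal


def license_violations(daily_gb, quota_gb):
    """Days whose ingestion exceeded the licensed daily volume, oldest first."""
    return sorted(day for day, gb in daily_gb.items() if gb > quota_gb)


def recommended_license_gb(daily_gb, headroom=0.2):
    """License size covering the observed peak plus headroom, rounded up to 100 GB."""
    peak = max(daily_gb.values())
    return ceil(peak * (1 + headroom) / 100) * 100


def tier_storage_gb(avg_daily_gb, plan):
    """Usable capacity needed per tier for the given retention plan."""
    # Searchable tiers hold raw data plus index files, replicated across peers.
    searchable_per_day = avg_daily_gb * plan.disk_ratio * plan.replication_factor
    # Frozen data is an archive: single copy, raw journal only (assumption).
    frozen_per_day = avg_daily_gb * plan.frozen_ratio
    return {
        "hot_warm": searchable_per_day * plan.hot_warm_days,
        "cold": searchable_per_day * plan.cold_days,
        "frozen": frozen_per_day * plan.frozen_days,
    }


def sizing_report(daily_gb, quota_gb, plan):
    """Combine the ingestion average, license check and per-tier storage estimate."""
    avg = sum(daily_gb.values()) / len(daily_gb)
    return {
        "average_daily_gb": avg,
        "over_license_days": license_violations(daily_gb, quota_gb),
        "recommended_license_gb": recommended_license_gb(daily_gb),
        "tier_storage_gb": tier_storage_gb(avg, plan),
    }


if __name__ == "__main__":
    # 30 days searchable on fast storage, the rest of a year on cold, one more year frozen.
    plan = TierPlan(hot_warm_days=30, cold_days=335, frozen_days=365)
    report = sizing_report(SAMPLE_DAILY_INGEST_GB, LICENSE_QUOTA_GB_PER_DAY, plan)
    print(f"average daily ingest: {report['average_daily_gb']:.0f} GB")
    print(f"days over license:    {report['over_license_days']}")
    print(f"recommended license:  {report['recommended_license_gb']} GB/day")
    for tier, gb in report["tier_storage_gb"].items():
        print(f"{tier:>9}: {gb / 1024:8.1f} TB")
```

The on-disk and frozen ratios are deliberately exposed as fields rather than hard-coded, because compressibility varies widely by source type (syslog compresses far better than already-compressed binary blobs); measure them on a representative index before trusting the totals, and treat the license recommendation as a starting point for the conversation with the customer rather than a quote.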
Section Head at Galaxy Chemicals Egypt
Improves our security posture and offers good reporting capabilities
Pros and Cons
  • "The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations."
  • "Splunk's support is better, and its reporting is easier and better."
  • "The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks."
  • "The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks."

What is our primary use case?

My usual use cases for Splunk Enterprise Security include normal reporting.

How has it helped my organization?

Splunk Enterprise Security has positively impacted my organization by increasing security defense. It provides a good environment for defense.

What is most valuable?

The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations.

What needs improvement?

The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks.

For how long have I used the solution?

I have been working with Splunk Enterprise Security during the last year.

What do I think about the stability of the solution?

I would rate Splunk Enterprise Security an eight out of ten for stability. In security, nothing is 100%.

What do I think about the scalability of the solution?

I would rate the scalability of Splunk Enterprise Security an eight out of ten. I have not tried anything to scale up or scale out as it is a new setup, but I believe it will be easy for that.

How are customer service and support?

I would rate the technical support of Splunk a seven out of ten. Sometimes there are delays; they give a response only after some time.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I used QRadar. The switch from QRadar to Splunk Enterprise Security was a management decision. We moved to Splunk Enterprise Security because of its benefits. Splunk's support is better, and its reporting is easier and better. There are also pricing advantages.

How was the initial setup?

It is a normal process. It isn't complex, but it is a new setup with new interfaces and a new way of thinking. It is always a challenge to use new software, and it takes some time to get familiar with it.

What about the implementation team?

I can install Splunk Enterprise Security myself, though some things require dealing with external assistance.

What was our ROI?

We have not calculated ROI in our environment. I have not received any assignment or recommendation to calculate ROI.

What's my experience with pricing, setup cost, and licensing?

The pricing of Splunk Enterprise Security is somewhat high, but comparing it with its benefits, it's acceptable. It depends on the type of business.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Architect at UMMS
Real User
Top 5
Incident reviews and machine learning capabilities help identify and prevent incidents
Pros and Cons
  • "The incident review in Splunk Enterprise Security seems to be the most helpful feature."
  • "Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option."
  • "It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free."
  • "One thing that I probably dislike the most about the Splunk product is their support."

What is our primary use case?

We use Splunk Enterprise Security for security monitoring.

How has it helped my organization?

Advanced correlation capabilities help to identify the patterns of malicious activities.

Machine learning capabilities in Splunk Enterprise Security have been effective for identifying and preventing incidents. Through machine learning, they correlate all the data and create notable events, which helps us identify malicious or suspicious traffic.

We have used the risk-based alerting a little bit. So far, it's been just fine. We haven't gone deep into it. Our other operations team hasn't utilized it to its full capacity, but it makes a pretty good filter overall.

The impact of automated responses provided by Splunk Enterprise Security has been very good on the efficiency of routine security operations.

What is most valuable?

The incident review in Splunk Enterprise Security seems to be the most helpful feature. 

What needs improvement?

It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free. 

Furthermore, incorporating Attack Analyzer into the main product instead of having it as a separate paid purchase would be an improvement.

For how long have I used the solution?

I have been using the solution for about three years.

What do I think about the stability of the solution?

I've had an issue only once with one of their products, but overall, it's been pretty good.

What do I think about the scalability of the solution?

Its scalability is pretty good.

How are customer service and support?

For Splunk Enterprise Security, it's been pretty good. For the regular Splunk Enterprise Platform, overall, it's like a C-minus. One thing that I probably dislike the most about the Splunk product is their support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I previously used LogRhythm. Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option.

How was the initial setup?

I deployed Splunk Enterprise Security using professional services, and overall, it was good. My main responsibility was handling the coordination. The full implementation took about four months.

Approximately 90% of maintenance is done by Splunk.

What about the implementation team?

The implementation was handled by myself.

We purchased Splunk Enterprise Security through a reseller called AccessIT.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is a bit expensive overall, but it provides good value.

What other advice do I have?

I would rate this solution an eight out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2382405 - PeerSpot reviewer
IT Developer/Architect at a government with 10,001+ employees
Real User
Top 20
It integrates well, reduces alert volume, and we can customize the dashboards
Pros and Cons
  • "Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets."
  • "I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging."

What is our primary use case?

We use Splunk Enterprise Security for various security use cases, including writing correlation searches. This has significantly improved both our use cases and correlation searches. We can leverage existing resources, making modifications as needed, rather than starting from scratch each time. Splunk Enterprise Security provides diverse use cases across different environments, including AWS, Azure, and multi-cloud setups, while also integrating with Microsoft Sentinel. Additionally, we can integrate Splunk's service orchestration product for further automation. Overall, this allows us to automate tasks that security analysts previously performed manually, such as reviewing incident dashboards. We can fine-tune alerts based on analyst feedback.

Splunk's research team ensures that use cases are updated with the latest security content, enabling us to understand and implement necessary steps while customizing them to fit our company's needs. This is what makes Splunk Enterprise Security so popular; it streamlines processes compared to legacy security products that often rely on manual scripts. Clients, including government agencies and banks, are transitioning to Splunk Enterprise Security due to its reduced training requirements and comprehensive features. Everything is consolidated, simplifying training and certification. Additionally, integrating Splunk's service orchestration product further automates tasks and improves response times.

The substantial investment in Splunk indicates its staying power; no other product on the market currently offers comparable capabilities. Cisco's acquisition of Splunk reinforces its potential for success, combining APM, data logging, and security portfolios.

In one financial project involving 600,000 users, we were able to monitor all incoming traffic, identify security activities, and distinguish between legitimate and malicious traffic, including phishing attacks and potential identity-based threats. Splunk enables tracking individual identities, crucial for detecting attacks where perpetrators hide behind compromised identities, often leading to data breaches and other security incidents.

We implemented Splunk Enterprise Security to assist with AWS security, which includes GuardDuty, CloudTrail, CloudWatch, and Inspector. These AWS components generate compliance and security alerts, which we correlate and use to create dashboard reports and identify security events for various use cases. We then enable the out-of-the-box use cases and send notable events to the dashboard. The implementation is currently in its early stages.

How has it helped my organization?

Splunk Enterprise Security operates based on incoming data, making monitoring multiple cloud environments relatively simple due to data availability and integration capabilities. Data from CloudTrail, CloudWatch, Azure, and other diverse environments can be incorporated. While occasional patching might be necessary, most integrations are readily available, offering extensive coverage without customization. Specific customizations might still be required, but most functionalities are pre-built, leveraging code developed by Splunk. This efficient approach involves analyzing data from vendors like Palo Alto and applying add-ons to apply code and automate parsing.

Our visibility into various environments depends on how much data we incorporate; therefore, the more we scan, the better our visibility.

Splunk Enterprise Security's insider threat detection capabilities act as a secondary approval and vetting process, helping our organization ensure there are no unauthorized users.

The MITRE ATT&CK framework allows us to identify criticality levels, helping us respond to incidents. We might integrate incident response with a REST API, where a notable event triggers the creation of a ServiceNow ticket. Information flows from ServiceNow back to Splunk, which then feeds other systems, enabling bidirectional incident management. These processes are largely out-of-the-box, as Splunk integrates well with ServiceNow, except for any customizations. We understand the data integration requirements and leverage Splunk's extensive integration capabilities.

Splunk Enterprise Security does a good job of analyzing malicious activities and detecting breaches. The amount of information the research and threat detection teams receive from Splunk enables faster threat detection of up to 60 percent, eliminating the need to consult numerous sources. This efficiency is a key benefit of Splunk, as its significant investment in security allows for expedited processes.

I have seen the older legacy product where they have this manual process to identify issues, run scripts, try to identify the output, and then go through ten systems to collect data. This could take days. Now, with Splunk, we have everything correlated with multiple use cases, and we have a correlation search between multiple systems, along with application data. Splunk Enterprise Security can stitch all this information together and show it in a single pane of glass, which makes decision-making faster and allows us to focus on the relevant issues instead of wasting time on non-relevant ones. They have done this well.

Splunk Enterprise Security significantly reduced our alert volume. The initial challenge was dealing with a legacy IBM system that generated a massive amount of unfiltered noise, making it difficult to identify relevant events to send to the incident dashboard. This process was time-consuming and inefficient, and the value of the system wasn't apparent. To address this, we fine-tuned both the SOAR system and Splunk by applying filters and conditions to focus on relevant data. Ultimately, Splunk reduced the alert noise from 1,000 events in two hours down to ten, which were then grouped into a single notable event. Despite potentially having hundreds of background events, Splunk condensed this information into a single, actionable item, allowing us to focus on investigating the most relevant issues.

Splunk Enterprise Security accelerates our security investigations by reducing noise, allowing us to focus on relevant use cases. Everything is categorized as high, medium, or low priority, and people immediately start investigating high-priority issues connected to PagerDuty. Sometimes, this leads to on-call situations, sometimes immediate action. Service orchestration and playbook scenarios enable automated responses, like instantly blocking unauthorized access to a system. The possibilities for security use cases with playbooks and service orchestration are vast, and I'm excited to explore them further in the coming days.

The dashboards and reporting capabilities help to aid our security analysis.

We have integrated Splunk Enterprise Security with various services to streamline our security operations. This integration allows us to leverage diverse data sources for creating lookups, data models, knowledge objects, and regular expressions. By automating the development of use cases and regular expressions, we can apply them to data more efficiently, enabling faster implementation and analysis. This approach enhances our ability to detect and respond to security threats effectively.

Splunk Enterprise Security has enhanced our organization's security posture by providing comprehensive security compliance dashboard reports.

What is most valuable?

I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.

Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.

What needs improvement?

I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging. Although Splunk has simplified data onboarding with features like data managers, they need to improve their out-of-the-box parsing capabilities. While they've made significant progress, covering about 70 percent of common products, there's still a 30 percent gap where manual configuration is required. This forces us to spend time understanding and writing custom parsing rules instead of focusing on data analysis. With Splunk's recent acquisition by Cisco, I'm hopeful they will prioritize enhancing this functionality and increasing their coverage to 90 percent or more.

I want to see Splunk Enterprise Security dashboards incorporate more features, such as out-of-the-box AI and user behaviour analytics, which are accessible within a single dashboard.

The technical support response time has room for improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years.

What do I think about the stability of the solution?

Splunk Enterprise Security has stability issues, especially with large data volumes, increased data intake, complex dashboards, custom models, and processing that significantly impact performance. Many customers experience this; even with demos using small datasets, performance degrades with millions of data points. This necessitates capacity planning, dedicated teams, and enforced best practices. These practices include restricting complex searches, blocking problematic users, and providing training to prevent performance degradation. Constant vigilance and proactive measures are crucial to maintaining a stable Splunk Enterprise Security environment. I would rate the stability of Splunk Enterprise Security five out of ten.

What do I think about the scalability of the solution?

I would rate Splunk Enterprise Security's scalability six out of ten. We need to add more shared CPU and memory and increase the capacity, and scaling requires a lot of planning and effort.

How are customer service and support?

Splunk's support quality has declined in the past five years. Response times are now slower, and resolving an issue can take weeks. Submitting a ticket and connecting with the appropriate support agent often requires numerous emails and calls.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

To improve security coverage and user experience, we replaced our outdated legacy solution with Splunk Enterprise Security.

How was the initial setup?

Our Splunk Enterprise Security cloud deployment utilizes a DevOps approach with a fully automated CI/CD pipeline. This automation has significantly improved our deployment speed, reducing the process from a week to a few minutes. Changes are made in the development environment and then automatically pushed to production after a click-through approval process. This streamlined workflow eliminates the previous manual process and associated delays, resulting in a faster and more efficient deployment cycle.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is based on data volume, which generally suits large enterprises.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten.

Splunk is widely used across larger organizations. While large organizations often have extensive teams dedicated to Splunk projects and upgrades, smaller organizations can also use Splunk, taking advantage of more affordable pricing options like the free tier for limited data. Cost isn't a significant concern for larger organizations, who prioritize Splunk's security features and are willing to invest in its capabilities.

Splunk Enterprise Security is deployed across all departments, processing millions of data points. Over 500 people manage this data: building dashboards and reports, working with Enterprise Security, discussing use cases, and creating custom data models. This represents a massive effort for any large organization where every department utilizes Splunk.

Government departments are transitioning to Splunk, with daily onboarding increasing the current user base of 5,000.

Because the deployment is cloud-based, the Splunk DevOps team handles maintenance.

Splunk offers a resilient SIEM solution with comprehensive capabilities for research and a wide range of use cases. It is constantly updated, ensuring it remains a valuable and comprehensive SIEM package.

I recommend Splunk Enterprise Security. It is an excellent tool widely used by many organizations, making it a valuable choice for security information and event management.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
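The two mechanics this review describes (onboarding data from a product that has a ready-made add-on next to one that needs a hand-written extraction, then correlating hundreds of raw events into a single notable with a risk score and a high/medium/low severity, which the earlier UMMS review also touches on as risk-based alerting) can be shown end to end in a few dozen lines. The following Python is an added example written for this page; it is not Splunk code, not SPL, and not any reviewer's deployment. The two log formats, the rule names, the risk weights and the thresholds are constructed for illustration only.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not real vendor formats). Format 1 is key=value,
# the kind an add-on usually parses out of the box; format 2 is free-text
# syslog that needs a custom extraction before it can be correlated.
RAW_EVENTS = [
    'ts=1700000001 action=failure user=alice src=10.0.0.5 msg="bad password"',
    'ts=1700000002 action=failure user=alice src=10.0.0.5 msg="bad password"',
    'ts=1700000003 action=failure user=alice src=10.0.0.5 msg="bad password"',
    'ts=1700000004 action=failure user=alice src=10.0.0.5 msg="bad password"',
    'ts=1700000005 action=failure user=alice src=10.0.0.5 msg="bad password"',
    'ts=1700000006 action=success user=alice src=10.0.0.5 msg="login ok"',
    'ts=1700000007 action=success user=bob src=10.0.0.9 msg="login ok"',
    '2023-11-14T22:13:28Z authsvc: LOGIN FAILED for carol from 192.0.2.7',
    '2023-11-14T22:13:29Z authsvc: LOGIN FAILED for carol from 192.0.2.7',
    '2023-11-14T22:13:40Z authsvc: LOGIN OK for dave from 192.0.2.8',
]

KV_RE = re.compile(r'ts=(?P<ts>\d+) action=(?P<action>\w+) user=(?P<user>\S+) src=(?P<src>\S+)')
SYSLOG_RE = re.compile(r'^(?P<ts>\S+) authsvc: LOGIN (?P<result>FAILED|OK) for (?P<user>\S+) from (?P<src>\S+)$')


def parse_event(line):
    """Normalize one raw line into a common schema: time (epoch), user, src, action.
    Returns None for lines neither extraction understands (the "30 percent gap"
    the review mentions: such lines need a new parsing rule before they are useful)."""
    m = KV_RE.search(line)
    if m:
        return {"time": int(m["ts"]), "user": m["user"], "src": m["src"], "action": m["action"]}
    m = SYSLOG_RE.match(line)
    if m:
        t = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"time": int(t.timestamp()), "user": m["user"], "src": m["src"],
                "action": "failure" if m["result"] == "FAILED" else "success"}
    return None


FAILURE_THRESHOLD = 3   # failed logins per (user, src) before the first rule fires
RISK_THRESHOLD = 50     # aggregated risk per user before a notable is raised


def correlate(events):
    """Two illustrative correlation rules over normalized events. Each finding
    carries a risk weight; the weights and names are assumptions for this example."""
    by_entity = defaultdict(list)
    for e in events:
        by_entity[(e["user"], e["src"])].append(e)
    findings = []
    for (user, src), evs in by_entity.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["action"] == "failure"]
        if len(failures) < FAILURE_THRESHOLD:
            continue
        findings.append({"user": user, "src": src, "rule": "excessive_failed_logins",
                         "risk": 30, "events": len(failures)})
        last_failure = failures[-1]["time"]
        # A success from the same source after the burst of failures is the
        # stronger signal, so it carries more risk.
        if any(e["action"] == "success" and e["time"] > last_failure for e in evs):
            findings.append({"user": user, "src": src, "rule": "success_after_failures",
                             "risk": 60, "events": len(evs)})
    return findings


def build_notables(findings):
    """Risk-based alerting: sum risk per user and emit one notable per user that
    crosses the threshold, so many raw events collapse into one actionable item."""
    per_user = defaultdict(lambda: {"risk": 0, "rules": [], "events": 0, "sources": set()})
    for f in findings:
        n = per_user[f["user"]]
        n["risk"] += f["risk"]
        n["rules"].append(f["rule"])
        n["events"] = max(n["events"], f["events"])
        n["sources"].add(f["src"])
    notables = []
    for user, n in per_user.items():
        if n["risk"] < RISK_THRESHOLD:
            continue
        severity = "high" if n["risk"] >= 70 else "medium" if n["risk"] >= 40 else "low"
        notables.append({"user": user, "risk": n["risk"], "severity": severity,
                         "rules": n["rules"], "contributing_events": n["events"],
                         "sources": sorted(n["sources"])})
    return notables


def run(lines):
    """Parse, correlate and aggregate one batch of raw lines; returns the notables."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return build_notables(correlate(events))


if __name__ == "__main__":
    for notable in run(RAW_EVENTS):
        print(notable)
```

On the constructed batch, ten raw lines produce exactly one notable: alice, risk 90, severity high, backed by six contributing events, while carol's two failures never reach the rule threshold and generate nothing. That is the shape of the reduction the review describes; in a real deployment the thresholds and weights would be tuned per data source, and any line that `parse_event` returns `None` for should be counted and surfaced, since silently dropped events are the usual cause of blind spots.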
Vice President Research And Development at OSINT Ambition
Real User
Top 20
Helps us manage logs easily and detect threats effectively
Pros and Cons
  • "Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment."

What is our primary use case?

I work in a SOC team where I study threat hunting and threat determination. Most of my work is based on looking for malware traffic or suspicious traffic in Splunk Enterprise Security. I belong to the SOC team.

What is most valuable?

The best feature about Splunk Enterprise Security is its clean interface and the detail it provides. It helps us manage logs with a very clean interface, which is not available in other software.

They also provide extensive learning resources on their official site that help us while performing tasks. Its documentation and community are very strong, making it a perfect SOC tool. If we come across any problem, we can search the community or consult the documentation for solutions.

It is very clean and detailed, helping us detect threats easily. Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively.

What needs improvement?

The machine learning capabilities of Splunk Enterprise Security are good, but they can be improved. In a changing threat landscape, its machine learning capability can be improved in behavior-based analysis because signature-based analysis does not work very well currently.

It can improve in detecting new types of attacks or IOCs through behavior-based learning capabilities. For example, if there is malware traffic incoming, it should detect it using network logs more precisely, as most malware traffic uses the same kind of port or attack.

There should be a community program or hackathon-type events where people can develop more advanced and sophisticated machine learning models for Splunk Enterprise Security to enhance its functionality.

Adding a chatbot similar to GitHub Copilot in Splunk Enterprise Security would be beneficial. It would help write different kinds of sophisticated queries and assist in solving problems we encounter, similar to what we have in VS Code.

There is good scope for developing Splunk Enterprise Security for low-level systems such as Raspberry Pi. However, for server deployment, a robust server is essential. Development should focus on making Splunk Enterprise Security capable of running on devices such as Raspberry Pi.

For how long have I used the solution?

I used Splunk Enterprise for a long time in previous organizations. I have also used the Community version for my personal projects, which is available for free. I have experience with both Splunk Enterprise Security and the normal Splunk Community version. I still use Splunk Enterprise Security quite frequently when working with SOC and related processes.

What do I think about the scalability of the solution?

Splunk Enterprise Security is highly scalable, which is why approximately 95% of the industry uses it without experiencing scalability problems. It performs exceptionally well when discussing scalability.

How are customer service and support?

I do not remember contacting technical or customer support. Whenever I faced any problem, I usually consulted the documentation or community, and 99% of my problems were solved that way.

Which solution did I use previously and why did I switch?

I have used Wazuh, Elasticsearch, Kibana, and some basic Linux SOC management tools such as Zeek and Wireshark as alternatives to Splunk Enterprise Security. However, I find Splunk Enterprise Security to be much more advanced than those tools, as they lack automation and machine learning capabilities, requiring customization from the user. Splunk Enterprise Security is more refined and offers a better experience.

How was the initial setup?

Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment. It was quite a difficult task. However, when deploying on a server, I would consider it to be at a medium level of difficulty. On the other hand, if you're deploying for a learning lab or something similar, it's pretty much on the hard side.

For personal home labs, it is a one-person job, meaning a seasoned professional can handle it. For enterprise-level deployment, a person managing operations and a person handling server management is sufficient. After the initial deployment, one person is enough for a mid to low-level company, while a higher-order company requires a team to operate Splunk Enterprise Security.

Splunk Enterprise Security requires very little maintenance on my end, as it has improved significantly. If there are no frequent changes in the server, there is not much maintenance required. I have not invested much time in updates or maintenance, so once deployed, you just need a good professional to use it; maintenance is not much of a concern.

What's my experience with pricing, setup cost, and licensing?

The pricing of Splunk Enterprise Security is fair for what it provides. If someone wants everything for free, it is not a reasonable expectation. Everything comes at a price, and I find it to be affordable, which is why every industry uses it. Its pricing is fair, and the community version works well for learning purposes.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
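The reviewer's wish for behavior-based rather than signature-based detection of malware traffic in network logs can be illustrated without any product. Malware that checks in with a controller on a fixed timer (beaconing) stands out by the regularity of its connection timing, whatever port or payload it uses, so no signature is needed. The Python below is an added example written for this page, not code from the review or from Splunk; the connection records, host addresses and thresholds are constructed for illustration, and the statistic used (coefficient of variation of inter-arrival times) is one common heuristic, not the only one.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (timestamp, src, dst, dst_port); not real traffic.
CONN_LOG = [
    # Host .20 contacts the same external address roughly every 60 s: beacon-like.
    (1700000000, "10.1.1.20", "203.0.113.10", 443),
    (1700000060, "10.1.1.20", "203.0.113.10", 443),
    (1700000118, "10.1.1.20", "203.0.113.10", 443),
    (1700000179, "10.1.1.20", "203.0.113.10", 443),
    (1700000239, "10.1.1.20", "203.0.113.10", 443),
    (1700000298, "10.1.1.20", "203.0.113.10", 443),
    (1700000360, "10.1.1.20", "203.0.113.10", 443),
    (1700000420, "10.1.1.20", "203.0.113.10", 443),
    # Host .21 browses a site: same port, irregular timing.
    (1700000000, "10.1.1.21", "198.51.100.5", 443),
    (1700000007, "10.1.1.21", "198.51.100.5", 443),
    (1700000130, "10.1.1.21", "198.51.100.5", 443),
    (1700000131, "10.1.1.21", "198.51.100.5", 443),
    (1700000400, "10.1.1.21", "198.51.100.5", 443),
    (1700000905, "10.1.1.21", "198.51.100.5", 443),
    # Host .22: too few connections to judge regularity.
    (1700000010, "10.1.1.22", "192.0.2.44", 8443),
    (1700000070, "10.1.1.22", "192.0.2.44", 8443),
]

MIN_CONNECTIONS = 6   # need enough intervals for the statistic to mean anything
MAX_CV = 0.1          # coefficient of variation at or below this is suspiciously regular


def beacon_candidates(records, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Group connections by (src, dst, dport) and flag flows whose inter-arrival
    times are nearly constant. Returns one dict per flagged flow."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg   # 0 means perfectly periodic
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport,
                          "connections": len(times),
                          "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for candidate in beacon_candidates(CONN_LOG):
        print(candidate)
```

Only the .20 flow is flagged: its gaps average 60 s with a few seconds of jitter, giving a coefficient of variation near 0.02, while the browsing host's gaps vary by more than their mean. Dropping `min_connections` to 2 would also flag the two-connection host, which is why a minimum sample size matters; a real implementation would additionally randomize-tolerant smarter jitter handling, exclude known-good destinations, and feed the result into the same risk scoring that a notable event uses.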
Sage Martinez - PeerSpot reviewer
IT Security Analyst I at a comms service provider with 1,001-5,000 employees
Real User
Top 20
Has improved investigation speed with effective search features and real-time analysis
Pros and Cons
  • "Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive."
  • "I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need."

What is our primary use case?

My main use cases for Splunk Enterprise Security are responding to alerts, looking for logs, and for investigations.

What is most valuable?

The features I appreciate the most about Splunk Enterprise Security are the basic search capabilities, seeing what I input into the search and what results I receive, such as the charts and their visibility. These features benefit my organization by helping with our investigations; when we receive something, we're able to quickly find its source and nature. Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive.

What needs improvement?

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is not with Splunk itself, but with our own asset management and knowing what our assets are, particularly regarding visibility.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about a year.

What do I think about the stability of the solution?

I have experienced maybe one downtime, crash, or performance issue.

I would describe the stability and reliability of Splunk Enterprise Security as good, with only a couple of issues that were within our own team.

What do I think about the scalability of the solution?

Splunk Enterprise Security has been good so far in scaling with the growing needs of my organization; we haven't been growing too much to where it's a problem, but it's been performing well.

What was our ROI?

I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need.

Which other solutions did I evaluate?

What other advice do I have?

Splunk Enterprise Security handles problems in real-time.

When rating Splunk Enterprise Security overall, I'd give it a nine out of ten. I appreciate that it has a good UI that looks good and works well. I would recommend Splunk Enterprise Security.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Security Engineer at a consultancy with 11-50 employees
Real User
Top 20
Search features have improved our threat detection and streamlined data analysis
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language, which has benefited my organization by making searching data a lot easier than other tools I've used."
  • "Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detections and security.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language. This feature has benefited my organization by making searching data a lot easier than other tools I've used.

What needs improvement?

Improvement for Splunk Enterprise Security is hard to address because I'm not on version 8 yet. The main thing was integrating all the different pages we have into one, which they have accomplished in version 8.1.2. I'm looking forward to using it.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as having no issues so far.

What do I think about the scalability of the solution?

Splunk Enterprise Security appears to scale with the growing needs of my organization. We haven't expanded usage at all yet.

How are customer service and support?

I would evaluate customer service and technical support as seven or eight out of ten. They're normally great. Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication.

How would you rate customer service and support?

Positive

What was our ROI?

I would imagine we have seen return on investment with Splunk Enterprise Security.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is that it is definitely worth implementing, but it must be done properly. Make sure you have all preparations complete before getting the implementation package. I rate Splunk Enterprise Security eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Resident Consultant (Security Analyst) at helpag
MSP
Top 20
Accelerates security investigations and threat detections and allows customizations
Pros and Cons
  • "I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools."
  • "I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money."
  • "Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips."

What is our primary use case?

We have customized use cases for Splunk Enterprise Security as per our environment, due to our infrastructure related to cloud, virtualization, and a few application servers, along with Active Directory management, where we look for user interface and access management. We receive alerts related to any password breaches or unauthorized user access, or if any applications stop running.

Consequently, we created multiple customized use cases, and accordingly, we receive alerts on Splunk Enterprise Security. It integrates with other tools for threat intelligence and anomaly detection. We are enjoying a good experience so far, and our admins ensure that the use cases are well-maintained. Additionally, they perform fine-tuning as needed.

We have some database servers integrated for alerting us about unused services. We communicate with our database admins regarding incidents related to data management issues. We suggest actions to the database admins based on these alerts for better data management.

How has it helped my organization?

Splunk Enterprise Security is highly customizable, which is an excellent feature. We are continually fine-tuning it to meet our requirements, and everything has been smooth thus far. We also have well-designed dashboards that allow us to visualize data from various use cases in comprehensive graphs, which is beneficial for management reviews, especially during inspections, to display the status of our environment.

We monitor multiple environments, and those environments are integrated with Splunk Enterprise Security, functioning effectively.

In terms of visibility, it offers insights into integrated devices such as firewalls, cloud infrastructure, and virtual machines. The extent of visibility corresponds to the number of devices we integrate with Splunk Enterprise Security. We have access management servers and Threat Intelligence integrated, enhancing visibility across various elements in our environments.

Splunk Enterprise Security provides good visibility into our environments.

Splunk Enterprise Security aids us in detecting threats faster. Over time, it has incorporated enhanced AI support that enables self-analysis and offers valuable feedback. It operates as an intelligent tool, parsing and generating relevant incidents effectively.

Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.
    Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.

    Splunk Enterprise Security has helped reduce our alert volume to a good extent. It goes beyond mere incident handling by providing feedback to IT infrastructure personnel and database administrators. The incident responses have enabled us to make several environmental corrections, reducing flaws and incidents over time. For instance, alerts related to unnecessary service account logins have prompted us to give feedback to admins, which reduces their workload. False positives are a notable aspect we address to minimize unnecessary alerts, while true positives associated with malware or MITRE framework indicators prompt effective management action.

    Splunk Enterprise Security accelerates security investigations. The tool contains extensive data, and the key lies in how to extract that information, depending on the analyst's capability. Our company emphasizes obtaining Splunk Core admin and user certifications to enhance our understanding of the Splunk Enterprise Security product.

    What is most valuable?

    I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.

    We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.

    What needs improvement?

    In terms of recommendations for improvement, when performance degradation occurs, we need to do a root cause analysis. The repeated tendency to inform us about memory utilization complaints encourages us to consider adjusting our query needs. Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips. Our admin quickly intervenes to correct resource bottlenecks, allowing everything to function properly again.

    For how long have I used the solution?

    I have been working with Splunk Enterprise Security for approximately two years now.

    What do I think about the scalability of the solution?

    I find it easy to scale Splunk Enterprise Security for our environment, and I would rate its scalability an eight.

    How are customer service and support?

    I have sought assistance from Splunk Enterprise Security support in the past, particularly during deployment, and they provide friendly and effective help.

    Which solution did I use previously and why did I switch?

    Having experienced using QRadar from IBM, I find Splunk Enterprise Security more intelligent and supportive.

    How was the initial setup?

    The deployment of Splunk Enterprise Security is straightforward, and integration with other security controls is quite easy after the initial setup.

    What about the implementation team?

    Initially, we required the assistance of Splunk Enterprise Security consultants for the deployment process.

    What was our ROI?

    I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money. This is why we are keen on expanding our infrastructure under Splunk Enterprise Security rather than other SIEM options.

    What other advice do I have?

    We are currently using Splunk Enterprise Security for our SOC in our office, and as long as the office continues its use, we will still be using it.

    I haven't faced any other difficulties apart from the CPU resource issues. I find Splunk Enterprise Security to be very customizable and user-friendly. The only consideration is that if we want to increase the volume of logs processed, we need to buy more licenses.

    Maintaining Splunk Enterprise Security requires personnel, especially due to the existence of different search heads and various forwarders in our robust setup, supporting a centralized logging environment.

    I find it easy to scale Splunk Enterprise Security for our environment, and I would recommend that potential users consider their capacity to invest financially based on the criticality of their infrastructure, as adoption comes with licensing costs.

    I would rate Splunk Enterprise Security an eight out of ten.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
    Updated: September 2025