reviewer2704098 - PeerSpot reviewer
Security & Risk Analyst at a computer software company with 1,001-5,000 employees
Real User
Exceptional user interface and integrations enhance analytical capabilities
Pros and Cons
  • "The community marketplace is useful; often, you do not need to rely on Splunk Enterprise Security support due to the wealth of online documentation available—Splunk docs are truly beneficial."
  • "Splunk Enterprise Security is amazing."
  • "One area Splunk Enterprise Security fails to improve is the pricing aspect; while the initial pricing seems fine, the licensing cost can skyrocket over time, creating trauma for organizations."
  • "The default threat intel feeds create many false positives and noise, which is counterproductive."

What is our primary use case?

My use cases for Splunk Enterprise Security involve mostly standard use case detections. Essentially, whatever log sources we ingest into the platform, we define use cases for detecting anomalous behavior, with most of our use cases tied to that. 

Additionally, we utilize threat intelligence; we always use lookup tables or MISP integrations to enrich those use cases or create reports and dashboards to monitor them periodically, depending on how noisy those alerts are. 

Other use cases include compliance-based use cases for auditing purposes, as there are compliance policy breaches we want to monitor proactively on a 24/7 basis. We do that, often in a mix of MSSP and in-house environments.

What is most valuable?

The specific features I find the most valuable in Splunk Enterprise Security include the amazing UI and good integrations, and I can say this from a practitioner standpoint. 

It is just comfortable. Splunk Enterprise Security is easy to use for an analyst, and the whole analyst experience is great; it is pretty insane. It is honestly very addicting. 

As I told my fellow colleagues, they love using Splunk Enterprise Security. Once you go to any other platform, it is similar to going through withdrawal sometimes. You have to set up use cases, update data models, and link the right use cases to the right data models for those detections to happen. 

In terms of challenges, there are none; Splunk Enterprise Security is one of the best vendors in the security analytics space.

Splunk Enterprise Security has implemented improvements that may help reduce false positives, as it has some amazing features that go underutilized, such as the machine learning toolkit. The gap in skill set within the SOC environment is the reason for this underutilization.

Splunk has some amazing features we are not utilizing. For example, ML. I have not specifically utilized AI-driven security initiatives or machine learning within Splunk Enterprise Security; even the ML toolkit is not related to advanced AI components. It operates more like an advanced SQL query based on existing data trends, without offering out-of-the-box advanced ML capabilities that provide significant value.

The dashboards for some default use cases are provided. Similarly, default dashboards and reports are provided. You can pivot off of these and drill down on your investigations. The Splunk query language is definitely very easy to understand and use on a regular basis. The learning curve is also very low. So, from a practitioner standpoint, you're not going to face so much struggle in learning the Splunk query language. In fact, for other solutions, you might need AI capabilities to translate natural language. 

Additionally, Splunk Enterprise Security claims to reduce data storage to a certain extent. I'm not sure if that's the case, however, I have heard that that was the case.

Lookup tables are very useful in Splunk. 

What needs improvement?

The effectiveness of threat detection and response in Splunk Enterprise Security depends on how the team leverages it. Splunk Enterprise Security is not something that automatically picks things; you have to set up use cases, update data models, and link the right use cases to the right data models for those detections to happen. This is SIEM-tool agnostic. If you do not have the right use cases, nothing will be detected at the end of the day. 

One challenge under that note is if your company goes through some kind of digital transformation or has major solutions replaced, and all these logs are being ingested into Splunk Enterprise Security, the data models do not get updated proactively. Splunk Enterprise Security does not have a mechanism to identify that certain data models have stopped receiving logs. How do we update our data models accordingly? This issue reflects back on our use case detections.

In discussing areas for improvement in Splunk Enterprise Security, I assert that their default threat intel is inadequate. When ingesting threat intel from other sources, it would be beneficial to have capabilities that enrich the information within Splunk Enterprise Security with less dependence on a threat intel platform. The default threat intel feeds create many false positives and noise, which is counterproductive.

The UEBA aspect of Splunk Enterprise Security should also see enhancement, as it lacks that functionality.

Splunk search can sometimes take a long time; it can even time out. You have to make sure your query is very specific. It would be useful if Splunk used AI to help you write queries. I'm not sure if AI is used this way just yet.

For how long have I used the solution?

My experience with Splunk Enterprise Security is from within the last 18 months.

What do I think about the stability of the solution?

Regarding stability with Splunk Enterprise Security, I do not recall facing performance issues at the moment. 

What do I think about the scalability of the solution?

The solution can scale. When your environment scales, the search operations can lag significantly.

One entity I worked with was a managed service company that managed companies of all sizes, up to 30,000 or 40,000 employees. We work with large firms. 

How are customer service and support?

The technical support of Splunk Enterprise Security is quite good, and I would rate it a four out of five (eight out of ten) easily. They are responsive and effectively resolve issues. 

The community marketplace is also useful; often, you do not need to rely on Splunk Enterprise Security support due to the wealth of online documentation available—Splunk docs are truly beneficial.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I enjoy my work with Splunk Enterprise Security, and while I can say the same for Elastic, I have found other vendors such as QRadar, Exabeam, LogRhythm, and Sumo Logic not to be as impressive. I prefer Elasticsearch since it allows for quicker searches, making threat hunting and proactive activities easier, whereas Splunk Enterprise Security searches can take considerable time.

AlienVault's open-source solutions seemed inadequate compared to this, and QRadar was even worse. Thankfully, they are no longer relevant.

How was the initial setup?

I was somewhat involved in the initial setup of Splunk Enterprise Security. That said, it was not complex enough for a clear comparison with larger environments. 

Deploying indexers and forwarders is straightforward, though human errors can potentially occur in the process. It is challenging for me to compare the implementation of other similar tools versus Splunk Enterprise Security, however, the clarity on implementation could be enhanced. 

Maintaining Splunk Enterprise Security on-premise is not difficult at all, especially compared to other platforms I have not maintained as extensively. Many resources are available in the market to help with Splunk Enterprise Security, so finding people skilled in it is relatively easy due to the market's maturity.

What's my experience with pricing, setup cost, and licensing?

One area Splunk Enterprise Security fails to improve is the pricing aspect; while the initial pricing seems fine, the licensing cost can skyrocket over time, creating trauma for organizations.

It's really hard to justify the pricing. The only way it makes sense is if you reduce the number of nodes being ingested over time. If you can optimize that as you scale, it can stay affordable. 

What other advice do I have?

Now that Splunk Enterprise Security has been acquired by Cisco, I am uncertain whether it will retain its current traction or be dissolved in the coming years. 

I would rate Splunk Enterprise Security as a product an easy eight out of ten.

However, it is an easy eight as of now. Post-Cisco acquisition, the future remains uncertain. Would I recommend Splunk Enterprise Security to someone else? Absolutely. Splunk Enterprise Security is amazing. Despite all the issues, it simplifies the lives of everyone who uses it, and there is not a steep learning curve. 

Compared to other tools I discussed earlier, Splunk Enterprise Security is significantly better. Personally, I would choose Elastic and Splunk Enterprise Security over any other options.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
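The gap the reviewer above describes, a data model whose feeding log sources went quiet after a platform migration without anyone noticing, is something a practitioner usually closes with a scheduled search rather than waiting for the vendor. The search below is an added example written for this page; it is not part of the review or of Splunk's shipped content. It assumes a constructed lookup named expected_data_sources.csv with the columns datamodel, sourcetype and max_silence_hours (for example: Authentication, WinEventLog:Security, 2), which the SOC maintains as the inventory of sources each data model depends on. It uses only standard SPL commands (tstats, join, eval, where) and runs on raw index metadata, so it still works when data model acceleration itself is lagging.

```spl
| inputlookup expected_data_sources.csv
| join type=left sourcetype
    [| tstats latest(_time) as last_seen count where index=* earliest=-30d by sourcetype]
| eval hours_silent=if(isnull(last_seen), 999999, round((now()-last_seen)/3600, 1))
| where hours_silent > max_silence_hours
| eval status=if(isnull(last_seen), "never seen in 30d", "stale")
| stats values(sourcetype) as silent_sourcetypes, max(hours_silent) as worst_hours_silent,
        count as silent_sources by datamodel, status
| sort - worst_hours_silent
```

Scheduled hourly (as a report or as an ES correlation search that produces a finding), each result row names a data model whose inputs have gone silent, which is exactly the list of detections that are currently blind. Sources that were retired on purpose should be removed from the lookup rather than silenced with a higher threshold, so the inventory stays an honest record of what each use case relies on.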
reviewer2701950 - PeerSpot reviewer
Splunk System Engineer at a non-tech company with 11-50 employees
Real User
Correlation engine and alert features significantly reduce alert volume
Pros and Cons
  • "It's great for finding anonymous threats."
  • "The stability of Splunk Enterprise Security is very impressive; it is a very stable product."
  • "Splunk Enterprise Security can be improved mainly from the user interface regarding the visualizations. They are working on it, yet there are only five to ten very basic visualizations."

What is our primary use case?

The typical use case for Splunk Enterprise Security is to meet regulations and requirements for critical infrastructure. It is used to audit changes and authentication logs. The second purpose is for security operation center management and security management.

What is most valuable?

The most valuable feature of Splunk Enterprise Security is the main component, the correlation engine, which can specify detailed conditions such as how many events there need to be, what notification I will get, and whether I get it per event or one per batch. 

There is also throttling; in basic Splunk, there is no throttling at all. In Splunk Enterprise Security, there is an additional layer of control of these alerts. I appreciate the correlations and the alerts in that product.

The asset management is particularly useful. We can enable asset lookups to show in every event. We define one, and it will translate to all events, allowing asset management to be easy. 

Splunk Enterprise Security helps to reduce alert volume because the language is similar to SQL with Google-style functionality above it. We can use these terms to specify what is in the allow list. We can specify what's in lookups, what should be there, and what's not. It definitely helps to reduce the numbers of full score.

Splunk Enterprise Security helps to speed up security investigations. When the finding is created, there are many correlations. You can quickly see what asset it is, what identity is involved, and you see the historical progress of what happened. Right from the findings, you can call VirusTotal and other resources, which is definitely helping.

I assess Splunk Enterprise Security's insider threat detection capabilities for helping to find unknown threats and anomalous user behavior as great. It regularly checks new events through the correlation search and compares them with threat intelligence. The threat intelligence is refreshed regularly, downloading new threat information. Splunk has a special research team for security content and intelligence, which distributes its own threat list to Splunk Enterprise Security.

It's great for finding anonymous threats. It checks new events and also works with the latest threat intelligence. At least once a day, it develops new threat information. In Splunk, there is a special research team. They are also distributing their own threat lists. The solution is capable of very good threat detection.

In basic SPL, with the Splunk query language, we can detect brute force without threats. It scans every event, and if it finds patterns, IOCs, it can trigger notable events, which are now called findings. The new version includes an internal Git repository, so when the SOC team makes improvements to the correlation search and makes changes, it automatically keeps a history of that correlation search, what was changed, when, by whom, and you can revert if it breaks.

The value that Splunk Enterprise Security offers in resilience is vital. It helps customers distributing gas across the Slovak Republic, ensuring that critical infrastructure, such as operational pipelines, are running. If there were an outage that delayed recovery, the economic impact could be significant. 

It's good for analyzing malicious activities and detecting breaches. The interface sometimes can be very essential.  

Splunk has helped us reduce alert volume. We can use terms to specify what is whitelisted and we can search like we would on Google. 

We've been able to speed up security investigations. When a finding is created, there are many correlations. You can quickly see the asset, the identity involved, the history, et cetera. 

What needs improvement?

Splunk Enterprise Security can be improved mainly from the user interface regarding the visualizations. They are working on it, yet there are only five to ten very basic visualizations. When you have your data all set and the customer wants some new dashboards that would help them, it is pretty complicated to build them from the built-in visualizations. 

This is one of the blocking points in Splunk, however, they're working on a new layer called Dashboard Studio. It is still limited. An older version of Splunk allowed implementation of JavaScript to capture events when a user clicked by mouse, which enabled great features. In the improved Dashboard Studio, this is not possible. They have improved one part and have made the other part worse, so it still lacks a premium feeling. Cisco will improve it, however, it seems they are focusing on what the big companies want. They will implement it if it's usable for these big players that pay, but for small companies, it's too pricey to use this solution.

For how long have I used the solution?

I've been working with this solution for seven years.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security is very impressive; it is a very stable product. They handle these things perfectly and conduct internal testing thoroughly. 

They test it very thoroughly before release, and our customers have Splunk running for months without issues. 

When I observe how customers work with Splunk in the cloud, it is also very good. They manage maintenance windows and inform customers, resulting in little to no interruptions to workflow. In terms of stability, I would give it a full score.

What do I think about the scalability of the solution?

We work with medium to large organizations. Our typical environment has 500 servers. In volume, we're looking at 100GB in storage. From Splunk's view, we're doing rather small volumes. It's big in a Central European context, and small from a Splunk North American context. It can be pricey for small companies. 

How are customer service and support?

I would rate technical support from Splunk Enterprise Security as a six out of ten. 

It's average, considering it's a very big product, and they handle several hundred tickets a day. I have opened 20 to 30 cases, and they helped me with only three to five of them. They try to close issues as soon as possible, often just offering documentation links. 

Even when I provide them with the core problem, they do not help much. The customer often has to rely on workarounds, custom scripts, and solutions which are somewhat lacking.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, I didn't use a different solution; this was my first job, and I started working full-time with Splunk about eight years ago. 

In the beginning, when they were testing, I was shown OP5 and Nagios operations monitoring; we tried them out, however, they were not really security-related.

How was the initial setup?

You can quickly set up Splunk by downloading the package, unpacking it, and starting to work. It's straightforward to get a quick view of your data, and you do not have to worry about connections to databases; it will start parsing the data as soon as you hand it over. For bigger environments with several hundred servers, Splunk Enterprise Security is the best solution.

What was our ROI?

Customers see the value in investing in this solution, particularly when it helps resolve issues quickly, turning a potential 20-hour response into one hour.

What's my experience with pricing, setup cost, and licensing?

It's still pretty pricey. It's an expensive solution for smaller companies. 

That said, if someone evaluating SIEM solutions wants to go with the cheapest solution, Splunk Enterprise Security is a very good option. It has difficulties in administration and setup, however, in comparison with other products, it's still a great platform.

What other advice do I have?

My relationship with Splunk is that we are a partner and reseller partner. My organization does not monitor multiple cloud environments; we primarily monitor M365 and Azure environments from cloud products. We use the Microsoft Add-on for Splunk to read Exchange and Microsoft audit logs from the cloud. However, we still prefer on-premise solutions in our country.

We use the Mission Control feature. It's replaced another component. I don't use it too much myself. It's like a connector for SOAR. We're investigating its capabilities and have not implemented it fully.

Overall, I would rate Splunk Enterprise Security a nine out of ten. If you want to see your data quickly and in full view, it's very good - specifically for bigger environments.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
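The reviewer above credits three things for cutting alert volume: the correlation engine's event-count conditions, throttling on top of plain Splunk alerting, and allow lists kept in lookups. The brute-force correlation search below is an added example written for this page, not the reviewer's or Splunk's own content, and shows all three together. It reads the Authentication data model that Enterprise Security ships (summariesonly=true so it hits the accelerated summaries the reviewer relies on), and assumes a constructed allow-list lookup named brute_force_allowlist.csv with the columns src and reason (for example, a vulnerability scanner's address), so that known-noisy sources are dropped before the threshold is applied. The thresholds (20 failures from 5 or more distinct accounts) are illustrative and should be tuned per environment.

```spl
| tstats summariesonly=true allow_old_summaries=true
    count as attempts,
    dc(Authentication.user) as distinct_users,
    values(Authentication.user) as users,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
  from datamodel=Authentication.Authentication
  where Authentication.action="failure"
  by Authentication.src, Authentication.dest
| rename Authentication.* as *
| lookup brute_force_allowlist.csv src OUTPUT reason as allowlist_reason
| where isnull(allowlist_reason)
| where attempts >= 20 AND distinct_users >= 5
| eval duration_min=round((last_seen-first_seen)/60, 1)
| eval risk_message="Password spraying / brute force from ".src." against ".dest.": "
      .attempts." failures across ".distinct_users." accounts in ".duration_min." min"
| table src, dest, attempts, distinct_users, users, first_seen, last_seen, duration_min, risk_message
```

Saved as a correlation search over a 15-minute window, this produces one finding per src/dest pair rather than one per failed login, which is the per-batch behaviour the reviewer contrasts with per-event notification. The throttling the reviewer mentions is not written in SPL: it is set on the correlation search itself (the window duration and the fields to group by, here src and dest), which corresponds to the alert.suppress, alert.suppress.fields and alert.suppress.period settings in savedsearches.conf, so a source that keeps hammering the same host during the window does not raise a second finding until the window expires.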