CTA\Owner at UCSolutions
Easy to use and simple to set up with reasonable pricing
Pros and Cons
- "The SIEM is the most valuable feature of the product."
- "The documentation is in definite need of improvement."
What is our primary use case?
I need the product for SIEM, Security Identity Event Management. I also need it for security operations, automated response, as well as mapping adjusting of security components as well. It helps us with how best to look at various events, and orchestrate between various different hyper-scalers.
How has it helped my organization?
The solution has made us more secure and has allowed for more definable mapping.
What is most valuable?
The SIEM is the most valuable feature of the product.
Having a better integration method, and then ingesting and mapping the information, has been somewhat easier than with some of the other tools that I've used previously (other than QRadar and Rapid7).
The initial setup is pretty simple.
The solution is scalable.
Stability has been quite good.
The pricing is pretty decent.
What needs improvement?
The documentation is in definite need of improvement.
There are pieces of it that are somewhat just daunting and there should be better orchestration and automation.
I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.
I'd like to have it so that Splunk integrates better with Terraform and Python.
Buyer's Guide
Splunk Enterprise Security
May 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
852,780 professionals have used our research since 2012.
For how long have I used the solution?
I've used the solution for eight years. I've used it for quite a while.
What do I think about the stability of the solution?
Splunk is probably the best brand in terms of stability. I'd rate its reliability at a four out of five. There aren't bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The scalability is great. I'd give it a score of four out of five. If a company needs to expand, it can do so.
We have 450 people in our organization that use the product. We've also done this for clients that needed access for over 200,000 people.
We use the solution extensively and likely will increase usage.
How are customer service and support?
The support is okay, however, there are a couple of things that they couldn't figure out and they couldn't help me with automation or stuff like that. It could have been better from there, however, it's not that bad.
Which solution did I use previously and why did I switch?
I've previously used QRadar and it wasn't ideal.
There were certain times I integrated with other solutions too.
How was the initial setup?
The initial implementation is pretty simple and straightforward. It's not too complex. I'd rate the experience at an eight out of ten.
The initial deployment took us about two weeks or so.
The amount of personnel you need for deployment and maintenance tasks depends on the size of the deployment. Typically, it's just one or two people. That said, it needs to be proportionate to certain sizes. Usually, the staff is from procurement or provisioning.
What about the implementation team?
I handled the implementation myself. I didn't need any outside assistance from any integrators. I'm a consultant myself.
What was our ROI?
We've seen quite extensive ROI, however, it's more of a qualitative assessment and I don't have numbers to share. It works well and customers are happy. That's what counts.
What's my experience with pricing, setup cost, and licensing?
It's a little bit more expensive than some of the other tools. It's not as expensive as QRadar. That said, it's more expensive than LogRhythm or Sentinel.
There aren't really other fees beyond the standard costs of licensing.
Which other solutions did I evaluate?
I evaluated other things. I also integrated with other solutions too. I decided to go with Splunk due to the fact that it worked well.
What other advice do I have?
I'm a consultant. I'm also a customer and use it myself.
We use multiple deployment models, including public and private clouds.
We typically use the latest version of the solution.
I'd advise potential new users to get a proper plan. They should have a good partner or someone that can help them and quickly map and orchestrate.
I'd rate the solution at a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Sr. IT Manager at a pharma/biotech company with 10,001+ employees
Good log aggregation and scales well, with good technical support that is responsive and helpful
Pros and Cons
- "The most valuable feature is that it's very good for log aggregation."
- "The implementation and the scanning of the logs can be difficult."
What is our primary use case?
We are using Splunk to look at the logs, and see what is happening.
What is most valuable?
The most valuable feature is that it's very good for log aggregation.
What needs improvement?
Splunk is very complex. The implementation and the scanning of the logs can be difficult.
For how long have I used the solution?
I have been using Splunk for approximately three years.
What do I think about the stability of the solution?
In general, Splunk is stable.
What do I think about the scalability of the solution?
It's a scalable product. It's pretty good.
How are customer service and technical support?
Technical support is usually pretty good.
They are responsive, knowledgeable, and helpful.
How was the initial setup?
The initial setup was relatively straightforward.
What's my experience with pricing, setup cost, and licensing?
The price is comparable.
What other advice do I have?
I would rate Splunk an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VMware Engineer at First Data Corporation
In-depth logs but downloading and uploading logs have become an issue
How has it helped my organization?
100%. VMware needs log information to troubleshoot; it's not easy finding problems.
Downloading and uploading logs have become an issue.
What is most valuable?
- In-depth logs
- Add-ons
- The ability to ingest data from other tools
- The detailed log view
- It's easy to read
What needs improvement?
- The amount of time it takes to troubleshoot not-easily-available data
- Also, hours on the phone with VMware techs.
For how long have I used the solution?
Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Application Engineer at Expedia
The most valuable feature is its centralized log analytics
Pros and Cons
- "We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health."
- "The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer."
What is our primary use case?
The primary use case is for log analytics. Although, we have been using it as a hammer which hits all the nails. We have sort of overused it in some areas where it doesn't need to be used.
How has it helped my organization?
We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health. From there, you can drill in to see the real deep dive example of what is happening in your environment. It has reduced our time to resolve incidents.
What is most valuable?
The most valuable feature is its centralized log analytics.
What needs improvement?
The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer. Splunk is good about viewing data within the last seven or 14 days, but if you want to see a year-over-year trend, you have to do a lot of work to get to that point. If there was a better way to extract the data point and put it into a long-term viewing ability for a year-over-year analysis, then compare that to your other business metrics. That is what I am looking for, as an example, for a call center you want to see the time it takes for your customer to be handled on their need comparatively to the system performance that is happening, then overlay that data.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
We put a lot of trust in it. It has been pretty rock-solid outside of a couple of changes that we made. Upgrades sometimes don't always go smoothly, but otherwise the system performs, and operates.
What do I think about the scalability of the solution?
When we were trying to implement an enterprise solution on-premise, we had scaling issues. It was very difficult to search the data retention beyond a few days. A lot of talent was given to the ability to go into AWS and scale with our need. We still had to do some administrative things to prevent consumers from trying to search all records for all time in very inefficient searches. This could sometimes bring our core system functionality to a halt, so we had to do some user administration in it.
How are customer service and technical support?
I don't engage with the support directly. Another member of my team does. Any time that we have needed support, he hasn't had an issue opening a ticket and receiving the help that he needs.
How was the initial setup?
The integration and configuration in the AWS environment was pretty good. They have a consumption method for pretty much every service. They might be able to do a little better at advertising different patterns for best practices for different service, but overall there's a method to get everything.
What was our ROI?
We have had a reduction in the time it takes to resolve issues and correlate what has failed. This has significantly helped.
Which other solutions did I evaluate?
We looked at the ELK Stack, Kibana, and Sumo Logic.
We chose Splunk because their cost is better, the maintenance factor is a little higher, and the core functionality is higher than what other products provide. The core functionality is out-of-the-box. E.g., with a Toyota Scion, you can customize the parts to make it whatever you want, but it's a lot of work to get there. Whereas if you buy a Cadillac, you pay the Cadillac's price, but it's a Cadillac. It will work right out-of-the-box.
What other advice do I have?
It works well when searching logs. If you looked to try to do things beyond this, the problem that we ran into is that we treated it as the hammer which hits all nails. That is not really feasible, and there are other tools out there that can do more specialized things.
User administration is key. Trying to prevent users from being able to search all records for all time is a huge problem. You need a tight approval process on dashboards, making sure the dashboards are queried in the most efficient way possible.
The on-premise version that we had was not scalable at all. It was very difficult to use. We have EC2 instances in the cloud with Splunk installed, which is more scalable and easier to use. It now works much better.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Splunker at freelancer
Quickly search for almost anything across many log sources in seconds
Pros and Cons
- "We can do things in minutes instead of days."
- "We solve issues that we previously could not since we now have the data."
- "We can quickly search for almost anything across many log sources in seconds."
- "The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code."
- "AngularJS/ReactJS inclusion could be made easier in GUI."
What is our primary use case?
The primary use case is to analyse and monitor big data, creating various dashboards, alerts, etc.
How has it helped my organization?
- We can do things in minutes instead of days.
- We solve issues that we previously could not since we now have the data.
- We can quickly search for almost anything across many log sources in seconds.
- Teams have the dashboards or alerts that they need.
What is most valuable?
There are too many features to list, but here are a few:
- Schema on the fly
- Ease of onboarding data
- Machine learning
- Apps or Splunkbase.
- Great list of apps to use and build upon once you learn more about how Splunk works.
- Ease of correlation, creating correlation searches (easy), and you can combine multiple sources with little effort.
- Data Models Acceleration for super fast searches across tens of millions of events.
- Common Information Model
- Security Essentials App
- Enterprise Security
- Splunk SPL (Search Processing Language) is easy to learn and has IDE like capabilities.
- Log storage or compression is great and retention is not an issue.
- Dashboards are simple to create and have input options, like time range and text.
- Drop-downs are simple to create.
- The integration with cloud solutions is great and keeps getting better.
What needs improvement?
The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue.
Also, AngularJS/ReactJS inclusion could be made easier in GUI.
For how long have I used the solution?
One to three years.
What was our ROI?
Personnel costs are saved by not having to involve domain developers from multiple teams when tracing a problem that spans multiple platforms.
What other advice do I have?
We build many of our own apps by leveraging the logic in others.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Splunk Administrator at Arizona State University
Provides important insights to more efficiently make decisions and take action
Pros and Cons
- "My favorite example of improving the organization is saving $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports."
- "Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data."
- "While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged."
- "Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run."
What is our primary use case?
We use Splunk primarily to provide our security and ops groups with important insights to more efficiently make decisions and take action.
How has it helped my organization?
My favorite example of improving the organization is saving $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports.
What is most valuable?
Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data. They can make connections that we could not have foreseen. They dig deeper when they are searching.
What needs improvement?
Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run.
While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.
For how long have I used the solution?
One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Engineer at Publix Super Markets
A more secure, robust environment, which keeps out harmful software
Pros and Cons
- "Visualizations are the best way to understand deviation techniques from the norm."
- "We have a more secure, robust environment, which keeps the harmful software out of the zone required."
- "More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results."
What is our primary use case?
Security and incident management, which is helpful when organizing the data from different systems and running analysis on all the data together.
How has it helped my organization?
We have a more secure, robust environment, which keeps the harmful software out of the zone required.
What is most valuable?
The most valuable features are:
- Risk analysis
- Machine Learning Toolkit
- dbConnect
- Cisco products
- eStreamer
- SIEM.
Visualizations are the best way to understand deviation techniques from the norm.
What needs improvement?
More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.
For how long have I used the solution?
Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Business Intelligence Developer at Arizona State University
Search language is easy to understand and teach to new users
Pros and Cons
- "Support is quick and competent."
- "Search language is easy to understand and teach to new users."
- "Certain sections of the developer documentation could use some updating and clarification."
- "Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling."
What is our primary use case?
- Monitoring IT and other processes for a large university.
- Leveraging alerts and dashboards to detect and predict security breaches and other events.
How has it helped my organization?
Splunk has enabled us to detect, even predict potential security issues, before they become severe. It has enabled our operations and development teams to more efficiently monitor and troubleshoot their systems.
What is most valuable?
The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data.
What needs improvement?
- Certain sections of the developer documentation could use some updating and clarification.
- Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling.
- Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).
For how long have I used the solution?
Three to five years.
How are customer service and technical support?
Support is quick and competent.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
