Vice President Research And Development at OSINT Ambition
Real User
Helps us manage logs easily and detect threats effectively
Pros and Cons
    • "Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment."

    What is our primary use case?

    I work in a SOC team where I study threat hunting and threat determination. Most of my work is based on looking for malware traffic or suspicious traffic in Splunk Enterprise Security. I belong to the SOC team.

    What is most valuable?

    The best feature about Splunk Enterprise Security is its clean interface and the detail it provides. It helps us manage logs with a very clean interface, which is not available in other software. 

    They also provide extensive learning resources on their official site that help us while performing tasks. Its documentation and community are very strong, making it a perfect SOC tool. If we come across any problem, we can search the community or consult the documentation for solutions. 

    It is very clean and detailed, helping us detect threats easily. Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively.

    What needs improvement?

    The machine learning capabilities of Splunk Enterprise Security are good, but they can be improved. In a changing threat landscape, its machine learning capability can be improved in behavior-based analysis because signature-based analysis does not work very well currently.

    It can improve in detecting new types of attacks or IOCs through behavior-based learning capabilities. For example, if there is incoming malware traffic, it should detect it using network logs more precisely, as most malware traffic uses the same kind of port or attack.

    There should be a community program or hackathon-type events where people can develop more advanced and sophisticated machine learning models for Splunk Enterprise Security to enhance its functionality. 

    Adding a chatbot similar to GitHub Copilot in Splunk Enterprise Security would be beneficial. It would help write different kinds of sophisticated queries and assist in solving problems we encounter, similar to what we have in VS Code.

    There is good scope for developing Splunk Enterprise Security for low-level systems such as Raspberry Pi. However, for server deployment, a robust server is essential. Development should focus on making Splunk Enterprise Security capable of running on devices such as Raspberry Pi.

    For how long have I used the solution?

    I used Splunk Enterprise for a long time in previous organizations. I have also used the Community version for my personal projects, which is available for free. I have experience with both Splunk Enterprise Security and the normal Splunk Community version. I still use Splunk Enterprise Security quite frequently when working with SOC and related processes.

    Buyer's Guide
    Splunk Enterprise Security
    July 2025
    Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
    865,295 professionals have used our research since 2012.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security is highly scalable, which is why approximately 95% of the industry uses it without experiencing scalability problems. It performs exceptionally well when discussing scalability.

    How are customer service and support?

    I do not remember contacting technical or customer support. Whenever I faced any problem, I usually consulted the documentation or community, and 99% of my problems were solved that way.

    Which solution did I use previously and why did I switch?

    I have used Wazuh, Elasticsearch, Kibana, and some basic Linux SOC management tools such as Zeek and Wireshark as alternatives to Splunk Enterprise Security. However, I find Splunk Enterprise Security to be much more advanced than those tools, as they lack automation and machine learning capabilities, requiring customization from the user. Splunk Enterprise Security is more refined and offers a better experience.

    How was the initial setup?

    Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment. It was quite a difficult task. However, when deploying on a server, I would consider it to be at a medium level of difficulty. On the other hand, if you're deploying for a learning lab or something similar, it’s pretty much on the hard side.

    For personal home labs, it is a one-person job, meaning a seasoned professional can handle it. For enterprise-level deployment, a person managing operations and a person handling server management are sufficient. After the initial deployment, one person is enough for a mid to low-level company, while a higher-order company requires a team to operate Splunk Enterprise Security.

    Splunk Enterprise Security requires very little maintenance on my end, as it has improved significantly. If there are no frequent changes in the server, there is not much maintenance required. I have not invested much time in updates or maintenance, so once deployed, you just need a good professional to use it; maintenance is not much of a concern.

    What's my experience with pricing, setup cost, and licensing?

    The pricing of Splunk Enterprise Security is fair for what it provides. If someone wants everything for free, it is not a reasonable expectation. Everything comes at a price, and I find it to be affordable, which is why every industry uses it. Its pricing is fair, and the community version works well for learning purposes.

    What other advice do I have?

    I would rate Splunk Enterprise Security an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    System Administrator at Galaxy Chemicals Egypt
    Real User
    Top 20
    Improves our security posture and offers good reporting capabilities
    Pros and Cons
    • "The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations."
    • "Splunk's support is better, and its reporting is easier and better."
    • "The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks."

    What is our primary use case?

    My usual use cases for Splunk Enterprise Security include normal reporting.

    How has it helped my organization?

    Splunk Enterprise Security has positively impacted my organization by increasing security defense. It provides a good environment for defense.

    What is most valuable?

    The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations.

    What needs improvement?

    The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks.

    For how long have I used the solution?

    I have been working with Splunk Enterprise Security for the last year.

    What do I think about the stability of the solution?

    I would rate Splunk Enterprise Security an eight out of ten for stability. In security, nothing is 100%.

    What do I think about the scalability of the solution?

    I would rate the scalability of Splunk Enterprise Security an eight out of ten. I have not tried anything to scale up or scale out as it is a new setup, but I believe it will be easy for that.

    How are customer service and support?

    I would rate the technical support of Splunk a seven out of ten. Sometimes there are delays. It is related to their giving a response after some time.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I used QRadar. The switch from QRadar to Splunk Enterprise Security was a management decision. We moved to Splunk Enterprise Security because of its benefits. Splunk's support is better, and its reporting is easier and better. There are also pricing advantages.

    How was the initial setup?

    It is a normal process. It isn't complex, but it is a new setup with new interfaces and a new way of thinking. It is always a challenge to use new software, and it takes some time to get familiar with it.

    What about the implementation team?

    I can install Splunk Enterprise Security myself, though some things require dealing with external assistance.

    What was our ROI?

    We have not calculated ROI in our environment. I have not received any assignment or recommendation to calculate ROI.

    What's my experience with pricing, setup cost, and licensing?

    The pricing of Splunk Enterprise Security is somewhat high, but comparing it with its benefits, it's acceptable. It depends on the type of business.

    What other advice do I have?

    Overall, I would rate Splunk Enterprise Security an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Resident Consultant (Security Analyst) at helpag
    MSP
    Top 20
    Accelerates security investigations and threat detections and allows customizations
    Pros and Cons
    • "I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools."
    • "I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money."
    • "Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips."

    What is our primary use case?

    We have customized use cases for Splunk Enterprise Security as per our environment, due to our infrastructure related to cloud, virtualization, and a few application servers, along with Active Directory management, where we look for user interface and access management. We receive alerts related to any password breaches or unauthorized user access, or if any applications stop running. 

    Consequently, we created multiple customized use cases, and accordingly, we receive alerts on Splunk Enterprise Security. It integrates with other tools for threat intelligence and anomaly detection. We are enjoying a good experience so far, and our admins ensure that the use cases are well-maintained. Additionally, they perform fine-tuning as needed. 

    We have some database servers integrated for alerting us about unused services. We communicate with our database admins regarding incidents related to data management issues. We suggest actions to the database admins based on these alerts for better data management.

    How has it helped my organization?

    Splunk Enterprise Security is highly customizable, which is an excellent feature. We are continually fine-tuning it to meet our requirements, and everything has been smooth thus far. We also have well-designed dashboards that allow us to visualize data from various use cases in comprehensive graphs, which is beneficial for management reviews, especially during inspections, to display the status of our environment.

    We monitor multiple environments, and those environments are integrated with Splunk Enterprise Security, functioning effectively.

    In terms of visibility, it offers insights into integrated devices such as firewalls, cloud infrastructure, and virtual machines. The extent of visibility corresponds to the number of devices we integrate with Splunk Enterprise Security. We have access management servers and Threat Intelligence integrated, enhancing visibility across various elements in our environments.

    Splunk Enterprise Security provides good visibility into our environments.

    Splunk Enterprise Security aids us in detecting threats faster. Over time, it has incorporated enhanced AI support that enables self-analysis and offers valuable feedback. It operates as an intelligent tool, parsing and generating relevant incidents effectively.

    Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.

    Splunk Enterprise Security has helped reduce our alert volume to a good extent. It goes beyond mere incident handling by providing feedback to IT infrastructure personnel and database administrators. The incident responses have enabled us to make several environmental corrections, reducing flaws and incidents over time. For instance, alerts related to unnecessary service account logins have prompted us to give feedback to admins, which reduces their workload. False positives are a notable aspect we address to minimize unnecessary alerts, while true positives associated with malware or MITRE framework indicators prompt effective management action.

    Splunk Enterprise Security accelerates security investigations. The tool contains extensive data, and the key lies in how to extract that information, depending on the analyst's capability. Our company emphasizes obtaining Splunk Core admin and user certifications to enhance our understanding of the Splunk Enterprise Security product.

    What is most valuable?

    I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.

    We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.

    What needs improvement?

    In terms of recommendations for improvement, when performance degradation occurs, we need to do a root cause analysis. The repeated tendency to inform us about memory utilization complaints encourages us to consider adjusting our query needs. Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips. Our admin quickly intervenes to correct resource bottlenecks, allowing everything to function properly again.

    For how long have I used the solution?

    I have been working with Splunk Enterprise Security for approximately two years now.

    What do I think about the scalability of the solution?

    I find it easy to scale Splunk Enterprise Security for our environment, and I would rate its scalability an eight.

    How are customer service and support?

    I have sought assistance from Splunk Enterprise Security support in the past, particularly during deployment, and they provide friendly and effective help.

    Which solution did I use previously and why did I switch?

    Having experienced using QRadar from IBM, I find Splunk Enterprise Security more intelligent and supportive.

    How was the initial setup?

    The deployment of Splunk Enterprise Security is straightforward, and integration with other security controls is quite easy after the initial setup.

    What about the implementation team?

    Initially, we required the assistance of Splunk Enterprise Security consultants for the deployment process.

    What was our ROI?

    I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money. This is why we are keen on expanding our infrastructure under Splunk Enterprise Security rather than other SIEM options.

    What other advice do I have?

    We are currently using Splunk Enterprise Security for our SOC in our office, and as long as the office continues its use, we will still be using it.

    I haven't faced any other difficulties apart from the CPU resource issues. I find Splunk Enterprise Security to be very customizable and user-friendly. The only consideration is that if we want to increase the volume of logs processed, we need to buy more licenses.

    Maintaining Splunk Enterprise Security requires personnel, especially due to the existence of different search heads and various forwarders in our robust setup, supporting a centralized logging environment.

    I find it easy to scale Splunk Enterprise Security for our environment, and I would recommend that potential users consider their capacity to invest financially based on the criticality of their infrastructure, as adoption comes with licensing costs.

    I would rate Splunk Enterprise Security an eight out of ten.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Vijay Lakshmanan
    Associate at PricewaterhouseCoopers
    Real User
    Top 20
    Provides centralized monitoring, customized dashboards, and speeds up security investigations
    Pros and Cons
    • "The most valuable features in Splunk Enterprise Security are the cluster capabilities."
    • "The licensing price is high and has room for improvement."

    What is our primary use case?

    I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.

    How has it helped my organization?

    We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.

    We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.

    Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.

    We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and log sources we actively track, providing a clear view of our entire monitoring environment.

    While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.

    It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.

    Splunk Enterprise Security helps us detect threats faster.

    Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.

    Splunk Enterprise Security helps us speed up our security investigations.

    The customizable dashboard for our security operations is a good feature.

    What is most valuable?

    The most valuable features in Splunk Enterprise Security are the cluster capabilities.

    What needs improvement?

    The licensing price is high and has room for improvement.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for four years.

    What do I think about the stability of the solution?

    Splunk Enterprise Security is stable.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security can scale according to our needs.

    How are customer service and support?

    The technical support has been successful in resolving the majority of our cases.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.

    What's my experience with pricing, setup cost, and licensing?

    The Splunk Enterprise Security license is expensive.

    What other advice do I have?

    I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.

    Splunk Enterprise Security is deployed across multiple locations in our organization.

    To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    reviewer2746377
    Senior System Administrator at a tech services company with 5,001-10,000 employees
    Real User
    Efficiently correlates large volumes of log data and makes it usable for end users
    Pros and Cons
      • "Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations."

      What is our primary use case?

      I lead a team that does Splunk administration. We mainly worry about the platform itself, ensuring everything works, log sources are coming in, and assisting with searches. We have a dedicated security team that represents the user side, the consumers of that data. We try to get all the log sources in for them so they can create detections, alerts, dashboards, and their own custom app integrations. We support them as much as we can in the platform, and they do their security work based on that.

      What is most valuable?

      The biggest thing that Splunk is known for across all its platforms is aggregation. We have thousands of log sources coming in, and Splunk Enterprise Security does a great job of correlating that information and making it very searchable and usable for the end user. This is my most enjoyable feature. 

      Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations. They access Splunk Enterprise Security multiple times every single day doing their job. This proves substantial value given they need it that frequently, and considering the proportion of our contract.

      What needs improvement?

      Even though aggregation is one of the best features, they do poorly at integrating their own products with each other. There is Splunk Cloud, which handles searching, and there is Splunk Enterprise Security. In the backend, these are separate instances, even though the data comes from essentially the same database source. When I make changes on one platform, it may or may not affect the other side. This leaves me with uncertainty between what I'm doing in one, not knowing if it will affect the same thing on the other side. By extension, I sometimes make redundant changes already done on the other side. The discrepancy between the different search heads leaves me confused most of the time about these changes.

      Their support also needs improvement.

      For how long have I used the solution?

      I have been using this solution for about two years now.

      What do I think about the stability of the solution?

      For stability, I would give it an A grade. The platform generally runs exceptionally. It occasionally experiences brief interruptions, but their operations people who manage the cloud side typically have the system back up before I receive a response to my submitted ticket. They are very aware of their system's stability on the operational side.

      For performance, I would give it a B grade. Some of the performance issues could be due to our own tuning that we could improve. However, Splunk is designed to handle vast amounts of data, and in my opinion, it should operate a bit faster, especially when initiating searches or processing smaller jobs. It would be helpful if these tasks could run more quickly because, once the search actually starts, it performs well. The initial parsing phase, when running a new search, can take quite a while, and I find it frustrating to have to wait during that part.

      What do I think about the scalability of the solution?

      In terms of infrastructure, I cannot speak to it since it is cloud-based and operates as a black box regarding scaling. However, when it comes to handling increased data loads, Splunk Enterprise Security performs exceptionally. When we onboard new things, new log sources, or experience extra volume from heavy firewall activity, Splunk Enterprise Security processes all the data efficiently. From the time a log is generated on a system to when it reaches Splunk Enterprise Security is extremely fast. Though search time might be slightly slower than preferred, ingestion time for logs to hit the cloud is fantastic.

      How are customer service and support?

      Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations.

      Speed is particularly problematic. I submitted a high-priority ticket for a broken login configuration to Splunk Enterprise Security, called twice, and received no response from Friday until the following Monday. After escalating to our sales team requesting immediate response for our security team's broken access, we finally received assistance, and we were able to get back on track, but I was really unhappy with the situation. It was a critical priority issue that they were not addressing appropriately. We have paid for Splunk support, and we’re not on the free tier hoping for assistance; we are a significant customer and invest a lot in this service. Given our active contract, we expect to receive better support. This area definitely needs improvement.

      How would you rate customer service and support?

      Neutral

      Which solution did I use previously and why did I switch?

      I previously used AlienVault, an open source solution, but was not as deeply involved with it as I am with Splunk Enterprise Security.

      How was the initial setup?

      The initial setup precedes my time with the company. When I started using it, it was a bit of a challenge. Splunk Enterprise Security is extensive and complex. The setup was not necessarily more difficult than regular Splunk Core since they are integrated, but the learning curve was quite steep. It took approximately six months to feel comfortable administering the full system independently.

      The solution requires significant maintenance. It is very stable, but to keep things moving forward, we must do considerable work. Apps or add-ons we install require our own updates if they are not default ones offered by Splunk Enterprise Security. The baseline configuration gets upgraded automatically, which I appreciate. However, maintaining all other add-ons falls to us, which requires substantial work, especially as Splunk Enterprise Security is aggressive with their updates and minor versions. We must constantly do compatibility checks or create technical debt by staying behind versions sometimes, not knowing what features we might miss.

      What's my experience with pricing, setup cost, and licensing?

      The pricing is very reasonable for what it offers us. Out of our entire contract, Splunk Enterprise Security represents approximately 15% of our total Splunk expenditure. Splunk Enterprise Security is a huge value-add to us because our security team treats it very much as a normal component of their daily operations. They go into Splunk Enterprise Security multiple times every single day doing their job. That means that it proves a lot of value to where they need it that frequently. Given the proportion of our contract, there is a lot of value right there.

      What other advice do I have?

      Splunk Enterprise Security has approximately seven different AI capabilities. These include natural language processing for search query assistance, machine learning for alerts and data processing, and plugins such as Tensor for external AI processing. However, I remain cautious about enabling all AI features without understanding their performance impact. 

      I would rate Splunk Enterprise Security a nine out of ten.

      Which deployment model are you using for this solution?

      Public Cloud

      If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

      Other
      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      reviewer2499192 - PeerSpot reviewer
      Senior Information Systems Security Analyst at a manufacturing company with 5,001-10,000 employees
      MSP
      Provides impressive end-to-end visibility into our environment
      Pros and Cons
      • "The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better."
      • "I would like more assistance with use cases and help with teaching us how to use it once it's installed."

      What is our primary use case?

      Our primary use case is for detected malware. 

      What is most valuable?

      The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.

      We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it. 

      We would probably see more time savings if we used Splunk more. 

      We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize more.

      Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.

      Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful. 

      It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.

      For how long have I used the solution?

      I have been using Splunk Enterprise Security for two years. 

      What do I think about the stability of the solution?

      The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.

      How are customer service and support?

      Splunk support is difficult for us. There are gaps in the network. I work for a government entity so getting a classified rep to come out is difficult. 

      I would rate their support a five out of ten due to their availability and talent. 

      How would you rate customer service and support?

      Neutral

      How was the initial setup?

It took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish, there's definitely room for improvement.

      I would like more assistance with use cases and help with teaching us how to use it once it's installed. 

      What about the implementation team?

      We deployed through professional services. 

      Which other solutions did I evaluate?

      We're a young team so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.

      What other advice do I have?

      I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.

      Disclosure: My company does not have a business relationship with this vendor other than being a customer.
      reviewer2499732 - PeerSpot reviewer
      Head of Digital, Log Monitoring at a manufacturing company with 10,001+ employees
      Real User
      Reduces MTTR, improves efficiency, and centralizes everything
      Pros and Cons
      • "It is lovely to have everything we need in one tool. Everything is quite centralized."
      • "Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk."

      What is our primary use case?

      Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC. 

      We also have additional work that is much more tricky. It is related to using AI to detect insider threats.

      How has it helped my organization?

      We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.

      Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.

      What is most valuable?

      It is lovely to have everything we need in one tool. Everything is quite centralized.

      What needs improvement?

      AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to leave. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.

      Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.

      For how long have I used the solution?

      I have been using Splunk Enterprise Security for five years.

      What do I think about the stability of the solution?

      It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view. 

      What do I think about the scalability of the solution?

      Its scalability is good provided you have the right license agreements.

      How are customer service and support?

      It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.

      How would you rate customer service and support?

      Neutral

      Which solution did I use previously and why did I switch?

      I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.

      How was the initial setup?

      It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.

      For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.

      What's my experience with pricing, setup cost, and licensing?

      Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.

      The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.

      They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.

      We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.

      Which other solutions did I evaluate?

      I did not evaluate other solutions but the company surely did.

      What other advice do I have?

      Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.

      It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.

      Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.

      I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.

      Disclosure: My company does not have a business relationship with this vendor other than being a customer.
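The "raise the risk when the user looks like a leaver" idea from the review above, as an added Python example (not code from Splunk or the reviewer; the scoring weights, keyword list and sample data are constructed for illustration):

```python
"""Risk-based alerting with a 'leaver' context boost for DLP alerts.

Added example (not Splunk's or the reviewer's code): it implements the idea
described in the review above in plain Python. Scoring weights, keyword
list and all sample data are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Outbound mail subjects that hint a person is about to leave (constructed list).
FAREWELL_RE = re.compile(r"\b(farewell|goodbye|last day|moving on)\b", re.IGNORECASE)

# The DLP tool's base risk is deliberately below the alert threshold, so an
# alert only fires when context raises it: same event, fewer false positives.
ALERT_THRESHOLD = 60


@dataclass
class UserContext:
    user: str
    notice_given: bool = False   # HR confirmed the user resigned
    farewell_mails: int = 0      # outbound mails matching FAREWELL_RE


def scan_mail(ctx, subjects):
    """Count outbound subjects that look like farewell messages and record
    them on the user's context. Returns the updated context."""
    ctx.farewell_mails += sum(1 for s in subjects if FAREWELL_RE.search(s))
    return ctx


def dlp_risk(alert, ctx):
    """Compute the risk score for one DLP alert given the user's context."""
    score = alert["base_risk"]
    if ctx.notice_given:
        score += 40                 # confirmed leaver: strongest modifier
    elif ctx.farewell_mails > 0:
        score += 25                 # inferred leaver: weaker modifier
    if alert["destination"] == "personal_cloud":
        score += 10                 # exfiltration-prone destination
    return score


def triage(alerts, contexts):
    """Return (user, score) for alerts whose risk reaches ALERT_THRESHOLD."""
    out = []
    for a in alerts:
        score = dlp_risk(a, contexts[a["user"]])
        if score >= ALERT_THRESHOLD:
            out.append((a["user"], score))
    return out


def demo():
    """Constructed scenario: four identical DLP events, different context."""
    contexts = {u: UserContext(u) for u in ("alice", "bob", "carol", "dave")}
    contexts["carol"].notice_given = True
    scan_mail(contexts["bob"], ["Farewell everyone!", "Re: Q3 budget",
                                "My last day is Friday"])
    alerts = [
        {"user": "alice", "base_risk": 30, "destination": "usb"},
        {"user": "bob",   "base_risk": 30, "destination": "personal_cloud"},
        {"user": "carol", "base_risk": 30, "destination": "usb"},
        {"user": "dave",  "base_risk": 30, "destination": "personal_cloud"},
    ]
    return triage(alerts, contexts)


if __name__ == "__main__":
    print(demo())   # [('bob', 65), ('carol', 70)]
```

Only the two users with leaver context cross the threshold; the same base DLP event for alice and dave stays below it and never becomes an alert.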
      Sameep Agarwal. - PeerSpot reviewer
      Group manager at HCM Technologies
      Real User
      Top 20
      It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query
      Pros and Cons
      • "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most."
      • "The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system."

      What is our primary use case?

      We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.

      In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.

      How has it helped my organization?

We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.

We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things. They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use.

      We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand. 

      Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.

      What is most valuable?

      Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.

      The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.

      What needs improvement?

      The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.  

      Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.

      For how long have I used the solution?

      I have been using Splunk for five years. 

      What do I think about the stability of the solution?

      Splunk is stable. We haven't had any downtime or performance issues. 

      How are customer service and support?

      I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials. 

      How would you rate customer service and support?

      Positive

      Which solution did I use previously and why did I switch?

      I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing. 

      ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most. 

      What's my experience with pricing, setup cost, and licensing?

      Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.

      If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.

      What other advice do I have?

      I rate Splunk Enterprise Security nine out of 10. There's always room for improvement. 

      Disclosure: My company does not have a business relationship with this vendor other than being a customer.
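The endpoint event filtering the reviewer describes (ingest only login failures, account and privilege changes, and drop the rest to cut volume), as an added Python example that is not code or configuration from Splunk or the reviewer; the event-ID allowlist uses standard Windows Security event IDs and the sample records are constructed:

```python
"""Allowlist filter for Windows Security events before SIEM ingestion.

Added example (not Splunk's own code or configuration): it demonstrates the
event-filtering idea from the review above in plain Python. In Splunk this is
normally done with `whitelist`/`blacklist` on the WinEventLog input or by
routing unwanted events to nullQueue in transforms.conf. Sample events below
are constructed.
"""
import json
from collections import Counter

# Categories the reviewer wants to keep, mapped to standard Windows Security
# event IDs.
KEEP_EVENT_IDS = {
    4625: "logon failure",
    4724: "password reset attempt",
    4720: "user account created",
    4726: "user account deleted",
    4728: "member added to global group",
    4732: "member added to local group",
    4672: "special privileges assigned",
}

# Fields with investigative value; the verbose Message blob and the rest are
# dropped to shrink the per-event payload.
KEEP_FIELDS = ("EventID", "TimeCreated", "Computer", "TargetUserName",
               "SubjectUserName", "IpAddress", "LogonType")


def filter_events(events):
    """Return (kept_events, stats) for a list of event dicts."""
    kept, dropped = [], Counter()
    bytes_in = bytes_out = 0
    for ev in events:
        bytes_in += len(json.dumps(ev, separators=(",", ":")))
        eid = ev.get("EventID")
        if eid not in KEEP_EVENT_IDS:
            dropped[eid] += 1      # noisy or low-value event: never ingested
            continue
        slim = {k: ev[k] for k in KEEP_FIELDS if k in ev}
        slim["category"] = KEEP_EVENT_IDS[eid]
        bytes_out += len(json.dumps(slim, separators=(",", ":")))
        kept.append(slim)
    stats = {"events_in": len(events), "events_out": len(kept),
             "bytes_in": bytes_in, "bytes_out": bytes_out,
             "dropped_by_id": dict(dropped)}
    return kept, stats


def sample_events():
    """Constructed Windows Security events, including the noisy 4624/5156."""
    pad = "Detailed description text repeated by Windows. " * 4
    base = {"TimeCreated": "2025-07-01T08:00:00Z", "Computer": "WS01", "Message": pad}
    return [
        {**base, "EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2},
        {**base, "EventID": 5156, "Application": "chrome.exe", "DestPort": 443},
        {**base, "EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.7", "LogonType": 3},
        {**base, "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5},
        {**base, "EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
        {**base, "EventID": 4672, "SubjectUserName": "jdoe"},
    ]


if __name__ == "__main__":
    kept, stats = filter_events(sample_events())
    print(f"kept {stats['events_out']}/{stats['events_in']} events, "
          f"{stats['bytes_out']}/{stats['bytes_in']} bytes")
```

The stats dictionary gives the before/after byte counts, which is the number to watch when the licence is volume-based.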