Splunk Enterprise Security Reviews

Security analysis to identify issues and for use in incident handling. Correlating logs across over 1000 servers with different operating systems and applications logs to provide security insights. 

Before we analyzed required manual correlation of individual log files, and this was almost impossible to do. With Splunk, what was once almost impossible, is now unbelievably fast.

Low barrier to start searching with the ability to normalize data on the fly.  

I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.

I would like to see Splunk improve its posture as a production operations tool.  This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have.

I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

It has absolutely improved the efficiency of my security team.

No stability concerns.

We did encounter scalability issues. As we scaled out in search heads, we found that some of our activity could only be found on the search heads that it was originally done on. For example, the history of search runs are stored locally, so I needed to logon to each search head to try and find it.

Most of my interaction is with the user community, which is how Splunk wants it.  When I need help, that community is very hit or miss.

I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.

The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files.

We evaluated our existing tool, LogRhythm.

Growth in data ingested will be much larger that you anticipated. If you need to prove this first, consider using an ELK Stack Logstash type of solution before using Splunk.

We started using Splunk to serve as a SIEM. In addition to correlating security information, we have begun to use it as a developer and customer advocate by analyzing user behaviors and system response times. 

Log files which were previously either not reviewed or reviewed incompletely are now being used in operations daily. Security and operational events are discovered and resolved with greater efficiency than we have ever before. The way Splunk allows for data to be correlated together has given our organization a more complete picture of our system security status and how users organically move through our applications. This information has allowed us to focus development efforts which will directly benefit our customers the most. 

The ability to manipulate data in Splunk is unparalleled. Splunk’s powerful, flexible query language can morph difficult to understand log formats into usable data. 

Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined.

There is a definite learning curve to starting out. However, there is quite a bit of documentation out there to help you get started. 

The community (Splunk Answers/Slack Channel/User Groups) can help get you started. 

We previously used ArcSight, but found Splunk to be more cloud capable.  

Truly evaluate the data you want to ingest and go slow. Pulling in data that can provide no use to your mission only wastes data against your license.  

Other options were evaluated, such as ELK, but Splunk was identified to be more feature rich out-of-the-box.

Pick it up and jump into the community!  It can help get you started a lot faster.

Security and incident management, which is helpful when organizing the data from different systems and running analysis on all the data together.

We have a more secure, robust environment, which keeps the harmful software out of the zone required.

The most valuable features are:

• Risk analysis
• Machine Learning Toolkit
• dbConnect
• Cisco products
• eStreamer
• SIEM. 

Visualizations are the best way to understand deviation techniques from the norm.

More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.

• Monitoring IT and other processes for a large university.
• Leveraging alerts and dashboards to detect and predict security breaches and other events.

Splunk has enabled us to detect, even predict potential security issues, before they become severe. It has enabled our operations and development teams to more efficiently monitor and troubleshoot their systems.

The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data. 

• Certain sections of the developer documentation could use some updating and clarification.
• Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. 
• Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).

Support is quick and competent.

Splunk is our monitoring and investigating Swiss Army knife for key applications and systems. If we run it, we Splunk it.

We are much faster finding and addressing issues with Splunk. We reduce the MTR and get more done.

So many of Splunk's features are invaluable to us:  

• Machine and business data retention
• Solid HA and distribution
• Adaptability to custom data
• Search, Search, Search.

I would like to get visibility into the data pipelines on heavy forwarders and indexers to see exactly their source and the cause of saturation when it occurs. This would help us learn even more about our high use applications.

No stability issues.

No scalability issues.

The support team is very competent.

The initial setup is very straightforward.

We implemented in-house

Our ROI is high.

We evaluated LogRhythm.

I love this product.

IT service analytics: 

• Server machine data
• Monitoring data
• Alerting data
• ITSI KPIs
• Real-time reporting
• Month-over-month reporting.

It allows for transparency into IT metrics for insightful business analytics.

It brings together all sorts of data. It has the ability to correlate data, analyze and review it. This makes weekly ops reviews and monthly executive management reporting much easier by saving hours of collecting data. Report automation has been a life saver.

• Free-floating panels in the dashboards are like a glass table. 
• It needs more formatting control without having to be an admin.

Previously, only the service owner could see the data and he might have gone to several places to obtain it. Now, it is all in one place and easy to access. 

Operational intelligence monitoring for several different systems. We collect logs from applications and performance data from hardware, as well as information pulled from databases.

The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting. The visualizations are easy and well received by business and management users. 

It is ease to integrate with other solutions, like Slack, JIRA, Remedy, etc. 

The user community is extremely beneficial, particularly with Splunk Answers and the Slack User Groups.

The licensing model can be expensive, but the value it provides is significant.

The recent acquisition of Phantom makes the future seem bright with more automated responses.

Primary use is business intelligence. 

Splunk allows us to find insights that we were not able to with traditional BI tools using ETL. It allows us to dig into raw events. 

Splunk is extremely flexible, which allows us to create custom visualizations along with other customizations. The flexibility of Splunk as well as the resources available for learning and support are the best in the business. 

The product was designed for security and IT with business intelligence needs, such as PDF exporting, but this has not been the highest priority. While the functionality is there, it could be developed more. 

We ingest roughly 30GB/day. We have a small environment, but it provides big insights.