Director of IT at BLUE LAKE RANCHERIA
Real User
Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed
Pros and Cons
  • "Splunk has significantly reduced the time spent performing the task of aggregating logs and reviewing them, as well as time spent during investigations."
  • "Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed."
  • "The case management area of the ES could be improved. The ability to move cases through various stages and states, and the ability to close a case, would be key improvements."

What is our primary use case?

We primarily use Splunk for log aggregation and search across multiple systems, with Splunk Enterprise Security layered on top.

How has it helped my organization?

Splunk has significantly reduced the time spent performing the task of aggregating logs and reviewing them, as well as time spent during investigations. This has not only increased our speed of response, but also our efficiency in dealing with the issue(s) raised.

What is most valuable?

Aggregation searches, allowing for conditions to be automatically found in the data, have reduced the time and difficulty of identifying trends and conditions which need to be reviewed.

What needs improvement?

The case management area of the ES could be improved. The ability to move cases through various stages and states, and the ability to close a case, would be key improvements.

Buyer's Guide
Splunk Enterprise Security
May 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints
Real User
Helped us consolidate all our solutions into an easy tool to use for various employees
Pros and Cons
  • "It helped us consolidate all our solutions into an easy tool to use for various employees."
  • "More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it."

What is our primary use case?

We use Splunk for operations, application monitoring, and security. We are both cloud and on-premise based, so it has been very versatile for us. 

How has it helped my organization?

It helped us consolidate all our solutions into an easy tool to use for various employees.

What is most valuable?

  • Unstructured data
  • Linking things together
  • Building out stuff which is actionable.

Once you learn SPL and what data you need to obtain and merge together, it is really useful. 

What needs improvement?

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it. 

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

Which solution did I use previously and why did I switch?

While we did not have a previous solution, we took what little of Splunk that we have been using and have increased it greatly.

What was our ROI?

We are a nonprofit, so it is hard to quantify. 

What's my experience with pricing, setup cost, and licensing?

Be upfront about your needs and expectations. Splunk is one of the top SIEM solutions to work with. 

Which other solutions did I evaluate?

No.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
it_user859770 - PeerSpot reviewer
consultant at a non-profit with 1,001-5,000 employees
User
Easily tracks problems and their status
Pros and Cons
  • "I like the ease with which dashboards can be created."
  • "Splunk has given us the capability to easily track problems and their status."
  • "The only thing which can be improved is that they are too subjective about whom their Splunk4Good initiative can be applied to. They market it as you only need to be a nonprofit, but there is more to it."

What is our primary use case?

We use Splunk for both monitoring and SIEM. Our security operations group uses Splunk to track user accounts which may have been compromised as well as follow those accounts through the organization.

How has it helped my organization?

Splunk has given us the capability to easily track problems and their status. Our security operations team has been able to use it to track where people log in and what they do on those machines.

What is most valuable?

Personally, I like the capability of removing sensitive data before it goes into Splunk. I also like the ease with which dashboards can be created.

What needs improvement?

I like Splunk. The only thing which can be improved is that they are too subjective about whom their Splunk4Good initiative can be applied to. They market it as you only need to be a nonprofit, but there is more to it.

For how long have I used the solution?

More than five years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk Architect at The Johns Hopkins University Applied Physics Laboratory
Real User
Speeds up root cause analysis and can help identify issues
Pros and Cons
  • "Speeds up root cause analysis and can help identify issues that your organization never realized were occurring."
  • "It helps streamline troubleshooting and log analysis."
  • "On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security."
  • "It can be tough to determine if you are getting all of the value out of your investment at times."

What is our primary use case?

Central repository for log collection and analysis in a complex environment. We have used it for a variety of use cases involving SIEM and operational support.

How has it helped my organization?

Speeds up root cause analysis and can help identify issues that your organization never realized were occurring. It helps streamline troubleshooting and log analysis.

What is most valuable?

It has a low barrier to entry, but it is extremely extensible, allowing it to be tailored to highly specific use cases. It makes searching through a wider variety of logs much quicker and enables you to correlate events from one log to another.

What needs improvement?

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales seems to be flexible and will work on an organization to organization basis to negotiate license terms. 

For how long have I used the solution?

One to three years.

How are customer service and technical support?

On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

Pricing can be a limiting factor. You have to continuously tune what you are bringing in and make sure what you bring in is of value. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
BS Systems Engineer at a tech services company with 501-1,000 employees
Real User
Makes use of all logs and takes proactive actions
Pros and Cons
  • "Integrity with many vendors: This simplifies the implementation and integration with different devices"
  • "Enterprise security: Splunk must work on clarifying the solution to customers and explain how to gain more from it."

What is our primary use case?

We used it to create a full security operations center (SOC) for our IT department by adding all network and security devices, the AD, and mail servers to it. Then Splunk started to receive their logs, analyzed them, and provided useful reports.

How has it helped my organization?

It helps the IT staff to monitor the full structure. It also makes use of all logs and takes proactive actions.

What is most valuable?

Integrity with many vendors: This simplifies the implementation and integration with different devices. 

What needs improvement?

Enterprise security: Splunk must work on clarifying the solution to customers and explain how to gain more from it.

For how long have I used the solution?

One to three years.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner with Splunk.
System Administrator at Abdullah Al-Othaim Markets
Real User
Searches logs from all devices and gives valuable information to the organisation
Pros and Cons
  • "Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses."
  • "Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk."

What is our primary use case?

  • Searches the logs for all network devices and servers.
  • Monitors clients' hardware, networking, and security operations. 
  • It is good for the administrator to use it when maintaining the whole IT Infrastructure.

How has it helped my organization?

Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses.

What is most valuable?

Searches logs from all devices and gives valuable information to the organisation, so it can drill down on all reports and security threats. 

What needs improvement?

Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk.

Network Breach

No, we have not suffered a network breach.

Efficiency of Security Team

Yes, the solution has improved the efficiency of our security team.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and technical support?

I have received a very good response from support that I have not seen in more than 10 years of my experience. 

Which solution did I use previously and why did I switch?

We are using OpManager to monitor server logs. 

What about the implementation team?

I implemented it myself.

What was our ROI?

It made our organization better through integration.

What's my experience with pricing, setup cost, and licensing?

Make it cheaper to help small organisations implement it more easily.

Which other solutions did I evaluate?

We evaluated QRadar.

What other advice do I have?

I have been using Splunk to increase my security experience. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
MS Alam - PeerSpot reviewer
System Administrator at Abdullah Al-Othaim Markets
Real User

Splunk is Google for all logs in the organisation.

Infrastructure Engineer at Zirous, Inc.
Real User
Top 20
Monitors all machine logins and actions taken on those machines under each user
Pros and Cons
  • "The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time."
  • "We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster."
  • "I feel as though a major focus of upcoming releases should be set on Machine Learning and Predictive Analytics, and I would enjoy seeing more security-focused add-ons and apps developed by the vendor."

What is our primary use case?

Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a server's logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments under a single screen.

How has it helped my organization?

Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, administrators being notified, and if escalated enough, automatic account locks.

What is most valuable?

The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.

What needs improvement?

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it continue to improve its predictive analytics and machine learning tools. That is not to say that they are currently lacking (I don't believe they are), but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning and Predictive Analytics, and I would enjoy seeing more security-focused add-ons and apps developed by the vendor.

Network Breach

We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.

Efficiency of Security Team

Immensely. I cannot stress enough the positive impact this has had on our security team.

Events per Day

Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the amount of remote workers in the office, it averages around 50 million events daily.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did not encounter any issues with stability.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.

How are customer service and technical support?

I have not personally dealt with customer service/technical support.

Which solution did I use previously and why did I switch?

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

How was the initial setup?

The initial setup is very straightforward, unzipping a tar, creating a service, starting the service.

What about the implementation team?

My team was the team who had set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high with an average of 4 Splunk certifications per person on my team.

What was our ROI?

ROI is estimated at saving my team roughly 10 to 12 man hours per week in troubleshooting for our company as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.

What's my experience with pricing, setup cost, and licensing?

Setup cost is cheap: It is free, it is user-friendly, and it is fast. 

I would highly recommend anyone evaluating this option to download the free trial, which allows for the ingestion of 500MB of data per day, in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to skyrocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.

Which other solutions did I evaluate?

We evaluated the ELK Stack, which we have recently implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "Good Enough". They felt they did not need all of the bells and whistles that came with Splunk.

What other advice do I have?

If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
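The login monitoring this review describes (counting failed and successful logins per user, comparing against a learned per-user baseline of typical failed attempts, and escalating from an alert to an administrator notification to an account lock), and the threshold-style aggregation searches the first review praises, as an added example. This is not code from the reviewers or from Splunk; it is plain Python rather than SPL so it runs offline over a handful of constructed sshd-style lines. The log format, the history of daily failure counts, the floor of three attempts, the mean plus two standard deviations baseline, the ten-minute window and the escalation tiers are all assumptions chosen for illustration.

```python
"""Failed-login escalation against a per-user baseline (added example).

Not code from the reviews or from Splunk. The line format, history,
thresholds and escalation tiers below are constructed assumptions.
"""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sshd-like line shape; real auth logs vary by platform and syslog config.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
DEFAULT_THRESHOLD = 3  # assumed floor for users with no history (and for unknown accounts)


def parse(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "ip": m["ip"], "failed": m["result"] == "Failed"}


def baseline(history, floor=DEFAULT_THRESHOLD, k=2.0):
    """Per-user threshold = ceil(mean + k*stdev) of past daily failed counts, never below floor.

    A user who habitually mistypes a password gets a higher bar than one who never fails.
    """
    thresholds = {}
    for user, daily in history.items():
        mean = statistics.mean(daily)
        spread = statistics.stdev(daily) if len(daily) > 1 else 0.0
        thresholds[user] = max(floor, math.ceil(mean + k * spread))
    return thresholds


def peak_failures(times, window):
    """Largest number of failures falling inside any single window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def action_for(peak, threshold):
    """Escalation tiers (assumed): alert -> notify_admin -> lock_account as multiples of the baseline."""
    if peak <= threshold:
        return "none"
    if peak >= 3 * threshold:
        return "lock_account"
    if peak >= 2 * threshold:
        return "notify_admin"
    return "alert"


def escalate(lines, history, window=timedelta(minutes=10)):
    """Map each user seen failing to (peak failures in window, recommended action)."""
    thresholds = baseline(history)
    failed_times = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["failed"]:
            failed_times[ev["user"]].append(ev["ts"])
    return {user: (peak_failures(ts, window),
                   action_for(peak_failures(ts, window), thresholds.get(user, DEFAULT_THRESHOLD)))
            for user, ts in failed_times.items()}


# --- Constructed sample data (not real events) -------------------------------
BASE = datetime(2025, 5, 1, 9, 0, 0)
HISTORY = {"alice": [1, 0, 2, 1, 0], "bob": [5, 6, 4, 5, 5]}  # past daily failed counts


def _line(offset_s, result, user, ip, invalid=False):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    who = f"invalid user {user}" if invalid else user
    return f"{ts} bastion sshd[4242]: {result} password for {who} from {ip} port 51022 ssh2"


SAMPLE_LINES = (
    [_line(0, "Failed", "alice", "10.0.0.5"), _line(30, "Failed", "alice", "10.0.0.5"),
     _line(60, "Accepted", "alice", "10.0.0.5")]                       # 2 failures, then success
    + [_line(100 + 30 * i, "Failed", "bob", "10.0.0.7") for i in range(5)]   # noisy but normal for bob
    + [_line(300 + 20 * i, "Failed", "carol", "10.0.0.9") for i in range(4)] # no history: floor applies
    + [_line(400 + 20 * i, "Failed", "admin", "203.0.113.4", invalid=True) for i in range(10)]
)

if __name__ == "__main__":
    for user, (peak, action) in escalate(SAMPLE_LINES, HISTORY).items():
        print(f"{user:6} peak={peak:2} action={action}")
```

Running the module prints one verdict per user: alice and bob stay below their baselines (bob's history makes five failures unremarkable), carol trips an alert because an unknown user falls back to the floor, and the burst against the non-existent `admin` account reaches the lock tier. The same logic expressed as an SPL scheduled search would bucket by user and time span and compare the count to a stored baseline lookup; the point of the example is the escalation structure, not the language.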
it_user717477 - PeerSpot reviewer
Account Manager at a tech services company with 10,001+ employees
Real User
Proactively monitors threats and reduces threat footprint, though professional support is too expensive
Pros and Cons
  • "Deployment server for deploying changes in one go."
  • "Professional support is great, but too expensive."

How has it helped my organization?

It was used for security event management on a landscape hosted on AWS.

It helped the organisation to proactively monitor threats and reduce its threat footprint.

What is most valuable?

Deployment server for deploying changes in one go.

What do I think about the stability of the solution?

It is quite stable.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Professional support is great, but too expensive. Otherwise, the content published on the website is good.

Which solution did I use previously and why did I switch?

Not applicable.

What's my experience with pricing, setup cost, and licensing?

Do a proper estimation of log ingestion per day, as that will impact pricing and licensing.

Which other solutions did I evaluate?

It was the customer's choice.

What other advice do I have?

It provides a great range of plugins and one can really take great advantage of utilising inbuilt dashboards to derive the desired monitoring.

Our company consults for different customers and is in a good position to recommend the best solution to our clients.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.